Aruba MultiZone – Basics


  • The MultiZone feature allows you to manage separate WLANs on the same AP but under separate management and traffic zones, managed by separate controllers.
  • A zone is a collection of managed devices under a single administrative domain.
  • Zones can have a single managed device or a cluster of devices.

MultiZone objectives:

  • The ability to leverage existing APs to support SSIDs from different controller domains or zones.
  • create secure containers such that APs can maintain a separation of WLANs belonging to different organizations.s
  • Erect an “air wall” between zones where each administrative domain can only view and manage their SSIDs.

  • A zone is a collection of mobility controllers under a single administrative domain.
  • A zone can consist of a standalone 8.x mobility controller or a mobility conductor and its associated managed devices.
  • Aruba MultiZone APs can terminate their tunnels to MCs in different zones. ArubaOS 6.x did NOT support this feature.

Zone roles

In a MultiZone environment there are two zone roles:

  • Primary Zone (PZ) – APs connect to the primary zone (PZ) upon initial boot up. The PZ retains full control of AP management and configuration, including AP, WLAN, and RF profiles. This is where you create MultiZone profiles to enable the feature.
  • Data Zone (DZ) – APs connect to these secondary zones after receiving configuration from the PZ. You cannot reboot, upgrade, or provision MultiZone APs from the DZ. This must be done for the PZ. The only configuration that is allowed on the DZ is the tunnel mode virtual AP (VAP).

Note 1: The PZ and DZ do NOT need to be on the same L2 subnet. However, L3 connectivity is required.

Note 2: The APs MUST be whitelisted on the DZ controllers

Note 3: DZ does not use an AP license for PZ APs. However, if you need firewall services in the DZ, then each PZ AP uses one PEF license and one RFP license.

MultiZone Limitations

Mobility controllers in all zones must run the same ArubaOS version. The DZ and PZ must have the same group names defined. You cannot manage PZ and DZ controllers from the same MM. Mesh AP and RAP are not supported.

  • A maximum of five zones (one PZ and four DZ)
  • A maximum of 12 controllers for all zones
  • A maximum of 16 VAPs per radio for all zones

MultiZone Configuration

Note: The Data Zone (DZ) and Primary Zone (PZ) MUST have the same ACL, SSID and AP-Groups defined.

Step #1. Create the MultiZone Profile and point it to the DZ controller



Step #2. Create an access control list and user role(s).


ip access-list session NPLLC-06142022-allowall
any any any permit
ipv6 any any any permit
ip access-list session NPLLC-06142022-deny-client-as-dhcp-server
user any udp 68 deny
ipv6 user any icmpv6 rtr-adv deny

ip access-list session apprf-NPLLC-authenticated-sacl
User role:

access-list session NPLLC-06142022-deny-client-as-dhcp-server
access-list session NPLLC-06142022-allowall


Step #3. Create the WLAN SSID profile if one does not already exist.

wlan ssid-profile “EGUEST_ssid_prof”
essid “EGUEST”
wpa-passphrase whateveryouittobe
opmode wpa2-psk-aes
a-basic-rates 24
a-tx-rates 12 18 24 36 48 54
g-basic-rates 24
g-tx-rates 12 18 24 36 48 54
g-beacon-rate 24
a-beacon-rate 24
multicast-rate 24

Step #4. Create an AP group.

virtual-ap “EGUEST”

Step #5. Attach the MultiZone profile to the AP group

virtual-ap “EGUEST”
ap-multizone-profile “EKRALAC_MZ1_PROFILE”

Step #5. Enable CPsec on the DZ Controller

(vDMZMULTZONE0001) mm #control-plane-security

Step #6. Allow GRE 47 between the DZ and DZ

traffic blocked


Primary Zone controller

Data Zone controller

show ap bss-table and show ap essid output

Verify that the client can connect and obtain a valid IP

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.