- The MultiZone feature allows you to manage separate WLANs on the same AP but under separate management and traffic zones, managed by separate controllers.
- A zone is a collection of managed devices under a single administrative domain.
- Zones can have a single managed device or a cluster of devices.
- The ability to leverage existing APs to support SSIDs from different controller domains or zones.
- Create secure containers so that APs can maintain a separation of WLANs belonging to different organizations.
- Erect an “air wall” between zones where each administrative domain can only view and manage their SSIDs.
- A zone is a collection of mobility controllers under a single administrative domain.
- A zone can consist of a standalone 8.x mobility controller or a mobility conductor and its associated managed devices.
- Aruba MultiZone APs can terminate their tunnels to MCs in different zones. ArubaOS 6.x did NOT support this feature.
In a MultiZone environment there are two zone roles:
- Primary Zone (PZ) – APs connect to the primary zone (PZ) upon initial boot up. The PZ retains full control of AP management and configuration, including AP, WLAN, and RF profiles. This is where you create MultiZone profiles to enable the feature.
- Data Zone (DZ) – APs connect to these secondary zones after receiving configuration from the PZ. You cannot reboot, upgrade, or provision MultiZone APs from the DZ; this must be done from the PZ. The only configuration that is allowed on the DZ is the tunnel mode virtual AP (VAP).
Note 1: The PZ and DZ do NOT need to be on the same L2 subnet. However, L3 connectivity is required.
Note 2: The APs MUST be whitelisted on the DZ controllers.
Note 3: DZ does not use an AP license for PZ APs. However, if you need firewall services in the DZ, then each PZ AP uses one PEF license and one RFP license.
Mobility controllers in all zones must run the same ArubaOS version. The DZ and PZ must have the same group names defined. You cannot manage PZ and DZ controllers from the same Mobility Master (MM). Mesh APs and RAPs are not supported.
- A maximum of five zones (one PZ and four DZ)
- A maximum of 12 controllers for all zones
- A maximum of 16 VAPs per radio for all zones
Note: The Data Zone (DZ) and Primary Zone (PZ) MUST have the same ACL, SSID and AP-Groups defined.
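Because the PZ and DZ are managed separately, the "same ACL, SSID and AP-group names" requirement is easy to break silently. The following is an added example (not part of the original notes and not an Aruba tool) that pulls the top-level ACL, SSID-profile and AP-group names out of two ArubaOS-style running-config excerpts and reports what the DZ is missing relative to the PZ. The two config snippets are constructed for the demonstration; the ACL and SSID-profile names are the ones used later on this page, while the AP-group name EGUEST-MZ-APG is an assumption.

```python
"""Added example: check that a Data Zone config defines every ACL, SSID profile
and AP group that the Primary Zone config defines (names only, not contents)."""
import re
from typing import Dict, Set

# One regex per object kind; each captures the object's name from a top-level line.
OBJECT_PATTERNS = {
    "acl":          re.compile(r'^ip access-list session (\S+)\s*$'),
    "ssid-profile": re.compile(r'^wlan ssid-profile "?([^"\s]+)"?\s*$'),
    "ap-group":     re.compile(r'^ap-group "?([^"\s]+)"?\s*$'),
}

# Constructed PZ config excerpt (ACL/SSID names from the page, AP-group name assumed).
PZ_CONFIG = """
ip access-list session NPLLC-06142022-allowall
  any any any permit
  ipv6 any any any permit
ip access-list session NPLLC-06142022-deny-client-as-dhcp-server
  user any udp 68 deny
  ipv6 user any icmpv6 rtr-adv deny
wlan ssid-profile "EGUEST_ssid_prof"
  a-tx-rates 12 18 24 36 48 54
ap-group "EGUEST-MZ-APG"
"""

# Constructed DZ config excerpt that was only partially replicated.
DZ_CONFIG = """
ip access-list session NPLLC-06142022-allowall
  any any any permit
  ipv6 any any any permit
wlan ssid-profile "EGUEST_ssid_prof"
  a-tx-rates 12 18 24 36 48 54
"""


def collect_objects(config_text: str) -> Dict[str, Set[str]]:
    """Return {kind: set of names} for the top-level objects found in a config."""
    found: Dict[str, Set[str]] = {kind: set() for kind in OBJECT_PATTERNS}
    for raw in config_text.splitlines():
        line = raw.strip()
        for kind, pattern in OBJECT_PATTERNS.items():
            match = pattern.match(line)
            if match:
                found[kind].add(match.group(1))
    return found


def missing_in_dz(pz_config: str, dz_config: str) -> Dict[str, Set[str]]:
    """Names defined in the PZ but absent from the DZ, keyed by kind (empty kinds omitted)."""
    pz, dz = collect_objects(pz_config), collect_objects(dz_config)
    return {kind: pz[kind] - dz[kind] for kind in pz if pz[kind] - dz[kind]}


if __name__ == "__main__":
    gaps = missing_in_dz(PZ_CONFIG, DZ_CONFIG)
    if not gaps:
        print("DZ defines every ACL, SSID profile and AP group that the PZ defines")
    for kind, names in gaps.items():
        print(f"DZ is missing {kind}: {', '.join(sorted(names))}")
```

Run it against `show running-config` output captured from each zone's controller; it compares names only, so a matching name with different rule contents still needs a manual diff.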
Step #1. Create the MultiZone Profile and point it to the DZ controller
Step #2. Create an access control list and user role(s).
ip access-list session NPLLC-06142022-allowall
  any any any permit
  ipv6 any any any permit
ip access-list session NPLLC-06142022-deny-client-as-dhcp-server
  user any udp 68 deny
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session apprf-NPLLC-authenticated-sacl
access-list session NPLLC-06142022-deny-client-as-dhcp-server
access-list session NPLLC-06142022-allowall
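The order in which the role references its ACLs is what makes this work: the deny ACL has to be evaluated before the allow-all ACL, because the first matching rule wins. The following is an added example (not from the original notes and not Aruba code) that models that first-match evaluation over a handful of constructed packets, using the two ACL names from the page; the "user" source alias stands for the wireless client, as it does in ArubaOS, and the role name NPLLC-authenticated is an assumption.

```python
"""Added example: first-match model of an ArubaOS user role applying its
session ACLs, to confirm the deny-before-allow ordering shown above."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                           # "user" = the wireless client, otherwise "any"
    proto: str                         # "udp", "tcp", "icmpv6", ...
    dst_port: Optional[int] = None     # L4 destination port, where applicable
    icmpv6_type: Optional[str] = None  # e.g. "rtr-adv"
    ipv6: bool = False


# Rule = (source, destination, service, action, is_ipv6_rule); list order matters.
Rule = Tuple[str, str, str, str, bool]

ACLS = {
    "NPLLC-06142022-allowall": [
        ("any", "any", "any", "permit", False),
        ("any", "any", "any", "permit", True),
    ],
    "NPLLC-06142022-deny-client-as-dhcp-server": [
        # client sending to the DHCP client port = client answering as a DHCP server
        ("user", "any", "udp 68", "deny", False),
        # client sending IPv6 router advertisements
        ("user", "any", "icmpv6 rtr-adv", "deny", True),
    ],
}

# Assumed role NPLLC-authenticated: ACLs are evaluated in this order.
ROLE_ACLS: List[str] = [
    "NPLLC-06142022-deny-client-as-dhcp-server",
    "NPLLC-06142022-allowall",
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    src, _dst, service, _action, is_v6 = rule
    if is_v6 != pkt.ipv6 or (src != "any" and src != pkt.src):
        return False
    if service == "any":
        return True
    proto, *arg = service.split()
    if proto != pkt.proto:
        return False
    if proto in ("udp", "tcp"):
        return pkt.dst_port == int(arg[0])
    if proto == "icmpv6":
        return pkt.icmpv6_type == arg[0]
    return False


def evaluate(pkt: Packet, role_acls: List[str] = ROLE_ACLS) -> Tuple[str, str]:
    """Return (action, acl_name) of the first matching rule; a role ends in an implicit deny."""
    for name in role_acls:
        for rule in ACLS[name]:
            if rule_matches(rule, pkt):
                return rule[3], name
    return "deny", "implicit-deny"


if __name__ == "__main__":
    # Constructed sample traffic from a wireless client.
    samples = {
        "DHCP OFFER from client (udp/68)": Packet("user", "udp", 68),
        "DHCP DISCOVER from client (udp/67)": Packet("user", "udp", 67),
        "IPv6 RA from client": Packet("user", "icmpv6", icmpv6_type="rtr-adv", ipv6=True),
        "HTTPS from client": Packet("user", "tcp", 443),
    }
    for label, pkt in samples.items():
        print(f"{label:38s} -> {evaluate(pkt)}")
    # Same packet, ACLs referenced in the wrong order: the rogue DHCP reply is permitted.
    print("wrong order, DHCP OFFER ->", evaluate(Packet("user", "udp", 68), list(reversed(ROLE_ACLS))))
```

The reversed-order line at the end is the case to watch for when replicating roles to the DZ: with the allow-all ACL listed first, the deny ACL is never reached.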
Step #3. Create the WLAN SSID profile if one does not already exist.
wlan ssid-profile "EGUEST_ssid_prof"
  a-tx-rates 12 18 24 36 48 54
  g-tx-rates 12 18 24 36 48 54
Step #4. Create an AP group.
Step #5. Attach the MultiZone profile to the AP group
Step #6. Enable CPsec on the DZ controller
(vDMZMULTZONE0001) mm #control-plane-security
Step #7. Allow GRE (IP protocol 47) between the PZ and the DZ
Verification: on both the Primary Zone controller and the Data Zone controller, check the show ap bss-table and show ap essid output, then verify that the client can connect and obtain a valid IP.