This solution creates a Multizone AP network.
The objective of a Multizone AP network is to let the same AP hardware terminate its tunnels in different administrative domains (zones).
Acronyms used in this solution
- PZ - Primary Zone
- DZ - Data Zone
- MM - Mobility Master
- MC - Mobility Controller
- MD - Managed Device (same as MC)
- VAP - Virtual Access Point (think ESSID)
- CPSec - Control Plane Security
- AP - Access Point
- AOS - Aruba Operating System
A Multizone AP is an AP that is capable of terminating its tunnels on controllers residing in different zones.
A zone can be thought of as a collection of controllers under a single administrative domain. It can be a standalone controller or a cluster of controllers managed by an MM.
There are two types of zones - Primary zone (PZ) and Data zone (DZ).
- A Primary zone is the zone that the AP connects to when booting up. Multizone APs are fully-managed by the PZ.
- If a Multizone profile is configured in the PZ, the AP not only advertises the PZ's SSIDs but also connects to a Data zone and simultaneously advertises the DZ's SSIDs. The DZ can manage only the VAP settings on the Multizone APs that are specific to the DZ; everything else about the AP remains under PZ control.
Use Case #1: Isolate guest traffic from the internal network. A Multizone AP builds separate, secure tunnels to the corporate controller (for the corporate SSID) and to the guest anchor controller in the DMZ (for the guest SSID), creating an "airwall" between the two SSIDs. Guest traffic therefore never has to traverse the corporate controller on its way to the guest anchor in the DMZ. In AOS 6.x, both the guest and corporate SSIDs are tunneled from the AP to the corporate controller, and guest traffic is then carried from there to the guest anchor controller over an L2 GRE tunnel; this is a security concern for some customers.
Use Case #2: Allow multiple 'tenants' in a geographical location to be able to leverage existing AP infrastructure to advertise their own SSIDs. The PZ will be the owner of the WLAN infrastructure (including APs), and one or more DZs will be the 'tenants'.
Minimum Network Requirements
- A Primary and a Data zone with at least one controller in each zone.
- AOS 220.127.116.11 or later
- CPSec required in both PZ and DZ.
- The AP Groups for a Multizone AP in PZ and DZ should have identical names.
- The DZ AP Group should be reserved exclusively for Multizone APs.
- The AP is already up and running in the PZ and advertising one or more SSIDs (if you still need to create an SSID, use the corresponding ASE solution for that first).
- At least one SSID (in tunnel mode of operation) is already created as part of the DZ AP Group.
- This solution covers MM-MD and standalone deployments. Master-Local deployments in AOS 8.0.x will be covered at a later time.
- Only MDs and Standalone controllers can terminate APs.
- MDs in PZ and DZ cannot be managed by the same MM.
- Ensure that the same AOS version is running in both PZ and DZ.
- Up to 4 DZs can be configured per PZ.
- Up to 12 controllers can be present across all zones.
- Up to 16 VAPs can be configured across all zones.
- For the DZ SSID(s), only tunnel mode of operation is supported.
- In AOS 8.0.1 and below, Multizone is not supported on VMCs (MD or standalone).
- The following AP models support the Multizone feature:

| AOS | AP Model(s) Supported |
| --- | --- |
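Before opening change tickets in two administrative domains it is worth checking a proposed design against the limits in the list above. The following is an added example, not ASE or Aruba code: the `Zone`/`Vap` model and the sample zones are invented for illustration; only the numeric limits and the rules they encode come from this page.

```python
"""Pre-deployment sanity check of a Multizone design against the limits above.

Added example, not ASE code: the Zone/Vap model and the sample values are
invented for illustration. The numeric limits are the ones stated on this page.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_DZ_PER_PZ = 4           # up to 4 DZs per PZ
MAX_CONTROLLERS_TOTAL = 12  # across all zones
MAX_VAPS_TOTAL = 16         # across all zones


@dataclass
class Vap:
    essid: str
    forward_mode: str  # "tunnel", "bridge", "decrypt-tunnel", "split-tunnel"


@dataclass
class Zone:
    name: str
    aos_version: str
    controllers: int
    cpsec_enabled: bool
    ap_group: str
    vaps: List[Vap]
    mm: Optional[str] = None  # managing MM, or None for a standalone controller


def validate_multizone(pz: Zone, dzs: List[Zone]) -> List[str]:
    """Return a list of violations; an empty list means the design fits the limits."""
    problems: List[str] = []
    zones = [pz] + dzs

    if len(dzs) > MAX_DZ_PER_PZ:
        problems.append(f"{len(dzs)} data zones configured; limit is {MAX_DZ_PER_PZ} per PZ")
    total_ctl = sum(z.controllers for z in zones)
    if total_ctl > MAX_CONTROLLERS_TOTAL:
        problems.append(f"{total_ctl} controllers across all zones; limit is {MAX_CONTROLLERS_TOTAL}")
    total_vaps = sum(len(z.vaps) for z in zones)
    if total_vaps > MAX_VAPS_TOTAL:
        problems.append(f"{total_vaps} VAPs across all zones; limit is {MAX_VAPS_TOTAL}")

    for z in zones:
        if z.controllers < 1:
            problems.append(f"{z.name}: a zone needs at least one controller")
        if not z.cpsec_enabled:
            problems.append(f"{z.name}: CPSec must be enabled in every zone")
        if z.aos_version != pz.aos_version:
            problems.append(f"{z.name}: AOS {z.aos_version} differs from PZ {pz.aos_version}")

    for dz in dzs:
        if dz.ap_group != pz.ap_group:
            problems.append(f"{dz.name}: AP group '{dz.ap_group}' must match PZ group '{pz.ap_group}'")
        if dz.mm is not None and dz.mm == pz.mm:
            problems.append(f"{dz.name}: PZ and DZ MDs cannot be managed by the same MM ({dz.mm})")
        if not dz.vaps:
            problems.append(f"{dz.name}: DZ AP group needs at least one tunnel-mode SSID before APs join")
        for v in dz.vaps:
            if v.forward_mode != "tunnel":
                problems.append(f"{dz.name}/{v.essid}: DZ SSIDs support tunnel mode only, got '{v.forward_mode}'")
    return problems


def example_designs():
    """Constructed sample: corporate PZ (MM + 2 MDs) and a standalone guest DZ."""
    pz = Zone("corp-PZ", "sample-build", controllers=2, cpsec_enabled=True,
              ap_group="mz-ap-group", vaps=[Vap("corp-secure", "tunnel")], mm="MM1")
    dz = Zone("guest-DZ", "sample-build", controllers=1, cpsec_enabled=True,
              ap_group="mz-ap-group", vaps=[Vap("guest", "tunnel")])
    return pz, dz


if __name__ == "__main__":
    pz, dz = example_designs()
    for line in validate_multizone(pz, [dz]) or ["design is within the documented limits"]:
        print(line)
```

The checker deliberately reports every violation rather than stopping at the first one, since the PZ and DZ are typically owned by different teams and each finding may go to a different owner.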
Identifying the Group Node
- When prompted for Group Node in this ASE solution, the easiest way to look it up is via the show configuration node-hierarchy command.
```text
(MM1) [md] #show configuration node-hierarchy

Default-node is not configured.
Autopark is disabled.

Configuration node hierarchy
----------------------------
Config Node                  Type    Name
-----------                  ----    ----
/                            System
/md                          System
/md/poc                      Group
/md/poc/00:0b:86:b5:b6:c7    Device  Aruba7030
/md/poc/00:0b:86:bb:cd:47    Device  Aruba7024
/mm                          System
/mm/mynode                   System

(MM1) [md] #
```
- You can also look up the Group Node from the UI, as shown in the screenshot below. As an example, the Managed Network > poc path in the UI corresponds to /md/poc, i.e. a group node.
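When several MDs or groups exist, reading the group node off the CLI output by eye is error-prone. The following is an added example, not ASE code: a small parser for the `show configuration node-hierarchy` table above that lists the group nodes and resolves a device MAC to its parent group. The embedded sample is the page's own output re-wrapped onto separate lines; the column layout (path, type, optional name separated by whitespace) is assumed from that sample.

```python
"""Parse `show configuration node-hierarchy` output and pick out the group node.

Added example, not ASE code. SAMPLE_OUTPUT is the output shown on this page,
re-wrapped onto one row per line; it is not a live capture.
"""
import re
from typing import List, NamedTuple, Optional

SAMPLE_OUTPUT = """\
(MM1) [md] #show configuration node-hierarchy
Default-node is not configured.
Autopark is disabled.

Configuration node hierarchy
----------------------------
Config Node                  Type    Name
-----------                  ----    ----
/                            System
/md                          System
/md/poc                      Group
/md/poc/00:0b:86:b5:b6:c7    Device  Aruba7030
/md/poc/00:0b:86:bb:cd:47    Device  Aruba7024
/mm                          System
/mm/mynode                   System
(MM1) [md] #
"""


class ConfigNode(NamedTuple):
    path: str
    node_type: str  # System | Group | Device
    name: str       # controller model for Device nodes, empty otherwise


# A table row: a path starting with "/", the node type, and an optional name.
_ROW = re.compile(r"^(/\S*)\s+(System|Group|Device)(?:\s+(\S+))?\s*$")


def parse_node_hierarchy(text: str) -> List[ConfigNode]:
    """Return every config node row; prompts, headers and rules are skipped."""
    nodes: List[ConfigNode] = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            nodes.append(ConfigNode(m.group(1), m.group(2), m.group(3) or ""))
    return nodes


def group_nodes(nodes: List[ConfigNode]) -> List[str]:
    """Paths of type Group: the values the ASE solution prompts for."""
    return [n.path for n in nodes if n.node_type == "Group"]


def group_for_device(nodes: List[ConfigNode], mac: str) -> Optional[str]:
    """Parent (group) path of the Device node whose last path element is `mac`."""
    mac = mac.lower()
    for n in nodes:
        if n.node_type == "Device" and n.path.rsplit("/", 1)[-1].lower() == mac:
            return n.path.rsplit("/", 1)[0]
    return None


if __name__ == "__main__":
    parsed = parse_node_hierarchy(SAMPLE_OUTPUT)
    print("group nodes:", group_nodes(parsed))
    print("7030 lives under:", group_for_device(parsed, "00:0b:86:b5:b6:c7"))
```

Feed the function the raw text of the command (for example captured over SSH) and use `group_nodes` to pick the `/md/...` path the solution asks for; `group_for_device` is useful when you know the MAC of the MD that terminates the Multizone APs but not which group it was parked in.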
Test Setup
- PZ: Mobility Master and 2 MDs (7024 and 7030) running AOS 18.104.22.168_57204
- DZ: Standalone 7030 running AOS 22.214.171.124_57204
- This solution has been tested and verified in a PZ + one DZ setup.
Licensing
- No additional licenses are required for the Multizone feature.
- In the Primary Zone, the standard MM/7xxx, AP and PEFNG licenses apply to the MM/standalone controller, Access Points and firewall policies, respectively.
- In the Data Zone, Multizone APs do not consume AP licenses, but PEFNG, RFP and WebCC licenses are consumed where applicable.
To learn more about the Multizone feature in 8.0, please refer to the following resource.