Deploying Aruba IAP Zones

By Greg_Weaver posted Oct 16, 2019 10:24 AM

  

OP: @theITrebel 

If you are new to the Aruba Instant products, you may be wondering if/how you can selectively broadcast SSID within your IAP cluster. The good news is that you CAN do this by using the Zones feature within the IAP.  This is useful when you are trying to control what areas certian SSID are broadcast in within your physical AP deployment. In some cases, it could even be considered a security risk to broadcast specific networks everywhere. For instance, point of sale networks may not be needed in guest room areas of a hotel to prevent unwanted access attempts to sensitive data. 

 

Issue:

 

Customer has Aruba Instant APs (IAP) that they want to selectively broadcast SSIDs throughout the deployment.

 

Example Use Case:

 

Hotel customer has a “Public” network they want to broadcast in the hotel lobby, but wants to broadcast a “Private” pay-as-you-go network in other areas like hotel rooms.

 

Resolution:

 

Within the IAP architecture, Aruba has implemented a “Zone” feature that is configurable in both an Airwave managed IAP cluster and non-Airwave managed cluster. The purpose of this feature is to allow selective broadcast of SSID within an IAP deployment. It functions by only allowing a configured SSID to broadcast on IAPs that have matching zone configuration.

 

An example of non-Airwave managed configuration can be seen in the IAP Virtual Controller WLAN settings (Figure 1) and the individual IAP settings (Figure 2). Figure 1 highlights the 'Zone' field that is used. This field can contain any string of information selected and all IAP that have a matching Zone field will broadcast that SSID. If an IAP does not have a zone field that matches what is set in the WLAN profile, it will not broadcast that SSID. Other caveats are noted at the conclusion of this article.

 

For users that use Aruba Airwave to configure their IAP cluster, you can implement this feature as well. Airwave managed cluster configuration examples using the IAP GUI Config are shown in Figure 3 & 4. The same prinicpals and caveats mentinoed above apply to Airwave managed clusters as well.

 

Once configured, you will see in Figure 5 that a scan of the spectrum shows the correct deployment. In this example one IAP was configured in zone “225” with the Public SSID being configured in the same zone. Thus, only the IAP (Channel 1/52) is broadcasting the Public SSID. The Private SSID was not configured with a zone and thus is broadcast on ALL IAPs in the cluster (IAPs Channel 1/52 & 11/116).

 

Caveats:

The following constraints apply to the zone configuration:

 

  • An IAP can belong to only one zone and only one zone can be configured on an SSID.
  • If an SSID belongs to a zone, all IAPs in this zone can broadcast this SSID. If no IAP belongs to the zone configured on the SSID, the SSID is not broadcast. 
  • If an SSID does not belong to any zone, all IAPs can broadcast this SSID.

  

Device versions used:

IAP 225/325: 6.4.4.8-4.2.4.4

Airwave: 8.2.3

Scott L - ACDX #916, ACCP, ACMP, CWNE #253Figure1 IAP VC Config.pngFigure5 WifiSpecturmDiscovery.pngFigure2 IAP AP Zone Config.pngFigure3 Airwave WLAN Config.pngFigure4 Airwave IAP Config.png

https://blogs.arubanetworks.com/solutions/improving-network-segmentation-with-aruba-instant-zones/

2 comments
10 views

Comments

Dec 09, 2020 02:39 AM

Wonderful, what a web site it is! This website presents valuable data to us, keep it up. OGYOUTUBE Apk

Oct 31, 2020 04:01 PM

Traditionally only one zone can be configured to an Instant AP
but starting from Instant 8.3.0.0, Instant APs can be assigned multiple SSID zones to serve different set of
clients in different zones of the Wi-Fi environment. In the previous releases, commas were a part of the zone
name. Commas configured in ArubaInstant 6.5.4.x or prior versions will be used as delimiters when Instant APs
are upgraded to ArubaInstant 8.3.0.x or later.
You can configure up to six SSID zones per AP, and up to 32 SSID zones per ssid-profile. However, it is strongly
recommended not to configure multiple zones in per-AP and per-SSID profiles at the same time.