Wireless Access

What is Multizone?

ArubaOS 8 enables multi-tenant wireless network by creating multiple secure separate networks using the same access point.

Software/Hardware:

(2x) Virtual Mobility Master (8.3.0.3)

(2x) Virtual Mobility Controller (8.3.0.3)

Topology:

For this lab I am using two Virtual Mobility Masters (vMM) and two Virtual Mobility Controllers (vMC).  Each vMM is managing a single vMC. (note: you do not need a Mobility Master for the Data Zone Mobility Controller).

Terminology:

Primary Zone - The Primary Zone is the controller on which the Multizone profile is configured.

Data Zone - The Data Zone is the controller on which a Mutizone profile is configured to connect to.

CPSec:

In order for Multizone to function CPSec will need to be enabled; with auto cert provisioning.

SSID Configuration:

For the purpose of this lab, I will be using two wireless networks.

PrimarySSID - This SSID will be configured on the Primary Zone controller and will be a PSK network.

DatazoneSSID - This SSID will, be configured on the Data Zone controller and will be a PSK network.

Advanced Profiles:

If you don't have "show advanced profiles" enabled you will need to do this.  The setting can be enabled from the User > Preferences.

Primary Zone Multizone Profile Configuration:

Create a new AP multizone profile for the primary zone; configure the number of Primary Zone VAPS and the number of Primary Zone Nodes.

In this lab I have configured 1 VAP and 1 Node, as i only have one Primary Zone vMC, and only 1 Access Point that i am using. (If you have more AP's in the Primary Zone AP group then you would increment the VAPS number to the AP count.  The Same would go for the Nodes, i.e. if you have a cluster of MC's).

For the Data Zone controller IP, configure the zone number (as you can have multiple zones).  Configure the IP address if the Data Zone MC (this could be the MC IP or the VIP of a cluster).  

Primary Zone AP Group Configuration:

For the Primary Zone AP group, I have added the PrimarySSID.

Primary Zone AP Group Multizone Profile:

In order to complete the configuration of the Primary Zone AP Group the multizone profile that was configured earlier needs to be applied.

Data Zone AP Group Configuration:

On the Data Zone AP Group I have added the DatazoneSSID. (Note: no multizone profile is required on the Data Zone vMC AP Group).

CLI Output:

Now that the above has been configured, the Primary Zone AP will now start to broadcast the Data Zone wireless network.  (Note: this can take a couple of minutes).  On the Data Zone vMC you will now be able to notice that there is an AP connected.

From the CLI we can validate that that the Datazone SSID is part of the datazone.

Thanks for the guide.

Hi Matthew!

I've never done this, just trying to read me up on the config elements.
I know it's a year since you wrote this post, but this post show up in Google so - how about you update and elaborate it a bit further?

Like
Mobility Master and RFP license on PrimaryZone is a pre-req for Multi-Zone
No license needed on the DataZone controller
AP-group names on both Controllers need to be an exact match
Datazone controller MUST be standalone or configured by different MM than the Primary

Hi,

I configured for multizone my two controllers but I got this error on datazone controller log. And The AP is down on datazone controller dashboard. Why i got this error messages ?

Apr 2 18:58:37 stm[5372]: <305047> <5372> <WARN> |stm| Dropping unsecure SAP message type STATUS_REPORT from AP at 192.168.80.76 (MAC address 00:00:00:00:00:00)

Thanks for the doc! However, according to https://www.arubanetworks.com/techdocs/ArubaOS_85_Web_Help/Content/arubaos-solutions/multizone/conf-mult-zone.htm?Highlight=multizone it seems that the number of VAP actually refers to the number of SSID instead of the number of AP?