Aruba MultiZone is a capability in ArubaOS 8 that allows an AP to establish tunnels to multiple Mobility Controllers (MCs) residing in different zones. One of the most likely use cases for MultiZone is to have a single AP terminate a corporate SSID on an MC inside the corporate LAN and terminate a guest SSID on an MC inside a DMZ segment that a firewall isolates from the corporate LAN. The point of that design is that guest traffic is tunneled from the AP straight to the DMZ controller and never terminates on a controller in the corporate network. Another possible use case is a multi-tenancy environment. There are certainly more, but it’s important to think about why a feature would be used before deploying it.
The MultiZone feature uses the concept of a zone to represent a Mobility Controller, or controller cluster, under a single administrative domain where tunnels are terminated. The Primary Zone (PZ) contains the MC with which the AP establishes a tunnel after it boots in order to download its configuration. If configured, the AP configuration will contain a MultiZone profile which includes one or more Data Zones (DZ). The PZ MC retains full control of the AP and is responsible for the AP configuration, including RF parameters. The DZ MC is only capable of configuring VAPs (SSIDs); it cannot change any other configuration, upgrade, or reboot the AP. If the DZ MC fails, the AP remains online and continues advertising the PZ VAPs. If the PZ MC fails, the AP will no longer advertise the DZ VAPs.
Some key considerations to think about when preparing for a MultiZone deployment include:
- The PZ and DZ MCs must run the same version of AOS
- The PZ and DZ MCs cannot be managed by the same Mobility Master (MM)
- The PZ MC requires RF Protect (RFP) licensing to support MultiZone
- The DZ MC does not require any specific licensing*
- A MultiZone Profile may contain:
  - One PZ (where the profile is created) and up to four DZs
  - Up to 12 MCs total across all zones **
  - Up to 16 VAPs (SSIDs) per radio total across all zones
- Only one MultiZone Profile can be applied to an AP Group or AP
*Although the DZ MC does not require AP licensing, if you intend to apply firewall policies to the tunneled traffic a Policy Enforcement Firewall Next Generation (PEF-NG) license is required on the DZ MC.
Now let’s take a look at how to set up a MultiZone. The first step is to create the MultiZone Profile. After logging into the MM and selecting the desired hierarchy level, navigate to Configuration > System > Profiles > AP > AP multizone and click the + button to create a new AP multizone profile.
Enter a name for the profile and click the + button to add a Data Zone.
Enter the details for the Data Zone, keeping in mind the restrictions listed above (number of zones, MCs, and VAPs).
Once you have configured the necessary Data Zones, be sure to check the Enable/disable multizone box to enable MultiZone for this profile. When you are finished, click Submit, Pending Changes, and Deploy Changes.
Now that the MultiZone profile is configured it must be applied to an AP Group. Once you have selected the appropriate level within the hierarchy, navigate to Configuration > AP Groups > [ap-group] > Profiles > AP > AP multizone and select the MultiZone profile from the drop-down menu. When you are finished, click Submit, Pending Changes, and Deploy Changes.
If the Profiles tab does not appear in the AP Group, click the username in the upper right-hand corner of the dashboard, select Preferences, and check the box to Show advanced profiles.
It’s very important to ensure the Data Zone MC has a matching AP Group; the name must match exactly and is case-sensitive. The AP(s) will also need to be added to the whitelist on the DZ MC in order to join it, and if CPsec is enabled you will most likely need to enable auto cert provisioning so the DZ MC will issue certificates to APs it has never seen. Treat auto cert provisioning as a bootstrap setting: it accepts any AP that presents itself, so turn it back off once the expected APs have been certified and rely on the whitelist from then on.
To validate the MultiZone configuration, first confirm that the APs connected to the PZ MC also appear on the DZ MC by running show ap database there and checking that each AP has the “z” flag, which indicates a DZ AP.
To validate that the correct MultiZone Profile has been applied to an AP, issue the “show ap debug multizone ap-name [ap-name]” command and check the number of VAPs and MCs allowed.
We can validate the GRE tunnels established to the DZ MC by running the “show datapath tunnel table” command as shown below.
In this example I have two APs in the AP Group, with two VAPs allowed as defined in the MultiZone profile. If I filter the output using “| include 10.2.30.2” we can focus on the tunnels established by AP2 (note that include is a substring match, so an address such as 10.2.30.22 would match as well; pick a filter that is unambiguous for your addressing).
In this case we see the following tunnels:
- Type 9000: GRE heartbeat tunnel
- Type 82x0: one for each VAP on radio 0 (2.4 GHz)
- Type 83x0: one for each VAP on radio 1 (5 GHz)
- Type IPSE: related to IPsec functions
We can confirm that the profile limit on VAPs is in effect by using the following commands on the DZ MC:
- show profile-list wlan virtual-ap
  - Lists all the VAP profiles configured on the DZ MC
- show ap-group [ap-group]
  - Confirm all 3 VAP profiles are assigned to the AP Group associated with the MultiZone configuration
- show ap essid
  - Confirm only 2 VAPs are active on the APs, as restricted by the MultiZone profile
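The checks above are easy to eyeball for two APs but tedious for a site with dozens. As an added example (not code from the original post or from Aruba), here is a small Python validator that applies the same two checks to saved CLI output: it reads the “z” flag from show ap database on the DZ MC, then counts the tunnel types in show datapath tunnel table for each DZ AP and compares the per-radio VAP tunnel count against the limit in the MultiZone profile. Both sample outputs are constructed to resemble ArubaOS output; the column labels and layout are an assumption, so adjust the header labels if your controller prints them differently.

```python
"""Validate Aruba MultiZone state from saved CLI output (added example).

Assumptions (not from the original post): the column labels and layout of
the two constructed samples below resemble, but are not guaranteed to match,
real ArubaOS output. The table parser keys on header positions, so only the
label list needs to change if a real controller's columns differ.
"""
import re
from collections import Counter

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample of 'show ap database' on the DZ MC. The 'z' flag marks a
# Data Zone AP; AP3 deliberately lacks it to show how a non-DZ AP is treated.
SHOW_AP_DATABASE = """\
AP Database
-----------
Name  Group    AP Type  IP Address  Status     Flags  Switch IP
----  -----    -------  ----------  ------     -----  ---------
AP1   MZ-TEST  315      10.2.30.1   Up 2h:10m  z      10.1.10.5
AP2   MZ-TEST  315      10.2.30.2   Up 2h:09m  z      10.1.10.5
AP3   MZ-TEST  315      10.2.30.3   Up 1d:03h         10.1.10.5
"""

# Constructed sample of 'show datapath tunnel table' on the DZ MC, trimmed to
# the columns this check needs. Type values follow the post: 9000 heartbeat,
# 82x0 one per VAP on radio 0, 83x0 one per VAP on radio 1, IPSE for IPsec.
SHOW_DATAPATH_TUNNEL_TABLE = """\
Datapath Tunnel Table Entries
-----------------------------
Source       Destination  Prt  Type  MTU   VLAN  Flags
-----------  -----------  ---  ----  ----  ----  -----
10.1.10.5    10.2.30.1    47   9000  1500  0     TE
10.1.10.5    10.2.30.1    47   8200  1500  30    TE
10.1.10.5    10.2.30.1    47   8210  1500  31    TE
10.1.10.5    10.2.30.1    47   8300  1500  30    TE
10.1.10.5    10.2.30.1    47   8310  1500  31    TE
10.1.10.5    10.2.30.1    50   IPSE  1500  0     E
10.1.10.5    10.2.30.2    47   9000  1500  0     TE
10.1.10.5    10.2.30.2    47   8200  1500  30    TE
10.1.10.5    10.2.30.2    47   8210  1500  31    TE
10.1.10.5    10.2.30.2    47   8300  1500  30    TE
10.1.10.5    10.2.30.2    47   8310  1500  31    TE
10.1.10.5    10.2.30.2    50   IPSE  1500  0     E
"""

AP_DB_COLUMNS = ["Name", "Group", "AP Type", "IP Address", "Status", "Flags", "Switch IP"]

# Tunnel Type column -> category, using the patterns from the post.
TUNNEL_KIND = [
    (re.compile(r"^9000$"), "heartbeat"),
    (re.compile(r"^82.0$"), "radio0_vap"),
    (re.compile(r"^83.0$"), "radio1_vap"),
    (re.compile(r"^IPSE$"), "ipsec"),
]


def parse_fixed_width(text, columns):
    """Split a fixed-width CLI table into dicts keyed by column label.

    Column boundaries come from the header line that carries every label, so
    rows are sliced by position rather than split on whitespace. That keeps a
    cell like 'Up 2h:10m' whole and survives an empty Flags cell.
    """
    lines = text.splitlines()
    header = next(l for l in lines if all(c in l for c in columns))
    starts, pos = [], 0
    for label in columns:           # sequential find avoids 'IP' matching twice
        pos = header.index(label, pos)
        starts.append(pos)
        pos += len(label)
    bounds = list(zip(starts, starts[1:] + [None]))
    rows = []
    for line in lines[lines.index(header) + 1:]:
        if not line.strip() or line.lstrip().startswith("-"):
            continue                # skip blank lines and the dashed underline
        rows.append({c: line[a:b].strip() for c, (a, b) in zip(columns, bounds)})
    return rows


def dz_aps(ap_database_output):
    """Return {name: ip} for every AP that carries the 'z' (Data Zone) flag."""
    return {r["Name"]: r["IP Address"]
            for r in parse_fixed_width(ap_database_output, AP_DB_COLUMNS)
            if "z" in r["Flags"]}


def tunnels_for_ap(tunnel_table_output, ap_ip):
    """Count tunnel categories for one AP, matching the address exactly
    (unlike '| include', which would also match 10.2.30.22 for 10.2.30.2)."""
    counts = Counter()
    for line in tunnel_table_output.splitlines():
        f = line.split()
        if len(f) < 4 or not (IPV4.match(f[0]) and IPV4.match(f[1])):
            continue                # header, underline or blank line
        if ap_ip not in (f[0], f[1]):
            continue
        kind = next((k for pat, k in TUNNEL_KIND if pat.match(f[3])), "other")
        counts[kind] += 1
    return counts


def check_vap_limit(counts, allowed_vaps):
    """True when the heartbeat tunnel is up and neither radio carries more
    VAP tunnels than the MultiZone profile allows."""
    return (counts["heartbeat"] == 1
            and counts["radio0_vap"] <= allowed_vaps
            and counts["radio1_vap"] <= allowed_vaps)


def validate(ap_database_output, tunnel_table_output, allowed_vaps):
    """Map each DZ AP name to (tunnel counts, passes-limit-check)."""
    result = {}
    for name, ip in dz_aps(ap_database_output).items():
        counts = tunnels_for_ap(tunnel_table_output, ip)
        result[name] = (counts, check_vap_limit(counts, allowed_vaps))
    return result


if __name__ == "__main__":
    for name, (counts, ok) in validate(SHOW_AP_DATABASE, SHOW_DATAPATH_TUNNEL_TABLE, 2).items():
        print(name, dict(counts), "OK" if ok else "CHECK")
```

Run it against the two files captured from the DZ MC and a CHECK line means either a DZ AP with no heartbeat tunnel (the AP is whitelisted and flagged but has not actually built its tunnel) or a radio carrying more VAP tunnels than the profile permits, which is exactly the condition the show ap essid step is meant to catch by eye.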
I hope this post was helpful in understanding what MultiZone is, what its important limitations are, how to configure it, and how to validate the configuration.