Enabling AirPrint & AirPlay on Your Network
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
Agenda
• Zeroconf Networking and Challenges
• Aruba Technology Solution
• Design, Build & Run
• AirGroup in Distributed Networks
• Scaling, Troubleshooting and Best Practices
• New AirGroup Enhancements
• Q & A
Zeroconf: Overview
• What is Zero Configuration Networking?
• Apple Bonjour
• Description of Protocols
– IP address autoconfiguration
– Multicast DNS (name resolution without DNS)
– Service Discovery
• DLNA/UPnP
– Digital Living Network Alliance
– Universal Plug and Play
– Simple Service Discovery Protocol (SSDP)
mDNS
• Used by Apple’s Bonjour implementation of Zeroconf
• Absence of a DNS Server
– Perform DNS queries via IP Multicast
– Does not require any changes to the DNS protocol (messages, resource record types, etc.)
• Multicast DNS Queries
– Uses the destination address 224.0.0.251
– Destination port: UDP 5353
– When a machine receives a response to a query, other machines on the network receive the response too and can add it to their own caches for future use.
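To make the wire-level claims on this slide concrete, here is an added Python example (not from the presentation or from Aruba) that builds the PTR query a client multicasts to 224.0.0.251:5353 for a service type such as _airplay._tcp.local and parses the PTR answers of a response, including the name-compression pointers real responders use. The response builder is a constructed stand-in for an AirPlay or AirPrint server, and the service-type names are the standard Bonjour ones, which the slide itself does not list.

```python
import struct
PTR = 12   # DNS PTR record type: the query used to enumerate service instances

def encode_name(name):
    """DNS wire encoding: length-prefixed labels (1..63 bytes each) ending in a zero byte."""
    labels = [label.encode("utf-8") for label in name.rstrip(".").split(".")]
    if any(not 0 < len(raw) < 64 for raw in labels):
        raise ValueError("label length must be 1..63 bytes")
    return b"".join(bytes([len(raw)]) + raw for raw in labels) + b"\x00"

def build_ptr_query(service, qu=False):
    """PTR query for a service type as a client sends it to 224.0.0.251:5353 (ID is 0 in mDNS;
    the QU bit, top bit of QCLASS, asks for a unicast instead of a multicast reply)."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)   # id, flags, QD, AN, NS, AR counts
    return header + encode_name(service) + struct.pack("!HH", PTR, 1 | (0x8000 if qu else 0))

def build_ptr_response(service, instance, ttl=4500):
    """Constructed reply as an AirPlay/AirPrint server would send it: one PTR answer whose
    RDATA ends in a compression pointer (0xC00C) back to the service name at offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)   # QR and AA set, one answer
    rdata = bytes([len(instance)]) + instance.encode("utf-8") + b"\xc0\x0c"
    rr = struct.pack("!HHIH", PTR, 0x8001, ttl, len(rdata)) + rdata   # class IN + cache-flush bit
    return header + encode_name(service) + rr

def decode_name(data, offset):
    """Decode a name at offset, following RFC 1035 compression pointers."""
    labels, end = [], None
    for _ in range(128):                       # bounded walk: a pointer loop must not hang the parser
        length = data[offset]
        if length & 0xC0 == 0xC0:              # 11xxxxxx: pointer to an earlier name
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else offset)
        labels.append(data[offset:offset + length].decode("utf-8"))
        offset += length
    raise ValueError("malformed name")

def parse_ptr_answers(packet):
    """Return {service: [instance names]} from the PTR answers of an mDNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:                     # QR bit clear: a query, nothing to cache
        return {}
    off = 12
    for _ in range(qd):                        # skip questions echoed in the reply
        _, off = decode_name(packet, off)
        off += 4
    found = {}
    for _ in range(an):
        name, off = decode_name(packet, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == PTR:
            found.setdefault(name, []).append(decode_name(packet, off)[0])
        off += rdlen
    return found
```

The bounded pointer walk is the defensive detail: every host on the VLAN parses these multicast packets, so a parser that follows pointers unconditionally can be stalled by a single malformed name.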
SSDP
• Used by DLNA’s UPnP
– Based on HTTPU
– Uses HTTP NOTIFY and M-SEARCH messages
• SSDP queries
– Uses the destination address 239.255.255.250
– Destination port: UDP 1900
• UPnP servers, renderers and control points
Overview
Function               UPnP            Bonjour
Discovery protocol     SSDP            mDNS
To advertise services  HTTP NOTIFY     mDNS response
To find services       HTTP M-SEARCH   mDNS query
Bonjour in the Enterprise?
[Diagram: Aruba Mobility Controller with SSID 1 (VLAN 20) and SSID 2 (VLAN 10) behind an L2/L3 network]
• Does not work across VLANs
• Increased channel utilization with multicast traffic
• No filtering of services
Bonjour in the Enterprise with AirGroup
[Diagram: Aruba Mobility Controller with SSID 1 (VLAN 20) and SSID 2 (VLAN 10) behind an L2/L3 network]
• Bonjour across VLANs
• Reduced channel utilization
• Services can be filtered
Enabling Bonjour across VLANs
1. Everybody sees everything
• Enabling Bonjour across VLANs has opened Pandora's box
2. Lack of security
• Why would my personal device be visible to others?
• How do I assign a device to be a common resource?
• Why do I need to know about a printer that is across the campus?
AirGroup Benefits:
• Context aware access control
• Personalized AirGroup experience
• Ease of installation
Aruba Mobility Controller/Instant
• Intercepts queries and builds a cache table
• Acts as a ‘proxy’ for user requests, unicasts the response
• VLAN bridging
• Traffic optimization over the air
• Allow/block services globally
Value Add with CPPM (ClearPass)
• Registration portal for end users to register their personal devices (Apple TVs, printers)
• Registration portal for network administrators to register shared devices (conference room Apple TVs, printers)
• Define a “personal AirGroup” by specifying a list of users to share devices with
• Define role and location attributes for shared devices
• Time fencing for shared devices
Putting the pieces together..
AirGroup Solution Architecture
[Diagram: network core / data center with Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager and other operations systems; at the edge, Mobility Access Switches, Campus 11n Access Points terminating on a Mobility Controller, and Instant 11n Access Points]
Use Case 1: Interactive K12 Classroom with AirGroup
[Diagram: network core / data center with Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager and other operations systems; a classroom with a teacher and students]
1. Teachers share content using the Apple TV
2. Students can share & collaborate using the Apple TV
3. Users outside this classroom cannot use this Apple TV
Use Case 2: Restricted Access University Classroom with AirGroup
[Diagram: network core / data center with Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager and other operations systems; a classroom with a teacher and students]
1. Only professors share content using the Apple TV
2. Students cannot use this Apple TV
3. Users outside this classroom cannot use this Apple TV
Use Case 3: All Wireless Office Conference Room with AirGroup
[Diagram: network core / data center with Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager and other operations systems; a conference room with an employee and a guest]
1. Employee has access to the conference room Apple TV
2. Employee shares the Apple TV with the guest for a limited duration
3. Guest is able to use the Apple TV
Use Case 4: Personal Device Access in University Dorms
[Diagram: network core / data center with Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager and other operations systems; a dorm with Student 1 and Student 2]
1. Only Student 1 can access his personal printer and Apple TV
2. Student 2 cannot use Student 1’s personal devices
3. Student 1 can share his devices with Student 2
Use Case 5: Common Device Access in a Retail Store
[Diagram: network core / data center with Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager and other operations systems; a store with Employee 1, Employee 2 and a shopper]
1. Employees can engage with visitors using the Apple TV and use print services
2. Visitors/shoppers cannot use in-store devices
Use Case 6: Per-Building Access in a Campus
[Diagram: network core / data center with Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager and other operations systems; Campus 1 with Building 1, Building 2 and Building 3]
Users in the building can use services within the building
Use Case 7: Per-Floor Access in a Hospital
[Diagram: network core / data center with Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager and other operations systems; a hospital with Floor 1 – ER and Floor 3 – General Patient Care]
• Floor 1 – ER: only doctors and nurses in the ER get access to services
• Floor 3 – General Patient Care: doctors, nurses & patients on level 3 get access to services
AirGroup Deployment Model
• Supported AirGroup deployment models
• Overlay model not supported
[Diagram, AirGroup Deployment: single controller; multiple controllers (AirGroup Domain 1, AirGroup Domain 2); single IAP cluster; multiple IAP clusters (AirGroup Domain 1, AirGroup Domain 2)]
AirGroup Deployment Model
1. The same mobility controller that terminates all APs and provides WLAN access runs the AirGroup functionality too.
2. Trunk the VLANs where wired devices like printers are connected to the AirGroup controller.
3. Can operate with or without ClearPass Policy Manager.
User Device Registration Portal with ClearPass
[Diagram: AP – Mobility Controller – ClearPass (Guest & PM)]
• User logs in using AD credentials
• Device view from a user/admin perspective
CPPM helps in providing a filtered mDNS response to users and reduces noise.
Personal Device Registration
[Screenshot of the registration portal, logged in as “Student 1”]
• What is the name of the device?
• What is the MAC of the device?
• Who else can use my “personal device”? – username
Common Device Registration based on User Name, Role or Location
[Screenshot of the registration portal, logged in as “Network Admin”]
• Where can the device be used from – “location context”? – AP name, AP MAC, AP group
• Which users can see the device – “shared with”? – usernames
• Which user group can see the device – “user role”? – user role
AirGroup Operation – Location Based Device Sharing
AirGroup servers can be shared based on the following location attributes:
1. AP Name
2. AP Group
3. AP FQLN
AirGroup Operation – Location Based Device Sharing
1. Based on AP Name
[Diagram: a building with AP1 and AP2 on Floor 1]
1. On the ClearPass registration portal, share the AirGroup printer with AP1
2. Based on ARM, AP2 is an RF neighbor of AP1
3. An iPhone associated to AP2 can now see the AirGroup printer associated to AP1
AirGroup Operation – Location Based Device Sharing
2. Based on AP Group
[Diagram: a campus with Building 1 to Building 4, each with its own AP group (AP Group 1 to AP Group 4)]
AirGroup services restricted to each building
AirGroup Operation – Location Based Device Sharing
3. Based on AP FQLN
FQLN = <ap-name>.<floor>.<building>.<campus>
[Diagram: building 1344 with an AP named AP1 on each of Floor 1, Floor 2 and Floor 3, plus AP2 on Floor 2; the Apple TV is associated to AP1]
FQLN = AP1.Floor 1.1344.Aruba
FQLN = AP1.Floor 2.1344.Aruba
FQLN = AP1.Floor 3.1344.Aruba
FQLN = AP2.Floor 2.1344.Aruba
1. On the ClearPass registration portal, share the Apple TV with FQLN = AP1.Floor 2.1344.Aruba
2. Users associated to AP1 on Floor 1 can see the Apple TV
3. Users associated to AP1 on Floor 3 can see the Apple TV
4. An iPhone on Floor 2 is associated to AP1 on Floor 3
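As an added illustration (example code, not Aruba's or ClearPass's own logic), the following Python models the attributes from the registration portal slides, the owner of a personal device, the shared-with usernames, the user role and the AP name / AP group / FQLN location context, and computes the filtered server list a client receives. How CPPM actually combines these attributes is an assumption here, as is the RF-neighbour extension for AP-name sharing taken from the ARM slide above.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Location:
    """Where a client is associated. FQLN = <ap-name>.<floor>.<building>.<campus> as on the slide."""
    ap_name: str
    floor: str
    building: str
    campus: str
    ap_group: str
    rf_neighbors: Set[str] = field(default_factory=set)   # AP names ARM reports as RF neighbours

    @property
    def fqln(self) -> str:
        return f"{self.ap_name}.{self.floor}.{self.building}.{self.campus}"

@dataclass
class AirGroupServer:
    """One registered device with the sharing attributes entered on the registration portal."""
    name: str
    service: str
    owner: Optional[str] = None                    # set for a personal device, None for a common one
    shared_with: Set[str] = field(default_factory=set)       # usernames
    shared_roles: Set[str] = field(default_factory=set)      # user roles
    shared_ap_names: Set[str] = field(default_factory=set)   # location context: AP name
    shared_ap_groups: Set[str] = field(default_factory=set)  # location context: AP group
    shared_fqlns: Set[str] = field(default_factory=set)      # location context: AP FQLN

    def is_restricted(self) -> bool:
        return bool(self.shared_with or self.shared_roles or self.shared_ap_names
                    or self.shared_ap_groups or self.shared_fqlns)

def location_matches(server: AirGroupServer, loc: Location) -> bool:
    """AP-name sharing also reaches ARM RF neighbours of the shared AP; AP group and FQLN match exactly."""
    if loc.ap_name in server.shared_ap_names or server.shared_ap_names & loc.rf_neighbors:
        return True
    return loc.ap_group in server.shared_ap_groups or loc.fqln in server.shared_fqlns

def visible(server: AirGroupServer, user: str, role: str, loc: Location) -> bool:
    """Assumed policy: a personal device is seen by its owner and the users it is shared with; a
    common device by anyone matching a username, role or location attribute (by all if none is set)."""
    if server.owner is not None:
        return user == server.owner or user in server.shared_with
    if not server.is_restricted():
        return True
    return user in server.shared_with or role in server.shared_roles or location_matches(server, loc)

def discover(servers, user: str, role: str, loc: Location):
    """The filtered server list a client receives in place of every multicast advertisement."""
    return sorted(s.name for s in servers if visible(s, user, role, loc))
```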
AirGroup Controller Configuration
[Screenshot of the controller AirGroup settings: AirGroup Enabled, Require CPPM Device Registration, CPPM Server, AirGroup CoA, Update]
..AirGroup ClearPass Configuration
[Screenshot: ClearPass reads the controller configuration]
AirGroup ClearPass Configuration
[Screenshot: controller information used for AirGroup device registration]
Single IAP Cluster
[Diagram: IAP 1, IAP 2 and IAP 3 on a LAN with an AirPrint printer (P1) and an Apple TV (TV1); SSIDs on VLAN1, VLAN2 and VLAN3; a client with role VLAN2]
• mDNS packets advertising the AirPrint service (P1) and the AirPlay service (TV1) reach the cluster
• Every IAP holds the same database: P1 – AirPrint, TV1 – AirPlay
• A client's mDNS multicast query for the AirPlay service is answered with an mDNS unicast response for TV1
Single IAP cluster with CPPM Server
[Diagram: IAP 1, IAP 2 and IAP 3 on a LAN with an AirPrint printer (P1) and an Apple TV (TV1); SSIDs on VLAN1, VLAN2 and VLAN3; CPPM performs policy enforcement]
• mDNS packets advertise the AirPrint service (P1) and the AirPlay service (TV1)
• CPPM policy enforcement: P1 is shared with X and Y; TV1 is shared with X
• Username X (SSID on VLAN2): servers discovered are P1 and TV1
• Username Y (SSID on VLAN2): server discovered is P1
Multiple IAP Clusters
[Diagram: two IAP clusters joined by a router; Swarm 1 (IAP 1, IAP 2, IAP 3 with a VC) serves the AirPrint printer (P1) and Apple TV (TV1) on SSIDs VLAN1, VLAN2 and VLAN3; Swarm 2 (IAP 4, IAP 5, IAP 6 with a VC) serves the AirPrint printer (P2) and Apple TV (TV2) on SSIDs VLAN4, VLAN5 and VLAN6]
• Database sync every 2 minutes between the virtual controllers (VC)
• After sync, each cluster holds both server lists: Swarm 1 servers (P1 AirPrint, TV1 AirPlay) and Swarm 2 servers (P2 AirPrint, TV2 AirPlay)
CPPM Server Configuration
• AirGroup CoA port – this can’t be the standard CoA port, as that port is already used by the Auth/STM server.
• CoA only – this server is only used to receive CoA packets; it is not used for MAC authorization.
AirGroup on the Mobility Access Switch
Three ways to discover wired AirGroup servers:
1. Trunk all VLANs to the AirGroup controller
2. Configure a Tunneled Node between the MAS and the AirGroup controller
3. Configure an L2 GRE tunnel and redirect mDNS packets across the tunnel
AirGroup on 3rd party switches:
• Trunk VLANs to the AirGroup controller
Impact of Broadcast Controls on AirGroup
Two broadcast control knobs:
• Broadcast-Multicast (BCMC) Optimization: VLAN specific
• Broadcast-filter-all: VAP specific
– When AirGroup is enabled, mDNS exceptions are automatically created to bypass the above knobs.
– Enabling the above controls does not affect AirGroup functionality.
AirGroup Scalability Limits
• AOS 6.3/6.4 platform limits:
• In an AirGroup domain, the total number of AirGroup users and servers is bound by the platform limit of the top-end controller.
• Hard cap on the scaling limits
• Scaling limits were defined based on CPU and memory utilization on the controller:
o (7210) # show airgroup internal-state statistics
AirGroup Server and User Limits in Controllers
Platform            3200XM  3400  3600  M3    7210  7220   7240
# AirGroup servers  500     1000  2000  2000  2000  2000   2000
# AirGroup users    1500    3000  6000  6000  9000  12000  16000
mDNS Packet Rate Limits in Controllers
Platform                          3200  3400  3600  M3  7210  7220  7240
mDNS packets received per second  10    10    20    20  20    25    30
How to Measure AirGroup Traffic..
• Before enabling AirGroup
1. If the administrator is permitting AirGroup traffic:
!
ip access-list session mdns
any any udp 5353 permit
!
To see ACL hits:
(poc-campus-mc1) #show acl hits | include mdns
2. If the administrator is denying AirGroup traffic:
!
ip access-list session mdns_deny
any any udp 5353 deny
!
To see ACL hits:
(poc-campus-mc1) #show acl hits | include mdns_deny
..How to Measure AirGroup Traffic
Steps to calculate the number of mDNS packets hitting the controller:
1. Run the show acl hits command once (say at 10am) to reset the New Hits counter. Note the time.
2. Run the command again after, say, 15 minutes and note the number of mDNS hits under New Hits. This gives the number of mDNS packets seen in 15 minutes; (# of mDNS packets)/(15*60) gives the rate of mDNS packets per second.
3. Repeat step 2 after another 15 minutes.
4. Run the test multiple times to average out the mDNS packet rate.
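Added example (not part of the deck) that carries this measurement procedure through in Python: the New Hits readings from successive runs are turned into per-interval packet rates and compared with the per-platform server, user and mDNS packet-rate caps from the scalability slide. The timestamps and hit counts in SAMPLE_READINGS are constructed.

```python
from datetime import datetime

# Hard caps from the "AirGroup Scalability Limits" slide (AOS 6.3/6.4), per controller platform:
# platform -> (AirGroup servers, AirGroup users, mDNS packets received per second)
AIRGROUP_LIMITS = {
    "3200XM": (500, 1500, 10),
    "3400": (1000, 3000, 10),
    "3600": (2000, 6000, 20),
    "M3": (2000, 6000, 20),
    "7210": (2000, 9000, 20),
    "7220": (2000, 12000, 25),
    "7240": (2000, 16000, 30),
}

# Constructed readings: the 10:00 run resets the counter, later runs report New Hits since the previous run
SAMPLE_READINGS = [
    (datetime(2014, 3, 1, 10, 0), 0),
    (datetime(2014, 3, 1, 10, 15), 9000),
    (datetime(2014, 3, 1, 10, 30), 27000),
]

def mdns_rates(samples):
    """samples: [(time, new_hits), ...] read off successive `show acl hits | include mdns` runs.
    The first run only resets the New Hits counter, so each later reading counts the packets
    seen since the previous run. Returns one packets-per-second figure per interval."""
    if len(samples) < 2:
        raise ValueError("need the reset run plus at least one later reading")
    rates = []
    for (t_prev, _), (t_now, hits) in zip(samples, samples[1:]):
        seconds = (t_now - t_prev).total_seconds()
        if seconds <= 0:
            raise ValueError("samples must be in increasing time order")
        rates.append(hits / seconds)
    return rates

def airgroup_load(platform, servers, users, rates):
    """Fraction of each platform cap consumed (above 1.0 means the cap is exceeded).
    The peak interval matters as much as the average, because the cap is a per-second rate."""
    max_servers, max_users, max_pps = AIRGROUP_LIMITS[platform]
    return {
        "servers": servers / max_servers,
        "users": users / max_users,
        "mdns_avg": (sum(rates) / len(rates)) / max_pps,
        "mdns_peak": max(rates) / max_pps,
    }

def over_limit(load):
    """Names of the caps that the measured load exceeds."""
    return sorted(k for k, v in load.items() if v > 1.0)

if __name__ == "__main__":
    load = airgroup_load("7210", 1500, 8000, mdns_rates(SAMPLE_READINGS))
    print(load, over_limit(load))
```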
AirGroup: Debugging and Logs
• AirGroup related debugging information is available under the user, system and security debug logs.
• Use the following debug levels to collect debug information for AirGroup:
• logging level debugging user process mdns
• logging level debugging system process mdns
• logging level debugging security process mdns
• Apart from the debug logs, collect the following command outputs for debugging AirGroup issues:
• show airgroup servers verbose
• show airgroup users verbose
• show airgroup cache entries
• show airgroup internal-state statistics
• Collect tech-support logs from the AirGroup controller at 2 or 3 instances spaced about 5-10 minutes apart
General Best Practices..
• AirGroup in large deployments
o Enabling all AirGroup services consumes a large amount of system resources
o Start by enabling select AirGroup services
o AirPrint, AirPlay and Chromecast services are enabled by default in AOS 6.4. For a new service to be allowed, create a custom AirGroup service.
o Start by restricting AirGroup services to the most important VLANs
o Disable the allowall service
• When deploying wired AirGroup servers, make sure that the VLANs are trunked all the way to the controller running AirGroup.
..General Best Practices
• Disable deny-inter-user firewall settings. These settings can prevent clients from communicating with each other.
• For large deployments, use CPPM to register the AirGroup servers with a location tag for better performance.
• If AirGroup is enabled on multiple controllers in a deployment that share common VLANs, configure AirGroup domains and add the controllers to the cluster.
AirGroup: AP Forwarding Mode
• AirGroup is supported only in tunnel and de-tunnel forwarding modes
• AirGroup services may break if NAT is enabled on user VLANs
AOS 6.4 AirGroup Enhancements
• AirGroup support for DLNA-based devices
• Support for virtual mDNS device configuration
• CPPM Integration
• Ability to share AirGroup services based on logical groups
• Static time fencing
• UI dashboard enhancements
• AirWave support
• Coming soon