Apple Bonjour Services on the Cisco mdns Enabled Controllers

Similar documents
Wireless LAN Apple Bonjour Deployment Guide

solution guide DLNA, AIRPLAY AND AIRPRINT ON CAMPUS NETWORKS

The Extreme Networks Solution for Apple Bonjour Traffic Management A SOLUTION WHITE PAPER

Deploying Cisco Basic Wireless LANs WDBWL v1.1; 3 days, Instructor-led

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

Apple Airport Extreme Base Station V4.0.8 Firmware: Version 5.4

CCT vs. CCENT Skill Set Comparison

Web Authentication Proxy on a Wireless LAN Controller Configuration Example

Enabling Apple AirPrint with Your Xerox Device Built on ConnectKey Technology. A White Paper

XenMobile Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

Interconnecting Cisco Network Devices 1 Course, Class Outline

MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

How To Use An Ipad Wireless Network (Wi Fi) With An Ipa (Wired) And An Ipat (Wired Wireless) Network (Wired Wired) At The Same Time

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

ipad Deployment Guide

VIA CONNECT PRO Deployment Guide

ProSAFE 8-Port and 16-Port Gigabit Click Switch

Design and Implementation Guide. Apple iphone Compatibility

On-boarding and Provisioning with Cisco Identity Services Engine

VLANs. Application Note

VIA COLLAGE Deployment Guide

Aerohive Networks Inc. Free Bonjour Gateway FAQ

The Wireless Network Road Trip

Virtual Networking Features of the VMware vnetwork Distributed Switch and Cisco Nexus 1000V Series Switches

IP Addressing and Subnetting. 2002, Cisco Systems, Inc. All rights reserved.

Automatic Configuration and Service Discovery for Networked Smart Devices

Classroom Management network FAQ and troubleshooting

Course Syllabus. Fundamentals of Windows Server 2008 Network and Applications Infrastructure. Key Data. Audience. Prerequisites. At Course Completion

VLAN 802.1Q. 1. VLAN Overview. 1. VLAN Overview. 2. VLAN Trunk. 3. Why use VLANs? 4. LAN to LAN communication. 5. Management port

ios Education Deployment Overview

INTERCONNECTING CISCO NETWORK DEVICES PART 1 V2.0 (ICND 1)

Cisco Certified Network Associate Exam. Operation of IP Data Networks. LAN Switching Technologies. IP addressing (IPv4 / IPv6)

Managing the BYOD Evolution

> Technical Configuration Guide for Microsoft Network Load Balancing. Ethernet Switch and Ethernet Routing Switch Engineering

VIA HOW TO CONFIGURE A DMZ FOR SECURE COLLABORATION KRAMER WHITE PAPER. By Lars Duziack

How To Configure Voice Vlan On An Ip Phone

Crestron Electronics, Inc. AirMedia Deployment Guide

Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

Top-Down Network Design

ProSafe Plus Switch Utility

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

WiNG5 CAPTIVE PORTAL DESIGN GUIDE

HARTING Ha-VIS Management Software

Quick Start Guide. WAP371 Wireless AC/N Dual Radio Access Point with Single Point Setup Quick Start Guide. Cisco Small Business

Good MDM Integration with Cisco Identity Service Engine. Secure Access How -To Guides Series

Can PowerConnect Switches Be Used in IP Multicast Networks?

Cisco - Configure the 1721 Router for VLANs Using a Switch Module (WIC-4ESW)

Juniper / Cisco Interoperability Tests. August 2014

What communication protocols are used to discover Tesira servers on a network?

Course Contents CCNP (CISco certified network professional)

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Lab Diagramming Intranet Traffic Flows

Juniper Networks EX Series/ Cisco Catalyst Interoperability Test Results. May 1, 2009

Penn State Wireless 2.0 and Related Services for Network Administrators

CCNA R&S: Introduction to Networks. Chapter 5: Ethernet

Cisco Mobility Express Bundle. S&L Webinar

TamoSoft Throughput Test

TrustSec How-To Guide: On-boarding and Provisioning

ADDENDUM 12 TO APPENDIX 8 TO SCHEDULE 3.3

BYOD: BRING YOUR OWN DEVICE.

Phone: Fax: Box: 230

CT5760 Controller and Catalyst 3850 Switch Configuration Example

TECHNICAL NOTE. GoFree WIFI-1 web interface settings. Revision Comment Author Date 0.0a First release James Zhang 10/09/2012

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

Lab - Using IOS CLI with Switch MAC Address Tables

LabQuest 2 Networking

Cisco Unified Access Technology Overview: Converged Access

Configuring QoS in a Wireless Environment

Lab Testing Summary Report

Digi Connect WAN Application Guide Using the Digi Connect WAN and Digi Connect VPN with a Wireless Router/Access Point

Quick Start Guide. WRV210 Wireless-G VPN Router with RangeBooster. Cisco Small Business

Cisco Discovery 3: Introducing Routing and Switching in the Enterprise hours teaching time

New DNS Technologies in the LAN

Cisco IOS Flexible NetFlow Command Reference

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01

Configuring DHCP Snooping

TECHNICAL WHITEPAPER. Author: Tom Kistner, Chief Software Architect. Table of Contents

Networks - EtherNet IP Course (Version 5.1)

Configuring the Device for Access Point Discovery

Overview of Network Traffic Analysis

Cisco Networking Professional-6Months Project Based Training

Efficient Video Distribution Networks with.multicast: IGMP Querier and PIM-DM

Three Key Design Considerations of IP Video Surveillance Systems

Cisco TrustSec How-To Guide: Guest Services

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

How To Understand and Configure Your Network for IntraVUE

Bring Your Own Design: Implemen4ng BYOD Without Going Broke or Crazy. Eric Stresen- Reuter Technical Director Ruckus Wireless

Introduction to Network Operating Systems

District of Columbia Courts Attachment 1 Video Conference Bridge Infrastructure Equipment Performance Specification

Securing end devices

Constraining IP Multicast in a Switched Ethernet Network

hp ProLiant network adapter teaming

Network Agent Quick Start

Personal Firewall Default Rules and Components

- Multicast - Types of packets

Wireless Local Area Networks (WLANs)

Configuring the Fabric Interconnects

How Much Broadcast and Multicast Traffic Should I Allow in My Network?

Transcription:

Last Modified: December 24, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

2014 Cisco Systems, Inc. All rights reserved.

CONTENTS CHAPTER 1 Overview 1 CHAPTER 2 Cisco Bonjour Gateway Solution 3 CHAPTER 3 Bonjour Deployment using mdns Gateway 5 CHAPTER 4 mdns services with Wired Bonjour Devices 7 CHAPTER 5 LSS (Location Specific Services) and mdns AP 9 mdns AP 10 CHAPTER 6 Bonjour mdns enhancements in Phase III rel 8.0 13 Introduction to Bonjour Policies 13 Client Context Attributes 14 mdns Profile Attached to Local Policies 14 CHAPTER 7 (Optional) Cisco Prime Infrastructure Portal for Modifying User Access privileges per Service Instance 17 CHAPTER 8 Summary of Features by Release 21 iii

Contents iv

CHAPTER 1 Overview Bonjour is Apple's version of Zeroconf - it is mdns with DNS-SD. Apple devices will advertise their services via IPv4 and IPv6 simultaneously (IPv6 link local and Globally Unique). The Bonjour protocol operates on service announcements and service queries which allow devices to ask and advertise specific applications such as: Printing Services File Sharing Services Remote Desktop Services itunes Wireless idevice Syncing (in Apple ios v5.0 - v7.0) AirPlay offering the following streaming services: Music broadcasting in ios v4.2 v7.0 Video broadcasting in ios v4.3 v7.0 Full screen mirroring in ios v5.0 v7.0 (ipad2, iphone4s or later) Each query or advertisement is sent to the Bonjour multicast address for delivery to all clients on the subnet. Apple's Bonjour protocol relies on mdns (Multicast DNS) operating at UDP port 5353 and sent to the following reserved group addresses: IPv4 Group Address 224.0.0.251 IPv6 Group Address FF02::FB The addresses used by the Bonjour protocol are link-local multicast addresses and thus are only forwarded on the local L2 domain. Routers cannot use multicast routing to redirect the traffic because the time to live (TTL) is set to one, and link-local multicast is meant to stay local by design. 1

Overview 2

CHAPTER 2 Cisco Bonjour Gateway Solution From 7.4 release WLC supports Bonjour gateway functionality on WLC itself for which you need not even enable multicast on the controller. The WLC will snoop all Bonjour discovery packets and will not forward the same on AIR or Infra network. Bonjour is Apple's version of Zeroconf - it is mdns with DNS-SD. Apple devices will advertise their services via IPv4 and IPv6 simultaneously (IPv6 link local and Globally Unique). To address this issue Cisco WLC acts as a Bonjour Gateway. The WLC listens for Bonjour services and by caching those Bonjour advertisements (AirPlay, AirPrint etc.) from the source/host e.g. AppleTV and responding back to Bonjour clients when they ask/request for a service. The following illustrates this process. Step 1 The Controller listens for the Bonjour services. Step 2 The WLC then cache those Bonjour services. 3

Cisco Bonjour Gateway Solution Step 3 Listens for the client queries for services. Step 4 The WLC sends a unicast response to the client queries for Bonjour services. 4

CHAPTER 3 Bonjour Deployment using mdns Gateway From 7.4 release WLC supports Bonjour gateway functionality on WLC itself. WLC will snoop all Bonjour discovery packets and will not forward the same on AIR or Infra network thus minimizing the traffic flow and increasing overall network performance on both wired and wireless or over the air networks. In addition to creating the mdns Gateway that supports a total of the 6400 services and up to 16000 services on the high end controllers, network admin can create Bonjour Policy Profiles to manage the services and their access. Bonjour Policy Profile is a list of allowed network applications such as AirPlay or Printing and can be enforced on the WLAN, VLAN or on the Interface Group. Also the Bonjour service profile provides filtering to allow only certain WLANs, Interfaces or Interface Groups to access specific service types. Only one mdns profile can be applied to one WLAN. 5

Bonjour Deployment using mdns Gateway 6

CHAPTER 4 mdns services with Wired Bonjour Devices mdns Gateway as illustrated below supports both wireless and wired Bonjour Devices. In most scenarios, some Bonjour devices may be directly connected to the switch or device. Bonjour services can be accessed even when the Bonjour device is connected via an Ethernet cable on a network. 7

mdns services with Wired Bonjour Devices 8

CHAPTER 5 LSS (Location Specific Services) and mdns AP In release 7.5 additional Bonjour enhancements were added on the WLC. One of them is processing of mdns service advertisements to support LSS. Basically all valid mdns service advertisements received at the WLC will be tagged with the MAC address of the AP associated with the service advertisement from the Service Provider device, so in essence only clients connected to the same AP as the SP will have access to that service. LSS only applies to wireless SP-DB entries. There is no location awareness for wired SP devices. To summarize, LSS filtering applies only to wireless SP-DB entries. Wireless SP-DB entries are filtered based on the AP-NEIGHBOR-LIST if LSS is enabled for the service. Only client in the same RF neighborhood as the service provider will be granted permission to use that service The location of clients and service providers is established by the MAC address of their associated AP's. The RRM DB provides the list of neighboring AP for any given AP and this information will be acted upon while filtering the SP-DB wireless entries in response to mdns queries originating from wireless clients. For Wired clients / service providers there is no sense of location that could be applied similarly and so the wired SP-DB entries cannot be filtered similarly. Below is the network diagram of LSS enabled Bonjour gateway. When the client query for the service the WLC using the client AP MAC address look up the RRM DB for the neighbor AP-list and filter the SP-DB for the service with the service provider's associate with the AP-list while responding to the query. 9

mdns AP LSS (Location Specific Services) and mdns AP mdns AP, page 10 mdns AP Bonjour mdns as mentioned earlier, is a link local multicast and thus forwarded on Local L2 domain. Therefore mdns services behind the Router or not L2 adjacent will not be seen by WLC in release 7.4 as illustrated below. In release 7.5 the mdns AP was added as enhancement and to correct the mdns L2 limitations. mdns AP has the ability to snoop wired Services on VLANs invisible to WLC This enhancement allows the controller to have the visibility of wired service providers, which are on VLANs that are not visible to the controller. VLAN visibility at the WLC is achieved by APs forwarding the mdns advertisements to the controller. The maximum number of VLANs that AP can snoop is 10. 10

LSS (Location Specific Services) and mdns AP mdns AP This feature is supported on local and monitor mode AP. 11

mdns AP LSS (Location Specific Services) and mdns AP 12

CHAPTER 6 Bonjour mdns enhancements in Phase III rel 8.0 Introduction to Bonjour Policies, page 13 Client Context Attributes, page 14 mdns Profile Attached to Local Policies, page 14 Introduction to Bonjour Policies Starting 8.0 release; the following new capabilities will be added to the Bonjour Services Directory functionality: Ability to apply granular access policies per unique service instance Ability to apply granular access policies based upon user-groups so two users can have differentiated access even though they are connected to the same SSID and get and IP address from the same VLAN Ability to define granular location per wired as well as wireless Bonjour Service(per Access Point or AP Group) In release 8.0 the IT administrators can define how the service instance is shared, which is articulated as "service instance is shared with whom" i.e. user-id, "service instance is shared with which role/s" i.e. client-role and "what is the location allowed to access the service instance" i.e. client location. This configuration can be applied to wired and wireless service instances and the response to any query will solely be based on the policy configured for each service instance. This allows selective sharing of service instances based on the location, user-id or role. Several customers have expressed preference to connect their Apple TV via the wired ethernet connection due to 802.1x capabilities. The 8.0 release allows filtering of wired services at par with wireless service instances. While mdns profile associated with the client checks for service type being queried before responding to the query, the access policy further allows filtering of specific service instances based on querying client location and role or user-id. With Bonjour access policy there will now be two levels of filtering client queries, one (1) at the service type level by using the mdns profile and then (2) at the service instance level using the access policy associated with the service each instance. A service instance or a set of service instances discovered and cached by the WLC could be associated with an access policy filter which acts like a lens that determines which clients and what kind of client context [ role or user-id ] can see and access the service instance. Bonjour access policy filters can be configured for specific service instances identified by the MAC address of the devices publishing the services. 13

Client Context Attributes Bonjour mdns enhancements in Phase III rel 8.0 Bonjour access policy is associated with a service group name which is composed of one or more MAC addresses of the devices publishing Bonjour services. The service group name is then attached to the service instance when it is discovered and cached at the WLC. While traversing the list of service instances in response to a client query each instance will be evaluated to verify if the querying client location, role or user-id are allowed access to the service instance before including the same in the response. Currently we support a maximum of 5 service groups for a single MAC address. Client Context Attributes Any client initiating an mdns query can be associated with a set of attributes that describe the context of the client and attributes like "location" can change dynamically when clients move to a different location. The user can formulate a rule by combining attributes with logical OR operations and attach the rule to the policy. A policy is composed of one single rule, even though we could provision for multiple rules. mdns Profile Attached to Local Policies Just like all clients associated with a SSID pick the same Bonjour profile and allow the services configured for the profile, a Bonjour profile could be attached to a local policy for a client with a particular device type and ensure each policy can be configured with a different mdns profile name to restrict the policy from being able to use the services allowed by the profile. Eventually the device gets access to the service instance based on the access policy tagged to the specific service instance. There are two levels of filtering: Local policy just decides/controls if the service type is allowed or not Bonjour access policy for the specific service instance will eventually decide if the client can use the service. 14

Bonjour mdns enhancements in Phase III rel 8.0 mdns Profile Attached to Local Policies Summary: As shown in the examples above Teacher will have access to certain Apple TVs such as : Apple TV 1 and Apple TV 2 in specific location. Student based on the policy designed will have only access to the Apple TV2 in specific location. Guest User will not have access to any services on this WLAN. 15

mdns Profile Attached to Local Policies Bonjour mdns enhancements in Phase III rel 8.0 16

CHAPTER 7 (Optional) Cisco Prime Infrastructure Portal for Modifying User Access privileges per Service Instance Another enhancement added in PI 2.2 is the capability of the Administrator or another pre-provisioned user to manage access privilege per service instance via the Cisco Prime Infrastructure portal. Imagine if the IT Administrator of a school allows each teacher privileges to access the Apple TVs in each classroom. Now in a particular class if a teacher wants to allow a student access to the Apple TV in that classroom; he/she can do so using the mdns Policy Admin portal within PI. i.e. Student gets access to one specific Service Instance as oppose to all services the teacher has via the new PI Portal. This grant can be time specific and applied to multiple controllers. 17

(Optional) Cisco Prime Infrastructure Portal for Modifying User Access privileges per Service Instance 18

(Optional) Cisco Prime Infrastructure Portal for Modifying User Access privileges per Service Instance The policies can be very specific down to a specific service that the user can use. 19

(Optional) Cisco Prime Infrastructure Portal for Modifying User Access privileges per Service Instance 20

CHAPTER 8 Summary of Features by Release WLC 7.4 WLC 7.5 WLC 8.0 Bonjour Gateway Limit mdns Over Air Manage Bonjour Services on VLAN or WLAN Manage Bonjour Services in Profiles Manage Wireless Bonjour Services by Location Manage Bonjour SP with mdns AP Manage Bonjour Wired and Wireless Services by Location Manage Bonjour Services by Rule User Assigned Bonjour Services WLC 8.0 + Pi 2.1 Manage Bonjour Services by Name Manage Bonjour Services by Device WLC 8.0 + ISE 1.2 21

Summary of Features by Release 22

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information