Enabling AirPrint and AirPlay on your Network
March, 2014
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Agenda
• Zeroconf Networking and Challenges
• Aruba Technology Solution
• Design, Build & Run
• AirGroup in Distributed Networks
• Scaling, Troubleshooting and Best Practices
• New AirGroup Enhancements
• Q & A
Zeroconf Networking and Challenges
Zeroconf: Overview
• What is Zero Configuration Networking?
• Apple Bonjour
• Description of Protocols
– IP Address Auto configuration
– Multicast DNS (name resolution without DNS)
– Service Discovery
• DLNA/UPnP
– Digital Living Network Alliance
– Universal Plug and Play
– Simple Services Discovery Protocol (SSDP)
mDNS
• Used by Apple’s Bonjour implementation of Zeroconf
• Absence of a DNS server
– Perform DNS queries via IP multicast
– Does not require any changes to the DNS protocol (messages, resource record types, etc.)
• Multicast DNS queries
– Uses the destination address 224.0.0.251
– Destination port: UDP 5353
– When a machine receives a response to a query, other machines on the network receive the response too and can add it to their own caches for future use.
SSDP
• Used by DLNA’s UPnP
– Based on HTTPU
– Uses HTTP NOTIFY and M-SEARCH messages
• SSDP queries
– Uses the destination address 239.255.255.250
– Destination port: UDP 1900
• UPnP servers, renderers and control points

Overview
Function               UPnP           Bonjour
Discovery protocol     SSDP           mDNS
To advertise services  HTTP NOTIFY    mDNS response
To find services       HTTP M-SEARCH  mDNS query
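The two discovery protocols in the table above differ mostly in encoding: mDNS reuses the binary DNS wire format (including name compression pointers) on 224.0.0.251:5353, while SSDP sends HTTP-style text over UDP to 239.255.255.250:1900. The following is an added example, not code from the deck or from Aruba, that builds an mDNS PTR query and response and an SSDP M-SEARCH in memory and parses them back; the service and instance names are constructed, and nothing is transmitted.

```python
"""Build and parse the two discovery messages compared in the table above:
an mDNS query/response (Bonjour) and an SSDP M-SEARCH (UPnP).

Added example, not from the deck. Sample bytes are constructed in memory and
nothing is sent, so it runs offline. Group addresses and ports come from the
slides; the service names are constructed.
"""
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
TYPE_PTR = 12          # DNS record type used for service enumeration


def encode_name(name):
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("utf-8"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def build_mdns_query(service):
    """One PTR question for the service, sent to 224.0.0.251:5353.
    Header: id 0, flags 0 (standard query), QDCOUNT 1; class IN (0x0001)."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, 0x0001)


def build_mdns_ptr_response(service, instance, ttl=4500):
    """Answer to the query: flags 0x8400 (response, authoritative), one PTR
    record whose RDATA is "<instance>" plus a pointer back to the service
    name at offset 12. PTR records are shared, so the cache-flush bit stays clear."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    name = encode_name(service)                        # sits at offset 12
    inst = instance.encode("utf-8")
    rdata = struct.pack("B", len(inst)) + inst + struct.pack("!H", 0xC000 | 12)
    rr = name + struct.pack("!HHIH", TYPE_PTR, 0x0001, ttl, len(rdata)) + rdata
    return header + rr


def parse_mdns_response(data):
    """Return [(name, type, ttl, value)] for every resource record. Any host
    on the segment can run this on a multicast reply and cache the result,
    which is the 'other machines receive the response too' behaviour."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):                                # skip any echoed questions
        _, offset = decode_name(data, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        value = decode_name(data, offset)[0] if rtype == TYPE_PTR else data[offset:offset + rdlen]
        records.append((name, rtype, ttl, value))
        offset += rdlen
    return records


def build_ssdp_msearch(st="ssdp:all", mx=2):
    """HTTPU: HTTP request syntax over UDP to 239.255.255.250:1900."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {st}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_ssdp(message):
    """Split an SSDP request/notification into its start line and headers."""
    head = message.decode("ascii", "replace").split("\r\n\r\n", 1)[0]
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().upper()] = value.strip()
    return start_line, headers
```

Because both queries are multicast and unauthenticated, every host on the VLAN sees every query and answer; that is the "everybody sees everything" property the following slides set out to control.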
Bonjour in the Enterprise?
Diagram: two SSIDs on an Aruba Mobility Controller, SSID 1 (VLAN 20) and SSID 2 (VLAN 10), separated at L2/L3; Bonjour multicast is sent over the air at 6 Mbps.
• Does not work across VLANs
• Increased channel utilization with multicast traffic
• No filtering of services
Aruba Technology Solution
Bonjour in the Enterprise with AirGroup
Diagram: the same two SSIDs, SSID 1 (VLAN 20) and SSID 2 (VLAN 10), on an Aruba Mobility Controller running AirGroup; responses are delivered at the unicast rate instead of the 6 Mbps multicast rate.
• Bonjour across VLANs
• Reduced channel utilization
• Services can be filtered
Enabling Bonjour across VLANs
1. Everybody sees everything
• Enabling Bonjour across VLANs has opened up Pandora's box
2. Lack of security
• Why would my personal device be visible to others?
• How do I assign a device to be a common resource?
• Why do I need to know about a printer that is across the campus?
AirGroup Benefits:
• Context aware access control
• Personalized AirGroup experience
• Ease of installation
Aruba Mobility Controller/Instant
Intercepts queries and builds cache table
Acts as a ‘proxy’ for user requests, unicasts response
VLAN Bridging
Traffic optimization over the air
Allow/Block services globally
Value Add with CPPM
Registration portal for end users to register their personal devices (Apple TVs, Printers)
Registration portal for network administrators to register shared devices (conference room Apple TVs, Printers)
Define a “personal AirGroup” by specifying a list of users to share devices with.
Define role and location attributes for shared devices.
Time fencing for shared devices
ClearPass
Putting the pieces together: AirGroup Solution Architecture
Diagram: Network Core / Data Center with Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager and other operations systems; a Mobility Access Switch and Instant 11n Access Points in the branch; Campus 11n Access Points, a Mobility Access Switch and a Mobility Controller in the campus.
• Components can be assembled into a distributed branch architecture, suitable for Enterprise or Service Providers
• Components can be assembled into a small, medium or large campus network architecture
Use Case 1: Interactive K12 Classroom with AirGroup
Diagram: Network Core / Data Center (Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager, other operations systems); a Teacher and Students in the classroom.
1. Teachers share content using the Apple TV
2. Students can share & collaborate using the Apple TV
3. Users outside this classroom cannot use this Apple TV
Use Case 2: Restricted Access University Classroom with AirGroup
Diagram: Network Core / Data Center (Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager, other operations systems); a Teacher and Students in the classroom.
1. Only Professors share content using the Apple TV
2. Students cannot use this Apple TV
3. Users outside this classroom cannot use this Apple TV
Use Case 3: All Wireless Office Conference Room with AirGroup
Diagram: Network Core / Data Center (Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager, other operations systems); an Employee and a Guest in the conference room.
1. Employee has access to the conference room Apple TV
2. Employee shares the Apple TV with the guest for a limited duration
3. Guest is able to use the Apple TV
Use Case 4: Personal Device Access in University Dorms
Diagram: Network Core / Data Center (Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager, other operations systems); Student 1 and Student 2 in the dorm.
1. Only Student 1 can access his personal printer and Apple TV
2. Student 2 cannot use Student 1’s personal devices
3. Student 1 can share his devices with Student 2
Use Case 5: Common Device Access in a Retail Store
Diagram: Network Core / Data Center (Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager, other operations systems); Employee 1, Employee 2 and a Shopper in the store.
1. Employees can engage with visitors using Apple TV and use print services
2. Visitors/Shoppers cannot use in-store devices
Use Case 6: Per-Building Access in a Campus
Diagram: Network Core / Data Center (Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager, other operations systems); Campus 1 with Building 1, Building 2 and Building 3.
• Users in the building can use services within the building
Use Case 7: Per-Floor Access in a Hospital
Diagram: Network Core / Data Center (Aruba Mobility Controller, Aruba ClearPass Policy Manager, Aruba AirWave Network Manager, other operations systems); Floor 1 – ER and Floor 3 – General Patient Care.
• Floor 1 – ER: only doctors and nurses in the ER get access to services
• Floor 3 – General Patient Care: doctors, nurses & patients on level 3 get access to services
Design, Build & Run
AirGroup Deployment Model
• Supported AirGroup deployment models (diagram): Single controller; Multiple Controllers (AirGroup Domain 1, AirGroup Domain 2); IAP; Multiple IAP Clusters (AirGroup Domain 1, AirGroup Domain 2)
• Overlay model not supported
AirGroup Deployment Model
1. The same mobility controller that terminates all APs and provides WLAN access also runs the AirGroup functionality.
2. Trunk the VLANs where wired devices like printers are connected to the AirGroup controller.
3. Can operate with or without ClearPass Policy Manager.
AirGroup Clusters and Domains
User Device Registration Portal with ClearPass
Diagram: AP – Mobility Controller – ClearPass (Guest & Policy Manager).
• User logs in using AD credentials
• Device view from a user/admin perspective
• CPPM helps provide a filtered mDNS response to users and reduces noise.
Personal Device Registration
Logged in as “Student 1”
• What is the name of the device?
• What is the MAC of the device?
• Who else can use my “personal device”? – username
Common Device Registration based on User Name, Role or Location
Logged in as “Network Admin”
• Who can use the device from where – “location context”? – AP name, AP MAC, AP group
• Which users can see the device – “shared with”? – usernames
• Which user group can see the device – “user role”? – user role
AirGroup Operation – Location Based Device Sharing
AirGroup servers can be shared based on the following location attributes:
1. AP Name
2. AP Group
3. AP FQLN
AirGroup Operation – Location Based Device Sharing
1. Based on AP Name
Diagram: Building Floor 1 with AP1 and AP2; the AirGroup printer is associated to AP1, the iPhone to AP2.
1. On the ClearPass registration portal, share the AirGroup printer with AP1
2. Based on ARM, AP2 is an RF neighbor of AP1
3. The iPhone associated to AP2 can now see the AirGroup printer associated to AP1
AirGroup Operation – Location Based Device Sharing
2. Based on AP Group
Diagram: a campus with Building 1, Building 2, Building 3 and Building 4, mapped to AP Group 1, AP Group 2, AP Group 3 and AP Group 4; AirGroup services are restricted to each building.
AirGroup Operation – Location Based Device Sharing
3. Based on AP FQLN
FQLN = <ap-name>.<floor>.<building>.<campus>
Diagram: one building with an AP1 on each of Floor 1, Floor 2 and Floor 3 (FQLN = AP1.Floor 1.1344.Aruba, AP1.Floor 2.1344.Aruba, AP1.Floor 3.1344.Aruba) and an AP2 on Floor 2 (FQLN = AP2.Floor 2.1344.Aruba); the Apple TV is associated to AP1.
1. On the ClearPass registration portal, share the Apple TV with FQLN = AP1.Floor 2.1344.Aruba
2. Users associated to AP1 on Floor 1 can see the Apple TV
3. Users associated to AP1 on Floor 3 can see the Apple TV
4. An iPhone on Floor 2 is associated to AP1 on Floor 3
AirGroup Controller Configuration
Controller settings shown in the AirGroup configuration screen:
• AirGroup Enabled
• Require CPPM Device Registration
• CPPM Server
• AirGroup CoA Update
AirGroup ClearPass Configuration..
CoA Update Port must match!
..AirGroup ClearPass Configuration
ClearPass reads the controller configuration
AirGroup ClearPass Configuration
Controller information used for AirGroup device registration
AirGroup in Distributed Networks
Single IAP Cluster
Diagram: three IAPs (IAP 1, IAP 2, IAP 3) on a LAN, with an AirPrint printer (P1) on SSID: VLAN1 and an Apple TV (TV1) on SSID: VLAN3; a client with role VLAN2 is on SSID: VLAN2. Each IAP holds the same database:
P1   AirPrint
TV1  AirPlay
• mDNS packets for the AirPrint service and the AirPlay service are learned into the database
• The client sends an mDNS multicast query for the AirPlay service
• The IAP answers with an mDNS unicast response for the TV1 service
Single IAP cluster with CPPM Server
Diagram: the same IAP cluster (IAP 1, IAP 2, IAP 3) with an AirPrint printer (P1) on SSID: VLAN1, an Apple TV (TV1) on SSID: VLAN3, clients on SSID: VLAN2, and a CPPM server.
CPPM policy enforcement:
• P1 is shared with X and Y
• TV1 is shared with X
Result:
• Username X (SSID: VLAN2) – servers discovered: P1 and TV1
• Username Y (SSID: VLAN2) – servers discovered: P1
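The filtering in this slide (P1 shared with X and Y, TV1 shared with X) and the location-based sharing on the earlier AP name / AP group / AP FQLN slides are the same decision: given the registered sharing attributes, which servers does a given user's query get answered with? The following is an added example, not Aruba's implementation, that models that decision. The users, servers and RF-neighbor table are constructed; the "+/-1 floor" reading of FQLN sharing is an assumption taken from the slide where an Apple TV shared with AP1.Floor 2.1344.Aruba is visible from Floor 1 and Floor 3, and the rule that a server with no sharing attributes is visible to everyone is also an assumption of this model.

```python
"""Model of AirGroup-style visibility filtering: which registered servers a
user's mDNS query should be answered with.

Added example, not Aruba's implementation. It combines two slides: the CPPM
policy-enforcement cluster (P1 shared with X and Y, TV1 shared with X) and
location-based sharing by AP name, AP group and AP FQLN. Rules that the deck
only implies are marked as assumptions in comments.
"""
from dataclasses import dataclass, field
from typing import Optional
import re


@dataclass(frozen=True)
class Fqln:
    """FQLN = <ap-name>.<floor>.<building>.<campus> (format from the deck)."""
    ap_name: str
    floor: str
    building: str
    campus: str

    @classmethod
    def parse(cls, text: str) -> "Fqln":
        parts = text.split(".")
        if len(parts) != 4:
            raise ValueError(f"malformed FQLN: {text!r}")
        return cls(*parts)

    def floor_number(self) -> Optional[int]:
        # Assumption: the floor label carries a number, e.g. "Floor 2".
        match = re.search(r"\d+", self.floor)
        return int(match.group()) if match else None


@dataclass
class User:
    username: str
    role: str
    ap_name: str
    ap_group: str
    fqln: str


@dataclass
class Server:
    name: str
    service: str
    owner: Optional[str] = None                     # personal device registration
    shared_with: set = field(default_factory=set)  # usernames
    roles: set = field(default_factory=set)        # user roles
    ap_names: set = field(default_factory=set)     # location: AP name
    ap_groups: set = field(default_factory=set)    # location: AP group
    fqlns: set = field(default_factory=set)        # location: AP FQLN

    def restricted(self) -> bool:
        return any([self.owner, self.shared_with, self.roles,
                    self.ap_names, self.ap_groups, self.fqlns])


def fqln_match(user_fqln: str, shared_fqln: str) -> bool:
    """Same campus and building, and floors at most one apart. The +/-1 floor
    rule is an assumption drawn from the slide where an Apple TV shared with
    AP1.Floor 2.1344.Aruba is visible from Floor 1 and Floor 3."""
    u, s = Fqln.parse(user_fqln), Fqln.parse(shared_fqln)
    if (u.campus, u.building) != (s.campus, s.building):
        return False
    uf, sf = u.floor_number(), s.floor_number()
    if uf is None or sf is None:
        return u.floor == s.floor
    return abs(uf - sf) <= 1


def can_see(user: User, server: Server, rf_neighbors=None) -> bool:
    """rf_neighbors: {ap_name: {neighbour ap names}} as ARM would report them;
    sharing by AP name also covers RF neighbours (slide 'Based on AP Name')."""
    rf_neighbors = rf_neighbors or {}
    if not server.restricted():
        return True                                 # assumption: unrestricted common device
    if user.username == server.owner or user.username in server.shared_with:
        return True
    if user.role in server.roles:
        return True
    nearby = {user.ap_name} | set(rf_neighbors.get(user.ap_name, ()))
    if nearby & server.ap_names:
        return True
    if user.ap_group in server.ap_groups:
        return True
    return any(fqln_match(user.fqln, f) for f in server.fqlns)


def visible_servers(user: User, servers, rf_neighbors=None):
    """The filtered server list CPPM-backed AirGroup would answer with."""
    return sorted(s.name for s in servers if can_see(user, s, rf_neighbors))


# Constructed data following the 'single IAP cluster with CPPM' slide.
SHARED_SERVERS = [
    Server("P1", "AirPrint", shared_with={"X", "Y"}),
    Server("TV1", "AirPlay", shared_with={"X"}),
]
USERS = {
    "X": User("X", "employee", "AP1", "AP Group 1", "AP1.Floor 1.1344.Aruba"),
    "Y": User("Y", "employee", "AP2", "AP Group 1", "AP2.Floor 3.1344.Aruba"),
    "Z": User("Z", "guest", "AP9", "AP Group 2", "AP9.Floor 2.2000.Aruba"),
}
# Constructed: the FQLN slide's Apple TV, shared with AP1 on Floor 2.
LOCATION_SERVERS = [Server("Classroom TV", "AirPlay", fqlns={"AP1.Floor 2.1344.Aruba"})]

if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, visible_servers(user, SHARED_SERVERS + LOCATION_SERVERS))
```

The point of putting the decision in one function is auditability: every server a user can see is explained by exactly one matching attribute, which is what an administrator needs when a device shows up (or fails to show up) for someone unexpectedly.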
Multiple IAP Clusters
Diagram: two IAP clusters (swarms) joined by a router, each with a virtual controller (VC). Swarm 1 (IAP 1, IAP 2, IAP 3) has an AirPrint printer (P1) on SSID: VLAN1, an Apple TV (TV1) on SSID: VLAN3 and clients on SSID: VLAN2; Swarm 2 (IAP 4, IAP 5, IAP 6) has an AirPrint printer (P2) on SSID: VLAN4, an Apple TV (TV2) on SSID: VLAN6 and clients on SSID: VLAN5.
• Database sync every 2 minutes
• After the sync, each VC holds both server lists:
Swarm 1 servers: P1 AirPrint, TV1 AirPlay
Swarm 2 servers: P2 AirPrint, TV2 AirPlay
AirGroup UI
• Navigate to Settings -> Advanced settings -> AirGroup
CPPM Server Configuration
• AirGroup CoA port – this cannot be the standard CoA port, because that port is already used by the Auth/STM server.
• CoA only – this server only receives CoA packets; it is not used for MAC authorization.
AirGroup on the Mobility Access Switch
Three ways to discover wired AirGroup servers:
1. Trunk all VLANs to the AirGroup controller
2. Configure a Tunneled Node between the MAS and the AirGroup controller
3. Configure an L2 GRE tunnel and redirect mDNS packets across the tunnel
AirGroup on 3rd party switches:
• Trunk VLANs to the AirGroup controller
Scaling, Troubleshooting and Best Practices
Impact of Broadcast Controls on AirGroup
Two broadcast control knobs:
• Broadcast-Multicast (BCMC) Optimization: VLAN specific
• Broadcast-filter-all: VAP specific
– When AirGroup is enabled, mDNS exceptions are automatically created to bypass the above knobs.
– Enabling the above controls does not affect AirGroup functionality.
AirGroup Scalability Limits
• AOS 6.3/6.4 platform limits:
• In an AirGroup domain, the total number of AirGroup users and servers is bound by the platform limit of the top-end controller.
• Hard cap on the scaling limits
• Scaling limits were defined based on CPU and memory utilization on the controller:
o (7210) # show airgroup internal-state statistics

AirGroup Server and User Limits in Controllers
Platform            3200XM  3400  3600  M3    7210  7220   7240
# AirGroup servers  500     1000  2000  2000  2000  2000   2000
# AirGroup users    1500    3000  6000  6000  9000  12000  16000

mDNS Packet Rate Limits in Controllers
Platform                          3200  3400  3600  M3  7210  7220  7240
mDNS packets received per second  10    10    20    20  20    25    30
How to Measure AirGroup Traffic..
• Before enabling AirGroup
1. If the administrator is permitting AirGroup traffic:
!
ip access-list session mdns
  any any udp 5353 permit
!
To see ACL hits:
(poc-campus-mc1) #show acl hits | include mdns
2. If the administrator is denying AirGroup traffic:
!
ip access-list session mdns_deny
  any any udp 5353 deny
!
To see ACL hits:
(poc-campus-mc1) #show acl hits | include mdns_deny
..How to Measure AirGroup Traffic
Steps to calculate the number of mDNS packets hitting the controller:
1. Run the show acl hits command once (say at 10am) to reset the New Hits counter. Note the time.
2. Run the command again after, say, 15 minutes and note the number of mDNS hits under New Hits. This gives the number of mDNS packets seen in a duration of 15 minutes; (# of mDNS packets)/(15*60) gives the rate of mDNS packets per second.
3. Repeat step 2 after another 15 minutes.
4. Run the test multiple times to average out the mDNS packet rate.
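The four steps above produce a series of (time, New Hits) readings; the useful output is the averaged packets-per-second figure compared against the per-platform mDNS rate limit and the server/user caps from the scalability slide. The following is an added example, not an Aruba tool: the readings are constructed, the limit tables are copied from the deck, and the 80% early-warning threshold is a constructed convention. Because the column layout of show acl hits differs between releases, the code takes the counter values read off the CLI rather than parsing raw output.

```python
"""Estimate the controller's mDNS packet rate from repeated 'show acl hits'
readings (the four-step procedure above) and compare it with the platform
limits from the scalability slide.

Added example, not an Aruba tool. The readings are constructed; the limit
tables copy the deck. Because 'show acl hits' output formatting varies by
release, this works on the New Hits values read off the CLI, not on raw text.
"""
from datetime import datetime

# mDNS packets received per second, per controller platform (deck table).
# The deck labels the first column "3200"; it is keyed as 3200XM here so the
# two tables share keys (assumption: same platform).
MDNS_PPS_LIMIT = {"3200XM": 10, "3400": 10, "3600": 20, "M3": 20,
                  "7210": 20, "7220": 25, "7240": 30}

# (AirGroup servers, AirGroup users) per controller platform (deck table).
AIRGROUP_LIMITS = {"3200XM": (500, 1500), "3400": (1000, 3000),
                   "3600": (2000, 6000), "M3": (2000, 6000),
                   "7210": (2000, 9000), "7220": (2000, 12000),
                   "7240": (2000, 16000)}


def interval_rates(samples):
    """samples: list of (timestamp, new_hits) in the order the command was run.
    The first run only resets New Hits, so new_hits at sample i counts packets
    since sample i-1; the rate is hits / elapsed seconds, as the deck states."""
    rates = []
    for (t0, _), (t1, hits) in zip(samples, samples[1:]):
        seconds = (t1 - t0).total_seconds()
        if seconds <= 0:
            raise ValueError("samples must be in increasing time order")
        rates.append(hits / seconds)
    return rates


def average_rate(samples):
    """Step 4: average the per-interval rates."""
    rates = interval_rates(samples)
    if not rates:
        raise ValueError("need at least two samples")
    return sum(rates) / len(rates)


def headroom_report(platform, observed_pps, servers, users, warn_at=0.8):
    """List of findings against the platform's hard caps; empty means OK.
    warn_at is a constructed threshold (80% of a cap) for early warning."""
    findings = []
    pps_cap = MDNS_PPS_LIMIT[platform]
    server_cap, user_cap = AIRGROUP_LIMITS[platform]
    checks = [("mDNS packets/sec", observed_pps, pps_cap),
              ("AirGroup servers", servers, server_cap),
              ("AirGroup users", users, user_cap)]
    for label, value, cap in checks:
        if value > cap:
            findings.append(f"EXCEEDS: {label} {value:g} > {platform} cap {cap}")
        elif value > warn_at * cap:
            findings.append(f"WARNING: {label} {value:g} is above {warn_at:.0%} of {platform} cap {cap}")
    return findings


# Constructed readings: 10:00 reset, then New Hits at 10:15 and 10:30.
SAMPLE_READINGS = [
    (datetime(2014, 3, 10, 10, 0), 0),
    (datetime(2014, 3, 10, 10, 15), 13500),   # 13500 / 900 s = 15 pps
    (datetime(2014, 3, 10, 10, 30), 16200),   # 16200 / 900 s = 18 pps
]

if __name__ == "__main__":
    pps = average_rate(SAMPLE_READINGS)
    print(f"average mDNS rate: {pps:.1f} pps")
    for platform in ("7210", "7220"):
        report = headroom_report(platform, pps, servers=1200, users=9500)
        print(platform, report or ["within limits"])
```

Take the readings during the busiest part of the day; a rate measured at a quiet hour understates what the controller will see once AirGroup is enabled, and the packet-rate limit is a hard cap.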
AirGroup: Debugging and Logs
• AirGroup related debugging information is available under the user, system and security debug logs.
• Use the following debug levels to collect debug information for AirGroup:
– logging level debugging user process mdns
– logging level debugging system process mdns
– logging level debugging security process mdns
• Apart from the debug logs, collect the following command outputs for debugging AirGroup issues:
– show airgroup servers verbose
– show airgroup users verbose
– show airgroup cache entries
– show airgroup internal-state statistics
• Collect tech-support logs from the AirGroup controller at 2 or 3 instances spaced about 5-10 minutes apart
General Best Practices..
• AirGroup in large deployments
o Enabling all AirGroup services consumes a large amount of system resources
o Start by enabling select AirGroup services
o AirPrint, AirPlay and Chromecast services are enabled by default in AOS 6.4. For a new service to be allowed, create a custom AirGroup service.
o Start by restricting AirGroup services to the most important VLANs
o Disable the allowall service
• When deploying wired AirGroup servers, make sure that the VLANs are trunked all the way to the controller running AirGroup.
..General Best Practices
• Disable deny-inter-user firewall settings. These settings can prevent clients from communicating with each other.
• For large deployments, use CPPM to register the AirGroup servers with a location tag for better performance.
• If AirGroup is enabled on multiple controllers in a deployment that share common VLANs, configure AirGroup domains and add the controllers to the cluster.
AirGroup: AP Forwarding Mode
• AirGroup is supported only on tunnel and de-tunnel forwarding modes
• AirGroup services may break if NATing is enabled on user VLANs
New AirGroup Enhancements
AOS 6.4 AirGroup Enhancements
• AirGroup support for DLNA-based devices
• Support for virtual mDNS device configuration
• CPPM Integration
• Ability to share AirGroup services based on logical groups
• Static time fencing
• UI dashboard enhancements
• AirWave support (coming soon)
Thank You