Apple Bonjour protocol tamed by Aruba AirGroup enterprise Wi-Fi tool
AirGroup controls MDNS discovery traffic
By John Cox | Network World US | Published: 14:46, 23 March 2012
Aruba Networks claims that, with its new AirGroup feature, it has found a way for iPads and iPhones to discover and use projectors, Apple TVs, printers and the like without flooding the enterprise Wi-Fi network with multicast discovery messages.
The wireless LAN vendor announced yesterday an update to its WLAN controller software that lets multicast domain name services, like Apple's Bonjour protocol, work simply and securely but without creating a drag on the network. The AirGroup name is a reference to Apple's nomenclature for capabilities like the mobile printing service AirPrint and AirPlay.
AirGroup is being demonstrated this week at Aruba's annual Airheads User Conference in Las Vegas. AirGroup is a new feature of the controller's Aruba OS and of the Aruba ClearPass Policy Manager, announced in February. ClearPass offers a set of modules that let enterprise IT groups streamline provisioning, inventory, security and management for personally owned devices used for work purposes, a trend often dubbed "bring your own device" or BYOD.
Bonjour is a discovery service designed for flat Wi-Fi networks, which are typical for homes but not for corporate sites, according to Robert Fenstermacher, director of product marketing for Aruba, of Sunnyvale, California. AirGroup is intended to make this class of protocols "enterprise-friendly," he says.
Aruba isn't the only company attacking this problem. Rival Aerohive recently enabled its "controller-less" access points to act as Bonjour gateways, as our Nearpoints blogger Craig Mathias explained. He notes that Bonjour and similar discovery protocols run at Layer 2 and are therefore not routable. "Only one AP is required, although the cooperative nature of Aerohive's architecture means that all users need to do is specify what Bonjour services should be mapped, and the underlying software does the rest," Mathias said.
These are multicast protocols, and devices using them, such as iPhones and iPads, "are always looking for peers," says Chuck Lukaszewski, Aruba's senior director of professional services, and head of the company's elite Aruba Customer Engineering (ACE) group. iPads, for example, may be looking for printers running Apple's AirPrint, or for an Apple TV to display screens on a conference room flat-panel TV.
There are two problems for the network, Lukaszewski says. First, these devices simply generate a lot of broadcast traffic, because the protocols are "chatty," and the traffic spills across the entire WLAN. Aruba says that some of its higher-education customers report that this broadcast traffic can reach 90% of their WLAN. Second, this traffic is transmitted at much slower rates than regular data traffic. "The volume and speed of this traffic ends up slowing down the whole network," he says. "It's like getting stuck behind a slow-moving car with no way to pass it."
Initially, Aruba deployment engineers would create and install a series of Access Control Lists on the Aruba controller's firewall, to filter out this traffic. But customers, especially colleges and universities, realised they wanted this traffic so that users with mobile devices could make use of the discovery protocols to connect to peripherals. What was needed was some way to manage it.
AirGroup does this. The Aruba controller can now listen for these multicast DNS messages, such as the discovery of Apple AirPlay-compliant printers on the network, sent by an iPad via the nearby WLAN access point. Two things happen next. First, the controller can leverage Aruba and various backend services to identify the specific device, its associated user, the user's role (such as "faculty" or "student" or "sales"), the access privileges associated with the role, and the requesting device's physical location.
Second, the controller, which has created a database of Bonjour devices that are advertising their presence, can then direct the request to a nearby AirPrint printer, for example, one that's in the same building or floor as the requesting device.
Policies can be set so that students and faculty - but not guests - can use an AirPrint printer in a library, for example; or so that a lecturer - but not students - can access a lecture-hall Apple TV for streaming an iPad video to a wide-screen display.
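The role and location filtering described above can be modeled as a lookup against the controller's database of advertised services. The following Python sketch is an added illustration, not Aruba's code: the registry entries, role names and the same-building rule are constructed assumptions, and it also records which services were withheld and why, so that denials can be audited.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str              # advertised instance name
    stype: str             # mDNS service type
    building: str
    floor: int
    allowed_roles: frozenset

@dataclass(frozen=True)
class Client:
    user: str
    role: str
    building: str
    floor: int

# Constructed registry of services learned from advertisements (sample data).
REGISTRY = [
    Service("Library Printer", "_ipp._tcp.local.", "library", 1,
            frozenset({"student", "faculty"})),
    Service("Library Printer 3F", "_ipp._tcp.local.", "library", 3,
            frozenset({"student", "faculty"})),
    Service("Admin Printer", "_ipp._tcp.local.", "admin", 1,
            frozenset({"faculty"})),
    Service("Hall A Apple TV", "_airplay._tcp.local.", "hall-a", 1,
            frozenset({"faculty"})),
]

def answer_query(client, stype, registry=REGISTRY):
    """Return (visible, withheld): names the client may discover, nearest
    floor first, and (name, reason) pairs for services filtered out."""
    visible, withheld = [], []
    for svc in registry:
        if svc.stype != stype:
            continue
        if client.role not in svc.allowed_roles:    # default deny on role
            withheld.append((svc.name, "role"))
        elif svc.building != client.building:       # assumed locality rule
            withheld.append((svc.name, "location"))
        else:
            visible.append(svc)
    visible.sort(key=lambda s: (abs(s.floor - client.floor), s.name))
    return [s.name for s in visible], withheld
```

A role that appears in no service's allow list, such as a guest, receives an empty answer for every query, which matches the default-deny behaviour the policy examples imply.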
AirGroup in effect blocks the broadcast traffic to the rest of the WLAN. "It almost completely eliminates the discovery-related traffic generated conventionally by MDNS services," says Fenstermacher.
Aruba has created a technique that lets iPads and other mobile devices make use of the discovery protocols as they were designed to be used: for finding and connecting to local shared devices.
AirGroup will be released for testing in selected customer sites in coming weeks. Aruba expects to make it generally available via updates to Aruba OS and ClearPass Policy Manager during the second half of 2012.