To cope with the rising tide of iOS devices trying to use Apple's Bonjour discovery protocol on enterprise networks, Cisco recently announced that it is building a Bonjour gateway for its wireless LAN controllers. The company replied to nine follow-up questions after an online webinar for IT professionals about the product.
The gateway is intended to make Bonjour-based technologies like AirPlay and AirPrint better-behaved on enterprise networks. Some webinar attendees came away with questions that were not asked, or not answered, during the session. Jameson Blandford, a technical marketing engineer with the gateway's product management group, replies via email below. (A replay of the webinar is available online.)
The behavior of Apple products on corporate networks is an urgent issue for many IT groups. Apple products were once relegated to niches in big companies. But with the advent of the iPhone and now the iPad, most large U.S. companies have become Apple customers on a scale never before imagined. These devices use Bonjour, Apple's implementation of "zero configuration networking" (zeroconf), a set of open, link-local protocols that let devices on a single network segment assign themselves addresses, resolve names and discover services automatically, without anyone having to set up DHCP, DNS or a service directory. The pieces Bonjour relies on for the last two are multicast DNS (mDNS) and DNS Service Discovery (DNS-SD).
Apple devices use Bonjour to discover and link with each other, with printers running Apple's AirPrint software, and with devices like the Apple TV box, which acts like an interface between client iOS and OS X devices and flat panel TVs or selected Internet video content providers.
But Bonjour is designed for simple, single-segment networks, not more complex corporate networks that may include scores or hundreds of subnets. Its queries and advertisements are sent to a link-local multicast group (224.0.0.251) that routers do not forward, so a client cannot discover services on another subnet, and on big networks with lots of Apple clients and services the discovery chatter can become a heavy multicast load on every segment. A group of higher-education IT managers, part of Educause, recently created a petition asking Apple to make changes in Bonjour and other technologies to address these issues.
Cisco's new code will turn its WLAN controllers into a Bonjour gateway, and couple this with policy-based end user privileges. For users, this will mean that Apple clients will be able to find and access network-attached AirPrint printers, Apple TVs and the like on different subnets, so everything will "just work" as it does on their own home networks. A second expected result will be a big decrease in the amount of Bonjour-based discovery traffic that today is putting a heavy load on enterprise nets teeming with Apple's MacBook laptops, iPhones, iPads and more.
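The following Python is an added example, not Cisco's code and not from the original article. It models the two mechanisms the gateway description turns on: the DNS-SD PTR query and response encoding that Bonjour carries over mDNS (including the "QU" unicast-response bit in a question), and a services directory that learns advertisements snooped on several VLANs and answers a client with only the service instances its WLAN policy permits, as a unicast reply rather than a multicast one. The `BonjourDirectory` class, its policy table and the service names used below are constructed for illustration; the controller's real data structures and policy attributes are not described in the article.

```python
"""Toy Bonjour gateway: DNS-SD PTR packets over mDNS, plus a snooped services
directory that answers clients by unicast according to a per-WLAN policy.
Stdlib only; the directory and policy layout are assumptions for illustration."""
import struct

MDNS_GROUP = ("224.0.0.251", 5353)  # link-local multicast; routers do not forward it
TYPE_PTR = 12
CLASS_IN = 1
QU_BIT = 0x8000  # set in a question's class: "answer me by unicast" (RFC 6762 s5.4)

def encode_name(name):
    """DNS wire form: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(buf, off):
    """Decode a name, following compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer back into the packet
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")  # untrusted input: refuse to spin
            end = off + 2 if end is None else end
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(buf[off:off + length].decode("utf-8"))
        off += length

def build_ptr_query(service, unicast_response=True):
    """One-question mDNS query for a service type such as _airplay._tcp.local."""
    qclass = CLASS_IN | (QU_BIT if unicast_response else 0)
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)  # mDNS queries carry ID 0
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, qclass)

def build_ptr_response(service, instances, ttl=4500):
    """mDNS response with one PTR record per instance (ttl 0 is a goodbye)."""
    pkt = struct.pack("!HHHHHH", 0, 0x8400, 0, len(instances), 0, 0)  # QR|AA
    for inst in instances:
        rdata = encode_name(inst)
        pkt += encode_name(service)
        pkt += struct.pack("!HHIH", TYPE_PTR, CLASS_IN, ttl, len(rdata)) + rdata
    return pkt

def parse_packet(pkt):
    """Return (questions as (name, qtype, qclass), PTR records as (service, ttl, instance))."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off, questions, ptrs = 12, [], []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        questions.append((name,) + struct.unpack_from("!HH", pkt, off))
        off += 4
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == TYPE_PTR:
            ptrs.append((name, ttl, decode_name(pkt, off)[0]))
        off += rdlen
    return questions, ptrs

class BonjourDirectory:
    """Snooped services; `policy` maps a client's WLAN/SSID to the service types it may see."""

    def __init__(self, policy):
        self.policy = policy
        self.entries = {}  # service type -> {instance name: VLAN it was seen on}

    def snoop(self, vlan, pkt):
        """Learn (or, on ttl 0, forget) the PTR advertisements seen on `vlan`."""
        for service, ttl, instance in parse_packet(pkt)[1]:
            bucket = self.entries.setdefault(service, {})
            if ttl == 0:
                bucket.pop(instance, None)
            else:
                bucket[instance] = vlan

    def visible(self, service, wlan):
        """Instances of `service` a client on `wlan` may see, from every VLAN."""
        if service not in self.policy.get(wlan, ()):
            return []
        return sorted(self.entries.get(service, {}))

    def answer(self, query, wlan):
        """Reply bytes for the first question in `query`, meant for the client's own
        address rather than the multicast group; None when nothing is permitted."""
        questions = parse_packet(query)[0]
        if not questions or questions[0][1] != TYPE_PTR:
            return None
        instances = self.visible(questions[0][0], wlan)
        return build_ptr_response(questions[0][0], instances) if instances else None
```

Feeding `snoop` a response captured on a wired VLAN and another on a wireless VLAN, then calling `answer` for a query from a permitted SSID, yields one reply listing both Apple TVs; the same query from an SSID whose policy allows no services gets nothing back, which is the filtering and unicast behavior the article attributes to the gateway.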
After the Cisco webinar, IT professionals raised a number of questions about Cisco's implementation. Here are the questions and Blandford's answers.
Some of Cisco's support documentation for dealing with Bonjour mentions the Avahi software, an open-source zeroconf implementation. Is Cisco's pending Bonjour Gateway based on Avahi, or does it incorporate and make use of it?
The gateway is not based on Avahi.
The webinar's demo showed wireless clients, but didn't seem to address wired clients, such as a wired Apple TV. Will the Cisco gateway handle wired Bonjour devices?
The Bonjour Services Directory will snoop for devices on both the wireless and wired-side of the network. [For example,] when a client on the wireless side of the network requests the "AirPlay" service, the controller will return back both the Apple TV on the wired network, and the Apple TV on the wireless network.
Will customers need to have a wireless LAN controller on each routing node in the network, to ensure that VLANs (subnets) can reach the controller? If VLANs cross a Layer 3 boundary, will a controller be needed to terminate them?
In the initial release, the VLAN of wired Bonjour devices must be trunked to the [WLAN] controller so that their advertisements can be seen. We recognize this presents a challenge for customers with distributed networks -- so we are exploring the capability for the [Aironet WLAN] access point to also snoop Bonjour traffic. With this flexible solution, a "Bonjour Detector" AP can be placed anywhere in the network and snoop Bonjour for all of the devices on that wired segment while sending relevant service entries back to the controller's master database.
In the future we are also looking at leveraging other Cisco devices in the network that can perform wired-side snooping and improve the reach of the solution.
Does Cisco have any plans to incorporate the Bonjour GW in their IOS firmware running on their Catalysts?
This is a logical place for wired-side Bonjour snooping. However we cannot comment on official roadmap positions.
In the webinar, Cisco said it will use filtering to restrict which clients can see which services (Apple TV's, etc). What will Cisco use to filter Bonjour requests?
The filtering options are:
· Per WLAN/SSID
· Per VLAN or AP Group
· Per Interface Group (which is a group of VLANs pooled together).
A Bonjour service policy can be created and applied on any one of the above criteria. In the future, we will support per-user Bonjour service policies which will come as a RADIUS attribute from the AAA server.
Will Cisco support location-aware service discovery to limit the number of, for example, Apple TVs that might show up on an iPhone or iPad in response to a discover request?
We are actively investigating how the physical location of the wireless client can be used to provide a pin-pointed service list with only the Apple TVs, printers, etc. which are nearby. No comment on availability yet.
Does roaming work with the Gateway, and if so how?
Yes, Layer 3 roaming across controllers works to ensure users moving amongst access points on different controllers continue to see the devices they saw on the original controller. The Bonjour services on the anchor controller will be displayed to the client, including both wired and wireless devices.
There was some confusion about whether the Gateway actually uses multicast to deliver Bonjour services to clients. One person said it does not. Is this correct?
This is correct: the controller sends the response back to the client via unicast so that other clients do not hear any services they are not supposed to see. Subsequent connections after service discovery (such as an iPad mirroring its screen to the Apple TV) are unicast, between the two end devices, using Apple's own protocol.
How specific can you be about the beta release of the Gateway?
Beta for the v7.4 release will be in Oct/Nov of this year.
John Cox covers wireless networking and mobile computing for Network World. Twitter: http://twitter.com/johnwcoxnww Email: [email protected] Blog RSS feed: http://www.networkworld.com/community/blog/2989/feed