Extend Apple Services beyond Vlans

Scenarios: 

In an enterprise network a user may try to connect an iPhone to another Apple device, such as an AirPlay receiver, an Apple TV or an AirPrint-capable printer, and find that the device is never discovered, so the connection cannot be made. The usual causes are loosely known as Bonjour issues.

So what exactly is Bonjour, and why does it cause so many challenges?

Bonjour & its challenges:

Bonjour is Apple's implementation of zero-configuration networking. Its discovery component is link-local and non-routable: service announcements and queries are sent to a multicast group that routers do not forward, so they never leave the layer 2 domain (the VLAN) in which they were sent. Bonjour is not a service itself; it works like a phonebook that lets devices announce the applications they offer and ask which ones are available on the network.

Apple designed Bonjour so that devices can obtain addresses and hostnames, and discover and use services, without a Domain Name System (DNS) server or manual configuration. For example, when an Apple device joins a network it requests an address using the Dynamic Host Configuration Protocol (DHCP); if no DHCP server responds, the device self-assigns a link-local IPv4 address (169.254.0.0/16) and, where IPv6 is supported, an IPv6 link-local address (fe80::/10).

For hostnames as well as service advertisement and discovery, Apple implemented a multicast version of DNS: devices claim their own hostnames in the .local domain and advertise and request services by sending ordinary DNS-formatted messages to a well-known IPv4 and IPv6 multicast address. This is Multicast DNS (mDNS), specified in RFC 6762; the service discovery conventions layered on top of it (PTR, SRV and TXT records per service) are DNS-SD, RFC 6763.

mDNS uses the following multicast addresses and port number:

  • MAC address 01:00:5E:00:00:FB for IPv4 (33:33:00:00:00:FB for IPv6)
  • IPv4 address 224.0.0.251
  • IPv6 address FF02::FB
  • UDP port 5353

Service announcements:

The following are some of the services announced over Bonjour, with the DNS-SD service types they advertise:

  • File Sharing service (_afpovertcp._tcp, _smb._tcp)
  • Printing service, including AirPrint (_ipp._tcp)
  • Remote Desktop / screen sharing service (_rfb._tcp)
  • AirPlay services such as video, audio and screen streaming (_airplay._tcp, _raop._tcp)
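To make the addressing above and the DNS-SD record types concrete, here is an added example (not code from the original article) that builds an mDNS PTR query, builds the PTR/SRV/TXT announcement a service sends, and parses both, including the name compression pointers mDNS uses to keep packets small. The instance name, hostname, port and TXT values are constructed sample data; the socket helper is only needed if you actually probe a network.

```python
import socket
import struct

MDNS_GROUP_V4 = "224.0.0.251"   # link-local multicast group: routers do not forward it
MDNS_GROUP_V6 = "ff02::fb"
MDNS_PORT = 5353

TYPE_PTR, TYPE_TXT, TYPE_SRV = 12, 16, 33   # record types DNS-SD is built from
CLASS_IN = 1
TYPE_NAMES = {TYPE_PTR: "PTR", TYPE_TXT: "TXT", TYPE_SRV: "SRV"}


def encode_name(name, offsets=None, base=0):
    """Encode a dotted name as DNS labels. With `offsets` (suffix -> packet offset),
    a suffix already written earlier in the packet is replaced by a pointer."""
    out, labels = b"", name.rstrip(".").split(".")
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]) + "."
        if offsets is not None:
            if suffix in offsets:
                return out + struct.pack("!H", 0xC000 | offsets[suffix])
            offsets[suffix] = base + len(out)
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past the field)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = offset + 2                        # first pointer ends the field
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode())
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def build_query(service_type, unicast_response=False):
    """PTR query for e.g. '_airplay._tcp.local.'. The QU bit (top bit of QCLASS,
    RFC 6762 s5.4) asks responders to answer by unicast instead of multicast."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = CLASS_IN | (0x8000 if unicast_response else 0)
    return header + encode_name(service_type) + struct.pack("!HH", TYPE_PTR, qclass)


def build_announcement(instance, service_type, host, port, txt, ttl=4500):
    """Response carrying the PTR, SRV and TXT records with which a service announces itself."""
    inst_name = f"{instance}.{service_type}"
    offsets = {}
    pkt = struct.pack("!HHHHHH", 0, 0x8400, 0, 3, 0, 0)   # QR=1 AA=1, no question, 3 answers

    def rr(name, rtype, rdata_at, unique):
        nonlocal pkt
        pkt += encode_name(name, offsets, len(pkt))
        rclass = CLASS_IN | (0x8000 if unique else 0)      # cache-flush bit on unique records
        rdata = rdata_at(len(pkt) + 10)                    # rdata follows the 10-byte RR header
        pkt += struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

    txt_bytes = b"".join(bytes([len(s)]) + s.encode() for s in (f"{k}={v}" for k, v in txt.items()))
    rr(service_type, TYPE_PTR, lambda b: encode_name(inst_name, offsets, b), False)
    rr(inst_name, TYPE_SRV, lambda b: struct.pack("!HHH", 0, 0, port) + encode_name(host, offsets, b + 6), True)
    rr(inst_name, TYPE_TXT, lambda b: txt_bytes, True)
    return pkt


def parse_packet(data):
    """Parse a raw mDNS packet into its questions and resource records."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4]); offset += 4
        questions.append({"name": name, "type": TYPE_NAMES.get(qtype, qtype), "unicast": bool(qclass & 0x8000)})
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10]); offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == TYPE_PTR:
            value, _ = decode_name(data, offset)
        elif rtype == TYPE_SRV:
            _, _, port = struct.unpack("!HHH", rdata[:6])
            value = {"port": port, "target": decode_name(data, offset + 6)[0]}
        elif rtype == TYPE_TXT:
            value, i = {}, 0
            while i < len(rdata):                           # length-prefixed key=value strings
                n = rdata[i]; k, _, v = rdata[i + 1:i + 1 + n].decode().partition("="); i += 1 + n
                value[k] = v
        else:
            value = rdata
        records.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype), "ttl": ttl,
                        "cache_flush": bool(rclass & 0x8000), "data": value})
        offset += rdlen
    return {"response": bool(flags & 0x8000), "questions": questions, "records": records}


def open_mdns_socket():
    """Join the IPv4 mDNS group on all interfaces (only for live probing)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", MDNS_PORT))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                 socket.inet_aton(MDNS_GROUP_V4) + socket.inet_aton("0.0.0.0"))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)   # RFC 6762 section 11
    return s


if __name__ == "__main__":
    ann = build_announcement("Living Room", "_airplay._tcp.local.", "appletv-1234.local.", 7000,
                             {"model": "AppleTV3,2", "srcvers": "220.68"})   # constructed sample values
    for r in parse_packet(ann)["records"]:
        print(r["type"], r["name"], "->", r["data"])
    print(parse_packet(build_query("_airplay._tcp.local.", unicast_response=True))["questions"])
```

Running the script prints the three records of the constructed announcement; on a real network you would send `build_query(...)` from `open_mdns_socket()` to `(MDNS_GROUP_V4, MDNS_PORT)` and feed whatever arrives into `parse_packet`. Note that the announcement has no question section at all (QDCOUNT 0), which is normal for mDNS responses, and that the SRV and TXT records carry the cache-flush bit while the shared PTR record does not.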

mDNS and Bonjour are therefore designed for small local networks where all devices share one subnet. Enterprise networks are different: because mDNS is confined to the local link and is not routed, Apple devices in different VLANs never see each other's advertisements and cannot connect to each other's services. Beyond that, mDNS also has a considerable impact on the wired and wireless infrastructure itself.

IGMP snooping, widely enabled on LAN switches to constrain multicast, does not help with mDNS: 224.0.0.251 lies in the link-local range 224.0.0.0/24, which switches flood to every port in the VLAN regardless of group membership (RFC 4541). In a wireless environment the same frames are transmitted as multicast at low basic data rates so that every client can receive them, and moving Bonjour traffic between VLANs becomes a challenge for the enterprise.

To address these issues, various wired and wireless solution providers have developed Bonjour gateways, which allow administrators to manage and control the availability of Apple services (such as AirPrint, AirPlay, file sharing, collaboration applications and so on) across an entire enterprise network. A Bonjour gateway is essentially a software function that runs on a WLAN controller appliance or directly on the wireless access points.

These gateways make Bonjour effectively routable without clients needing to know anything about addressing, naming or location: the gateway listens for advertisements on each VLAN, caches them, and answers queries from other VLANs on the advertising device's behalf. Where possible they also convert multicast to unicast, limiting the amount of multicast traffic.

An important consideration when designing a Bonjour deployment is to forward only the services that actually need to cross VLANs, and to include only the VLANs that need them. Forwarding all mDNS multicast traffic without filtering would significantly increase the multicast load on every VLAN, especially when there is a large number of Apple devices on the network.

There are security implications as well. Users may not realise that their devices are advertising their presence: an mDNS announcement carries the device's hostname and, in its TXT record, details such as the device model, and once a gateway reflects it into other VLANs it is visible to everyone on those VLANs, not just the local subnet. Without the appropriate security settings on the advertised service, a user's personal content could be exposed to that much larger population. Restricting services such as iTunes media sharing (_daap._tcp) from being forwarded reduces this exposure and visibility.
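The two design rules above (forward only the services and VLANs that need it, and keep exposure-prone services such as iTunes sharing off the reflected list) are easiest to reason about as a small policy engine. The following is an added example, not the code of any vendor's Bonjour gateway: a toy reflector that caches announcements per source VLAN, drops anything outside a default-deny allow-list, honours TTL expiry and goodbye packets, and answers queries from other VLANs by unicast. The policy table and the advertisements are constructed sample data.

```python
import time
from collections import defaultdict

# Allow-list: service type -> set of VLANs into which it may be reflected.
# Anything not listed is never forwarded (default deny). Constructed sample policy.
POLICY = {
    "_airplay._tcp.local.": {10, 20},       # AirPlay video: staff and conference VLANs only
    "_raop._tcp.local.": {10, 20},          # AirPlay audio
    "_ipp._tcp.local.": {10, 20, 30},       # AirPrint: also reachable from the guest VLAN
    # "_daap._tcp.local." (iTunes media sharing) is deliberately absent
}


def service_type_of(instance_name):
    """'Living Room._airplay._tcp.local.' -> '_airplay._tcp.local.'
    The service label is the first one beginning with '_'. Instance labels may legally
    contain '.', so a production reflector should keep the label list rather than a string."""
    labels = instance_name.rstrip(".").split(".")
    for i, label in enumerate(labels):
        if label.startswith("_"):
            return ".".join(labels[i:]) + "."
    raise ValueError(f"not a DNS-SD instance name: {instance_name}")


class BonjourGateway:
    """Minimal reflector: cache what each VLAN announces, answer PTR queries from
    other VLANs by unicast, and only for service/VLAN pairs the policy allows."""

    def __init__(self, policy, now=time.monotonic):
        self.policy = policy
        self.now = now                      # injectable clock so expiry can be tested
        self.cache = {}                     # (service_type, instance_name) -> entry
        self.stats = defaultdict(int)

    def on_advertisement(self, src_vlan, instance_name, ttl, rdata):
        """A multicast announcement was seen on src_vlan. Returns True if it was cached."""
        stype = service_type_of(instance_name)
        key = (stype, instance_name)
        if stype not in self.policy:
            self.stats["dropped_by_policy"] += 1
            return False
        if ttl == 0:                        # goodbye packet (RFC 6762 s10.1): withdraw the service
            self.cache.pop(key, None)
            self.stats["withdrawn"] += 1
            return False
        self.cache[key] = {"src_vlan": src_vlan, "rdata": rdata, "expires": self.now() + ttl}
        self.stats["cached"] += 1
        return True

    def answer_query(self, querier_vlan, service_type):
        """A PTR query for service_type arrived from querier_vlan; return the unicast answers."""
        now = self.now()
        answers = []
        for (stype, inst), entry in list(self.cache.items()):
            if entry["expires"] <= now:
                del self.cache[(stype, inst)]   # never re-advertise a service that has gone stale
                continue
            if stype != service_type:
                continue
            if entry["src_vlan"] == querier_vlan:
                continue                        # the querier's own VLAN already saw the multicast
            if querier_vlan not in self.policy[stype]:
                self.stats["denied_queries"] += 1
                continue
            answers.append({"instance": inst, "ttl": int(entry["expires"] - now), **entry["rdata"]})
        self.stats["unicast_answers"] += len(answers)
        return answers


if __name__ == "__main__":
    gw = BonjourGateway(POLICY)
    gw.on_advertisement(10, "Living Room._airplay._tcp.local.", 4500, {"host": "appletv-1234.local.", "port": 7000})
    gw.on_advertisement(10, "Alice Library._daap._tcp.local.", 4500, {"host": "alice-mbp.local.", "port": 3689})
    print("conference VLAN 20 sees:", gw.answer_query(20, "_airplay._tcp.local."))
    print("guest VLAN 30 sees:", gw.answer_query(30, "_airplay._tcp.local."))
    print("iTunes sharing visible anywhere:", gw.answer_query(20, "_daap._tcp.local."))
    print(dict(gw.stats))
```

The important properties are that the policy is an allow-list keyed by service type and destination VLAN, that a querier in the advertising VLAN gets nothing from the gateway (it already received the multicast), and that entries disappear on TTL expiry or a goodbye packet, so the reflector never keeps advertising a device that has left the network.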