Aerohive K-12 Education Deployment Guide Part 5: Bonjour Gateway

To learn more about Aerohive products, visit www.aerohive.com/techdocs

© 2016 Aerohive Networks, Inc. p/n 330152-05, Rev. A

This is the fifth part in a series of guides explaining how to deploy Aerohive products within K-12 education environments. The deployment encompasses a school district office and three types of schools—elementary schools, middle schools, and high schools—with particular emphasis on the high school, which is the pilot site for the others.

This part of the series describes how to make Bonjour services available between different subnets/VLANs by defining one Aerohive AP as a Bonjour Gateway.

The settings are based on HiveManager Online 6.6r3, HiveOS 6.6r2 for the Aerohive access points, and 6.6r1 for the Aerohive switches. (HiveManager 6.6r3 can manage devices running HiveOS 6.6r3 as well as those running earlier HiveOS versions.)



When viewing this guide online, click any screen capture to see the related Help topic for details.


Acknowledgements

I would like to thank the following people for their many contributions to this series: Jonathan Hurtt, Ruchi Sharma, Metka Dragos, Andrew Garcia, Joe Zhao, Deven Ducommun, Gregor Vucajnk, Bryan Harkins, John Grass, Jeff Haydel, Rich Korb, Mike Sun, David Coleman, Matt Hanna, and Paul Levasseur. If you find value in these guides, it is because of their expert input and careful reviews. It has been my privilege to work with them at Aerohive.


Contents

Introduction
Bonjour Technology and Bonjour Gateways
Setting up Bonjour Gateway
    Bonjour Gateway Profile
    Firewall Rules
    Bonjour Designated Device
Monitoring Bonjour Services
    Bonjour Gateway Monitor in HiveManager
    Bonjour Services Browser on Client Devices


Introduction

By adding an Aerohive Bonjour Gateway to the network, you can make services for devices like printers and Apple TVs in the infrastructure devices subnet available to teachers, staff, and students in their respective subnets.

This guide continues the configuration of Aerohive devices within the context of an example high school, which serves as the pilot for all the schools in its district. It is the fifth part in a series of guides and follows Aerohive K-12 Education Deployment Guide, Part 4: High-density Radio Profiles. Previous parts of this series explained how to plan the network, configure its wireless and wired components in a network policy, and define radio profiles for two high-density areas in the school. In this part, you will add a Bonjour Gateway to the same network policy created in the earlier parts of this series.

Bonjour Technology and Bonjour Gateways

Key Points: Bonjour is a technology that devices can use to create IP addresses and host names for themselves so they can join a network and advertise and discover services without any manual intervention. Bonjour advertises services within a Layer 2 broadcast domain, and Bonjour Gateways extend these advertisements to other domains.

Bonjour is the Apple term for Zero Configuration Networking, or Zeroconf. Zeroconf ensures that each device that connects to a network can obtain an IP address and domain name and can then discover services available on its local network. The host can obtain an IP address from a DHCP server, a manual configuration, or—as a fallback option if neither of the first two methods is used—by using link-local addressing to assign itself an address. It can then receive a globally unique domain name from a DNS server or it can assign itself a locally unique domain name in the Zeroconf namespace using mDNS (multicast Domain Name System) to claim a name and then announce it to other devices on its local network. After that, the host can use mDNS queries and responses to discover services running on other devices in its local network and to advertise services it is running itself.

Bonjour works well for devices communicating within a single subnet/VLAN; however, hosts in one Layer 2 broadcast domain cannot discover services advertised within another. Aerohive Bonjour Gateways provide a means for detecting mDNS service queries and responses and then relaying them across Layer 3 boundaries so that hosts can make use of services available in other network segments as well as in their own.

Note: A Bonjour Gateway does not route traffic; it merely relays mDNS queries and responses.

For the school network described in this guide, you will employ a Bonjour Gateway to make Apple TV and printer services in the Infrastructure Devices subnet (10.1.20.0/24 VLAN 120) available to teachers and staff in 10.1.10.0/23 VLAN 110 and to students in 10.2.0.0/21 VLAN 200.

Note: For a Bonjour Gateway to provide access to services across subnet/VLAN boundaries, the hosts on the network cannot have link-local IP addresses. They must use DHCP or static addresses so that traffic can be routed between them.


A BDD (Bonjour Designated Device) is an Aerohive device that scans for mDNS service queries and responses in the subnets/VLANs to which it is connected and then broadcasts them on different subnets/VLANs.

A BDD shares the service announcements it receives with other Aerohive APs in the same management VLAN. It can also exchange service advertisements with BDDs in other management VLANs as long as they are within radio range, are defined as Layer 3 roaming neighbors, or are in the same topology map in HiveManager and are in the same realm. However, because all the Aerohive devices in this guide are in the same management VLAN and participate in all the same data VLANs, sending service advertisements between BDDs is unnecessary. You only need a single BDD for the entire campus.

Which device should be the BDD? If more than one device in a management subnet/VLAN is capable of becoming a BDD, the hive members elect a BDD based on device priority, with different models having different priorities. In the example deployment here, there are AP230 and AP130 access points and SR2148P switches. The default priority is 21 for an AP230 and 10 for an AP130. (Switches cannot be Bonjour Gateways.) With a number closer to 255 being higher in priority, one of the AP230 devices would be elected BDD; and among them, it would be whichever AP230 has the lowest MAC address.

Although the Bonjour Gateway mechanism is stateless (it relays mDNS queries and responses without storing them), and thus the processing load is light, it is preferable to have the BDD be an AP230 that is not in one of the two high-density areas. Simply set a high priority on one of the AP230 devices outside a high-density area. In this particular example, an AP230 near the MDF was chosen to be the BDD because it is conveniently close to the room where the school network administrators work; but it could also be elsewhere, such as in a multimedia center for example.

In addition to choosing which device will be the BDD, you also choose which service advertisements it will forward from one VLAN/subnet to another. The configuration is simple and is explained in the following sections.

Setting up Bonjour Gateway

Key Points: Create a Bonjour Gateway profile and add it to the network policy, modify a firewall policy, and choose which AP will be the BDD (Bonjour Designated Device).

Bonjour Gateway Profile

Every network policy has a Bonjour Gateway component by default. It references the predefined Bonjour Gateway profile QS-Bonjour-Service, which shares only Aerohive services among hive members in the same management subnet and is mainly used for deployments requiring Internet-bound traffic to pass through an HTTP proxy (see sidebar).

For cases where you want Aerohive devices to forward other types of Bonjour-advertised services across Layer 2 boundaries, you must use a different Bonjour Gateway profile. You can use the predefined QS-Bonjour-Only profile, which supports Aerohive services and a number of other common ones, or create a new profile.

HTTP Proxy – Client Settings

When an HTTP proxy server is on the perimeter of a private network, data forwarding devices must be configured to send all Internet-bound traffic through it. Aerohive uses Bonjour to ease the configuration of HTTP proxy settings on all hive members deployed in such an environment.

1. Configure HTTP proxy settings on one hive member.

2. That hive member uses Bonjour to advertise the proxy services to other hive members in the same management VLAN.

3. The other hive members retrieve the HTTP proxy settings from the one with the configuration and add those settings to their configuration so they can also use the HTTP proxy. This saves you all the time and effort of configuring HTTP proxy settings on devices one by one.


For the school deployment described here, create a new Bonjour Gateway profile that shares service advertisements for Apple TVs and printers in the infrastructure devices VLAN (120) with teachers and staff in VLAN 110 and students in VLAN 200. Add it to the HighSchoolDeployment network policy, which was created earlier in this series, and list VLANs 120, 110, and 200 as the ones in which you want the Bonjour Gateway to participate. You then create three filter rules defining the types of services the Bonjour Gateway shares from VLAN 120 (infrastructure devices) and VLANs 110 and 200 (teachers and staff, and students).

Double-check that Bonjour Gateway is still enabled in the network policy by clicking Configuration > HighSchoolDeployment > > Edit.

Because Bonjour Gateway was enabled when the network policy was initially created earlier, it should still be enabled now.

The above network policy includes settings for Aerohive access points to provide wireless access to the network, settings for Aerohive switches to provide wired network access and data forwarding, and settings for one or more Aerohive devices (a single AP230 in this particular case) to provide Bonjour Gateway services.


In the Bonjour Gateway section of the network policy, click Choose > New, create the following Bonjour Gateway profile, and save it.

Note: AirPlay requires two services to function: *._airplay._tcp. and *._raop._tcp. Be sure that the Bonjour Gateway shares both of them. Mirroring content to Apple TVs that are wired to the network also requires a change to the firewall policy applied to the Students and Student-iPads user profiles, as explained in the next section.

HiveManager automatically adds the newly configured Bonjour Gateway profile to the network policy where you can see it in the Bonjour Gateway section.

When there are several BDDs in multiple realms, you can limit how they apply filter rules by distance (the management subnets of two BDDs must be within the maximum number of wireless hops apart from each other to share services) and by realm name. However, in the configuration here, these settings are irrelevant because there is a single BDD in a single realm. Therefore, you can leave the Max Wireless Hop field empty and set the realm as [-any-]. For more information, see the HiveManager Help.

Although the APs belong to other VLANs as well (130 = security cameras, 999 = guests), the Bonjour Gateway only participates in these three.
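The filter-rule behavior described in this section can be modeled and audited offline. The following is an added example, not Aerohive code and not taken from the original guide: the FilterRule structure, the function names, and the exact three-rule set are assumptions (the guide names the AirPlay pair and shows _ipp._tcp. later; the sample advertisement names are constructed).

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# VLANs the guide lists for the Bonjour Gateway: infrastructure, staff, students.
PARTICIPATING_VLANS = frozenset({120, 110, 200})
# The guide's note: AirPlay only works when both of these are shared.
AIRPLAY_PAIR = ("*._airplay._tcp.", "*._raop._tcp.")


@dataclass(frozen=True)
class FilterRule:
    service: str          # service pattern in the guide's notation
    from_vlan: int        # VLAN where the advertisement is heard
    to_vlans: frozenset   # VLANs it is relayed into


# ASSUMPTION: constructed rule set matching the guide's description of sharing
# Apple TV and printer services from VLAN 120 with VLANs 110 and 200.
RULES = [
    FilterRule("*._airplay._tcp.", 120, frozenset({110, 200})),
    FilterRule("*._raop._tcp.", 120, frozenset({110, 200})),
    FilterRule("*._ipp._tcp.", 120, frozenset({110, 200})),
]


def relay_targets(rules, instance, src_vlan):
    """Return the VLANs into which an advertisement heard in src_vlan is relayed.

    Anything not matched by a rule is not relayed (default is no sharing).
    """
    if src_vlan not in PARTICIPATING_VLANS:
        return set()
    if instance.endswith("local."):          # tolerate fully qualified names
        instance = instance[: -len("local.")]
    targets = set()
    for rule in rules:
        if rule.from_vlan == src_vlan and fnmatchcase(instance, rule.service):
            targets |= rule.to_vlans & PARTICIPATING_VLANS
    targets.discard(src_vlan)                # never relay back to the source
    return targets


def audit(rules):
    """Return findings for rules that are broader or less complete than intended."""
    findings = []
    for rule in rules:
        stray = ({rule.from_vlan} | rule.to_vlans) - PARTICIPATING_VLANS
        if stray:
            findings.append(
                f"{rule.service}: VLAN(s) {sorted(stray)} not in gateway VLAN list")
        if rule.service.strip("*.") == "":
            findings.append(
                f"{rule.service!r} from VLAN {rule.from_vlan}: matches every service")
    # AirPlay completeness: each (from, to) pair needs both service types.
    shared = {}
    for rule in rules:
        if rule.service in AIRPLAY_PAIR:
            for dst in rule.to_vlans:
                shared.setdefault((rule.from_vlan, dst), set()).add(rule.service)
    for (src, dst), seen in sorted(shared.items()):
        missing = set(AIRPLAY_PAIR) - seen
        if missing:
            findings.append(f"AirPlay {src}->{dst}: also share {sorted(missing)[0]}")
    return findings


if __name__ == "__main__":
    # Constructed advertisements: (instance name, VLAN where it was heard).
    for name, vlan in [("Room12-AppleTV._raop._tcp.local.", 120),
                       ("Cam3._rtsp._tcp.", 120),
                       ("Student-iPad._airplay._tcp.", 200)]:
        print(name, vlan, "->", sorted(relay_targets(RULES, name, vlan)))
    print(audit(RULES))
```
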


Firewall Rules

The firewall policy in user profiles for students and their iPads, created in part 2 of this deployment series, has a default action that denies all inbound traffic initiated outside the StudentNetwork subnet (10.2.0.0/21).

This rule blocks students from mirroring iPad content to an Apple TV when the TV connects to the network over Ethernet. Because the TV initiates an application service to the iPad and that service must pass through the AP, the firewall policy on the AP comes into play and blocks it. To resolve this, you must add a To-Access firewall policy rule that permits the Apple application from the infrastructure devices subnet to the students subnet.

Note: This rule only pertains to students because their user profile has a firewall policy denying inbound traffic. The user profile for teachers and staff does not.

The illustrations on the next page show why the firewall policy takes effect when an Apple TV has an Ethernet link to the network but not when it has a wireless link.

This firewall rule permits the Apple application service from Apple TVs in InfrastructureDevices (10.1.20.0/24) to iOS devices in StudentNetwork (10.2.0.0/21). This allows mirroring between iPads and Apple TVs when the TVs have Ethernet connections to the network.
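The effect of the To-Access rule can be checked against a small model of the student firewall policy before it is deployed. This is an added example, not Aerohive code and not from the original guide: the Rule structure, first-match evaluation, the rule permitting traffic that originates inside StudentNetwork, the "apple-application" service label, and the host addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

STUDENT_NET = ipaddress.ip_network("10.2.0.0/21")   # StudentNetwork, VLAN 200
INFRA_NET = ipaddress.ip_network("10.1.20.0/24")    # InfrastructureDevices, VLAN 120
# ASSUMPTION: placeholder label for the guide's "Apple application" service.
MIRROR_SERVICE = "apple-application"


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    service: str   # service label, or "any"
    action: str    # "permit" or "deny"


def to_access_policy(with_mirroring_rule):
    """Build the student To-Access policy, with or without the guide's new rule."""
    rules = []
    if with_mirroring_rule:
        # The rule this section adds: Apple TVs -> student iOS devices, one service.
        rules.append(Rule(INFRA_NET, STUDENT_NET, MIRROR_SERVICE, "permit"))
    # ASSUMPTION: traffic initiated inside StudentNetwork is permitted.
    rules.append(Rule(STUDENT_NET, STUDENT_NET, "any", "permit"))
    return rules


def evaluate(rules, src_ip, dst_ip, service, default="deny"):
    """First matching rule wins; otherwise the default action (deny) applies."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst and rule.service in ("any", service):
            return rule.action
    return default


def overbroad_permits(rules):
    """Flag permits from outside StudentNetwork that exceed the guide's scope.

    In scope means: source inside InfrastructureDevices and a named service.
    """
    flagged = []
    for rule in rules:
        if rule.action != "permit" or rule.src.subnet_of(STUDENT_NET):
            continue
        if rule.service == "any" or not rule.src.subnet_of(INFRA_NET):
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    # Constructed hosts: a wired Apple TV and a student iPad.
    tv, ipad = "10.1.20.31", "10.2.3.40"
    for label, policy in (("before", to_access_policy(False)),
                          ("after", to_access_policy(True))):
        print(label, evaluate(policy, tv, ipad, MIRROR_SERVICE))
    print("overbroad:", overbroad_permits(to_access_policy(True)))
```
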


If the Apple TV has a wireless network connection, the firewall rule does not come into play because the iPad and Apple TV establish a direct wireless link to each other for mirrored content, thus bypassing the AP completely. They communicate directly with each other over the 40-MHz 149-153 channel.


Applications that support AirPlay such as videos from YouTube, Vimeo, Netflix, and so on do not require a To-Access rule permitting the Apple application across the firewall. AirPrint does not require the additional rule either. It is strictly required for mirroring content to Apple TVs that have Ethernet connections to the network.

Because peer-to-peer AirPlay uses the 40-MHz channel 149-153, it is a good idea to exclude it from the pool of channels from which ACSP (Aerohive Channel Selection Protocol) dynamically selects, in particular on the APs in classrooms with wireless Apple TVs. You can do this through the supplemental CLI feature. First, enable the supplemental CLI option on the Home > Administration > HiveManager Settings page.

Then enter the following commands in a supplemental CLI profile:

Apply it at the device level for APs in classrooms with wireless Apple TVs. It is in the Advanced Settings section on the device settings page. It is also available in the dialog box when configuring multiple devices.


Note: It is possible to apply the supplemental CLI profile at the network policy level instead of at the device level. However, that would exclude these channels from all APs, not just the ones where they pose a potential issue. For more information about Apple AirPlay, see http://help.apple.com/deployment/ios/#/apd8fc751f59.

Bonjour Designated Device

Hive members in the same management subnet/VLAN elect one of themselves to be the BDD (Bonjour Designated Device). This is the device that monitors specified VLANs for multicast Bonjour services and forwards them to other VLANs based on filter rules. Clients in those VLANs can then access services in other ones as permitted by firewall rules. In addition, the BDD shares services with other BDDs in the same realm but in different management VLANs so that clients in those VLANs can also access the advertised services. In this example, there is a single management VLAN, so there is only one BDD.

All the hive members in a management subnet/VLAN elect one device to be their BDD, basing their choice on device priorities. Each model has a different default priority, which you can modify. If all the devices have the same priority, then whatever device has the lowest MAC address becomes the BDD.

However, rather than allow the election process to choose a BDD on its own, set a high priority for one of the devices to ensure that it gets elected. In this example, it is an AP230 near the MDF (main distribution frame).

Upload the network policy with the Bonjour Gateway profile to all the devices in the network along with the device-level settings for the AP that is going to function as the BDD.

On the HS-All map set AP Labels to Host Name.

Note the name of the AP230 in the classroom near the MDF.

On the device settings page for that AP, set the Bonjour Gateway priority to 200.
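The election rule described in this section and under "Which device should be the BDD?" earlier can be reproduced to predict which device will relay Bonjour traffic before and after the priority change. This is an added example, not Aerohive code and not from the original guide: the host names, MAC addresses, the 0 lower bound on priority, and the function names are constructed assumptions; the default priorities and the value 200 come from the guide.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Default Bonjour Gateway priorities stated in the guide. Models that are not
# listed here (such as the SR2148P switch) cannot be Bonjour Gateways.
DEFAULT_PRIORITY = {"AP230": 21, "AP130": 10}


@dataclass(frozen=True)
class Device:
    hostname: str
    model: str
    mac: str
    priority: Optional[int] = None   # device-level override, if configured


def mac_value(mac):
    """Convert a MAC address in colon, dash, or dotted form to an integer."""
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)


def effective_priority(dev):
    """Return the priority used in the election, or None if not eligible."""
    if dev.model not in DEFAULT_PRIORITY:
        return None
    prio = DEFAULT_PRIORITY[dev.model] if dev.priority is None else dev.priority
    if not 0 <= prio <= 255:   # ASSUMPTION: 0 as the lower bound
        raise ValueError(f"{dev.hostname}: priority {prio} out of range")
    return prio


def elect_bdd(devices):
    """Highest priority wins; among equal priorities the lowest MAC wins."""
    eligible = [(d, effective_priority(d)) for d in devices]
    eligible = [(d, p) for d, p in eligible if p is not None]
    if not eligible:
        return None
    return min(eligible, key=lambda e: (-e[1], mac_value(e[0].mac)))[0]


def with_priority(devices, hostname, priority):
    """Return a copy of the fleet with one device's priority overridden."""
    return [replace(d, priority=priority) if d.hostname == hostname else d
            for d in devices]


# Constructed fleet in one management VLAN (locally administered MACs).
FLEET = [
    Device("HS-MDF-AP230", "AP230", "02:00:00:00:23:0c"),
    Device("HS-Gym-AP230", "AP230", "02:00:00:00:23:01"),
    Device("HS-Rm14-AP130", "AP130", "02:00:00:00:13:00"),
    Device("HS-SW1", "SR2148P", "02:00:00:00:00:01", priority=255),
]

if __name__ == "__main__":
    print("default election:", elect_bdd(FLEET).hostname)
    pinned = with_priority(FLEET, "HS-MDF-AP230", 200)
    print("after setting 200:", elect_bdd(pinned).hostname)
```
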


Monitoring Bonjour Services

Key Points: See the Bonjour services that were discovered by the BDD and those discovered by client devices.

HiveManager provides a view of all the Bonjour services discovered by BDDs. You can also use a Bonjour services browser on client devices in different parts of the network and see which Bonjour services are available there.

Bonjour Gateway Monitor in HiveManager

On the Monitor > Bonjour Gateway page, you can see all the Bonjour services that the BDD has discovered and which of them it is sharing.

You can filter which services are displayed in several ways—by realm and BDD, and if they are shared with different destination VLANs. In the example deployment here, there is a single realm and BDD so they cannot be used for filtering the display in this case. However, you can view all the services discovered in a source VLAN or just those that have been discovered and shared in destination VLANs. Each device can advertise multiple Bonjour services, as can be seen by the various services listed above for the Epson printer. You can reduce the number of Bonjour services displayed to just the ones that the BDD shares by selecting Display Shared Services Only.

The above three service types are exactly the same ones you set in the Bonjour Gateway profile earlier:

If there were multiple BDDs, you could filter the display by selecting only the ones whose detected services you wanted to view. In this case, however, there is only one BDD for the entire campus.


To see details about a service and its destination VLAN group, click the yellow arrows to expand those sections.


Bonjour Services Browser on Client Devices

Another way to check that Bonjour services from a source VLAN are available in destination VLANs is to connect a wireless client in the destination VLAN and use a Bonjour services browser such as Discovery – Bonjour Browser by Tildesoft. The Bonjour services below appeared on a client in the StudentNetwork subnet (10.2.0.0/21):

You can then drill down into any of the services to see details about it, including the IP address of the device hosting the service. In the case of the _ipp._tcp. service viewed on a client in the StudentNetwork subnet (10.2.0.0/21), you can see that it was advertised by an Epson XP-630 printer in the InfrastructureDevices subnet (10.1.20.0/24):

Bonjour Gateways are simple to configure, easy to monitor, and provide users quick access to services on devices in different parts of the network, regardless of the Layer 3 boundaries between them.