Network wide Bonjour® – How would you support Bonjour across multiple VLANs?
As the saying goes, “every stick has two ends”. While laptops, smartphones and tablets have enabled us to be more mobile without compromising on being “connected”, with that mobility come challenges such as Wi-Fi accessibility, power consumption and your ability to find network-based services, like a printer, wherever you happen to be.
To let an end user discover Services on a network, various Service Discovery protocols have been introduced. One of the most popular is DNS-SD (DNS-Service Discovery), which in conjunction with mDNS (multicast DNS) makes up Apple’s offering called Bonjour. Bonjour enables end users to discover Services on their local network. Bonjour was designed with smaller networks (e.g. Home Networks) in mind, but with the advent of mobile customers wanting to discover services in close proximity, it becomes an ideal option for that as well. However, because Bonjour relies on mDNS, which is constrained to a single VLAN, customers are not able to discover services across multiple VLANs.
There are a few approaches being proposed to support Bonjour across multiple VLANs:
- One approach, as shown in Figure 1, is to allow the L3 aware network device where multiple VLANs are connected (e.g. L3 switch, WLAN Controller) to forward the Bonjour queries and responses across the VLANs. Essentially, the network device acts as a pass-through for Bonjour, allowing “bridging” of link-local multicasts across L3 boundaries. The benefit of this approach is that it is relatively easy to deploy. The CON is that every VLAN will learn about all the advertised Services, which limits the solution’s scalability, and link-local multicasts are flooded across the network.
- A second approach builds on the first: to manage the Bonjour traffic crossing the VLANs, the L3 aware network device can default to supporting only a subset of Services (e.g. Printers) by using access control filters. For example, in Figure 2 below, Printers are shared across VLANs while Apple TV is not. The benefit of this approach is that, while it is still relatively easy to deploy, the volume of DNS-SD traffic can be controlled. The CON is that the customer will need to know in advance which Services they are interested in sharing across the VLANs and implement the filtering policy.
- A third approach is for the L3 aware network device to take a more active role by maintaining a directory of the learned services from all the connected VLANs. The benefit is that the L3 device responds to Bonjour queries itself, acting as a proxy for services not local to the requesting client’s VLAN. In Figure 3 below, the L3 aware device acts as a standard Bonjour client. It will query for available Services on VLANs 1 and 2 and pre-populate a local directory of services from all the VLANs. For example, if the “smartphone” sends a Service request for Printers, that Query is responded to directly by the L3 aware device, transparent to the services on the other VLANs. In this example, as “Printer 2” and “AppleTV 1” were pre-populated in the directory, the L3 aware device responded to the query for printers with “Printer 2”. However, since in this example responses to requests for “Apple TV” have been filtered out by the customer, a query sent for AppleTV will be ignored. On the PRO side, the customer devices are not burdened with responding to Bonjour queries from other VLANs, so the solution scales well. On the CON side, the proxy function does require proper processor and memory sizing to support the functionality.
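To make the second and third approaches concrete, here is a small added simulation (not code from the original post or from any vendor product) of a proxy that keeps a per-VLAN service directory, applies a service-type sharing policy, and answers queries only for services outside the client’s VLAN. The service types, TTLs and VLAN placements are assumed sample values; “Printer 1” on VLAN 1 is a constructed addition to the post’s “Printer 2” and “AppleTV 1” on VLAN 2.

```python
from dataclasses import dataclass

# Well-known DNS-SD service types used as sample values for this example.
PRINTER = "_ipp._tcp.local."       # IPP printers
APPLETV = "_airplay._tcp.local."   # AirPlay receivers such as Apple TV


@dataclass(frozen=True)
class Service:
    instance: str   # instance name, e.g. "Printer 2"
    stype: str      # DNS-SD service type (the PTR record owner name)
    vlan: int       # VLAN on which the mDNS announcement was heard


class BonjourProxy:
    """Third approach from the post: learn services from every VLAN into a
    directory and answer queries on behalf of non-local services, subject
    to the per-service-type filter policy of the second approach."""

    def __init__(self, shared_types):
        self.shared_types = set(shared_types)   # types allowed across VLANs
        self.directory = {}                     # Service -> expiry time (s)

    def learn(self, svc, ttl, now):
        # Pre-populate from announcements on any VLAN. Every service is
        # recorded; the filter is applied when answering, as in the post.
        self.directory[svc] = now + ttl

    def expire(self, now):
        # mDNS records carry a TTL; drop stale entries so the directory
        # (and the memory it needs) reflects only live services.
        self.directory = {s: t for s, t in self.directory.items() if t > now}

    def answer(self, stype, client_vlan, now):
        """Return PTR-style (type, instance) answers for a query heard on
        client_vlan, or [] when the type is not shared (query ignored).
        Services on the client's own VLAN are omitted: they answer the
        original multicast query themselves."""
        if stype not in self.shared_types:
            return []
        self.expire(now)
        return sorted((s.stype, s.instance) for s in self.directory
                      if s.stype == stype and s.vlan != client_vlan)
```

The filter policy is the security control here: a service type left out of `shared_types` never leaves its own VLAN, regardless of what the directory has learned.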
Which approach should be used depends on your network deployment. For small networks (e.g. Home networks) the first approach could suffice, while the second approach provides some service filtering options to control which services are shared. The third approach will enable the Bonjour solution to scale.
Irrespective of which approach is used to discover services across VLANs, additional challenges that need to be considered are: location, volume of services and security. With respect to location of the Services, when you discover services across VLANs, in many cases you want to assure the services are in close proximity to you. Do you need to learn about printers across your network versus just printers adjacent to you?
On volume, when sending a query for services, your device will learn about services across your network. Managing the number of Services learned by your client can be a challenge. When considering the security requirements, should Services that have restricted access only be advertised to customers that are authorized to utilize the Service? If so, do we need to tie the Service authorization to Service accessibility to assure that only those authorized to learn about a Service have network connectivity to the Service?
While Bonjour has been very successful in small mobile work environments, the requirement to extend Bonjour network coverage drives the need for support across multiple VLANs, which introduces additional challenges. They include support for services by location, the volume of services you learn about and security. Extensions to DNS-SD are being explored at the IETF to facilitate sharing of services across multiple VLANs. As Bonjour becomes more ubiquitous, the solutions to enable support across your network will evolve. Subscribe to our blog and check back over the next few months, as we provide updates and information on the Bonjour solution offering.