Wireless Access

Hello all

new to this social network, being using Aruba since Spring 2009

Have a question about AirPlay.

Would like to hear from community pros and cons of configuring Aruba so AirPlay will work.

Quick background about our setup,

Using 12 Vlan for our 802.1x network.

Two 6000 with about 600 AP mostly 125

All vlans are /23 except one which is /22 (say vlan1)

All vlans dhcp ip pool is /23, including the Vlan1

Using “aaa derivation-rules user” profile the force devices to Vlan1

Plane to connect the Apple TV to Wire on Vlan1

I know we need to have multicast enabled.

Our user Max is about 2000 mostly on our 802.1x network.

Any thought will be appreciated.

Thank you.

Behzad Barzideh

The problem isn't going to be AirPlay. The problem is going to be all the other applications that start killing your wireless network once you enable broadcast and multicast, unless you can figure out a way to block all those other apps.

---

@bbarzideh wrote:

Hello all

 

new to this social network, being using Aruba since Spring 2009

 

Have a question about AirPlay.

Would like to hear from community pros and cons of configuring Aruba so AirPlay will work.

Quick background about our setup,

Using 12 Vlan for our 802.1x network.

Two 6000 with about 600 AP mostly 125

All vlans are /23 except one which is /22 (say vlan1)

All vlans dhcp ip pool is /23, including the Vlan1

Using “aaa derivation-rules user” profile the force devices to Vlan1

Plane to connect the Apple TV to Wire on Vlan1

I know we need to have multicast enabled.

Our user Max is about 2000 mostly on our 802.1x network.

 

Any thought will be appreciated.

 

Thank you.

Behzad Barzideh

 

 

---

The biggest issue with Airplay  is that both devices need to be on the same subnet to find each other, which is not really possible with VLAN pooling.  Bonjour, on which Airplay depends is NOT an enterprise protocol and as such, does not have enterprise support from Apple.  There are too many tradeoffs that have to be made to deploy Airplay for a protocol that is intended only for the home.

I agree with Colin. It is not designed for enterprise use.

Unfortunately, even though it is intended for home use only, I'm sure it is only a matter of time before I have professors demanding AirPlay support. I already have one professor who does presentations from his iPad via the VGA adapter.

I did find that Panasonic does have their own wireless projector app for iOS. However, it has limited file support; and being that I have no wireless Panasonic projectors set up, there is no way for me to see if the projector discovery is doing a subnet scan or a broadcast scan (my guess would be the latter as it came up with "no projectors found" very quickly on my /22 wireless network).

I understand all and agree. However, we are there. I need to present Proc and Cons (tradeoffs) to the upper managment. So Colin, Could you please provied few bullet points of the tradeoffs.

Thank you.

This is probably not an all-inclusive list.  Hopefully others will come up with more, or correct me.

- Broadcast traffic and performance are mortal enemies.  Supporting a few users who want to do iPad mirroring, for example could end up penalizing productivity for a large number of users who do not participate.

- Will need to support a single subnet spanning your entire infrastructure, for both wired and wireless devices.

- No troubleshooting mechanism or tools to help determine connectivity issues.

- No centralized monitoring, management of such devices like number of devices online, number of devices connected, quality of service provided, etc.

- No centralized admission control for those devices - If you wanted to only allow certain people to be able to connect/disconnect, you could not do that

- Little Security - Any device on the same subnet can enumerate all devices.  Anyone with physical access to a device can easily pair and control the device fairly quickly.

- As the number of Airplay-compatible devices increases on the network, it will be more and more difficult for users to find and connect to their own devices, as the list gets longer.  It will be only a matter of time where a naming convention for iDevices will have to be managed for those users, and it probably would be assigned to an fte in IT to do so.

- If a user decides to consume an inordinate amount of bandwidth using an application such as video, there is no easy way to immediately identify that user and constrict it on the fly.

A quick search of the Apple forums reveals this:  https://discussions.apple.com/thread/3538172?start=0&tstart=0

Thank you this is good start.

FYI, I have created a setup which will allow this to work. But I had to allow Broadcast and Multicast which I do not like at all.

I will look forward to more input for the Pros and Cons. In hope of hearing few Pros.(not likely, I know).

Thank you again.

Buzz

Hi Buzz,

I definitely feel your pain on this issue. My University, Washington and Lee, is starting to hear rumblings of Airplay requests from faculty. I witnessed a few demos at Educause that used display mirroring from an iPad over an Apple TV and was really impressed with what it adds to the teaching experience.

First off, I completely agree with everything that Colin mentioned. We have two SSIDs that are using VLAN pools to provide client IPs. As Colin mentioned, that is going to make it hard to come up with a solution. Also, we use the following firewall directives on each of our controllers:

firewall deny-inter-user-bridging
firewall deny-inter-user-traffic

This blocks all client to client communication.

Here's how we're dealing with Airplay now: we have a couple of demo "carts" that have a Linksys router with an Apple TV connected via an Ethernet cable. The problem with this solution is that it is not scalable and is a kludge, at best.

Here's what I've been thinking as a potential future solution:

1. Remove the above firewall commands.

2. Write an ACL that would be a deny user to user traffic for all of our current roles. 

3. Add two new user roles, one for the iPads and one for the Apple TVs. These new roles would allow our Help Desk to easily monitor the devices in Airwave.

4. Add the MAC addresses of the Apple TV and the iPads to the internal DB on the master controller. 

5. Here's what I'm not sure about... I would try hard coding the VLAN into the new roles that were created in step #3. I'm not sure if this would work with VLAN pooling enabled.

I think we could have a semi-scalable solution if step #5 would work.

My partner in crime at the University brought up another idea. He mentioned we could come up with a mobile cart comprised of Aruba gear. We could then provide a WPA2-PSK network that would be managed through the Aruba infrastructure and could provide a wireless network for the Apple TV and iPad. The only downside of this would be the additional cost of the access points in the cart and the potential of having a lot of gear "down" in Airwave.

-Mike

Thank you for sharing your though.

To set a vlan for a given MAC you can use this command

aaa derivation-rules user "name of derivation profile referenced in aaa profile"

  set vlan condition macaddr equals "00:0B:XX:XX:XX:XX" set-value 3026

  set vlan condition macaddr equals "00:0B:XX:XX:XX:XY" set-value 3026

I know if works since I have test it.

My problem is the MC/BC. I like your idea of paring Apple TV and Aruba AP.

I but this module does not address the MC/BC.

So, I was taking to our SE and ACE and they suggest using a RAP, creating a different SSID just for the RAP and placing the Apple TV and iPad inside (behind) the RAP. In assents, the RAP is a Router which will be managed by Aruba system. I think this will be much better since

a) we do not have to enable  inter-user-bridging and inter-user-traffic.

b)if I could connect AppleTV to wire of RAP2, iPad still can connect to 802.1x network.

c)BC/MC will be localize to this area

d) this most likely will be fixed in any given room so RAP will be up

e) AirPlay List will be small.

What about this, would it work?

---

@bbarzideh wrote:

Thank you for sharing your though.

To set a vlan for a given MAC you can use this command

 

aaa derivation-rules user "name of derivation profile referenced in aaa profile"

  set vlan condition macaddr equals "00:0B:XX:XX:XX:XX" set-value 3026

  set vlan condition macaddr equals "00:0B:XX:XX:XX:XY" set-value 3026

 

I know if works since I have test it.

My problem is the MC/BC. I like your idea of paring Apple TV and Aruba AP.

I but this module does not address the MC/BC.

So, I was taking to our SE and ACE and they suggest using a RAP, creating a different SSID just for the RAP and placing the Apple TV and iPad inside (behind) the RAP. In assents, the RAP is a Router which will be managed by Aruba system. I think this will be much better since

a) we do not have to enable  inter-user-bridging and inter-user-traffic.

b)if I could connect AppleTV to wire of RAP2, iPad still can connect to 802.1x network.

c)BC/MC will be localize to this area

d) this most likely will be fixed in any given room so RAP will be up

e) AirPlay List will be small.

 

What about this, would it work?

 

 

---

Sounds like a good plan.  The devil, of course will be in the details like:

- What resources will the AppleTV need to access in addition to allowing the ipad to Discover it.

- Ditto for the ipad

- Traffic engineering for applications on both devices.

My first concern is that you would be pushing the RAP2 to its limit, trying to push HD video from an iPAD2 to an AppleTV, being that the RAP2 only supports 802.11b/g.

I'm guessing that's what Colin is referring to on the last line, Traffic engineering. You may have to go the route of a RAP-5WN set to 5Ghz only (which would be ideal anyhow). Plus I'd probably set the power down to about 6 or 9 dBm max, to reduce the interference with your normal wireless network.

I wonder if you could replace the RAP2 with an AP-125 and use it's additional Ethernet port?

-Mike