Security

Good day,

I have a home lab set up and I'm looking for guidance on HomeKit functionality that relies on mDNS. While I have an IT and networking background, I am not a network engineer. I am not clear if I need to utilize AirGroup in my home environment.

Basics: 

3600 running 6.3.1.25

5 IAP's (225's)

Single VLAN

Recently changed from "Tunnel" to "Bridge" mode.

My HomeKit devices report "Not Responding" occasionally. I expected this during build out as I had Client Aware off while the 5 IAP's figured out what channels and power strength were optimal. I disabled Client Aware a day later when things looked settled. 

I orignially had AirGroup on and all was well, however I disabled it when I read it was meant for forwarding mDNS and other traffic across VLAN's and still had an occasional device report "Not Responding". All seemed to work well.

I moved one of the IAP's and disabled "Client Aware" for a day again to let the controller optimize again. After disabling a day later, I still have a few "Not Responding" devices. 

What has drawn my interest is this - While the Apple Home application may report a device as "Not Responding", the devices are connected to the IAP. They have an IP. I can reach some of them via their native applications which I assume rely on their own protocol or perhaps a cloud service, so they are connected. This suggests to me there's still something I have incorrectly set that is causing issues with mDNS.

My questions are:

Does AirGroup need to be enabled for a single, flat VLAN for mDNS to work properly?

What other settings, if any, should I be adjusting to ensure mDNS is functioning correctly?

Does the IAP's being in bridge mode affect mDNS vs. being in tunnel mode? I recently adjusted this setting to "Bridge" as my controller doesn't hang off my core switch.

Thanks!

Hello,

My understanding is that Airgroup does not work in bridge mode. Traffic needs to be tunneled back to the contoller (rather than bridged out locally) for it to be able to sort out all the mDNS magic.

Alexander

Thanks for your reply, Alexander. 

Does AirGroup need to be enabled on a singlle VLAN network? This is an area I am not clear on. Things work better when it is on, however I believe I read somewhere AirGroup is for forwarding that traffic across VLAN's. 

HomeKit isn't a popular topic here I gather.

Enabling AirGroup on a single VLAN will also allow "an administrator to turn on "drop broadcasts and multicast" but still have users discovery mdns and DLNA devices." - taken from a previous answer given to me a couple years ago - https://community.arubanetworks.com/t5/Wireless-Access/Multicast-IGMP-Snooping-BCMC-Optimzation-etc/m-p/265787#M60193

Unsuppressed/Unfiltered broadcasts/multicasts can be highly detrimental to wireless networks due to the amount of air time consumed (learned this first hand due to a previous vendor having the habit of "reverting changes" randomly - causing multicast to be re-enabled) - especially with chatty protocols such as SSDP running in the background. In larger environments, it's easy to see a difference from a "before/after" with filtering multicast (decreased channel utilization, drop in junk throughput, increase in client association [2,000 clients], etc) - so it may be less noticeable to see the drastic change in your home-environment.

Thanks for chiming in, cbjohns. While being unsure if I need AirGroup enabled for a single VLAN, the issue I'm trying to isolate is a device showing a "Not responding" status in the Home app. The device will be active and seemingly randomly, drop to "Not responding". The device is still online. I can ping it and it responds. The device typically remains controllable via the manufacturer's app but the native "Home" app on iPhone won't see it. Powercycling or re-configuring it to my SSID will resolve the issue temporarily.

This was very frequent when I had Client Aware disabled to allow the AP's to optimize channel and power, however settled down once I enabled Client Aware. Either some service is getting blocked or perhaps the 3600 is forcing the device to move to a different AP or frequency which is causing the issue.

#show airgroup blocked-service-id shows 0 services blocked, so I'm leaning away from that.

It's a home network so I'm not as concerned with broadcast traffic and device isolation as one would be in an enterprise environment. 

Does IGMP come into play?

Having the same issue on an eero network for two different garage door openers. Like you, believe it to be related to Bonjour/mDNS. Going to try this tool https://itunes.apple.com/us/app/discovery-dns-sd-browser/id305441017?mt=8 to analyze. Perhaps we can stay in touch offline via email as we work to resolve this issue. I am at jdeloach@capsoftinc.com if you would like to do that. Thanks.

Update:

My issue was related to the default firewall settings denying traffic in the broadcast space. Those rules were removed and AirGroup turned off. Things were much better but still ran into occasional Not Responding issues but they eventually resolved themselves. 

I switched to Bridge mode and I have had even less Not Responding messages. They may appear momentarily but go away after the AP forwards the info. 

Also updated to the last supported firmware for the 3600 (6.4.4.6).

Quick update -

Still having "No Response" issues. It seems as though most will go away after being in the "Home" app for a minute or two which may suggest latency or some other delay for a device on AP1 to reach my phone on AP3. I have a sprinkler timer that will drop from HomeKit after a week or so but it still reachable via their app (and pingable, obviously). A power cycle is required to get it back into HK. There's an AP in the garage with the timer, so not sure what's happening there.

I don't know if the issues are related to the Aruba or not. Debating on getting a simple Eero or similar to see if the problems remain to eliminate the 3600 & 225's from the troubleshooting environment.

For something that should just work, HomeKit can be a challenge with many devices and multiple AP's. I thought having 3 Airport Extreme's were the source of my issues. Guess not!