Multicast Domain Name System (mDNS) – Still Flooding?
“Most likely”, said John with frustration and despair as he grappled with the daunting task of stabilizing the performance of a large university network while simultaneously supporting Multicast Domain Name System (mDNS) services for end-users. The need to accommodate non-routable mDNS technology across complex enterprise networks is a frequent challenge. John’s worries, such as high CPU usage, WiFi network instability, extensive mDNS flooding, and the need to re-structure the Layer 2 network, are just a few of the well-documented challenges that arise in any large, inundated enterprise network environments.
In today’s fast-paced and ever-evolving technological landscape, digital natives expect seamless access to a wide range of services with just a few simple taps or clicks. They expect the same level of convenience and ease of use at home and at work, which has set a high bar for enterprise networks to meet. The mDNS protocol has proven to be an indispensable tool for delivering rich, intuitive service experiences to end users. As a result, it has become a widely adopted and de facto standard for “smart” consumer devices, Internet of Things (IoT) devices, and audio-visual (AV) endpoints.
As technology continues to advance, the implementation of Bring Your Own Device (BYOD) policies has given way to the proliferation of next-generation information technology (IT), operational technology (OT), and audio-visual (AV) managed products that incorporate mDNS protocols. This can pose significant challenges for network architects like John, as they must navigate the intricacies of supporting such demanding and mission-critical services while ensuring scalability, security, and non-disruptive network operation.
Service-On-Stick
The RFC 6762 introduced mDNS to support zero-configuration networking capabilities, which greatly simplified peer-to-peer service management with no new learning curves, add-on apps, or classic tools – it just works. The protocol, designed to operate in single flat Layer 2 networks, offers transparent and seamless functionality to end-users, making it a perfect fit for home networks. However, such technologies also present a broad range of challenges for IT professionals, as they must securely connect services between disparate networks while implementing granular security policies, determining location proximity, assigning user roles, and much more. John misses the AppleTalk Routing that he used to use, as the industry decoupled service routing from IP routing several years ago. And when John can’t route mDNS services across the university campus, the only option left was to extend the mDNS flood to a centralized Wireless LAN Controller (WLC).
Remember – “Routing-on-Stick”? Due to the lack of service routing, the Enterprise network adopted the “Service-On-Stick” model to bridge disjointed mDNS endpoints between Wired and Wireless networks across the IP core. The Cisco WLC served as the one-arm-mDNS-gateway function, which required IT to extend the mDNS flood from Wired networks to discover services from remote Wired networks and proxy or distribute them to Wireless users on an on-demand basis. As the size and design of Enterprise networks vary, so does the “Service-On-Stick” deployment mode, which can work based on the mDNS flood-n-learn method, as illustrated in Figure 1 below.
The Impact
The flood-and-learn-based technology in flat Layer 2 networks operates stealthily without the need for IT involvement. However, this can be a cause for concern for IT organizations as these technologies can circumvent Infosec policies and negatively affect the performance of higher-level systems, networks, and endpoint devices.
The Enterprise IT demands key questions to be asked regarding the deployment mode of “Service-on-Stick” utilizing mDNS:
Does it work?
Undoubtedly. The BYOD era has conclusively demonstrated the efficacy of this classic approach. All the Figure-1 flood-and-learn deployment modalities remain valid and relevant, much like the “Routing-on-Stick” configuration which is still widely utilized today. Nevertheless, when the WLC necessitates Layer 2 extension through multiple hops away from the wired mDNS service providers endpoints, such as AirPlay-enabled devices, AV systems, and printers, the service context is lost, resulting in a lack of connectivity, security policy enforcement, and availability synchronization across the network in real-time. This can lead to several known limitations, such as poor end-user service browsing and a suboptimal usability experience.
Can it scale?
The question of scalability is paramount. Regardless of mDNS, the fundamental networking design principles advocate for a routing-based approach, with bridging employed only as a last resort. As networks, endpoints, and mDNS services expand in a multitudinous manner, any central processing technology on any single networking device may introduce various anomalies, thereby raising the risk of complete system failure once it surpasses its operational limits.
It’s not just the network scale. Utilizing a tool like Wireshark and filtering for mDNS traffic within a single VLAN on your computer can provide valuable insights into the mDNS traffic load. This alone can be a significant contributing factor to network resource depletion, CPU utilization, sluggish application performance, and battery drain on each connected endpoint. Additionally, it’s important to consider the impact on network bandwidth, CPU/memory usage, and overall network stability while assessing the performance of mDNS.
Is it secure?
As enterprise networks adopt a Zero Trust security model to protect their infrastructure, enforcing service-level stringent information security policies in flooded Layer 2 networks may prove to be a daunting task. This may lead the IT organization to resort to completely blocking mDNS traffic, which may have a detrimental impact on various business-critical applications. Security policy enforcement is limited to the central WLC, making it imperative to consider alternative security measures to mitigate potential risks.
The 2X Impact
The next-generation enterprise networks are swiftly evolving from traditional Spanning Tree Protocol (STP) or overlay networks to more advanced fabric-based technologies such as Virtual Extensible LAN (VXLAN). These solutions offer greater flexibility to IT organizations, allowing them to create non-blocking Layer 2 networks or establish segmented Layer 3 overlay networks. However, as the Layer 2 network boundary expands across the enterprise IP core network, the mDNS flood boundary also expands, inadvertently. In the shared broadcast domain, service-level segmentation to restrict mDNS discovery may compromise network security, making it crucial to evaluate the potential security risks and implement appropriate measures to mitigate them.
To address the potential negative effects on network performance and security that can be caused by mDNS applications, various IT strategies are often implemented, such as filtering mDNS traffic at the network edge, implementing rate-limiting on CPU usage or interfaces, and so on. These measures prioritize maintaining network stability and security over accommodating mDNS services. In certain situations, however, it may not be feasible to fully mitigate these impacts. For example, in next-generation immersive meeting spaces, it may be necessary to utilize Cisco Webex AirPlay for content sharing at the swipe of a finger. Similarly, convention centers may require advanced Audio-Video solutions, and manufacturing facilities may rely on over-the-air portable radio programming to effectively manage their large-scale operations.
Cisco DNA Service for Bonjour
IP routing is specifically designed to confine flood boundaries to the edge of a network. Utilizing an intelligent routing protocol control-plane, it enables the creation of a hierarchical and scalable infrastructure that can synchronize network states, enforce security measures, and provide end-to-end reachability to each connected endpoint. Similarly, the Cisco DNA Service for Bonjour solution is built on these principles, offering an end-to-end scalable and secure solution for routing mDNS services in enterprise-grade Wired and Wireless networks.
The Cisco DNA Service for Bonjour is a vital solution to a long-standing issue in IT – the integration of mDNS services seamlessly without necessitating major changes to existing operating environments, all while maintaining stringent security standards. Figure 2 illustrates the end-to-end Cisco DNA Service for Bonjour solution architecture for a traditional enterprise campus network.
The Cisco DNA Service for Bonjour offers a comprehensive solution that effectively addresses various classic WLC flood-n-learn mDNS network challenges by providing:
- End-to-End Service – An enterprise-grade service discovery and distribution that eliminates mDNS flood and enables unicast-based wired and wireless networks without any network boundary limitations. The IT professionals can seamlessly integrate solutions without forklift design change to support end-to-end service-oriented enterprise networks.
- Scalability – A fully distributed mDNS service-routing solution that decouples classic and centralized mDNS processing on WLC systems, resulting in a highly scalable and reliable solution that can handle a large number of devices and services, even in large and complex networks.
- Security – Giving enterprise IT organizations control over new services based on location, role, and other policies, the new unicast-based model, thus implicitly denying un-checked or out-of-policy services based on IT-enforced policies, ensuring that the network is protected from potential security threats and vulnerabilities.
- User Experience – The end-user service discovery and distribution experience remain intact between residential and secure enterprise networks, with a zero learning curve and an agent-less mDNS service-routing solution, allowing IT to easily adapt new services introduced in consumer products as they evolve without the need for major changes to the network infrastructure. This leads to a seamless and efficient network experience for end users.
Overall, the Cisco DNA Service for Bonjour solution provides enterprise IT organizations with a robust, secure, and scalable solution that can meet the growing demands of their network infrastructure and expand new mDNS services demanded by business-critical endpoints, increase productivity on consumer products, and more.
Enterprise-Grade mDNS Solution
The Cisco DNA Service for Bonjour is a highly versatile and adaptable mDNS service-routing solution that can be implemented in a wide range of traditional or modern fabric-based network architectures. The solution enables Enterprise IT organizations to smoothly transition from a flood-and-learn approach (Figure 1) to a fully unicast-based mDNS service-routing design. Depending on the specific Wired and Wireless network design, the mDNS flood-boundary can terminate at the first-hop Layer 2 Ethernet switch or WLC for policy enforcement and service routing to the upstream L2/L3 network.
The unicast-based service routing between Cisco Catalyst 9800 WLC, Catalyst 9000 switch, or Cisco DNA Center requires only essential IP connectivity and operates independently of other IP routing protocols. The implementation of a multicast routing protocol in the Wired and central-switching Wireless user network is optional. The new Cisco IOS XE 17.9.1 software on Catalyst 9800 WLC introduces the AP Multicast and Wireless user Switched Virtual Interface (SVI) interface as optional when WLC is configured in “mDNS Service Peer” mode.
Hierarchical mDNS Service-Routing
The well-established design principles of structure and hierarchy are highly effective when planning and constructing extensive Enterprise campus networks. These principles offer flexibility, modularity, and scalability, whether applied to physical cabling, determining L2/L3 boundaries and more. The Cisco DNA Service for Bonjour solution conforms to these same principles by managing mDNS boundaries between two-tier hierarchical service-routing domains, ensuring a robust and efficient network infrastructure:
Local Area Bonjour Domain
Route mDNS even in bridge network (traditional or overlay). When one or more Catalyst 9000 family switches or WLCs in Layer 2 mode connect to a common Distribution IP gateway, it is known as a Local Area Bonjour Domain. The IGMP Snooping was purpose-built to solve IP Multicast traffic flood challenges in the Layer 2 network environment. In flood-free unicast-based Layer 2 Wired and Wireless networks, the IT gets full mDNS security control to process and route services following policies:
- Access: Each Layer 2 switch OR WLC terminates mDNS flood from LAN port or AP to locally process mDNS information based on IT-defined policies. Performs service routing with the upstream IP gateway in Distribution.
- Distribution: Discovers mDNS service instances or requests from downstream Layer 2 Switch or WLC and optionally distributes between them if required.
Wide Area Bonjour Domain
When mDNS services need to be discovered beyond a single IP gateway, the Cisco Wide Area Bonjour solution is required. Like the client-server model, the network-wide distributed Catalyst 9000 IP gateway switch establishes unicast-based service routing with the centralized Cisco DNA Center hosting the Wide Area Bonjour application. The IT-defined global service-routing policy on Cisco DNA Center enables service-routing between IP gateway switches, providing a scalable and efficient solution for managing mDNS services across a Wide Area Bonjour domain.
The unicast data path between the IP gateway follows routing tables and policies. The Cisco DNA Center is never in the data path between IP gateways.
Proximity Matters
Imagine you are in front of a printer and your 10.9-inch iPad dynamically discovers hundreds of them, but the one you need is elusive and cannot be located or searched for within the user interface. The efficiency of employees is hindered in Enterprise networks when technology fails to provide optimal user experience in service navigation and usability. In traditional flood-and-learn-based networks, the presence of the service provider and receiver cannot be accurately identified and propagated across the network. The use of disparate network mappings utilizing wireless radios provides limited to no effective solution.
If the network can route mDNS services, it can also route location proximities. The Cisco DNA Service for Bonjour offers flexibility in defining and constructing “service zones” by simply tagging and grouping Ethernet switch LAN ports and Wireless Access Points (APs) on a WLC into common service policy zones. The iPad now discovers a narrowed-down set of printers based on the IT-defined location-based service policy. As an iPad user moves around floors and buildings, the proximity rules are automatically adjusted, providing a seamless, “home-like” zero-configuration service experience in Enterprise network environments of any size.
Support Matrix
The Cisco DNA Service Bonjour solution is a comprehensive, end-to-end Enterprise networking solution that empowers our customers to construct secure and expandable mDNS service-routing networks utilizing Cisco’s extensive Ethernet switching and Wireless networking portfolio.
The adaptable routing architecture is compatible with a range of traditional L2/L3 networks, MPLS, and cutting-edge fabric-based networks such as Cisco SD-Access and BGP EVPN VXLAN. As depicted in Table 1, the Cisco DNA Service for Bonjour support matrix illustrates the various capabilities of this innovative solution.
Key Takeaway
John accomplished the task of migrating his 60th and final University building with Wide Area Bonjour, resulting in a completely mDNS flood-free network. The fully distributed mDNS processing across LAN switches and central WLC contributes to a significant boost in the system, network, and endpoint performance. John expanded his original Apple TV use case to include Google Chrome Cast, Mobile Printing, File-Sharing, and other essential services, thereby enhancing the productivity of students, professors, and staff.
Since 2019, the Cisco DNA Service for Bonjour has been widely accepted and implemented solutions across a broad industrial domain, effectively addressing persistent challenges. This sophisticated solution empowers IT administrators to seamlessly integrate their network ecosystem to accommodate revolutionary technologies, including modern computers and mobile device OS, audio-visual conferencing systems, the Internet of Things, and many other state-of-the-art innovations in Enterprise campus networks.
It is likely that your Enterprise network may still be running mDNS flooded under the hood, and if you have already invested in the above support matrix, then upgrading your network experience by following in the footsteps of John and over 7000+ other successful global Enterprise customers could be a wise decision. Cisco DNA Center will expand a range of deployment options, from physical, and virtual to cloud-based. Consult with your Cisco sales team to determine the best option that meets your specific requirements.
References
Cisco DNA Service for Bonjour – Solution Landing Page
Cisco DNA Service for Bonjour – At-a-Glance
Cisco DNA Service for Bonjour Deployment Guide
Cisco DNA Service for Bonjour Deployment Guide – Traditional LAN and Wireless Local Mode
Cisco DNA Service for Bonjour Deployment Guide – Traditional LAN and FlexConnect Wireless Local Mode
Cisco DNA Service for Bonjour Deployment Guide – Cisco Software-Defined Access Mode
Quick Configuration Guide
Cisco DNA Service for Bonjour Quick Configuration Guide
Cisco DNA Service for Bonjour CCO Configuration Guide
Cisco Catalyst 9300 Series Switches
Cisco Catalyst 9400 Series Switches
Cisco Catalyst 9500 Series Switches
Cisco Catalyst 9600 Series Switches
Cisco Nexus 9300 Series Switches
Cisco Catalyst 9800 Series WLC
Cisco Catalyst 9100 Series – Embedded Wireless LAN Controller
Cisco DNA-Center – Wide Area Bonjour User Guide
Share: