I don’t generally like the idea of IoT (i.e. Internet of Shit), but I do have some Philips Hue lights at home. Since I isolate IoT devices on a separate, semi-locked-down VLAN, turning the lights on and off was a bit of a hassle, until I decided to address it in a sane way. At a very high level, it is basically a matter of getting the Bonjour discovery protocol working across VLANs, and then a bit of inter-VLAN routing.
Configure Inter-VLAN Routing
This is network engineering 101, so I will not outline it here. Generally speaking, making the IoT network fully reachable from other network segments is not a good idea, so I have a set of inbound and outbound rules applied to make only what is needed work. For the Hue Bridge, this requires inbound tcp/8080 and outbound DNS, NTP, HTTPS and SSDP ports.
Configure Bonjour Forwarding
On the Aruba controller, go to Configuration > System > Profiles, then enable the AirGroup feature by creating a new AirGroup profile. Create a new AirGroup Service and add the following Service IDs to it:
_hap._tcp
_homekit._tcp
Finally, register this service to the new AirGroup profile.
Once this step is finished, go to Configuration > Services > AirGroup, turn on the AirGroup service and select the corresponding profile. Select Distributed mode if the WLC is deployed without MM; otherwise, use Centralized mode. Disable the service on certain VLANs (e.g. Guest) as desired, and then you are good to go.
Once the AirGroup setup is finished, verify that Inter User Bridging is enabled in the global firewall settings, and that user isolation is not enabled in the Virtual AP/SSID profiles.
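To see what AirGroup is actually relaying between the two VLANs, here is an added example (not code from this post or from Aruba): a Python builder for the mDNS PTR query a Hue app multicasts for the two Service IDs registered above, and a parser that pulls the advertised instance names out of a reply. The reply is a constructed sample, not a capture from a real bridge, and the "Hue Bridge" instance name is an assumption.

```python
import struct
SERVICE_TYPES = ["_hap._tcp.local", "_homekit._tcp.local"]  # types the AirGroup profile forwards
PTR = 12  # DNS record type

def encode_name(name):
    """Dotted name -> DNS label format."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\x00"

def build_ptr_query(types):
    """mDNS query with one PTR question per service type (what a Hue app multicasts to 224.0.0.251:5353)."""
    header = struct.pack("!6H", 0, 0, len(types), 0, 0, 0)
    return header + b"".join(encode_name(t) + struct.pack("!HH", PTR, 1) for t in types)

def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just after it in the stream)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), offset if end is None else end
        labels.append(data[offset:offset + length].decode())
        offset += length

def parse_ptr_answers(data):
    """Return {service_type: [instance names]} from the PTR answers of a response."""
    qdcount, ancount = struct.unpack("!HH", data[4:8])
    offset, found = 12, {}
    for _ in range(qdcount):  # skip any echoed questions (name + type + class)
        offset = decode_name(data, offset)[1] + 4
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == PTR:
            found.setdefault(name, []).append(decode_name(data, offset)[0])
        offset += rdlen
    return found

def build_ptr_answer(service, instance):
    """Constructed response: one PTR answer whose target reuses the owner name via a pointer to offset 12."""
    header = struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0)  # QR + AA, one answer
    rdata = bytes([len(instance)]) + instance.encode() + struct.pack("!H", 0xC000 | 12)
    return header + encode_name(service) + struct.pack("!HHIH", PTR, 0x8001, 4500, len(rdata)) + rdata

SAMPLE_RESPONSE = build_ptr_answer("_hap._tcp.local", "Hue Bridge")  # constructed sample, not a capture
```

If the parsed answers come back empty when the query is sent from the client VLAN but not from the IoT VLAN, the profile or Inter User Bridging setting above is the first thing to check.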
Other Notes
Tune your IGMP snooping as well if you encounter random performance issues.