How BEES always find their way home with Private Client Groups (PCG)

Jeevan Patil Senior Director, Product Management Published 12 Nov 2020

Bees are one of the most fascinating creatures of the animal kingdom. In the concrete jungle bees are made to store their food sweet honey in a beehive. While beehive itself is the most efficient structure and a true engineering marvellet us focus on the fascinating communication between the beesthe organization and role-based access for now.  

Throughout their life, bees get assigned various roles. Young bees that are barely 1-2 days old get assigned the role of a cleaner of a cell. When they are 10-12 days old, they get the role of a builder to create beeswax for building a new honeycombA few more days later, they get the opportunity to be a forager bee searching for honey located in flowers. Others are temperature controllers, nurses, and even undertakers. Each bee performs a specific role at a particular time of its career. Bees continuously communicate with each other to stay aligned. I For example, the conversation about food foraging revolves around code of movement called the waggle dance. Scientists believe that the waggle dance’s duration identifies the bee’s distance from the flower, and the angle at which she dances describes the direction of the source. The communication mechanism is incredibly accurate because bees can locate the flower several miles away using this instruction.  Using the same dance moves, the bees can find their way home. 


A somewhat controversial topic that some scientists posit is that bees in a hive identify each other using their pheromones, which are influenced by the hive’s odor. If an outside bee aims to steal honey and attacks the hive, the intruder will be repelled by the guard bees. However, if a friendly bee comes in, they are allowed to enter and adopt the role of one of the worker bees. The role-based access, the advanced communication mechanisms, and the high level of organization is un-BEE-lievably fascinating and has many parallels to that of a modern IT network.  

How do I determine if I need this role-based access capability for my network? 

The typical use cases where such a capability is needed are a dorm room in a school, a multi-dwelling unit, or a hotel room where one wall-jack access point (AP) is deployed per room.  Each room often has its own printer, gaming machine, MP3 player, streaming device, connected light, smart clock, and smart speaker assistant. In a higher education dormitory scenario, imagine that these devices belong to a student. The student doesn’t want some smart aleck to hack into his/her network and play loud music or print miscellaneous documents without his permissionHowever, if a friend comes over, he/she is allowed to connect to his network without accessing the room resources. Now you see a need for network segmentation, connectivity, and role-based access similar to a beehive  

How is this capability implemented in my network? 

All devices in a room are grouped into a logical concept called Private Client Groups (PCGs), which are created based upon Extreme Network’s patented Private Pre-Shared Key (PPSK) security technologyPPSK security provides unique Wi-Fi authentication credentials and visibility.  PPSK security enables you to provide multiple groups of users, differentiated access policies even with a single SSID and single VLAN.  Even when your Internet of Things (IoT) devices do not support 802.1X, you can assign each device unique identity credentials, provide per-device visibility, and of course, WPA2-level encryption.  Private Client Groups can tie a PPSK tied to the MAC address of an anchor AP and can be used to identify the associated clients just like pheromones help identify bees from the same hive. Now what happens when a friend visits your dorm room, are they blocked from any network access? No, they are still supported by redirecting to their own logical group. However, the traffic belonging to the visitor is tunneled automatically back via GRE to their anchor AP from the AP in your room. Didn’t I promise sophisticated communication and homing mechanism similar to bees?  Additionally, there is an automatic PCG segmentation option implemented via the integrated firewall capability of the AP. Just because the friend is in your room does not mean that they are permitted to access your resources. And even if the visitor is not a member of the dorm at all and has no PCG, they can still be allowed access to the Internet. Private Client Groups is just like the concept of drifting bees that visit a hive, a friendly migrant is welcome, but the naughty bee is repelled. 

Just like every hive is unique and constructed to fit the space in which its built, networks need to be adaptable to fit their environment. Cloud Config Groups (CCG), allows an admin to configure groups of devices and use these groups to configure variable attributes on devices, or to exclude devices from receiving these attributes. To learn more about CCG, checkout this blog from Dave Coleman. 

How do I learn more about PCG? 

  1. Learn from the developer himself 

  2. Steps to configure a Private Client Group on XIQ  

Get the latest stories sent straight to your inbox!

Related Enterprise Stories