945 Views, 5 Helpful, 4 Replies

Wide Area Bonjour : Location Groups

KristofB (Level 1)

Hello Community,

We are trying to implement Wide Area Bonjour via DNA (on an SDA Fabric, all Cat9300).
With the information found on the internet we managed to make this work at the EDGE/SDA-agent level (+ all connected APs).
Meaning we can filter Bonjour services we want FROM and direct TO specific EDGEs. Very nice!

However, this is not granular enough to meet our customer requirements…
(some EDGEs are stacks of many units with 30+ APs connected; that's way too large a "Bonjour domain")
-> For APs, we assume the WLC is not in the picture as sdg-agent/service-peer when wireless is running in Fabric mode, right?!

I believe the solution could exist in the form of 'Location Groups', where, if I understand it correctly, we should be able to (statically :/) add interfaces (also AP interfaces) to a specific Location Group.
However, we cannot find any documentation about this subject, and we have no clue how to configure this?!

As in;
EDG2(config)#mdns-sd location-group 202 vlan 1021
Error: Snooping not enabled for vlan 1021
What snooping???

Some documentation or examples would really help!

(And if this works… I hope there is a way to assign the Location Group dynamically via ISE or anything? I'm quite allergic to static port config ;))

Thank you!

Kristof

Accepted Solution

jalejand (Cisco Employee)

Hi Kristof

MDNS snooping is automatically enabled when using the MDNS Unicast model instead of the Flood model. The Flood model is enabled when the mdns-sd gateway command is used under an SVI; the Unicast model is enabled when mdns-sd gateway is used under the VLAN Configuration itself.


Edge-1(config)#mdns location-group 202 vlan 1021
Error: Snooping not enabled for vlan 1021
Edge-1(config)#mdns-sd gateway
Edge-1(config-mdns-sd)#mode sdg

Edge-1(config)#vlan configuration 1021
Edge-1(config-vlan-config)#mdns-sd gateway
Edge-1(config-vlan-mdns-sd)#--- here you add the rest of the mdns config

Edge-1(config)#mdns location-group 202 vlan 1021
Edge-1(config-mdns-lg)#


Verification:

Flood bonjour: SVI mdns

Edge-1(config)#int vlan 1021
Edge-1(config-if)#mdns-sd gateway
Edge-1(config-if-mdns-sd)#end

Edge-1#show pla sof fed sw active ip mdns snooping  vlan
Vlan      Address Family (1:IPv4 2:IPv6 0:Both)
-----------------------------------------------

Unicast bonjour: VLAN configuration

Edge-1(config)#int vlan 1021
Edge-1(config-if)#no mdns-sd gateway

Edge-1(config)#vlan configuration 1021
Edge-1(config-vlan-config)#mdns-sd gateway


Edge-1#show pla sof fed sw active ip mdns snooping  vlan
Vlan      Address Family (1:IPv4 2:IPv6 0:Both)
-----------------------------------------------
1021      1 --- MDNS Snooping enabled

Edge-1(config)#mdns location-group 202 vlan 1021
Edge-1#show mdns location-group detail
 Trusted Trunks         : NA
 Vlan's                 : 1021
 Total Number of Location Groups: 1
================================================================================
VLAN                NUMBER OF LGs       LG ID     Ports in LG's
================================================================================

1021                         2          202     No Active Ports
                                        0       Te1/0/4, Te1/0/8, Ac0,
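The accepted solution comes down to one rule: `mdns-sd location-group` is only accepted on a VLAN whose `mdns-sd gateway` sits under `vlan configuration` (unicast model, snooping enabled), not under the SVI (flood model). Since SDA edges usually get this config from templates, a pre-push lint that catches the wrong placement before the switch rejects it is worth having. The script below is an added example written for this page, not code from the thread or from Cisco. It assumes the running-config text layout shown in this thread (one-space indent for sub-mode lines, `!` as block separator, the full `mdns-sd` keyword rather than the abbreviated `mdns` typed in the session above) and uses a constructed sample config that embeds both the flood and the unicast form.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample config (not from any real switch): VLAN 1021 carries the
# "before" form from the thread (mdns-sd gateway under the SVI = flood model),
# VLAN 1022 the "after" form (mdns-sd gateway under vlan configuration = unicast).
SAMPLE_CONFIG = """\
interface Vlan1021
 mdns-sd gateway
  service-policy LOCAL_AREA_POLICY
  active-query timer 60
!
vlan configuration 1022
 mdns-sd gateway
  service-policy LOCAL_AREA_POLICY
  active-query timer 60
!
mdns-sd location-group 202 vlan 1021
 interface Gi1/0/3
!
mdns-sd location-group 444 vlan 1022
 interface Ac2
!
"""

SVI_RE = re.compile(r"interface\s+vlan\s*(\d+)$", re.IGNORECASE)
VLAN_CFG_RE = re.compile(r"vlan\s+configuration\s+(\d+)$", re.IGNORECASE)
LG_RE = re.compile(r"mdns-sd\s+location-group\s+(\d+)\s+vlan\s+(\d+)$", re.IGNORECASE)


def parse_mdns_modes(config: str) -> Dict[int, str]:
    """Map each VLAN that carries 'mdns-sd gateway' to the model its placement implies.

    'flood'   - gateway under 'interface VlanN' (SVI); no mDNS snooping
    'unicast' - gateway under 'vlan configuration N'; snooping enabled
    Indentation decides block membership, as in an IOS-XE running-config.
    """
    modes: Dict[int, str] = {}
    block: Optional[Tuple[int, str]] = None  # (vlan, mode) of the enclosing block
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):  # a top-level line starts a new block
            block = None
            m = SVI_RE.match(line)
            if m:
                block = (int(m.group(1)), "flood")
            else:
                m = VLAN_CFG_RE.match(line)
                if m:
                    block = (int(m.group(1)), "unicast")
            continue
        if block is not None and line.strip() == "mdns-sd gateway":
            vlan, mode = block
            modes[vlan] = mode
    return modes


def parse_location_groups(config: str) -> List[Tuple[int, int]]:
    """Return (location_group_id, vlan) for every top-level location-group line."""
    groups: List[Tuple[int, int]] = []
    for line in config.splitlines():
        m = LG_RE.match(line.strip())
        if m:
            groups.append((int(m.group(1)), int(m.group(2))))
    return groups


def check_location_groups(config: str) -> List[Tuple[int, int, str, str]]:
    """Predict whether the switch would accept each location-group.

    Returns (lg_id, vlan, status, explanation) with status 'ok' or 'fail';
    'fail' corresponds to the "Snooping not enabled for vlan N" error.
    """
    modes = parse_mdns_modes(config)
    results: List[Tuple[int, int, str, str]] = []
    for lg, vlan in parse_location_groups(config):
        mode = modes.get(vlan)
        if mode == "unicast":
            results.append((lg, vlan, "ok", f"vlan {vlan} in unicast model, snooping enabled"))
        elif mode == "flood":
            results.append((lg, vlan, "fail",
                            f"vlan {vlan} uses flood model (gateway under interface Vlan{vlan}); "
                            f"move 'mdns-sd gateway' under 'vlan configuration {vlan}'"))
        else:
            results.append((lg, vlan, "fail", f"vlan {vlan} has no mdns-sd gateway configured"))
    return results


if __name__ == "__main__":
    for lg, vlan, status, why in check_location_groups(SAMPLE_CONFIG):
        print(f"location-group {lg} (vlan {vlan}): {status.upper()} - {why}")
```

Run it against a `show running-config` capture (or the rendered template) before pushing; a `fail` line for a location group means the switch will answer with the same "Snooping not enabled" error seen in the thread, and the explanation names the block to move.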


4 Replies

Preston Chilcote (Cisco Employee)

Hey Kristof,

I don't have much experience yet with Bonjour, but I can help a little. That error is referring to mDNS snooping. I looked briefly for how to configure mDNS snooping on an access switch and sadly couldn't find an obvious command, like "mdns snooping". Most info seems related to WLCs.

If I were you I would first use the Make a Wish tool in the Cisco DNA GUI to let the Product Managers know you have a need for more granular and centralized control.  They are always interested to know how users want to use these features.

KristofB (Level 1)

Hi Preston,

Indeed, finding some more info on mDNS snooping could clarify this.

I made the wish… just waiting for the miracle to happen now

K


Hi jalejand, (name!?)

That's indeed the info I missed! You sure helped me a lot forward here! Big thanks!!

I wasn't aware the same command would make such a difference between those locations (makes sense… L3 vs L2). Of course now I'm wondering what "mdns unicast model" vs "mdns flood model" actually means? I wasn't aware of those two flavors?

Bottom-line, it works!

Instead of;

interface Vlan1021
 mdns-sd gateway
  service-policy LOCAL_AREA_POLICY
  active-query timer 60

I now use;

vlan configuration 1021
 mdns-sd gateway
  service-policy LOCAL_AREA_POLICY
  active-query timer 60

and finally I’m able to configure;

mdns-sd location-group 222 vlan 1021
  interface Gi1/0/3
mdns-sd location-group 223 vlan 1021
  interface Gi1/0/4

On DNA you can see which Location Group services come from (if you select ANY, not Default!). And now I can direct my filters to a specific Location Group, very nice!!

And it also works for Wireless. You cannot add the AP interface port to the location group because of "VLAN mismatch" (in a way that's normal, Fabric APs reside only in the underlay VLAN). However I am able to set the Access-Tunnel corresponding to each AP in the location group. And this works per overlay! Nice!

mdns-sd location-group 222 vlan 1021
  interface Gi1/0/3
mdns-sd location-group 223 vlan 1021
  interface Gi1/0/4 Ac2
mdns-sd location-group 444 vlan 1022
  interface Ac2


I would almost say you solved my question 100% and we are ready to deploy!

However… 

All this doesn't really match the "Closed Authentication / all dynamic ports" nature you should be using on SDA.

For Wireless I don't see a big problem (for now?). APs typically don't move often (however you have to manually verify which Access-tunnel the AP is using and match your mdns CLI config per Edge. So not a basic day-N template).

For wired I don't see the solution? (unless statically assigning the ports, which we don't like). Sure you can add a dynamically assigned port to the Location Group if the VLAN matches. Though if the port goes down (and back UP again) the port is removed from the mdns Location-group ☹ (because of default VLAN 1 or Critical VLAN). I assume we cannot set the Location-Group dynamically with ISE since it's not port config? (do we?)

Hmmmmm

Actually, I wonder why this "Intent" you create in the DNA app isn't fully translated to the network? DNA has all the info to generate the full mdns CLI config? That would be an amazing feature! Take this as another wish, we are getting close to Christmas so I'm allowed

Thank you very much!


Kristof