05-06-2013 09:19 PM - edited 07-04-2021 12:02 AM
Hello
Have 7.4 installed and configured for Bonjour snooping. All is working, but working too well. We have a large campus that houses 2 schools, and each school is complaining that they can see the other school's AppleTV devices.
I have played around with a few different scenarios to see if I can localize the bonjour traffic.
I guess I am looking to create a logical split for Bonjour devices among the schools.
Apple came to the school and informed us that the iPad has a limit of 64 devices that can be seen via Bonjour. At some point we will have over 100 AppleTVs added.
So we have 3 WLC 5508s with 7.4.100
we have 2 SSIDs that span the whole campus
using AP groups to segment the floors in buildings
So the schools are logically split with AP groups
Here is what I have tried
I created a few mDNS profiles and assigned the services for Apple TV - let's call them school1 and school2
I assigned the mDNS profiles to the interfaces dedicated to each school
enable snooping on the WLAN with profile of none
The end result is that devices from both schools can be seen.
I tried to create a new SSID for Apple TVs and a new SSID for one school's teachers
I followed the vlan select example
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_tech_note09186a0080bb1d7c.shtml
end result is that devices from both schools can be seen
I have tried mDNS without multicast enabled just like the video shows, to no avail - I assume maybe my AP groups might be more complicated than the example of just 2 VLANs
I have tried combinations of things, but I must be missing something
In the webinar, Cisco said it will use filtering to restrict which clients can see which services (Apple TV's, etc). What will Cisco use to filter Bonjour requests?
According to this article:
The filtering options are:
· Per WLAN/SSID
· Per VLAN or AP Group
· Per Interface Group (which is a group of VLANs pooled together).
A Bonjour service policy can be created and applied on any one of the above criteria. In the future, we will support per-user Bonjour service policies which will come as a RADIUS attribute from the AAA server.
Cheers
Any insight would be appreciated
05-06-2013 10:51 PM
I found this: "With Release 7.4, you can do this by tying the multicast DNS services (mDNS) to the interface or interface group and then placing the user (e.g., student or teacher) into that correct interface/interface group using AAA Override. To apply the profile for an interface group, in the GUI go to Interface Groups > Edit and use the mDNS Profile field."
05-06-2013 11:59 PM
Would I need to apply the AAA override for AP groups, or only with Interface Groups, or only if I am assigning the VLAN with ACS 5.3?
It's worth a try
Cheers
A
05-07-2013 12:26 AM
I set AAA override on both WLANs and had the guys clear the Bonjour cache on the iPads and made the AppleTV sleep.
To no avail, they still see AppleTVs from school 1
I have attached some images of what is configured.
AP Group 1 of many- school 1 does not have these interfaces but does have a different mDNS profile
05-07-2013 04:53 AM
So how is everything set up? Centralized WLC deployment? Layer 2 extended, or are the schools separated by layer 3? Apple TVs and iPads on the same subnet? Just trying to understand the connectivity.
Sent from Cisco Technical Support iPhone App
05-07-2013 05:38 AM
Currently we are testing before deployment
Centralized WLCs
layer 3 separation between schools
Apple TVs and clients on different subnets[although have both scenarios]
AP groups assign the interface[subnet] to a group of APs usually by floor
The latest setup
added the AAA override
created a subnet just for AppleTVs, assigned an mDNS profile to the interface, created a WLAN just for AppleTVs
created an interface group for Teachers, assigned an mDNS profile to the interface group, created a WLAN for Teachers, added the mcast interface, enabled mDNS snooping with a profile and without [NONE] option
Used AP group to assign both WLANs to selected schools 2 APs.
In School 1 AppleTV and IPAD connect to same subnet, Same WLAN, Same AP Group, Same AP.
In School 2 AppleTV on own subnet and IPAD etc.. on their own subnet.
Problem is school 2 client sees school 1's AppleTV
The Schools are planning to deploy 150 to 200 AppleTVs
Cheers
05-07-2013 06:22 AM
The centralized WLC is what's the main hurdle since all the traffic is tunneled back to the WLC. The main feature of v7.4 and mDNS is to allow Bonjour to traverse layer 3. This is what's causing you nightmares:) Currently there is no way to filter what clients can see what Apple TV device, but hopefully in the future since Aruba's ClearPass can do that. You really have to sit back and look at how to design your Bonjour network. Placing clients and Apple TVs in the same subnet might work better for you and disabling mDNS. Or you might only allow certain subnets (AP Groups) for clients and Apple TVs to communicate, by blocking Bonjour. This is hard if your clients connect to an AP on an adjacent floor in which that subnet would be blocked by an ACL. Using mDNS on the WLC just allows you to not be on the same subnet, but in a large deployment of Apple TVs this can be an issue. So maybe think how you can group devices together that will work for you now and in the future and maybe see how you can block Bonjour from being seen by all subnets.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
05-07-2013 06:35 AM
Scott -- Could you not use an ACL on the WLC to shape this?
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
05-07-2013 06:41 AM
You can, but I hate the ACL's in the WLC:)
05-07-2013 06:43 AM
You hate ACLs on the WLC -- I agree with you they are a challenge.
But, it is an option to help this fella out .. I mean the other fella (not you Scott).
05-07-2013 06:46 AM
Haha... True statement, and maybe others who have not dealt with ACLs might find it better.
05-07-2013 06:50 AM
LOL ... Going through ISE has improved my ACL experience ..
05-07-2013 10:03 AM
Here are the ACLs for the controller
acl create BlockBonjour
acl apply BlockBonjour
acl counter start
acl rule add BlockBonjour 1
acl rule add BlockBonjour 2
acl rule action BlockBonjour 1 deny
acl rule action BlockBonjour 2 permit
acl rule destination address BlockBonjour 1 224.0.0.251 255.255.255.255
acl rule destination address BlockBonjour 2 0.0.0.0 0.0.0.0
acl rule destination port range BlockBonjour 1 0 65535
acl rule destination port range BlockBonjour 2 0 65535
acl rule source address BlockBonjour 1 0.0.0.0 0.0.0.0
acl rule source address BlockBonjour 2 0.0.0.0 0.0.0.0
acl rule source port range BlockBonjour 1 0 65535
acl rule source port range BlockBonjour 2 0 65535
acl rule direction BlockBonjour 1 In
acl rule direction BlockBonjour 2 Any
acl rule dscp BlockBonjour 1 Any
acl rule dscp BlockBonjour 2 Any
acl rule protocol BlockBonjour 1 Any
acl rule protocol BlockBonjour 2 Any
acl apply BlockBonjour
ipv6 acl create BlockAllIPv6
ipv6 acl apply BlockAllIPv6
ipv6 acl rule add BlockAllIPv6 1
ipv6 acl rule action BlockAllIPv6 1 deny
ipv6 acl rule destination address BlockAllIPv6 1 :: 0
ipv6 acl rule destination port range BlockAllIPv6 1 0 65535
ipv6 acl rule source address BlockAllIPv6 1 :: 0
ipv6 acl rule source port range BlockAllIPv6 1 0 65535
ipv6 acl rule direction BlockAllIPv6 1 Any
ipv6 acl rule dscp BlockAllIPv6 1 Any
ipv6 acl rule protocol BlockAllIPv6 1 Any
ipv6 acl apply BlockAllIPv6
Apply to WLAN: the WLAN index is used in this case, the first WLAN created on the controller
wlan acl 1 BlockBonjour
wlan ipv6 acl 1 BlockAllIPv6
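To check what the two ACLs above actually do before pushing them to a WLC, here is an added illustration (not Cisco code and not part of this thread) that transcribes the posted rules into a first-match evaluator with the WLC's implicit deny at the end. The client and server addresses used in the sample flows are assumed values.

```python
import ipaddress

# Transcription of the BlockBonjour ACL posted above (first-match semantics).
# Fields: action, src, src_mask, dst, dst_mask, dport_lo, dport_hi, direction
BLOCK_BONJOUR = [
    ("deny",   "0.0.0.0", "0.0.0.0", "224.0.0.251", "255.255.255.255", 0, 65535, "In"),
    ("permit", "0.0.0.0", "0.0.0.0", "0.0.0.0",     "0.0.0.0",         0, 65535, "Any"),
]
# Transcription of BlockAllIPv6: :: with prefix length 0 matches every IPv6 address.
BLOCK_ALL_IPV6 = [
    ("deny", "::", 0, "::", 0, 0, 65535, "Any"),
]


def _v4_match(addr, net, mask):
    """WLC IPv4 ACL entries use a netmask; 0.0.0.0 matches everything."""
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
    return a & m == n & m


def _v6_match(addr, net, prefix_len):
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(f"{net}/{prefix_len}")


def evaluate(rules, src, dst, dport, direction, match):
    """Return the action of the first rule matching the flow.
    No match falls through to the WLC's implicit deny."""
    for action, rsrc, smask, rdst, dmask, lo, hi, rdir in rules:
        if rdir != "Any" and rdir != direction:
            continue
        if not lo <= dport <= hi:
            continue
        if match(src, rsrc, smask) and match(dst, rdst, dmask):
            return action
    return "deny"


def v4_decision(src, dst, dport, direction):
    return evaluate(BLOCK_BONJOUR, src, dst, dport, direction, _v4_match)


def v6_decision(src, dst, dport, direction):
    return evaluate(BLOCK_ALL_IPV6, src, dst, dport, direction, _v6_match)


if __name__ == "__main__":
    # Constructed sample flows from an iPad at 10.20.1.50 (assumed address).
    print(v4_decision("10.20.1.50", "224.0.0.251", 5353, "In"))   # mDNS query: deny
    print(v4_decision("10.20.1.50", "10.20.5.9", 443, "In"))      # normal traffic: permit
    print(v6_decision("fe80::1", "ff02::fb", 5353, "In"))         # IPv6 mDNS: deny
```

Note that rule 1 is direction In only, so mDNS multicast travelling the other way (Out, from the WLC toward wireless clients) falls through to the permit rule, while the IPv6 ACL denies every IPv6 flow in both directions, not just mDNS.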
05-08-2013 07:54 AM
Eric "VIP" Endorsed! Good post!
05-08-2013 08:27 AM
Thanks!