Solved: WLC 5508 -7.4.100 mDNS Bonjour snooping

Andrew MacTaggart · ‎05-06-2013

Hello

Have 7.4 installed and configured for Bonjour Snooping. All is working, but working too well. We have a large campus that house 2 schools and each school is complaining that they can see the other schools AppleTV devices.

I have played around with a few different scenarios to see if I can localize the bonjour traffic.

I guess I am looking to create a logical split for bonjour devices amoung the schools.

Apple came to the school and informed us that the IPAD has a limit of 64 devices that can be seen via the bonjour. At some point we will have over 100 AppleTV added.

so we have 3 wlc 5508's with 7.4.100

we have 2 SSIDs that span the whole campus

using AP groups to segment the floors in buildings

So the schools are logically split with AP groups

Here is what I have tried

I created few mDNS profiles and assigned the services for Apple TV - let's call them school1 and school2

I assign the mDNS profiles to the interfaces dedicated each school

enable snooping on the WLAN with profile of none

The end result is that devices from both schools can be seen.

I tried to create new ssid for apple TVs and a new ssid for 1 schools teachers

I followed the vlan select example

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_tech_note09186a0080bb1d7c.shtml

end result is that devices from both schools can be seen

I have tried the mDNS without multicast enabled just like the video shows to no avail - I assume maybe my AP groups might be more complicated then the example of just 2 vlans

https://supportforums.cisco.com/community/netpro/wireless-mobility/begin-wireless/blog/2013/01/01/wireless-lan-controller-wlc-release-74--bonjour-gateway-configuration-example

I have tried combinations of things, but I must be missing something

In the webinar, Cisco said it will use filtering to restrict which clients can see which services (Apple TV's, etc). What will Cisco use to filter Bonjour requests?

according to this article

http://www.pcadvisor.co.uk/news/network-wifi/3376119/cisco-answers-user-questions-about-upcoming-apple-bonjour-gateway/#ixzz2SIDqFH49

The filtering options are: · Per WLAN/SSID · Per VLAN or AP Group · Per Interface Group (which is a group of VLANs pooled together).

A Bonjour service policy can be created and applied on any one of the above criteria. In the future, we will support per-user Bonjour service policies which will come as a RADIUS attribute from the AAA server.

Read more: http://www.pcadvisor.co.uk/news/network-wifi/3376119/cisco-answers-user-questions-about-upcoming-apple-bonjour-gateway/#ixzz2SZqMYpdh

Cheers

Any insight would be appreciated

ericgarnel · ‎05-07-2013

Here are the ACLs for the controller

acl create BlockBonjour
acl apply BlockBonjour
acl counter start
acl rule add BlockBonjour 1
acl rule add BlockBonjour 2
acl rule action BlockBonjour 1 deny
acl rule action BlockBonjour 2 permit
acl rule destination address BlockBonjour 1 224.0.0.251 255.255.255.255
acl rule destination address BlockBonjour 2 0.0.0.0 0.0.0.0
acl rule destination port range BlockBonjour 1 0 65535
acl rule destination port range BlockBonjour 2 0 65535
acl rule source address BlockBonjour 1 0.0.0.0 0.0.0.0
acl rule source address BlockBonjour 2 0.0.0.0 0.0.0.0
acl rule source port range BlockBonjour 1 0 65535
acl rule source port range BlockBonjour 2 0 65535
acl rule direction BlockBonjour 1 In
acl rule direction BlockBonjour 2 Any
acl rule dscp BlockBonjour 1 Any
acl rule dscp BlockBonjour 2 Any
acl rule protocol BlockBonjour 1 Any
acl rule protocol BlockBonjour 2 Any
acl apply BlockBonjour
ipv6 acl create BlockAllIPv6
ipv6 acl apply BlockAllIPv6
ipv6 acl rule add BlockAllIPv6 1
ipv6 acl rule action BlockAllIPv6 1 deny
ipv6 acl rule destination address BlockAllIPv6 1 :: 0
ipv6 acl rule destination port range BlockAllIPv6 1 0 65535
ipv6 acl rule source address BlockAllIPv6 1 :: 0
ipv6 acl rule source port range BlockAllIPv6 1 0 65535
ipv6 acl rule direction BlockAllIPv6 1 Any
ipv6 acl rule dscp BlockAllIPv6 1 Any
ipv6 acl rule protocol BlockAllIPv6 1 Any
ipv6 acl apply BlockAllIPv6

Apply to wlan: The wlan index is used in this case, the first wlan created on controller

wlan acl 1 BlockBonjour
wlan ipv6 acl 1 BlockAllIPv6

View solution in original post

Saurav Lodh · ‎05-06-2013

I found this ,"With Release 7.4, you can do this by tying the multicast DNS services (mDNS) to the interface or interface group and then placing the user (e.g., student or teacher) into that correct interface/interface group using AAA Override. To apply the profile for an interface group, in the GUI go to Interface Groups > Edit and use the mDNS Profile field."

Andrew MacTaggart · ‎05-06-2013

Would I need to apply the AAA overide for AP groups or only with Interface Groups or only if I am assigning the vlan with ACS 5.3.

It's worth a try

Cheers

A

Andrew MacTaggart · ‎05-07-2013

I set AAA override on both WLANs and had the guys clear the bonjour cache on IPADS and made the AppleTV sleep.

To no avail, they still see AppleTVs from school 1

I have attached some images of what is configured.

AP Group 1 of many- school 1 does not have these interfaces but does have a different mDNS profile

Scott Fella · ‎05-07-2013

So how is everything setup? Centralized WLC deployment? Layer 2 extended or is the schools separated by layer 3? Apple TV's and iPads on the same subnet? Just trying to understand the connectivity.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Andrew MacTaggart · ‎05-07-2013

Currently we are testing before deployment

Centralized WLCs

layer 3 separation between schools

Apple TVs and clients on different subnets[although have both scenarios]

AP groups assign the interface[subnet] to a group of APs usually by floor

The latest setup

added the AAA overide

created subnet just for appletvs assigned mDNS profile to the interface, created a WLAN just for appleTVs

Created a interface group for Teachers assigned mDNS profile to the interface group, Created WLAN for Teachers, added mcast interface, enabled mDNS snooping with profile and without[NONE] option

Used AP group to assign both WLANs to selected schools 2 APs.

In School 1 AppleTV and IPAD connect to same subnet, Same WLAN, Same AP Group, Same AP.

In School 2 AppleTV on own subnet and IPAD etc.. on their own subnet.

Problem is school 2 client sees school 1's AppleTV

The Schools are planning to deploy 150 to 200 AppleTVs

Cheers

Scott Fella · ‎05-07-2013

The centralized WLC is what's the main hurdle since all the traffic is tunneled back to the WLC. The main feature ov v7.4 and mDNS is to allow bonjour to traverse layer 3. This is what's causing you nightmares:) Current'y there is no way to filter what clients can see what Apple TV device, but hopefully in the future since Aruba's Clearpasss can do that. You really have to sit back an look at how to design your bonjour network. Placing clients and Apple TV's in the same subnet might work better for you and disabling mDNS. Or you might only allow certain subnet's (AP Groups) for client and Apple TV's to communicate, by blocking bonjour. This is hard if your clients connect to an AP and adjacent floor in which that subnet would be blocked by an acl. Using mDNS on the WLC just allows you to not be on the same subnet, but in a large deployment of Apple TV's this can be an issue. So maybe think how you can group devices together that will work for you now and in the future and maybe see how you can block bonjour from being seem by all subnet's.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

George Stefanick · ‎05-07-2013

Scott -- Could you not use a ACL on the WLC to shape this ?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Scott Fella · ‎05-07-2013

You can, but I hate the ACL's in the WLC:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

George Stefanick · ‎05-07-2013

You hate ACLs on the WLC -- I agree with you they are a challenge.

But, it is an option to help this fella out .. I mean the other fella (not you Scott).

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Scott Fella · ‎05-07-2013

Haha... True statement and maybe others who have not felt with ACL might find it better.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

George Stefanick · ‎05-07-2013

LOL ... Going through ISE has improved my ACL experience ..

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

ericgarnel · ‎05-07-2013

Here are the ACLs for the controller

acl create BlockBonjour
acl apply BlockBonjour
acl counter start
acl rule add BlockBonjour 1
acl rule add BlockBonjour 2
acl rule action BlockBonjour 1 deny
acl rule action BlockBonjour 2 permit
acl rule destination address BlockBonjour 1 224.0.0.251 255.255.255.255
acl rule destination address BlockBonjour 2 0.0.0.0 0.0.0.0
acl rule destination port range BlockBonjour 1 0 65535
acl rule destination port range BlockBonjour 2 0 65535
acl rule source address BlockBonjour 1 0.0.0.0 0.0.0.0
acl rule source address BlockBonjour 2 0.0.0.0 0.0.0.0
acl rule source port range BlockBonjour 1 0 65535
acl rule source port range BlockBonjour 2 0 65535
acl rule direction BlockBonjour 1 In
acl rule direction BlockBonjour 2 Any
acl rule dscp BlockBonjour 1 Any
acl rule dscp BlockBonjour 2 Any
acl rule protocol BlockBonjour 1 Any
acl rule protocol BlockBonjour 2 Any
acl apply BlockBonjour
ipv6 acl create BlockAllIPv6
ipv6 acl apply BlockAllIPv6
ipv6 acl rule add BlockAllIPv6 1
ipv6 acl rule action BlockAllIPv6 1 deny
ipv6 acl rule destination address BlockAllIPv6 1 :: 0
ipv6 acl rule destination port range BlockAllIPv6 1 0 65535
ipv6 acl rule source address BlockAllIPv6 1 :: 0
ipv6 acl rule source port range BlockAllIPv6 1 0 65535
ipv6 acl rule direction BlockAllIPv6 1 Any
ipv6 acl rule dscp BlockAllIPv6 1 Any
ipv6 acl rule protocol BlockAllIPv6 1 Any
ipv6 acl apply BlockAllIPv6

Apply to wlan: The wlan index is used in this case, the first wlan created on controller

wlan acl 1 BlockBonjour
wlan ipv6 acl 1 BlockAllIPv6

George Stefanick · ‎05-08-2013

Eric "VIP" Endorsed! Good post!

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

ericgarnel · ‎05-08-2013

Thanks!