RE: [WIRELESS-LAN] Controlling Bonjour Zones
Thanks James,

That's a pretty good way to get around what's currently missing in the wireless software.

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph : +61 8 8313 4800

-----Original Message-----
From: James Andrewartha [mailto:jandrewar...@ccgs.wa.edu.au]
Sent: Wednesday, 10 July 2013 12:18 PM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Cc: Jason Cook
Subject: Re: [WIRELESS-LAN] Controlling Bonjour Zones

On 27/05/13 10:02, Jason Cook wrote:
> For something like this we'd like to restrict the advertisements to location by building/level/room/AP, it will help it scale better for users' devices when scrolling through the list of available devices to connect to like an Apple TV. Users in building 1 don't need to see an Apple TV in a meeting room in building 2. Using separate SSIDs is also not really a scalable solution though does work of course with a dedicated subnet and multicast enabled.

I've managed to do this, and it was surprisingly simple. We're an Enterasys shop, and the trick is to get the MAC (or IP) addresses of the Apple TVs, then map them to a policy at the core (an S4 in our case) that drops port 5353. One thing to note is our wireless is bridged at the AP to a campus-wide flat L2 network that the Apple TVs are also plugged in to.

Enterasys have some bridging features in wireless version 8.31 that let you move certain traffic to a different VLAN, but I haven't upgraded yet, and we don't need it because of our topology. Also S/K firmware 8.11 can apply policy based on whether it's a Bonjour (or LLMNR/SSDP) query or response, but for the simple case of Apple TVs, which only ever respond, just dropping all UDP port 5353 is enough.

In the future I'm thinking about MAC authenticating the Apple TVs at the edge switches, then ToS marking their packets and using the ToS to drop at the core, but for the moment it's working well enough.

Here's the config (although I used policy manager to generate it). My SE notes that it'll only work on N/S/K switches.

set policy profile 14 name Apple TV Block
set policy rule admin-profile macsource 7c-d1-c3-00-00-00 mask 24 admin-pid 14
set policy rule admin-profile macsource 9c-20-7b-00-00-00 mask 24 admin-pid 14
set policy rule 14 udpsourceportIP 5353 mask 16 drop
set policy rule 14 udpdestportIP 5353 mask 16 drop

Thanks,

--
James Andrewartha
Network Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
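The two-stage match in the config James posted, modelled as an added example (it is not part of the original messages and is not Enterasys code): a source-MAC prefix with a 24-bit mask selects profile 14, and profile 14 drops UDP with source or destination port 5353. The frame tuples, function names and the forward-by-default behaviour are assumptions made for illustration.

```python
"""Model of the posted policy: MAC prefix -> profile 14 -> drop UDP 5353."""

MDNS_PORT = 5353  # port named in the profile-14 drop rules

# admin-profile rules from the posted config: (MAC prefix, mask bits, profile id)
ADMIN_RULES = [
    ("7c-d1-c3-00-00-00", 24, 14),
    ("9c-20-7b-00-00-00", 24, 14),
]

# profile id -> UDP ports dropped when seen as source OR destination port
# ("mask 16" on a 16-bit port means an exact match on the whole port number)
PROFILE_DROPS = {14: {MDNS_PORT}}


def mac_to_int(mac: str) -> int:
    """Parse aa-bb-cc-dd-ee-ff or aa:bb:cc:dd:ee:ff into a 48-bit integer."""
    octets = mac.replace(":", "-").split("-")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(octets), 16)


def profile_for(src_mac: str):
    """Return the profile id whose masked prefix matches the source MAC, else None."""
    src = mac_to_int(src_mac)
    for prefix, bits, pid in ADMIN_RULES:
        mask = ((1 << bits) - 1) << (48 - bits)  # top `bits` bits of 48
        if (src & mask) == (mac_to_int(prefix) & mask):
            return pid
    return None


def decide(src_mac: str, udp_sport: int, udp_dport: int) -> str:
    """Return 'drop' or 'forward' for one UDP frame."""
    pid = profile_for(src_mac)
    if pid is None:
        return "forward"  # assumed default when no admin rule matches
    dropped = PROFILE_DROPS.get(pid, set())
    return "drop" if (udp_sport in dropped or udp_dport in dropped) else "forward"


# Constructed sample frames: (label, source MAC, UDP source port, UDP dest port)
FRAMES = [
    ("Apple TV mDNS response", "7c-d1-c3-12-34-56", 5353, 5353),
    ("Apple TV DNS lookup", "7c:d1:c3:12:34:56", 49152, 53),
    ("Laptop mDNS query", "00-11-22-33-44-55", 5353, 5353),
    ("Other device, same 24-bit prefix", "9c-20-7b-aa-bb-cc", 5353, 5353),
]


def evaluate(frames=FRAMES):
    """Map each frame label to the verdict the modelled policy gives it."""
    return {label: decide(mac, sp, dp) for label, mac, sp, dp in frames}


if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{verdict:8} {label}")
```

The last frame shows that a 24-bit mask matches every device sharing the prefix, so the rule is only as selective as the prefix; matching on full 48-bit addresses narrows it to specific units.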
RE: [WIRELESS-LAN] Controlling Bonjour Zones
Thanks Mark,

Yeah we are in the same boat with only a handful of actual uses at the moment, but this will just grow and we are keen to build a scalable solution from the start. For the moment I guess it's do what you can and wait. As you say most users do seem to understand these days that some Apple features aren't as simple on campus as they are at home.

With what you/Bruce have commented on with Aruba, I'm sure something is in line for Cisco already. Catching up with them soon, so I guess I'll find out then

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mark Duling
Sent: Wednesday, 29 May 2013 4:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Controlling Bonjour Zones

Airplay support is a work in progress and there is no location control. I don't know if the RFC will bear fruit, but I think individual vendors will try to come up with their own solutions to gain a competitive advantage. Aruba has announced some location-based advertisement thing but it is vaporware at this point I think. For those who want building based or other network segregation models anyway that may be fine, but for those that don't, re-architecting a network for airplay zone control isn't very attractive.

In our case there aren't that many AppleTVs on campus, and we aren't officially supporting it anyway, so it isn't an issue now. People understand that it is experimental but appreciate that it works nonetheless. The fact that it is usable and reliable is a great thing, and we'll look forward to see what developments for zoning come down the pike.

On Sun, May 26, 2013 at 7:02 PM, Jason Cook <jason.c...@adelaide.edu.au> wrote:

> Hi,
>
> We have Cisco wireless and are currently dev'ing up the bonjour gateway service release in 7.4. I know other vendors have similar workaround features and am interested to see how people have gone with it, keen to hear from users of other vendors as well.
>
> So far it all seems to work as advertised, was pretty easy setup with good control over what services you advertise. However I find there to be a lack of location control, and would like to know if anyone has implemented ways to control the location where the advertisements go.
>
> For something like this we'd like to restrict the advertisements to location by building/level/room/AP, it will help it scale better for users' devices when scrolling through the list of available devices to connect to like an Apple TV. Users in building 1 don't need to see an Apple TV in a meeting room in building 2. Using separate SSID's is also not really a scalable solution... though does work of course with a dedicated subnet and multicast enabled.
>
> We currently don't have building based networks, which would be one way to control advertisements. This is something we are planning, but are a while off yet, also the ability to go more granular than just buildings would be useful.
>
> I've started a conversation with our local Cisco office, but am interested to see what others may have done or believe could be useful for this.
>
> Regards
> Jason
>
> --
> Jason Cook
> Technology Services
> The University of Adelaide, AUSTRALIA 5005
> Ph: +61 8 8313 4800
> e-mail: jason.c...@adelaide.edu.au
>
> CRICOS Provider Number 00123M
> ---
> This email message is intended only for the addressee(s) and contains information which may be confidential and/or copyright. If you are not the intended recipient please do not read, save, forward, disclose, or copy the contents of this email. If this email has been sent to you in error, please notify the sender by reply email and delete this email and any copies or links to this email completely and immediately from your system. No representation is made that this email is free of viruses. Virus scanning is recommended and is the responsibility of the recipient.
RE: [WIRELESS-LAN] Controlling Bonjour Zones
Ruckus has announced their option will be coming Q3 (as I recall) and is supposed to allow grouping of APs and be able to fence the Apple TVs into these groups.

The only option I have successfully used is blocking multicast at the AP level. Problem being the client would then have to be on the same AP in order to see the Apple TV.

Bob Williamson
Network Administrator
Annie Wright Schools | 827 N Tacoma Ave, Tacoma, WA 98403 | www.aw.org
D: 253.272.2216 | F: 253.572.3616 | bob_william...@aw.org

Mission: Annie Wright's strong community cultivates individual learners to become well-educated, creative, and responsible citizens for a global society.
Find Annie Wright Schools on Facebook <http://www.facebook.com/anniewrightschools>
Follow our Head of Schools on Twitter @AWShead <http://www.twitter.com/awshead>
Be green; keep it on the screen. ~ AWS Green Team

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
Sent: Thursday, May 30, 2013 12:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Controlling Bonjour Zones

Thanks Mark,

Yeah we are in the same boat with only a handful of actual uses at the moment, but this will just grow and we are keen to build a scalable solution from the start. For the moment I guess it's do what you can and wait. As you say most users do seem to understand these days that some Apple features aren't as simple on campus as they are at home.

With what you/Bruce have commented on with Aruba, I'm sure something is in line for Cisco already. Catching up with them soon, so I guess I'll find out then

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mark Duling
Sent: Wednesday, 29 May 2013 4:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Controlling Bonjour Zones

Airplay support is a work in progress and there is no location control. I don't know if the RFC will bear fruit, but I think individual vendors will try to come up with their own solutions to gain a competitive advantage. Aruba has announced some location-based advertisement thing but it is vaporware at this point I think. For those who want building based or other network segregation models anyway that may be fine, but for those that don't, re-architecting a network for airplay zone control isn't very attractive.

In our case there aren't that many AppleTVs on campus, and we aren't officially supporting it anyway, so it isn't an issue now. People understand that it is experimental but appreciate that it works nonetheless. The fact that it is usable and reliable is a great thing, and we'll look forward to see what developments for zoning come down the pike.

On Sun, May 26, 2013 at 7:02 PM, Jason Cook <jason.c...@adelaide.edu.au> wrote:

> Hi,
>
> We have Cisco wireless and are currently dev'ing up the bonjour gateway service release in 7.4. I know other vendors have similar workaround features and am interested to see how people have gone with it, keen to hear from users of other vendors as well.
>
> So far it all seems to work as advertised, was pretty easy setup with good control over what services you advertise. However I find there to be a lack of location control, and would like to know if anyone has implemented ways to control the location where the advertisements go.
>
> For something like this we'd like to restrict the advertisements to location by building/level/room/AP, it will help it scale better for users' devices when scrolling through the list of available devices to connect to like an Apple TV. Users in building 1 don't need to see an Apple TV in a meeting room in building 2. Using separate SSID's is also not really a scalable solution... though does work of course with a dedicated subnet and multicast enabled.
>
> We currently don't have building based networks, which would be one way to control advertisements. This is something we are planning, but are a while off yet, also the ability to go more granular than just buildings would be useful.
>
> I've started a conversation with our local Cisco office, but am interested to see what others may have done or believe could be useful for this.
>
> Regards
> Jason
>
> --
> Jason Cook
> Technology Services
> The University of Adelaide, AUSTRALIA 5005
> Ph: +61 8 8313 4800
> e-mail: jason.c...@adelaide.edu.au
>
> CRICOS Provider Number 00123M
Re: [WIRELESS-LAN] Controlling Bonjour Zones
Airplay support is a work in progress and there is no location control. I don't know if the RFC will bear fruit, but I think individual vendors will try to come up with their own solutions to gain a competitive advantage. Aruba has announced some location-based advertisement thing but it is vaporware at this point I think. For those who want building based or other network segregation models anyway that may be fine, but for those that don't, re-architecting a network for airplay zone control isn't very attractive.

In our case there aren't that many AppleTVs on campus, and we aren't officially supporting it anyway, so it isn't an issue now. People understand that it is experimental but appreciate that it works nonetheless. The fact that it is usable and reliable is a great thing, and we'll look forward to see what developments for zoning come down the pike.

On Sun, May 26, 2013 at 7:02 PM, Jason Cook <jason.c...@adelaide.edu.au> wrote:

> Hi,
>
> We have Cisco wireless and are currently dev’ing up the bonjour gateway service release in 7.4. I know other vendors have similar workaround features and am interested to see how people have gone with it, keen to hear from users of other vendors as well.
>
> So far it all seems to work as advertised, was pretty easy setup with good control over what services you advertise. However I find there to be a lack of location control, and would like to know if anyone has implemented ways to control the location where the advertisements go.
>
> For something like this we’d like to restrict the advertisements to location by building/level/room/AP, it will help it scale better for users’ devices when scrolling through the list of available devices to connect to like an Apple TV. Users in building 1 don’t need to see an Apple TV in a meeting room in building 2. Using separate SSID’s is also not really a scalable solution… though does work of course with a dedicated subnet and multicast enabled.
>
> We currently don’t have building based networks, which would be one way to control advertisements. This is something we are planning, but are a while off yet, also the ability to go more granular than just buildings would be useful.
>
> I’ve started a conversation with our local Cisco office, but am interested to see what others may have done or believe could be useful for this.
>
> Regards
> Jason
>
> --
> Jason Cook
> Technology Services
> The University of Adelaide, AUSTRALIA 5005
> Ph: +61 8 8313 4800
> e-mail: jason.c...@adelaide.edu.au
>
> CRICOS Provider Number 00123M