On 27/05/13 10:02, Jason Cook wrote:
> For something like this we’d like to restrict the advertisements to
> location by building/level/room/AP, it will help it scale better for
> users' devices when scrolling through the list of available devices to
> connect to like an Apple TV. Users in building 1 don’t need to see an
> Apple TV in a meeting room in building 2. Using separate SSIDs is also
> not really a scalable solution… though does work of course with a
> dedicated subnet and multicast enabled.

I've managed to do this, and it was surprisingly simple. We're an Enterasys shop, and the trick is to get the MAC (or IP) addresses of the Apple TVs, then map them to a policy at the core (an S4 in our case) that drops port 5353. One thing to note is our wireless is bridged at the AP to a campus-wide flat L2 network that the Apple TVs are also plugged in to.

Enterasys have some bridging features in wireless version 8.31 that let you move certain traffic to a different VLAN, but I haven't upgraded yet, and we don't need it because of our topology. Also S/K firmware 8.11 can apply policy based on whether it's a Bonjour (or LLMNR/SSDP) query or response, but for the simple case of Apple TVs, which only ever respond, just dropping all UDP port 5353 is enough.

In the future I'm thinking about MAC authenticating the Apple TVs at the edge switches, then ToS marking their packets and using the ToS to drop at the core, but for the moment it's working well enough.

Here's the config (although I used policy manager to generate it). My SE notes that it'll only work on N/S/K switches.

    set policy profile 14 name "Apple TV Block"
    set policy rule admin-profile macsource 7c-d1-c3-00-00-00 mask 24 admin-pid 14
    set policy rule admin-profile macsource 9c-20-7b-00-00-00 mask 24 admin-pid 14
    set policy rule 14 udpsourceportIP 5353 mask 16 drop
    set policy rule 14 udpdestportIP 5353 mask 16 drop

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757 Mob. 0424 160 877
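
Added example, not part of the original message and not Enterasys code: a Python model of the config above as read here (an assumption), where a source MAC matching either 24-bit prefix selects profile 14 and profile 14 drops IPv4 UDP with source or destination port 5353. The frames, the non-prefix MAC bytes, IP addresses and function names are constructed for illustration; the model covers untagged IPv4 frames only.

```python
import struct

# 24-bit source-MAC prefixes and UDP port taken from the config in the message.
PROFILE_14_OUIS = {bytes.fromhex("7cd1c3"), bytes.fromhex("9c207b")}
MDNS_PORT = 5353

def build_frame(src_mac, sport, dport, proto=17):
    """Build a constructed Ethernet II + IPv4 + L4 header frame for testing."""
    eth = bytes.fromhex("01005e0000fb") + bytes.fromhex(src_mac.replace("-", "")) + b"\x08\x00"
    l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 255, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([224, 0, 0, 251]))
    return eth + ip + l4

def verdict(frame):
    """Return 'drop' or 'forward' for one frame under the modelled policy."""
    if len(frame) < 34:                       # too short for Ethernet + IPv4
        return "forward"
    if frame[6:9] not in PROFILE_14_OUIS:     # macsource ... mask 24: prefix match only
        return "forward"
    if frame[12:14] != b"\x08\x00":           # not IPv4 (model assumes untagged frames)
        return "forward"
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[23] != 17:           # malformed header or not UDP
        return "forward"
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return "forward"                      # later fragment carries no UDP header
    if len(frame) < 14 + ihl + 4:
        return "forward"
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    # udpsourceportIP / udpdestportIP 5353 mask 16: exact match on either port
    return "drop" if MDNS_PORT in (sport, dport) else "forward"

SAMPLES = [  # constructed frames: (description, frame)
    ("prefix 7c-d1-c3, mDNS response", build_frame("7c-d1-c3-12-34-56", 5353, 5353)),
    ("other vendor laptop, mDNS query", build_frame("00-11-22-33-44-55", 5353, 5353)),
    ("prefix 9c-20-7b, unicast query", build_frame("9c-20-7b-aa-bb-cc", 50000, 5353)),
    ("prefix 7c-d1-c3, NTP", build_frame("7c-d1-c3-12-34-56", 123, 123)),
    ("prefix 7c-d1-c3, TCP port 5353", build_frame("7c-d1-c3-12-34-56", 5353, 5353, proto=6)),
]

if __name__ == "__main__":
    for desc, frame in SAMPLES:
        print(f"{verdict(frame):8} {desc}")
```

Because the match is on the 24-bit prefix, every device whose MAC falls in those two prefixes gets the same treatment, and its non-5353 traffic still passes.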
