Thanks James, That's a pretty good way to get around what's currently missing in the wireless software.
--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph : +61 8 8313 4800

-----Original Message-----
From: James Andrewartha [mailto:[email protected]]
Sent: Wednesday, 10 July 2013 12:18 PM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Cc: Jason Cook
Subject: Re: [WIRELESS-LAN] Controlling Bonjour Zones

On 27/05/13 10:02, Jason Cook wrote:
> For something like this we'd like to restrict the advertisements to
> location by building/level/room/AP, it will help it scale better for
> users' devices when scrolling through the list of available devices to
> connect to like an Apple TV. Users in building 1 don't need to see an
> Apple TV in a meeting room in building 2. Using separate SSIDs is
> also not really a scalable solution though does work of course with a
> dedicated subnet and multicast enabled.

I've managed to do this, and it was surprisingly simple. We're an Enterasys shop, and the trick is to get the MAC (or IP) addresses of the Apple TVs, then map them to a policy at the core (an S4 in our case) that drops port 5353.

One thing to note is our wireless is bridged at the AP to a campus-wide flat L2 network that the Apple TVs are also plugged in to. Enterasys have some bridging features in wireless version 8.31 that let you move certain traffic to a different VLAN, but I haven't upgraded yet, and we don't need it because of our topology. Also S/K firmware 8.11 can apply policy based on whether it's a Bonjour (or LLMNR/SSDP) query or response, but for the simple case of Apple TVs, which only ever respond, just dropping all UDP port 5353 is enough.

In the future I'm thinking about MAC authenticating the Apple TVs at the edge switches, then ToS marking their packets and using the ToS to drop at the core, but for the moment it's working well enough.

Here's the config (although I used policy manager to generate it). My SE notes that it'll only work on N/S/K switches.

set policy profile 14 name "Apple TV Block"
set policy rule admin-profile macsource 7c-d1-c3-00-00-00 mask 24 admin-pid 14
set policy rule admin-profile macsource 9c-20-7b-00-00-00 mask 24 admin-pid 14
set policy rule 14 udpsourceportIP 5353 mask 16 drop
set policy rule 14 udpdestportIP 5353 mask 16 drop

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
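Added example, not from the thread or from Enterasys: a small Python model of the policy James describes. It parses the mDNS header to tell a query from a response (the distinction the message attributes to S/K firmware 8.11) and applies the same OUI-plus-UDP-5353 match as the posted rules. The datagrams it builds are constructed samples; APPLE_TV_OUIS holds only the two prefixes from the config, and the function names are this example's own.

```python
import struct

MDNS_PORT = 5353
# OUIs (first three octets) taken from the two macsource rules in the posted policy.
APPLE_TV_OUIS = {"7c-d1-c3", "9c-20-7b"}

def oui(mac: str) -> str:
    """Normalise '7C:D1:C3:12:34:56' to the 'xx-xx-xx' OUI form the config uses."""
    return "-".join(mac.lower().replace(":", "-").split("-")[:3])

def read_name(payload: bytes, offset: int) -> str:
    """Decode a DNS name, following compression pointers (RFC 1035 section 4.1.4)."""
    labels = []
    while True:
        length = payload[offset]
        if length & 0xC0 == 0xC0:                     # pointer: jump and keep reading
            offset = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels)
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def parse_mdns(payload: bytes) -> dict:
    """Header fields plus the first record name of an mDNS datagram (same layout as unicast DNS)."""
    if len(payload) < 12:
        raise ValueError("datagram shorter than a DNS header")
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    name = read_name(payload, 12) if (qd or an) else ""
    return {"is_response": bool(flags & 0x8000), "questions": qd, "answers": an, "name": name}

def build_mdns(name: str, is_response: bool) -> bytes:
    """Constructed sample datagram: one PTR question (query) or one PTR answer (response)."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    flags = 0x8400 if is_response else 0x0000         # QR bit (and AA) set on responses
    header = struct.pack("!HHHHHH", 0, flags, 0 if is_response else 1, 1 if is_response else 0, 0, 0)
    body = wire + struct.pack("!HH", 12, 1)           # TYPE PTR, CLASS IN
    if is_response:                                   # TTL, RDLENGTH, RDATA = pointer back to offset 12
        body += struct.pack("!IH", 4500, 2) + b"\xc0\x0c"
    return header + body

def policy_action(src_mac: str, src_port: int, dst_port: int, payload: bytes,
                  responses_only: bool = False) -> str:
    """Mirror the posted rules (drop UDP 5353 either way from Apple TV OUIs); responses_only emulates the 8.11 query/response match."""
    if MDNS_PORT not in (src_port, dst_port) or oui(src_mac) not in APPLE_TV_OUIS:
        return "permit"
    if responses_only and not parse_mdns(payload)["is_response"]:
        return "permit"
    return "drop"
```

With responses_only=False the result matches the posted config exactly: every mDNS datagram from the listed OUIs is dropped regardless of content, which is what makes it sufficient for devices like Apple TVs that only ever answer.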
