To configure and demonstrate the Service Discovery Gateway (mDNS) feature on the WLC, create a VLAN interface for the Bonjour services on a VLAN separate from the client VLAN. Because mDNS is link-local, services on the Bonjour VLAN reach the client VLAN only through the gateway, which is what makes per-VLAN filtering of those services possible.
Here is an example showing separate interfaces and VLANs for the clients (VLAN10) and the Apple TV (VLAN11):
Active queries are filters that proactively query the attached local segments for the listed service types, which keeps the entries in the service cache fresh. When a client queries for one of these services, the cache already holds a valid record and the gateway can respond immediately instead of proxying the query to the attached segments. It also makes the removal of a service detectable quickly (for example, when a device is powered off without announcing the withdrawal of its service).
Syntax:
service-list mdns-sd <name> query
 service-type <service type string>

Example (the trailing 60 in service-policy-query is the query period in seconds):
service-list mdns-sd active-query query
 service-type _airplay._tcp.local
 service-type _scanner._tcp.local
 service-type _printer._tcp.local
 service-type _raop._tcp.local
 service-type _ipp._tcp.local
!
service-routing mdns-sd
 service-policy-query active-query 60
In most deployments printers are wired, and they may sit on the same VLAN as the other Bonjour services or on a different one. To demonstrate and verify that the AirPrint services are reachable by users:
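To check from a client which instances of a service type are actually being advertised on its VLAN, the following small mDNS browser can be run from a laptop on that VLAN. It is an added example written for this page, not a Cisco tool or anything shipped with the product; the reply it parses offline is a constructed packet, not a capture, and the names (`browse`, `parse_ptr_answers`) are this example's own.

```python
"""Minimal mDNS (RFC 6762) PTR browser: send one query for a service type and
list the instance names in the replies. Added example, not a Cisco tool."""
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
TYPE_PTR, CLASS_IN = 12, 1

def encode_name(name: str) -> bytes:
    """Dotted name -> DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_ptr_query(service: str) -> bytes:
    """One-question query; mDNS queries carry transaction ID 0 and no flags."""
    return (struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(service)
            + struct.pack("!HH", TYPE_PTR, CLASS_IN))

def decode_name(pkt: bytes, off: int) -> tuple:
    """Decode a possibly compressed name at `off`; return (name, offset after it).
    A compression pointer must point backwards, so a crafted reply cannot loop."""
    labels, end, jumped = [], off, False
    while True:
        if off >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward compression pointer")
            if not jumped:
                end, jumped = off + 2, True
            off = ptr
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        if off + length > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[off:off + length].decode("utf-8", "replace"))
        off += length

def parse_ptr_answers(pkt: bytes, service: str) -> list:
    """Instance names from PTR records owned by `service`, from any section."""
    if len(pkt) < 12:
        raise ValueError("truncated header")
    qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])[2:]
    off = 12
    for _ in range(qd):                                 # skip the questions
        off = decode_name(pkt, off)[1] + 4
    wanted, found = service.lower().rstrip("."), []
    for _ in range(an + ns + ar):
        owner, off = decode_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_PTR and owner.lower() == wanted:
            target = decode_name(pkt, off)[0]           # rdata may be compressed
            if target not in found:
                found.append(target)
        off += rdlen
    return found

def browse(service: str, timeout: float = 2.0) -> list:
    """Query the multicast group and collect replies for `timeout` seconds (needs a network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_ptr_query(service), (MDNS_GROUP, MDNS_PORT))
        while True:
            pkt = sock.recvfrom(9000)[0]
            try:
                found += [n for n in parse_ptr_answers(pkt, service) if n not in found]
            except (ValueError, struct.error):
                pass                                    # ignore malformed packets
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

def constructed_response() -> bytes:
    """Hand-built reply (constructed, not captured): one PTR answer for
    _ipp._tcp.local whose rdata ends with a pointer back to offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)    # QR=1, AA=1
    rdata = b"\x0eOffice Printer" + b"\xc0\x0c"               # label + pointer
    rr = struct.pack("!HHIH", TYPE_PTR, 0x8001, 4500, len(rdata)) + rdata
    return header + encode_name("_ipp._tcp.local") + rr        # owner at offset 12
```

Save it as, say, `mdns_browse.py` (the file name is arbitrary) on a laptop attached to the VLAN under test and run `python3 -c 'import mdns_browse; print(mdns_browse.browse("_airplay._tcp.local"))'`; an empty list on the Student VLAN and a populated one on the Staff VLAN is the expected outcome of the filtering described later on this page. The parser rejects forward compression pointers and truncated labels so that a malformed reply from some other host on the segment cannot hang the check.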
A service policy can also be applied per interface. On the WLC main menu, navigate to Controller > mDNS > Interface and click the name of the interface on which the policy should be enforced. From the Service Policy IN and Service Policy OUT drop-down menus, select the service policy and click Apply. Here the default service policy gui-permit-all is selected for both Service Policy IN and Service Policy OUT.
You can create a Service List, define a service rule (Permit or Deny), and select a service type as shown below.
Note: Currently the WLC GUI lets you move only one service at a time from Learned Services to Selected Service. Additional services can be added to the service list from the WLC CLI.
A service list is a set of permit and deny statements, each matching a part of the mDNS record (for example the service type or the instance name). The match is a regular expression rather than a literal string comparison, so an unescaped '.' in a service type matches any character.
In the example below we deny the AirPlay service (Apple TV) to users in the Student group and permit both AirPlay and AirPrint (Bonjour printer) to users in the Staff group.
It is assumed that the controller is already configured for AAA (802.1X) authentication. Because the service list is bound to a VLAN interface, the restriction only holds if the AAA override actually places Student users on that VLAN; the verification at the end of this procedure checks exactly that.
Step 1: To configure and demonstrate the filtering of a specific service on a particular interface, we created another WLAN with L2 Security set to WPA2/802.1X, mapped to the management interface as shown in the example below.
Now navigate to Security > AAA Server and select the authentication method from the Authentication Method drop-down menu.
On the WLAN Advanced tab, enable Allow AAA Override. In this scenario there is a single SSID (security WPA2/802.1X) with two user profiles/groups. The Staff and Student users are already configured on the ISE (AAA) server. Staff users should be able to access all Bonjour services, i.e. the Apple TV and the Bonjour printer, while Student users should only have access to the Bonjour printer. To implement this, we configure a service list that denies the Apple TV/AirPlay service and permits only the printer service on the VLAN tied to the Student profile.
Step 2: Navigate to Configuration > Controller > mDNS > Service List and click the Create Service tab.
Step 3: Now configure the Service List Name; any intuitive name can be used. Here we name it Deny-Airplay. From the Service rule drop-down menu select deny and add a Sequence number (sequence numbers range from 0 to 100). Under Service Type there are two options: leave the Custom option as is and choose the service you want to deny from the Learned Services list, adding it to the Selected Service list.
In our case it is the AirPlay service we want to deny, so select _airplay._tcp.local and click Apply. Similarly, to permit the Bonjour printer service, create a permit rule in the same list (Deny-Airplay) with a higher sequence number and select _ipp._tcp.local from the Learned Services list, as shown in the example below, to allow the printer service.
Note that an Apple TV also advertises its AirPlay audio endpoint as _raop._tcp.local (one of the service types in the active-query example earlier on this page). A deny on _airplay._tcp.local alone leaves that record to be evaluated against the remaining rules of the list, so add a deny for _raop._tcp.local as well if the intent is to hide the Apple TV completely.
Step 4: Once the service list is created, apply it on the interface for it to take effect. Navigate to mDNS > Interface and click the VLAN interface on which you want to apply the rule; in this example we use VLAN13. From the Service Policy IN drop-down menu select the list created above, Deny-Airplay, and select the same for Service Policy OUT. Rules in a service list are processed in ascending sequence order and the first matching rule decides, so the deny on _airplay._tcp.local must carry a lower sequence number than the permit that follows it; a permit rule placed ahead of it would make the deny unreachable.
Step 5: To confirm that the service list rule is applied correctly, connect an iOS client to the 802.1X SSID and enter the credentials when prompted for a username and password.
Step 6: After the client is authenticated as a Staff user, try accessing the Bonjour services as shown earlier in this guide. The Staff user should be able to access both the Apple TV and the printer services.
Similarly, connect to the same SSID with Student credentials and verify that the client is placed on the intended VLAN (VLAN13 in our example); only the printer service should be available for that user profile. If the client lands on a different VLAN, the service policy bound to VLAN13 is never consulted, so check the AAA override attributes returned by ISE before troubleshooting the mDNS configuration.
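The evaluation order the procedure relies on (lowest sequence number first, first match decides, regular-expression match on the service type) can be checked on paper with a small model. The following is an added example written for this page, not Cisco's code. It assumes that a service matching no rule is denied (the page does not state the implicit result), that Service Policy IN filters what the gateway learns from a VLAN while OUT filters what it advertises to clients on that VLAN, and that the built-in gui-permit-all list behaves like a single permit-anything rule; the cache contents and the Staff VLAN number are constructed. It also shows the misordering Step 4 warns about: a permit-all rule with a lower sequence number than the deny makes the deny unreachable.

```python
"""Model of how a WLC mDNS service list is evaluated: rules carry a sequence
number (0-100), the lowest sequence is checked first, the first matching rule
decides, and the service-type field is a regular expression.
Added example, not Cisco's code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    sequence: int        # 0-100, as the GUI accepts
    action: str          # "permit" or "deny"
    service_type: str    # regex, e.g. "_airplay._tcp.local"


class ServiceList:
    # ASSUMPTION: a service matching no rule is denied. The page does not state
    # the implicit result, so it is a parameter here rather than a fact.
    def __init__(self, name: str, rules: List[Rule], default: str = "deny"):
        for r in rules:
            if not 0 <= r.sequence <= 100:
                raise ValueError(f"{name}: sequence {r.sequence} outside 0-100")
            if r.action not in ("permit", "deny"):
                raise ValueError(f"{name}: bad action {r.action!r}")
        self.name = name
        self.rules = sorted(rules, key=lambda r: r.sequence)   # lowest first
        self.default = default

    def evaluate(self, service_type: str) -> Tuple[str, Optional[int]]:
        """Return (action, sequence of the rule that matched, or None).
        re.search, not a literal compare: an unescaped '.' is a wildcard."""
        for r in self.rules:
            if re.search(r.service_type, service_type):
                return r.action, r.sequence
        return self.default, None


@dataclass
class InterfacePolicy:
    """Service Policy IN/OUT bound to one VLAN interface.
    ASSUMPTION on direction: IN filters announcements learned from the VLAN,
    OUT filters what the gateway advertises toward clients on the VLAN."""
    vlan: int
    policy_in: ServiceList
    policy_out: ServiceList

    def learned(self, announced: List[str]) -> List[str]:
        return [s for s in announced if self.policy_in.evaluate(s)[0] == "permit"]

    def advertised(self, cache: List[str]) -> List[str]:
        return [s for s in cache if self.policy_out.evaluate(s)[0] == "permit"]


# Constructed data for the Staff/Student scenario (not a capture).
CACHE = ["_airplay._tcp.local", "_raop._tcp.local",
         "_ipp._tcp.local", "_printer._tcp.local"]

DENY_AIRPLAY = ServiceList("Deny-Airplay", [
    Rule(10, "deny", "_airplay._tcp.local"),    # lower sequence: checked first
    Rule(20, "permit", "_ipp._tcp.local"),
])
# gui-permit-all is the WLC's built-in list; modeled as permit-anything (assumption).
PERMIT_ALL = ServiceList("gui-permit-all", [Rule(0, "permit", ".*")])

STUDENT_VLAN13 = InterfacePolicy(13, DENY_AIRPLAY, DENY_AIRPLAY)
STAFF_VLAN10 = InterfacePolicy(10, PERMIT_ALL, PERMIT_ALL)   # VLAN number assumed

# The misconfiguration to avoid: a permit-all with a lower sequence than the
# deny is matched first, so the deny never fires.
MISORDERED = ServiceList("Misordered", [
    Rule(5, "permit", ".*"),
    Rule(10, "deny", "_airplay._tcp.local"),
])

if __name__ == "__main__":
    print("Student (VLAN13) sees:", STUDENT_VLAN13.advertised(CACHE))
    print("Staff sees:", STAFF_VLAN10.advertised(CACHE))
    print("Misordered list on AirPlay:", MISORDERED.evaluate("_airplay._tcp.local"))
```

With the default-deny assumption the Student VLAN sees only _ipp._tcp.local, and _raop._tcp.local is hidden only because nothing permits it; if the real implicit result were permit, the AirPlay audio record would leak through the Deny-Airplay list as written in Step 3, which is why the explicit deny for _raop is worth adding.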