Bonjour Gateway Wireless LAN Controller Deployment Guide, Release 7.5
Last Updated: August, 2013
Bonjour is Apple's service discovery protocol which locates devices such as printers, other computers, and the services that those devices offer on a local network using multicast Domain Name System (mDNS) service records.
Bonjour Phase 2 in the 7.5 release enhances the Bonjour features introduced in the 7.4 release. The enhancements are:
•Location Specific Services (LSS) for wireless service.
•mDNS-AP (enhance VLAN visibility at WLC for non-layer 2 VLANs)
•Priority MAC support
•Origin based service discovery
•Per-service SP count limit is removed
•Bonjour browser (services that are not learnt)
Scope, Objectives, and Expectations
In this guide the newly added features mentioned will be discussed and implemented:
1. LSS — Location Specific Services
2. mDNS-AP — mDNS packet forwarded by AP to Controller.
3. Priority MAC — To ensure that an SP with a priority MAC is learnt.
4. Origin of service — wired/wireless/all
Before you implement and test new bonjour features, you will have to set up initial bonjour gateway configuration on WLC. The complete details are described in Bonjour Deployment using mDNS Gateway.
Note Currently, all the new Bonjour Gateway (7.5) feature sets are configured/enabled/disabled through WLC CLI only.
Bonjour protocol operates on service announcements and service queries which allow devices to ask and advertise specific applications such as:
•File Sharing Services
•Remote Desktop Services
•iTunes File Sharing
•iTunes Wireless iDevice Syncing (in Apple iOS v5.0+)
•AirPlay offering the following streaming services:
–Music broadcasting in iOS v4.2+
–Video broadcasting in iOS v4.3+
–Full screen mirroring in iOS v5.0+ (iPad2, iPhone4S or later)
Each query or advertisement is sent to the Bonjour multicast address for delivery to all clients on the subnet. Apple's Bonjour protocol relies on mDNS operating on UDP port 5353, and each query or advertisement is sent to one of the following reserved group addresses:
•IPv4 Group Address - 224.0.0.251
•IPv6 Group Address - FF02::FB
The addresses used by the Bonjour protocol are link-local multicast addresses and thus are only forwarded on the local L2 domain. Routers cannot use multicast routing to redirect the traffic because the time to live (TTL) is set to one, and link-local multicast is meant to stay local by design.
Cisco Bonjour Gateway Solution in Release 7.4
Bonjour is Apple's version of Zeroconf - mDNS with DNS-SD. Apple devices will advertise their services via IPv4 and IPv6 simultaneously (IPv6 link local and Globally Unique). Current 7.4 implementation does not support Bonjour Snooping for IPv6 addresses. On an iPad, IPv6 cannot be turned off and no change can be made to any of the Bonjour settings.
If you want to control mDNS/Bonjour, the key is to limit the size of the local segment.
To address this issue the Cisco WLC acts as a Bonjour Gateway. The WLC listens for Bonjour services, caches the Bonjour advertisements (AirPlay, AirPrint, etc.) from the source/host (for example, an Apple TV), and responds to Bonjour clients when they request a service. The process is as follows:
1. The controller listens for the Bonjour services.
2. The WLC caches those Bonjour services.
3. The WLC listens for client queries for services.
4. The WLC sends a unicast response to the client queries for Bonjour services.
Bonjour Deployment using mDNS Gateway
From the 7.4 release, the WLC supports Bonjour gateway functionality on the WLC itself, so you do not need to enable multicast on the controller. The WLC snoops all Bonjour discovery packets and does not forward them over the air or onto the infrastructure network.
Configuring Bonjour on WLAN through GUI
To configure Bonjour on WLAN through GUI:
Step 1 To configure and demonstrate the Bonjour feature on the WLC, create a dynamic interface for Bonjour services on a separate VLAN from the client VLAN. Here is an example showing different interfaces and VLANs for clients and the Apple TV:
Step 2 Create a WLAN for clients with any security type. By default mDNS Snooping is enabled on WLAN. To confirm, choose WLAN id > Advanced tab and make sure that the mDNS Snooping option is Enabled. Select the mDNS Profile as the default-mdns-profile to allow the Bonjour services that you require to be advertised on a particular WLAN. Click Apply.
Note Only one mDNS profile can be applied to one WLAN.
Step 3 Create another WLAN for services and make sure WLAN is mapped to an interface other than management as shown in the example below:
Note Apple TV (release v5.0) does not support WPA2-Enterprise authentication. For 802.1x networks, a work around is to create a WPA2-PSK WLAN using the same wired interface.
Step 4 Connect the Apple TV to the SSID created for device services and the Bonjour client (iPad/iPhone) to the SSID for clients. Navigate to Monitor > Clients; the Bonjour-servicing Apple TV and the Bonjour client (your iPad/iPhone) are associated to two different SSIDs, as shown below:
From the example above, it follows that the Apple TV and the client are connected on different VLANs.
Step 5 Click the MAC address of the Bonjour device (Apple TV) as shown in the image above to view its details. Check that the Apple TV is associated to the interface mapped to a different VLAN than that of the client. In this case it is VLAN 11.
Step 6 Now go back and click the MAC address of the client (iPad/iPhone) to view its details. As in the diagram below, check that the iPad/iPhone is associated to an interface other than the services interface. In this case it is VLAN 10.
Configuring mDNS Profile through GUI
To configure mDNS profile through GUI:
Step 1 To create and apply Bonjour services, navigate to CONTROLLER > mDNS > General. To enable mDNS Global Snooping, which is disabled by default, check the mDNS Global Snooping check box under Global Configuration and click Apply. The Master Services Database shows the preconfigured default profiles.
The Master Service Database is a user-configured database of all the Bonjour services supported by the WLC. As shown in the figure above, a default list of services such as Apple TV and printer is added to the master service database on start-up. The WLC snoops and learns mDNS service advertisements only if the service is present in the master service list database. Similarly, only queries for services listed in the master service list are answered, and only if the Bonjour profile associated with the client allows the service being queried. Currently a maximum of 64 services can be included in the master service list database, which means the controller can snoop and learn up to 64 different services.
Step 2 To add Bonjour services to the master service list database, choose the desired option from the Select Service drop-down list, which displays all services. For the demonstration here, choose Scanner.
Step 3 After selecting the desired service, click the Add button and then Apply. Each service name has a predefined service string.
Step 4 To select which services to be advertised click mDNS and then click Profiles. The default profile will appear. Navigate to Controller > mDNS > Profiles and select the default-mdns-profile.
Note If the requirement is to use only default services then assign the default-mdns-profile to that particular WLAN on which you want to enable mDNS services.
Step 5 To check which bonjour services are running, click mDNS > Domain Names. In the example below, you will notice Apple TV is being discovered as a Wireless Medium.
Step 6 When Bonjour Service shows up under Domain Name, verify to which mDNS profile it is tied to by navigating to mDNS > General > AppleTV. As only the default profile is used, the services will show up under Profile Name, default-mdns-profile.
Accessing and Testing Bonjour
To access and test Bonjour:
Step 1 Once the profile is attached to the WLAN as shown in previous procedure, proceed with testing to see if the Bonjour services are routed across the VLANs.
Step 2 Make sure your Apple iPhone/iPad Client is connected to the client SSID.
Step 3 Ensure that the Apple TV has AirPlay enabled by navigating to Settings > AirPlay from the home screen using the TV remote for the Monitor. An optional passcode can be set for security.
Step 4 On your Apple iOS device, double-click the home button to reveal the multi-tasking view.
Step 5 Swipe left to right (twice for iPhone, once for iPad) to reveal a menu with the AirPlay icon as depicted in the below screenshot.
Step 6 Select the Apple TV from the list, and enable mirroring.
Step 7 The status bar at the top of the Apple device will turn blue along with adding an icon for AirPlay, signifying that you are broadcasting your screen on the Apple TV.
mDNS Services with Wired Bonjour Devices
In most scenarios, some bonjour devices may be directly connected to the switch or device. Bonjour services can be accessed even when the bonjour device is connected via an Ethernet cable on a network.
The VLAN of wired Bonjour devices must be trunked to the controller so that their advertisements can be seen and sent out to wireless clients. In our example the bonjour device (Apple TV) is on VLAN 11 tied to the dynamic interface on the controller.
Note In 7.5 release, mDNS AP has the ability to snoop wired Services on VLANS invisible to WLC which will be discussed in detail later in this document.
Step 1 On the WLC GUI, navigate to Controller > mDNS > Domain Names, you will now notice Apple TV is being discovered as the Wired Medium in the dynamic VLAN as shown in the example below.
Step 2 Now using your Apple Client (iPhone/iPad) you should check to make sure that the Apple services are still being broadcasted.
Feature Enhancements in 7.5 Release
LSS (Location Specific Services)
Processing of mDNS service advertisements and mDNS query packets is enhanced to support LSS. Every valid mDNS service advertisement received at the WLC is tagged with the MAC address of the AP through which the SP sent it when the new entry is inserted into the SP-DB. Subsequently, when formulating the response to a client query, the WLC filters the wireless entries in the SP-DB using the MAC address of the AP associated with the querying client. LSS applies only to wireless SP-DB entries; there is no location awareness for wired SP devices.
•LSS filtering applies only to wireless SP-DB entries.
•Querying-client's AP base radio MAC address is used to query the RRM-DB to get the AP-NEIGHBOR-LIST.
•Wireless SP-DB entries are filtered based on the AP-NEIGHBOR-LIST if LSS is enabled for the service.
•If LSS is disabled for a service, the wireless SP-DB entries are not filtered when responding to a query from a wireless client for that service.
•Wired SP-DB entries are never filtered.
•LSS status cannot be enabled for services with ORIGIN set to WIRED and vice-versa.
LSS Configuration on WLC
Once the basic bonjour gateway setup is configured, LSS can be enabled by accessing the WLC CLI. LSS is disabled by default on WLC. You can check this by running the following command:
(WLC) > show mdns service summary
This is an existing CLI command, updated to display the LSS status and origin status for each service string on the summary page itself, so that the user can quickly see whether LSS is enabled or disabled for a service without having to look at the detail of each service.
Now to enable LSS issue the following command:
(WLC) > config mdns service lss <enable/disable> <service_name/all>
This CLI command enables or disables location specific service on a specific service or on all services.
The location of clients and service providers is established by the MAC address of their associated APs.
The RRM DB provides a list of neighboring APs for any given AP, and this information is used when filtering the SP-DB wireless entries in response to mDNS queries originating from wireless clients.
Note For wired clients/service providers there is no sense of location that could be applied similarly and so the wired SP-DB entries cannot be filtered similarly.
The below figure shows the network diagram of LSS enabled bonjour gateway.
When a client queries for a service, the WLC using the client's AP MAC address looks up RRM DB for the neighbor AP-list. WLC then filters the SP-DB for the service along with the service providers associated with the AP-list and responds back to the client query.
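The lookup and filtering just described, as an added example that is not Cisco's code: a model of the LSS response formulation, with the SP-DB and RRM-DB contents, AP and SP MAC addresses, and service names constructed for illustration.

```python
# Added example, not Cisco's code: a model of the LSS response filtering that the
# guide describes. The SP-DB and RRM-DB contents, MAC addresses and service
# names below are constructed for illustration.

# Base radio MACs of three APs (constructed). AP_A and AP_B are RF neighbors;
# AP_C is on another floor and is a neighbor of neither.
AP_A, AP_B, AP_C = "00:1a:00:00:00:0a", "00:1a:00:00:00:0b", "00:1a:00:00:00:0c"

# RRM-DB: AP base radio MAC -> AP-NEIGHBOR-LIST, as the WLC would look it up.
RRM_DB = {AP_A: [AP_B], AP_B: [AP_A], AP_C: []}

# SP-DB: each learnt service advertisement. Wireless entries carry the MAC of
# the AP the advertisement came through; wired entries have no location.
SP_DB = [
    {"service": "_airplay._tcp.local.", "sp_mac": "d0:03:00:00:00:01", "origin": "wireless", "ap_mac": AP_A},
    {"service": "_airplay._tcp.local.", "sp_mac": "d0:03:00:00:00:02", "origin": "wireless", "ap_mac": AP_C},
    {"service": "_airplay._tcp.local.", "sp_mac": "d0:03:00:00:00:03", "origin": "wired", "ap_mac": None},
    {"service": "_ipp._tcp.local.", "sp_mac": "d0:03:00:00:00:04", "origin": "wireless", "ap_mac": AP_C},
]

# Per-service LSS status (config mdns service lss enable <service>); off by default.
LSS_ENABLED = {"_airplay._tcp.local.": True}


def neighbor_list(rrm_db, ap_mac):
    """AP-NEIGHBOR-LIST for the querying client's AP.

    Assumption: the client's own AP counts as nearby, so SPs associated to the
    same AP are returned along with those on its RRM neighbors.
    """
    return {ap_mac, *rrm_db.get(ap_mac, [])}


def respond(sp_db, rrm_db, lss_enabled, service, client_ap_mac):
    """Return the SP MACs the WLC would unicast back for one client query."""
    entries = [e for e in sp_db if e["service"] == service]
    if not lss_enabled.get(service, False):
        return [e["sp_mac"] for e in entries]      # LSS off: no location filtering
    nearby = neighbor_list(rrm_db, client_ap_mac)
    return [
        e["sp_mac"] for e in entries
        if e["origin"] == "wired"                  # wired entries are never filtered
        or e["ap_mac"] in nearby                   # wireless: only SPs on nearby APs
    ]


if __name__ == "__main__":
    for ap in (AP_A, AP_B, AP_C):
        print(ap, "->", respond(SP_DB, RRM_DB, LSS_ENABLED, "_airplay._tcp.local.", ap))
```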
mDNS AP (mDNS Packets Forwarded by AP to Controller)
1. This feature enhancement allows controllers to have visibility of wired service providers on VLANs that are not visible to the controller.
2. User configuration is required to configure APs as mDNS APs. This configuration allows the AP to forward mDNS packets to the WLC.
3. VLAN visibility at the WLC is achieved by APs forwarding the mDNS advertisements to the controller. The mDNS packets between AP and controller are forwarded in the CAPWAP data tunnel, just like mDNS packets from wireless clients.
4. APs can be in either access or trunk mode to learn the mDNS packets from the wired side and forward them to the controller.
5. This configuration also allows the user to specify the VLANs from which the AP should snoop mDNS advertisements on the wired side. The maximum number of VLANs that an AP can snoop is 10.
6. If the AP is in access mode, the user should NOT configure any VLANs for the AP to snoop. The AP sends untagged packets when a query is to be sent. When an mDNS advertisement is received by the mDNS AP, VLAN information is not passed to the controller. Hence the service provider's VLAN, learnt via the mDNS AP's access VLAN, is maintained as 0 in the controller.
7. If the AP is in trunk mode, the user has to configure on the controller the VLANs on which the AP should snoop and forward mDNS packets. Native VLAN snooping is enabled by default when mDNS AP is enabled. The AP sends VLAN information as 0 for packets snooped on the native VLAN.
8. This feature is supported on local and monitor mode APs, and not on FlexConnect mode APs.
9. If an mDNS AP resets, or joins the same or another controller, the behavior is as follows:
a. If global snooping is disabled on the controller, a payload is sent to the AP to disable mDNS snooping.
b. If global snooping is enabled on the controller, the configuration the AP had before the reset/join is retained.
Note There are no policies for non-layer 2 adjacent VLANs.
•Uplink [Wired infra->AP-> WLC]:
–Receives 802.3 mDNS packet on configured VLANs
–Forwards received mDNS packet over CAPWAP
–Populates mgid based on received VLAN.
•Downlink [WLC-> AP-> Wired infra]:
–Receives mDNS queries over CAPWAP from WLC.
–Forwards query as 802.3 packet to wired infra.
–VLAN identified from dedicated mgids
Configuring mDNS AP on WLC
The AP interface on a switch can be configured in access mode or in trunk mode to snoop services.
mDNS AP in Trunk Mode
To configure mDNS AP in trunk mode:
Step 1 Configure an AP (AP3600-1) on a trunk mode to snoop wired advertisements from multiple VLANS.
Example of switch port configuration to which AP is connected.
Step 2 There is no default mDNS AP; you need to enable an AP as an mDNS AP on the WLC. The configuration of mDNS AP is currently done through the CLI. Run the following command to see whether any AP is configured as an mDNS AP:
(WLC) > show mdns ap summary
This is a new CLI command which displays all the APs for which mDNS forwarding is enabled. As mDNS snooping is not yet enabled on any AP, the summary displays 0 mDNS APs.
Step 3 Before enabling mDNS AP, check to see what services have already been cached on WLC. Navigate to CONTROLLER > mDNS > Domain Names. In the below illustration, an AppleTV is being discovered as a wireless medium on VLAN 11 (There are no wired services being discovered)
Step 4 Now to enable mDNS AP, run the following command:
(WLC) > config mdns ap enable/disable <APName/all> vlan <vlan-id>
This CLI command allows the user to enable or disable mDNS forwarding on an AP joined to the controller. It also allows the user to configure the VLAN on which the AP should snoop and forward mDNS packets.
In the above example AP3600-1, as an mDNS AP, is configured to snoop any mDNS packets on VLAN 105 and forward them to the WLC.
Step 5 Once the mDNS AP is configured, navigate to CONTROLLER > mDNS > Domain Names; you can see that wired services are being discovered on VLAN 105 and cached on the WLC under type mDNS AP.
Step 6 Now to configure mDNS AP to snoop traffic from other or multiple VLANs, use the following command:
(WLC) > config mdns ap vlan add/delete <vlanid> <AP Name>
This CLI command allows the user to add/delete VLAN on which the mDNS AP should snoop and forward mDNS packets.
Note The maximum number of VLANs that AP can snoop is 10.
Step 7 After adding the VLAN, verify that the bonjour services are getting discovered on that VLAN. Here the bonjour advertisement is snooped on VLAN 200 and forwarded to WLC.
Step 8 Now using your Apple Client (iPhone/iPad) you should check to make sure that the Apple services are still being broadcasted.
mDNS AP in Access Mode
To configure an mDNS AP in access mode:
Step 1 Example of switch port configuration to which AP is connected.
If the AP is in access mode, the user should NOT configure any VLANs on AP to snoop. AP will send untagged packets when query is to be sent. When an mDNS advertisement is received by mDNS AP, VLAN information is not passed to the controller. Hence the Service provider's VLAN, learnt via mDNS AP's access VLAN will be maintained as 0 in the controller.
Step 2 Use the following command to configure mDNS AP to snoop the traffic:
(WLC) > config mdns ap enable/disable <APName/all>
Step 3 Then verify by running the show mdns ap summary command.
Here an mDNS AP (AP3600-2) in access mode is configured, and it snooped services on VLAN 40.
Step 4 Now using your Apple Client (iPhone/iPad) you should check to make sure that the Apple services are still being broadcasted.
Priority MAC Support
In the 7.4 release there was a limit of 100 service providers per service type across 64 service types, and this was insufficient for some services such as AppleTV. In the 7.5 implementation this restriction is removed and there is only a global service-provider limit per platform, i.e. 6400 on WLC 2500/5500/WiSM-2 and 16000 on WLC 7500/8500.
As long as the total number of service providers across all services is within this limit, any service is free to learn as many service providers as it sees, and there is no per-service reservation or restriction. This gives the flexibility to accommodate more service providers for one service relative to the others.
In addition, 50 MAC addresses can be configured per service; these are the SP MACs that need priority. This guarantees that any service advertisement originating from these MACs for the configured service is learnt even if the SP-DB is full, by deleting the last non-priority SP from the service that has the highest number of SPs.
While configuring the priority MAC address for a service there is an optional parameter, ap-group, which applies only to WIRED service providers and associates a sense of location with the wired SP device. When a client mDNS query originates from this ap-group, the wired entries with a priority MAC and matching ap-group are looked up and listed first in the aggregated response.
Priority MAC Configuration
To configure priority MAC run the following command from WLC CLI:
(WLC) > config mdns service priority-mac <add/delete> <mac-address> <service_name> [ap-group <group-name>]
This allows the user to configure, per service, the MAC addresses of service-providing devices so that they are guaranteed to be snooped and discovered even if the SP-DB is full. The optional ap-group applies only to WIRED SP devices, giving them a sense of location; those SPs are placed higher in the order than the other wired devices. Note that only the order changes, not the contents, for the wired SPs.
show mdns service detail <service_name> shows the priority MAC addresses configured for the service.
Priority MAC Feature Summary
•There is no per-service limit of SP count.
•Only a global SP-COUNT max is defined.
–WLC 2504/5508 — 6400
–WLC7510/8510 — 16000
•Any service can have any number of SP as long as the global limit allows the same.
•Priority-MAC support ensures that each service can have at least 50 SPs even if the DB is full, i.e. a maximum of 50 MAC addresses per service is supported.
•Ensures that the priority service providers are always discovered even if the SP-DB is FULL.
•The last non-priority SP for the service with the highest number of SP will be deleted to accommodate the priority SP.
•If the MAC address is that of WIRED SP and the ap-group name [ optional ] is configured, it gives a sense of location to the wired SP.
•When a query from a wireless client is processed the WIRED-SP will be ORDERED [ not filtered ] such that the wired SP with ap-group matching the client's ap group are higher up in order. It means that the client will see wired devices nearby first.
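The admission, eviction and ordering rules summarised above, as an added example that is not Cisco's code: a model of the SP-DB with the global limit shrunk to a constructed value of 3 (6400 or 16000 on real platforms); service names, MAC addresses and AP group names are constructed.

```python
# Added example, not Cisco's code: a model of the SP-DB admission and ordering
# rules from the priority MAC summary. Global limit, service names, MACs and
# AP group names are constructed for illustration.
from collections import Counter

MAX_PRIORITY_MACS = 50   # per service, from the guide


class SpDb:
    def __init__(self, global_limit):
        self.limit = global_limit
        self.entries = []    # dicts: service, sp_mac, origin, priority, ap_group
        self.priority = {}   # service -> {sp_mac: ap_group or None}

    def add_priority_mac(self, service, sp_mac, ap_group=None):
        """config mdns service priority-mac add <mac> <service> [ap-group <name>]"""
        macs = self.priority.setdefault(service, {})
        if sp_mac not in macs and len(macs) >= MAX_PRIORITY_MACS:
            raise ValueError("at most %d priority MACs per service" % MAX_PRIORITY_MACS)
        macs[sp_mac] = ap_group

    def learn(self, service, sp_mac, origin):
        """Insert a snooped advertisement. Returns True if it was learnt."""
        if any(e["service"] == service and e["sp_mac"] == sp_mac for e in self.entries):
            return True                                   # already known: just a refresh
        is_priority = sp_mac in self.priority.get(service, {})
        if len(self.entries) >= self.limit:
            # DB full: only a priority SP may displace an existing entry
            if not is_priority or not self._evict_non_priority():
                return False
        # ap-group gives a sense of location to WIRED SPs only
        ap_group = self.priority[service][sp_mac] if is_priority and origin == "wired" else None
        self.entries.append({"service": service, "sp_mac": sp_mac, "origin": origin,
                             "priority": is_priority, "ap_group": ap_group})
        return True

    def _evict_non_priority(self):
        """Delete the last non-priority SP of the service holding the most SPs.
        Assumption: 'last' means the most recently learnt entry."""
        counts = Counter(e["service"] for e in self.entries)
        for service, _ in counts.most_common():
            victims = [e for e in self.entries if e["service"] == service and not e["priority"]]
            if victims:
                self.entries.remove(victims[-1])
                return True
        return False                                      # every entry is a priority SP

    def respond(self, service, client_ap_group):
        """Aggregated response to a wireless client's query: wired SPs whose
        ap-group matches the client's AP group are ordered first; nothing is filtered."""
        entries = [e for e in self.entries if e["service"] == service]

        def nearby_wired(e):
            return e["origin"] == "wired" and e["ap_group"] == client_ap_group

        return [e["sp_mac"] for e in sorted(entries, key=lambda e: not nearby_wired(e))]
```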
Origin Based Service Discovery
In the 7.4 release, once a service is configured it is learnt from both wired and wireless, and there is no option to restrict learning to wired only, wireless only, or all. This configuration is provided in the 7.5 release. All services learnt from an mDNS AP are treated as wired, and similarly services learnt on guest are also treated as wired. When the learn origin is WIRED, LSS cannot be enabled for the service, since LSS applies only to wireless services.
Configuring Origin Based Service on WLC
The origin is set to All by default for all services. The example below shows that the origin is set to All and the number of SPs is 3 for the service string _airplay._tcp.local.
Of the three SPs shown, one is wireless and the other two are wired, as they were discovered by an mDNS AP.
To set the service origin to wired or wireless, configure the following on the WLC CLI:
(WLC) > config mdns service origin <wired/wireless/all> <service_name/all>
This provides greater control to restrict the learning of services to wired, wireless, or both. In the example below we set the origin to wireless on the AppleTV service and so restrict the AirPlay services learnt on the wired side. Even though three services are cached on the WLC, only one service is seen on the wireless client.
Service Origin Summary
•Provides flexibility to learn any service based on its origin type i.e [ wireless/wired/all ]. Provides filtering on in-bound mDNS service advertisements.
•If wireless SP are preferred as against wired SP, then the service origin could be set to WIRELESS so that only wireless SP for the said service will be discovered.
•Services with origin set to WIRELESS cannot be changed to WIRED if the LSS status is enabled for the service, since LSS applies only to wireless SP-DB.
•When Origin is changed between wireless and wired, the SP-DB entries with the old origin type will be cleared.
•This can be used to clear SP-DB entries for a service.
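The origin rules in this section and the LSS/wired exclusion stated earlier, as an added example that is not Cisco's code: a model of learn filtering, mDNS-AP and guest sources treated as wired, the origin change that clears old-origin entries, and what a client query sees afterwards. Service names and MAC addresses are constructed.

```python
# Added example, not Cisco's code: a model of the origin-based learning rules.
# Service names and MACs are constructed for illustration.

ORIGINS = ("wired", "wireless", "all")


class OriginConfig:
    def __init__(self):
        self.origin = {}   # service -> configured origin; "all" when unset
        self.lss = set()   # services with LSS enabled
        self.sp_db = []    # (service, sp_mac, learnt_origin)

    def learn(self, service, sp_mac, source):
        """source: 'wireless', 'wired', 'mdns-ap' or 'guest'. Returns True if learnt."""
        learnt = "wireless" if source == "wireless" else "wired"  # mDNS-AP and guest count as wired
        allowed = self.origin.get(service, "all")
        if allowed not in ("all", learnt):
            return False                 # dropped in-bound; would show in the Bonjour browser
        self.sp_db.append((service, sp_mac, learnt))
        return True

    def set_lss(self, service, enable):
        """config mdns service lss enable/disable <service>"""
        if enable and self.origin.get(service, "all") == "wired":
            raise ValueError("LSS cannot be enabled: origin is WIRED")
        if enable:
            self.lss.add(service)
        else:
            self.lss.discard(service)

    def set_origin(self, service, new_origin):
        """config mdns service origin <wired/wireless/all> <service>"""
        if new_origin not in ORIGINS:
            raise ValueError(new_origin)
        if new_origin == "wired" and service in self.lss:
            raise ValueError("disable LSS on the service first")
        old = self.origin.get(service, "all")
        if {old, new_origin} == {"wired", "wireless"}:
            # switching between wireless and wired clears entries of the old type
            self.sp_db = [e for e in self.sp_db if e[0] != service or e[2] == new_origin]
        self.origin[service] = new_origin

    def visible(self, service):
        """SP MACs a client query would see: only entries matching the configured origin.
        Assumption: entries cached before the origin changed from 'all' stay in the
        SP-DB but are not offered, matching the three-cached, one-seen example above."""
        allowed = self.origin.get(service, "all")
        return [m for s, m, o in self.sp_db if s == service and allowed in ("all", o)]
```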
Any mDNS configuration performed on the Active WLC is synced to the Standby WLC, except for the mDNS AP configuration. For mDNS AP no sync to the standby is needed, as the AP configuration information is always stored on the AP. The complete Bonjour database is synced to the standby WLC.
Following are the commands to debug bonjour:
debug mdns error enable
debug mdns message enable
debug mdns detail enable
debug mdns all enable
The above debugs are enhanced for the new features also.
The Bonjour browser (show mdns service not-learnt) can also be used as a debug tool.
•Bonjour browser is a cache of all the service advertisements seen at WLC and not discovered because configuration did not allow learning.
•Service advertisements across all VLANs and ORIGIN types that are not learnt are displayed in Bonjour browser.
•Bonjour browser is a cache of top 500 service advertisements entries.
•You can view the services that are not learnt and add them manually.
Configuration and Restrictions
•All platforms already supporting Bonjour in WLC software release 7.4, will support Bonjour in WLC software release 7.5 as well.
•mDNS AP is supported only on local and monitor mode APs.
•LSS filtering will not be applicable to wired services and the services learnt from mDNS-AP which are essentially wired services.
•1240/1130 APs cannot be configured as mDNS APs.
•IPv6 for bonjour services is not supported.
Show Commands on WLC
(WLC) > show mdns profile summary
(WLC) > show mdns profile detail <profile-name>
(WLC) > show mdns service summary
(WLC) > show mdns service detail <service-name>
(WLC) > show mdns domain-name-ip summary
(WLC) > show interface detail <interface-name>
(WLC) > show interface group detail <interface-group-name>
(WLC) > show wlan <wlan-id>
(WLC) > show client detail <mac-address>
(WLC) > show network summary
To clear the mDNS database learned dynamically per service:
(WLC) > clear mdns service-database <service-name / all>
Show Command on AP CLI
AP3600#show capwap mcast mdns