The following topics are covered under this chapter:
Configuration for Service Discovery Gateway (SDG)
To configure and demonstrate the Service Discovery Gateway/mDNS feature on the WLC, users can create a VLAN interface for Bonjour services on a VLAN separate from the client VLAN.
Here is an example showing different interfaces and VLANs for Clients (VLAN10) and AppleTV
Create one WLAN for clients with any security type and another WLAN for AppleTV with security set to WPA2-PSK. Map the WLANs to the respective interfaces. The example below shows the WLAN for AppleTV.
Discovery Gateway—Now, to enable the Bonjour services, navigate to Controller > mDNS > Global. Under Global Service Rules, enable mDNS by checking the checkbox, because it is disabled by default. Also, from the
Service drop-down menu, select
Service is enabled, the default service policies are created and applied.
Policy IN and Service Policy OUT help discover and cache the mDNS services on the WLC without them being advertised on the network.
Now, connect the Apple TV to the SSID for Bonjour services and the Bonjour client (iPad/iPhone) to the SSID for clients. Navigate to
Clients and you will see that the Bonjour service (the Apple TV) and the Bonjour client (your iPad/iPhone) are associated with two different SSIDs as
Once the clients are connected and the Global mDNS has been enabled, you can confirm which mDNS services are discovered and cached by navigating to Controller > mDNS > Service Cache.
You can also check if the Bonjour services are being discovered in the IOS controller by issuing the following command from the CLI:
show mdns cache
global configuration so that the cached mDNS services can be accessible to the clients that request them. To check what services are available in the default list, navigate to
Service list and click
Now, navigate to Controller > mDNS > Global and from the
Service drop-down menu, select
IN drop-down menu, select the gui-permit-all option. Do the same for
gui-permit-all and gui-deny-all are the default lists. You can also create a customized Service List and define a service rule and service type. These rules are used to control the mDNS messages coming into and going out of the cache.
filters must be specified to allow records into and out of the cache because there is a ‘deny any’ policy installed by default. In other words, if no explicit filter policy is installed, either globally or per interface, no records will make it into the cache and the cache will not answer any
Active Queries are specific filters that actively query for services attached to local segments. This helps to keep services ‘fresh’ in the cache. If a device queries for a specific service and the cache already holds a valid record, it does not need to proxy the service query to the attached network segments, but can respond immediately. This also helps to quickly detect the removal of a service (for example, a device is turned off without proper announcement of the service
Currently, the GUI is not available to configure the active query. From the WLC CLI prompt, users can configure an active query by issuing the following commands:
service-list mdns-sd <name> query
service-type <service type string>
service-list mdns-sd active-query query
service-policy-query active-query 60
- Once mDNS is enabled and Bonjour services are being cached as shown in the steps above, proceed with testing to see if the Bonjour services are routed across the VLANs.
- Make sure your Apple (iPhone/iPad) client is connected to the SSID for clients and the Apple TV is connected to the SSID for Bonjour services.
- Ensure that the Apple TV has AirPlay enabled by checking the AirPlay menu from the home screen, using the TV remote for the monitor. An optional passcode can be set for security.
- On your Apple iOS device, double-click the home button to reveal the multi-tasking view. If you are using iOS 7, swipe up the screen to see the
- Swipe left to right (twice for iPhone, once for iPad) to reveal a menu with the AirPlay icon, as depicted in the screenshots below for iOS 6 and iOS 7 respectively.
- Select the Apple TV from the list, and enable mirroring.
- The status bar of the Apple device will turn blue and show an AirPlay icon, signifying that you are broadcasting your screen to the Apple TV.
In most scenarios, printers are connected to the network through wires. The printer might be on the same network as other Bonjour services or on a different network. To showcase and verify that the AirPrint services are accessible to users:
- Create a VLAN interface on the WLC for the VLAN to which the Bonjour printer is connected (in this example, VLAN 105) by navigating to Controller > System > VLAN > Layer2 VLAN and click
the VLAN ID and click
- Similarly, create an L3 interface by navigating to Controller > System > VLAN > Layer3 Interface and click
VLAN Id and
IP Address and
- To check if the Bonjour printer service is being discovered and cached by the WLC, navigate to Controller > mDNS > Service Cache; you will see the printer being discovered and cached as shown below.
- On your iOS device, open an application such as Safari, Notes, or Photos. If you are using iOS 6, click the
as shown below. This should show the Bonjour printer discovered by the device.
- In iOS 7, from the application, click the icon
and then click
Options as shown below.
Policy on Interface
Service policy can be applied on an interface as well. On the WLC main menu, navigate to Controller > mDNS > Interface and then click the desired interface name on which you want the service policy to be enabled. From the
IN/OUT drop-down menu, select the Service Policy and click Apply. Here we have selected the default service policy
for Service Policy IN and Service Policy OUT.
You can create a Service List, define a service rule (Permit or Deny), and select a service type as shown below.
In the WLC GUI, only one service can be selected from
Service. You can add more services to the Service Policy List from the WLC
Service lists are configured with permit or deny statements matching a certain part of the mDNS record, which make up the filter. These use regular expressions for string matching (e.g. service type match or instance name match).
You can have different filters based on your network requirements:
- Filtering of certain services from certain subnets (for example, no music sharing across subnet boundaries).
- Exclusion of specific services from being visible on the network.
Service Filtering on an Interface with AAA Override
In the example shown below, we will deny the AirPlay service (Apple TV) to certain users (those in the group Student) and permit the AirPlay and AirPrint (Bonjour printer) services for other users (group Staff).
It is assumed that the user has pre-configured the controller for AAA authentication (802.1x
To configure and demonstrate the filtering of a specific service on a particular interface, we created another WLAN with L2 Security set to WPA2/802.1x, which is mapped to the management interface as shown in the example below.
AAA Server and from the
Method drop-down menu, select the Authentication method.
From the WLAN scenario, we have a single SSID (Security WPA2/dot1x) with two user profiles/groups. The users for "Staff" and "Student" are already configured on the ISE server (AAA server). The "Staff" users should be able to access all the Bonjour services, i.e. the Apple TV and the Bonjour printer, while "Student" users should only have access to the Bonjour printer.
In order to implement this scenario, we need to configure the Service List, which should deny Apple TV/AirPlay services and only allow the printer services on the VLAN that is tied to the profile 'Student'.
> Controller > mDNS > Service List and click the
Now, configure
Name: users can assign any intuitive name to the service list. Here, we are naming it Deny-Airplay. From the
drop-down menu, select deny and add
(it can be from 0-100). Under
there are two options available; you can leave the
option as is and choose the service you want to deny from the
Services list and add it to the
In our case it is the AirPlay service that we want to deny, so select _airplay._tcp.local and then click
permit Bonjour printer services, create a
List permit rule with the same list name Deny-Airplay, but with a higher
Number. Select _ipp._tcp.local from the Learned Services list as shown in the example below to allow the printer service.
Once the Service List is created, we need to apply it on the interface for it to take effect. Navigate to
Interface and click the VLAN on which you want to apply this rule. In this example we are using the VLAN interface (VLAN13) to implement this policy.
IN drop-down menu, select the rule created above, i.e. Deny-Airplay, and select the same for
Policy OUT as well. The Service List rule with the lower sequence number will be processed first.
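The service-list semantics described in this guide (permit/deny statements matched by regular expression against the service type or instance name, the lower sequence number processed first, and an implicit ‘deny any’ for anything left unmatched) are modelled in the following added Python example. It is not WLC code and does not come from the guide; the Rule and ServiceRecord classes, the sample announcements and the list names other than Deny-Airplay are constructed assumptions. It reuses the guide's Deny-Airplay list and also shows why a permit-all rule at a lower sequence number than the deny rule defeats the deny.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example: a small model of SDG service-list evaluation. It is not WLC
# code; the rule and record shapes are assumptions made for illustration.


@dataclass
class Rule:
    seq: int                              # lower sequence numbers are evaluated first
    action: str                           # "permit" or "deny"
    service_type: Optional[str] = None    # regex matched against the service type
    instance_name: Optional[str] = None   # regex matched against the instance name


@dataclass
class ServiceRecord:
    instance: str        # e.g. "Lab Apple TV"
    service_type: str    # e.g. "_airplay._tcp.local"


def rule_matches(rule: Rule, rec: ServiceRecord) -> bool:
    """A rule matches only if every pattern it specifies matches the record."""
    if rule.service_type is not None and not re.fullmatch(rule.service_type, rec.service_type):
        return False
    if rule.instance_name is not None and not re.fullmatch(rule.instance_name, rec.instance):
        return False
    return True


def evaluate(service_list: List[Rule], rec: ServiceRecord) -> str:
    """Walk the rules in ascending sequence order; the first match wins.
    A record that matches nothing is denied: the implicit 'deny any'."""
    for rule in sorted(service_list, key=lambda r: r.seq):
        if rule_matches(rule, rec):
            return rule.action
    return "deny"


def filter_records(service_list: List[Rule], records: List[ServiceRecord]) -> List[ServiceRecord]:
    """Apply a service list as a cache IN filter: keep only permitted records."""
    return [r for r in records if evaluate(service_list, r) == "permit"]


# Constructed sample announcements, as they might arrive on the Student VLAN.
SAMPLE_RECORDS = [
    ServiceRecord("Lab Apple TV", "_airplay._tcp.local"),
    ServiceRecord("Lab Apple TV", "_raop._tcp.local"),      # AirPlay audio, a sibling service
    ServiceRecord("Bonjour Printer", "_ipp._tcp.local"),
    ServiceRecord("Music Share", "_daap._tcp.local"),
]

# The guide's Deny-Airplay list: deny AirPlay at a low sequence, permit IPP higher.
# Note that _raop and _daap are dropped only by the implicit deny, not by a rule.
DENY_AIRPLAY = [
    Rule(seq=10, action="deny", service_type=r"_airplay\._tcp\.local"),
    Rule(seq=20, action="permit", service_type=r"_ipp\._tcp\.local"),
]

# The same intent with a permit-all placed first (constructed pitfall): because the
# lower sequence number is processed first, the deny rule is never reached.
WRONG_ORDER = [
    Rule(seq=10, action="permit", service_type=r".*"),
    Rule(seq=20, action="deny", service_type=r"_airplay\._tcp\.local"),
]

# Model of the default gui-permit-all list: one permit rule that matches any type.
PERMIT_ALL = [Rule(seq=10, action="permit", service_type=r".*")]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec.service_type:24} {rec.instance:16} -> {evaluate(DENY_AIRPLAY, rec)}")
    print("with no list at all:", [r.instance for r in filter_records([], SAMPLE_RECORDS)])
    print("with permit-all before the deny:", evaluate(WRONG_ORDER, SAMPLE_RECORDS[0]))
```

Running the block shows that with Deny-Airplay applied only the _ipp._tcp.local record enters the cache, that an empty list admits nothing (the default-deny behaviour described above), and that reordering the two rules silently permits AirPlay.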
Redistribution is the process of forwarding service announcements to other segments. This is turned off by default. If a service is announced on one segment, it will be recorded in the cache. However, other segments will not ‘see’ this service instance unless the service is actively queried. If the service should be visible on other segments at the time of its original announcement on the originating segment, redistribution must be enabled.
Now, to verify that the Service List rule is being applied correctly, connect an iOS client to the Dot1x SSID and, when prompted for a username/password, enter the credentials.
accessing Bonjour services on your client, go to the WLC to check if the mDNS cache has an entry for those services.
After the client is authenticated as a "Staff" user, try accessing Bonjour services as shown earlier in this guide. The Staff user should be able to access the Apple TV and printer services.
Similarly, connect with Student credentials to the same SSID and verify that the student is placed on the desired VLAN (i.e. VLAN13 in our example); you will see that only the printer service is available for that user.
- AIR-CT5760 (14K services), WS-C3850 (14K services) and WS-3650 (8K services) in IOS-XE 3.3.
- Supported with Centralized and Converged Access mode.
- Detect wired and wireless services on VLANs that are L2 adjacent to the WLC.
- Each Bonjour service has an advertised Time To Live (TTL). The controller will ask the device for an update at 85% of this TTL.
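To make the cache ageing concrete (active queries keeping records ‘fresh’, detection of a device that went away without announcing it, answering a client from the cache instead of proxying the query, and the refresh at 85% of the advertised TTL stated above), here is an added Python model. It is not the controller's code and not from the guide; the ServiceCache class, the timeline and the device names are constructed assumptions, and only the 85% refresh point is taken from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# The 85% refresh point is taken from the guide; everything else in this
# model (classes, timeline, device names) is a constructed assumption.
REFRESH_FRACTION = 0.85


@dataclass
class CacheEntry:
    instance: str
    service_type: str
    ttl: float            # seconds, as advertised by the device
    learned_at: float     # when the record was announced or last re-learned
    refresh_sent: bool = False

    def refresh_due_at(self) -> float:
        return self.learned_at + REFRESH_FRACTION * self.ttl

    def expires_at(self) -> float:
        return self.learned_at + self.ttl


class ServiceCache:
    """Toy SDG service cache: learns announcements, re-queries devices
    at 85% of their TTL and drops records whose TTL elapses unanswered."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], CacheEntry] = {}

    def announce(self, instance: str, service_type: str, ttl: float, now: float) -> None:
        """Record an announcement, or a device's reply to an active query."""
        self.entries[(instance, service_type)] = CacheEntry(instance, service_type, ttl, now)

    def tick(self, now: float, alive: Set[str]) -> Tuple[List[str], List[str]]:
        """Advance the clock to `now`; returns (instances queried, instances expired).
        `alive` is the constructed set of devices that would still answer a query;
        a device switched off without a goodbye announcement is simply absent."""
        queried: List[str] = []
        expired: List[str] = []
        for key, entry in list(self.entries.items()):
            if not entry.refresh_sent and now >= entry.refresh_due_at():
                entry.refresh_sent = True      # one refresh attempt per TTL period
                queried.append(entry.instance)
                if entry.instance in alive:    # device answered: re-learn, timers restart
                    self.announce(entry.instance, entry.service_type, entry.ttl, now)
                    continue
            if now >= entry.expires_at():      # no answer within the TTL: drop the record
                del self.entries[key]
                expired.append(entry.instance)
        return queried, expired

    def answer(self, service_type: str, now: float) -> List[str]:
        """Answer a client's query from the cache alone: with a valid record in hand
        the gateway need not proxy the query to the attached segments."""
        return sorted(e.instance for e in self.entries.values()
                      if e.service_type == service_type and now < e.expires_at())


def run_scenario() -> Dict[str, object]:
    """Constructed timeline: both devices announce at t=0 with a 120 s TTL; the
    Apple TV is powered off at t=50 without announcing that it is going away."""
    cache = ServiceCache()
    cache.announce("Lab Apple TV", "_airplay._tcp.local", 120, now=0.0)
    cache.announce("Bonjour Printer", "_ipp._tcp.local", 120, now=0.0)
    still_alive = {"Bonjour Printer"}
    q105, x105 = cache.tick(105.0, still_alive)   # past 85% of 120 s: refresh queries go out
    q120, x120 = cache.tick(120.0, still_alive)   # the Apple TV's TTL elapses unanswered
    return {
        "queried_at_105": q105, "expired_at_105": x105,
        "queried_at_120": q120, "expired_at_120": x120,
        "airplay_answer_at_121": cache.answer("_airplay._tcp.local", 121.0),
        "ipp_answer_at_121": cache.answer("_ipp._tcp.local", 121.0),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:24} {value}")
```

In the scenario both devices are re-queried once 85% of their TTL has passed; the printer answers and its timers restart, while the Apple TV, which vanished without a goodbye, is dropped as soon as its original TTL runs out, so a client asking for _airplay._tcp.local shortly afterwards gets no stale answer from the cache.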