Controller Based WLANs

Why does my mDNS not work when the RAP is in Bridge or Split Tunnel mode? Why are my clients connecting to the RAP unable to use the local printer when the RAP is in Split Tunnel mode?

Question: Why does my mDNS not work when the RAP is in Bridge or Split Tunnel mode? Why are my clients connecting to the RAP unable to use the local printer when the RAP is in Split Tunnel mode?


Product and Software: This article applies to all RAPs that terminate on a controller that runs RN 3.x code.
In RN 3.x code, the 'ap system-profile' by default carries a session ACL named 'ap-uplink-acl', which permits only DHCP (UDP port 68) and ICMP. You can see which ACL is applied to the AP uplink port in the 'Session ACL' line of the 'show ap system-profile' output. This ACL is a security measure meant to protect the AP from unwanted traffic or DoS attacks; any traffic it does not explicitly permit, mDNS (UDP port 5353) included, is dropped. The ACL can be modified to allow mDNS traffic or any other traffic of interest when operating in Bridge or Split Tunnel mode:
(A3600) #show ap system-profile default

AP system profile "default"
---------------------------
Parameter Value
--------- -----
LMS IP N/A
Backup LMS IP N/A
LMS Preemption Disabled
LMS Hold-down Period 600 sec
Number of IPSEC retries 360
Master controller IP address N/A
LED operating mode (AP-12x/RAP-5x only) normal
RF Band g
Double Encrypt Disabled
Native VLAN ID 1
SAP MTU N/A
Bootstrap threshold 8
Request Retry Interval 10 sec
Maximum Request Retries 10
Keepalive Interval 60 sec
Dump Server N/A
Telnet Disabled
SNMP sysContact N/A
RFprotect Server IP N/A
RFprotect Backup Server IP N/A
AeroScout RTLS Server N/A
RTLS Server configuration N/A
Remote-AP DHCP Server VLAN N/A
Remote-AP DHCP Server Id 192.168.11.1
Remote-AP DHCP Default Router 192.168.11.1
Remote-AP DHCP DNS Server N/A
Remote-AP DHCP Pool Start 192.168.11.2
Remote-AP DHCP Pool End 192.168.11.254
Remote-AP DHCP Pool Netmask 255.255.255.0
Remote-AP DHCP Lease Time 0 days
Heartbeat DSCP 0
Session ACL ap-uplink-acl
Corporate DNS Domain N/A
Maintenance Mode Disabled

(A3600) #show ip access-list ap-uplink-acl
ip access-list session ap-uplink-acl
ap-uplink-acl
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any udp 68 permit Low
2 any any svc-icmp permit Low

For example, to allow mDNS, add the following rule (permitting UDP destination port 5353) to the ap-uplink-acl:
any any udp 5353 permit
The modified 'ap-uplink-acl' looks like this:
(A3600) #show ip access-list ap-uplink-acl
ip access-list session ap-uplink-acl
ap-uplink-acl
-------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any udp 68 permit Low
2 any any svc-icmp permit Low
3 any any udp 5353 permit Low
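To make the effect of the ACL concrete, here is an added Python example (not ArubaOS code and not part of the original article) that parses the 'show ip access-list' table shown above and evaluates a few constructed sample packets against the default ACL and the modified one. The IP addresses, the mDNS multicast destination 224.0.0.251 and the IPP (TCP 631) printer packet are assumptions for illustration only; the parser handles just 'any' and CIDR-style address fields, a simplification of the real output.

```python
"""Constructed model of how the ArubaOS 'ap-uplink-acl' session ACL treats traffic.

Added example, not ArubaOS code. It parses the 'show ip access-list' table from
the article and evaluates constructed packets against it before and after the
mDNS rule is added. Only 'any' and CIDR-style address fields are handled
(assumption; real ArubaOS output has further address forms).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copied from the article's default 'show ip access-list ap-uplink-acl' output.
ACL_BEFORE = """\
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any udp 68 permit Low
2 any any svc-icmp permit Low
"""

# The same table after 'any any udp 5353 permit' has been added.
ACL_AFTER = ACL_BEFORE + "3 any any udp 5353 permit Low\n"


@dataclass
class Rule:
    priority: int
    src: str
    dst: str
    proto: str            # 'udp', 'tcp', 'icmp' or 'any'
    port: Optional[int]   # destination port; None for protocol-only services
    action: str           # 'permit' or 'deny'


@dataclass
class Packet:
    label: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: Optional[int] = None


def parse_session_acl(text: str) -> List[Rule]:
    """Turn the tabular 'show ip access-list' output into priority-ordered rules."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # Rule rows start with a numeric priority; headers and separators do not.
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        priority, src, dst, rest = int(parts[0]), parts[1], parts[2], parts[3:]
        if rest[0].startswith("svc-"):
            # Named service such as 'svc-icmp': a single token with no port.
            proto, port, action = rest[0][len("svc-"):], None, rest[1]
        else:
            # '<proto> <port>' form such as 'udp 68'.
            proto, port, action = rest[0], int(rest[1]), rest[2]
        rules.append(Rule(priority, src, dst, proto, port, action))
    return sorted(rules, key=lambda r: r.priority)


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation; unmatched traffic falls through to the implicit deny."""
    for r in rules:
        if not (_addr_matches(r.src, pkt.src_ip) and _addr_matches(r.dst, pkt.dst_ip)):
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.port is not None and r.port != pkt.dst_port:
            continue
        return r.action, r.priority
    return "deny", None   # implicit deny at the end of every session ACL


# Constructed traffic on a RAP uplink; all addresses are illustrative assumptions.
SAMPLE_PACKETS = [
    Packet("DHCP reply to AP", "192.168.1.1", "192.168.1.10", "udp", 68),
    Packet("ICMP echo request", "192.168.1.50", "192.168.1.10", "icmp"),
    Packet("mDNS query", "192.168.1.50", "224.0.0.251", "udp", 5353),
    # Assumption: the printer's transport protocol (IPP, TCP 631) is separate from mDNS discovery.
    Packet("IPP print job", "192.168.1.50", "192.168.1.20", "tcp", 631),
]


def audit(acl_text: str, packets=SAMPLE_PACKETS):
    """Map each packet label to the (action, matching priority) the ACL produces."""
    rules = parse_session_acl(acl_text)
    return {p.label: evaluate(rules, p) for p in packets}


if __name__ == "__main__":
    for name, text in (("default", ACL_BEFORE), ("with mDNS rule", ACL_AFTER)):
        print(f"ap-uplink-acl ({name}):")
        for label, (action, prio) in audit(text).items():
            where = f"rule {prio}" if prio else "implicit deny"
            print(f"  {label:<20} -> {action:<6} ({where})")
```

Run as a script, it prints the verdict for each packet under both ACLs. The point it makes: with the default ACL the mDNS query falls through to the implicit deny, after the change rule 3 permits it, and anything else not explicitly listed (the assumed IPP packet here) is still dropped, so each additional protocol of interest needs its own rule. Since the ACL exists as a protective measure, narrowing the source field from 'any' to the local subnet where the deployment allows it keeps that protection while letting mDNS through.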

Version history
Revision #:
1 of 1
Last update:
07-08-2014 11:18 AM