ryh
Contributor I

Airgroup services not seen throughout IAP cluster

I have tried solving an Airgroup issue (no CPPM) with a not-small cluster of newer IAPs (6.5.2.1), wherein the allowed services are not being discovered by user devices.  What I want is all wireless clients to see all of the allowed services from any of the other IAPs in the cluster.

 

A few preliminary notes:

   -  whoever made the "allowall" service simply select the already-defined "service-id" strings instead of actually making any/all service strings allowed -- to you I ask "why? why make the label not match a desired function?"

   -  I am using ARD (Apple Remote Desktop) and Chromebooks in an educational environment. Chromecast and Apple TV are heavily utilized here.

   -  There is only 1 VLAN here.  There is an IP set for the IAP VC.  User traffic and

   -  Even my home lab of 2 IAPs shows services available on one AP but not on the other.

   -  I have broadcast filtering disabled.  Multicast transmission optimization is set, as is DMO.  This, as I understand it, should allow any requests through.

 

On AP-1 to which I connect a Chromecast device, on the same AP-1 my laptop is able to cast/stream directly to it.  This is the desired effect.

 

When I try to cast from my laptop associated to AP-2, also in the same general region, it does not function.  "show airgroup swarm-info" or "cache entries" shows one AP and its entries, but not that of the others (typically).  Sometimes it does show 2 APs in the swarm-info command, but in a group of 60+ I would expect the cached entries to be shared amongst them frequently and completely.

 

The Main Questions I want answered are:

   -  Is there a way to disable the Airgroup feature so that it doesn't interfere with any of the mDNS/Bonjour/DLNA traffic and simply lets everything through? What is needed from the GUI for WLAN config, and Airgroup GUI or Airgroup CLI config to make this happen?

   -  Why does an adjacent IAP not discover and report the services which I have enabled in the Airgroup tab?

   -  What is the logic for IAPs to discover wireless clients that offer service-id strings, how often does this occur, and how do they discover/(and ultimately report) those learned from a different IAP?

 

Thank you for any clarification offered.

 

Frequent Contributor I

Re: Airgroup services not seen throughout IAP cluster

If you are operating on a flat layer 2 subnet you do not need AirGroup. Disable it and then check and test your device access. 

 

AirGroup is a solution to enable Bonjour/mDNS, DLNA, UPnP, etc. to operate in a segmented/layer 3 network. It sounds like you are flat, and as such, when enabling AirGroup you are "breaking" the discovery process that these products use to find each other.

Michael McNamee
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP

http://www.securedgenetworks.com/secure-edge-networks-blog/
ryh
Contributor I

Re: Airgroup services not seen throughout IAP cluster

So Airgroup will only function correctly when there are different VLANs being bridged?  As I understood it, the Airgroup service steps in to fill the role of mDNS responder and querier, so should work on the same L2 domain as well.  I just thought it served as a per-AP Bonjour gateway that listened in on UDP 224.0.0.251 w/ MAC 01:00:5E:00:00:FB and performed service-id filtering on what it saw on its interfaces. Could you explain the operation if it differs from this?

 

Issuing "no airgroup" from the CLI "configure terminal" section did make all of the services be broadcast on this AP, which is very helpful.  I'll test to see if the other AP is letting those through as well.  Thank you for that: this accomplishes my "allowall" that I was expecting for testing purposes.

 

I still would like the ability to filter out certain services, and permit only a few, even on the flat network. 

 

If not possible, I can go back to the customer with this information that a flat network has troubles with filtering mDNS, but I would like to know if there are any options before saying so.
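
The per-service filtering this post asks about, as an added sketch (not from the thread, and not Aruba's AirGroup implementation): it parses the PTR answers out of an mDNS message and splits them by service type against an allowlist. The allowlist, the function names and the sample packet are constructed for illustration.

```python
import struct

ALLOWED = {"_googlecast._tcp.local", "_airplay._tcp.local"}  # hypothetical allowlist

def read_name(msg, off, depth=0):
    """Decode the DNS name at off, following compression pointers; returns (name, next_off)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if depth > 8:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr, depth + 1)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("utf-8", "replace"))
        off += 1 + n

def ptr_records(msg):
    """Return (service_type, instance_name) for every PTR answer in an mDNS message."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                           # skip questions: name, type, class
        off = read_name(msg, off)[1] + 4
    out = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == 12:                           # PTR: service type -> instance
            out.append((name.lower(), read_name(msg, off + 10)[0]))
        off += 10 + rdlen
    return out

def filter_services(msg, allowed=ALLOWED):        # returns (permitted, dropped)
    recs = ptr_records(msg)
    return [r for r in recs if r[0] in allowed], [r for r in recs if r[0] not in allowed]

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_response(pairs):                        # builds the constructed sample below
    msg = struct.pack("!6H", 0, 0x8400, 0, len(pairs), 0, 0)
    for svc, inst in pairs:
        rdata = encode_name(f"{inst}.{svc}")
        msg += encode_name(svc) + struct.pack("!HHIH", 12, 1, 120, len(rdata)) + rdata
    return msg

SAMPLE = build_response([("_googlecast._tcp.local", "Classroom-TV"), ("_ssh._tcp.local", "lab-server")])
```

Calling `filter_services(SAMPLE)` returns the Chromecast announcement as permitted and the SSH one as dropped; anything not on the allowlist is dropped by default.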

ryh
Contributor I

Re: Airgroup services not seen throughout IAP cluster

No dice.

 

Well, disabling airgroup (cli: "no airgroup") doesn't seem to have the desired effect.  None of the services are seen now, whether wireless or wired, on wireless devices.  I've tried disabling any of the multicast/broadcast optimizations, and no change.

 

How do I enable all mDNS traffic to proceed between devices in an IAP network?

 

 

Frequent Contributor I

Re: Airgroup services not seen throughout IAP cluster

Check and verify if deny inter user bridging is enabled. If all of your devices are wireless this setting would preclude them from being reached. The setting is found under System > General "Show Advanced Options"; it is near the bottom of the page.

 

If you have disabled AirGroup and the Broadcast Filtering on the SSID then all layer 2 broadcasts should be allowed via wireless and wired. Essentially nothing should be blocked. 

 

I recommend downloading and referring to the user guide which discusses AirGroup in depth in Chapter 23. 

Michael McNamee
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP

http://www.securedgenetworks.com/secure-edge-networks-blog/
ryh
Contributor I

Re: Airgroup services not seen throughout IAP cluster

Thank you for your suggestions and explanations.  I will check again today and re-read chapter 23.

 

Thanks.

ryh
Contributor I

Re: Airgroup services not seen throughout IAP cluster

As you had said for this single-vlan deployment, disabling the Airgroup feature in the CLI (with the command "no airgroup") did the trick, when used in conjunction with disabling "broadcast/multicast filtering" and also disabling "deny interuser traffic".

 

Thanks!
