Occasional Contributor II

Allowing MDNS

Hello everyone,

We have RAP users at home who can't see their shares, like iTunes. How do I allow MDNS traffic to get through to hosts behind the RAP?

I have enabled IGMP and updated the ACL to allow any traffic going from and to 224.0.0.0 255.0.0.0, but still no luck.


Thanks,
Eva
Aruba Employee

Re: Allowing MDNS

That looks like it should have worked, from my notes on this the example I have is:

alias home-network network 224.0.0.0 255.0.0.0 any permit

Where home-network contains the local subnet. This was for use between bridged users that are on the same subnet. Is that what you're trying to do? Can you explain a bit more about your hosts, forwarding types, and maybe post your policy for us to look at?

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Occasional Contributor II

Re: Allowing MDNS

Thanks, Andy.

We are not using Bridge mode. The MDNS traffic comes from CORPNET. Here is what the ACL looks like:


CORPNET
-------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ -------
1 any any svc-dhcp permit Low
2 CORPNET 224.0.0.0 255.0.0.0 any permit Yes Low Yes
3 any CORPNET any permit Yes Low Yes
4 any any any route src-nat Yes Low Yes

Any help will be greatly appreciated.


Thanks,
Eva
Aruba Employee

Re: Allowing MDNS

Hi Eva,

Looking at this, what the rule is saying is from corpnet to mDNS ports allow anything, but are the devices on the RAP also in that same corpnet alias? You may need something like the following as well:

rap-clients 224.0.0.0 255.0.0.0 any permit

See if that works for you...
-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Occasional Contributor II

Re: Allowing MDNS

Re: "are the devices on the RAP also in that same corpnet alias?"
Yes, in the test environment, the Mac connected behind the RAP is on the same CORPNET space.

Re: "rap-clients 224.0.0.0 255.0.0.0 any permit"
I tried it, but it is still not working.

I have also tried "any 224.0.0.0 255.0.0.0 any permit".

Is there a way that we can mirror MDNS traffic from E0 to all the downlink ports 1-4?

Thanks again,
Eva
Aruba Employee

Re: Allowing MDNS

Is the resource they are trying to reach really remote, or is it off the E0 port? There is a default ACL on the uplink port that will block mDNS unless you modify it; you can find it in the ap system profile.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Occasional Contributor II

Re: Allowing MDNS

"Is the resource they are trying to reach really remote, or is it off the E0 port?"
The resource is off the E0 port.

"There is a default ACL on the uplink port that will block mDNS unless you modify it; you can find it in the ap system profile."
I modified the ap-uplink-acl to allow mDNS, but it is still not working.
Aruba Employee

Re: Allowing MDNS

Just to be clear, by saying off port 0 I meant that it was local to the AP, not across the tunnel. If that is the case, I believe that your users need to be in bridge mode to access that resource. If it's on the other side of the tunnel, you should open a ticket with TAC at this point; it seems like you're doing the right things.

Sorry I couldn't be more help,
-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Occasional Contributor II

Re: Allowing MDNS

Re: "port 0 I meant that it was local to the AP, not across the tunnel"
Correct, mDNS was local to the AP, and not across the tunnel.

"If that is the case I believe that your users need to be in bridge mode to access that resource."
I will test out the bridge mode again to see if the issue that I ran into was resolved in the recent release.

I do appreciate your help, awl!