01-17-2013 05:20 AM
We are already using AirGroup and AirPlay in our environment, but now we have the special requirement that guests should be able to connect to our Apple TV boxes in the conference rooms.
The guests are usually separated into their own VLAN 98, going out to one interface of the 650 controller to the internet uplink.
The Apple TV resides in the VLAN 100. Firewall Rules explicitly deny all traffic from guest nets to the internal networks. Additionally I always disable "inter vlan routing" and enable "inter user bridging" and "inter user traffic".
The point is that I'm only able to see AirGroup users from the VLAN 100 if I do a "show airgroup users" and no client (like iPad) from the VLAN 98. But if I do a "show airgroup vlan" I can see that air group is enabled for all VLANs. Why?
And generally: is AirGroup a "secure" solution to give guests access to the Apple TV? Or is it more a way to allow Bonjour across different subnetworks...?
Thanks in advance,
01-29-2013 04:33 PM
Ultimately, what you allow from a protocol and firewall perspective will dictate your security posture. AirGroup is not a security mechanism, and anyone that you don't want talking across VLANs with certain protocols, you should block. AirGroup does not violate security policy but ensures that users who would not normally see Bonjour devices across subnets will then be able to. If you have port UDP 5353 blocked, they will not be able to see regardless.
Aruba Customer Engineering
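The answer's point is that the guest role's firewall policy, not AirGroup, decides what a guest can reach. The following is an added example, not code from this thread, from Aruba or from ArubaOS: a small first-match policy evaluator in Python that models a guest-to-Apple-TV policy and shows how rule order changes the outcome. The addresses (a 192.168.98.0/24 guest network, a 10.0.0.0/8 internal range, an Apple TV at 10.0.100.20), the use of TCP 7000 for the AirPlay session, and the flows being checked are all constructed assumptions for the illustration.

```python
"""First-match firewall policy evaluator for a guest VLAN (constructed example).

It models the situation in the thread: guests in their own VLAN must be denied
access to internal networks in general, but allowed to reach one Apple TV for
mDNS (UDP 5353) and the AirPlay session itself. Rule order matters: a blanket
"deny internal" placed before the Apple TV permits swallows them.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    proto: str            # "udp", "tcp" or "any"
    dport: Optional[int]  # destination port, None means any port
    action: str           # "permit" or "deny"

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (
            ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", proto)
            and self.dport in (None, dport)
        )


# Constructed addressing; the VLAN numbers 98 and 100 come from the thread,
# the subnets and the Apple TV host address are assumptions.
GUEST_NET = "192.168.98.0/24"   # guest VLAN 98
INTERNAL_NET = "10.0.0.0/8"     # everything internal, including VLAN 100
APPLE_TV = "10.0.100.20/32"     # the conference-room Apple TV in VLAN 100
ANY = "0.0.0.0/0"
AIRPLAY_TCP_PORT = 7000         # assumed AirPlay control port for the example

# Correct order: the narrow permits for the Apple TV come before the broad deny.
GUEST_POLICY: List[Rule] = [
    Rule("allow-mdns-to-appletv", GUEST_NET, APPLE_TV, "udp", 5353, "permit"),
    Rule("allow-airplay-to-appletv", GUEST_NET, APPLE_TV, "tcp", AIRPLAY_TCP_PORT, "permit"),
    Rule("deny-internal", GUEST_NET, INTERNAL_NET, "any", None, "deny"),
    Rule("allow-internet", GUEST_NET, ANY, "any", None, "permit"),
]

# Common mistake: the same rules with the broad deny first. The Apple TV
# permits can never match because 10.0.100.20 is inside 10.0.0.0/8.
MISORDERED_POLICY: List[Rule] = [GUEST_POLICY[2], GUEST_POLICY[0], GUEST_POLICY[1], GUEST_POLICY[3]]


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule_name) of the first matching rule, or an implicit deny."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def audit(policy: List[Rule], flows: List[Tuple[str, str, str, int]]) -> List[Tuple[str, str, str, int, str, str]]:
    """Evaluate a list of (src, dst, proto, dport) flows and return each with its verdict."""
    return [(s, d, p, port, *evaluate(policy, s, d, p, port)) for s, d, p, port in flows]


# Constructed sample flows: a guest iPad talking to the Apple TV, to an
# internal file server, to the internet, and poking at SSH on the Apple TV.
SAMPLE_FLOWS = [
    ("192.168.98.10", "10.0.100.20", "udp", 5353),
    ("192.168.98.10", "10.0.100.20", "tcp", AIRPLAY_TCP_PORT),
    ("192.168.98.10", "10.0.5.5", "tcp", 445),
    ("192.168.98.10", "10.0.100.20", "tcp", 22),
    ("192.168.98.10", "93.184.216.34", "tcp", 443),
]

if __name__ == "__main__":
    for label, policy in (("ordered", GUEST_POLICY), ("misordered", MISORDERED_POLICY)):
        print(f"--- {label} policy ---")
        for s, d, p, port, action, name in audit(policy, SAMPLE_FLOWS):
            print(f"{s} -> {d} {p}/{port}: {action} ({name})")
```

With the ordered policy the iPad's mDNS and AirPlay flows to the Apple TV are permitted, the file-server and SSH attempts hit `deny-internal`, and plain internet traffic falls through to `allow-internet`. With the misordered policy every flow into 10.0.0.0/8 is denied, which is exactly the "AirGroup is enabled on the VLAN but the guest still cannot connect" symptom: discovery was proxied, but the firewall never let the session through.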