paw
Contributor I
Posts: 27
Registered: ‎09-13-2011

AirPlay with AirGroup for Guests

Hello,

 

We are already using AirGroup and AirPlay in our environment, but now we have the special requirement that guests should be able to connect to our Apple TV boxes in the conference rooms.

 

The Guests are usually separated into their own VLAN 98 going out to one interface of the 650 controller to the internet uplink.

The Apple TV resides in the VLAN 100. Firewall Rules explicitly deny all traffic from guest nets to the internal networks. Additionally I always disable "inter vlan routing" and enable "inter user bridging" and "inter user traffic".

 

The point is that I'm only able to see AirGroup users from the VLAN 100 if I do a "show airgroup users" and no client (like iPad) from the VLAN 98. But if I do a "show airgroup vlan" I can see that air group is enabled for all VLANs. Why?

 

And generally: Is AirGroup a "secure" solution to give Guests Access to the Apple TV? Or is it more a way to allow Bonjour across different subnetworks...?

 

Thanks in advance,

 

PAW

 

 

Guru Elite
Posts: 20,015
Registered: ‎03-29-2007

Re: AirPlay with AirGroup for Guests

Ultimately, what you allow from a protocol and firewall perspective will dictate your security posture. Airgroup is not a security mechanism and anyone that you don't want talking across VLANs with certain protocols, you should block. Airgroup does not violate security policy but ensures that users who would not normally see Bonjour devices across subnets will then be able to. If you have port UDP 5353 blocked, they will not be able to see regardless.

 

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
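
Added example, not part of either post above and not Aruba code: a small Python parser for mDNS (Bonjour, UDP 5353) payloads that an administrator can run over traffic captured on the guest VLAN to confirm whether AirPlay advertisements actually reach guests under the current firewall policy. The service name `_airplay._tcp.local`, the instance name and the sample response are constructed for illustration.

```python
import struct

SERVICE = "_airplay._tcp.local"  # assumed service type for the Apple TV boxes

def encode_name(name):
    """Encode a dotted DNS name as length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_ptr_query(service=SERVICE):
    """mDNS question: 'which instances of this service exist?' (PTR, class IN)."""
    header = struct.pack("!6H", 0, 0, 1, 0, 0, 0)  # id 0, flags 0, one question
    return header + encode_name(service) + struct.pack("!2H", 12, 1)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:          # compression pointer
            end = end or off + 2             # resume after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                    # malformed packet: pointer loop
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end or off)
        labels.append(msg[off:off + length].decode("utf-8", "replace"))
        off += length

def ptr_instances(msg, service=SERVICE):
    """List service instances advertised for `service` in one mDNS payload."""
    qd, an = struct.unpack("!2H", msg[4:8])
    off = 12
    for _ in range(qd):                      # skip the question section
        off = read_name(msg, off)[1] + 4
    found = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10
        if rtype == 12 and name.lower() == service:
            found.append(read_name(msg, off)[0])
        off += rdlen
    return found

# Constructed sample: a response advertising one (made-up) Apple TV instance.
SAMPLE_RESPONSE = (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + encode_name(SERVICE)
                   + struct.pack("!2HIH", 12, 1, 120, 18)
                   + bytes([15]) + b"Conf Room 1 ATV" + b"\xc0\x0c")
```

An empty result from `ptr_instances` for every UDP 5353 payload captured on the guest VLAN means guests cannot discover the Apple TV, whether or not AirGroup is enabled for that VLAN.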