Wireless Access

We are trying to master the use of Airgroup on the controller and it seems like there isn't a whole ton of options. However, I was wondering if anybody has figured out (Without Clearpass) how to limit the list that gets brought up on the IPad.  I don't want to get as granual as per person but I was thinking more like per ap group or per vlan or something like that.  Has anybody done anything like this?  Is it even possible?

You can block services via role:

config t
airgroupservice airplay
disallow-role Students

That will block anyone in the Students role from seeing any Airplay devices.

Can it be done per VLAN rather than per role?

It would be nice to limit users to seeing Airplay devices in their building.

Thanks,

Brad

There is an option for that.

To disallow a VLAN:

airgroupservice airplay

   disallow-vlan <id>

To cofirm:

show airgroupservice

show airgroup vlan

I'm not looking to disallow AirGroup, I'm looking to isolate it by building.

Brad

Sorry, thought you asked how to do it by VLAN?  How are you differentiating your buildings?  Roles?  VLANs?   AP Groups?

It would be nice if you can do it per Ap-group land vlan. However, if somehow we can't figure out how to do it with one of them that would work.

Example would be-

ipad connects to ap group ms. It sees list apple devices only in the ms ap group and/or certain vlan. 

Then ipad connects to app in HS group and that iPad only sees ones in the Hs ap group and/or a certain vlan. 

Make sense?

i believe this is already possible with an airgroup intergrated setup, you can do something with the AP group and vlan if im not mistaken.

I am trying to deploy an almost identical Airgroup scenario.

I have roughly 150 schools, each of which has a unique AP-Group and vlan pool.

We would like to be able to enable AirPlay but we need to keep the visable devices in each school limited only to those which are in the same vlan pool.  In other words keep the iPad in school "A" from playing to the AppleTV in school "B"  Is there a way to accomplish this without the benefits of having Clearpass?

I should point out that I was planning on using an overlay controller in my test deployment.

Thanks in advance.

Why don't you just block the bonjour protocol at the border of each school using your layer-3 switch?  If you have not built it yet, it looks like you have to schedule a design session with your Aruba SE to determine the best way to do what you require.  There are potentially alot of moving parts in what you are proposing.

You may be onto something there. Something I had not considered.

You are correct about the large number of moving parts, but all of my user VLANs are terminated back here at the data centre and all on the same core switch.

I will have to discuss the possibility of blocking Bonjour on a per site basis with my collegue at the next desk.

Thanks for the ah-ha! moment.

/Terry

Have you found a solution for this yet?

We are a school district running into the same issue.

We terminate all the AP's back at the data center.  We have Vlan Pools setup for each school.  Right now, all the schools can see each others ATV's.  Is there a way to limit this from the controller?

edit - I've created a new thread on this.

Any update on this for 6.3.0.1?

Would be nice if there is an idea on how to limit bonjour per building or AP group without ClearPass.

Thanks