12-01-2014 01:15 PM
I have a 1 master / 2 local architecture with controllers in 18.104.22.168. All the WLANs are in tunnel mode.
My needs seem very basic:
- One of my VLAN / WLAN is dedicated to wired and wireless printers (for regular computers),
- Another VLAN / WLAN is dedicated to internal iPhone and iPad (last iOS versions),
- I would like to use Airgroup to make iPhone/iPad print on 2 wireless printers...
- I would like to deploy AppleTVs within the VLAN of iPhone / iPad
- I don't want the other VLAN / WLAN to receive the Bonjour announce.
I did read that (please correct me if I'm wrong :) )
- Airgroup is involved only for the search and answer steps... then it's regular unicast flow (and so through the default gateway...),
- Bonjour is multicast DNS so I need to check on the concerned VLANs that multicast packets are not dropped,
- If I deploy AppleTV in the same VLANs of iPhone/iPad, I need to check that inter-user traffic is allowed
- Airgroup can be disallowed for specific VLANs,
- I need Clearpass to restrict AirGroup within an AP-Group.
So first problem about my printing needs:
- I try to set up Airgroup: the iPhone finds the printer and the flow is OK but other devices on "disallowed" VLANs can see the printer...
Second problem about AppleTV:
- Other devices can also see the AppleTV on "disallowed" VLANs,
- On iPhone, if Bluetooth is off, AirPlay doesn't appear... Does it mean that AppleTV and the iPhone have to be close to each other?
I can't find any resolved issues in the release notes about that kind of problem.
Thanks for your help.
12-01-2014 01:59 PM
03-18-2015 06:27 AM
We see the same issue of being able to discover Apple TVs from a disallowed vlan.
It is not via Bluetooth, as it works from a Windows Box (using AirParrot), or an OS X box with Bluetooth disabled.
In short, the Apple TV is connected to an allowed vlan.
Client device is connected to a disallowed vlan.
Client device can see the Apple TV.
I'm working with support on a resolution now.
04-23-2015 09:25 AM
I believe the disallow was only for Airgroup servers, not for clients.
We ended up setting a guest role for the users on our Public Wireless, and disallowing the mdns service to the guest role.
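Added example, not written by any poster in this thread: one way to check from a client on a "disallowed" VLAN whether Bonjour announcements still reach it is to parse the mDNS responses (UDP port 5353, group 224.0.0.251) seen there and list the advertised service types. The sample packet, the instance names and the default `blocked` list are constructed for illustration.

```python
import struct

def read_name(msg, off):
    """Decode a DNS name at off, following compression pointers."""
    labels, nxt, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # 2-byte compression pointer
            nxt = off + 2 if nxt is None else nxt
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 32:                     # malformed packet: pointer loop
                raise ValueError("compression loop")
        elif n == 0:                          # root label ends the name
            return ".".join(labels), (off + 1 if nxt is None else nxt)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("utf-8", "replace"))
            off += 1 + n

def advertised_services(msg):
    """Return {service type: {instance names}} from PTR records in one mDNS message."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, found = 12, {}
    for _ in range(qd):                       # skip the question section
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 12:                       # PTR: service type -> instance
            target, _ = read_name(msg, off)
            found.setdefault(owner, set()).add(target)
        off += rdlen
    return found

def leaked(msg, blocked=("_airplay._tcp.local", "_ipp._tcp.local")):
    """Service types visible in msg that should not be seen on this VLAN."""
    return sorted(s for s in advertised_services(msg) if s in blocked)

def _rr(owner, rdata):                        # constructed PTR record, class IN
    return owner + struct.pack("!HHIH", 12, 1, 4500, len(rdata)) + rdata

# Constructed sample response: one AirPlay and one IPP printer announcement.
SAMPLE = (struct.pack("!6H", 0, 0x8400, 0, 2, 0, 0)
          + _rr(b"\x08_airplay\x04_tcp\x05local\x00", b"\x0bLiving Room\xc0\x0c")
          + _rr(b"\x04_ipp\xc0\x15", b"\x07Printer\xc0\x39"))
```

Feed `leaked()` the UDP payloads captured on the client VLAN; an empty list for every packet means the listed service types are not reaching that VLAN.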