Contributor II

Airgroup with Clearpass

Hi all,

I am planning to install the code 6.3 to enable AirGroup.

We have 3 kinds of users in the network: domain users, onboarded BYODs and guests. I am allowing domain users to pass through the core network. I have dedicated one port directly to the core network to pass the traffic.

Onboarded devices and guests are completely isolated from the network, and they are assigned to one port which goes directly to the firewall (default gateway for BYODs and guests) and then the internet.

Now, I want domain users, BYODs and guests to access Bonjour devices, which I may place in the BYOD subnet. Will all three kinds of users be able to access the Bonjour devices, or do all three VLANs need to be able to communicate, I mean inter-VLAN routing? In the present situation, these three subnets can't reach each other.

Thanks

srikanth

Guru Elite

Re: Airgroup with Clearpass

All AirGroup does is proxy and re-advertise the requests. The actual media traffic is unicast so if the Android device is in one segment of the network and the chromecast in another, they will need to be able to reach each other.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Airgroup with Clearpass

So they should be able to reach each other.

So in my case, if I do routing between these 3 segments from the firewall, that would be fine, right?

Does NATing break AirGroup requests, or will it forward them?

Warm regards

srikanth

Guru Elite

Re: Airgroup with Clearpass

AirGroup does not work across NAT boundaries.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Airgroup with Clearpass

You mean to say I can't route from the firewall, or I shouldn't do NATing?

Guru Elite

Re: Airgroup with Clearpass

If you're doing NAT on the firewall, you should be all set. You just can't cross NAT boundaries.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Airgroup with Clearpass

I understood that AirGroup does proxy for user requests and unicast responses.

The AirGroup controller will discover all the devices providing Bonjour services.

If I am trying to find an Apple TV from an iPad where both are in different VLANs, AirGroup just receives the mDNS query (iPad) and the iPad will see the devices which are cached in the AirGroup table, or else it will re-advertise across all the VLANs on the controller as L3 multicast to discover the Bonjour devices.

Guru Elite

Re: Airgroup with Clearpass

At a high level, yes that's correct.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Airgroup with Clearpass

And will it re-advertise from the source IP (iPad) to 224.0.0.251?

So the controller re-advertises across the VLANs, gets mDNS responses for the mDNS queries, converts them to unicast mDNS responses and directs them to the user who initiated the mDNS query.

So in that case there is no inter-VLAN routing happening. The controller is just receiving mDNS responses/queries and forwarding them to the user?

Guru Elite

Re: Airgroup with Clearpass

The controller actively searches for mDNS and SSDP services and/or listens for advertisements. The controller receives the advertisements and then based on rules and roles, the controller will send a new advertisement out the user VLAN.

The user subnet needs to be routable to the media server as the actual media transmission is unicast.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480