Wireless Access


wired appletv gen2 on vlan x, wireless user on vlan x why do I need to uncheck drop broadcast...

  • 1.  wired appletv gen2 on vlan x, wireless user on vlan x why do I need to uncheck drop broadcast...

    Posted Jun 01, 2017 02:25 PM

    If AIRGROUP is Enabled.....

     

    Not much experience with AppleTVs and AirGroup here, so I apologize. I have been attempting to test this scenario:

     

    * Wired AppleTV is in VLAN X

    * Wireless Macbook Air is connected via 802.1x and is put on VLAN X

    DHCP server is a Firewall

    Firewall -> Switch -> Controller -> APs
                  |                      |
               Apple TV                MAC OS

    So trying to get this to work with drop broadcast and unknown multicast enabled and Airgroup enabled.

    It won't let me discover it

     

    If I disable Airgroup and uncheck drop broadcast and unknown multicast. I can discover it and mirror as we are in the same vlan.

     

    TAC is telling me that I have to have drop broadcast and unknown multicast unchecked along with Airgroup disabled for this to work.

     

    Isn't there another way?



  • 2.  RE: wired appletv gen2 on vlan x, wireless user on vlan x why do I need to uncheck drop broadcast...

    EMPLOYEE
    Posted Jun 05, 2017 02:56 AM

    This is a flat VLAN setup. The MacBook should discover the AppleTV with AirGroup enabled even if the broadcast filter is on.

    Not sure what TAC's findings were. Do you have the case number?

     

     



  • 3.  RE: wired appletv gen2 on vlan x, wireless user on vlan x why do I need to uncheck drop broadcast...

    Posted Jun 05, 2017 09:29 AM

    Correct, that is my assumption. TAC told me, sorry, I have to have it disabled, which I did not agree with, obviously.

    AOS code 6.5.1.3

    I do have a case number.

    With Airgroup on, regardless of whether the broadcast filter is on or not, it will not discover the Apple TV.



  • 4.  RE: wired appletv gen2 on vlan x, wireless user on vlan x why do I need to uncheck drop broadcast...

    Posted Jun 05, 2017 02:10 PM

    When Airgroup and drop MC/BC are on.

    I see the following:

    172.30.207.3    224.0.0.251     17   5353  5353   0/0     0    0   0   tunnel 17   1    2          154        FCI

    (CDPQ-CTRL-1-LAB) #show airgroup servers

    AirGroup Servers
    ----------------
    MAC                IP            Type  Host Name               Service  VLAN  Wired/Wireless  Role         Group  Username    AP-Name
    ---                --            ----  ---------               -------  ----  --------------  ----         -----  --------    -------
    xx:xx:xx:xx:xx:e7 172.30.207.2  mDNS  Apple-TV-2              airplay  207   N/A
    xy:xy:xy:xy:xy:xy  172.30.207.3  mDNS  Datavalets-MacBook-Air  itunes   207   wireless        role_iNovia         testinovia  xz:xy:xy:xy:xy:xz
    Num Servers: 2.

    (CDPQ-CTRL-1-LAB) #show airgroup users

    AirGroup Users
    --------------
    MAC  IP  Type  Host Name  VLAN  Role  Group  Username  AP-Name
    ---  --  ----  ---------  ----  ----  -----  --------  -------
    Num Users: 0.

    (CDPQ-CTRL-1-LAB) #

    No airgroup user but my macbook falls in the airgroup server...

    (CDPQ-CTRL-1-LAB) #show airgroup policy-entries

    AirGroup Device Policy Information
    ----------------------------------
    Device             device-owner  shared location-id AP-name  shared location-id AP-FQLN  shared location-id AP-group  shared user-list  shared group-list  shared role-list  CPPM-Req  CPPM-Resp  source  Auto-Associate  Neighborhood
    ------             ------------  --------------------------  --------------------------  ---------------------------  ----------------  -----------------  ----------------  --------  ---------  ------  --------------  ------------
    xx:xx:xx:xx:xx:e7  N/A                                                                   eCDPQ-dot1x                                                       role_inovia                            CLI                     Yes
    yy:yy:yy:yy:yy:yy  N/A                                                                   eCDPQ-dot1x                                                       role_iNovia                            CLI     AP-Group        Yes
    Num Policy Entries:2

    (CDPQ-CTRL-1-LAB) #

    # e7 is the apple tv



  • 5.  RE: wired appletv gen2 on vlan x, wireless user on vlan x why do I need to uncheck drop broadcast...

    Posted Jun 05, 2017 02:51 PM

    With AirGroup and drop MC/BC enabled now, I discovered that the role it was associated to was incorrect. I corrected it and it could now see it.
    I also disabled auto-association to AP-group in the AirPlay service.


    I can connect now, but staying connected is another story (I have a low signal to my AP, so that could be it).

    I can now AirPlay, which means in this case TAC was incorrect. I will let them know.

    EDIT: My Mac discovers the AppleTV but mirroring does not work. The screen on my Mac changes (looks like it is mirroring it) but when looking at the monitor, it does not mirror, and my Mac will then tell me after 30 sec that it cannot connect to it.

    I will now troubleshoot why it does not work in my production environment but works in lab.



  • 6.  RE: wired appletv gen2 on vlan x, wireless user on vlan x why do I need to uncheck drop broadcast...

    EMPLOYEE
    Posted Jun 05, 2017 06:56 PM

    Hi Pasquale,

     

    1. MacBook falling under AirGroup servers may cause some issues. It is acting as an iTunes server. That is not a problem, but expected when you have iTunes configured to work as a server. Turn off iTunes.

    2. From the output of "show airgroup policy-entries", I can see you've configured location-based sharing. It needs location-based discovery to be enabled. To keep configuration simple for testing, keep CPPM enforcement and location discovery disabled if they are already enabled.

    Finally, you got discovery working. If streaming alone is the problem, there could be settings like "deny inter user traffic, deny inter user bridging" blocking the streaming, or the ports required for AirPlay are not allowed.

     

    Though the discovery works by multicast, streaming would be unicast between the macbook and AppleTV. Check "show datapath session table <apple-tv-ip> | include <macbook-ip>" to see if there is any deny. 

     

     



  • 7.  RE: wired appletv gen2 on vlan x, wireless user on vlan x why do I need to uncheck drop broadcast...

    Posted Jun 06, 2017 09:39 AM

    Hi Raj,

    I removed the policies and CPPM enforcement was already disabled.

    Deny inter-user bridging and traffic is not enabled globally. Deny inter-user traffic is not enabled on the VAP.

    I do see a deny as soon as I attempt to connect.

    .2 is the AppleTV and .3 is my Macbook

    172.30.207.2    172.30.207.3    17   52160 64035  0/0     0    0   0   0/0/0       0    0          0          FDYCA

     

    Then it looks like

    (CDPQ-CTRL-1-LAB) #show datapath session table 172.30.207.2 | include 172.30.207.3
    172.30.207.3    172.30.207.2    6    60838 49908  0/0     0    0   1   tunnel 17   1    2          116        CA
    172.30.207.3    172.30.207.2    6    60837 7000   0/0     0    0   0   tunnel 17   2    30         6939       C
    172.30.207.2    172.30.207.3    6    7000  60837  0/0     0    0   0   tunnel 17   2    29         5987
    172.30.207.2    172.30.207.3    6    49908 60838  0/0     0    0   0   tunnel 17   1    2          116        A
    172.30.207.2    172.30.207.3    17   52160 64035  0/0     0    48  0   0/0/0       0    2          120        FDC

     

    I had BC/MC Rate Optimization enabled on the SSID. I disabled that, same result. It is not enabled on the VLAN either.

     

    My user role rights are as follows:

    Priority  Source  Destination    Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------    -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any            udp 68                 deny                             Low                                                           4
    2         any     any            svc-dhcp               permit                           Low                                                           4
    3         user    DVDNS          svc-dns                permit                           Low                                                           4
    4         user    iNovia_subnet  any                    permit                           Low                                                           4
    5         user    private_range  any                    deny                             Low                                                           4
    6         user    any            any                    permit                           Low                                                           4
    
    Where iNovia_subnet is 
    network  172.30.207.0   255.255.255.0

    Even if I put authenticated as the user role, it is the same story.

    The deny is going from the AppleTV to the MacBook; the MacBook firewall is disabled.
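The check suggested in post 6, written as a small parser over the session rows quoted above (an added example, not part of the original posts). It treats `D` in the Flags column as the deny flag the thread refers to and assumes the column order shown in the thread's AOS 6.5.1.3 output.

```python
import re

# Rows copied from the "show datapath session table" output quoted in the thread,
# including the CLI prompt line, which the parser must skip.
SAMPLE = """\
(CDPQ-CTRL-1-LAB) #show datapath session table 172.30.207.2 | include 172.30.207.3
172.30.207.3    172.30.207.2    6    60838 49908  0/0     0    0   1   tunnel 17   1    2          116        CA
172.30.207.3    172.30.207.2    6    60837 7000   0/0     0    0   0   tunnel 17   2    30         6939       C
172.30.207.2    172.30.207.3    6    7000  60837  0/0     0    0   0   tunnel 17   2    29         5987
172.30.207.2    172.30.207.3    6    49908 60838  0/0     0    0   0   tunnel 17   1    2          116        A
172.30.207.2    172.30.207.3    17   52160 64035  0/0     0    48  0   0/0/0       0    2          120        FDC
"""

IP = r"(\d+(?:\.\d+){3})"
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+(\d+)\s+(\d+)\s+(\d+)\s*(.*)$")

def parse_sessions(text):
    """Return one dict per session row; prompts and headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        src, dst, proto, sport, dport, rest = m.groups()
        tail = rest.split()
        # Flags are the last column and may be empty (third row above), and the
        # Destination column is one or two tokens ("0/0/0" vs "tunnel 17"), so
        # take the final token only when it is purely alphabetic.
        flags = tail[-1] if tail and tail[-1].isalpha() else ""
        rows.append({"src": src, "dst": dst, "proto": int(proto),
                     "sport": int(sport), "dport": int(dport), "flags": flags})
    return rows

def denied_flows(text):
    """Sessions carrying the D (deny) flag, i.e. dropped by the role's ACL."""
    return [r for r in parse_sessions(text) if "D" in r["flags"]]

if __name__ == "__main__":
    for r in denied_flows(SAMPLE):
        print(f'DENY {r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} '
              f'proto {r["proto"]} flags {r["flags"]}')
```

On the thread's rows this reports a single denied flow: UDP from the AppleTV (.2) port 52160 to the MacBook (.3) port 64035.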

     

     



  • 8.  RE: wired appletv gen2 on vlan x, wireless user on vlan x why do I need to uncheck drop broadcast...
    Best Answer

    EMPLOYEE
    Posted Jun 06, 2017 11:17 AM

    Hi Pasquale, 

     

    The problem is with the ACLs, mainly the ACLs that have the source as "user". 

     

    If all the sessions are initiated by the macbook to AppleTV, that ACL would work. But in case of AirPlay mirroring, there are some sessions initiated by Macbook-->AppleTV and some sessions initiated by AppleTV-->Macbook. This is also the reason why AirPlay doesn't support NAT. 

     

    So the "user any any permit" statement will allow the session from Macbook-->AppleTV, but will not allow the new session created from AppleTV-->Macbook. 

     

    You need to have "any any any permit" for AirPlay to work. 

     

    The specific and dynamic ranges of ports used by AirPlay are at https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-are-the-port-based-recommendations-for-Airplay-and-Airprint/ta-p/184424
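The ACL behaviour described in this answer, as a simplified first-match model of the role posted in post 7 (an added example, not part of the original posts and not ArubaOS code). Assumptions: `user` matches only the client's own IP, unmatched traffic is denied, `private_range` is RFC 1918, `DVDNS` is a placeholder address, and the "any any any permit" rule is appended last.

```python
from ipaddress import ip_address, ip_network

CLIENT = ip_address("172.30.207.3")    # MacBook holding the role (from the thread)
APPLE_TV = ip_address("172.30.207.2")  # wired AppleTV (from the thread)

ALIASES = {
    "any": [ip_network("0.0.0.0/0")],
    "iNovia_subnet": [ip_network("172.30.207.0/24")],   # defined in the thread
    "private_range": [ip_network(n) for n in            # assumed: RFC 1918
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "DVDNS": [ip_network("192.0.2.53/32")],             # placeholder, not in the thread
}
# service name -> (protocol, low port, high port); None matches everything
SERVICES = {"any": None, "udp 68": (17, 68, 68),
            "svc-dhcp": (17, 67, 68), "svc-dns": (17, 53, 53)}

ROLE = [  # (source, destination, service, action), in the thread's priority order
    ("user", "any", "udp 68", "deny"),
    ("any", "any", "svc-dhcp", "permit"),
    ("user", "DVDNS", "svc-dns", "permit"),
    ("user", "iNovia_subnet", "any", "permit"),
    ("user", "private_range", "any", "deny"),
    ("user", "any", "any", "permit"),
]
FIXED = ROLE + [("any", "any", "any", "permit")]  # position is an assumption

def addr_match(alias, ip, client):
    # "user" is not a subnet: it stands for the client that holds the role.
    if alias == "user":
        return ip == client
    return any(ip in net for net in ALIASES[alias])

def svc_match(name, proto, dport):
    svc = SERVICES[name]
    return svc is None or (proto == svc[0] and svc[1] <= dport <= svc[2])

def evaluate(rules, client, src, dst, proto, dport):
    """Return (priority, action) of the first matching rule, else (None, 'deny')."""
    for prio, (s, d, svc, action) in enumerate(rules, 1):
        if addr_match(s, src, client) and addr_match(d, dst, client) \
                and svc_match(svc, proto, dport):
            return prio, action
    return None, "deny"

if __name__ == "__main__":
    print(evaluate(ROLE, CLIENT, CLIENT, APPLE_TV, 6, 7000))     # MacBook -> AppleTV
    print(evaluate(ROLE, CLIENT, APPLE_TV, CLIENT, 17, 64035))   # AppleTV -> MacBook
    print(evaluate(FIXED, CLIENT, APPLE_TV, CLIENT, 17, 64035))  # with the added rule
```

The MacBook-initiated TCP 7000 session matches the `user iNovia_subnet any permit` rule, while the AppleTV-initiated UDP session has a source that is not `user` and falls through every rule until "any any any permit" is present.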

     

     

     



  • 9.  RE: wired appletv gen2 on vlan x, wireless user on vlan x why do I need to uncheck drop broadcast...

    Posted Jun 06, 2017 11:51 AM
    Yup, that did it... wow.
    Thanks again for your help.

    I will go back to TAC and explain how it works and let the agent know they were incorrect and how I solved it with your help (I'll include the post).