
6.1.3.6-Airgroup HOWTO: Limit Airplay per vlan pool

  • 1.  6.1.3.6-Airgroup HOWTO: Limit Airplay per vlan pool

    Posted Aug 29, 2013 09:38 AM

    All,

     

    I have several VLAN pools set up for schools around our district.  Is there a way to limit AirGroup to only show the Apple TVs in each VLAN pool?

     

    We have several VLANs in the pool, and right now we're running 2 SSIDs to the pool.  One for the Apple TVs, and one for the clients.  If they should happen to be set up on a different VLAN, then they are unable to communicate.  If I enable AirGroup, then they can (sometimes) see each other, but there are also ~130 other Apple TVs they see.  Some of the apps they're using (like Reflector and AirParrot) only show partial lists, as well as the built-in AirPlay in OS 10.8.4.

     

    We are trying to do this without Clearpass.

     

    Is there a way to set up an Access List on the controller to accomplish this?

     

    Any assistance would be appreciated!!!

     

    Thanks!



  • 2.  RE: 6.1.3.6-Airgroup HOWTO: Limit Airplay per vlan pool

    EMPLOYEE
    Posted Sep 02, 2013 09:01 AM

    Yes you can:

     

    (192.168.1.32) #  show airgroup vlan 
    
    VLAN Table
    ----------
    Vlan-Id  IP-Address     IPv6-Address  Status
    -------  ----------     ------------  ------
    1        192.168.1.3    ::/0          Allowed
    2        0.0.0.0        ::/0          Allowed
    1000     1.1.1.1        ::/0          Allowed
    1500     192.168.2.200  ::/0          Allowed
    default  169.254.53.53  N/A           Allowed
    Num Vlans:5
    
    (192.168.1.32) #configure t
    Enter Configuration commands, one per line. End with CNTL/Z
    
    (192.168.1.32) (config) #airgroup?
    airgroup                AirGroup information
    airgroupservice         Configure AirGroupService
    
    (192.168.1.32) (config) #airgroup vlan ?
    NUMBER                  VLAN 1..4094
    
    (192.168.1.32) (config) #airgroup vlan 30 ?
    allow                   allow VLAN
    disallow                disallow VLAN
    
    (192.168.1.32) (config) #airgroup vlan 30 disallow

     You can also block port 5353 (bonjour) on subnets in any user role where you don't want them to discover bonjour devices.
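
    An added example, not part of the original post: a Python sketch that parses the `show airgroup vlan` table shown above and emits the `airgroup vlan N allow|disallow` commands needed to match an intended allow-list. The function names and the allow-list are hypothetical, any status other than "Allowed" is assumed to mean the VLAN is disallowed, and the setting is controller-wide, so it does not create per-site groups.

```python
import re

# Constructed sample: the `show airgroup vlan` table as printed in the post above.
SAMPLE_OUTPUT = """\
VLAN Table
----------
Vlan-Id  IP-Address     IPv6-Address  Status
-------  ----------     ------------  ------
1        192.168.1.3    ::/0          Allowed
2        0.0.0.0        ::/0          Allowed
1000     1.1.1.1        ::/0          Allowed
1500     192.168.2.200  ::/0          Allowed
default  169.254.53.53  N/A           Allowed
Num Vlans:5
"""

# A data row starts with a VLAN number or the literal "default"; headers,
# separator lines and the "Num Vlans" footer do not match.
ROW = re.compile(r"^\s*(\d+|default)\s+(\S+)\s+(\S+)\s+(\w+)\s*$")


def parse_airgroup_vlans(text):
    """Return {vlan_id: status}; the 'default' row keeps the string key 'default'."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vid = m.group(1)
            table[int(vid) if vid.isdigit() else vid] = m.group(4)
    return table


def plan_changes(table, intended):
    """Return (commands, missing) for a hypothetical set of VLANs meant to use AirGroup."""
    cmds = []
    for vlan in sorted(v for v in table if isinstance(v, int)):
        # Assumption: any status other than "Allowed" means the VLAN is disallowed.
        allowed = table[vlan].lower() == "allowed"
        if allowed and vlan not in intended:
            cmds.append(f"airgroup vlan {vlan} disallow")
        elif not allowed and vlan in intended:
            cmds.append(f"airgroup vlan {vlan} allow")
    # Intended VLANs the controller does not list at all need manual review.
    missing = sorted(set(intended) - set(table))
    return cmds, missing


if __name__ == "__main__":
    commands, missing = plan_changes(parse_airgroup_vlans(SAMPLE_OUTPUT), {1, 1500, 30})
    print("\n".join(commands))
    print("not present on controller:", missing)
```
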

     



  • 3.  RE: 6.1.3.6-Airgroup HOWTO: Limit Airplay per vlan pool

    Posted Sep 02, 2013 07:14 PM

    Can you do this to separate AirGroup Groups?  We have about 60 locations I'd like to separate out so that they only see the devices at the location they are at.  Like have an ACL which says something like "These 3 VLANs accept Bonjour traffic, but accept no Bonjour traffic from other VLANs".

     

     

    It's nice to be able to limit which VLANs participate in AirGroup; I'm just trying to take it one step further.

     

    Thanks for the assistance!!!



  • 4.  RE: 6.1.3.6-Airgroup HOWTO: Limit Airplay per vlan pool

    EMPLOYEE
    Posted Sep 02, 2013 09:26 PM

    You cannot have separate Airgroup Groups without ClearPass.  ArubaOS 6.3.0.1 also has improvements to Airgroup over the technology release 6.1.3.6-Airgroup and as soon as you have tested it in your lab, you should be targeting 6.3.1.0 for Airgroup control.

     

    The only way to have different users see different devices is to define each user at a site a role name and block traffic using session ACLs in the role to any location you don't want them to discover devices.

     

    Since Airgroup and what it can do is new, how do you do this now without Airgroup?



  • 5.  RE: 6.1.3.6-Airgroup HOWTO: Limit Airplay per vlan pool

    Posted Sep 03, 2013 09:04 AM

    Right now, we have AirGroup disabled.  The users can only see the Apple TV in their area if they should get on the same VLAN as the Apple TV.  We've tried turning AirGroup on, but it does not show all of the Apple TVs, only a subset.  We have around 200 Apple TVs on, and it only shows around 40 (oftentimes not the Apple TV you're looking for in the list).

     

     

    We are targeting 6.3.1.0 for a number of reasons, and are waiting for a production release.  Any idea when that may be out?

     

     

    I thought there may be a way to set up the ACL within the controller to limit port 5353.  Can you only do this with different user roles instead of different subnets?

     

    Is the Airgroup 'sharing' between subnets done on the controller, or does it repackage the content and send it through the default gateway?  I don't fully understand how it works.

     

    Thanks again!

     

     

     

     



  • 6.  RE: 6.1.3.6-Airgroup HOWTO: Limit Airplay per vlan pool
    Best Answer

    Posted Sep 06, 2013 02:27 PM

    Just got off the phone with Support.  This is not possible without ClearPass.  Also, if you have more than 30 Apple TVs, iOS devices will not always see them all.  If you have more than 60 Apple TVs, OS X devices will not always see them all.

     

    The solution looks like getting ClearPass if you want to do this.