Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Airgroup Disallowed On Certain VLANs

  • 1.  Airgroup Disallowed On Certain VLANs

    Posted Oct 07, 2019 12:32 PM

    AirGroup is enabled in Centralised mode on 8.3.0.5. Now things need to be tweaked and my understanding of how things work is a bit lacking.

    When AirGroup was enabled with default-airplay, default-dial, and default-googlecast, servers became visible across VLANs. But some of these VLANs are DMZs and shouldn't be visible outside their VLAN. These services were disallowed on DMZ VLANs, which appears to hide them. But disallowing these services may have broken things on the DMZ VLANs, as we are starting to get reports of users not being able to see things.

    I would hope that by disallowing AirGroup services on a VLAN, it would be treated as if AirGroup wasn't enabled. Does disallowing AirGroup services on a VLAN just stop the gateway features, or does it also disable AirGroup services on that VLAN?

    Thanks,



  • 2.  RE: Airgroup Disallowed On Certain VLANs

    EMPLOYEE
    Posted Oct 08, 2019 04:58 AM

    Disallowing services / VLANs / roles will prevent Airgroup from learning (for servers) or proxying (for users) services.

    The Airgroup section in the ArubaOS User Guide is actually quite extensive. What also may help is to check the Airgroup blocked-queries:

    (MM) [mynode] #show airgroup blocked-queries
    
    AirGroup dropped Query IDs
    --------------------------
    Service ID                                           #query-hits  Thread Num
    ----------                                           -----------  ----------
    uuid:7076436f-6e65-1063-8074-0090a9b07edc            17           1
    uuid:55076f6e-6b79-4d65-6436-0090a93dc05c            17           1
    uuid:73656761-7465-7375-636b-0090a9b07edc            17           1
    urn:schemas-upnp-org:service:WANPPPConnection:1      394          1
    uuid:7031fdaa-8058-4886-b2e7-d7e3fe658dea            17           1
    urn:schemas-upnp-org:service:WANIPConnection:1       396          1
    uuid:73656761-7465-7375-636b-0090a93dc05c            17           1
    uuid:7a88e66f-f243-4764-a2d6-070162de8d20            17           1
    uuid:d0843402-4016-4671-842f-b3ec23be1a53            17           1
    urn:schemas-upnp-org:device:MediaServer:1            4            1
    urn:dial-multiscreen-org:service:dial:1              7352         1
    uuid:4D454930-0100-1000-8001-CC7EE7716A21            17           1
    urn:schemas-upnp-org:device:InternetGatewayDevice:1  2039         1
    urn:mdx-netflix-com:service:target:0                 6            2
    _fb._tcp                                             44           2
    _companion-link._tcp                                 1937         2
    ....

    As well, you can check the servers and users (including VLAN/role) before you start blocking to find out what is actually used:

    (MM) [mynode] #show airgroup servers /md/ArubaLAB
    
    Showing AirGroup servers under /md/ArubaLAB
    
    AirGroup Servers
    ----------------
    MAC                IP             Type  Host Name  Service             VLAN  Wired/Wireless  Role  Group  Username  AP-Name
    ---                --             ----  ---------  -------             ----  --------------  ----  -----  --------  -------
    00:1e:06:33:a7:52  192.168.12.12  mDNS  kodi       default-remotemgmt  12    N/A
                                                       default-airplay
    Num Servers: 1.
    (MM) [mynode] #show airgroup users /md/ArubaLAB
    
    Showing AirGroup users under /md/ArubaLAB
    
    AirGroup Users
    --------------
    MAC                IP              Type       Host Name       VLAN  Wired/Wireless  Role          Group  Username        AP-Name
    ---                --              ----       ---------       ----  --------------  ----          -----  --------        -------
    b8:27:eb:aa:f4:72  192.168.13.203  mDNS       pi03            13    wireless        iot-rpi              pi03            NLPD-AP215-1IKL-e0:0e
    ....
    Num Users: 9.
    (MM) [mynode] #

    For centralized mode, you will run the command on the MM.

    Aruba Support should be able to assist you as well to get this tuned.
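
An added example (not part of the original posts and not Aruba code): a parser for the `show airgroup servers` table shown above that groups learned services by VLAN and lists servers AirGroup still has on VLANs treated as DMZ. The `lobby-tv` row, VLAN 50 and the `DMZ_VLANS` set are constructed assumptions.

```python
import re
from collections import defaultdict

# Sample input: header and first server follow the output in the post;
# the lobby-tv row on VLAN 50 is constructed for illustration.
SAMPLE = """\
MAC                IP             Type  Host Name  Service             VLAN  Wired/Wireless  Role  Group  Username  AP-Name
---                --             ----  ---------  -------             ----  --------------  ----  -----  --------  -------
00:1e:06:33:a7:52  192.168.12.12  mDNS  kodi       default-remotemgmt  12    N/A
                                                   default-airplay
02:00:00:00:00:01  192.168.50.20  mDNS  lobby-tv   default-googlecast  50    N/A
Num Servers: 2.
"""
DMZ_VLANS = {50}  # assumption: VLAN IDs that must stay invisible elsewhere

def parse_servers(text):
    """Parse the fixed-width AirGroup server table into a list of dicts."""
    lines = text.splitlines()
    hdr = next(i for i, l in enumerate(lines[:-1])
               if l.startswith("MAC") and lines[i + 1].startswith("---"))
    # Column boundaries come from the runs of dashes under the header.
    starts = [m.start() for m in re.finditer(r"-+", lines[hdr + 1])]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [lines[hdr][a:b].strip() for a, b in bounds]
    servers = []
    for line in lines[hdr + 2:]:
        if not line.strip() or line.startswith("Num Servers"):
            break
        row = {n: line[a:b].strip() for n, (a, b) in zip(names, bounds)}
        if row["MAC"]:
            row["Service"] = [row["Service"]]
            servers.append(row)
        elif servers:
            # Continuation line: one more service for the previous server.
            servers[-1]["Service"].append(line.strip())
    return servers

def services_by_vlan(servers):
    """Map VLAN ID -> set of services AirGroup has learned there."""
    out = defaultdict(set)
    for s in servers:
        out[int(s["VLAN"])].update(s["Service"])
    return dict(out)

def dmz_servers(servers, dmz_vlans=DMZ_VLANS):
    """Servers still listed by AirGroup on VLANs treated as DMZ."""
    return [(s["Host Name"], int(s["VLAN"]), sorted(s["Service"]))
            for s in servers if int(s["VLAN"]) in dmz_vlans]
```

Comparing `services_by_vlan` output from before and after a disallow change shows which VLANs actually lost services, which helps when users on a DMZ VLAN report that devices have disappeared.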



  • 3.  RE: Airgroup Disallowed On Certain VLANs

    Posted Oct 15, 2019 10:15 AM

    Thanks for your response Herman. I've read the user guide on it. I'll read it again after working with this a bit to see if things make more sense.

    You said, "Disallowing services / VLANs / roles will prevent Airgroup from learning (for servers) or proxying (for users) services." Does the AirGroup profile affect the VLANs where AirGroup is disabled? It seems that it does.

    So show airgroup servers shows the services a device is using? I've been doing packet captures to try to determine that.

    Thanks,

    Robert