Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Multicast, IGMP Snooping, BCMC Optimization, etc

  • 1.  Multicast, IGMP Snooping, BCMC Optimization, etc

    Posted May 02, 2016 05:17 PM

    I've been attempting to get a grasp of all the multicast configurations that are available on our controllers and the behavior each one causes. I'm getting there slowly after reviewing the Roaming VRD ("chatty protocols") and other Airheads posts. Wanted to check if I'm on the right track with each setting.

    • Enable BCMC Optimization (VLAN Level) - Drops Broadcast/Multicast traffic originating from wireless clients to wired network - vice-versa. Applied at Control Plane level before any ACLs. Configured for locations where multicast is not needed?
    • IGMP Snooping/Proxy and AirGroup - This one I'm struggling a bit on. I know IGMP Snooping is required/implemented on our wired network for multicast between our VLANs. Does AirGroup serve as a replacement/alternative to IGMP Snooping?
    • Drop Broadcast and Unknown Multicast (VAP Level) - From packet-captures can tell that the air isn't being flooded with multicast packets. Necessary for environments where some multicast users are necessary? Is this the situation where ACLs limiting "chatty protocols" would be required - or would this be handled by AirGroup?

    Currently we have "BCMC Optimization" disabled, Drop Broadcast/Unknown Multicast enabled, and AirGroup disabled due to our authentication server being hit with hundreds of AirGroup authentication requests, to the point that it started to affect the ability of students to authenticate to the wireless network. I'm curious if by disabling AirGroup - we're inadvertently causing a flood of traffic to the wired network?

     

    We've recently discovered that our uplink switch - a VSS - is being hammered by multicast originating from wireless clients - primarily - SSDP (239.255.255.250). I'm trying to understand the difference between Unknown Multicast and what's considered a "Subscribed" client - since this setting was originally Drop Broadcast and Multicast.

    Sorry if my questions are all over the place/odd, I've been more familiar with the multicast settings on our old Meru Controllers. Thank you.



  • 2.  RE: Multicast, IGMP Snooping, BCMC Optimization, etc
    Best Answer

    EMPLOYEE
    Posted May 02, 2016 07:40 PM

    Any multicast and broadcast will only be dropped in the direction going towards the wireless if any broadcast filtering is enabled.  Wired multicast and broadcast will always be propagated just like it should be on the wired network.  Enabling bcmc optimization at the VLAN level will make sure that all broadcasts except DHCP and ARP do not leak from the wired to the wireless.

     

    Very few applications depend on broadcasts or multicast.  The ones that do can be handled by AirGroup if they are mDNS or DLNA-based.  If they are not mDNS or DLNA-based and your multicast clients legitimately subscribe to a multicast group, those multicast streams will be allowed even though "drop broadcast and KNOWN multicast is enabled at the VAP level".

     

    As for your RADIUS server getting hammered by authentication when AirGroup is turned on: if you make sure the AirGroup server group is N/A, it will not hit your RADIUS server; it will be contained within the Aruba Controller.



  • 3.  RE: Multicast, IGMP Snooping, BCMC Optimization, etc

    Posted May 02, 2016 08:36 PM
    Thanks Colin,

    1. Stupid question, as it may be part of a standard, but do you have an explanation of this behavior? They were looking into preventing all multicast from the wireless to the wired side. "Wired multicast and broadcast will always be propagated just like it should be on the wired network."

    2. AirGroup Server Group (N/A) - This also intrigues me. AirGroup was in a "test phase" before I joined the team and has yet to be implemented - although the configuration remained for the ClearPass server (supported/maintained by another team). Since there isn't an authentication server specified - what is the behavior of clients and multicast traffic?

    Sorry, I'm new to the AirGroup service and have yet to get into the details behind it. As always, thanks for your time.



  • 4.  RE: Multicast, IGMP Snooping, BCMC Optimization, etc

    EMPLOYEE
    Posted May 02, 2016 09:06 PM

    1.  You cannot stop wired broadcasts from propagating on the layer 2 wired network.  Wireless-to-wired broadcasts just emulate this fact.

    2.  By default AirGroup will allow (1) users to see mDNS and DLNA devices that are not on their current layer 2 VLAN (2) an administrator to turn on "drop broadcasts and multicast" but still have users discover mDNS and DLNA devices.

     

    Pointing AirGroup at a CPPM server allows you to define granular policies about who can discover what mDNS and DLNA devices.  Not pointing allows everyone to see every mDNS and DLNA device, but you can also filter based on service or VLAN.
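
An added example, not part of the thread and not Aruba code: a small Python triage script for the situation in the first post, where an uplink sees heavy multicast from wireless clients. It ranks groups and top senders from flow records reduced from a capture, labels SSDP and mDNS, and derives the Ethernet group MAC to look for on the switch; the record layout, function names and sample addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# IANA-assigned groups relevant to the thread (SSDP is the discovery protocol DLNA uses).
KNOWN_GROUPS = {
    "239.255.255.250": "SSDP (UPnP/DLNA discovery)",
    "224.0.0.251": "mDNS",
    "224.0.0.252": "LLMNR",
}
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")  # never routed off the VLAN

def classify(dst):
    """Return (kind, label) for an IPv4 destination address."""
    ip = ipaddress.ip_address(dst)
    if dst == "255.255.255.255":
        return ("broadcast", "limited broadcast")
    if not ip.is_multicast:
        return ("unicast", "")
    kind = "link-local multicast" if ip in LINK_LOCAL else "routable multicast"
    return (kind, KNOWN_GROUPS.get(dst, "unlisted group"))

def group_mac(dst):
    """Ethernet destination for dst: 01:00:5e plus the low 23 bits of the group."""
    if dst == "255.255.255.255":
        return "ff:ff:ff:ff:ff:ff"
    low23 = int(ipaddress.ip_address(dst)) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return ":".join(f"{o:02x}" for o in octets)

def summarize(flows, top_n=2):
    """flows: (src_ip, dst_ip, packets). Returns rows sorted by packet count."""
    totals, senders = Counter(), defaultdict(Counter)
    for src, dst, pkts in flows:
        if classify(dst)[0] == "unicast":
            continue  # only broadcast/multicast is of interest here
        totals[dst] += pkts
        senders[dst][src] += pkts
    return [(dst, classify(dst)[1], group_mac(dst), total,
             senders[dst].most_common(top_n))
            for dst, total in totals.most_common()]

# Constructed sample records (client addresses are made up).
SAMPLE_FLOWS = [
    ("10.20.1.15", "239.255.255.250", 420), ("10.20.1.22", "239.255.255.250", 310),
    ("10.20.1.15", "224.0.0.251", 95), ("10.20.1.30", "255.255.255.255", 12),
    ("10.20.1.22", "10.20.0.1", 800), ("10.20.1.41", "239.255.255.250", 150),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_FLOWS):
        print(row)
```

Running it on a before/after capture pair shows whether a filtering change actually reduced the SSDP share reaching the wired side.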