WLC blocking bonjour traffic

Started by dlots, January 08, 2016, 09:42:15 AM


dlots

My WLC is blocking bonjour traffic (224.0.0.251) on the same vlan/SSID I have

Enabled mDNS with the default profile
Enabled mDNS global snooping and Global multicast mode in the controller
Added everything to the Master Services Database
Enabled mDNS snooping under the WLAN profile

Y'all know of anything else I need to do?

Under monitor/multicast I never see IPs show up.

deanwebb

Maybe it's just had enough of that bonjour nonsense and wants your Apples to use a proper protocol.

How about DNS-SD? Is that running? Ironic link with info on that: http://scottiestech.info/2015/05/14/how-to-block-apple-bonjour-on-your-local-network/

Cisco talks about *enabling* bonjour here: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_Bonjour.html Does that help?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

dlots

Yeah, that's the same general config guide I was going through already.

Sadly we are doing this for custom programming work: that's right, our developers chose to use bonjour for file transfer rather than FTP or some other normal protocol. It's going to cost us tens of thousands of dollars as we have to buy high end gear and place it in customer locations rather than just open FTP ports on our firewalls to the internet.

deanwebb

Make the developers pay for it out of their budget.

Three minutes later, your phone will ring, asking for a cost estimate about an FTP solution.

dlots

We tried to get them to change, they basically said "Fuck you, we aren't changing or supporting anything". This is one of the reasons we are using a Windows 8 box to be the update server, and as long as there is no support for not doing "stupid shit" from their bosses there isn't much we can do but try and make it work.

deanwebb

Sounds like a war could break out over this issue... you'll need to take this up with TAC, and they'll either fix it, RMA the defective box, or give it to you in writing that what you're doing won't work. Any one of those would be invaluable to you.

dlots

That was the conversation with the developers; we are on the phone with TAC trying to get the multicast through currently.

wintermute000

Stupid question: is multicast even enabled on your WLC and / or the VLAN the local interface is on? Are the mDNS packets even getting into the WLC, for example? (span the WLC port)

protip for your developers: if you are selling an enterprise product, using bonjour is a no-no

dlots

Yep, we actually found the issues:
1.) In the bonjour protocol there is a string that IDs what it's doing. So airplay has "_airplay._tcp.local." in it, so we needed a "our-productname._tcp.local." in our mDNS group. Also we needed under role names any and usernames any (gonna have to re-visit that and make it whatever it actually needs to be).