Example: Configuring AP name-based filtering and control for the Bonjour gateway
Introduction
The Bonjour gateway uses AP name-based filtering and control to identify and filter Bonjour service discovery traffic. This allows teacher clients (such as MacBook and iPad) to discover and access only the services that match the name of the AP they are connected to. This example isolates Apple TV casting services by AP name to avoid cross-area interference.
Network configuration
As shown in Figure 1, the network uses a centralized wireless forwarding architecture. The AC connects to Switch1 through out-of-path deployment. The Ethernet interface on Switch1 connects upstream to the gateway and downstream to Switch2 (a PoE switch). Switch2 provides the APs with both data connection and PoE power supply. The specific requirements are as follows:
· Create an AP management VLAN and a client service VLAN on Switch1. Configure Switch1 as a DHCP server to assign IP addresses to APs and clients.
· Make sure the links between Switch1 and the AC, Switch1 and Switch2, and Switch2 and the APs can transparently transmit both management and service traffic, enabling bidirectional reachability.
· Create two service templates on the AC, one for Apple TV and one for teacher clients.
Table 1 Data planning
| Device | Interface | IP address |
|---|---|---|
| AC | Vlan-int 20 (management VLAN) | 192.168.20.2/24 |
| AC | Vlan-int 30 (service VLAN for Apple TV) | N/A |
| AC | Vlan-int 31 (service VLAN for teacher clients) | N/A |
| Switch1 | Vlan-int 20 (management VLAN) | 192.168.20.1/24 |
| Switch1 | Vlan-int 30 (service VLAN for Apple TV) | 192.168.30.1/24 |
| Switch1 | Vlan-int 31 (service VLAN for teacher clients) | 192.168.31.1/24 |
Analysis
· Complete the basic network setup to ensure network connectivity between the APs, AC, and clients.
· Create separate wireless services for Apple TV and teacher clients.
· Enable the Bonjour gateway function and configure an AP name-based filtering policy. Apply this policy to the service template for teacher clients.
Restrictions and guidelines
· Use the serial ID labeled on the AP's rear panel to specify an AP.
· Configure the interface connecting the switch and the APs as an access port. Block VLAN 1 traffic to prevent excessive packets within VLAN 1.
· Enable the Bonjour gateway function globally first. Then make sure you enable it for the AP group or the APs. The AP group has it enabled by default.
· In centralized forwarding mode, APs send both service traffic and Bonjour service discovery traffic through CAPWAP tunnels to the AC for processing. This example only works in centralized forwarding mode. It does not apply to local forwarding mode.
Procedure
Configuring Switch1
Configuring interfaces
1. Create VLAN 20 and assign an IP address to VLAN-interface 20. This VLAN carries the CAPWAP tunnel traffic between the AC and the APs.
<Switch1> system-view
[Switch1] vlan 20
[Switch1-vlan20] quit
[Switch1] interface vlan-interface 20
[Switch1-Vlan-interface20] ip address 192.168.20.1 255.255.255.0
[Switch1-Vlan-interface20] quit
2. Create VLAN 30 and assign an IP address to VLAN-interface 30. Clients will use this VLAN to connect to the Apple TV wireless network.
[Switch1] vlan 30
[Switch1-vlan30] quit
[Switch1] interface vlan-interface 30
[Switch1-Vlan-interface30] ip address 192.168.30.1 255.255.255.0
[Switch1-Vlan-interface30] quit
3. Create VLAN 31 and assign an IP address to VLAN-interface 31. Clients will use this VLAN to access the wireless network for teacher clients.
[Switch1] vlan 31
[Switch1-vlan31] quit
[Switch1] interface vlan-interface 31
[Switch1-Vlan-interface31] ip address 192.168.31.1 255.255.255.0
[Switch1-Vlan-interface31] quit
4. Configure GigabitEthernet1/0/1 that connects Switch1 to the AC as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20, VLAN 30, and VLAN 31.
[Switch1] interface GigabitEthernet 1/0/1
[Switch1-GigabitEthernet1/0/1] port link-type trunk
[Switch1-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Switch1-GigabitEthernet1/0/1] port trunk permit vlan 20 30 31
[Switch1-GigabitEthernet1/0/1] quit
5. Configure GigabitEthernet1/0/2 that connects Switch1 to Switch2 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20.
[Switch1] interface GigabitEthernet 1/0/2
[Switch1-GigabitEthernet1/0/2] port link-type trunk
[Switch1-GigabitEthernet1/0/2] undo port trunk permit vlan 1
[Switch1-GigabitEthernet1/0/2] port trunk permit vlan 20
[Switch1-GigabitEthernet1/0/2] quit
Configuring the DHCP server
1. Enable the DHCP server function.
[Switch1] dhcp enable
2. Configure DHCP address pool 2 to assign AP addresses from the range 192.168.20.0/24 with a gateway address of 192.168.20.1. Exclude the IP address 192.168.20.2 from allocation, which is the address of VLAN-interface 20 on the AC.
[Switch1] dhcp server ip-pool 2
[Switch1-dhcp-pool-2] network 192.168.20.0 mask 255.255.255.0
[Switch1-dhcp-pool-2] gateway-list 192.168.20.1
[Switch1-dhcp-pool-2] forbidden-ip 192.168.20.2
[Switch1-dhcp-pool-2] quit
3. Configure DHCP address pool 3 to assign IP addresses from the 192.168.30.0/24 range to clients on the Apple TV network. Set the DNS server address. Set the gateway address to 192.168.30.1. In this example, the DNS server address is the same as the gateway address.
[Switch1] dhcp server ip-pool 3
[Switch1-dhcp-pool-3] network 192.168.30.0 mask 255.255.255.0
[Switch1-dhcp-pool-3] gateway-list 192.168.30.1
[Switch1-dhcp-pool-3] dns-list 192.168.30.1
[Switch1-dhcp-pool-3] quit
4. Configure DHCP address pool 4 to assign IP addresses from the 192.168.31.0/24 range to clients on the teacher client network. Set the DNS server address. Set the gateway address to 192.168.31.1. In this example, the DNS server address is the same as the gateway address.
[Switch1] dhcp server ip-pool 4
[Switch1-dhcp-pool-4] network 192.168.31.0 mask 255.255.255.0
[Switch1-dhcp-pool-4] gateway-list 192.168.31.1
[Switch1-dhcp-pool-4] dns-list 192.168.31.1
[Switch1-dhcp-pool-4] quit
Configuring Switch2
1. Create VLAN 20. This VLAN carries the CAPWAP tunnel traffic between the AC and the APs.
<Switch2> system-view
[Switch2] vlan 20
[Switch2-vlan20] quit
2. Configure GigabitEthernet1/0/1 that connects Switch2 to Switch1 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20.
[Switch2] interface GigabitEthernet 1/0/1
[Switch2-GigabitEthernet1/0/1] port link-type trunk
[Switch2-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[Switch2-GigabitEthernet1/0/1] port trunk permit vlan 20
[Switch2-GigabitEthernet1/0/1] quit
3. Configure GigabitEthernet 1/0/2 that connects Switch2 to AP1 as an access port, assign the port to VLAN 20, and enable PoE.
[Switch2] interface GigabitEthernet 1/0/2
[Switch2-GigabitEthernet1/0/2] port link-type access
[Switch2-GigabitEthernet1/0/2] port access vlan 20
[Switch2-GigabitEthernet1/0/2] poe enable
[Switch2-GigabitEthernet1/0/2] quit
4. Configure GigabitEthernet 1/0/3 that connects Switch2 to AP2 as an access port, assign the port to VLAN 20, and enable PoE.
[Switch2] interface GigabitEthernet 1/0/3
[Switch2-GigabitEthernet1/0/3] port link-type access
[Switch2-GigabitEthernet1/0/3] port access vlan 20
[Switch2-GigabitEthernet1/0/3] poe enable
[Switch2-GigabitEthernet1/0/3] quit
Configuring the AC
Configuring interfaces
1. Create VLAN 20 and VLAN-interface 20, and assign an IP address to the interface. The APs use this address to establish CAPWAP tunnels with the AC.
<AC> system-view
[AC] vlan 20
[AC-vlan20] quit
[AC] interface vlan-interface 20
[AC-Vlan-interface20] ip address 192.168.20.2 255.255.255.0
[AC-Vlan-interface20] quit
2. Create VLAN 30 to carry Apple TV service traffic.
[AC] vlan 30
[AC-vlan30] quit
3. Create VLAN 31 to carry teacher client service traffic.
[AC] vlan 31
[AC-vlan31] quit
4. Configure GigabitEthernet1/0/1 that connects the AC to Switch1 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20, VLAN 30, and VLAN 31.
[AC] interface GigabitEthernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[AC-GigabitEthernet1/0/1] port trunk permit vlan 20 30 31
[AC-GigabitEthernet1/0/1] quit
Configuring wireless services
1. Create service template apple_tv. Set the SSID to apple_tv and specify the VLAN as VLAN 30.
[AC] wlan service-template apple_tv
[AC-wlan-st-apple_tv] ssid apple_tv
[AC-wlan-st-apple_tv] vlan 30
2. Specify the authentication and key management mode as PSK and set the PSK key to plaintext string 12345678.
[AC-wlan-st-apple_tv] akm mode psk
[AC-wlan-st-apple_tv] preshared-key pass-phrase simple 12345678
3. Specify the cipher suite as CCMP and the security IE as RSN.
[AC-wlan-st-apple_tv] cipher-suite ccmp
[AC-wlan-st-apple_tv] security-ie rsn
4. Enable the service template.
[AC-wlan-st-apple_tv] service-template enable
[AC-wlan-st-apple_tv] quit
5. Create service template teacher. Set its SSID to teacher and specify the VLAN as VLAN 31.
[AC] wlan service-template teacher
[AC-wlan-st-teacher] ssid teacher
[AC-wlan-st-teacher] vlan 31
6. Specify the authentication and key management mode as PSK and set the PSK key to plaintext string 12345678.
[AC-wlan-st-teacher] akm mode psk
[AC-wlan-st-teacher] preshared-key pass-phrase simple 12345678
7. Specify the cipher suite as CCMP and the security IE as RSN.
[AC-wlan-st-teacher] cipher-suite ccmp
[AC-wlan-st-teacher] security-ie rsn
8. Enable the service template.
[AC-wlan-st-teacher] service-template enable
[AC-wlan-st-teacher] quit
Configuring the APs
1. Create a manual AP named ap1. Specify the AP model and serial number, and bind the service templates to the corresponding radios. Enable the radio.
[AC] wlan ap ap1 model WA6320
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0001T
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] service-template apple_tv
[AC-wlan-ap-ap1-radio-1] service-template teacher
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
2. Create a manual AP named ap2. Specify the AP model and serial number, and bind the service templates to the corresponding radios. Enable the radio.
[AC] wlan ap ap2 model WA6320
[AC-wlan-ap-ap2] serial-id 219801A28N819CE0002T
[AC-wlan-ap-ap2] radio 1
[AC-wlan-ap-ap2-radio-1] service-template apple_tv
[AC-wlan-ap-ap2-radio-1] service-template teacher
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] quit
[AC-wlan-ap-ap2] quit
Configuring Bonjour gateway functions
1. Set the Bonjour gateway mode to custom.
[AC] bonjour service-mode custom
2. Activate service types required by the Apple TV service.
[AC] bonjour activate service type airplay
[AC] bonjour activate service type raop
NOTE: Due to iOS restrictions, you must activate at least the airplay and raop services to use Apple TV.
3. Enable the Bonjour gateway feature globally.
[AC] bonjour global enable
4. Enter AP view of AP1 and enable the Bonjour gateway feature.
[AC] wlan ap ap1
[AC-wlan-ap-ap1] bonjour enable
[AC-wlan-ap-ap1] quit
5. Enter AP view of AP2 and enable the Bonjour gateway feature.
[AC] wlan ap ap2
[AC-wlan-ap-ap2] bonjour enable
[AC-wlan-ap-ap2] quit
6. Create a Bonjour policy named teacher and configure the AP name-based proxy filtering method. Clients connected through the teacher SSID can discover services in VLAN 30 (Apple TV network).
[AC] bonjour policy teacher
[AC-bp-teacher] service vlan 30
[AC-bp-teacher] proxy-target ap-name
[AC-bp-teacher] quit
7. Apply the created Bonjour policy to the service template with the SSID teacher.
[AC] wlan service-template teacher
[AC-wlan-st-teacher] bonjour apply policy teacher
[AC-wlan-st-teacher] quit
Verifying the configuration
1. View information about Bonjour policy teacher and verify that the policy is configured correctly.
[AC] display bonjour policy teacher
Bonjour policy name : teacher
VLAN : 30
Access-VLAN : Disable
Proxy-target : ap-name
The output shows that the policy teacher has been successfully created, with its service VLAN set to 30, and it has been configured for service filtering based on AP name.
2. Verify whether AP name-based filtering works as expected through the following typical client connection scenarios.
○ Scenario 1: Teacher client and Apple TV connected to the same AP
Check the client connection status.
[AC] display wlan client
Total number of clients: 2
MAC address     User name  AP name  R  SSID      IP address    VLAN
aa5e-3060-5d4e  N/A        ap1      1  teacher   192.168.31.2  31
ac64-cf13-4544  N/A        ap1      1  apple_tv  192.168.30.2  30
The command output shows that both the teacher client (MAC: aa5e-3060-5d4e) and the Apple TV (MAC: ac64-cf13-4544) are connected to AP ap1. Since both devices are connected to the same AP, they meet the filtering rule for proxy-target ap-name in the teacher policy. Therefore, the teacher client can discover and successfully cast to the Apple TV under the same AP.
○ Scenario 2: Teacher client and Apple TV connected to different APs
Check the client connection status.
[AC] display wlan client
Total number of clients: 2
MAC address     User name  AP name  R  SSID      IP address    VLAN
aa5e-3060-5d4e  N/A        ap2      1  teacher   192.168.31.2  31
ac64-cf13-4544  N/A        ap1      1  apple_tv  192.168.30.2  30
The command output shows that the teacher client (MAC: aa5e-3060-5d4e) is connected to AP ap2, while the Apple TV (MAC: ac64-cf13-4544) is connected to AP ap1. Since they are connected to different APs, this does not comply with the filtering rule of proxy-target ap-name in the teacher policy. As a result, the teacher client will be unable to discover the Apple TV located on the other AP ap1 during screen casting.
The verification results indicate that AP name-based filtering on the Bonjour gateway is working as intended: screen-casting devices are isolated by AP, which avoids cross-AP screen-casting interference.
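The two scenarios above can be checked mechanically when more clients are online. The following Python script is an added example, not H3C code: it parses display wlan client output and models the proxy-target ap-name rule as this page describes it. The function names, the two extra clients in the sample, and the assumption that user names and AP names contain no spaces are illustrative.

```python
import re

# MAC address in the xxxx-xxxx-xxxx form printed by "display wlan client".
MAC = re.compile(r"^[0-9a-f]{4}(-[0-9a-f]{4}){2}$")

def parse_clients(output):
    """Parse 'display wlan client' rows into dicts; non-client lines are skipped."""
    clients = []
    for line in output.splitlines():
        f = line.split()
        # A client row has 7 columns and starts with a MAC address.
        # Assumption: user names and AP names contain no spaces.
        if len(f) == 7 and MAC.match(f[0]):
            clients.append({"mac": f[0], "ap": f[2], "ssid": f[4],
                            "ip": f[5], "vlan": int(f[6])})
    return clients

def expected_discovery(clients, policy_ssid="teacher", service_vlan=30):
    """Model of proxy-target ap-name: a client on the SSID that carries the policy
    should discover only service-VLAN devices attached to the AP it is on."""
    result = {}
    for c in clients:
        if c["ssid"] != policy_ssid:
            continue
        result[c["mac"]] = sorted(
            s["mac"] for s in clients
            if s["vlan"] == service_vlan and s["ap"] == c["ap"])
    return result

# Constructed sample: Scenario 2 from this page plus two made-up clients
# (a second teacher client on ap1 and a second Apple TV on ap2).
SAMPLE = """\
Total number of clients: 4
MAC address     User name  AP name  R  SSID      IP address    VLAN
aa5e-3060-5d4e  N/A        ap2      1  teacher   192.168.31.2  31
ac64-cf13-4544  N/A        ap1      1  apple_tv  192.168.30.2  30
aa5e-3060-0001  N/A        ap1      1  teacher   192.168.31.3  31
ac64-cf13-0002  N/A        ap2      1  apple_tv  192.168.30.3  30
"""

if __name__ == "__main__":
    for mac, visible in expected_discovery(parse_clients(SAMPLE)).items():
        print(mac, "->", visible or "no Apple TV on this AP")
```

Comparing this expected mapping with what each teacher client actually lists as a casting target shows whether a device is visible across AP boundaries.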
Configuration files
· Switch1:
#
dhcp enable
#
vlan 20
#
vlan 30
#
vlan 31
#
dhcp server ip-pool 2
network 192.168.20.0 mask 255.255.255.0
gateway-list 192.168.20.1
forbidden-ip 192.168.20.2
#
dhcp server ip-pool 3
network 192.168.30.0 mask 255.255.255.0
gateway-list 192.168.30.1
dns-list 192.168.30.1
#
dhcp server ip-pool 4
network 192.168.31.0 mask 255.255.255.0
gateway-list 192.168.31.1
dns-list 192.168.31.1
#
interface vlan-interface 20
ip address 192.168.20.1 255.255.255.0
#
interface vlan-interface 30
ip address 192.168.30.1 255.255.255.0
#
interface vlan-interface 31
ip address 192.168.31.1 255.255.255.0
#
interface GigabitEthernet 1/0/1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20 30 31
#
interface GigabitEthernet 1/0/2
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20
#
· Switch2:
#
vlan 20
#
interface GigabitEthernet 1/0/1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20
#
interface GigabitEthernet 1/0/2
port link-type access
port access vlan 20
poe enable
#
interface GigabitEthernet 1/0/3
port link-type access
port access vlan 20
poe enable
#
· AC:
#
vlan 20
#
vlan 30
#
vlan 31
#
interface vlan-interface 20
ip address 192.168.20.2 255.255.255.0
#
interface GigabitEthernet 1/0/1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20 30 31
#
bonjour service-mode custom
bonjour global enable
bonjour activate service type airplay
bonjour activate service type raop
#
bonjour policy teacher
service vlan 30
proxy-target ap-name
#
wlan service-template apple_tv
ssid apple_tv
vlan 30
akm mode psk
preshared-key pass-phrase cipher $c$3$N//5BVbsOqdBTxi+7MJZKT6Zqh5MAmYs2ZzM
cipher-suite ccmp
security-ie rsn
client forwarding-location ac
undo bss transition-management enable
service-template enable
#
wlan service-template teacher
ssid teacher
vlan 31
akm mode psk
preshared-key pass-phrase cipher $c$3$N//5BVbsOqdBTxi+7MJZKT6Zqh5MAmYs2ZzM
cipher-suite ccmp
security-ie rsn
client forwarding-location ac
undo bss transition-management enable
service-template enable
bonjour apply policy teacher
#
wlan ap ap1 model WA7538
serial-id 219801A28N819CE0001T
vlan 1
bonjour enable
radio 1
radio enable
service-template apple_tv
service-template teacher
radio 2
gigabitethernet 1
#
wlan ap ap2 model WA7538
serial-id 219801A28N819CE0002T
vlan 1
bonjour enable
radio 1
radio enable
service-template apple_tv
service-template teacher
radio 2
gigabitethernet 1
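The prerequisites from "Restrictions and guidelines" and the policy steps can be checked against a saved AC configuration before testing with clients. The following Python script is an added example, not part of the H3C documentation. It assumes the configuration shows bonjour enable and client forwarding-location ac explicitly, as the AC file above does, and the function names are illustrative.

```python
# Constructed sample, trimmed from this page's AC configuration; ap2 lacks "bonjour enable".
SAMPLE_AC_CONFIG = """\
#
bonjour global enable
#
bonjour policy teacher
 service vlan 30
 proxy-target ap-name
#
wlan service-template apple_tv
 vlan 30
#
wlan service-template teacher
 vlan 31
 client forwarding-location ac
 bonjour apply policy teacher
#
wlan ap ap1 model WA7538
 bonjour enable
#
wlan ap ap2 model WA7538
"""

def sections(text):
    """Split a '#'-delimited configuration into lists of stripped lines."""
    out, cur = [], []
    for line in text.splitlines() + ["#"]:
        if line.strip() == "#":
            out, cur = out + ([cur] if cur else []), []
        elif line.strip():
            cur.append(line.strip())
    return out

def audit(text):
    """Return findings for the Bonjour gateway prerequisites this guide lists."""
    secs, findings = sections(text), []
    named = lambda prefix: {s[0].split()[2]: s for s in secs if s[0].startswith(prefix)}
    policies, templates = named("bonjour policy "), named("wlan service-template ")
    if not any("bonjour global enable" in s for s in secs):
        findings.append("global: bonjour global enable is missing")
    for ap, body in named("wlan ap ").items():
        if "bonjour enable" not in body:
            findings.append(f"ap {ap}: bonjour enable is missing")
    for st, body in templates.items():
        for pol in (l.split()[-1] for l in body if l.startswith("bonjour apply policy ")):
            p = policies.get(pol, [])
            svc = [l.split()[-1] for l in p if l.startswith("service vlan ")]
            if "proxy-target ap-name" not in p:
                findings.append(f"template {st}: policy {pol} lacks proxy-target ap-name")
            if not any(f"vlan {v}" in t for v in svc for t in templates.values()):
                findings.append(f"template {st}: policy {pol} service VLAN has no template")
            if "client forwarding-location ac" not in body:
                findings.append(f"template {st}: centralized forwarding is not configured")
    return findings
```

Calling audit(SAMPLE_AC_CONFIG) reports the AP that is missing bonjour enable. The parser strips leading whitespace, so it also accepts a configuration file whose indentation has been lost.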
Related documentation
· Bonjour gateway configuration from the H3C Wireless Controller Configuration Guides.
· Bonjour gateway commands from the H3C Wireless Controller Command References.

