15-WLAN advanced features

19-Example for Configuring AP Position-based Filtering and Control for the Bonjour Gateway

Example: Configuring AP position-based filtering and control for the Bonjour gateway

Introduction

The Bonjour gateway uses AP position-based filtering and control to identify and filter Bonjour service discovery. This allows teacher clients (such as MacBook and iPad) to discover and access only the services that match the position of the AP they are connected to. This example isolates Apple TV casting services by AP position to avoid cross-area interference.

Network configuration

As shown in Figure 1, the network uses a centralized wireless forwarding architecture. The AC connects to Switch1 through out-of-path deployment. The Ethernet interface on Switch1 connects upstream to the gateway and downstream to Switch2 (a PoE switch). Switch2 provides the APs with both data connection and PoE power supply. The specific requirements are as follows:

·     Create an AP management VLAN and a client service VLAN on Switch1. Configure Switch1 as a DHCP server to assign IP addresses to APs and clients.

·     Make sure the links between Switch1 and the AC, Switch1 and Switch2, and Switch2 and the APs can transparently transmit both management and service traffic, enabling bidirectional reachability.

·     Create two service templates on the AC, one for Apple TV and one for teacher clients.

Figure 1 Network diagram

 

Table 1 Data planning

Device     Interface                                         IP address

AC         Vlan-int 20 (management VLAN)                     192.168.20.2/24

AC         Vlan-int 30 (service VLAN for Apple TV)           N/A

AC         Vlan-int 31 (service VLAN for teacher clients)    N/A

Switch1    Vlan-int 20 (management VLAN)                     192.168.20.1/24

Switch1    Vlan-int 30 (service VLAN for Apple TV)           192.168.30.1/24

Switch1    Vlan-int 31 (service VLAN for teacher clients)    192.168.31.1/24

 

Analysis

·     Complete the basic network setup to ensure network connectivity between the APs, AC, and clients.

·     Create separate wireless services for Apple TV and teacher clients.

·     Enable the Bonjour gateway function and configure an AP position-based filtering policy. Apply this policy to the service template for teacher clients.

Restrictions and guidelines

·     Use the serial ID labeled on the AP's rear panel to specify an AP.

·     Configure the interface connecting the switch and the APs as an access port. Block VLAN 1 traffic to prevent excessive packets within VLAN 1.

·     You can specify only one position name for each AP. If you execute the ap-position command multiple times, the most recent one takes effect.

·     Enable the Bonjour gateway function globally first. Then make sure you enable it for the AP group or the APs. The AP group has it enabled by default.

·     In centralized forwarding mode, APs send both service traffic and Bonjour service discovery traffic through CAPWAP tunnels to the AC for processing. This example only works in centralized forwarding mode. It does not apply to local forwarding mode.

Procedure

Configuring Switch1

Configuring interfaces

1.     Create VLAN 20 and assign an IP address to VLAN-interface 20. This address will be used to forward traffic within the CAPWAP tunnels between AC and AP.

<Switch1> system-view

[Switch1] vlan 20

[Switch1-vlan20] quit

[Switch1] interface vlan-interface 20

[Switch1-Vlan-interface20] ip address 192.168.20.1 255.255.255.0

[Switch1-Vlan-interface20] quit

2.     Create VLAN 30 and assign an IP address to VLAN-interface 30. Clients will use this VLAN to connect to the Apple TV wireless network.

[Switch1] vlan 30

[Switch1-vlan30] quit

[Switch1] interface vlan-interface 30

[Switch1-Vlan-interface30] ip address 192.168.30.1 255.255.255.0

[Switch1-Vlan-interface30] quit

3.     Create VLAN 31 and assign an IP address to VLAN-interface 31. Clients will use this VLAN to access the wireless network for teacher clients.

[Switch1] vlan 31

[Switch1-vlan31] quit

[Switch1] interface vlan-interface 31

[Switch1-Vlan-interface31] ip address 192.168.31.1 255.255.255.0

[Switch1-Vlan-interface31] quit

4.     Configure GigabitEthernet1/0/1 that connects Switch1 to the AC as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20, VLAN 30, and VLAN 31.

[Switch1] interface GigabitEthernet 1/0/1

[Switch1-GigabitEthernet1/0/1] port link-type trunk

[Switch1-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[Switch1-GigabitEthernet1/0/1] port trunk permit vlan 20 30 31

[Switch1-GigabitEthernet1/0/1] quit

5.     Configure GigabitEthernet1/0/2 that connects Switch1 to Switch2 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20.

[Switch1] interface GigabitEthernet 1/0/2

[Switch1-GigabitEthernet1/0/2] port link-type trunk

[Switch1-GigabitEthernet1/0/2] undo port trunk permit vlan 1

[Switch1-GigabitEthernet1/0/2] port trunk permit vlan 20

[Switch1-GigabitEthernet1/0/2] quit

Configuring the DHCP server

1.     Enable the DHCP server function.

[Switch1] dhcp enable

2.     Configure DHCP address pool 2 to assign AP addresses from the range 192.168.20.0/24 with a gateway address of 192.168.20.1. Exclude the IP address 192.168.20.2 from allocation, which is the address of VLAN-interface 20 on the AC.

[Switch1] dhcp server ip-pool 2

[Switch1-dhcp-pool-2] network 192.168.20.0 mask 255.255.255.0

[Switch1-dhcp-pool-2] gateway-list 192.168.20.1

[Switch1-dhcp-pool-2] forbidden-ip 192.168.20.2

[Switch1-dhcp-pool-2] quit

3.     Configure DHCP address pool 3 to assign IP addresses from the 192.168.30.0/24 range to clients on the Apple TV network. Set the DNS server address. Set the gateway address to 192.168.30.1. In this example, the DNS server address is the same as the gateway address.

[Switch1] dhcp server ip-pool 3

[Switch1-dhcp-pool-3] network 192.168.30.0 mask 255.255.255.0

[Switch1-dhcp-pool-3] gateway-list 192.168.30.1

[Switch1-dhcp-pool-3] dns-list 192.168.30.1

[Switch1-dhcp-pool-3] quit

4.     Configure DHCP address pool 4 to assign IP addresses from the 192.168.31.0/24 range to clients on the teacher client network. Set the DNS server address. Set the gateway address to 192.168.31.1. In this example, the DNS server address is the same as the gateway address.

[Switch1] dhcp server ip-pool 4

[Switch1-dhcp-pool-4] network 192.168.31.0 mask 255.255.255.0

[Switch1-dhcp-pool-4] gateway-list 192.168.31.1

[Switch1-dhcp-pool-4] dns-list 192.168.31.1

[Switch1-dhcp-pool-4] quit

Configuring Switch2

1.     Create VLAN 20. This VLAN will be used to forward traffic within the CAPWAP tunnels between AC and AP.

<Switch2> system-view

[Switch2] vlan 20

[Switch2-vlan20] quit

2.     Configure GigabitEthernet1/0/1 that connects Switch2 to Switch1 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20.

[Switch2] interface GigabitEthernet 1/0/1

[Switch2-GigabitEthernet1/0/1] port link-type trunk

[Switch2-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[Switch2-GigabitEthernet1/0/1] port trunk permit vlan 20

[Switch2-GigabitEthernet1/0/1] quit

3.     Configure GigabitEthernet 1/0/2 that connects Switch2 to AP1 as an access port, assign the port to VLAN 20, and enable PoE.

[Switch2] interface GigabitEthernet 1/0/2

[Switch2-GigabitEthernet1/0/2] port link-type access

[Switch2-GigabitEthernet1/0/2] port access vlan 20

[Switch2-GigabitEthernet1/0/2] poe enable

[Switch2-GigabitEthernet1/0/2] quit

4.     Configure GigabitEthernet 1/0/3 that connects Switch2 to AP2 as an access port, assign the port to VLAN 20, and enable PoE.

[Switch2] interface GigabitEthernet 1/0/3

[Switch2-GigabitEthernet1/0/3] port link-type access

[Switch2-GigabitEthernet1/0/3] port access vlan 20

[Switch2-GigabitEthernet1/0/3] poe enable

[Switch2-GigabitEthernet1/0/3] quit

5.     Configure GigabitEthernet 1/0/4 that connects Switch2 to AP3 as an access port, assign the port to VLAN 20, and enable PoE.

[Switch2] interface GigabitEthernet 1/0/4

[Switch2-GigabitEthernet1/0/4] port link-type access

[Switch2-GigabitEthernet1/0/4] port access vlan 20

[Switch2-GigabitEthernet1/0/4] poe enable

[Switch2-GigabitEthernet1/0/4] quit

Configuring the AC

Configuring interfaces

1.     Create VLAN 20 and VLAN-interface 20, and assign an IP address for the interface. The AP will obtain the IP address to establish a CAPWAP tunnel with the AC.

[AC] vlan 20

[AC-vlan20] quit

[AC] interface vlan-interface 20

[AC-Vlan-interface20] ip address 192.168.20.2 255.255.255.0

[AC-Vlan-interface20] quit

2.     Create VLAN 30 to carry Apple TV service traffic.

[AC] vlan 30

[AC-vlan30] quit

3.     Create VLAN 31 to carry teacher client service traffic.

[AC] vlan 31

[AC-vlan31] quit

4.     Configure GigabitEthernet1/0/1 that connects the AC to Switch1 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20, VLAN 30, and VLAN 31.

[AC] interface GigabitEthernet 1/0/1

[AC-GigabitEthernet1/0/1] port link-type trunk

[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[AC-GigabitEthernet1/0/1] port trunk permit vlan 20 30 31

[AC-GigabitEthernet1/0/1] quit

Configuring wireless services

1.     Create service template apple_tv. Set the SSID to apple_tv and specify the VLAN as VLAN 30.

[AC] wlan service-template apple_tv

[AC-wlan-st-apple_tv] ssid apple_tv

[AC-wlan-st-apple_tv] vlan 30

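2.     Specify the authentication and key management mode as PSK and set the PSK to the plaintext string 12345678. This passphrase is a sample value for the example; replace it with a strong, unique passphrase in a real deployment.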

[AC-wlan-st-apple_tv] akm mode psk

[AC-wlan-st-apple_tv] preshared-key pass-phrase simple 12345678

3.     Specify the cipher suite as CCMP and the security IE as RSN.

[AC-wlan-st-apple_tv] cipher-suite ccmp

[AC-wlan-st-apple_tv] security-ie rsn

4.     Enable the service template.

[AC-wlan-st-apple_tv] service-template enable

[AC-wlan-st-apple_tv] quit

5.     Create service template teacher. Set its SSID to teacher and specify the VLAN as VLAN 31.

[AC] wlan service-template teacher

[AC-wlan-st-teacher] ssid teacher

[AC-wlan-st-teacher] vlan 31

6.     Specify the authentication and key management mode as PSK and set the PSK to the plaintext string 12345678.

[AC-wlan-st-teacher] akm mode psk

[AC-wlan-st-teacher] preshared-key pass-phrase simple 12345678

7.     Specify the cipher suite as CCMP and the security IE as RSN.

[AC-wlan-st-teacher] cipher-suite ccmp

[AC-wlan-st-teacher] security-ie rsn

8.     Enable the service template.

[AC-wlan-st-teacher] service-template enable

[AC-wlan-st-teacher] quit

Configuring APs

1.     Create a manual AP named ap1. Specify the AP model and serial number, and bind the service template apple_tv to the corresponding radio. Enable the radio.

[AC] wlan ap ap1 model WA6320

[AC-wlan-ap-ap1] serial-id 219801A28N819CE0001T

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] service-template apple_tv

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

2.     Create a manual AP named ap2. Specify the AP model and serial number, and bind the service template apple_tv to the corresponding radio. Enable the radio.

[AC] wlan ap ap2 model WA6320

[AC-wlan-ap-ap2] serial-id 219801A28N819CE0002T

[AC-wlan-ap-ap2] radio 1

[AC-wlan-ap-ap2-radio-1] service-template apple_tv

[AC-wlan-ap-ap2-radio-1] radio enable

[AC-wlan-ap-ap2-radio-1] quit

[AC-wlan-ap-ap2] quit

3.     Create a manual AP named ap3. Specify the AP model and serial number, and bind the service template teacher to the corresponding radio. Enable the radio.

[AC] wlan ap ap3 model WA6320

[AC-wlan-ap-ap3] serial-id 219801A28N819CE0003T

[AC-wlan-ap-ap3] radio 1

[AC-wlan-ap-ap3-radio-1] service-template teacher

[AC-wlan-ap-ap3-radio-1] radio enable

[AC-wlan-ap-ap3-radio-1] quit

[AC-wlan-ap-ap3] quit

Configuring Bonjour gateway functions

1.     Set the Bonjour gateway mode to custom.

[AC] bonjour service-mode custom

2.     Activate service types required by the Apple TV service.

[AC] bonjour activate service type airplay

[AC] bonjour activate service type raop

 

 

NOTE:

Due to iOS restrictions, you must activate at least the airplay and raop services to use Apple TV.

 

3.     Enable the Bonjour gateway feature globally.

[AC] bonjour global enable

4.     Enter AP view of AP1, specify the AP position as class1, and enable the Bonjour gateway feature.

[AC] wlan ap ap1

[AC-wlan-ap-ap1] ap-position class1

[AC-wlan-ap-ap1] bonjour enable

[AC-wlan-ap-ap1] quit

5.     Enter AP view of AP2, specify the AP position as class2, and enable the Bonjour gateway feature.

[AC] wlan ap ap2

[AC-wlan-ap-ap2] ap-position class2

[AC-wlan-ap-ap2] bonjour enable

[AC-wlan-ap-ap2] quit

6.     Enter AP view of AP3, specify the AP position as class1, and enable the Bonjour gateway feature.

[AC] wlan ap ap3

[AC-wlan-ap-ap3] ap-position class1

[AC-wlan-ap-ap3] bonjour enable

[AC-wlan-ap-ap3] quit

7.     Create a Bonjour policy named teacher and configure the AP position-based proxy filtering method. Clients connected through the teacher SSID can discover services in VLAN 30.

[AC] bonjour policy teacher

[AC-bp-teacher] service vlan 30

[AC-bp-teacher] proxy-target ap-position

[AC-bp-teacher] quit

8.     Apply the created Bonjour policy to the service template with the SSID teacher.

[AC] wlan service-template teacher

[AC-wlan-st-teacher] bonjour apply policy teacher

[AC-wlan-st-teacher] quit

Verifying the configuration

1.     View AP position information. The Bonjour gateway uses the information to perform AP position-based filtering.

[AC] display bonjour ap-position

AP name                                                        Position

ap1                                                              class1

ap2                                                              class2

ap3                                                              class1

The output shows that the position of both AP1 and AP3 is class1 and the position of AP2 is class2.

2.     Verify AP position-based filtering.

Based on the above configuration, the teacher client (connected to AP3) and Apple TV1 (connected to AP1) belong to the same class1 area, while Apple TV2 (connected to AP2) belongs to the class2 area. If the teacher client sees only Apple TV1, and not Apple TV2, in the available device list when it starts screen casting, AP position-based filtering on the Bonjour gateway has taken effect and the services are isolated by AP location.

3.     View the wireless client connection status for auxiliary verification.

View all connected wireless clients and confirm that the clients are correctly connected to their respective SSIDs and APs. This command output lists all online clients, regardless of whether their Bonjour service is filtered by the gateway.

[AC] display wlan client

Total number of clients: 3

MAC address      User name    AP name         R    SSID              IP address       VLAN

ac64-cf13-4544   N/A           ap1              1  apple_tv           192.168.30.2     30

6839-4331-2677   N/A           ap2              1  apple_tv           192.168.30.5     30

aa5e-3060-5d4e   N/A           ap3              1  teacher            192.168.31.2     31
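
The following script is an added example, not part of the original H3C document. It parses the two display outputs shown above and computes which service-VLAN devices each teacher client is expected to discover, so the expected result can be compared with what the client actually lists. The function names and the matching rule (same position name on both APs, no visibility when the viewer's AP has no position) are assumptions drawn from the description in this example.

```python
import re

# Output copied from the verification step of this example.
AP_POSITIONS = """\
AP name                                                        Position
ap1                                                              class1
ap2                                                              class2
ap3                                                              class1
"""
CLIENTS = """\
Total number of clients: 3
MAC address      User name    AP name         R    SSID              IP address       VLAN
ac64-cf13-4544   N/A           ap1              1  apple_tv           192.168.30.2     30
6839-4331-2677   N/A           ap2              1  apple_tv           192.168.30.5     30
aa5e-3060-5d4e   N/A           ap3              1  teacher            192.168.31.2     31
"""
MAC = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}")


def parse_ap_positions(text):
    """Return {AP name: position}; the three-word header row is skipped."""
    rows = (line.split() for line in text.splitlines())
    return {r[0]: r[1] for r in rows if len(r) == 2}


def parse_clients(text):
    """Return one dict per client row (rows start with a MAC address)."""
    keys = ("mac", "user", "ap", "radio", "ssid", "ip", "vlan")
    rows = (line.split() for line in text.splitlines())
    return [dict(zip(keys, r)) for r in rows
            if len(r) == len(keys) and MAC.fullmatch(r[0])]


def expected_visibility(positions, clients, policy_ssid="teacher", service_vlan="30"):
    """Model of 'proxy-target ap-position' (assumed semantics, from the text):
    a client on policy_ssid sees a service-VLAN device only when both
    are attached to APs that carry the same position name."""
    devices = [c for c in clients if c["vlan"] == service_vlan]
    result = {}
    for viewer in (c for c in clients if c["ssid"] == policy_ssid):
        # None means the viewer's AP has no position; the model shows it nothing.
        here = positions.get(viewer["ap"])
        visible = [d["mac"] for d in devices
                   if here is not None and positions.get(d["ap"]) == here]
        filtered = [d["mac"] for d in devices if d["mac"] not in visible]
        result[viewer["mac"]] = {"position": here, "visible": visible,
                                 "filtered": filtered}
    return result


if __name__ == "__main__":
    view = expected_visibility(parse_ap_positions(AP_POSITIONS), parse_clients(CLIENTS))
    for mac, entry in view.items():
        print(mac, entry)
```

A device that appears in the client's casting list but in the "filtered" column here indicates that a position name or the policy binding on the service template differs from the intended plan.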

Configuration files

·     Switch1:

#

dhcp enable

#

vlan 20

#

vlan 30

#

vlan 31

#

dhcp server ip-pool 2

 network 192.168.20.0 mask 255.255.255.0

 gateway-list 192.168.20.1

 forbidden-ip 192.168.20.2

#

dhcp server ip-pool 3

 network 192.168.30.0 mask 255.255.255.0

 gateway-list 192.168.30.1

 dns-list 192.168.30.1

#

dhcp server ip-pool 4

 network 192.168.31.0 mask 255.255.255.0

 gateway-list 192.168.31.1

 dns-list 192.168.31.1

#

interface vlan-interface 20

 ip address 192.168.20.1 255.255.255.0

#

interface vlan-interface 30

 ip address 192.168.30.1 255.255.255.0

#

interface vlan-interface 31

 ip address 192.168.31.1 255.255.255.0

#

interface GigabitEthernet 1/0/1

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 20 30 31

#

interface GigabitEthernet 1/0/2

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 20

#

·     Switch2:

#

vlan 20

#

interface GigabitEthernet 1/0/1

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 20

#

interface GigabitEthernet 1/0/2

 port link-type access

 port access vlan 20

 poe enable

#

interface GigabitEthernet 1/0/3

 port link-type access

 port access vlan 20

 poe enable

#

interface GigabitEthernet 1/0/4

 port link-type access

 port access vlan 20

 poe enable

#

·     AC:

#

vlan 20

#

vlan 30

#

vlan 31

#

interface vlan-interface 20

 ip address 192.168.20.2 255.255.255.0

#

interface GigabitEthernet 1/0/1

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 20 30 31

#

bonjour service-mode custom

bonjour global enable

bonjour activate service type airplay

bonjour activate service type raop

#

bonjour policy teacher

 service vlan 30

 proxy-target ap-position

#

wlan service-template apple_tv

 ssid apple_tv

 vlan 30

 akm mode psk

 preshared-key pass-phrase cipher $c$3$N//5BVbsOqdBTxi+7MJZKT6Zqh5MAmYs2ZzM

 cipher-suite ccmp

 security-ie rsn

 client forwarding-location ac

 undo bss transition-management enable

 service-template enable

#

wlan service-template teacher

 ssid teacher

 vlan 31

 akm mode psk

 preshared-key pass-phrase cipher $c$3$N//5BVbsOqdBTxi+7MJZKT6Zqh5MAmYs2ZzM

 cipher-suite ccmp

 security-ie rsn

 client forwarding-location ac

 undo bss transition-management enable

 service-template enable

 bonjour apply policy teacher

#

wlan ap ap1 model WA7538

 serial-id 219801A28N819CE0001T

 vlan 1

 ap-position class1

 bonjour enable

 radio 1

  radio enable

  service-template apple_tv

 radio 2

 gigabitethernet 1

#

wlan ap ap2 model WA7538

 serial-id 219801A28N819CE0002T

 vlan 1

 ap-position class2

 bonjour enable

 radio 1

  radio enable

  service-template apple_tv

 radio 2

 gigabitethernet 1

#

wlan ap ap3 model WA7538

 serial-id 219801A28N819CE0003T

 vlan 1

 ap-position class1

 bonjour enable

 radio 1

  radio enable

  service-template teacher

 radio 2

 gigabitethernet 1

#

Related documentation

·     Bonjour gateway configuration from the H3C Wireless Controller Configuration Guides.

·     Bonjour gateway commands from the H3C Wireless Controller Command References.
