15-WLAN advanced features

20-Example for Configuring AP Group-based Filtering and Control for the Bonjour Gateway

Example: Configuring AP group-based filtering and control for the Bonjour gateway

Introduction

The Bonjour gateway uses AP group-based filtering and control to identify and filter Bonjour service discovery. This allows teacher clients (such as MacBook and iPad) to discover and access only the services that match the group of the AP they are connected to. This example isolates Apple TV casting services by AP group to avoid cross-area interference.

Network configuration

As shown in Figure 1, the network uses a centralized wireless forwarding architecture. The AC connects to Switch1 through out-of-path deployment. The Ethernet interface on Switch1 connects upstream to the gateway and downstream to Switch2 (a PoE switch). Switch2 provides the APs with both data connection and PoE power supply. The specific requirements are as follows:

·     Create an AP management VLAN and a client service VLAN on Switch1. Configure Switch1 as a DHCP server to assign IP addresses to APs and clients.

·     Make sure the links between Switch1 and the AC, Switch1 and Switch2, and Switch2 and the APs can transparently transmit both management and service traffic, enabling bidirectional reachability.

·     Create two service templates on the AC, one for Apple TV and one for teacher clients.

Figure 1 Network diagram

 

Table 1 Data planning

Device     Interface                                         IP address
AC         Vlan-int 20 (management VLAN)                     192.168.20.2/24
AC         Vlan-int 30 (service VLAN for Apple TV)           N/A
AC         Vlan-int 31 (service VLAN for teacher clients)    N/A
Switch1    Vlan-int 20 (management VLAN)                     192.168.20.1/24
Switch1    Vlan-int 30 (service VLAN for Apple TV)           192.168.30.1/24
Switch1    Vlan-int 31 (service VLAN for teacher clients)    192.168.31.1/24

 

Analysis

·     Complete the basic network setup to ensure network connectivity between the APs, AC, and clients.

·     Create separate wireless services for Apple TV and teacher clients.

·     Enable the Bonjour gateway function and configure an AP group-based filtering policy. Apply this policy to the service template for teacher clients.

Restrictions and guidelines

·     Use the serial ID labeled on the AP's rear panel to specify an AP.

·     Configure the interface connecting the switch and the APs as an access port. Block VLAN 1 traffic to prevent excessive packets within VLAN 1.

·     For Bonjour gateway to take effect, you must first enable it globally and then enable it for the AP group or specific APs. By default, this feature is enabled for an AP group.

·     In centralized forwarding mode, APs send both service traffic and Bonjour service discovery traffic through CAPWAP tunnels to the AC for processing. This example only works in centralized forwarding mode. It does not apply to local forwarding mode.

Procedure

Configuring Switch1

Configuring interfaces

1.     Create VLAN 20 and assign an IP address to VLAN-interface 20. This address will be used to forward traffic within the CAPWAP tunnels between AC and AP.

<Switch1> system-view

[Switch1] vlan 20

[Switch1-vlan20] quit

[Switch1] interface vlan-interface 20

[Switch1-Vlan-interface20] ip address 192.168.20.1 255.255.255.0

[Switch1-Vlan-interface20] quit

2.     Create VLAN 30 and assign an IP address to VLAN-interface 30. Clients will use this VLAN to connect to the Apple TV wireless network.

[Switch1] vlan 30

[Switch1-vlan30] quit

[Switch1] interface vlan-interface 30

[Switch1-Vlan-interface30] ip address 192.168.30.1 255.255.255.0

[Switch1-Vlan-interface30] quit

3.     Create VLAN 31 and assign an IP address to VLAN-interface 31. Clients will use this VLAN to access the wireless network for teacher clients.

[Switch1] vlan 31

[Switch1-vlan31] quit

[Switch1] interface vlan-interface 31

[Switch1-Vlan-interface31] ip address 192.168.31.1 255.255.255.0

[Switch1-Vlan-interface31] quit

4.     Configure GigabitEthernet1/0/1 that connects Switch1 to the AC as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20, VLAN 30, and VLAN 31.

[Switch1] interface GigabitEthernet 1/0/1

[Switch1-GigabitEthernet1/0/1] port link-type trunk

[Switch1-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[Switch1-GigabitEthernet1/0/1] port trunk permit vlan 20 30 31

[Switch1-GigabitEthernet1/0/1] quit

5.     Configure GigabitEthernet1/0/2 that connects Switch1 to Switch2 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20.

[Switch1] interface GigabitEthernet 1/0/2

[Switch1-GigabitEthernet1/0/2] port link-type trunk

[Switch1-GigabitEthernet1/0/2] undo port trunk permit vlan 1

[Switch1-GigabitEthernet1/0/2] port trunk permit vlan 20

[Switch1-GigabitEthernet1/0/2] quit

Configuring the DHCP server

1.     Enable the DHCP server function.

[Switch1] dhcp enable

2.     Configure DHCP address pool 2 to assign AP addresses from the range 192.168.20.0/24 with a gateway address of 192.168.20.1. Exclude the IP address 192.168.20.2 from allocation, which is the address of VLAN-interface 20 on the AC.

[Switch1] dhcp server ip-pool 2

[Switch1-dhcp-pool-2] network 192.168.20.0 mask 255.255.255.0

[Switch1-dhcp-pool-2] gateway-list 192.168.20.1

[Switch1-dhcp-pool-2] forbidden-ip 192.168.20.2

[Switch1-dhcp-pool-2] quit

3.     Configure DHCP address pool 3 to assign IP addresses from the 192.168.30.0/24 range to clients on the Apple TV network. Set the DNS server address. Set the gateway address to 192.168.30.1. In this example, the DNS server address is the same as the gateway address.

[Switch1] dhcp server ip-pool 3

[Switch1-dhcp-pool-3] network 192.168.30.0 mask 255.255.255.0

[Switch1-dhcp-pool-3] gateway-list 192.168.30.1

[Switch1-dhcp-pool-3] dns-list 192.168.30.1

[Switch1-dhcp-pool-3] quit

4.     Configure DHCP address pool 4 to assign IP addresses from the 192.168.31.0/24 range to clients on the teacher client network. Set the DNS server address. Set the gateway address to 192.168.31.1. In this example, the DNS server address is the same as the gateway address.

[Switch1] dhcp server ip-pool 4

[Switch1-dhcp-pool-4] network 192.168.31.0 mask 255.255.255.0

[Switch1-dhcp-pool-4] gateway-list 192.168.31.1

[Switch1-dhcp-pool-4] dns-list 192.168.31.1

[Switch1-dhcp-pool-4] quit

Configuring Switch2

1.     Create VLAN 20. This VLAN will be used to forward traffic within the CAPWAP tunnels between AC and AP.

<Switch2> system-view

[Switch2] vlan 20

[Switch2-vlan20] quit

2.     Configure GigabitEthernet1/0/1 that connects Switch2 to Switch1 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20.

[Switch2] interface GigabitEthernet 1/0/1

[Switch2-GigabitEthernet1/0/1] port link-type trunk

[Switch2-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[Switch2-GigabitEthernet1/0/1] port trunk permit vlan 20

[Switch2-GigabitEthernet1/0/1] quit

3.     Configure GigabitEthernet 1/0/2 that connects Switch2 to AP1 as an access port, assign the port to VLAN 20, and enable PoE.

[Switch2] interface GigabitEthernet 1/0/2

[Switch2-GigabitEthernet1/0/2] port link-type access

[Switch2-GigabitEthernet1/0/2] port access vlan 20

[Switch2-GigabitEthernet1/0/2] poe enable

[Switch2-GigabitEthernet1/0/2] quit

4.     Configure GigabitEthernet 1/0/3 that connects Switch2 to AP2 as an access port, assign the port to VLAN 20, and enable PoE.

[Switch2] interface GigabitEthernet 1/0/3

[Switch2-GigabitEthernet1/0/3] port link-type access

[Switch2-GigabitEthernet1/0/3] port access vlan 20

[Switch2-GigabitEthernet1/0/3] poe enable

[Switch2-GigabitEthernet1/0/3] quit

5.     Configure GigabitEthernet 1/0/4 that connects Switch2 to AP3 as an access port, assign the port to VLAN 20, and enable PoE.

[Switch2] interface GigabitEthernet 1/0/4

[Switch2-GigabitEthernet1/0/4] port link-type access

[Switch2-GigabitEthernet1/0/4] port access vlan 20

[Switch2-GigabitEthernet1/0/4] poe enable

[Switch2-GigabitEthernet1/0/4] quit

Configuring the AC

Configuring interfaces

1.     Create VLAN 20 and VLAN-interface 20, and assign an IP address for the interface. The AP will obtain the IP address to establish a CAPWAP tunnel with the AC.

<AC> system-view

[AC] vlan 20

[AC-vlan20] quit

[AC] interface vlan-interface 20

[AC-Vlan-interface20] ip address 192.168.20.2 255.255.255.0

[AC-Vlan-interface20] quit

2.     Create VLAN 30 to carry Apple TV service traffic.

[AC] vlan 30

[AC-vlan30] quit

3.     Create VLAN 31 to carry teacher client service traffic.

[AC] vlan 31

[AC-vlan31] quit

4.     Configure GigabitEthernet1/0/1 that connects the AC to Switch1 as a trunk port, remove the port from VLAN 1, and assign the port to VLAN 20, VLAN 30, and VLAN 31.

[AC] interface GigabitEthernet 1/0/1

[AC-GigabitEthernet1/0/1] port link-type trunk

[AC-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[AC-GigabitEthernet1/0/1] port trunk permit vlan 20 30 31

[AC-GigabitEthernet1/0/1] quit

Configuring wireless services

1.     Create service template apple_tv. Set the SSID to apple_tv and specify the VLAN as VLAN 30.

[AC] wlan service-template apple_tv

[AC-wlan-st-apple_tv] ssid apple_tv

[AC-wlan-st-apple_tv] vlan 30

2.     Specify the authentication and key management mode as PSK and set the PSK key to plaintext string 12345678.

[AC-wlan-st-apple_tv] akm mode psk

[AC-wlan-st-apple_tv] preshared-key pass-phrase simple 12345678

3.     Specify the cipher suite as CCMP and the security IE as RSN.

[AC-wlan-st-apple_tv] cipher-suite ccmp

[AC-wlan-st-apple_tv] security-ie rsn

4.     Enable the service template.

[AC-wlan-st-apple_tv] service-template enable

[AC-wlan-st-apple_tv] quit

5.     Create service template teacher. Set its SSID to teacher and specify the VLAN as VLAN 31.

[AC] wlan service-template teacher

[AC-wlan-st-teacher] ssid teacher

[AC-wlan-st-teacher] vlan 31

6.     Specify the authentication and key management mode as PSK and set the PSK key to plaintext string 12345678.

[AC-wlan-st-teacher] akm mode psk

[AC-wlan-st-teacher] preshared-key pass-phrase simple 12345678

7.     Specify the cipher suite as CCMP and the security IE as RSN.

[AC-wlan-st-teacher] cipher-suite ccmp

[AC-wlan-st-teacher] security-ie rsn

8.     Enable the service template.

[AC-wlan-st-teacher] service-template enable

[AC-wlan-st-teacher] quit

Configuring APs

1.     Create a manual AP named ap1. Specify the AP model and serial number, and bind the service template apple_tv to the corresponding radio. Enable the radio.

[AC] wlan ap ap1 model WA6320

[AC-wlan-ap-ap1] serial-id 219801A28N819CE0001T

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] service-template apple_tv

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

2.     Create a manual AP named ap2. Specify the AP model and serial number, and bind the service template apple_tv to the corresponding radio. Enable the radio.

[AC] wlan ap ap2 model WA6320

[AC-wlan-ap-ap2] serial-id 219801A28N819CE0002T

[AC-wlan-ap-ap2] radio 1

[AC-wlan-ap-ap2-radio-1] radio enable

[AC-wlan-ap-ap2-radio-1] service-template apple_tv

[AC-wlan-ap-ap2-radio-1] quit

[AC-wlan-ap-ap2] quit

3.     Create a manual AP named ap3. Specify the AP model and serial number, and bind the service template teacher to the corresponding radio. Enable the radio.

[AC] wlan ap ap3 model WA6320

[AC-wlan-ap-ap3] serial-id 219801A28N819CE0003T

[AC-wlan-ap-ap3] radio 1

[AC-wlan-ap-ap3-radio-1] service-template teacher

[AC-wlan-ap-ap3-radio-1] radio enable

[AC-wlan-ap-ap3-radio-1] quit

[AC-wlan-ap-ap3] quit

Configuring Bonjour gateway functions

1.     Set the Bonjour gateway mode to custom.

[AC] bonjour service-mode custom

2.     Activate service types required by the Apple TV service.

[AC] bonjour activate service type airplay

[AC] bonjour activate service type raop

 

 

NOTE:

Due to iOS restrictions, you must activate at least the airplay and raop services to use Apple TV.

 

3.     Enable the Bonjour gateway feature globally.

[AC] bonjour global enable

4.     Enter AP group view of group group1, add APs ap1 and ap3 to the group, and enable the Bonjour gateway feature.

[AC] wlan ap-group group1

[AC-wlan-ap-group-group1] ap ap1

[AC-wlan-ap-group-group1] ap ap3

[AC-wlan-ap-group-group1] bonjour enable

[AC-wlan-ap-group-group1] quit

5.     Enter AP group view of group group2, add AP ap2 to the group, and enable the Bonjour gateway feature.

[AC] wlan ap-group group2

[AC-wlan-ap-group-group2] ap ap2

[AC-wlan-ap-group-group2] bonjour enable

[AC-wlan-ap-group-group2] quit

6.     Create a Bonjour policy named teacher and configure the AP group-based proxy filtering method. Clients connected through SSID teacher can discover only the service resources in the AP group of the AP they are connected to (group1). Services in group2 are filtered out automatically.

[AC] bonjour policy teacher

[AC-bp-teacher] service vlan 30

[AC-bp-teacher] proxy-target ap-group

[AC-bp-teacher] quit

7.     Apply the created Bonjour policy to the service template with the SSID teacher.

[AC] wlan service-template teacher

[AC-wlan-st-teacher] bonjour apply policy teacher

[AC-wlan-st-teacher] quit

Verifying the configuration

1.     View information about Bonjour policy teacher and verify it is configured successfully.

[AC] display bonjour policy teacher

Bonjour policy name                    : teacher

VLAN                                      : 30

Access-VLAN                              : Disable

Proxy-target                             : ap-group

The output shows that the policy teacher has been successfully created, with its service VLAN set to 30, and it has been configured for service filtering based on AP groups.

2.     View AP group information.

[AC] display current-configuration | include ap

wlan ap-group group1

 ap ap1

 ap ap3

wlan ap-group group2

 ap ap2

3.     Verify AP group-based filtering.

Based on the above configuration, the teacher client is connected to AP3, Apple TV1 is connected to AP1, and Apple TV2 is connected to AP2. AP1 and AP3 belong to group 1, while AP2 belongs to group 2. When the screen casting function is activated on the teacher client, if only Apple TV1 is visible in the available device list while Apple TV2 is not, it confirms that the Bonjour gateway filtering function based on AP group has taken effect, successfully achieving isolation by AP group.

4.     View wireless client connection status for auxiliary verification.

Use the display wlan client command to view all connected wireless clients and confirm that the clients have correctly accessed their respective SSIDs and APs. This command lists all online clients, regardless of whether their Bonjour service is filtered by the gateway.

[AC] display wlan client

Total number of clients: 3

MAC address      User name    AP name         R    SSID              IP address       VLAN

ac64-cf13-4544   N/A           ap1              1  apple_tv           192.168.30.2     30

6839-4331-2677   N/A           ap2              1  apple_tv           192.168.30.5     30

aa5e-3060-5d4e   N/A           ap3              1  teacher            192.168.31.2     31
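The result expected in step 3 can be worked out from the AP group listing and the client table before testing with a real device. The following Python sketch is an added example, not H3C code: it models only the behavior this page describes for proxy-target ap-group (a client on the policy SSID sees service-VLAN hosts attached to APs in its own AP group). The function names, the seven-column layout of display wlan client, and the treatment of ungrouped APs as members of default-group are assumptions.

```python
import re

# Constructed sample input, copied in shape from the two outputs above.
AP_GROUP_CONFIG = """\
wlan ap-group group1
 ap ap1
 ap ap3
wlan ap-group group2
 ap ap2
"""
CLIENT_TABLE = """\
MAC address      User name    AP name   R  SSID       IP address       VLAN
ac64-cf13-4544   N/A          ap1       1  apple_tv   192.168.30.2     30
6839-4331-2677   N/A          ap2       1  apple_tv   192.168.30.5     30
aa5e-3060-5d4e   N/A          ap3       1  teacher    192.168.31.2     31
"""
MAC_RE = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")

def parse_ap_groups(text):
    """Map AP name -> AP group from 'wlan ap-group' stanzas."""
    ap_to_group, group = {}, None
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["wlan", "ap-group"] and len(words) == 3:
            group = words[2]
        elif line.startswith(" ") and len(words) == 2 and words[0] == "ap" and group:
            ap_to_group[words[1]] = group
        elif words and not line.startswith(" "):
            group = None  # any other top-level command closes the stanza
    return ap_to_group

def parse_clients(text):
    """Parse 'display wlan client' rows (seven whitespace-separated columns)."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 7 and MAC_RE.match(f[0]):
            rows.append({"mac": f[0], "ap": f[2], "ssid": f[4], "vlan": int(f[6])})
    return rows

def expected_visibility(ap_to_group, clients, policy_ssid, service_vlan):
    """For each client on policy_ssid, split service-VLAN hosts into visible/filtered."""
    def group_of(ap):
        # Assumption: an AP listed in no group is treated as a member of default-group.
        return ap_to_group.get(ap, "default-group")
    providers = [c for c in clients if c["vlan"] == service_vlan]
    report = {}
    for c in clients:
        if c["ssid"] != policy_ssid:
            continue
        same = [p["mac"] for p in providers if group_of(p["ap"]) == group_of(c["ap"])]
        other = [p["mac"] for p in providers if p["mac"] not in same]
        report[c["mac"]] = {"group": group_of(c["ap"]), "visible": same, "filtered": other}
    return report

if __name__ == "__main__":
    groups = parse_ap_groups(AP_GROUP_CONFIG)
    clients = parse_clients(CLIENT_TABLE)
    for mac, r in expected_visibility(groups, clients, "teacher", 30).items():
        print(mac, r)
```

A device that appears in the casting list but falls under "filtered" here indicates that the policy is not being applied to that client.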

Configuration files

·     Switch1:

#

dhcp enable

#

vlan 20

#

vlan 30

#

vlan 31

#

dhcp server ip-pool 2

 network 192.168.20.0 mask 255.255.255.0

 gateway-list 192.168.20.1

 forbidden-ip 192.168.20.2

#

dhcp server ip-pool 3

 network 192.168.30.0 mask 255.255.255.0

 gateway-list 192.168.30.1

 dns-list 192.168.30.1

#

dhcp server ip-pool 4

 network 192.168.31.0 mask 255.255.255.0

 gateway-list 192.168.31.1

 dns-list 192.168.31.1

#

interface vlan-interface 20

 ip address 192.168.20.1 255.255.255.0

#

interface vlan-interface 30

 ip address 192.168.30.1 255.255.255.0

#

interface vlan-interface 31

 ip address 192.168.31.1 255.255.255.0

#

interface GigabitEthernet 1/0/1

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 20 30 31

#

interface GigabitEthernet 1/0/2

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 20

#

·     Switch2:

#

vlan 20

#

interface GigabitEthernet 1/0/1

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 20

#

interface GigabitEthernet 1/0/2

 port link-type access

 port access vlan 20

 poe enable

#

interface GigabitEthernet 1/0/3

 port link-type access

 port access vlan 20

 poe enable

#

interface GigabitEthernet 1/0/4

 port link-type access

 port access vlan 20

 poe enable

#

·     AC:

#

vlan 20

#

vlan 30

#

vlan 31

#

interface vlan-interface 20

 ip address 192.168.20.2 255.255.255.0

#

interface GigabitEthernet 1/0/1

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 20 30 31

#

 bonjour service-mode custom

 bonjour global enable

 bonjour activate service type airplay

 bonjour activate service type raop

#

bonjour policy teacher

 service vlan 30

 proxy-target ap-group

#

wlan service-template apple_tv

 ssid apple_tv

 vlan 30

 akm mode psk

 preshared-key pass-phrase cipher $c$3$N//5BVbsOqdBTxi+7MJZKT6Zqh5MAmYs2ZzM

 cipher-suite ccmp

 security-ie rsn

 client forwarding-location ac

 undo bss transition-management enable

 service-template enable

#

wlan service-template teacher

 ssid teacher

 vlan 31

 akm mode psk

 preshared-key pass-phrase cipher $c$3$N//5BVbsOqdBTxi+7MJZKT6Zqh5MAmYs2ZzM

 cipher-suite ccmp

 security-ie rsn

 client forwarding-location ac

 undo bss transition-management enable

 service-template enable

 bonjour apply policy teacher

#

wlan ap-group group1

 vlan 1

 radio 2.4g

 radio 5g

 radio 6g

 ap ap1

 ap ap3

#

wlan ap-group group2

 vlan 1

 radio 2.4g

 radio 5g

 radio 6g

 ap ap2

#

wlan ap ap1 model WA7538

 serial-id 219801A28N819CE0001T

 vlan 1

 radio 1

  radio enable

  service-template apple_tv

 radio 2

 gigabitethernet 1

#

wlan ap ap2 model WA7538

 serial-id 219801A28N819CE0002T

 vlan 1

 radio 1

  radio enable

  service-template apple_tv

 radio 2

 gigabitethernet 1

#

wlan ap ap3 model WA7538

 serial-id 219801A28N819CE0003T

 vlan 1

 radio 1

  radio enable

  service-template teacher

 radio 2

 gigabitethernet 1

#
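The prerequisites from "Restrictions and guidelines" and the policy binding can be checked offline against a saved AC configuration. The following Python lint is an added example, not H3C tooling: it checks that the Bonjour gateway is enabled globally, that the policy applied to a service template exists and uses proxy-target ap-group, and that no two service templates carry the same stored PSK (apple_tv and teacher share one pass-phrase in this example, so any device that knows it can join either SSID). The function names and finding texts are assumptions, and the key strings in the sample are placeholders.

```python
# Constructed sample modelled on the AC configuration file above (placeholder keys).
AC_CONFIG = """\
#
 bonjour global enable
#
bonjour policy teacher
 service vlan 30
 proxy-target ap-group
#
wlan service-template apple_tv
 preshared-key pass-phrase cipher $c$3$PLACEHOLDER-A
#
wlan service-template teacher
 preshared-key pass-phrase cipher $c$3$PLACEHOLDER-A
 bonjour apply policy teacher
#
"""

def sections(cfg):
    """Split a '#'-delimited configuration into lists of stripped lines."""
    out = [[]]
    for line in cfg.splitlines():
        if line.strip() == "#":
            out.append([])
        elif line.strip():
            out[-1].append(line.strip())
    return [s for s in out if s]

def arg(body, prefix):
    """Last word of the first line in body that starts with prefix, else None."""
    for line in body:
        if line.startswith(prefix + " "):
            return line.split()[-1]
    return None

def named(secs, kind):
    """Sections whose first line is '<kind> <name>', keyed by name."""
    return {s[0].split()[-1]: s[1:] for s in secs if s[0].startswith(kind + " ")}

def lint_ac(cfg):
    """Return findings for Bonjour prerequisites and PSKs shared across SSIDs."""
    secs = sections(cfg)
    policies = named(secs, "bonjour policy")
    templates = named(secs, "wlan service-template")
    findings = []
    if not any("bonjour global enable" in s for s in secs):
        findings.append("bonjour gateway is not enabled globally")
    by_key = {}
    for name, body in templates.items():
        by_key.setdefault(arg(body, "preshared-key"), []).append(name)
        pol = arg(body, "bonjour apply policy")
        if pol and pol not in policies:
            findings.append(f"{name}: applied policy {pol} is not defined")
        elif pol and arg(policies[pol], "proxy-target") != "ap-group":
            findings.append(f"{name}: policy {pol} does not filter by AP group")
    for key, names in by_key.items():
        if key and len(names) > 1:
            findings.append("same PSK on templates: " + ", ".join(sorted(names)))
    return findings
```

Run against the sample, lint_ac reports only the shared PSK; giving each service template its own pass-phrase clears the finding.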

Related documentation

·     Bonjour gateway configuration from the H3C Wireless Controller Configuration Guides.

·     Bonjour gateway commands from the H3C Wireless Controller Command References.
