mDNS Gateway

The mDNS gateway, running on a switch, listens for Bonjour responses and Bonjour queries and forwards them to different subnets. Its main function is to forward Bonjour traffic by re-transmitting it between reflection-enabled VLANs. The switches have interfaces configured in the VLANs for which they perform packet reflection.



NOTE: The mDNS gateway in a switch acts as an application layer gateway between subnets. An IP interface is required on each of the networks between which it reflects.


Service filtering

The mDNS profiles feature is responsible for applying filter profiles to mDNS resource records in mDNS response and query packets. Responses and queries can be filtered to give better control over the services that are visible. Service filtering allows network administrators to manipulate both the responses sent to clients and the packets coming from clients in order to allow or deny mDNS services. This mechanism prevents clients from discovering specified services and from announcing specified services. These filters can be outbound (from the switch to clients) or inbound (from clients to the switch). Profiles can be applied per VLAN.

There is a global default that permits or denies traffic matching no rule. Rules are evaluated in order; after a match is found, the remaining filter rules are ignored.



NOTE: Service filtering cannot block the connection between devices. For example, if a client knows the remote device’s IP address, it can still establish a connection without using the mDNS protocol. Service filtering only keeps the names and addresses of services out of mDNS responses.


mDNS query and response assessment


  • Switch 1 — Reflection enabled on VLAN 2 and VLAN 3

  • Global Filters — set to permit both inbound and outbound mDNS traffic on Switch 1, 2 and 3.

  • Specific Filter — Switch 1 – VLAN 3 – Deny – outbound – service type – wireless printer.

  • Specific Filter — Switch 1 – VLAN 2 – Permit – inbound – instance name – Host 2.

Wireless printer service process

Process overview of service for a wireless printer:

  1. Wireless Printer 1 sends an mDNS response advertising printer services in Switch 1 on VLAN 1.

  2. Switch 1 has no inbound filter in VLAN 1. The global filter is set to permit all, so the announcement is accepted.

  3. Switch 1 checks the outbound filter in VLAN 1. As there is no specific outbound filter, the global default of permit all applies. It floods the packet in VLAN 1 (except the source port).

  4. iPhone 1 in VLAN 1 receives the service announcement.

  5. Switch 1 checks the reflection status. Reflection is enabled on VLAN 2 and 3.

  6. Switch 1 checks the outbound filter in VLAN 2. As there is no specific outbound filter, the default action is permit all, so it forwards the service announcement in VLAN 2.

  7. Switch 1 checks the outbound filter in VLAN 3. The outbound filter is set to deny the wireless printer service type; therefore the packet is not forwarded to VLAN 3.

  8. Switch 3 receives the service advertisement in VLAN 2. It will flood the packet in VLAN 2 except the source port.

  9. Host 2 in Switch 3 receives the service announcement.
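The forwarding decision that the service filtering rules and the walkthrough above describe (inbound filter on the receiving VLAN, outbound filter on each VLAN the packet is sent into, first matching rule wins, global default for unmatched packets, reflection into every reflection-enabled VLAN other than the one the packet arrived on) can be written as a small model. The code below is an added example, not the switch's code or vendor documentation; the class and field names (`FilterRule`, `MdnsPacket`, `Switch`, `forward`) are this model's own, and it tracks only VLANs, not individual ports. It builds Switch 1 exactly as configured in the assessment and replays the Wireless Printer 1 advertisement.

```python
"""Model of the mDNS gateway filter-and-reflect decision (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class FilterRule:
    vlan: int
    direction: str      # "inbound" = client -> switch, "outbound" = switch -> clients
    action: str         # "permit" or "deny"
    match_type: str     # "service_type" or "instance_name"
    match_value: str


@dataclass
class MdnsPacket:
    service_type: Optional[str]    # e.g. "wireless printer"
    instance_name: str             # announcing host, e.g. "Wireless Printer 1"


@dataclass
class Switch:
    name: str
    vlans: Set[int]                                   # VLANs with an IP interface
    reflection_vlans: Set[int] = field(default_factory=set)
    rules: List[FilterRule] = field(default_factory=list)
    default_action: str = "permit"                    # global default

    def filter_action(self, vlan: int, direction: str, pkt: MdnsPacket) -> str:
        """The first rule for this VLAN and direction that matches decides;
        later rules are ignored; no match falls through to the global default."""
        for rule in self.rules:
            if rule.vlan != vlan or rule.direction != direction:
                continue
            if rule.match_type == "service_type" and rule.match_value == pkt.service_type:
                return rule.action
            if rule.match_type == "instance_name" and rule.match_value == pkt.instance_name:
                return rule.action
        return self.default_action

    def forward(self, ingress_vlan: int, pkt: MdnsPacket) -> List[int]:
        """Return the VLANs the packet is sent out on (the real switch also
        excludes the source port; this model only tracks VLANs)."""
        if ingress_vlan not in self.vlans:
            raise ValueError(f"{self.name} has no interface in VLAN {ingress_vlan}")
        egress: List[int] = []
        # 1. inbound filter on the VLAN the packet arrived on
        if self.filter_action(ingress_vlan, "inbound", pkt) == "deny":
            return egress
        # 2. outbound filter, then flood within the same VLAN
        if self.filter_action(ingress_vlan, "outbound", pkt) == "permit":
            egress.append(ingress_vlan)
        # 3. reflection into every reflection-enabled VLAN except the incoming
        #    one, each subject to its own outbound filter
        for vlan in sorted(self.reflection_vlans - {ingress_vlan}):
            if self.filter_action(vlan, "outbound", pkt) == "permit":
                egress.append(vlan)
        return egress


def build_switch1() -> Switch:
    """Switch 1 as configured in the assessment (values taken from this page)."""
    return Switch(
        name="Switch 1",
        vlans={1, 2, 3},
        reflection_vlans={2, 3},
        rules=[
            FilterRule(3, "outbound", "deny", "service_type", "wireless printer"),
            FilterRule(2, "inbound", "permit", "instance_name", "Host 2"),
        ],
    )


def printer1_advertisement() -> List[int]:
    """Steps 1-7 above: Wireless Printer 1 advertises on VLAN 1 of Switch 1.
    Expected egress: VLAN 1 (flood) and VLAN 2 (reflection); VLAN 3 is denied."""
    pkt = MdnsPacket("wireless printer", "Wireless Printer 1")
    return build_switch1().forward(1, pkt)


if __name__ == "__main__":
    print("Wireless Printer 1 advertisement leaves Switch 1 on VLANs:", printer1_advertisement())
```

Inserting a permit rule for a specific instance name ahead of the VLAN 3 deny rule lets that one printer through while the deny still applies to everything else, which is the first-match behaviour described under Service filtering; setting `default_action="deny"` on a switch with no rules drops every announcement at the inbound check.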

Wireless Printer advertising printer service

The following procedure walks through the advertising process for a wireless printer as an example.

  1. Wireless Printer 2 sends an mDNS response advertising printer services in VLAN 3.

  2. Switch 2 does not have any inbound filter in VLAN 3, so it receives the wireless printer service announcement.

  3. Switch 2 checks the outbound filter in VLAN 3. There is no specific outbound filter on VLAN 3, so it floods the service announcement in VLAN 3 (except the source port).

  4. Switch 2 checks the reflection status. Since reflection is not enabled on Switch 2, it does not forward the announcement to any other VLAN.

  5. As there is no inbound filter in VLAN 3 of Switch 1, it receives the service announcement on VLAN 3. When Switch 1 checks the outbound filter in VLAN 3, it finds a deny rule for the wireless printer service type. Therefore Switch 1 does not flood the packet in VLAN 3.

  6. Switch 1 checks the reflection status. Reflection is enabled on VLAN 2 and 3; however, VLAN 3 is the incoming VLAN, so the packet is not reflected back into it. For VLAN 2 it checks the outbound filter. There is no outbound filter in VLAN 2, so Switch 1 forwards the service announcement in VLAN 2.

  7. Switch 3 does not have any inbound filter; therefore it receives the service announcement in VLAN 2.

  8. Switch 2 checks the outbound filter in VLAN 2. As there is no specific outbound filter, the global action of permit all applies, so Switch 2 floods the packet in VLAN 2 (except the source port).

  9. Host 2 receives the switch 2 print service announcement.

Host 2 queries for printers

The following procedure walks through the handling of an mDNS query for a wireless printer as an example.

  1. Host 2 sends an mDNS query for printers.

  2. There is no inbound filter in VLAN 2 of Switch 3; therefore it receives the query.

  3. Switch 3 checks the outbound filter in VLAN 2. As there is no specific outbound filter, the default action of permit all applies.

  4. Switch 3 floods the query in VLAN 2 (except the source port).

  5. Switch 1 receives the query and checks the inbound filters. The permit rule for the instance name Host 2 allows the packet on VLAN 2.

  6. Switch 1 checks the outbound filter for VLAN 2. As there is no specific filter and the global filter is permit all, it floods the packet in VLAN 2 (except the source port).

  7. Switch 1 checks the reflection status. Reflection is enabled on VLAN 2 and VLAN 3. Since VLAN 2 is the incoming VLAN, the packet is not reflected back into VLAN 2.

  8. Switch 1 checks the outbound filters on VLAN 3. There is no rule to deny the Host 2 query and the global filter is set to permit all, so it forwards the packet to VLAN 3.

  9. Switch 2 receives the query and checks for any inbound and outbound filters in VLAN 3.

  10. There are no specific inbound or outbound filters in VLAN 3; therefore it floods the query in VLAN 3 (except the source port).

  11. Reflection is not enabled on Switch 2; therefore the query is not reflected any further.

  12. Wireless Printer 2 responds to the query. Switch 2 has no inbound or outbound filters, so it floods the response in VLAN 3 (except the source port).

  13. Switch 1 receives the packet, as there are no inbound filters in VLAN 3. VLAN 3 has an outbound filter set to deny the wireless printer service, so the response is not flooded in VLAN 3.

  14. Switch 1 checks the reflection status, which is enabled on VLAN 2 and 3. Since the incoming VLAN is 3, the packet is not reflected back into VLAN 3.

  15. Switch 1 checks the outbound filter in VLAN 2. As there is no specific filter, it forwards the response to VLAN 2.

  16. Switch 3 receives the response on VLAN 2, as there is no inbound filter to deny this service.

  17. Switch 3 does not have any outbound filters in VLAN 2, so it floods the response in VLAN 2 (except the source port).

  18. Host 2 receives the Wireless Printer 2 service response.

iPhone 1 queries for printers

The following procedure walks through the handling of an iPhone query for a wireless printer as an example.

  1. iPhone 1 sends an mDNS query for printers in Switch 1 on VLAN 1.

  2. Switch 1 checks the inbound filter in VLAN 1. As there are no specific filters, it receives the query.

  3. Switch 1 checks the outbound filter in VLAN 1. As there is no specific filter, it floods the packet in VLAN 1 (except the source port).

  4. Switch 1 checks the reflection status. The reflection is enabled on VLAN 2 and 3.

  5. Switch 1 checks the outbound filters on VLAN 2 and 3. In VLAN 3 the outbound filter is set to deny the wireless printer service; therefore it does not reflect the packet to VLAN 3. There is no specific outbound filter in VLAN 2, so it forwards the packet to VLAN 2.

  6. In Switch 1, Wireless Printer 1 receives the iPhone 1 query and sends a response. Switch 1 checks the inbound filter and the outbound filter, then floods the response in VLAN 1 (except the source port).

  7. Switch 3 receives the iPhone 1 query and floods the packet in VLAN 2, as there are no specific inbound or outbound filters in Switch 3. There are no printers attached to Switch 3, so no further response is generated.