Cisco WLC for Wired to Wireless mDNS and Bonjour

Bonjour and mDNS are discovery mechanisms that generally work effortlessly within a single VLAN. Those attempting to implement these protocols in a multi subnet environment often run into some significant challenges. The typical use of CAPWAP in an enterprise wireless network adds to the segmentation between wired and wireless domains and requires special attention with devices like Applet TVs and Bonjour based printers. In this article, I will address the use case of allowing a wired Apple TV to be seen and used by a wireless client. We will also do some basic filtering to contain those advertisements to a single building.

The Starting Topology

The Scenario

Operating with a baseline configuration, users on the BigU SSID are complaining that they cannot access the Apple TV in BLDG – 3. The first task is to make that device available to those users. While the underlying infrastructure is irrelevant to this configuration method, it is MPLS and cannot be changed in our process. All APs are running in LOCAL mode. This mode creates a compulsory CAPWAP tunnel for the data plane through the controller. In the above diagram, VLAN 110 is trunked out of the controller on to the network in BLDG-1. Not only are the laptops not L2 adjacent with the Apple TV, the adjacency is separated by several layer 3 hops into another building.

One possible way to solve this would be to use a Bonjour Gateway on the layer 3 devices and make the wireless network transparent. Since we can’t redesign the wired network, we are going to approach this in the Wireless LAN Controller (WLC).  mDNS snooping is a configuration option in the controller that will solve this use case. Due to the fact that the Apple TV is wired, it will be necessary to see its traffic in an AP that IS layer 2 adjacent. This will feed the mDNS services into the controller that will be leveraged to selectively advertise to the wireless clients.

The completed topology will look like the diagram below. The Apple TV is in VLAN 105 and the mDNS AP will receive its traffic tagged. This means the Apple TV and the mDNS Snooping AP are somewhat local to one another, hearing one another’s multicasts and broadcasts on VLAN 105. In my example, I created a separate VLAN for AP management. That is not required and was provided as an illustration. In practice, this could have shared the management VLAN with the production AP for BLDG-3.

Goal Topology with mDNS Snooping

I have built this lab with a single router and Meraki switch. There are no mDNS Services anywhere except in the WLC. For clarity, the switch configuration is shown below.

WLC mDNS Configuration

At this point, we need to configure mDNS profiles, mDNS policies and configure the mDNS Snooping AP (which is just an AP).

mDNS services can be enabled by choosing the Controller Tab, then mDNS -> General.

Check mDNS Global Snooping and mDNS Policy.

I also enable “Query Status” option for “Airplay” in the Master Services Database (middle of the same page).

Next we create an mDNS Profile. That is located in the next subsection in the left column. I could use the default profile, but it is advantageous to minimize the amount of mDNS objects that are maintained by the WLC.  Therefore, I have created a profile called My_mDNS_Profile and added only the Airplay service.

Next I configure the mDNS Snooping AP in monitor mode and enable mDNS Snooping on the Apple TV VLAN. I am placing this AP in monitor mode because I don’t want to be confused when I test the filtering techniques and configure the mDNS policies. I don’t want this AP servicing my test clients.

In Wireless -> Access Points -> All APs, choose the mDNS Snooping AP by name and set it to AP Mode “Monitor”.

Next, I apply the change, then go to the advanced tab (it may be necessary to wait for the AP to reboot). mDNS Snooping is enabled by checking the appropriate checkbox and doing another Apply. After it is applied, it is then possible to select the VLAN that contains the Apple TV by choosing Vlan List. The AP should be able to receive broadcasts on this VLAN from the Apple TV, but there is no need to configure SPAN on the adjacent switch. It simply needs to be a trunk port with the appropriate VLAN(s).

It is also necessary to snoop the mDNS traffic from the wireless clients. In the WLAN settings for the SSID, this is configured on the advanced tab. Here I enable mDNS Snooping and select the profile that was created earlier (My_mDNS_Profile).

It is important to understand a little about mDNS policies. These are found back on the controller tab in the “mDNS” section. The pre-created policy is called “default-mdns-policy”. It will match anything but only mapped to the role name “admin”. mDNS policies steer advertisements to locations. The default policy goes everywhere but the role “admin” qualifies the advertisements. Unless this role is being delivered by radius there will be no advertisements. There are no location options on the default policy. The role and user used for conditions are derived from radius and are beyond the scope of my configuration. The fact that the role is set to match “admin” by default keeps this from applying to our traffic and therefore the advertisements are filtered. Changing this to the keyword “Any” should allow the policy to permit unfiltered advertisements.

This is a good checkpoint to see if the Apple TV is visible. In my case, the test is successful.


If it works, it is time to on to the filtering section. If not, the following items should be verified.

  • The mDNS Snooping AP is connected to a trunk port
  • Trunk port includes the Apple TV wired VLAN
  • The mDNS Snooping is enabled on the snooping AP and includes the Apple TV in the VLAN List
  • MDNS Snooping is enabled on the WLAN that is servicing the Wireless Clients (and the test client is connected to the correct SSID
  • Debug command for the controller “debug mdns detail enable”

Restricting the Scope of Advertisements

The Apple TV should be visible and functioning as expected. However, there may be a need to filter the advertisement delivery. For example, there is no need to advertise this into BLDG 2 in my example. The mDNS policy allows groups and service sets to be created for this purpose. Delivery is restricted based on AP Location, AP Group or AP Name. The first step is to change the default profile back to required “role=admin”. This should disable the advertisement once again.

One thing to note is that the Apple TV may still be cached in OS X. Assuming that the tests are being done from Sierra, the following command will flush the cache.

sudo killall -HUP mDNSResponder;sudo killall mDNSResponderHelper;sudo dscacheutil -flushcache

Other OSX methods for clearing mDNS/Bonjour Cache can be found here-

Now that the Apple TV is being filtered, we will allow it to be advertised only to BLDG-3_AP. To do this, we need to assign locations to our APs.

It should be noted that AP Name and AP Location can be found on the General Tab of the AP configuration. Options for location filtering include Location, AP Name and AP groups. One thing to note is that the match will be a substring match. In other words, “office” in a policy would match both “office1” and “office2”.

After deciding on a filter strategy and setting the required parameters, a restrictive mDNS policy can be created. For this, the following items will be needed:

  • Location (AP Name, Location or Group)
  • Apple TV MAC address (can be obtained from nDNS Domain Names)
  • Any other filter criteria (user/role)

The mDNS policy is created in Controller -> mDNS -> mDNS Policies.

To create a policy, choose “Add Group”.

I create a group called “Teachers_Building_3”. After creating the group, I added my Apple TV to it as a service. Next I need to choose the group name to modify it.

The visual below shows the end product after I entered the MAC address, provided a name and set the location. For the location, I am using AP Name=BLDG-3. It is very IMPORTANT to choose Add and make certain an entry is added to the middle of the page prior to choosing Apply. It is also necessary to use the keyword Any for the role. It is also worth mentioning that “Any” is an acceptable use for the location as well. The documentation also states that “same” can be used for a Wireless to Wireless advertisement that should be pinned to a single AP.

At this point, Apple TV should only be visible from APs with the location beginning with BLDG-3. My validation shows that it works.


This exercise has demonstrated a method of using mDNS Snooping in the Cisco WLC. When used this way, this feature allows Wired devices in one VLAN to be visible to Wireless users on a different network segment. This feature also gives us the ability to qualify where these devices should be seen.

Additional Reference:

If you have any feedback or comments, please share below.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may does not reflect the position of past, present or future employers.



No related content found.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in Design. Bookmark the permalink.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.