vSZ Bonjour Fencing in practice

  • 2
  • Question
  • Updated 7 months ago
Recently upgraded my vSZ instance to 3.5 and discovered the new Bonjour Fencing functionality.  This is something I've been after for quite some time, having upgraded to Ruckus from an old wireless system that included this functionality.

Bonjour fencing on our old system was more like a firewall; I would enable a policy that is either inbound (from client to AP) or outbound (from AP to client) and specify a default of permit all (apart from blocked) or block all (apart from allowed).  I would then set rules either by choosing from a pre-set service list or by entering a custom string.

I blocked all announcements inbound and outbound and then permitted:
  • Outbound Apple TV (enabling access to ethernet-connected devices)
  • Inbound / outbound custom service of *._cros_p2p._tcp._local (enabling Chromebook peer-to-peer updating) 
  • Outbound custom service *Printsrv._ipp._tcp._local (enabling bonjour printer announcements only from our corporate print server)
Any other inbound announcements from clients were blocked, so iTunes libraries, file shares, home printer shares etc. were not broadcast on the corporate network.

The Ruckus implementation seems very different to this and the documentation doesn't include any examples.  It looks like there's no separation of inbound / outbound (unless this is wired / wireless?) and no way of using custom services (since you can only select from the predefined list), so it seems we can't filter for specific servers or include services that aren't on the default list.

I'd love to see examples of what others are using this service for so I can try to figure out how I can get back to the level of filtering we used to have.

Chris Beattie

  • 1 Post
  • 0 Reply Likes
  • confused

Posted 2 years ago

  • 2

Stephen Hall

  • 33 Posts
  • 2 Reply Likes
I'm in the same boat, and can't find any relevant docs or info on the Ruckus implementation.

My goal is: we have a large FLAT network (i.e. 60+ Ruckus APs, all on vSZ 3.6.2, no VLANs, all clients on the same /21 subnet), and I would like to LIMIT all Bonjour broadcast traffic to only the AP that the user is on.

I.e. a user's iPhone and Apple TV are on the same Ruckus AP "B", so they can see each other.

But any user on Ruckus AP "C" can NOT see Bonjour traffic from the above Ruckus AP "B"; they can only see Bonjour data local to their AP.

How do we do this? The settings for Bonjour fencing seem to require specifying a specific MAC, which does not line up with what we want to accomplish.

Thanks

Andrew Giancola

  • 80 Posts
  • 23 Reply Likes
In some switches, you could 'Snoop IGMP', then set your IGMP filter to DROP mDNS, or the multicast address on which Bonjour devices discover each other. That's a place to start.
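Neither the opening post's old-system policy nor Andrew's switch-level filter shows what a Bonjour fence actually decides on, so here is an added example tying the two together. It is my own toy code, not Ruckus's, the old wireless system's, or any switch vendor's: it classifies a datagram as mDNS by the multicast group and port Andrew alludes to (224.0.0.251 / UDP 5353, per RFC 6762), parses the DNS-SD PTR announcements inside it, and applies the per-direction allow list described in the first post. The allow-list strings are assumptions: the post writes `._local` where the wire name ends in `.local`, "Apple TV" is mapped to the `_airplay._tcp` service type, and the caller is assumed to know which direction (client to AP, or AP to client) a packet is travelling. All sample traffic is constructed in the block, not captured.

```python
"""Toy mDNS 'fence' (added example, not Ruckus or any vendor's code):
classify datagrams by the mDNS multicast group, parse DNS-SD PTR
announcements and apply a per-direction allow list."""
import fnmatch
import struct

MDNS_GROUP_V4 = "224.0.0.251"  # IPv4 multicast group mDNS uses (RFC 6762)
MDNS_PORT = 5353
PTR = 12                       # DNS record type carrying DNS-SD announcements

# Assumed policy modelled on the question: default block in both directions,
# allow only these instance-name patterns. "inbound" = client -> AP,
# "outbound" = AP -> client. The strings are assumptions: the post writes
# "._local" for ".local", and "Apple TV" is mapped to _airplay._tcp here.
POLICY = {
    "inbound": ["*._cros_p2p._tcp.local"],
    "outbound": ["*._airplay._tcp.local", "*._cros_p2p._tcp.local",
                 "printsrv._ipp._tcp.local"],
}


def encode_name(name):
    """DNS wire form of a dotted name (toy builder: no compression)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_ptr_announcement(service_type, instance):
    """Construct a minimal mDNS response with one PTR record (sample input)."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)  # QR=1, AA=1, 1 answer
    rdata = encode_name(instance)
    rr = encode_name(service_type) + struct.pack("!HHIH", PTR, 1, 4500, len(rdata)) + rdata
    return header + rr


def read_name(pkt, off):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            jumps += 1
            if jumps > 16:                      # refuse pointer loops
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def extract_ptr_instances(payload):
    """Lower-cased PTR targets (service instance names) in an mDNS response."""
    qd, an, ns, ar = struct.unpack("!HHHH", payload[4:12])
    off = 12
    for _ in range(qd):                          # skip the question section
        _, off = read_name(payload, off)
        off += 4                                 # QTYPE + QCLASS
    instances = []
    for _ in range(an + ns + ar):
        _, off = read_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == PTR:
            instances.append(read_name(payload, off)[0].lower())
        off += rdlen
    return instances


def fence(direction, dst_ip, dst_port, payload):
    """Verdict for one UDP datagram: ('forward' | 'drop', reason)."""
    if dst_ip != MDNS_GROUP_V4 or dst_port != MDNS_PORT:
        return "forward", "not mDNS"
    if len(payload) < 12:
        return "drop", "truncated mDNS header"
    if not struct.unpack("!H", payload[2:4])[0] & 0x8000:
        return "forward", "mDNS query, not an announcement"
    try:
        instances = extract_ptr_instances(payload)
    except (struct.error, IndexError, ValueError):
        return "drop", "malformed mDNS response"
    if not instances:
        return "drop", "announcement without a PTR record (fail closed)"
    for inst in instances:
        if not any(fnmatch.fnmatchcase(inst, p.lower()) for p in POLICY[direction]):
            return "drop", f"{direction} announcement of {inst} not permitted"
    return "forward", "all announced services permitted"


if __name__ == "__main__":  # constructed sample traffic, not captures
    for direction, svc, inst in [("inbound", "_daap._tcp.local", "Alice's Library._daap._tcp.local"),
                                 ("outbound", "_ipp._tcp.local", "Printsrv._ipp._tcp.local")]:
        print(direction, inst, fence(direction, MDNS_GROUP_V4, MDNS_PORT, build_ptr_announcement(svc, inst)))
```

Andrew's switch-level approach is the coarse version of the first check in `fence`: match the multicast group and drop unconditionally, which silences every Bonjour service at once. The per-service filtering the opening post describes (permit the corporate print server's `_ipp` announcement but not a home printer's, permit Chromebook peer-to-peer but not iTunes shares) needs the PTR records parsed as above, and a fence that cannot classify a response should fail closed rather than forward it.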