vSZ Bonjour Fencing in practice

  • 1
  • Question
  • Updated 3 months ago
Recently upgraded my vSZ instance to 3.5 and discovered the new Bonjour Fencing functionality.  This is something I've been after for quite some time, having upgraded to Ruckus from an old wireless system that included this functionality.

Bonjour fencing on our old system was more like a firewall; I would enable a policy that is either inbound (from client to AP) or outbound (from AP to client) and specify a default of permit all (apart from blocked) or block all (apart from allowed).  I would then set rules either by choosing from a pre-set service list or by entering a custom string.

I blocked all announcements inbound and outbound and then permitted:
  • Outbound Apple TV (enabling access to ethernet-connected devices)
  • Inbound / outbound custom service of *._cros_p2p._tcp._local (enabling Chromebook peer-to-peer updating) 
  • Outbound custom service *Printsrv._ipp._tcp._local (enabling bonjour printer announcements only from our corporate print server)
Any other inbound announcements from clients were blocked, so iTunes libraries, file shares, home printer shares etc were not broadcast on the corporate network.

The Ruckus implementation seems very different to this and the documentation doesn't include any examples.  It looks like there's no separation of inbound / outbound (unless this is wired / wireless?) and no way of using custom services (since you can only select from the predefined list), so it seems we can't filter for specific servers or include services that aren't on the default list.

I'd love to see examples of what others are using this service for so I can try to figure out how I can get back to the level of filtering we used to have.
Photo of Chris Beattie

Chris Beattie

  • 1 Post
  • 0 Reply Likes
  • confused

Posted 3 months ago

  • 1

Be the first to post a reply!