To support SMD / CMD / Chromecast while maintaining peer-to-peer device security in Hospitality networks, the WLAN must be configured in a specific way:
Most Chromecast dongles will be connected via Wi-Fi. In this case, create a dedicated 5Ghz only WLAN on a dedicated VLAN for the Chromecast dongles themselves. On this VLAN you will need a Chromecast Proxy such as Avahi, Gandem or the proprietary Marriott Staycast gateway.
It may be useful to also create a CLI script to turn off Directed Multicast and IGMP/MLD on the APs
*fw_version=[insert AP firmware version]
model=H550,H350
set qos eth0 directed multicast disable
set qos eth0 igmp-snooping disable
set qos eth1 directed multicast disable
set qos eth1 igmp-snooping disable
set qos igmp_query v3 disable
set qos mld_query v2 disable*
Since we cannot enable the Isolate Multicast/Broadcast feature on the Guest WLAN, Multicast and Broadcast traffic from Guest devices will propagate across the entire network and out to the Wi-Fi clients, which will cause considerable RF Utilization and is a security concern. Think of all those guest MacOS, iOS and Android devices all responding to all that Bonjour traffic (AirPlay, AirPrint, etc) from all the other guest devices!
To avoid this, we need to stop mDNS traffic from propagating between APs. This is easy to do on ICX. All you need to do is define an access-list and apply it to all the ports which lead to an AP.
<aside> 🚨 Keep ACLs short! ACLs are CPU processed so if there is an excessive amount of traffic it will cause the CPU to overload and the switch will reboot. Try to stick with 3 lines as shown in the example below.
</aside>
Connect to the ICX switch, go into Config mode and configure the following:
ip access-list extended Filter_mDNS sequence 10 permit udp host [IP of Chromecast gateway/proxy on the Guest VLAN, eg 192.168.22.10] any eq 5353 sequence 15 permit udp host [IP of Chromecast gateway/proxy on the Chromecast VLAN, eg 10.5.5.10] any eq 5353 OPTIONAL sequence 20 deny udp [Subnet of Guest VLAN devices in network inverse mask format, eg 192.168.22.0 0.0.0.255] host 224.0.0.251 eq 5353 sequence 25 deny udp [Subnet of Chromecast VLAN devices in network inverse mask format, eg 10.5.5.0 0.0.0.255] host 224.0.0.251 eq 5353 OPTIONAL sequence 30 permit ip any any
OPTIONAL = These lines should only be used when you are using consumer Chromecast dongles and they are connected via Wi-Fi. In some cases, consumer-grade Chromecast dongles create an mDNS amplification storm.
Most hospitality-specific Chromecast implementations built into Hospitality TVs do not cause this mDNS storm therefore these lines are not needed.
If you’re unsure, first try to set the ACL without the Optional lines. If you see a significant amount of traffic on the Chromecast WLAN, add these two lines.
or via the GUI:
Simply apply the Access List to all downstream ports - whether there is an Access Point, a TV, a wired Chromecast, a server, or a downstream switch.
interface ethernet x/x/x [downstream-facing ethernet ports] ip access-group Filter_mDNS out
Note that you cannot configure multiple ports at once by using port ranges.