To support SMD / CMD / Chromecast while maintaining peer-to-peer device security in Hospitality networks, the WLAN must be configured in a specific way:
Most Chromecast dongles will be connected via Wi-Fi. In this case, create a dedicated 5Ghz only WLAN on a dedicated VLAN for the Chromecast dongles themselves. On this VLAN you will need a Chromecast Proxy such as Avahi, Gandem or the proprietary Marriott Staycast gateway.
It may be useful to also create a CLI script to turn off Directed Multicast and IGMP/MLD on the APs
*fw_version=[insert AP firmware version]
model=H550,H350
set qos eth0 directed multicast disable
set qos eth0 igmp-snooping disable
set qos eth1 directed multicast disable
set qos eth1 igmp-snooping disable
set qos eth2 directed multicast disable
set qos eth2 igmp-snooping disable
set qos eth3 directed multicast disable
set qos eth3 igmp-snooping disable
set qos igmp_query v3 disable
set qos mld_query v2 disable*
Since we cannot enable the Isolate Multicast/Broadcast feature on the Guest WLAN, Multicast and Broadcast traffic from Guest devices will propagate across the entire network and out to the Wi-Fi clients, which will cause considerable RF Utilization and is a security concern. Think of all those guest MacOS, iOS and Android devices all responding to all that Bonjour traffic (AirPlay, AirPrint, etc) from all the other guest devices!
To avoid this, we need to stop mDNS traffic from propagating between APs. This is easy to do on ICX. All you need to do is define an access-list and apply it to all the ports which lead to an AP.
<aside> 🚨 Keep ACLs short! ACLs are CPU processed so if there is an excessive amount of traffic it will cause the CPU to overload and the switch will reboot. Try to stick with 3 lines as shown in the example below.
</aside>
Connect to the ICX switch, go into Config mode and configure the following:
ip access-list extended Filter_mDNS sequence 10 permit udp host [IP of Chromecast gateway/proxy on the Guest VLAN, eg 192.168.22.10] any eq 5353 sequence 15 permit udp host [IP of Chromecast gateway/proxy on the Chromecast VLAN, eg 10.5.5.10] any eq 5353 sequence 20 deny udp [Subnet of Guest VLAN devices in network inverse mask format, eg 192.168.22.0 0.0.0.255] 224.0.0.0 15.255.255.255 sequence 25 deny udp [Subnet of Chromecast VLAN devices in network inverse mask format, eg 10.5.5.0 0.0.0.255] host 224.0.0.251 eq 5353 sequence 30 permit ip any any
or via the GUI:
Simply apply the Access List to all downstream ports - whether there is an Access Point, a TV, a wired Chromecast, a server, or a downstream switch.
interface ethernet x/x/x [downstream-facing ethernet ports] ip access-group Filter_mDNS out
Note that you cannot configure multiple ports at once by using port ranges.