
Mailing List Archive: nsp: juniper

Help Needed for Bonjour Routing/OSX Clients

 

 



spam-me at fioseurope

May 9, 2012, 1:03 PM

Post #1 of 10
Help Needed for Bonjour Routing/OSX Clients

Hello All, I am a complete noobie when it comes to Juniper so please don't
bash me too bad :-)

Hardware: Juniper SRX240

Problem: We have moved our client PCs from being all in 1 large subnet into
8 VLANs to better segment the various departments. All Windows PCs/Servers
are working fine, no problems. The Apple OSX PCs are another story. They can
only see the Bonjour type services, printers, etc. in their own VLAN and none
from the other VLANs. How can I get this Bonjour traffic to be passed/seen
by all devices in all VLANs?

Current Setup: The SRX240 is the main (Only) router in the network. It is
configured with 8 VLANs, each with a different /24 subnet. 2 Interfaces are
Aggregated and connected to a Managed/VLAN Capable Switch (VPN Trunk) where
the clients/servers have been placed in the various VLANs. Everything works
as expected except the aforementioned Apple Bonjour.

All VLANs are in the same security Zone (Trusted) and permissions have been
set up for all "Trusted" Interfaces to communicate with each other and pass
any/all traffic (No filters/security blocks between VLANs).

What's needed: What are the commands to get the Bonjour traffic to be
seen/sent to all VLAN members? I have found a few posts online, but they all
seem to mention multiple routers or large Corp setups, thus not the right
settings. Any/All help would be appreciated.
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp


jof at thejof

May 9, 2012, 2:55 PM

Post #2 of 10
Re: Help Needed for Bonjour Routing/OSX Clients

To get Bonjour to work across LANs, you would need to enable multicast
routing so that clients on the various LANs can join the same group.

Bonjour is just Apple's name for mDNS (multicast DNS).

Provided that everyone can solicit queries and hear announcements, hosts
should be able to resolve the addresses of the other stations and will then
attempt to route to it.

I've gotten this to work in the past, but it ended up being a LOT more work
than just using DNS names and routing (which I've subsequently done each
time).


Bonjour / mDNS is really only great at service discovery and small-scale
name resolution, IMO. DNS and distributing names at scale; not so much.

Cheers,
jof


ObrienH at missouri

May 9, 2012, 3:02 PM

Post #3 of 10
Re: Help Needed for Bonjour Routing/OSX Clients

How big is the network?

Will O'Brien

On May 9, 2012, at 4:59 PM, "Jonathan Lassoff" <jof [at] thejof> wrote:

> To get Bonjour to work across LANs, you would need to enable multicast
> routing so that clients on the various LANs can join the same group.
>
> Bonjour is just Apple's name for mDNS (multicast DNS).
>
> Provided that everyone can solicit queries and hear announcements, hosts
> should be able to resolve the addresses of the other stations and will then
> attempt to route to it.
>
> I've gotten this to work in the past, but it ended up being a LOT more work
> than just using DNS names and routing (which I've subsequently done each
> time).
>
>
> Bonjour / mDNS is really only great at service discovery and small-scale
> name resolution, IMO. DNS and distributing names at scale; not so much.
>
> Cheers,
> jof


p.mayers at imperial

May 10, 2012, 2:54 AM

Post #4 of 10
Re: Help Needed for Bonjour Routing/OSX Clients

On 09/05/12 22:55, Jonathan Lassoff wrote:

> I've gotten this to work in the past, but it ended up being a LOT more work
> than just using DNS names and routing (which I've subsequently done each
> time).

Out of curiosity, how did this work? Isn't most mDNS traffic TTL=1?


jof at thejof

May 10, 2012, 9:12 AM

Post #5 of 10
Re: Help Needed for Bonjour Routing/OSX Clients

On Thu, May 10, 2012 at 2:54 AM, Phil Mayers <p.mayers [at] imperial> wrote:

> On 09/05/12 22:55, Jonathan Lassoff wrote:
>
>> I've gotten this to work in the past, but it ended up being a LOT more work
>> than just using DNS names and routing (which I've subsequently done each
>> time).
>
> Out of curiosity, how did this work? Isn't most mDNS traffic TTL=1?


I don't know about all the various implementations out there (or if the
standard says anything), but my modern-ish OSX box does 255:

v6:
Internet Protocol Version 6, Src: fe80::xxxx:xxff:xxxx:xxxx (fe80::xxxx:xxff:xxxx:xxxx), Dst: ff02::fb (ff02::fb)
    0110 .... = Version: 6
        [.0110 .... = This field makes the filter "ip.version == 6" possible: 6]
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Field: Default (0x00000000)
        .... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
        .... .... ...0 .... .... .... .... .... = ECN-CE: Not set
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 35
    Next header: UDP (0x11)
    Hop limit: 255
    Source: fe80::xxxx:xxff:xxxx:xxxx (fe80::xxxx:xxff:xxxx:xxxx)
        [Source SA MAC: xx:xx:xx:xx:xx:xx (xx:xx:xx:xx:xx:xx)]
    Destination: ff02::fb (ff02::fb)
User Datagram Protocol, Src Port: 5353 (5353), Dst Port: 5353 (5353)
    Source port: 5353 (5353)
    Destination port: 5353 (5353)
    Length: 35
    Checksum: 0x4aa1 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Domain Name System (query)
......

and the v4 case:
Ethernet II, Src: xx:xx:xx:xx:xx:xx (xx:xx:xx:xx:xx:xx), Dst: 01:00:5e:00:00:fb (01:00:5e:00:00:fb)
    Destination: 01:00:5e:00:00:fb (01:00:5e:00:00:fb)
        Address: 01:00:5e:00:00:fb (01:00:5e:00:00:fb)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: xx:xx:xx:xx:xx:xx (xx:xx:xx:xx:xx:xx)
        Address: xx:xx:xx:xx:xx:xx (xx:xx:xx:xx:xx:xx)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: nn.nn.nn.nn (nn.nn.nn.nn), Dst: 224.0.0.251 (224.0.0.251)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 55
    Identification: 0xd6ca (54986)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (17)
    Header checksum: 0x82ad [correct]
        [Good: True]
        [Bad: False]
    Source: nn.nn.nn.nn (nn.nn.nn.nn)
    Destination: 224.0.0.251 (224.0.0.251)
User Datagram Protocol, Src Port: 5353 (5353), Dst Port: 5353 (5353)
    Source port: 5353 (5353)
    Destination port: 5353 (5353)
    Length: 35
    Checksum: 0x2886 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Domain Name System (query)
....

Cheers,
jof


p.mayers at imperial

May 10, 2012, 9:21 AM

Post #6 of 10
Re: Help Needed for Bonjour Routing/OSX Clients

On 10/05/12 17:12, Jonathan Lassoff wrote:
> On Thu, May 10, 2012 at 2:54 AM, Phil Mayers <p.mayers [at] imperial> wrote:
>
>> On 09/05/12 22:55, Jonathan Lassoff wrote:
>>
>>> I've gotten this to work in the past, but it ended up being a LOT more work
>>> than just using DNS names and routing (which I've subsequently done each
>>> time).
>>
>> Out of curiosity, how did this work? Isn't most mDNS traffic TTL=1?
>
> I don't know about all the various implementations out there (or if the
> standard says anything), but my modern-ish OSX box does 255:

Ok. Though I note that they're both link-local multicast groups, so
again I wonder how people did them cross-subnet.


jof at thejof

May 10, 2012, 9:33 AM

Post #7 of 10
Re: Help Needed for Bonjour Routing/OSX Clients

On Thu, May 10, 2012 at 9:21 AM, Phil Mayers <p.mayers [at] imperial> wrote:

> On 10/05/12 17:12, Jonathan Lassoff wrote:
>
>> On Thu, May 10, 2012 at 2:54 AM, Phil Mayers <p.mayers [at] imperial> wrote:
>>
>>> On 09/05/12 22:55, Jonathan Lassoff wrote:
>>>
>>>> I've gotten this to work in the past, but it ended up being a LOT more work
>>>> than just using DNS names and routing (which I've subsequently done each
>>>> time).
>>>
>>> Out of curiosity, how did this work? Isn't most mDNS traffic TTL=1?
>>
>> I don't know about all the various implementations out there (or if the
>> standard says anything), but my modern-ish OSX box does 255:
>
> Ok. Though I note that they're both link-local multicast groups, so again
> I wonder how people did them cross-subnet.

Oh, I'm not sure if v6 link-local groups can/should be routed. I see no
reason that a device could be configured to allow joins from multiple
links/LANs and forward frames accordingly. ff02::fb is in the link-local
scope however.

Interestingly, ff05::fb is a site-local scoped address that's been set
aside, but I don't know or haven't run across any clients that use this.
It's documented in
http://tools.ietf.org/html/draft-cheshire-dnsext-multicastdns-15

In the past, I did this with the v4 traffic.

Cheers,
jof
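
Added example, not part of the original thread: a small Python check of the two properties debated above, the IP TTL and the scope of the destination group. Groups in 224.0.0.0/24 and ff02::/16 are link-local, so a multicast router drops them whatever the TTL is. The source address 192.0.2.10 and the function names are constructed for illustration; the other header values mirror the v4 capture in post #5.

```python
import ipaddress
import struct

MDNS_PORT = 5353
V4_LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")  # routers never forward this block
V6_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x5: "site-local", 0xE: "global"}


def group_scope(addr):
    """Return the forwarding scope of a multicast group address."""
    ip = ipaddress.ip_address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    if ip.version == 4:
        return "link-local" if ip in V4_LOCAL_CONTROL else "routable"
    scope = ip.packed[1] & 0x0F  # low nibble of the second byte is the scope field
    return V6_SCOPES.get(scope, f"scope-{scope:x}")


def inspect_ipv4_udp(packet):
    """Parse an IPv4+UDP packet and report what decides whether it can leave the subnet."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    if proto != 17:
        raise ValueError("not UDP")
    dst = str(ipaddress.ip_address(packet[16:20]))
    _, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    scope = group_scope(dst)
    # TTL only caps the hop count; a link-local group stops at the first router anyway.
    return {"dst": dst, "ttl": ttl, "mdns": dport == MDNS_PORT, "scope": scope,
            "multicast_routable": scope != "link-local" and ttl > 1}


def build_sample(ttl):
    """Constructed sample packet (checksums zeroed, source address made up)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 55, 0xD6CA, 0, ttl, 17, 0,
                     ipaddress.ip_address("192.0.2.10").packed,
                     ipaddress.ip_address("224.0.0.251").packed)
    udp = struct.pack("!HHHH", MDNS_PORT, MDNS_PORT, 35, 0)
    return ip + udp + bytes(27)


if __name__ == "__main__":
    for ttl in (1, 255):
        print(inspect_ipv4_udp(build_sample(ttl)))
    for group in ("ff02::fb", "ff05::fb"):
        print(group, group_scope(group))
```

With TTL 255 the sample is still reported as not routable, which is why crossing VLANs takes a proxy, a gateway that re-announces services, or unicast DNS-SD rather than plain multicast routing.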


joelja at bogus

May 10, 2012, 5:02 PM

Post #8 of 10
Re: Help Needed for Bonjour Routing/OSX Clients

On 5/10/12 16:21 , Phil Mayers wrote:
> On 10/05/12 17:12, Jonathan Lassoff wrote:
>> On Thu, May 10, 2012 at 2:54 AM, Phil Mayers <p.mayers [at] imperial> wrote:
>>
>>> On 09/05/12 22:55, Jonathan Lassoff wrote:
>>>
>>>> I've gotten this to work in the past, but it ended up being a LOT more work
>>>> than just using DNS names and routing (which I've subsequently done each
>>>> time).
>>>
>>> Out of curiosity, how did this work? Isn't most mDNS traffic TTL=1?
>>
>> I don't know about all the various implementations out there (or if the
>> standard says anything), but my modern-ish OSX box does 255:
>
> Ok. Though I note that they're both link-local multicast groups, so
> again I wonder how people did them cross-subnet.

wide area bonjour is done like this:

http://www.dns-sd.org/ServerSetup.html


jof at thejof

May 10, 2012, 5:09 PM

Post #9 of 10
Re: Help Needed for Bonjour Routing/OSX Clients

On Thu, May 10, 2012 at 5:02 PM, Joel jaeggli <joelja [at] bogus> wrote:

> On 5/10/12 16:21 , Phil Mayers wrote:
>> On 10/05/12 17:12, Jonathan Lassoff wrote:
>>> On Thu, May 10, 2012 at 2:54 AM, Phil Mayers <p.mayers [at] imperial> wrote:
>>>
>>>> On 09/05/12 22:55, Jonathan Lassoff wrote:
>>>>
>>>>> I've gotten this to work in the past, but it ended up being a LOT more work
>>>>> than just using DNS names and routing (which I've subsequently done each
>>>>> time).
>>>>
>>>> Out of curiosity, how did this work? Isn't most mDNS traffic TTL=1?
>>>
>>> I don't know about all the various implementations out there (or if the
>>> standard says anything), but my modern-ish OSX box does 255:
>>
>> Ok. Though I note that they're both link-local multicast groups, so
>> again I wonder how people did them cross-subnet.
>
> wide area bonjour is done like this:
>
> http://www.dns-sd.org/ServerSetup.html


On the surface, this looks like a much cleaner way of doing things,
provided the client support is there.

Thanks for the tip, Joel!

Cheers,
jof


caskings at ionetworks

May 11, 2012, 12:43 AM

Post #10 of 10
Re: Help Needed for Bonjour Routing/OSX Clients

Another option is to get the cheapest Aerohive Access point and use their
Bonjour Gateway (Currently in Beta I believe) to control announcements
between VLANs.


On 11 May 2012 10:09, Jonathan Lassoff <jof [at] thejof> wrote:

>
>
>
> On the surface, this looks like a much cleaner way of doing things,
> provided the client support is there.
>
> Thanks for the tip, Joel!
>
> Cheers,
> jof
>


--

Regards,

Craig Askings

io Networks Pty Ltd.



mobile: 0404 019365

phone: 1300 1 2 4 8 16
