Bonjour Gateway with Client Isolation

Greg_WiGuy
Contributor II

Hey Gang,
I'm working on a new LAN design scheme for our offices and taking my time to fully understand the Bonjour Gateway feature by reading through the "Ruckus Bonjour Gateway “How To” Guide" from 2018.  We're running a pair of SZ124s and planning an upgrade from 6.1.0.x to the new LTS 6.1.1.x line, but I doubt that has much impact on this.

So far my understanding is that we should run BjGW on only 1 AP in each office, with the switch port configured as a trunk carrying each VLAN we want to advertise services from, like printing in this case.

Printer VLAN - 20
Wired Data VLAN - 10
WiFi Data VLAN - 11
AP Mgmt VLAN - 30

So I need to build a trunk with native/PVID 30, and allow 10,11,20.  Then on the SZ, configure a Bonjour Gateway Policy with the following.

AirPrint from V20 to 10
AirPrint from V20 to 11

And now assign that to the 1 AP we have all VLANs trunked to, as per the best practice of having only 1 AP act as the BjGW in this scenario.

Next up, configure a WLAN/SSID with local drop off on VLAN 11, all set.  This should work as per the guide.

Here's where I'm concerned.  We want to use Client isolation from a security and performance standpoint.  I don't like wasting airtime and useless frames on all the client discovery protocols floating around the network, and we also want to limit the spread of malware if one of the hosts were to become infected.

Is it possible to still allow multicast mDNS discovery of printers while Client isolation is in use?  We plan on using private VLANs on the wired client connections also, which in theory should allow BUMcast traffic to and from all trunk ports.

I'm thinking that maybe I have to discover the wired MAC address of the AP assigned as my BjGW in each office and whitelist it somehow.  I see the client isolation whitelist feature but it also requires an IP, and I'm not sure if the AP participates in these VLANs on IP/L3 or if it just listens and forwards on the MAC layer.

I hope I've written this clearly, apologies if this is a little convoluted and needs a second read-through.

1 REPLY

Chandini
RUCKUS Team Member

Hi Greg

I suppose your request may need more time to analyze and help you with your concerns. I would recommend that you open a ticket with TAC using the link below.

https://support.ruckuswireless.com/contact-us

Thanks