Configuring VRF-Aware Local Area Bonjour Services

Beginning from Cisco IOS XE Bengaluru 17.4.1, Cisco Catalyst 9000 Series switches support Virtual Routing and Forwarding-Aware (VRF-Aware) services in the Local Area Bonjour domain. VRF-Aware Local Area Bonjour services provide boundary-based service discovery for Layer 3 segmented IPv4 and IPv6 networks and support policy-based (secure) routing services for Wired and Wireless networks. VRF-Aware Local Area Bonjour service is supported on enterprise-grade, traditional, and next-generation fabric-based deployment models as described in Cisco DNA Service for Bonjour Solution Overview.

Prerequisites for VRF-Aware Local Area Bonjour Services

  • You must understand the mDNS service segmentation capabilities to implement, manage, and troubleshoot the proxy service in Local Area Bonjour domain.

  • Ensure that the Cisco Catalyst 9000 Series switch is configured in SDG-Agent mode. VRF-Aware Local Area Bonjour service is supported only on the first-hop IP gateway, that is, on switches configured in SDG-Agent mode in Wired and Wireless networks.

  • Ensure that the software version installed on the Cisco Catalyst 9000 Series switch is Cisco IOS XE Bengaluru 17.4.1 or higher.

  • Ensure that all required IP VRFs are configured with the IPv4 or IPv6 address family. These configurations are required to activate the VRF on the switch configured in SDG-Agent mode.

  • Ensure that each IP VRF is configured on a local SVI interface that acts as the IP gateway, so that Wired and Wireless mDNS endpoints can be attached to it directly or remotely.

  • To activate the mDNS gateway in Unicast mode for a VLAN, first enable the VLAN using the vlan configuration id command, and then configure the mDNS gateway and service policy under it.

  • Ensure that all configurations for IPv4 or IPv6 data routing and forwarding, both within the same VRF and between different VRFs, are complete, including network requirements such as stateful firewall configuration, route-leaking configuration, and so on. The mDNS policy controls only service discovery; it does not create a data path between VRFs.

  • Ensure that all the prerequisites described in Configuring Local Area Bonjour in Unicast Mode for LAN Networks module are completed.

Restrictions for VRF-Aware Local Area Bonjour Services

  • VRF-Aware Local Area Bonjour service is not supported on a Layer 2 Cisco Catalyst 9000 Series switch or a Layer 2 Cisco Catalyst 9800 WLC in Service-Peer mode.

  • VRF-Aware Local Area Bonjour services are configured only to provide mDNS service discovery information between Layer 3 segments within the same or different IP VRFs, or to share services from non-VRF-enabled networks. Any additional IP routing and data forwarding configuration is beyond the scope of this implementation.

Information about VRF-Aware Local Area Bonjour Services

The Cisco DNA Service for Bonjour solution provides end-to-end service routing for enterprise-grade Wired and Wireless networks. Enterprise networks are built as secure, segmented networks that protect IT-managed infrastructure and share services and resources among trusted and untrusted user groups. The physical infrastructure can be logically virtualized into private networking spaces that support secure communication within closed user groups and conditionally extend boundary services based on business and technical demands.

VRF-Aware Local Area Bonjour gateway services allow you to dynamically discover and distribute mDNS services, based on policy, between VLANs that are mapped to the same VRF in a Layer 3 segmented overlay network. You can also build an Extranet using the mDNS location-filter policy, which supports proxy services among multiple logical VRFs or the global IP routing domain on the local system. The Layer 3 VRF-segmented networks can be routed in the overlay using next-generation overlay technologies such as Cisco SD-Access and BGP EVPN VXLAN, or classic technologies such as Multi-VRF and MPLS.

Figure 1 illustrates the Cisco DNA Service for Bonjour solution configured with VRF-Aware services for enterprise-grade Wired and Wireless networks.

Figure 1. Cisco DNA Service for Bonjour with VRF-Aware Services

Gateway Modes for VRF-Aware Bonjour Services

VRF is a Layer 3 specific virtual routing function and therefore it is implemented on Layer 3 Ethernet switches with first-hop IP gateways that can directly or remotely attach mDNS endpoints.

Figure 2 illustrates the Cisco Catalyst 9000 Series switch in SDG-Agent mode supporting VRF-Aware services in Layer 3 routed access mode and in multilayer network deployment mode. In multilayer mode, the gateway at the distribution layer provides the Layer 2 or Layer 3 boundary for a downstream Layer 2 Cisco Catalyst 9000 Series switch or Cisco Catalyst 9800 WLC, which provides local proxy service for its local VLANs.

Figure 2. Gateway Modes for VRF-Aware Services
  • VRF-Aware Routed Access: The Cisco Catalyst 9000 Series switch can be deployed as the IP gateway for directly attached Wired or Wireless mDNS endpoints. The Cisco Wireless SSID can be configured as fabric-enabled or as FlexConnect with local switching, which provides a local termination point on a first-hop Ethernet switch that supports Layer 3 overlay networks such as Cisco SD-Access or a BGP EVPN-based fabric. A Cisco Catalyst 9000 Series switch configured in SDG-Agent mode provides unicast-based mDNS gateway services to directly attached Wired and Wireless endpoints within the same or different virtual routing network space or the default global IP network.

  • VRF-Aware Multilayer: The Cisco Catalyst 9000 Series switch can be deployed as the IP gateway for remotely attached Wired or Wireless mDNS endpoints through an intermediate Layer 2 Cisco Catalyst 9000 Series switch or Cisco Catalyst 9800 Series WLC. A Cisco Catalyst 9000 Series switch configured in SDG-Agent mode at the distribution layer provides VRF-Aware mDNS gateway services, while the Layer 2 Ethernet switch and Cisco WLC in Unicast mode provide local proxy services to directly attached Wired and Wireless endpoints within the same or different VLANs.

Understanding VRF-Aware Wide Area Bonjour Services

VRF-Aware service discovery and distribution can be implemented across multiple switches in SDG-Agent mode on an IP, MPLS, or VXLAN-enabled network with Wide Area Bonjour. Cisco Catalyst Center with the Wide Area Bonjour application supports granular, policy-based routing services that allow mDNS services to be discovered and distributed dynamically over overlay networks. You can build a global policy combining one or more source and receiver SDG-Agents that distributes or advertises services from a specific IPv4 or IPv6 network mapped to a VRF.

The network-wide, distributed switches in SDG-Agent mode transport locally discovered or requested mDNS service information over a lightweight unicast routing service to the centralized Cisco Catalyst Center controller in the underlay IPv4 network. These switches must be configured with a unified service-export policy for local networks mapped to one or more VRFs or to the global IP routing domain.

Figure 3 illustrates VRF-Aware Wide Area Bonjour services for IP, MPLS, or VXLAN-enabled overlay networks.

Figure 3. VRF-Aware Wide Area Bonjour Services

The Configuring Wide Area Bonjour module lists the configuration procedures in detail.

Understanding VRF-Aware Service on Multilayered Wired and Wireless Networks

The Cisco Catalyst 9000 Series switches support VRF-Aware service for multilayered Wired and central-switching Wireless networks. In this design, the Layer 2 or Layer 3 network boundary of the Cisco Catalyst 9000 Series switch at the distribution layer is extended through an intermediate Layer 2 Cisco Catalyst 9000 Series switch or Cisco Catalyst 9800 Series WLC that is directly attached to the Wired and central-switching Wireless endpoints. Because the IP gateway moves to the distribution layer, the Cisco Catalyst 9000 Series switches there must be configured in SDG-Agent mode, and the downstream Layer 2 switch and WLC must be configured in Service-Peer mode to provide mDNS proxy services to locally attached endpoints.

The VRF-Aware service configured on a switch in SDG-Agent mode at the distribution layer follows the configuration and operation guidelines for Wired and central-switching Wireless described in Understanding VRF-Aware Wide Area Bonjour Services. The Layer 2 switch and WLC remain transparent to VRF-Aware services and continue to provide local proxy services to locally attached users in the same or different VLANs.

Figure 4 illustrates end-to-end VRF-Aware service on multilayered Wired and Wireless networks across the Wide Area Bonjour domain with Cisco Catalyst Center.

Figure 4. VRF-Aware on Multilayered Wired and Wireless Network

How to Configure Intra-Virtual Network Proxy Service on Local Area Bonjour Domain

Intra-Virtual Network (Intra-VN) Proxy Service is a policy-based VRF-Aware service discovery and distribution implemented on the IP VRF of a switch in SDG-Agent mode connected to multiple IP networks.

Beginning from Cisco IOS XE Bengaluru 17.4.1, the Cisco Catalyst 9000 Series switches support mDNS gateway service as the default on each VRF. You must build an mDNS service policy that explicitly permits the required mDNS service types and map it to the endpoint-facing VLANs; a service-list ends with an implicit deny, so an unlisted service type is never proxied. The Cisco Catalyst 9000 Series switch automatically discovers the VRF association of each VLAN interface without additional configuration.

The Cisco Catalyst 9000 Series switch in SDG-Agent mode dynamically discovers mDNS services from the local network and automatically builds VRF-aware service information. By default, the SDG-Agent limits its mDNS proxy responses to endpoints in other VLANs mapped to the same VRF, so that the proxy service respects the Layer 3 segmentation boundary unless a location-filter policy explicitly extends it.

Figure 5 illustrates VRF-Aware service enabled as an Intra-VN proxy service.

Figure 5. Intra-VN Service Proxy

How to Configure Inter-Virtual Network Proxy Service on Local Area Bonjour Domain

Inter-VN Proxy Service is a policy-based VRF-Aware service discovery and distribution implemented on multiple IP VRFs or on a global IP routing domain of a switch in SDG-Agent mode connected to multiple IP networks.

Beginning from Cisco IOS XE Bengaluru 17.4.1, the Cisco Catalyst 9000 Series switches support mDNS service discovery and distribution between IP VRFs, or between a VRF and the global routing domain, based on the configured mDNS location-filter policy. The location-filter configuration on an SDG-Agent permits mDNS service information to be exchanged between the configured VLANs and records the discovery and distribution in the mapping table. Although configuring Inter-VN provides Extranet mDNS proxy services between Wired and Wireless networks, it exchanges only service discovery information: additional mechanisms such as a stateful firewall and route leaking must also be configured to carry the data traffic between VRFs or from a VRF to the global IP routing domain.
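The following Python model is added here as an example and is not Cisco code; it models the proxy decision described in both the Intra-VN section above and this Inter-VN section. A cache record is visible to a querier when the outbound service-list permits its service type and either both VLANs sit in the same VRF (the default intra-VN behaviour) or the service-list entry references a location-filter whose location-group holds both VLANs (inter-VN). Unlisted service types hit the implicit deny. The VRF names, VLAN-to-VRF mapping and cache records are constructed for the demonstration.

```python
"""Model of VRF-aware mDNS proxy decisions on an SDG-Agent.

Added example, not Cisco code. VRF names, VLAN-to-VRF mappings and cache
records are constructed. The decision rule mirrors the guide's description:
intra-VN by default, inter-VN only through a location-filter, implicit deny
for any service type the outbound service-list does not match.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CacheRecord:
    instance: str   # announced service instance name
    service: str    # service-definition name the instance matches
    vlan: int       # VLAN the announcement was learned from


@dataclass
class LocationFilter:
    # location-group id -> VLANs; "default" mirrors
    # "match location-group default vlan <id>"
    groups: dict = field(default_factory=dict)

    def same_group(self, vlan_a: int, vlan_b: int) -> bool:
        return any(vlan_a in g and vlan_b in g for g in self.groups.values())


@dataclass
class OutServiceList:
    # service-definition name -> location-filter name, or None for an entry
    # with no location-filter. Unlisted service types are implicitly denied.
    entries: dict = field(default_factory=dict)


def visible_records(cache, vlan_to_vrf, out_list, location_filters, receiver_vlan):
    """Records the SDG-Agent would proxy to a querier in receiver_vlan."""
    receiver_vrf = vlan_to_vrf[receiver_vlan]
    visible = []
    for rec in cache:
        if rec.service not in out_list.entries:
            continue  # implicit deny at the end of the service-list
        lf_name = out_list.entries[rec.service]
        if vlan_to_vrf[rec.vlan] == receiver_vrf:
            visible.append(rec)  # intra-VN: same VRF, any VLAN
        elif lf_name and location_filters[lf_name].same_group(rec.vlan, receiver_vlan):
            visible.append(rec)  # inter-VN: VLANs explicitly grouped
    return visible


# Constructed topology: two VLANs in BLUE-VRF, one each in YELLOW, GREEN, RED.
VLAN_TO_VRF = {101: "BLUE-VRF", 102: "BLUE-VRF", 201: "YELLOW-VRF",
               301: "GREEN-VRF", 401: "RED-VRF"}

CACHE = [  # constructed cache content
    CacheRecord("Lobby-ATV._airplay._tcp.local", "APPLE-TV", 102),
    CacheRecord("Yellow-ATV._airplay._tcp.local", "APPLE-TV", 201),
    CacheRecord("Green-ATV._airplay._tcp.local", "APPLE-TV", 301),
    CacheRecord("Red-ATV._airplay._tcp.local", "APPLE-TV", 401),
    CacheRecord("Yellow-Printer._ipp._tcp.local", "PRINTER", 201),
]

LOCATION_FILTERS = {
    # mirrors: match location-group default vlan 101 / 201 / 301
    "INTER-VN-LOCAL-PROXY": LocationFilter({"default": {101, 201, 301}}),
}

# Extranet policy: Apple TV crosses VRFs through the location-filter;
# PRINTER is not listed and is therefore denied everywhere.
INTER_VN_LIST = OutServiceList({"APPLE-TV": "INTER-VN-LOCAL-PROXY"})
# Intra-VN only: Apple TV permitted, but no location-filter attached.
INTRA_VN_LIST = OutServiceList({"APPLE-TV": None})


def visible_vlans(out_list, receiver_vlan):
    """Sorted source VLANs a receiver in receiver_vlan learns services from."""
    recs = visible_records(CACHE, VLAN_TO_VRF, out_list, LOCATION_FILTERS, receiver_vlan)
    return sorted(r.vlan for r in recs)


if __name__ == "__main__":
    print("inter-VN, receiver in VLAN 101:", visible_vlans(INTER_VN_LIST, 101))
    print("intra-VN, receiver in VLAN 101:", visible_vlans(INTRA_VN_LIST, 101))
    print("inter-VN, receiver in VLAN 401:", visible_vlans(INTER_VN_LIST, 401))
```

The point to notice is the asymmetry: VLAN 401 (RED-VRF) is never grouped by the location-filter, so neither its Apple TV nor its queriers cross the VRF boundary even though the same outbound list is in effect, and the printer is dropped everywhere because no entry matches it.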

Figure 6 shows the Inter-VN proxy service for an Extranet network.

Figure 6. Inter-VN Proxy Service

Configuring Inter-Virtual Network Location-Filter

To enable the local service proxy on the switch to discover and distribute mDNS services between local VLANs that belong to different VRFs, perform the following steps:

Procedure


Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

vlan ID

Example:

Device(config)# vlan 101
Device(config-vlan)# name BLUE-VRF
Device(config-vlan)# vlan 201
Device(config-vlan)# name YELLOW-VRF
Device(config-vlan)# vlan 301
Device(config-vlan)# name GREEN-VRF

Creates the VLAN IDs in the local VLAN database for the mDNS endpoints. In this example, each VLAN is mapped to a different VRF (BLUE-VRF, YELLOW-VRF, and GREEN-VRF).

Step 4

mdns-sd location-filter location-filter-name

Example:

Device(config)# mdns-sd location-filter INTER-VN-LOCAL-PROXY

Configures a unique location-filter.

Step 5

match location-group {all | default | ID} vlan ID

Example:

Device(config-mdns-loc-filter)# match location-group default vlan 101
Device(config-mdns-loc-filter)# match location-group default vlan 201
Device(config-mdns-loc-filter)# match location-group default vlan 301

Configures the match criteria. The VLANs placed in the same location-group mutually distribute the permitted services among themselves, regardless of the VRF each VLAN is mapped to.

Step 6

mdns-sd service-list service-list-name {in | out}

Example:

Device(config)# mdns-sd service-list BLUE-VRF-LIST-OUT out

Configures an mDNS service-list to classify one or more service types. A separate service-list is required for each direction: an inbound list to process incoming mDNS messages and an outbound list for the proxy responses sent to requesting endpoints.

Step 7

match service-definition-name [message-type {any | announcement | query}] [location-filter location-filter-name]

Example:

Device(config)# mdns-sd service-list BLUE-VRF-LIST-OUT out
Device(config-mdns-sl-out)# match APPLE-TV location-filter INTER-VN-LOCAL-PROXY

Associates the location-filter with one or more service types to enable local proxy between the grouped VLANs. For example, an Apple TV learned from the YELLOW-VRF VLAN 201 or the GREEN-VRF VLAN 301 is distributed to a receiver in the BLUE-VRF VLAN 101, and vice versa. APPLE-TV must be an existing built-in or user-defined service definition (see show mdns-sd service-definition).

The service-list ends with an implicit deny: any service type that is not matched is not proxied.

The message-type keyword is not required for an outbound service-list.

Step 8

mdns-sd service-policy service-policy-name

Example:

Device(config)# mdns-sd service-policy BLUE-VRF-POLICY

Creates a unique mDNS service-policy.

Step 9

service-list service-list-name {in | out}

Example:

Device(config)# mdns-sd service-policy BLUE-VRF-POLICY
Device(config-mdns-ser-policy)# service-list BLUE-VRF-LIST-OUT out

Configures an mDNS service policy to associate with the service-list for each direction.

Step 10

vlan configuration ID

Example:

Device(config)# vlan configuration 101,201,301

Enters VLAN configuration mode for the VLANs that carry mDNS endpoints, where the advanced service parameters are configured.

One or more VLANs can be configured with the same settings. For example, vlan configuration 101-110 or vlan configuration 101,200 allows you to configure consecutive or nonconsecutive VLAN IDs in one step. In this example the gateway is enabled on all three VRF VLANs, so that the switch learns services from VLANs 201 and 301 and answers queries in VLAN 101.

Step 11

mdns-sd gateway

Example:

Device(config-vlan)# mdns-sd gateway

Enables the mDNS gateway on the specified VLAN IDs.

Step 12

service-policy service-policy-name

Example:

Device(config-vlan-mdns)# service-policy BLUE-VRF-POLICY

Associates an mDNS service-policy with the specified VLAN IDs.

Step 13

end

Example:

Device(config-vlan-mdns)# end

Returns to privileged EXEC mode.
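The following is a complete configuration for the procedure above, added here as an example; it is not taken from the Cisco guide. The VRF names, VLAN IDs and addresses are constructed. The global mdns-sd gateway command and the inbound service-list are assumed to be required by the Unicast Mode module that the prerequisites reference, and APPLE-TV is assumed to be a service definition that already exists on the switch.

```cisco
! Added example, not from the Cisco guide. VRF names, VLAN IDs and
! addresses are constructed. Assumptions: global "mdns-sd gateway" is
! needed (Unicast Mode module), and APPLE-TV is an existing
! service-definition (verify with: show mdns-sd service-definition).
!
vrf definition BLUE-VRF
 address-family ipv4
 exit-address-family
!
vrf definition YELLOW-VRF
 address-family ipv4
 exit-address-family
!
vrf definition GREEN-VRF
 address-family ipv4
 exit-address-family
!
vlan 101
 name BLUE-VRF
vlan 201
 name YELLOW-VRF
vlan 301
 name GREEN-VRF
!
! First-hop IP gateway per VLAN; the SVI's VRF is what the SDG-Agent
! discovers automatically for the VRF-aware cache.
interface Vlan101
 vrf forwarding BLUE-VRF
 ip address 192.168.101.1 255.255.255.0
interface Vlan201
 vrf forwarding YELLOW-VRF
 ip address 192.168.201.1 255.255.255.0
interface Vlan301
 vrf forwarding GREEN-VRF
 ip address 192.168.30.1 255.255.255.0
!
! Global mDNS gateway (assumed; SDG-Agent is the default mode)
mdns-sd gateway
!
! Location-filter: only these three VLANs exchange services across VRFs.
! A VLAN left out of every location-group stays inside its own VRF.
mdns-sd location-filter INTER-VN-LOCAL-PROXY
 match location-group default vlan 101
 match location-group default vlan 201
 match location-group default vlan 301
!
! Inbound: learn Apple TV announcements. Outbound: answer queries for
! them, crossing VRFs only where the location-filter groups the VLANs.
! Both lists end with an implicit deny.
mdns-sd service-list BLUE-VRF-LIST-IN in
 match APPLE-TV message-type announcement
mdns-sd service-list BLUE-VRF-LIST-OUT out
 match APPLE-TV location-filter INTER-VN-LOCAL-PROXY
!
mdns-sd service-policy BLUE-VRF-POLICY
 service-list BLUE-VRF-LIST-IN in
 service-list BLUE-VRF-LIST-OUT out
!
! Apply on every VLAN that hosts mDNS endpoints, sources included;
! nonconsecutive IDs are allowed in one command.
vlan configuration 101,201,301
 mdns-sd gateway
  service-policy BLUE-VRF-POLICY
```

After applying it, show mdns-sd cache vrf YELLOW-VRF and show mdns-sd cache vrf GREEN-VRF should list the Apple TV records learned on VLANs 201 and 301, and show mdns-sd service-policy name BLUE-VRF-POLICY should show both lists attached. Keep in mind what this policy does not do: a client in VLAN 101 is now told that an Apple TV exists in VLAN 201, but the AirPlay session only works if routing between BLUE-VRF and YELLOW-VRF (route leaking, a firewall, or similar) is configured separately.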

Verifying VRF-Aware Local Area Bonjour Services

The dynamically discovered VRF-Aware service information can be verified on Cisco Catalyst 9000 Series switch in SDG-Agent mode by including the vrf keyword on the existing show mdns-sd command. You can verify each VRF-service record information based on the unique VRF name.

The following is an example of the command that displays the dynamically discovered mDNS service records in the BLUE-VRF:

Device# show mdns-sd cache vrf BLUE-VRF

                                                    mDNS CACHE
===================================================================================================================================================================================
[<NAME>]                                     [<TYPE>]    [<TTL>/Remaining] [Vlan-Id/If-name] [Mac Address]        [<RR Record Data>]


RTP-ATV-1._device-info._tcp.local            TXT         4500/4495         511               a018.28f2.9889       (13)'model=J33iAP'
_airplay._tcp.local                          PTR         4500/4495         511               a018.28f2.9889       RTP-ATV-1._airplay._tcp.local
_raop._tcp.local                             PTR         4500/4495         511               a018.28f2.9889       A01828F29889@RTP-ATV-1._raop._tcp.local
RTP-ATV-1._airplay._tcp.local                SRV         4500/4495         511               a018.28f2.9889       0           0                   7000           RTP-ATV-3.local
A01828F29889@RTP-ATV-1._raop._tcp.local      SRV         4500/4495         511               a018.28f2.9889       0           0                   7000           RTP-ATV-3.local
RTP-ATV-1.local                              AAAA        4500/4495         511               a018.28f2.9889       2001:10:153:2:C2F:9445:7062:5C3C
RTP-ATV-1.local                              A           4500/4495         511               a018.28f2.9889       10.155.1.17
RTP-ATV-1._airplay._tcp.local                TXT         4500/4495         511               a018.28f2.9889       (208)'deviceid=A0:18:28:F2:98:89''features=0x5A7FFFF7,0x1E''flags=0x44''model=~'~
A01828F29889@RTP-ATV-1._raop._tcp.local      TXT         4500/4495         511               a018.28f2.9889       (177)'cn=0,1,2,3''da=true''et=0,3,5''ft=0x5A7FFFF7,0x1E''md=0,1,2''am=AppleTV3,2'~
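The output above is easy to script against when auditing what an SDG-Agent holds for a VRF. The following parser is added here as an example and is not Cisco code: it turns the text table into records, summarizes the service types present per VLAN, and reports SRV targets that have no A or AAAA record from the same MAC address in the cache (a stale entry, a renamed device, or an announcement worth inspecting). The embedded sample is the output shown above, and the column layout assumed by the parser is the one seen there.

```python
"""Parser and sanity checks for "show mdns-sd cache vrf <name>" output.

Added example, not Cisco code. The sample is the output shown on this page;
the regular expression assumes the column layout seen there:
NAME TYPE TTL/Remaining Vlan-Id/If-name MAC RR-Record-Data.
"""
import re
from collections import defaultdict

SAMPLE = """\
                                                    mDNS CACHE
============================================================================
[<NAME>]                                     [<TYPE>]    [<TTL>/Remaining] [Vlan-Id/If-name] [Mac Address]        [<RR Record Data>]


RTP-ATV-1._device-info._tcp.local            TXT         4500/4495         511               a018.28f2.9889       (13)'model=J33iAP'
_airplay._tcp.local                          PTR         4500/4495         511               a018.28f2.9889       RTP-ATV-1._airplay._tcp.local
_raop._tcp.local                             PTR         4500/4495         511               a018.28f2.9889       A01828F29889@RTP-ATV-1._raop._tcp.local
RTP-ATV-1._airplay._tcp.local                SRV         4500/4495         511               a018.28f2.9889       0           0                   7000           RTP-ATV-3.local
A01828F29889@RTP-ATV-1._raop._tcp.local      SRV         4500/4495         511               a018.28f2.9889       0           0                   7000           RTP-ATV-3.local
RTP-ATV-1.local                              AAAA        4500/4495         511               a018.28f2.9889       2001:10:153:2:C2F:9445:7062:5C3C
RTP-ATV-1.local                              A           4500/4495         511               a018.28f2.9889       10.155.1.17
RTP-ATV-1._airplay._tcp.local                TXT         4500/4495         511               a018.28f2.9889       (208)'deviceid=A0:18:28:F2:98:89''features=0x5A7FFFF7,0x1E''flags=0x44''model=~'~
A01828F29889@RTP-ATV-1._raop._tcp.local      TXT         4500/4495         511               a018.28f2.9889       (177)'cn=0,1,2,3''da=true''et=0,3,5''ft=0x5A7FFFF7,0x1E''md=0,1,2''am=AppleTV3,2'~
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<type>PTR|SRV|TXT|A|AAAA)\s+"
    r"(?P<ttl>\d+)/(?P<remaining>\d+)\s+(?P<vlan>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<data>.*)$"
)


def parse_cache(text):
    """Return one dict per cache line; header and separator lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ttl"] = int(rec["ttl"])
        rec["remaining"] = int(rec["remaining"])
        records.append(rec)
    return records


def services_per_vlan(records):
    """{vlan: {service type: set(instance names)}} built from PTR records."""
    out = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["type"] == "PTR":
            out[r["vlan"]][r["name"]].add(r["data"])
    return out


def srv_targets_without_address(records):
    """(instance, target, port) for SRV targets lacking an A/AAAA from the same MAC."""
    hosts_by_mac = defaultdict(set)
    for r in records:
        if r["type"] in ("A", "AAAA"):
            hosts_by_mac[r["mac"]].add(r["name"])
    missing = []
    for r in records:
        if r["type"] == "SRV":
            _priority, _weight, port, target = r["data"].split()
            if target not in hosts_by_mac[r["mac"]]:
                missing.append((r["name"], target, int(port)))
    return missing


if __name__ == "__main__":
    recs = parse_cache(SAMPLE)
    for vlan, types in services_per_vlan(recs).items():
        print(vlan, {t: sorted(i) for t, i in types.items()})
    for instance, target, port in srv_targets_without_address(recs):
        print("SRV target without address record:", instance, "->", f"{target}:{port}")
```

On the page's own sample the second check fires twice: both SRV records point at RTP-ATV-3.local while the only A and AAAA records from that MAC are for RTP-ATV-1.local, which is exactly the kind of inconsistency worth a second look before a service is extended across a VRF boundary.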

Use the following commands in privileged EXEC mode on a Cisco Catalyst 9000 Series switch configured in SDG-Agent mode to verify various Local Area Bonjour domain mDNS parameters such as service configuration, cache records, statistics, and so on.

Table 1. Commands to Verify VRF-Aware Services

Command

Purpose

show mdns-sd cache {all | interface | mac | name | service-peer | static | type | vlan | vrf}

Displays the available mDNS cache records. The following keywords filter the records by their source and provide granular detail:

  • all : Displays all available cache records discovered from multiple source connections of a system.

  • interface : Displays the available cache records discovered from a specified Layer 3 interface.

  • mac : Displays the available cache records discovered from the specified MAC address.

  • name : Displays the available cache records based on service provider announced name.

  • service-peer : Displays available cache records discovered from the specified Layer 2 Service-Peer.

  • static : Displays the locally configured static mDNS cache entries.

  • type : Displays the available cache records based on the specific mDNS record type (PTR, SRV, TXT, A, or AAAA).

  • vlan : Displays the available cache records discovered from the specified Layer 2 VLAN ID in unicast mode.

  • vrf : Displays the available cache records discovered in the specified VRF.

show mdns-sd service-definition {name | type}

Displays the built-in and user-defined custom service definitions and provides the mapping from service name to mDNS PTR records.

The service-definition can be filtered by name or type.

show mdns-sd service-list {direction | name}

Displays the configured inbound or outbound service-list that classifies matching service types for a service policy.

The service lists can be filtered by name or specific direction.

show mdns-sd service-policy {interface | name}

Displays the list of mDNS service policies mapped with inbound or outbound service-lists.

The service policies list can be filtered by the associated specified interface or by name.

show mdns-sd statistics {all | cache | debug | interface | service-list | service-policy | services | vlan}

Displays detailed mDNS statistics for traffic processed bidirectionally by the system on each mDNS-gateway-enabled VLAN when mDNS is configured in unicast mode.

The keywords for the mDNS statistics provide a detail view on the interface, policy, service-list, and services.

show mdns-sd summary {interface | vlan}

Displays the brief information about mDNS gateway and the key configuration status on all VLANs and interfaces of the system.