Posted on 02-26-2015 07:26 PM
Hello All,
Does anyone have information on working ACLs to allow AirPlay through Cisco WLC ACLs? We have a mix of Apple TVs and AirServer, with AirPlay mirroring from both iOS and OS X. The Bonjour discovery side is working correctly; it's the data stream that is failing. When ACLs are disabled, everything works as desired.
Looking through Apple's TCP and UDP ports guide http://support.apple.com/en-au/HT202944 it appears you need the following:
80 TCP HTTP
443 TCP HTTPS
554 TCP/UDP RTSP
3689 TCP DAAP
5353 UDP MDNS
And
AirServers Documentation http://support.airserver.com/customer/portal/articles/1465944-which-ports-are-used-by-airserver-and-...
7000 TCP
7100 TCP
5000 TCP
6010-6012 UDP
5353 UDP
Current testing ACLs are listed below; rules 1-20 are related to AirPlay. (Prot 6 = TCP, 17 = UDP)
```
Source Destination Source Port Dest Port
Index Dir IP Address/Netmask IP Address/Netmask Prot Range Range DSCP Action Counter
```
Damien
Posted on 02-27-2015 09:20 AM
What is your use case for creating an ACL to permit AirPlay? Are there other rules below that are filtering? Try adding the two Bonjour ports to the ACL (5297, 5289).
Posted on 03-01-2015 02:42 PM
@tron_jones, thanks for your info. There are more rules below the ones listed(omitted to , basically this is to go between a guest vlan and one of our production ones.
I have added the following and am getting someone onsite to do some testing.
19 In 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 6 0-65535 5297-5297 Any Permit 0
20 Out 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 6 5297-5297 0-65535 Any Permit 0
21 In 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 6 0-65535 5289-5289 Any Permit 0
22 Out 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 6 5289-5289 0-65535 Any Permit 0
23 In 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 17 0-65535 5289-5289 Any Permit 0
24 Out 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 17 5289-5289 0-65535 Any Permit 0
Posted on 03-01-2015 03:51 PM
@tron_jones It's doing the same; the only rules that are getting any hits are:
17 In 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 6 0-65535 5000-5000 Any Permit 14
18 Out 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 6 5000-5000 0-65535 Any Permit 12
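Added example, not part of any post in this thread: a Python sketch that parses ACL rows in the format pasted above and reports which ports from the two quoted port lists have no permit in each direction, along with the rules that show hits. It assumes first-match evaluation with an unmatched flow treated as denied, matches only on protocol and service port (every posted row is any-to-any), and `REQUIRED`, `parse_rules`, `permitted` and `audit` are names made up for this example.

```python
import re

# (IP protocol, port) pairs from the two port lists quoted in the thread.
REQUIRED = [(6, 80), (6, 443), (6, 554), (17, 554), (6, 3689), (17, 5353), (6, 5000),
            (6, 7000), (6, 7100), (17, 6010), (17, 6011), (17, 6012)]

# Rules 17-24 as posted in the thread; the other rules of that ACL are not shown there.
SAMPLE = """\
17 In 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 6 0-65535 5000-5000 Any Permit 14
18 Out 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 6 5000-5000 0-65535 Any Permit 12
19 In 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 6 0-65535 5297-5297 Any Permit 0
20 Out 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 6 5297-5297 0-65535 Any Permit 0
21 In 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 6 0-65535 5289-5289 Any Permit 0
22 Out 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 6 5289-5289 0-65535 Any Permit 0
23 In 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 17 0-65535 5289-5289 Any Permit 0
24 Out 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 17 5289-5289 0-65535 Any Permit 0
"""

ROW = re.compile(r"^\s*(\d+)\s+(In|Out|Any)\s+\S+\s+\S+\s+(\d+|Any)\s+(\d+)-(\d+)\s+"
                 r"(\d+)-(\d+)\s+\S+\s+(Permit|Deny)\s+(\d+)\s*$")

def parse_rules(text):
    """Return a dict per line that looks like an ACL row; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, direction, prot, s_lo, s_hi, d_lo, d_hi, action, hits = m.groups()
            rules.append({"idx": int(idx), "dir": direction, "prot": prot, "src": (int(s_lo), int(s_hi)),
                          "dst": (int(d_lo), int(d_hi)), "permit": action == "Permit", "hits": int(hits)})
    return rules

def permitted(rules, direction, prot, port):
    """First-match lookup on the service port: destination port for In, source port for Out."""
    side = "dst" if direction == "In" else "src"
    for r in sorted(rules, key=lambda r: r["idx"]):
        lo, hi = r[side]
        if r["dir"] in (direction, "Any") and r["prot"] in (str(prot), "Any") and lo <= port <= hi:
            return r["permit"]
    return False  # assumption: no matching rule means the flow is denied

def audit(text):
    """Return (uncovered (direction, prot, port) triples, indexes of rules with hits)."""
    rules = parse_rules(text)
    missing = [(d, p, n) for p, n in REQUIRED for d in ("In", "Out") if not permitted(rules, d, p, n)]
    return missing, [r["idx"] for r in rules if r["hits"] > 0]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Replace `SAMPLE` with the controller's full ACL listing; with only rules 17-24 present, every listed port other than TCP 5000 is reported as uncovered.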