Configuring Bonjour forwarding for the MX Security Appliance in Passthrough mode

The Cisco Meraki MX Security Appliance can be configured to forward Bonjour mDNS traffic across VLANs, even when in Passthrough mode. For information on configuring Bonjour forwarding when the MX is in NAT mode, refer to this article. 

This functionality is useful when deploying the MX below a Layer 3 switch or other appliance that can define VLANs, but cannot forward Bonjour traffic across them. An MX in passthrough will intercept the traffic and forward it from service VLANs to client VLANs. This allows clients on one VLAN to utilize Bonjour services like AirPlay or wireless printing when the service is in another broadcast domain.

 This article explains the network design required for the functionality to work and then provides instructions on how to enable Bonjour forwarding in Dashboard. 

Caveats and explanation of how Bonjour forwarding works in Passthrough mode

The MX accomplishes Bonjour forwarding in Passthrough mode by inspecting traffic for 802.1Q VLAN tags in each packet that passes through the appliance. If a packet has a VLAN tag, the Bonjour forwarding rules are referenced and if a match is identified, the packet is forwarded across to the other broadcast domain.

Therefore, in order for Bonjour forwarding to work in Passthrough mode, traffic must be tagged with a VLAN ID before it passes through the MX. Forwarding from the native VLAN is not possible in Passthrough mode because no explicit 802.1Q VLAN tag exists for traffic on the native VLAN. Traffic can be tagged in a number of ways, either by employing SSID VLAN tagging or by configuring an access port on a Layer 2 switch.

If traffic is not explicitly tagged downstream of the MX, it will not be identified for forwarding and will pass through upstream to the Layer 3 switch or security appliance incapable of forwarding Bonjour traffic.

Example topology for successful Bonjour forwarding

Enabling Bonjour forwarding in Dashboard

1. Configure the MX for use in Passthrough mode
2. Navigate to Configure > Firewall > Bonjour forwarding
3. Add rules to forward each VLAN across. In the case above, add one rule for VLAN ID 20 > VLAN ID 30 and another for VLAN ID 30 > VLAN ID 20 (as shown below, with VLAN names displayed)

This configuration will ensure that traffic is forwarded for all Bonjour services from the Apple TV on VLAN 20 to the MacBook Pro connected to an SSID tagging traffic for VLAN 30.