Secure 'Casting

Uberseehandel
Kind of a big deal


Hi

 

I have a conundrum, which hopefully has a simple solution.

 

Situation

I have a number of 'Chromecast/Miracast capable devices, mostly Sony, but likely to include other brands in the future.

All these devices are wired, although they are Bluetooth/Wi-Fi capable as well.

It is very convenient to be able to link to a chromecast device from, for example, a phone and have the device establish the link to the source and take over playing the music/video, freeing up the phone for other purposes.

 

Problem

These casting devices are IOT based and therefore quite high risk. I do not want them on the same VLAN as ostensibly secure kit such as servers and workstations.

 

Requirement

Find a way of allowing secure devices to communicate with the casting capable devices without compromising security.

 

 

Is it simplest to work along the same lines as enabling Bonjour?

Or, I worked out that using subnetting I could arrange VLANs so that the secure network can see the IOT network but not vice versa - e.g. Secure VLAN 192.168.20.0/23 - Insecure VLAN 192.168.21.0/24 - and restrict the range of DHCP addresses used by the secure VLAN?

 

I am concerned that the subnetting proposal may have unintended consequences?

 

All suggestions gratefully received.

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
MauH
Meraki Employee

Hi @Uberseehandel,

 

Depending on the type of casting device you use there will be a limitation from where you can cast. As far as I know Chromecast won't let you cast if they are on separate VLANs (different broadcast domain).

Uberseehandel
Kind of a big deal


@MauH wrote:

Hi @Uberseehandel,

 

Depending on the type of casting device you use there will be a limitation from where you can cast. As far as I know Chromecast won't let you cast if they are on separate VLANs (different broadcast domain).


Mau

Thanks for that.

I'd noticed that behaviour already, hence my idea of setting the VLANs up as follows - 

Secure VLAN - 192.168.20.0/23 (IP range 192.168.20.1 - 192.168.21.255)  DHCP 192.168.20.11 - 192.168.21.255  VLAN ID 20 MX 192.168.20.1

Insecure VLAN - 192.168.21.1/24   (IP range 192.168.21.1  - 192.168.21.255)  DHCP 192.168.21.11 - 192.168.21.255 VLAN ID 21  MX 192.168.21.1

 

The idea being that the devices on the secure network (VLAN 20) see the cast capable devices as being in their broadcast domain, but the insecure cast capable devices do not see the members of VLAN 20.

 

In effect, what I am looking to do is set up a series of "security zones", and control the interactions between the zones.

 

The reality is that as the use of IOT devices becomes more pervasive, there are going to be reasons to use known insecure devices as well as devices whose security status is protected, and have them interact with each other. So from a smartphone one can set up casting by an internet connected speaker or monitor/tv, or control a door lock, or interact with the known high security risk "smart" meter the power utility insists on installing. 

 

I'm concerned that if I set up this overlapping VLAN scheme that it might have unintended consequences.

 

Thanks again.

 

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Interesting, if you end up giving this a try please let me know if it worked. If I can get some of these cast devices I will give it a try myself.
Uberseehandel
Kind of a big deal


@MauH wrote:
Interesting, if you end up giving this a try please let me know if it worked. If I can get some of these cast devices I will give it a try myself.

Mau

 

I will get onto this before Christmas. At the moment, all the sound and audio Chromecast capable kit is Sony, which is a broadcaster standard. I just love the way that once I set up casting, the smart device can be turned off and the cast continues. So, in the first place I am looking at having small personal devices for audio casting and will be testing the Bang+Olufsen BeoPlay M3. For testing purposes, I suspect a Google Chromecast dongle would work. It has options that allow one to do 4K video and also to hardwire everything, rather than Wi-Fi the link to the internet.

 

Incidentally, the IP address scheme should read - 

 

Sec VLAN   - 192.168.20.0/23 (IP range 192.168.20.1 - 192.168.21.255) DHCP 192.168.20.11 - 192.168.20.255 VLAN ID 20 MX 192.168.20.1
Insec VLAN - 192.168.21.1/24 (IP range 192.168.21.1 - 192.168.21.255) DHCP 192.168.21.11 - 192.168.21.255 VLAN ID 21 MX 192.168.21.1

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

err - audio and video
Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
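
Added example (not part of any post in this thread): a Python check of the corrected address scheme above, showing how each side would forward traffic when the /23 of VLAN 20 contains the /24 of VLAN 21. It assumes standard host on-link forwarding with no proxy ARP or bridging between VLANs; the function names and sample host addresses are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Address plan from the thread (corrected version); interface addresses are
# normalised to their networks, so 192.168.21.1/24 becomes 192.168.21.0/24.
PLAN = {
    20: ipaddress.ip_interface("192.168.20.1/23"),   # Secure VLAN, MX .20.1
    21: ipaddress.ip_interface("192.168.21.1/24"),   # Insecure VLAN, MX .21.1
}

def overlapping_vlans(plan):
    """Return VLAN ID pairs whose subnets overlap."""
    return [(a, b) for a, b in combinations(sorted(plan), 2)
            if plan[a].network.overlaps(plan[b].network)]

def delivery(plan, src_vlan, dst_vlan, dst_ip):
    """Classify how a host in src_vlan tries to reach dst_ip living in dst_vlan.

    Assumption: hosts use their VLAN's mask to decide on-link vs. gateway,
    and ARP broadcasts do not cross VLANs (no proxy ARP, no bridging).
    """
    dst = ipaddress.ip_address(dst_ip)
    on_link = dst in plan[src_vlan].network
    if src_vlan == dst_vlan:
        return "direct" if on_link else "misaddressed"
    if on_link:
        # Sender ARPs on its own VLAN for a host that is not there.
        return "arp-fails"
    return f"routed via {plan[src_vlan].ip}"

def report(plan):
    # Sample host addresses below are constructed for illustration.
    return {
        "overlaps": overlapping_vlans(plan),
        "secure->cast device 192.168.21.50": delivery(plan, 20, 21, "192.168.21.50"),
        "cast device->secure 192.168.20.50": delivery(plan, 21, 20, "192.168.20.50"),
    }

if __name__ == "__main__":
    for key, value in report(PLAN).items():
        print(f"{key}: {value}")
```

Under these assumptions the secure side treats cast devices as on-link and ARPs for them on VLAN 20, where they do not exist, while the IoT side sends traffic for 192.168.20.x to its gateway, where only firewall rules decide whether it passes.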