I have an interesting use case that I just cant get my head around.
We have a customer that wants to have chromecast ability in each room, but also ensuring that each room can only cast to the room the client is connected to.
So the setup is at the ICT Room we have 3x MS410-16 stacked switches to multiple buildings and rooms.
There are 9 Villas and 2 Rooms per Villa. Each Room has Fiber Optic cable back to the ICT Room full Star Topology.
Each room has MS225-24 (due to many UTP requirements as well as SFP requirements), also an MR33.
So the requirement for Roaming is clear, they want seamless roaming without loss of connectivity across the premises, therefore I have a single guest VLAN which I bridge to a Guest SSID.
Now comes the challenge of how do I let a Guest be one one VLAN and only see their room Chromecast when they are in their room.
The first thing that was on the cards was Port Isolation on the MS410 switches, but this does wont work across stacked switches so that option is out. Then I thought of looking into the access control on the SSID and trying to isolate Layer 2 traffic or deny LAN traffic thinking that only AP Clients will be able to get to AP Clients. Tested and when I enable Layer 2 traffic isolation or deny Layer 3 lan traffic I lose comms to even my local clients on same AP. So would something like Bonjour forwarding work for this use case, the problem still is how to isolate the various rooms from each other. Another option might be to have an ACL deny traffic on the MS410 switches, but then I would have to split the network on the cloud since the ACL's is network wide not switch specific which also does not seem ideal.
A perfect example of what I need is something like Private VLAN's.
Not quite sure how to meet both requirements of Roaming as well as Chromecast room isolation.
Anyone has some advise?
We had a similar deployment/issue. Unfortunately, the chromecast devices don't have the ability to set a passcode or other security measure. They are pretty much insecure open devices. So the only option is to isolate via vlan or to just name them and trust that people will cast to the correct device(s).
In some of our conference rooms we use this solution for a more secure option. It's a lot more expensive but may be of interest depending on your application https://www.barco.com/en/product/clickshare-cs-100
@Adam+1 for Barco. We utilize Barco in our conference rooms as well and by default Air Marshal leaves them alone.
I'm think I wuld use a VLAN per room, and then I would use layer 3 roaming.
Layer 3 roaming guarantees you will always be connected to the first VLAN you attached to - even if you roam to another access point.
Thanks for the response.
First problem is there is no MX appliance so we cant do that.
Even if there was an MX appliance, how would you know Guest A is in Room A for example, would the guest not just authenticate to the WLAN depending on when he/she feels like it and then just roam accordingly. What if the device then dis-associates and associates again to a wrong room. Walk around to their own room and roam in the wrong VLAN?
Not sure this would work.
Hoist group Chromecast proxy offer this feature, There's a pairing step to allow access only for the room where Chromecast is