C9800 Multicast and mDNS Gateway Configuration
When you deploy a wireless network at enterprise scale, you quickly discover that multicast traffic behaves very differently over the air than it does on wired infrastructure. Your wireless users want to discover printers, stream AirPlay content, and access Apple TVs—all capabilities that rely on multicast and mDNS. Without proper configuration on the C9800, those services either won't work or will consume excessive airtime. This guide walks you through the architecture, configuration options, and best practices for multicast and mDNS gateway on your Catalyst 9800 wireless controller.
Why Multicast is Challenging in Wireless
Wireless networks introduce constraints that wired networks don't have. Multicast packets are sent at the lowest mandatory data rate (often 6 Mbps on 5 GHz) to ensure reception by all clients, using significant airtime. There's no acknowledgment mechanism for multicast frames, so packet loss directly impacts reliability. When a client moves to a new AP, it may lose multicast group membership mid-stream. And clients must wake up to receive multicast traffic, draining battery on power-save devices.
The mDNS gateway solves a related problem: mDNS uses link-local multicast (addresses 224.0.0.251 and FF02::FB), which cannot traverse VLAN boundaries by design. If your AirPrint server is on one VLAN and your wireless clients on another, they won't discover each other without a gateway between them. The C9800's mDNS gateway acts as that bridge, caching service advertisements and responding to queries on behalf of remote services.
Multicast Architecture on the C9800
Before configuring multicast, understand how it flows through your system. A wireless client sends an IGMP join to its AP. The AP tunnels that IGMP join over CAPWAP to the C9800. The C9800 runs IGMP snooping, intercepts the join, and creates a multicast group identifier (MGID) based on the source, multicast group IP address, and VLAN. The C9800 then sends a proxy IGMP join upstream to your campus network's multicast router. When multicast traffic arrives at the C9800, it encapsulates the traffic in a CAPWAP header and sends it to the AP, which replicates it to all wireless clients in the multicast group.
The critical decision is how the C9800 handles replication: Multicast-over-Unicast (MoU) or Multicast-over-Multicast (MoM).
| Mode | CAPWAP Encapsulation | Replication Point | Best For | Limitations |
|---|---|---|---|---|
| MoU (Multicast-over-Unicast) | Unicast CAPWAP tunnel to each AP | C9800 creates one copy per AP | Small deployments (up to 1000 APs per C9800-CL) | CPU/memory intensive on WLC; not recommended at scale |
| MoM (Multicast-over-Multicast) | Multicast CAPWAP group on network | Network routers replicate naturally | Large deployments with multicast-capable infrastructure | Requires Layer 3 multicast routing in your campus network; unique multicast group per C9800 |
| Media Stream (MC2UC) | Converts multicast to unicast per client | AP replicates per client that joined | Video delivery with ACK-based reliability and QoS | Requires explicit stream definition; only for media applications |
Most enterprise deployments use MoM, which offloads replication to the network fabric and scales better. The C9800 sends one copy of multicast traffic on a dedicated multicast IP address; your Layer 3 switches and routers handle the replication. However, MoM requires explicit configuration of a multicast group IP in the range 239.0.0.0 to 239.255.255.255, and that group must be unique per C9800 to avoid duplicates in multi-WLC deployments.
Configuring Global Multicast on the C9800
Start by enabling multicast forwarding globally. This is a prerequisite for any multicast service on your wireless network.
c9800(config)#wireless multicast
c9800(config-wireless-multicast)#global-multicast-mode enable
c9800(config-wireless-multicast)#ap-capwap-multicast multicast
c9800(config-wireless-multicast)#ap-capwap-ipv4-multicast-group-address 239.10.10.10
c9800(config-wireless-multicast)#igmp-snooping enable
c9800(config-wireless-multicast)#igmp-snooping-querier enable
c9800(config-wireless-multicast)#endThe above CLI performs the following (you can also use the GUI under Configuration > Services > Multicast):
- global-multicast-mode enable: Activates multicast forwarding. Without this, all multicast is blocked.
- ap-capwap-multicast multicast: Sets the mode to MoM (as opposed to unicast, which is MoU).
- ap-capwap-ipv4-multicast-group-address: The C9800 will send CAPWAP multicast on this address. This must be unique per C9800 and routable in your network.
- igmp-snooping enable: The C9800 listens to IGMP messages from wireless clients to track which groups they want to join.
- igmp-snooping-querier enable: If your network doesn't have a multicast router sending IGMP queries, the C9800 can send them. This is optional but helps when the WLC is the only multicast-aware device.
Verify your configuration with:
c9800#show wireless multicast
Global Wireless Multicast Mode : Enabled
AP CAPWAP Multicast : Multicast
AP CAPWAP IPv4 Multicast Group : 239.10.10.10
AP CAPWAP IPv6 Multicast Group : (not configured)
Wireless mDNS Bridging : Disabled
Wireless Non-IP Multicast : Disabled
Wireless Broadcast : Disabled
IGMP Snooping Querier : Enabled
IGMP Snooping : Enabled
Last Member Querier Interval : 1000 msConfiguring IGMP and Rate Limiting
IGMP snooping builds membership tables so the C9800 knows which VLANs and clients want which multicast groups. By default, the C9800 supports IGMPv1, IGMPv2, and IGMPv3. If your campus uses IGMPv3 for source-specific multicast (SSM), ensure your upstream switches also support it.
For wireless clients, rate limiting multicast traffic is essential. A rogue multicast source sending at high rates can consume significant airtime and degrade all other traffic. The C9800 allows you to set a multicast rate per WLAN profile (typically in the RF profile under Media Stream settings). A common starting point is 5% of total AP bandwidth reserved for multicast, with additional limits on a per-stream basis.
At the policy profile level (Configuration > Tags and Profiles > Policy), you can define:
- Maximum bandwidth reserved for multicast/media streams.
- RRC (Resource Reservation Control) parameters to admit or deny clients to media streams based on available airtime.
- Multicast rate (in kbps) for each defined media stream.
mDNS Gateway: Bridging Services Across VLANs
mDNS (Multicast DNS) is Apple's Bonjour protocol for service discovery without a centralized DNS server. Devices on the same Layer 2 segment advertise services (like _airplay._tcp.local or _ipp._tcp.local for printers) and respond to queries from other devices on that segment. The problem: mDNS uses TTL=1, link-local addresses (224.0.0.251 and FF02::FB), and operates on port 5353 (UDP). It will never traverse a VLAN boundary without a gateway.
The C9800's mDNS gateway solves this by:
- Listening to mDNS advertisements from wired devices (servers, printers, Apple TVs) on configured VLANs.
- Caching those service advertisements in memory.
- Responding to mDNS queries from wireless clients with the cached services that match the client's VLAN or location.
- Allowing you to filter services by type, location, or AP proximity.
mDNS Gateway Modes on the C9800
The C9800 supports three mDNS deployment models:
| Mode | Architecture | Use Case | Pros | Cons |
|---|---|---|---|---|
| mDNS Bridging | C9800 bridges mDNS traffic on the same VLAN as wireless clients | Wireless and wired devices on same VLAN; simple topology | Minimal config; no filtering needed | Doesn't solve VLAN isolation; traffic still limited to Link-Local |
| mDNS Gateway | C9800 caches wired services, unicasts responses to wireless clients | Wireless on VLAN X, servers/printers on VLAN Y; centralized discovery | Cross-VLAN service discovery; fine-grained filtering; location-aware | Requires service policy configuration; more moving parts |
| SDG Agent Mode | Catalyst switch or external Service Discovery Gateway manages mDNS centrally | Enterprise with multiple WLCs; centralized service policy management | Scales to many WLCs; unified policy; supports AP-Level filtering | Requires Catalyst switch or dedicated SDG appliance; not covered in this guide |
For most campus networks with a single C9800, the mDNS Gateway mode is preferred. It gives you cross-VLAN discovery without spreading multicast traffic across your entire network.
Enabling mDNS Gateway Globally
Start by enabling mDNS gateway on the WLC and choosing an IP transport (IPv4, IPv6, or both).
c9800(config)#services mdns
c9800(config-services-mdns)#global
c9800(config-mdns-global)#mdns-gateway enable
c9800(config-mdns-global)#transport ipv4
c9800(config-mdns-global)#active-query-timer 30
c9800(config-mdns-global)#mdns-ap-service-policy default-mdns-service-policy
c9800(config-mdns-global)#endThe active-query-timer (default 30 minutes) controls how often the C9800 refreshes its mDNS cache by sending active queries to the network. A lower value (5–10 minutes) ensures fresh data but increases traffic; 30 minutes is standard.
Service Definitions and Service Lists
The C9800 comes with a pre-configured default-service-list that includes common mDNS service types. You can view it with:
c9800#show mdns-sd default-service-list
Service Definition | mDNS Service-Type
--------------------|--------------------------------------------
Apple-TV | _airplay._tcp.local, _raop._tcp.local
HomeSecurity | _home-sharing._tcp.local
Printer-ipps | _ipps._tcp.local
Apple-AirPrint | _ipp._tcp.local, _universal._sub._ipp._tcp.local
Google-Chromecast | _googlecast._tcp.local, _googlerpc._tcp.local
Apple-Remote-Login | _sftp-ssh._tcp.local, _ssh._tcp.local
Apple-Screen-share | _rfb._tcp.local
Google-Expeditions | _googexpeditions._tcp.local
Multifunction-Printer| _fax-ipp._tcp.local, _ipp._tcp.local, _scanner._tcp.local
Apple-Windows-Fileshare| _smb._tcp.localIf you need to add custom services (e.g., a proprietary IoT device), you can create a custom service definition under Configuration > Services > mDNS > Service Definition. For example:
c9800(config)#services mdns service-policy
c9800(config-mdns-service-policy)#service-definition
c9800(config-mdns-service-definition)#add
Service Definition Name: my-app-service
Service Type: _myapp._tcp.local
c9800(config-mdns-service-definition)#exit
c9800(config-mdns-service-policy)#exitThen map that service to a service list:
c9800(config)#services mdns service-policy
c9800(config-mdns-service-policy)#service-list
c9800(config-mdns-service-list)#add
Service List Name: my-app-list
Available Services: my-app-service
c9800(config-mdns-service-list)#exitService Policies and Filtering
A service policy maps a service list to ingress/egress direction and applies it to a WLAN or policy profile. This is where you control which services wireless clients can discover and which direction they're allowed to flow.
Navigate to Configuration > Services > mDNS > Service Policy > Service Policy and add a policy:
- Service List Input: Services from the wired network that the C9800 should cache and offer to wireless clients.
- Service List Output: Services advertised by wireless clients that should be forwarded to the wired network (optional; typically "None").
- Location: A site tag that allows you to filter services by AP proximity or building. For example, only show the printer in Building-A to APs with the Building-A site tag.
At the WLAN level, select the service policy under Configuration > Tags and Profiles > WLANs > Edit WLAN > Advanced > mDNS Mode. The mode can be:
- Bridging: Legacy mode; mDNS traffic is forwarded to/from the VLAN as-is (no filtering).
- Gateway: Modern mode; the C9800 caches services and responds to queries, allowing cross-VLAN discovery with filtering.
- Drop: mDNS queries are dropped (useful for guest networks).
Location-Based Service Filtering
A powerful feature is filtering services by AP location and site tags. Imagine you have AirPrint servers in three different buildings. You want users in Building-A to see only the Building-A printer, and users in Building-B to see only the Building-B printer. You accomplish this with site tags and location-based filtering.
- Assign each AP a site tag under Configuration > Tags and Profiles > Tags.
- In the mDNS service policy, set a location filter to a specific site tag.
- The C9800 will include only service instances from wired infrastructure in that site tag in its responses to wireless clients.
Additionally, newer C9800 releases support AP Location filtering (location-specific services) and AP Name filtering, allowing you to scope services by the specific AP or even by regex pattern on the AP name.
End-to-End Configuration Example: AirPlay and AirPrint
Let's walk through a complete example: you have a corporate guest WLAN on VLAN 100, and you want guest users to discover and use an AirPrint printer on VLAN 200 and an Apple TV (AirPlay) on VLAN 200. Both are on the wired network; wireless clients are not.
Step 1: Enable global multicast and mDNS gateway.
c9800(config)#wireless multicast
c9800(config-wireless-multicast)#global-multicast-mode enable
c9800(config-wireless-multicast)#ap-capwap-multicast multicast
c9800(config-wireless-multicast)#ap-capwap-ipv4-multicast-group-address 239.10.10.10
c9800(config-wireless-multicast)#igmp-snooping enable
c9800(config-wireless-multicast)#igmp-snooping-querier enable
c9800(config-wireless-multicast)#exit
c9800(config)#services mdns
c9800(config-services-mdns)#global
c9800(config-mdns-global)#mdns-gateway enable
c9800(config-mdns-global)#transport ipv4
c9800(config-mdns-global)#exitStep 2: Ensure the default service list includes Apple-AirPrint and Apple-TV.
The default-mdns-service-policy already includes both, so no custom service definition is needed.
Step 3: Create a service policy for the guest WLAN.
c9800(config)#services mdns service-policy
c9800(config-mdns-service-policy)#service-policy
c9800(config-mdns-service-policy)#add
Service Policy Name: guest-services-policy
Service List Input: default-mdns-service-list
Service List Output: None
Location: (none)
c9800(config-mdns-service-policy)#exitStep 4: Apply the policy to the guest WLAN.
Under Configuration > Tags and Profiles > WLANs, edit the guest WLAN. On the Advanced tab, set:
- mDNS Mode: Gateway
- mDNS Service Policy: guest-services-policy
Click Update and Apply to Device.
Step 5: Verify service discovery.
Connect a macOS or iOS device to the guest WLAN. Open System Preferences > Printers and Scanners. The AirPrint printer should appear. Open Control Center on iOS and check for the Apple TV in AirPlay destinations. Both should be discoverable without any knowledge of the wired network.
From the C9800, verify the mDNS cache and active queries:
c9800#show mdns-sd cache
Service Name: AirPrint-Printer
Instance: AirPrint-Printer._ipp._tcp.local
IPv4 Address: 10.1.200.50
Port: 631
Service Name: Apple-TV
Instance: Apple-TV._airplay._tcp.local
IPv4 Address: 10.1.200.51
Port: 7000
c9800#show mdns-sd statistics
Total Active Queries Sent: 12
Total Service Advertisements Received: 24
Total Query Responses Sent: 156Troubleshooting Multicast and mDNS
When multicast or mDNS discovery fails, check the following:
| Symptom | Likely Cause | Solution |
|---|---|---|
| Wireless clients can't discover services | mDNS gateway not enabled or policy not applied to WLAN | Verify mDNS is enabled globally and mDNS Mode on the WLAN is "Gateway" |
| Service discovery works for some APs but not others | IGMP snooping disabled on upstream switch; multicast traffic not reaching those APs | Enable IGMP snooping on all Layer 2 switches in the path. Verify PIM (Protocol Independent Multicast) on Layer 3 devices if using MoM |
| mDNS cache is empty (no services cached) | C9800 not receiving mDNS advertisements from wired network; may be on wrong VLAN or different subnet | Ensure C9800 has management interfaces (SVIs) on VLANs where service providers exist. Check VLAN routing. |
| Wireless clients see duplicate services | Multiple C9800s responding to same query; or mDNS bridging enabled alongside gateway mode | Disable mDNS bridging if gateway mode is active. In multi-WLC designs, use SDG Agent mode for centralized management. |
| High airtime usage by multicast | Multicast rate not limited; video streams or file transfers using multicast | Configure media stream rate limiting in the policy profile; verify no unmanaged multicast sources |
Use these commands to diagnose:
! Check IGMP membership on the C9800
c9800#show ip igmp groups
Group Address | Interface | Version | Uptime
-----------------|----------------|---------|--------
239.10.10.10 | TenGigabitEth.. | v2 | 0:45:23
! View active multicast traffic
c9800#show ip mroute
Source | Multicast Group | Upstream | Downstream
----------------|-----------------|----------|----------
10.1.1.1 | 224.10.10.10 | Eth0 | CAPWAP-1, CAPWAP-2
! Display mDNS service cache and statistics
c9800#show mdns-sd cache
c9800#show mdns-sd statistics
! Verify VLAN SVI configuration for mDNS
c9800#show vlan brief | include 200
VLAN 200 is up, line protocol is upMulticast-to-Unicast Conversion: Media Streaming
For video and high-bitrate media, the C9800 supports an advanced feature called Media Stream or MC2UC (Multicast-to-Unicast) conversion. Instead of sending multicast frames over the air (which are unacknowledged and unreliable), the AP converts each multicast frame into unicast frames, one per client, allowing link-layer retransmission and MAC-layer QoS.
This requires defining a media stream with a multicast group IP, expected bandwidth, and QoS parameters. The AP monitors IGMP joins and, when a client joins a defined media stream, the AP converts that stream from multicast to unicast on the air. This significantly improves reliability and airtime efficiency for video applications.
Media Streaming is enabled under Configuration > Wireless > Media Stream > Streams. Define the multicast group IP, bitrate, and policy (Admit, Deny, or Best Effort), then enable it on the radio and WLAN profiles.
Key Takeaways
- Enable global multicast before any wireless multicast service will work. Choose MoM (Multicast-over-Multicast) with a unique multicast group IP for your C9800.
- mDNS gateway is the modern approach to cross-VLAN service discovery. Enable it globally, configure service policies, and apply them to your WLANs.
- IGMP snooping must be enabled on the C9800 and on all Layer 2 switches to track multicast group membership and prevent unnecessary flooding.
- Rate limiting is essential. Configure multicast bandwidth limits in your policy profiles to prevent rogue multicast sources from consuming all airtime.
- Service filtering by location (site tags) and service type allows you to give different user populations access to different services—critical for multi-building or guest networks.
- Media Streaming (MC2UC) converts multicast to unicast for reliable video delivery. Use it for AirPlay mirroring, video conferencing, and streaming video services.
- Verify with show commands: display multicast routing tables, IGMP groups, mDNS cache, and traffic statistics to diagnose issues quickly.
- Test end-to-end from both wireless and wired clients. Service discovery failures often stem from VLAN isolation, missing SVIs, or disabled multicast routing on the upstream network.
With multicast and mDNS properly configured, your wireless users will seamlessly discover printers, stream content to Apple TVs, and enjoy the same service-discovery experience they expect from a wired network—all while your C9800 intelligently manages airtime and reliability.