How do I disable multicast DNS using access lists? 

Jun 30, 2014 08:17 PM

Product and Software: This article applies to all ArubaOS versions.

Multicast DNS (mDNS) is a protocol used by all Apple products and by Bonjour on the Windows platform. mDNS is the way these devices discover resources on the local network (for example, printers, servers, shared iTunes libraries, each other, FTP, and SFTP). In a high-capacity network installation, such as college dormitories, public access areas, or stadiums, the impact of this traffic on your wireless network can be substantial. As always, consider the particular applications on your network before you disable this feature.

mDNS traffic is sent to the multicast destination addresses 224.0.0.250 and 224.0.0.251. These two destinations are the entries to add to an access list that is applied to your logon role, to your authenticated user role, or to both.

  • If you want to deny mDNS before a user authenticates, apply the ACL to the logon role that you are using for your unauthenticated clients.
  • If you want to deny mDNS to authenticated clients, apply the ACL to your authenticated role.
  • You also have the option to apply the ACL to both roles.

This example is a basic access list that will accomplish this:

ip access-list session DenymDNS
any host 224.0.0.250 any deny
any host 224.0.0.251 any deny
any any any permit

This configuration should be applied to one or both user-roles for the pre- and post-authenticated client:

user-role logon
session-acl DenymDNS
session-acl logon-control
session-acl captiveportal
session-acl vpnlogon
ipv6 session-acl v6-logon-control

and/or

user-role authenticated
session-acl DenymDNS
session-acl allowall
ipv6 session-acl v6-allowall

The ACL should be applied as the first session-acl in the list so that mDNS is filtered before any other rule can match it. Also remember that the Aruba controller is a stateful firewall and will not apply these changes to existing sessions. The ACL takes effect for a client only after that user is cleared from the user table, or after an 'aaa user delete' command is issued.
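To make the two points above concrete (first-match ordering of session ACLs within a role, and existing sessions keeping their verdict until the user is cleared), the following is an added Python model written for this article; it is not ArubaOS code and not Aruba's firewall implementation. The rule lines are the ones shown above; the ACL grammar it parses, the stand-in for the built-in allowall ACL, the implicit deny at the end of a role's ACL list, the session-table behaviour and the client addresses are all simplifying assumptions made for the example.

```python
"""Toy model of role-based session ACL evaluation (added example, not ArubaOS code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rule lines copied from the article.
DENY_MDNS_ACL = """
ip access-list session DenymDNS
any host 224.0.0.250 any deny
any host 224.0.0.251 any deny
any any any permit
"""

# Constructed stand-in for the built-in 'allowall' ACL (assumed to be a single permit-all rule).
ALLOWALL_ACL = """
ip access-list session allowall
any any any permit
"""

# A flow is (src_ip, dst_ip, proto, dst_port); constructed for the example.
Packet = Tuple[str, str, str, int]


@dataclass
class Rule:
    src: str            # "any" or a host IP
    dst: str            # "any" or a host IP
    proto: str          # "any", "udp" or "tcp"
    port: Optional[int]
    action: str         # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        src, dst, proto, port = pkt
        return ((self.src == "any" or self.src == src)
                and (self.dst == "any" or self.dst == dst)
                and (self.proto == "any" or (self.proto == proto and self.port == port)))


def _take_addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any' or 'host <ip>' starting at tok[i]; return (spec, next index)."""
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return "any", i + 1


def parse_acl(text: str) -> Tuple[str, List[Rule]]:
    """Parse '<src> <dst> <service> <action>' lines into rules.

    Assumed grammar: address = 'any' | 'host <ip>'; service = 'any' | 'udp|tcp <port>'.
    """
    name, rules = "", []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "session"]:
            name = tok[3]
            continue
        src, i = _take_addr(tok, 0)
        dst, i = _take_addr(tok, i)
        if tok[i] == "any":
            proto, port, i = "any", None, i + 1
        else:
            proto, port, i = tok[i], int(tok[i + 1]), i + 2
        rules.append(Rule(src, dst, proto, port, tok[i]))
    return name, rules


@dataclass
class Role:
    name: str
    acls: List[str]     # ACL names in the order they appear under 'user-role'


class StatefulFirewall:
    def __init__(self, acls: Dict[str, List[Rule]]):
        self.acls = acls
        self.sessions: Dict[Packet, str] = {}   # flow -> verdict recorded at first packet

    def evaluate(self, role: Role, pkt: Packet) -> str:
        """First matching rule across the role's ACLs wins; implicit deny (assumption)."""
        for acl_name in role.acls:
            for rule in self.acls[acl_name]:
                if rule.matches(pkt):
                    return rule.action
        return "deny"

    def handle(self, role: Role, pkt: Packet) -> str:
        """Known flows keep their recorded verdict; only new flows hit the rule set."""
        if pkt not in self.sessions:
            self.sessions[pkt] = self.evaluate(role, pkt)
        return self.sessions[pkt]

    def clear_user(self, src_ip: str) -> None:
        """Model of clearing a user ('aaa user delete'): drop that client's sessions."""
        self.sessions = {k: v for k, v in self.sessions.items() if k[0] != src_ip}


def demo() -> Dict[str, str]:
    acls = dict(parse_acl(t) for t in (DENY_MDNS_ACL, ALLOWALL_ACL))
    mdns = ("10.1.1.5", "224.0.0.251", "udp", 5353)      # constructed client mDNS flow
    web = ("10.1.1.5", "198.51.100.10", "tcp", 443)       # constructed ordinary flow
    fw = StatefulFirewall(acls)
    wrong = Role("authenticated", ["allowall", "DenymDNS"])   # DenymDNS listed too late
    right = Role("authenticated", ["DenymDNS", "allowall"])   # DenymDNS first, as advised
    results = {
        "wrong_order": fw.evaluate(wrong, mdns),   # allowall matches first -> "permit"
        "right_order": fw.evaluate(right, mdns),   # DenymDNS matches first -> "deny"
    }
    fw.handle(wrong, mdns)                                  # session created under the wrong order
    results["after_fix_existing"] = fw.handle(right, mdns)  # still "permit": existing session
    fw.clear_user("10.1.1.5")
    results["after_clear"] = fw.handle(right, mdns)         # "deny" once the user is cleared
    results["web_still_ok"] = fw.handle(right, web)         # ordinary traffic still permitted
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the script shows the mDNS flow permitted when DenymDNS sits behind allowall, denied when it is first, and, after a reorder, still permitted for the client's existing session until that user is cleared.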
