Question: How do I stop users from sharing iTunes music over the Wi-Fi network? How do I block Bonjour (mDNS) traffic?
Product and Software: This article applies to all Aruba controllers and APs that run ArubaOS 18.104.22.168 and later.
There are several ways to stop users from sharing iTunes music on the Wi-Fi network or to block Bonjour (mDNS) traffic:
- If you run ArubaOS 22.214.171.124 or later, at the virtual AP (SSID) level, you can drop broadcast and multicast traffic in the air. This setting is usually used in conjunction with the setting to convert broadcast ARP packets to unicast. The configuration is:
wlan virtual-ap test
If this configuration is enabled, users will not be able to find each other's iTunes library. iTunes uses the Bonjour (mDNS) service, which is multicast. Before you enable this configuration, ensure that no other critical applications depend on broadcast or multicast traffic (such as IPTV).
- You can apply an ACL to limit mDNS traffic to selected user groups (based on user role).
ip access-list session block-mdns
user any udp 5353 deny
- You can block TCP port 3689.
ip access-list session block-itunes
user any tcp 3689 deny
iTunes uses TCP port 3689 for music sharing. The previous suggestion blocks mDNS (Bonjour) and prevents discovery of iTunes libraries as well as any other Bonjour services. Blocking port 3689 allows the iTunes libraries to be discovered, but prevents users from connecting to them.
- If you are just concerned about the impact on the network, you could experiment with setting the traffic priority of the TCP streams on 3689 to background or best effort.
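To confirm from a wireless client that the settings above took effect, the following check can be used. It is an added example, not part of the original Aruba article: it sends an mDNS browse query for the iTunes sharing service type (_daap._tcp.local, an assumption not named on this page) and tries a TCP connection to port 3689 on a host you supply.

```python
import socket
import struct
import sys

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353  # standard mDNS multicast group and port
DAAP_SERVICE = "_daap._tcp.local"            # assumed service type for iTunes sharing
DAAP_PORT = 3689                             # iTunes sharing port named in the article

def build_ptr_query(name):
    """Build a one-question DNS PTR/IN query, the form used for mDNS browsing."""
    header = struct.pack("!6H", 0, 0, 1, 0, 0, 0)  # ID 0, flags 0, QDCOUNT 1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!2H", 12, 1)  # PTR, IN

def is_response(packet):
    """True if the packet is a DNS response (QR bit set) with at least one answer."""
    if len(packet) < 12:
        return False
    _id, flags, _qd, answers, _ns, _ar = struct.unpack("!6H", packet[:12])
    return bool(flags & 0x8000) and answers > 0

def mdns_discovery_blocked(timeout=3.0):
    """Send a DAAP browse query; True if the socket times out with no answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
        s.sendto(build_ptr_query(DAAP_SERVICE), (MDNS_GROUP, MDNS_PORT))
        try:
            while True:
                data, _peer = s.recvfrom(9000)
                if is_response(data):
                    return False
        except socket.timeout:
            return True

def daap_connect_blocked(host, port=DAAP_PORT, timeout=3.0):
    """True if no TCP connection to host:port can be made (dropped or refused)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False
    except OSError:
        return True

if __name__ == "__main__":
    # Run from a client on the SSID; argv[1] is a host known to be sharing a library.
    print("mDNS discovery blocked:", mdns_discovery_blocked())
    if len(sys.argv) > 1:
        print("TCP 3689 blocked:", daap_connect_blocked(sys.argv[1]))
```

Run it once before and once after applying the configuration, with at least one other client on the same SSID sharing a library, so that a "blocked" result reflects the controller policy rather than the absence of any sharing host.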