Controller Based WLANs

How do I stop users from sharing iTunes music over the Wi-Fi network? How do I block Bonjour (mDNS) traffic?

by on ‎07-07-2014 04:23 PM

Question: How do I stop users from sharing iTunes music over the Wi-Fi network? How do I block Bonjour (mDNS) traffic?

 

Product and Software: This article applies to all Aruba controllers and APs that run ArubaOS 3.3.2.9 and later.

 

There are several ways to stop users from sharing iTunes music on the Wi-Fi network or to block Bonjour (mDNS) traffic:

  • If you run ArubaOS 3.3.2.9 or later, you can drop broadcast and multicast traffic in the air at the virtual AP (SSID) level. This setting is usually used together with the setting that converts broadcast ARP packets to unicast. The configuration is:

    wlan virtual-ap test
       broadcast-filter all
       broadcast-filter arp

If this configuration is enabled, users will not be able to find each other's iTunes libraries, because iTunes uses the Bonjour (mDNS) service, which is multicast. Before you enable this configuration, ensure that no other critical applications (such as IPTV) depend on broadcast or multicast traffic.

  • You can apply an ACL to limit mDNS traffic to selected user groups (based on user role).

    ip access-list session block-mdns
       user any udp 5353 deny

  • You can block TCP port 3689.

    ip access-list session block-itunes
       user any tcp 3689 deny

iTunes uses TCP port 3689 for music sharing. The previous suggestion (the ACL on UDP port 5353) blocks mDNS (Bonjour) and prevents discovery of iTunes libraries as well as any other Bonjour services. Blocking TCP port 3689 still allows the iTunes libraries to be discovered, but prevents users from connecting to them.

  • If you are just concerned about the impact on the network, you could experiment with setting the traffic priority of the TCP streams on 3689 to background or best effort.
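To confirm that one of the filters above took effect, UDP 5353 payloads captured on the WLAN can be checked for iTunes sharing advertisements. The Python below is an added example, not part of the Aruba article: it assumes iTunes sharing is advertised under the DAAP service type `_daap._tcp.local` (the service on TCP 3689), and `read_name`, `daap_names`, `enc` and the sample packets are constructed for illustration.

```python
import struct

DAAP = "_daap._tcp.local"  # assumed service type for iTunes sharing (TCP 3689)

def read_name(msg, off):
    """Decode a DNS name at off; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]                      # IndexError if truncated
        if n & 0xC0 == 0xC0:              # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n

def daap_names(payload):
    """DAAP-related names in one mDNS payload (found before any parse error)."""
    found = []
    try:
        _, _, qd, an, ns, ar = struct.unpack_from("!6H", payload, 0)
        off = 12
        for i in range(qd + an + ns + ar):
            name, off = read_name(payload, off)
            names = [name]
            if i < qd:                    # question: qtype + qclass follow
                off += 4
            else:                         # record: type, class, ttl, rdlength
                rtype, _, _, rdlen = struct.unpack_from("!HHIH", payload, off)
                off += 10
                if rtype == 12:           # PTR rdata is itself a name
                    names.append(read_name(payload, off)[0])
                off += rdlen
            found += [n for n in names if n.lower().endswith(DAAP)]
    except (ValueError, IndexError, struct.error):
        pass
    return found

# Constructed sample payloads (not captured traffic), built with this helper.
def enc(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
QUERY = struct.pack("!6H", 0, 0, 1, 0, 0, 0) + enc(DAAP) + struct.pack("!HH", 12, 1)
_rd = b"\x0d" b"Alice Library" b"\xc0\x0c"   # instance label + pointer to offset 12
ANSWER = (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + enc(DAAP)
          + struct.pack("!HHIH", 12, 1, 120, len(_rd)) + _rd)
```

With the mDNS ACL or the broadcast filter in place, a wireless client's capture should yield no payloads for which `daap_names` returns a non-empty list from other clients; with only TCP 3689 blocked, such names are still expected.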