Access-list to block mDNS from traversing across switch trunks

I have a situation where I have 75 Apple TVs on a single VLAN. I would like to know how to block mDNS, 224.0.0.250 and .251, at the trunk port, so the mDNS traffic stays within the switch. I need to do this only for the one VLAN. I need to know how to create the access lists, and how to apply them to the trunk ports.

Here are the details:

Vlan 12 10.1.4.0/22 

mDNS 224.0.0.250 and 251

7 REPLIES

What kind of switch?

HTH, John *** Please rate all useful posts ***
WS-C2960X-48FPD-L

This is a layer two switch. How can I block mDNS on a layer 2 VLAN?

I'm not sure you're going to be able to. Are you trying to keep that traffic local on the switch? The mDNS multicast group isn't routable, so it wouldn't cross VLANs. Is IGMP snooping enabled on the switch?

HTH, John *** Please rate all useful posts ***
I am trying to keep the traffic local to the switch. The Apple TVs and iPads are on the same network.

I figured it out. The access-list is below:

ip access-list extended Block_mDNS

 deny udp 10.1.4.0 0.0.3.255 any eq 5353

 permit ip any any 

At the uplink trunk ports I added

ip access-group Block_mDNS in

This restricts the mDNS traffic to only the switch where it originated. 

Good info..thanks!

HTH, John *** Please rate all useful posts ***

I've never done this, so I'm not sure what else this will break, but you could try this on the switch:

mac access-list extended ATV
 deny any host 0100.5e00.00fa
 deny any host 0100.5e00.00fb
 permit any any

Go to the interface that the Apple TV is on:

mac access-group ATV in

I'd be curious to see what that does. The MAC addresses are the multicast group in MAC format. They can match on multiple multicast groups, so that's why I said I'm not sure what else it will break in your environment.

HTH,

John

HTH, John *** Please rate all useful posts ***
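The two ACLs in this thread can be checked offline before touching a production trunk. The following is an added example, not code from the thread or from Cisco: it models the Block_mDNS wildcard match and the ATV MAC ACL, derives the multicast MACs from the group addresses the way the switch does (RFC 1112, low 23 bits of the group under 01:00:5e), and lists the 32 IPv4 groups that share one MAC, which is the overlap John warns about. All inputs are constructed.

```python
import ipaddress

# Constructed model of the two ACLs posted in this thread; not Cisco code.

def multicast_mac(group: str) -> str:
    """IPv4 multicast group -> Ethernet MAC: 01:00:5e + low 23 bits of the group."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    low23 = int(ip) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E, (low23 >> 16) & 0x7F, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return ":".join(f"{o:02x}" for o in octets)  # IOS writes this as 0100.5e00.00fb

def groups_sharing_mac(group: str) -> list:
    """All 32 IPv4 groups whose frames carry the same MAC (the 5 dropped bits vary)."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23)) for hi in range(32)]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def block_mdns_action(proto: str, src: str, dst_port: int) -> str:
    """Evaluate the Block_mDNS extended ACL top-down; first match wins."""
    # deny udp 10.1.4.0 0.0.3.255 any eq 5353
    if proto == "udp" and wildcard_match(src, "10.1.4.0", "0.0.3.255") and dst_port == 5353:
        return "deny"
    return "permit"  # permit ip any any

def atv_mac_action(dst_mac: str) -> str:
    """Evaluate the ATV MAC ACL: deny frames addressed to the two mDNS group MACs."""
    denied = {multicast_mac("224.0.0.250"), multicast_mac("224.0.0.251")}
    return "deny" if dst_mac.lower() in denied else "permit"

if __name__ == "__main__":
    print(multicast_mac("224.0.0.251"))                 # 01:00:5e:00:00:fb
    print(block_mdns_action("udp", "10.1.5.17", 5353))  # deny (inside 10.1.4.0/22)
    print(block_mdns_action("udp", "10.1.8.1", 5353))   # permit (outside the VLAN 12 range)
    print(groups_sharing_mac("224.0.0.251")[:3])        # groups the MAC ACL also catches
```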