
ACL to block iTunes networking sharing on a VLAN 1

Status
Not open for further replies.

Teecee33

MIS
Jul 20, 2004
31
US
I want to prevent internal iTunes sharing on a certain VLAN on my network. I would assume an ACL is the best way. So I found that iTunes likes to use 5353 and 3689 to share people's music libraries. So I created the following ACL.

no access-list 101 remark Block Itunes network sharing
no access-list 101 deny tcp any any eq 3689
no access-list 101 remark Block Itunes network sharing
no access-list 101 deny tcp any any eq 5353
no access-list 101 permit tcp any any
no access-list 101 permit udp any any

Then I applied the ACL to my VLAN.

int vlan 55
ip access-group 101 out


After I do this, I am still able to view people's shared iTunes library and play their music. I look at the port monitor on my PC, and it is connecting to their computers via port 5353. Any thoughts? I have also tried ip access-group 101 in with no luck either.

 
I think a step back needs to be taken. Everyone here is recommending an ACL on the physical access port. This is the unscalable solution. Please verify your hardware supports VACL capability. If it does, go that route. The reason I say this: the solutions presented here will only work if you apply the ACL to every port on the switch. Why do I say every port? What happens if the user moves to a different desk? The problem would be back. While applying the ACL to every port could work, it's not scalable as it requires much administrative overhead. Applying a VACL is an easy approach for the whole VLAN.

BuckWeet
 
It shouldn't be that hard using the int range command. BuckWeet has a good point though; VACL is an easy solution and works well. However, it too has to be configured on every switch. Either one should work fine, should they not?
 
Well since 99% of my users are wireless, applying this on the access point switch and the trunked ports should do the trick for me. Thanks for all of the help.
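A VLAN access map for the scenario in this thread, added here as an example and not configuration posted by any of the participants. It addresses the two reasons the original ACL could not work: traffic between two hosts in the same VLAN is switched and never passes through the SVI, so ip access-group on int vlan 55 never sees it, and iTunes discovery (Bonjour/mDNS on port 5353) is UDP, not TCP, while only the library stream itself (DAAP) is TCP 3689. It assumes a Catalyst switch that supports vlan access-map; VLAN 55 is the one from the thread and the ACL and map names are made up for the example.

```cisco
! Select the iTunes sharing traffic. In a VACL the match ACL uses "permit"
! to select packets, and the access-map action decides what happens to them.
! mDNS/Bonjour discovery is UDP 5353 (normally multicast to 224.0.0.251);
! the DAAP music stream is TCP 3689.
ip access-list extended ITUNES-SHARING
 permit udp any any eq 5353
 permit tcp any any eq 3689
!
! Sequence 10 drops the selected traffic; sequence 20 forwards everything else.
! The final forward clause is required: a VACL has an implicit deny, so without
! it all other traffic on the VLAN would be dropped too.
vlan access-map BLOCK-ITUNES 10
 match ip address ITUNES-SHARING
 action drop
vlan access-map BLOCK-ITUNES 20
 action forward
!
! Apply the map to the VLAN. A VACL filters switched (intra-VLAN) traffic, so
! every port in VLAN 55 on this switch is covered without per-port ACLs, and a
! user who moves to another desk in the same VLAN stays covered.
vlan filter BLOCK-ITUNES vlan-list 55
!
! Verify with: show vlan filter   and   show vlan access-map BLOCK-ITUNES
```

As noted in the thread, the map must be configured on every switch carrying VLAN 55, since each switch filters only the traffic it forwards locally.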
 