
ACL to block iTunes network sharing on a VLAN


Teecee33 (MIS), Jul 20, 2004
I want to prevent internal iTunes sharing on a certain VLAN on my network. I would assume an ACL is the best way. So I found that iTunes likes to use 5353 and 3689 to share people's music libraries. So I created the following ACL.

access-list 101 remark Block iTunes network sharing
access-list 101 deny tcp any any eq 3689
access-list 101 deny tcp any any eq 5353
access-list 101 permit tcp any any
access-list 101 permit udp any any

Then I applied the ACL to my VLAN.

int vlan 55
ip access-group 101 out


After I do this, I am still able to view people's shared iTunes library and play their music. I look at the port monitor on my PC, and it is connecting to their computers via port 5353. Any thoughts? I have also tried ip access-group 101 in with no luck either.

 
This is on a 4506 Core and I am using 3560 switches on my edge. The user is connected to an edge switch and I am connected directly to my core.
 
Are you on the same VLAN as the other devices by any chance?
 
Then what you have described won't work. Applying the ACL to the SVI interface will only affect inter-VLAN traffic; traffic within the VLAN is at Layer 2, so the ACL doesn't get touched. You need to apply the ACL at the physical port level where the PCs are, i.e.

interface FastEthernet0/1
switchport
ip access-group 101 in

HTH

Andy
 
Got ya. That makes sense. So I should apply this ACL to every port I want it on? Hmmm. That could take a while. I guess I could apply it on ports that access points are on, then everyone connected to that one access point will be able to share with each other but not the rest of the network? What if I put it on a trunked fiber port? Then that would keep it inside that one switch but not let it out?
 
You can't apply ACLs to switch ports, either... As ABD mentioned, these are Layer 2 datalink comms that don't involve IP at all.
 
So how can I block this iTunes sharing? Any other suggestions?
 
You can't apply ACLs to switch ports, either... As ABD mentioned, these are Layer 2 datalink comms that don't involve IP at all.

Do you want to put money on that?

You can even do this with Catalyst 2950s as long as you have the EI-capable ones, so with a 3560 or a 4500... Even though these are Layer 2 interfaces you can apply Layer 3 ACLs to allow/deny traffic:


HTH

Andy
 
A port ACL only works for:

• Standard IP access lists using source addresses

• Extended IP access lists using source and destination addresses and optional protocol type information

• MAC extended access lists using source and destination MAC addresses and optional protocol type information

Now, what is "protocol type information?" The definition is unclear - it may include port numbers, it may not. I'll hold my money from that bet.

Traditionally what we use is a Vlan map.
 
Protocol Type is the Ethernet Type Field following the source MAC address of any Ethernet frame.

Preamble (8-bytes), Destination MAC address (6-bytes), Source MAC address (6-bytes), Type (or Length) field (2-bytes).

For example, IPV4 uses an Ethertype of 0x0800, ARP uses 0x0806, IPX using EthernetII framing (Novell terminology) uses 0x8137.

Some details here:


Andy
 
Interesting info, thanks. I probably read it at one time and forgot. So much to remember, so short a memory.

It would seem to suggest that a port ACL will not work for this purpose though as it requires a port number.
 
You need to research using VACLs

I'm not sure if the 3500s or 4500s can do this though.
 
It seems like this is going back and forth. Any idea on how to accomplish what I put in my original post?
 
Apply this to the access ports on your 3560's:

!
access-list 101 deny tcp any any eq 3689
access-list 101 deny tcp any any eq 5353
access-list 101 permit tcp any any
access-list 101 permit udp any any

interface FastEthernet0/1
switchport
switchport mode access
switchport access vlan 10
ip access-group 101 in
!

Obviously change the access VLAN.

Andy
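The thread's final answer applies a port ACL to each access port, and its deny lines match TCP only. As an added example that is not from any poster in this thread, here is the same filter written as a Catalyst VLAN access map (VACL), which filters bridged and routed traffic for every port in the VLAN at once, plus a corrected port-ACL variant. It assumes Catalyst 3560/4500 IOS syntax, the VLAN 55 and FastEthernet0/1 from the original post, and the ACL names ITUNES-SHARING, BLOCK-ITUNES and BLOCK-ITUNES-PACL, which are all made up for this example. The port numbers are the ones iTunes sharing actually uses: DAAP library browsing and streaming on TCP 3689, and Bonjour/mDNS discovery on UDP 5353 (a `deny tcp any any eq 5353` never matches mDNS, because mDNS is UDP).

```cisco
! Added example, not from the thread. Catalyst 3560/4500 syntax.
!
! Match list for the VACL. In a VLAN access map, "permit" in the
! referenced ACL means "this packet matches the map entry"; the
! map's "action" decides what happens to it.
ip access-list extended ITUNES-SHARING
 remark DAAP library browsing and streaming
 permit tcp any any eq 3689
 remark Bonjour/mDNS discovery (UDP, sent to multicast 224.0.0.251)
 permit udp any any eq 5353
!
! VLAN access map: sequence 10 drops what ITUNES-SHARING matches,
! sequence 20 (no match clause) forwards everything else.
vlan access-map BLOCK-ITUNES 10
 match ip address ITUNES-SHARING
 action drop
vlan access-map BLOCK-ITUNES 20
 action forward
!
! Apply the map to the VLAN from the original post (assumed: 55).
! A VACL is local to the switch it is configured on, so repeat
! this on every 3560 that carries VLAN 55, not only on the core.
vlan filter BLOCK-ITUNES vlan-list 55
!
! Port-ACL alternative for individual access ports (ingress only
! on a 3560). It ends with "permit ip any any": the thread's ACL
! permits only TCP and UDP, so its implicit deny at the end would
! also drop ICMP and any other IP protocol on that port.
ip access-list extended BLOCK-ITUNES-PACL
 deny   tcp any any eq 3689
 deny   udp any any eq 5353
 permit ip any any
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 55
 ip access-group BLOCK-ITUNES-PACL in
!
! Verification:
!   show vlan access-map BLOCK-ITUNES
!   show vlan filter
!   show ip access-lists ITUNES-SHARING
```

With the VACL in place, iTunes clients on VLAN 55 stop seeing each other's libraries appear, because the mDNS announcements are dropped, and any library already listed can no longer be opened, because the TCP 3689 session is dropped. Choose the VACL when the goal is the whole VLAN and the port ACL when only specific ports (for example the ones feeding access points) should be filtered; on the 3560 the port ACL is ingress only, so traffic is stopped as it enters the switch from the PC or access point.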
 
So basically all I need is the ACL and the ip access-group 101 in? The VLANs are already done. I assume I can apply this to, let's say, a port that an access point is connected to and it will stop all traffic at the access point?
 
I'd venture to say that will probably work. Let us know. If it doesn't, you'll require a VACL as Buckweet said.
 
Applying the acl to the port works. I think the best plan would be to apply this ACL to all of my fiber ports, and all ports that an access point is plugged into.
 