Question

create+acl


Hello,

I'm new to scripting and creating ACL files and need help with denying a device from broadcasting mDNS on UDP port 5353. Also, can the address be a MAC address instead of an IP? We have the IP address, but its MAC address is referenced in logs and scans on our network. The device is being seen as an access point, but it's our phone system. Also, should the ACL be applied on all switches, including the core switch?

Thanks,
Kevin

10 replies

Userlevel 4
Kevin,

Is this on an Extreme device? The address can be the MAC in lieu of the IP, below is a brief example:

if {
    ethernet-source-address mac;
    ethernet-destination-address ff:ff:ff:ff:ff:ff;
    protocol udp;
    source-port port#;
    destination-port port#;
} then {
    action-modifier;
}
Yes it is. We have a summit x460 and 10 summit x440 edge switches.

Would this work?

entry deny_mdns {
    if {
        source-address mac 00:e0:07:06:cc:bb;
        protocol UDP;
        source-port 5353;
    } then {
        deny;
    }
}
Userlevel 4
Kevin,

If it is a broadcast I would add ethernet-destination-address ff:ff:ff:ff:ff:ff;

Also keep in mind that the syntax is "ethernet-source-address and ethernet-destination-address"

"source-address" is for IPs. Also from what I read the MAC for mDNS is 01:00:5E:00:00:FB and the IPv4 address is 224.0.0.251. You do not want to use the mac of the machine but rather the mac that the protocol sends out.
Ok, then perhaps this is what we should write and apply it just to the suspected port on the switch? Thanks for your help on this. Is the syntax correct?

entry deny_mdns {
    if {
        ethernet-source-address mac 00:e0:07:06:cc:bb;
        ethernet-destination-address 224.0.0.251;
        protocol udp;
        source-port 5353;
        destination-port 5353;
    } then {
        deny;
    }
}
Userlevel 4
Kevin,

Replace the ethernet-source-address with the MAC of mDNS, 01:00:5E:00:00:FB;

replace ethernet-destination-address with the broadcast MAC, which is ff:ff:ff:ff:ff:ff;

The source port is probably dynamic, so I would not specify that, but the destination port is 5353 for mDNS.

The syntax "ethernet-source-address" and "ethernet-destination-address" is for MAC addresses. The syntax "source-address" and "destination-address" is for IP addresses.
A recently published knowledge article is now available on this topic in GTAC Knowledge. http://gtacknowledge.extremenetworks.com/articles/Q_A/How-can-I-block-mDNS-with-an-ACL-using-MAC-add...
Then for the physical network card, 00:e0:07:06:cc:bb, which is broadcasting mDNS on port 2 of the switch, I would apply an ACL policy:

entry deny_mdns {
    if {
        ethernet-source-address 01:00:5E:00:00:FB;
        ethernet-destination-address ff:ff:ff:ff:ff:ff;
        protocol udp;
        destination-port 5353;
    } then {
        deny;
    }
}

How does this look? By default it's ingress so it's to be applied to the port on the switch where the network card is connected correct?
Userlevel 4
Kevin,

Looks good. It would be applied ingress on the port where it's originating from.
Thank you Joshua and Susan. If it turns out that the flow is going the other way, would I create a second file with the same statements for egress on the port?
Userlevel 4
Kevin,

The ACL will remain the same. The only thing that would change would be the port you apply it to, based on where it's originating.

http://gtacknowledge.extremenetworks.com/articles/Q_A/How-can-I-block-mDNS-with-an-ACL-using-MAC-add...
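The point the replies turn on is that mDNS is a multicast protocol: per RFC 6762 it is sent to the IPv4 group 224.0.0.251 on UDP destination port 5353, and per RFC 1112 that group maps to the Ethernet MAC 01:00:5e:00:00:fb (prefix 01:00:5e plus the low 23 bits of the group address). So the multicast MAC appears as the frame's destination, while the source MAC is the sending device's own address (here 00:e0:07:06:cc:bb from the thread), and the source UDP port may be ephemeral. The script below is an added example, not from the thread or from Extreme Networks: it derives the multicast MAC, renders an ACL entry in the policy syntax shown above, and evaluates constructed sample frames against the same match conditions so you can see which frames the rule would drop. The `Frame`, `evaluate` and `mdns_acl_policy` helpers are assumptions of this example; the switch does not evaluate policies this way.

```python
import ipaddress
from dataclasses import dataclass

MDNS_GROUP = "224.0.0.251"   # mDNS IPv4 multicast group (RFC 6762)
MDNS_PORT = 5353             # mDNS UDP destination port


def multicast_mac(ipv4: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC (RFC 1112):
    fixed prefix 01:00:5e, then the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(ipv4)
    if not addr.is_multicast:
        raise ValueError(f"{ipv4} is not a multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


@dataclass
class Frame:
    """Minimal view of one Ethernet/UDP frame (assumed helper for this example)."""
    src_mac: str
    dst_mac: str
    protocol: str
    src_port: int
    dst_port: int


def mdns_acl_policy(device_mac: str, entry_name: str = "deny_mdns") -> str:
    """Render a policy entry in the syntax used in the thread that drops mDNS
    from one device: match the device's source MAC, the mDNS multicast
    destination MAC, UDP, and destination port 5353 (source port left
    unspecified because it can be ephemeral)."""
    lines = [
        f"entry {entry_name} {{",
        "    if {",
        f"        ethernet-source-address {device_mac};",
        f"        ethernet-destination-address {multicast_mac(MDNS_GROUP)};",
        "        protocol udp;",
        f"        destination-port {MDNS_PORT};",
        "    } then {",
        "        deny;",
        "    }",
        "}",
    ]
    return "\n".join(lines)


def matches_mdns_rule(frame: Frame, device_mac: str) -> bool:
    """The same four match conditions the rendered entry expresses."""
    return (frame.src_mac.lower() == device_mac.lower()
            and frame.dst_mac.lower() == multicast_mac(MDNS_GROUP)
            and frame.protocol == "udp"
            and frame.dst_port == MDNS_PORT)


def evaluate(frames, device_mac: str):
    """Return 'deny' or 'permit' for each frame, as the ACL would on ingress."""
    return ["deny" if matches_mdns_rule(f, device_mac) else "permit" for f in frames]


# Constructed sample frames (not captured traffic). PHONE_MAC is the device
# address quoted in the thread.
PHONE_MAC = "00:e0:07:06:cc:bb"
SAMPLE_FRAMES = [
    Frame(PHONE_MAC, "01:00:5e:00:00:fb", "udp", 5353, 5353),          # mDNS announcement
    Frame(PHONE_MAC, "01:00:5e:00:00:fb", "udp", 49152, 5353),         # mDNS query, ephemeral source port
    Frame(PHONE_MAC, "ff:ff:ff:ff:ff:ff", "udp", 68, 67),              # DHCP broadcast, must pass
    Frame("00:11:22:33:44:55", "01:00:5e:00:00:fb", "udp", 5353, 5353),  # another host's mDNS, not matched
]

if __name__ == "__main__":
    print(mdns_acl_policy(PHONE_MAC))
    for frame, verdict in zip(SAMPLE_FRAMES, evaluate(SAMPLE_FRAMES, PHONE_MAC)):
        print(f"{verdict:6} {frame}")
```

The second sample frame is the reason the replies say not to match the source port: a query sent from an ephemeral port still reaches the group on destination port 5353, and the entry above drops it. The third frame shows that matching on the multicast destination MAC leaves the device's ordinary broadcast traffic (DHCP here) untouched, which is what you want when the goal is only to silence its mDNS announcements on the access port.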
