VACL Basics

Michael Sales
Level 1

Hi All,

I've been working with ACLs for a while and needed to filter some iTunes share traffic on a specific VLAN.

I assume VACLs will work for me. So, I created the following, but it doesn't seem to be working.

Can I get some assistance on this from anyone who's done this more than I have?

I'd appreciate it.

My intention is to block TCP 3689 and UDP 5353, which iTunes uses to share libraries.

Everything else is OK. This is enabled on a Cisco 4510 core and assigned to VLAN 100.

ip access-list extended itunes
 deny   tcp any any eq 3689 established
 deny   udp any any eq 5353
vlan access-map stopitunes
 action forward
 match ip address itunes
vlan access-map stopitunes
 action forward
!
vlan filter stopitunes vlan-list 100

--- Show output ---

4510-MDF#show access-list
Extended IP access list itunes
    10 deny tcp any any eq 3689 established (31006 matches)
    20 deny udp any any eq 5353 (1091101 matches)
    30 permit ip any any (659731373 matches)

1 Reply

Michael Sales
Level 1

I think I may have found my problem.

I should have used a permit statement, then let the VACL action drop under the first match condition.

I missed that for some reason.

ip access-list extended itunes
 permit tcp any any eq 3689 established
 permit udp any any eq 5353
vlan access-map stopitunes
 action drop
 match ip address itunes
vlan access-map stopitunes
 action forward
!
vlan filter stopitunes vlan-list 100

I think this is what I should have configured...

I will check in a second.
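
Pulling the two posts together, the configuration below is an added example, not either post's own config. It keeps the poster's ACL name, map name and VLAN, and assumes the sequence numbers 10 and 20. The reply has the key point right: in a VACL the ACL does not decide drop or forward. A permit ACE means "this packet matches this map entry", a deny ACE (or the implicit deny at the end of the ACL) means "no match, try the next map entry", and the entry's action decides what happens. That is why the first post's map forwarded everything: the deny ACEs never matched, the `30 permit ip any any` ACE visible in the show output matched every packet, and the entry's action was forward. Two further points a practitioner would want: `established` matches only TCP segments with ACK or RST set, so it lets the client's initial SYN to 3689 through and should be dropped from the ACE; and a packet that matches no entry in the access map is dropped, so the catch-all forward entry at the end must stay or VLAN 100 will be black-holed. VACLs on the Catalyst 4500 apply to traffic bridged within the VLAN as well as traffic routed into or out of it, which is why a router ACL on the SVI would not have stopped hosts on the same VLAN from reaching each other.

```cisco
! Added example, not the original poster's configuration.
! Intent as in the thread: drop iTunes/DAAP (TCP 3689) and mDNS (UDP 5353)
! on VLAN 100, forward everything else. Sequence numbers 10/20 are assumed.
!
! permit = "matches this map entry"; deny / implicit deny = "try next entry".
ip access-list extended itunes
 ! No "established": that keyword only matches segments with ACK or RST
 ! set, so the initial SYN to 3689 would pass. Match all TCP to 3689.
 permit tcp any any eq 3689
 ! mDNS goes to multicast 224.0.0.251:5353. Note this also silences every
 ! other Bonjour service on the VLAN (AirPlay, printer discovery, etc.).
 permit udp any any eq 5353
 ! Everything else falls to the implicit deny: no match here, so it
 ! proceeds to map entry 20 below instead of being dropped.
!
! Explicit sequence numbers remove any doubt about which entry is edited.
vlan access-map stopitunes 10
 match ip address itunes
 action drop
! Catch-all: a packet that matches no entry is dropped, so keep this.
vlan access-map stopitunes 20
 action forward
!
vlan filter stopitunes vlan-list 100
!
! Verification (run from exec mode):
!   show vlan access-map stopitunes   -> both entries with their actions
!   show vlan filter                  -> map stopitunes applied to VLAN 100
```

After applying it, confirm from a host on VLAN 100 that a TCP connection to another host's port 3689 fails to complete (the SYN is now dropped too), and that unrelated traffic on the VLAN is unaffected. If you later add more blocked services, add permit ACEs to the `itunes` ACL rather than new map entries, so the drop and forward logic stays in two entries.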
