Block multicast on Ethernet port of AP

I’m trying to block multicast (primarily mDNS) traffic from wireless clients from going out the Ethernet port of the AP. I’ve tried ACLs on both Ethernet 1 of the AP as well as on the WLANs, and I’m still seeing the multicast packets on the switch. For the Ethernet port the policy is Deny, direction Out, protocol UDP, source IP any, source port any, destination IP any, destination port 5353. For the WLAN I have action Deny, direction Any, protocol any, source IP/mask any/any, destination IP/mask 224.0.0.0 255.255.255.0, and WLAN to WLAN is checked. Any ideas what I’m doing wrong? APs are XV2s and XE3s.

Hi @3-dBnetworks

You can apply the below configuration to your AP to block mDNS traffic passing out of the AP Ethernet Port:

!
filter  global-filter
  stateful
  application-control
  filter precedence 1
     layer3-filter deny proto udp any/any any any/any 5353 any  //Drop-mDNS-Packets 
     exit
!

Here is how you can enable this via cnMaestro:

Go to Configuration - Wi-Fi Profiles - Access Control Policies - Add AP Group Policy - IP and Application Filtering Rules - Add New - Create the Policy - Update.

Then, Go to Wi-Fi AP Groups - Edit - Access Control - Check the ‘Enable Access Control’ option - Choose the Policy that was created in the previous step - Save.

Note: Enabling this setting via CLI/cnMaestro will deactivate the discoverability of other devices utilizing mDNS for device discovery.
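Before pushing a layer-3 filter to a whole AP group, it helps to check what the rule will and will not catch. The script below is an added example, not Cambium's code and not part of the thread: it models the matching semantics of a "layer3-filter deny proto <proto> <src-net> <src-port> <dst-net> <dst-port>" line (protocol, source network and port, destination network and port, with "any" as a wildcard; direction is not modelled, and the field semantics are an assumption based on the rule shown above) and runs the two rules from this thread over a handful of constructed packets. It goes slightly beyond the thread by including SSDP and IGMP samples to show that a UDP/5353 rule only covers mDNS, and that a 224.0.0.0/24 destination mask only covers link-local multicast, not the 239.255.255.250 group SSDP uses.

```python
"""Evaluate layer-3 deny rules against sample packets (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    label: str
    proto: str            # "udp", "tcp", "igmp", ...
    src_ip: str
    src_port: Optional[int]   # None for protocols without ports
    dst_ip: str
    dst_port: Optional[int]


@dataclass(frozen=True)
class L3Filter:
    """One deny rule; each field is 'any' or a concrete value (assumed semantics)."""
    name: str
    proto: str = "any"
    src_net: str = "any"
    src_port: str = "any"
    dst_net: str = "any"
    dst_port: str = "any"

    def matches(self, pkt: Packet) -> bool:
        return (
            _proto_ok(self.proto, pkt.proto)
            and _net_ok(self.src_net, pkt.src_ip)
            and _port_ok(self.src_port, pkt.src_port)
            and _net_ok(self.dst_net, pkt.dst_ip)
            and _port_ok(self.dst_port, pkt.dst_port)
        )


def _proto_ok(spec: str, proto: str) -> bool:
    return spec == "any" or spec.lower() == proto.lower()


def _net_ok(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    # Accept "a.b.c.d/24", "a.b.c.d/255.255.255.0" or the cnMaestro-style "a.b.c.d 255.255.255.0".
    net = ipaddress.ip_network(spec.replace(" ", "/"), strict=False)
    return ipaddress.ip_address(ip) in net


def _port_ok(spec: str, port: Optional[int]) -> bool:
    if spec == "any":
        return True
    if port is None:
        return False          # a port constraint can never match a port-less protocol
    if "-" in spec:           # simple "lo-hi" range
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def dropped_by(rule: L3Filter, packets: List[Packet]) -> List[str]:
    """Labels of packets the deny rule would drop."""
    return [p.label for p in packets if rule.matches(p)]


def passed_by(rule: L3Filter, packets: List[Packet]) -> List[str]:
    """Labels of packets the deny rule would let through."""
    return [p.label for p in packets if not rule.matches(p)]


# The rule from the answer: layer3-filter deny proto udp any/any any any/any 5353 any
MDNS_RULE = L3Filter("Drop-mDNS-Packets", proto="udp", dst_port="5353")
# The WLAN ACL from the question: any protocol, destination 224.0.0.0 255.255.255.0
LOCAL_MCAST_RULE = L3Filter("Drop-224.0.0.0/24", dst_net="224.0.0.0 255.255.255.0")

# Constructed sample traffic (addresses and labels are made up for this example).
SAMPLE_PACKETS = [
    Packet("mdns-query", "udp", "192.168.1.20", 5353, "224.0.0.251", 5353),
    Packet("mdns-unicast-reply", "udp", "192.168.1.20", 5353, "192.168.1.30", 5353),
    Packet("ssdp-notify", "udp", "192.168.1.20", 50000, "239.255.255.250", 1900),
    Packet("igmp-report", "igmp", "192.168.1.20", None, "224.0.0.22", None),
    Packet("dns-query", "udp", "192.168.1.20", 40000, "192.168.1.1", 53),
]

if __name__ == "__main__":
    for rule in (MDNS_RULE, LOCAL_MCAST_RULE):
        print(f"{rule.name}: drops {dropped_by(rule, SAMPLE_PACKETS)}, "
              f"passes {passed_by(rule, SAMPLE_PACKETS)}")
```

Run it as-is to see the two rules side by side: the UDP/5353 rule drops both the multicast mDNS query and a unicast reply to port 5353 but lets SSDP and IGMP through, while the 224.0.0.0/24 rule drops the mDNS query and IGMP reports but misses the unicast reply and SSDP. Neither rule is wrong; they simply cover different traffic, which is worth knowing before deciding which one to attach to the AP group.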

I ended up getting this to work using a similar ACL rule applied to the AP group. The exact same filter applied to the WLAN or Ethernet port did not work.