The one point to remember with ACLs on the MS switches is that they’re applied to all traffic entering the switch, not going between VLANs - hence why there is no default deny all, as that would render the switch inoperative out of the box (it would just deny everything). And they’re stateless too - so just because they allow traffic in one direction, doesn’t mean they’ll let it come back the other way.
As you’ve discovered this actually provides some great flexibility as it means you can actually stop clients from communicating within a VLAN.
It also means that to stop communication between VLANs you could use deny rules that specify the source IP as any, the destination IP as the other VLAN's subnet, and apply it to the source VLAN, simple as that. Then you don't actually need the rules on the firewall to block inter-VLAN traffic as it is blocked as it enters the network.
There are a couple of gotchas to watch out for. The MS390 switches still have limitations on support for switch ACLs, and the MS120/125 switch models also have restrictions.
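Worked example (added here, not from the post above or from Meraki): a small stateless, first-match ACL evaluator that models the behaviour described, with rules keyed to the VLAN the traffic enters on and an implicit allow at the end. It builds the "deny any -> other VLAN's subnet, applied to the source VLAN" rules for a set of VLANs, adds an intra-VLAN deny, and then shows the stateless gotcha: an allow for clients to reach a server is not enough on its own, because the server's replies enter on the other VLAN and hit that VLAN's deny unless they get their own allow. The subnets, addresses and rule field names are constructed for illustration.

```python
"""Stateless first-match switch-ACL model. Added example; the rule fields
(policy, src/dst CIDR, ports, protocol, ingress VLAN) and the sample
subnets are assumptions, not a real switch's configuration schema."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample topology: VLAN id -> subnet.
SUBNETS = {10: "10.0.10.0/24", 20: "10.0.20.0/24"}


@dataclass
class Rule:
    policy: str            # "allow" or "deny"
    src_cidr: str = "any"
    dst_cidr: str = "any"
    protocol: str = "any"  # "tcp", "udp" or "any"
    src_port: str = "any"
    dst_port: str = "any"
    vlan: str = "any"      # VLAN the packet enters the switch on, or "any"
    comment: str = ""


@dataclass
class Packet:
    vlan: int              # ingress VLAN
    src: str
    dst: str
    protocol: str = "tcp"
    src_port: int = 0
    dst_port: int = 0


def _cidr_match(cidr, addr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    return (
        (rule.vlan == "any" or int(rule.vlan) == pkt.vlan)
        and rule.protocol in ("any", pkt.protocol)
        and _cidr_match(rule.src_cidr, pkt.src)
        and _cidr_match(rule.dst_cidr, pkt.dst)
        and _port_match(rule.src_port, pkt.src_port)
        and _port_match(rule.dst_port, pkt.dst_port)
    )


def evaluate(rules, pkt):
    """First matching rule decides; no match falls through to the implicit allow."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.policy
    return "allow"


def inter_vlan_deny_rules(subnets):
    """For every VLAN, deny traffic entering on it whose destination is any
    other VLAN's subnet (source any), exactly the pattern the post describes."""
    rules = []
    for vlan in subnets:
        for other_vlan, other_cidr in subnets.items():
            if other_vlan != vlan:
                rules.append(Rule("deny", dst_cidr=other_cidr, vlan=str(vlan),
                                  comment=f"VLAN {vlan} -> VLAN {other_vlan}"))
    return rules


def build_example_acl(with_reply_allow=True):
    """Constructed policy: VLAN 10 clients may reach one HTTPS server in VLAN 20,
    clients inside VLAN 10 may not talk to each other, everything else between
    VLANs is blocked. Allows must sit above the broad denies (first match wins)."""
    rules = [
        Rule("allow", src_cidr="10.0.10.0/24", dst_cidr="10.0.20.5/32",
             protocol="tcp", dst_port="443", vlan="10", comment="clients -> https"),
    ]
    if with_reply_allow:
        # Stateless ACL: the server's replies enter on VLAN 20 and need their own allow.
        rules.append(Rule("allow", src_cidr="10.0.20.5/32", src_port="443",
                          dst_cidr="10.0.10.0/24", protocol="tcp", vlan="20",
                          comment="https replies -> clients"))
    rules.append(Rule("deny", src_cidr="10.0.10.0/24", dst_cidr="10.0.10.0/24",
                      vlan="10", comment="no client-to-client inside VLAN 10"))
    return rules + inter_vlan_deny_rules(SUBNETS)


def vlan_of(addr):
    for vlan, cidr in SUBNETS.items():
        if ip_address(addr) in ip_network(cidr):
            return vlan
    raise ValueError(f"{addr} not in a known subnet")


def reply_of(pkt):
    """The return packet of a flow, entering the switch on the responder's VLAN."""
    return Packet(vlan=vlan_of(pkt.dst), src=pkt.dst, dst=pkt.src,
                  protocol=pkt.protocol, src_port=pkt.dst_port, dst_port=pkt.src_port)


def evaluate_flow(rules, pkt):
    """Decision for the forward packet and for its reply, evaluated independently."""
    return evaluate(rules, pkt), evaluate(rules, reply_of(pkt))


if __name__ == "__main__":
    https = Packet(10, "10.0.10.7", "10.0.20.5", "tcp", 51000, 443)
    print("with reply allow:   ", evaluate_flow(build_example_acl(), https))
    print("without reply allow:", evaluate_flow(build_example_acl(False), https))
    print("intra-VLAN 10:      ", evaluate(build_example_acl(), Packet(10, "10.0.10.7", "10.0.10.8")))
    print("VLAN 10 -> VLAN 20 ssh:", evaluate(build_example_acl(), Packet(10, "10.0.10.7", "10.0.20.9", "tcp", 40000, 22)))
```

The second case is the one to watch for in practice: dropping only the reply-direction allow turns a working HTTPS session into a SYN that gets through and a SYN-ACK that is silently discarded on its way back, which looks like a timeout rather than a block. VLAN 20 client-to-client traffic is still allowed here because nothing matches it and the model falls through to the implicit allow the post mentions.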