Theoretically you are right, Peter. But IMHO it is just another oversight from Cisco. I wonder if it's possible to test and confirm if we connect two Macs to the switch configured with the first variant of your MAC ACL. I can actually do it but later this week.
Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of "Peter Jorgensen"
Sent: Monday, September 03, 2012 1:49 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Prevent AppleTalk attack on switchport: - appletalk keyword

Prevent AppleTalk attack on switchport fa0/10.

My first solution:

!
mac access-list extended MAC_ACL
 deny host 1234.1234.1234 any eq appletalk
 permit any any
!
interface fa0/10
 mac access-group MAC_ACL in

But I found this in the documentation:

------------------------------------------------------------------------------------------------------------------------------------------------
NOTE: Cisco doc 3560SCG 12.2(44)SE (Creating Named MAC Extended ACLs page 32-26).
- Though visible in the command-line help strings, AppleTalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands.
------------------------------------------------------------------------------------------------------------------------------------------------

Solution: Use ethertype 0x809B for AppleTalk (EtherTalk).

So my solution should instead look like this:

mac access-list extended MAC_ACL
 deny host 1234.1234.1234 any eq 0x809B
 permit any any
!
interface fa0/10
 mac access-group MAC_ACL in

Can anyone confirm that this assumption is correct?
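To see exactly what the second ACL variant matches, the following Python script (an added example, not code from the thread or from Cisco) builds a few constructed Ethernet frames and evaluates them against a model of "deny host 1234.1234.1234 any 0x809B / permit any any". The second station address 0050.56ab.cdef and the payload bytes are made up for the example. The model assumes the switch applies the EtherType match to both Ethernet II frames and 802.3 frames carrying an LLC/SNAP header (the encapsulation EtherTalk Phase 2 uses), which is how the Catalyst documentation describes the type/mask match. It also includes an AARP frame (EtherType 0x80F3, AppleTalk's address resolution protocol) to show that an ACL matching only 0x809B leaves that traffic permitted; the 3560 MAC ACL syntax has a separate aarp keyword for it.

```python
import struct

# EtherType values relevant to the thread. 0x809B is the value used in the ACL;
# 0x80F3 (AARP) is AppleTalk address resolution, which that ACL does not match.
# 0x0800 (IPv4) is included as ordinary non-AppleTalk traffic.
ETHERTYPE_APPLETALK = 0x809B
ETHERTYPE_AARP = 0x80F3
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses: the host from the ACL in the thread and a
# second, hypothetical station that the ACL should leave alone.
BLOCKED_HOST = "1234.1234.1234"
OTHER_HOST = "0050.56ab.cdef"
BROADCAST = "ffff.ffff.ffff"


def mac_to_bytes(dotted):
    """Convert Cisco dotted notation ('1234.1234.1234') to 6 raw bytes."""
    hexstr = dotted.replace(".", "")
    if len(hexstr) != 12:
        raise ValueError("bad MAC address: %r" % dotted)
    return bytes.fromhex(hexstr)


def bytes_to_mac(raw):
    """Inverse of mac_to_bytes, producing lower-case dotted notation."""
    h = raw.hex()
    return "%s.%s.%s" % (h[0:4], h[4:8], h[8:12])


def build_ethernet_ii(dst, src, ethertype, payload):
    """Ethernet II frame: dst, src, 2-byte EtherType, payload."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def build_snap(dst, src, ethertype, payload):
    """802.3 frame with LLC/SNAP header (EtherTalk Phase 2 encapsulation):
    length field, LLC AA AA 03, SNAP OUI 00 00 00, then the 2-byte type."""
    body = b"\xaa\xaa\x03" + b"\x00\x00\x00" + struct.pack("!H", ethertype) + payload
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", len(body)) + body


def classify(frame):
    """Return (source MAC in dotted form, protocol type or None).

    A value >= 0x0600 in bytes 12-13 is an EtherType (Ethernet II). A smaller
    value is an 802.3 length; if an LLC/SNAP header follows, the SNAP type is
    reported. Modelling assumption: the ACL's type match covers both forms.
    """
    if len(frame) < 14:
        raise ValueError("truncated frame")
    src = bytes_to_mac(frame[6:12])
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:
        return src, type_or_len
    llc = frame[14:22]
    if len(llc) == 8 and llc[:3] == b"\xaa\xaa\x03":
        return src, struct.unpack("!H", llc[6:8])[0]
    return src, None  # raw 802.3 or non-SNAP LLC: nothing for a type match


def mac_acl_action(frame, blocked_src=BLOCKED_HOST, blocked_type=ETHERTYPE_APPLETALK):
    """Evaluate the thread's ACL: deny <host> any <type>, then permit any any."""
    src, ptype = classify(frame)
    if src == blocked_src.lower() and ptype == blocked_type:
        return "deny"
    return "permit"


def run_samples():
    """Apply the ACL to constructed frames; returns a name -> action mapping."""
    pad = b"\x00" * 20  # constructed dummy payload
    samples = {
        "ddp_ethernet_ii_from_blocked_host": build_ethernet_ii(BROADCAST, BLOCKED_HOST, ETHERTYPE_APPLETALK, pad),
        "ddp_snap_from_blocked_host": build_snap(BROADCAST, BLOCKED_HOST, ETHERTYPE_APPLETALK, pad),
        "aarp_from_blocked_host": build_ethernet_ii(BROADCAST, BLOCKED_HOST, ETHERTYPE_AARP, pad),
        "ipv4_from_blocked_host": build_ethernet_ii(OTHER_HOST, BLOCKED_HOST, ETHERTYPE_IPV4, pad),
        "ddp_from_other_host": build_ethernet_ii(BROADCAST, OTHER_HOST, ETHERTYPE_APPLETALK, pad),
    }
    return {name: mac_acl_action(frame) for name, frame in samples.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print("%-36s %s" % (name, action))
```

Running it shows both the Ethernet II and the SNAP-encapsulated 0x809B frames from the listed host denied, while AARP and IPv4 from that host, and AppleTalk from any other host, fall through to the permit. If the intent is to stop the host from participating in AppleTalk at all, the AARP traffic is the gap this exercise makes visible.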
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
