Thank you so far....
In CCIE Sec. Workbook vol 2 - LAB 11 - Task 7.3 - the keyword appletalk is used to solve the task. However, I was confused when I read the note in the Cisco documentation on the restriction of the use of the appletalk keyword. So to be on the safe side I thought it's probably best to use ether type 0x809B.
/Peter
I'll give it a try. We're mostly an Apple shop. Not sure we have any AppleTalk left though.
Respectfully,
Brian Clarke
From: Eugene Pefti <[email protected]>
Date: Tuesday, September 4, 2012 1:35 AM
To: "Peter Jørgensen" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Security] Prevent AppleTalk attack on switchport: - appletalk keyword
Theoretically you are right, Peter.
But IMHO it is just another oversight from Cisco.
I wonder if it's possible to test and confirm if we connect two Macs to the switch configured with the first variant of your MAC ACL.
I can actually do it but later this week.
Eugene
From: [email protected] [mailto:[email protected]] On Behalf Of "Peter Jorgensen"
Sent: Monday, September 03, 2012 1:49 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Prevent AppleTalk attack on switchport: - appletalk keyword
Prevent AppleTalk attack on switchport fa0/10.
My first solution:
!
mac access-list extended MAC_ACL
 deny host 1234.1234.1234 any appletalk
 permit any any
!
interface fa0/10
 mac access-group MAC_ACL in
But I found this in the documentation:
------------------------------------------------------------------------------------------------------------------------------------------------
NOTE:
Cisco doc 3560SCG 12.2(44)SE (Creating Named MAC Extended ACLs, page 32-26).
– Though visible in the command-line help strings, AppleTalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands.
------------------------------------------------------------------------------------------------------------------------------------------------
Solution: Use ethertype 0x809B for AppleTalk (EtherTalk).
So my solution should instead look like this:
mac access-list extended MAC_ACL
 ! EtherType is followed by a mask of don't-care bits; 0x0 means exact match on 0x809B
 deny host 1234.1234.1234 any 0x809B 0x0
 permit any any
!
interface fa0/10
 mac access-group MAC_ACL in
Can anyone confirm that this assumption is correct?
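The point being debated above is how a MAC ACL entry keyed on EtherType 0x809B actually decides what to drop. The script below is an added example, not code from this thread or from Cisco: it builds a few constructed Ethernet frames and evaluates them against the semantics of a Catalyst-style entry such as `deny host 1234.1234.1234 any 0x809B 0x0`. Two details matter in practice and are easy to miss when reading the ACL: EtherTalk Phase 2 carries DDP in 802.3 frames with an 802.2 SNAP header (the protocol type sits at offset 20, not 12), and AppleTalk address resolution (AARP) uses its own EtherType, 0x80F3, so a single 0x809B line does not stop it. The script assumes, based on the 3560 configuration guide wording that a type match applies to "Ethernet II or SNAP encapsulation", that the switch also matches the SNAP-encapsulated type; that assumption is flagged in the code and was not tested on hardware here. All MAC addresses, frame contents and helper names are made up for the example.

```python
"""Added example: evaluate constructed Ethernet frames against the semantics of
a Catalyst-style MAC ACL entry  'deny host 1234.1234.1234 any 0x809B 0x0'.
Not from the original thread or from Cisco; frames are constructed inline."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_APPLETALK = 0x809B     # EtherTalk DDP
ETHERTYPE_AARP = 0x80F3          # AppleTalk Address Resolution Protocol
LLC_SNAP = b"\xAA\xAA\x03"       # DSAP=SSAP=0xAA, UI control: SNAP follows
SNAP_OUI_APPLE = b"\x08\x00\x07"  # OUI used by EtherTalk Phase 2 for DDP
SNAP_OUI_ENCAP = b"\x00\x00\x00"  # OUI used for AARP

SUSPECT = "1234.1234.1234"       # host in the deny line (made up)
AT_BCAST = "0900.07ff.ffff"      # EtherTalk Phase 2 broadcast address


def mac_bytes(cisco_mac):
    """Convert Cisco dotted notation ('1234.1234.1234') to six raw bytes."""
    return bytes.fromhex(cisco_mac.replace(".", ""))


def build_ethernet_ii(src, dst, etype, payload=b"\x00" * 46):
    """Ethernet II frame: the EtherType sits directly at offset 12."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", etype) + payload


def build_snap(src, dst, oui, etype, payload=b"\x00" * 38):
    """802.3 length field + 802.2 LLC + SNAP header, as EtherTalk Phase 2 uses."""
    body = LLC_SNAP + oui + struct.pack("!H", etype) + payload
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", len(body)) + body


def build_tagged(vlan, frame):
    """Insert an 802.1Q tag into an existing frame."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan) + frame[12:]


def parse_frame(frame):
    """Return (src_mac, ethertype, encapsulation).

    Skips one 802.1Q tag, treats a type/length value >= 0x0600 as an
    Ethernet II EtherType, and otherwise looks for an 802.2 SNAP header.
    ethertype is None for an 802.3 frame with a non-SNAP LLC header."""
    src = frame[6:12]
    off = 12
    (tl,) = struct.unpack("!H", frame[off:off + 2])
    if tl == ETHERTYPE_8021Q:
        off += 4
        (tl,) = struct.unpack("!H", frame[off:off + 2])
    if tl >= 0x0600:
        return src, tl, "ethernet-ii"
    if frame[off + 2:off + 5] == LLC_SNAP:
        (etype,) = struct.unpack("!H", frame[off + 8:off + 10])
        return src, etype, "snap"
    return src, None, "llc"


def acl_entry_matches(frame, src_host, etype, mask=0x0000):
    """'deny host <src> any <type> <mask>': mask bits are don't-care bits of
    the EtherType (0x0 = exact match). Matching the type inside SNAP as well
    as Ethernet II is an ASSUMPTION taken from the config guide wording."""
    src, ft, _ = parse_frame(frame)
    if ft is None:
        return False
    care = ~mask & 0xFFFF
    return src == mac_bytes(src_host) and (ft & care) == (etype & care)


def naive_type_field_only(frame, src_host, etype):
    """A filter that only reads bytes 12-13; shown to contrast with the ACL."""
    (t,) = struct.unpack("!H", frame[12:14])
    return frame[6:12] == mac_bytes(src_host) and t == etype


# Constructed sample frames, named by what they carry.
FRAMES = {
    "ddp_snap": build_snap(SUSPECT, AT_BCAST, SNAP_OUI_APPLE, ETHERTYPE_APPLETALK),
    "aarp_snap": build_snap(SUSPECT, AT_BCAST, SNAP_OUI_ENCAP, ETHERTYPE_AARP),
    "ddp_eth2": build_ethernet_ii(SUSPECT, AT_BCAST, ETHERTYPE_APPLETALK),
    "ddp_eth2_tagged": build_tagged(10, build_ethernet_ii(SUSPECT, AT_BCAST, ETHERTYPE_APPLETALK)),
    "ipv4_eth2": build_ethernet_ii(SUSPECT, "0011.2233.4455", ETHERTYPE_IPV4),
    "ddp_other_host": build_ethernet_ii("aaaa.bbbb.cccc", AT_BCAST, ETHERTYPE_APPLETALK),
}


def evaluate(frames=FRAMES):
    """Return {name: (denied_by_acl_entry, denied_by_naive_filter)}."""
    return {
        name: (acl_entry_matches(f, SUSPECT, ETHERTYPE_APPLETALK, 0x0000),
               naive_type_field_only(f, SUSPECT, ETHERTYPE_APPLETALK))
        for name, f in frames.items()
    }


if __name__ == "__main__":
    for name, (acl, naive) in evaluate().items():
        print(f"{name:16s} acl_denies={str(acl):5s} naive_denies={naive}")
```

Running it shows the SNAP-encapsulated DDP frame and the 802.1Q-tagged frame are denied by the ACL entry but missed by a filter that only looks at offset 12, the IPv4 frame and the frame from another host are untouched, and the AARP frame passes in both cases; stopping AARP from the same host would need a second deny line for 0x80F3 (or a mask wide enough to cover both types, at the cost of also catching other 0x80xx types), which is worth checking on the lab switch along with the appletalk keyword question above.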
--
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
