Hello guys, I wonder if this was tested?

Eugene

From: Brian Clarke [mailto:[email protected]]
Sent: Monday, September 03, 2012 10:55 PM
To: Eugene Pefti; "Peter Jørgensen"; [email protected]
Subject: Re: [OSL | CCIE_Security] Prevent AppleTalk attack on switchport: - appletalk keyword

I'll give it a try. We're mostly an Apple shop. Not sure we have any AppleTalk left though.

Respectfully,
Brian Clarke

From: Eugene Pefti <[email protected]>
Date: Tuesday, September 4, 2012 1:35 AM
To: "Peter Jørgensen" <[email protected]>, [email protected]
Subject: Re: [OSL | CCIE_Security] Prevent AppleTalk attack on switchport: - appletalk keyword

Theoretically you are right, Peter. But IMHO it is just another oversight from Cisco. I wonder if it's possible to test and confirm if we connect two Macs to the switch configured with the first variant of your MAC ACL. I can actually do it but later this week.

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Peter Jorgensen
Sent: Monday, September 03, 2012 1:49 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Prevent AppleTalk attack on switchport: - appletalk keyword

Prevent AppleTalk attack on switchport fa0/10.

My first solution:

!
mac access-list extended MAC_ACL
 deny host 1234.1234.1234 any eq appletalk
 permit any any
!
interface fa0/10
 mac access-group MAC_ACL in

But I found this in the documentation:

--------------------------------------------------------------------------------
NOTE: Cisco doc 3560SCG 12.2(44)SE (Creating Named MAC Extended ACLs, page 32-26):
- Though visible in the command-line help strings, AppleTalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands.
--------------------------------------------------------------------------------

Solution: Use ethertype 0x809B for AppleTalk (EtherTalk). So my solution should instead look like this:

mac access-list extended MAC_ACL
 deny host 1234.1234.1234 any eq 0x809B
 permit any any
!
interface fa0/10
 mac access-group MAC_ACL in

Can anyone confirm that this assumption is correct?
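As an added illustration (not part of the thread and not Cisco code), the following Python models the second MAC ACL from the thread against constructed Ethernet frames, to show what a numeric EtherType match of 0x809B does and does not cover. It assumes: a second, arbitrary source MAC (0011.2233.4455) for contrast; that AppleTalk ARP (AARP) rides in its own EtherType 0x80F3, so the ACL as written does not touch it; and that the numeric type is also compared against the protocol ID of SNAP-encapsulated frames, which is how Cisco documents the type argument on the 3560 (verify on your own platform). The ACL text and the 1234.1234.1234 address are taken from the thread; the frames and the parser are constructed here.

```python
"""Offline model of the MAC ACL from the thread (added example, not Cisco code):
    deny host 1234.1234.1234 any eq 0x809B
    permit any any
evaluated inbound against constructed Ethernet frames."""
import struct

# 0x809B is the EtherTalk value from the thread. AARP (0x80F3) and IPv4 (0x0800)
# are added here for contrast; they are well-known registered EtherTypes.
ETHERTALK, AARP, IPV4 = 0x809B, 0x80F3, 0x0800
SNAP_LLC = b"\xaa\xaa\x03"      # LLC header (DSAP/SSAP 0xAA, UI) preceding a SNAP header
APPLE_OUI = b"\x08\x00\x07"     # SNAP OUI used by EtherTalk Phase 2 (assumption for the sample)


def mac_bytes(dotted):
    """Cisco notation '1234.1234.1234' -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


def ethernet2(dst, src, ethertype, payload=b"\x00" * 46):
    """Ethernet II frame: dst, src, 16-bit EtherType, payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def snap(dst, src, oui, pid, payload=b"\x00" * 38):
    """802.3 frame (length field) carrying LLC/SNAP with the given OUI and protocol ID."""
    body = SNAP_LLC + oui + struct.pack("!H", pid) + payload
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", len(body)) + body


def classify(frame):
    """Return (dst, src, type). type is the Ethernet II EtherType, the SNAP protocol
    ID for an 802.3/LLC/SNAP frame, or None for any other 802.3 frame."""
    dst, src = frame[:6], frame[6:12]
    field = struct.unpack("!H", frame[12:14])[0]
    if field >= 0x0600:                        # Ethernet II: the field is a type
        return dst, src, field
    if frame[14:17] == SNAP_LLC:               # 802.3 length, then LLC/SNAP
        return dst, src, struct.unpack("!H", frame[20:22])[0]
    return dst, src, None


def parse_mac_acl(text):
    """Parse 'permit|deny <src> <dst> [eq TYPE | TYPE [MASK]]' lines into rules.
    Addresses are 'any' or 'host X'. Other lines ('mac access-list ...', '!') are skipped.
    A protocol keyword such as 'appletalk' is rejected, matching the doc note in the thread."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        action, i, addrs = tok[0], 1, []
        for _ in range(2):                     # source, then destination
            if tok[i] == "any":
                addrs.append(None)
                i += 1
            elif tok[i] == "host":
                addrs.append(mac_bytes(tok[i + 1]))
                i += 2
            else:
                raise ValueError(f"unsupported address form in: {line}")
        rest = tok[i:]
        if rest and rest[0] == "eq":           # form used in the thread
            rest = rest[1:]
        etype = int(rest[0], 0) if rest else None      # keyword -> ValueError
        mask = int(rest[1], 0) if len(rest) > 1 else 0  # IOS-style don't-care mask
        rules.append((action, addrs[0], addrs[1], etype, mask))
    return rules


def evaluate(rules, frame):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    dst, src, ftype = classify(frame)
    for action, r_src, r_dst, r_type, mask in rules:
        if r_src is not None and r_src != src:
            continue
        if r_dst is not None and r_dst != dst:
            continue
        if r_type is not None and (ftype is None or (ftype ^ r_type) & (0xFFFF & ~mask)):
            continue
        return action
    return "deny"


MAC_ACL = """
mac access-list extended MAC_ACL
 deny host 1234.1234.1234 any eq 0x809B
 permit any any
"""
RULES = parse_mac_acl(MAC_ACL)

# Constructed sample traffic: the address from the thread plus a second host.
BLOCKED, OTHER, BCAST = "1234.1234.1234", "0011.2233.4455", "ffff.ffff.ffff"


def verdicts():
    """Map a description of each constructed frame to the ACL's verdict."""
    samples = {
        "blocked host, EtherTalk (Ethernet II)": ethernet2(BCAST, BLOCKED, ETHERTALK),
        "blocked host, EtherTalk (SNAP)": snap(BCAST, BLOCKED, APPLE_OUI, ETHERTALK),
        "blocked host, AARP": ethernet2(BCAST, BLOCKED, AARP),
        "blocked host, IPv4": ethernet2(OTHER, BLOCKED, IPV4),
        "other host, EtherTalk": ethernet2(BCAST, OTHER, ETHERTALK),
    }
    return {name: evaluate(RULES, f) for name, f in samples.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:6}  {name}")
```

Running it shows the two EtherTalk frames from 1234.1234.1234 denied and everything else permitted. The AARP line is the caveat: because the ACL names only 0x809B, AppleTalk address resolution from the same host still passes, so a practitioner who wants the whole protocol family gone would need a second deny line for 0x80F3, and `parse_mac_acl("deny any any appletalk")` raises, mirroring the documentation note that the keyword is not a usable match condition.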
