Hi,
I googled on the internet and found the following link:
From http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=4
Switch(config)# mac access-list extended my-mac-acl
Switch(config-ext-macl)# deny any any aarp
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# exit
Switch(config)# interface Fastethernet0/10
Switch(config-if)# mac access-group my-mac-acl in
Switch(config-if)# end
Switch#
Not sure whether this helps?
On 11/9/2012 8:07 AM, Eugene Pefti wrote:
That was my point, Matt, and I mostly relied on Brian's attempt to test it.
I know that it's hard to see Macs capable of talking appletalk nowadays. Just
wondering if it is prudent to see the proctor in case having a task with
appletalk and tell him/her that I'm aware of this bug and do they expect me to
use an ether type or just use an available option.
Eugene
-----Original Message-----
From: Matt Hill [mailto:[email protected]]
Sent: Monday, September 10, 2012 4:53 PM
To: Eugene Pefti
Cc: Brian Clarke; "Peter Jørgensen"; [email protected]
Subject: Re: [OSL | CCIE_Security] Prevent AppleTalk attack on switchport: - appletalk keyword
You can't get tested on something which is a bug that only appears in certain
versions of code. Granted 12.2(44)SE is specified in the blueprint, but that
is a bit rich.
Especially when one considers that the grading script would be looking for a
"show" command here, because it is unlikely they will have some traffic
generator spitting out Appletalk frames. Not that Apple computers have even used
Appletalk (by default) since quite some time ago. Kind of like IPX - remember that one?
Cheers,
Matt
CCIE #22386
CCSI #31207
On 11 September 2012 09:26, Eugene Pefti <[email protected]> wrote:
Hello guys,
I wonder if this was tested?
Eugene
From: Brian Clarke [mailto:[email protected]]
Sent: Monday, September 03, 2012 10:55 PM
To: Eugene Pefti; "Peter Jørgensen"; [email protected]
Subject: Re: [OSL | CCIE_Security] Prevent AppleTalk attack on switchport: - appletalk keyword
I'll give it a try. We're mostly an Apple shop. Not sure we have
any AppleTalk left though.
Respectfully,
Brian Clarke
From: Eugene Pefti <[email protected]>
Date: Tuesday, September 4, 2012 1:35 AM
To: "Peter Jørgensen" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Security] Prevent AppleTalk attack on switchport: - appletalk keyword
Theoretically you are right, Peter.
But IMHO it is just another oversight from Cisco. I wonder if it's
possible to test and confirm if we connect two Macs to the switch
configured with the first variant of your MAC ACL.
I can actually do it but later this week.
Eugene
From: [email protected]
[mailto:[email protected]] On Behalf Of "Peter
Jorgensen"
Sent: Monday, September 03, 2012 1:49 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Prevent AppleTalk attack on switchport: - appletalk keyword
Prevent AppleTalk attack on switchport fa0/10.
My first solution:
!
mac access-list extended MAC_ACL
 deny host 1234.1234.1234 any eq appletalk
 permit any any
!
interface fa0/10
 mac access-group MAC_ACL in
But I found this in the documentation:
----------------------------------------------------------------------
NOTE:
Cisco doc 3560SCG 12.2(44)SE (Creating Named MAC Extended ACLs page 32-26).
- Though visible in the command-line help strings, AppleTalk is not
supported as a matching condition for
the deny and permit MAC access-list configuration mode commands.
----------------------------------------------------------------------
Solution: Use ethertype 0x809B for Appletalk (Ethertalk).
So my solution should instead look like this:
mac access-list extended MAC_ACL
 deny host 1234.1234.1234 any eq 0x809B
 permit any any
!
interface fa0/10
 mac access-group MAC_ACL in
Can anyone confirm that this assumption is correct?
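Added example, not code from the thread or from Cisco: a small Python model of first-match MAC ACL evaluation over constructed Ethernet II frames, run against Peter's second ACL (ethertype 0x809B) and the `aarp` entry from the Cisco Press snippet quoted earlier in the thread. It assumes plain Ethernet II type fields (no 802.2/SNAP encapsulation) and does not reproduce the switch's own matching logic, so it documents the intended policy rather than verifying IOS behaviour; it also makes visible that a 0x809B entry alone leaves AARP frames (ethertype 0x80F3) to fall through to the permit entry.

```python
import struct

# 0x809B = AppleTalk/EtherTalk (the thread's value); 0x80F3 = AARP (the Cisco Press
# `aarp` keyword); 0x0800 = IPv4 for contrast.
ETYPE = {"appletalk": 0x809B, "aarp": 0x80F3, "ip": 0x0800}

def mac_bytes(dotted):
    return bytes.fromhex(dotted.replace(".", ""))  # '1234.1234.1234' -> 6 bytes

def build_frame(src, dst, etype, payload=b""):
    """Constructed Ethernet II frame: dst(6) src(6) type(2) payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", etype) + payload

def parse_ace(line):
    """'deny host 1234.1234.1234 any eq 0x809B' -> (action, src, dst, etype)."""
    toks = line.split()
    action, toks, addrs = toks[0], toks[1:], []
    for _ in range(2):                      # source address, then destination
        if toks[0] == "host":
            addrs.append(mac_bytes(toks[1])); toks = toks[2:]
        elif toks[0] == "any":
            addrs.append(None); toks = toks[1:]
        else:
            raise ValueError("unsupported address form: " + toks[0])
    if toks and toks[0] == "eq":            # accept the 'eq' written in the thread
        toks = toks[1:]
    etype = None
    if toks:                                # keyword or numeric ethertype
        etype = ETYPE[toks[0]] if toks[0] in ETYPE else int(toks[0], 0)
    return action, addrs[0], addrs[1], etype

def parse_acl(config):
    """Keep only the permit/deny entries of a 'mac access-list extended' block."""
    lines = (l.strip() for l in config.splitlines())
    return [parse_ace(l) for l in lines if l.startswith(("permit", "deny"))]

def evaluate(acl, frame):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    for action, s, d, t in acl:
        if s in (None, src) and d in (None, dst) and t in (None, etype):
            return action
    return "deny"
# Peter's second ACL exactly as posted in the thread.
MAC_ACL = parse_acl("""mac access-list extended MAC_ACL
 deny host 1234.1234.1234 any eq 0x809B
 permit any any""")
def check(acl=MAC_ACL, src="1234.1234.1234", dst="ffff.ffff.ffff"):
    # Verdict per ethertype for one source, e.g. {'appletalk': 'deny', 'aarp': 'permit', ...}
    return {name: evaluate(acl, build_frame(src, dst, val)) for name, val in ETYPE.items()}
```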
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com