Hi Sek,
Thanks for your input. It's a little bit different. Apple ARP and Appletalk 
have different ether type numbers.
Take a look at this Ethertypes code table

http://www.cisco.com/en/US/docs/ios/ibm/command/reference/b1ftethc.html

AARP is 80F3, while Appletalk is 809B

Eugene
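An added example, not from this thread or from Cisco: a small Python model of what a MAC ACL `eq <type>` match sees, covering both Ethernet II frames and EtherTalk Phase 2 frames that carry the EtherType inside an 802.2 SNAP header. It assumes (as the 3560 documentation describes the `type` match) that the ACL matches either encapsulation; the host MACs and frames are constructed for the demonstration. It shows that denying 0x809B leaves AARP (0x80F3) frames untouched, and vice versa, which is the distinction above.

```python
import struct

ETHERTYPE_APPLETALK = 0x809B      # EtherTalk (AppleTalk data) frames
ETHERTYPE_AARP = 0x80F3           # AppleTalk ARP: a different EtherType
SNAP_APPLE_OUI = b"\x08\x00\x07"  # EtherTalk Phase 2 puts 0x809B in an LLC/SNAP header


def mac_bytes(dotted):
    """Cisco dotted form '1234.1234.1234' -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


def mac_dotted(raw):
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))


def build_frame(src, dst, etype, snap=False, payload=b"\x00" * 46):
    """Constructed test frame: Ethernet II, or 802.3 length + LLC/SNAP when snap=True."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if snap:
        snap_hdr = b"\xaa\xaa\x03" + SNAP_APPLE_OUI + struct.pack("!H", etype)
        return hdr + struct.pack("!H", len(snap_hdr) + len(payload)) + snap_hdr + payload
    return hdr + struct.pack("!H", etype) + payload


def frame_ethertype(frame):
    """Return (src_mac, ethertype) for Ethernet II or LLC/SNAP frames, else None."""
    if len(frame) < 14:
        return None
    src = frame[6:12]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:                # Ethernet II: the field is an EtherType
        return src, type_or_len
    if len(frame) >= 22 and frame[14:17] == b"\xaa\xaa\x03":   # 802.2 LLC with SNAP
        return src, struct.unpack("!H", frame[20:22])[0]
    return None                              # raw 802.3 / other LLC: no EtherType to match


def mac_acl(frame, denied_host="1234.1234.1234", denied_type=ETHERTYPE_APPLETALK):
    """Model of: deny host <denied_host> any eq <denied_type> ; permit any any."""
    parsed = frame_ethertype(frame)
    if parsed and mac_dotted(parsed[0]) == denied_host and parsed[1] == denied_type:
        return "deny"
    return "permit"
```

Change `denied_type` to `ETHERTYPE_AARP` to model the Cisco Press `deny any any aarp` entry and see that AppleTalk data frames then pass.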

From: Sek Chye Gmail [mailto:[email protected]]
Sent: Monday, September 10, 2012 5:35 PM
To: Eugene Pefti
Cc: Matt Hill; [email protected]; [email protected]
Subject: Re: [OSL | CCIE_Security] Prevent AppleTalk attack on switchport: - 
appletalk keyword

Hi,
    I googled on the internet and found the following link:
From http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=4

Switch(config)# mac access-list extended my-mac-acl
Switch(config-ext-macl)# deny any any aarp
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# exit
Switch(config)# interface Fastethernet0/10
Switch(config-if)# mac access-group my-mac-acl in
Switch(config-if)# end
Switch#
    Not sure whether this helps?


On 11/9/2012 8:07 AM, Eugene Pefti wrote:

That was my point, Matt, and I mostly relied on Brian's attempt to test it.

I know that it's hard to see Macs capable of talking appletalk nowadays. Just 
wondering if it is prudent to see the proctor in case having a task with 
appletalk and tell him/her that I'm aware of this bug and do they expect me to 
use an ether type or just use an available option.



Eugene



-----Original Message-----
From: Matt Hill [mailto:[email protected]]
Sent: Monday, September 10, 2012 4:53 PM
To: Eugene Pefti
Cc: Brian Clarke; "Peter Jørgensen"; [email protected]
Subject: Re: [OSL | CCIE_Security] Prevent AppleTalk attack on switchport: - appletalk keyword



You can't get tested on something which is a bug that only appears in certain 
versions of code.  Granted 12.2(44)SE is specified in the blueprint, but that 
is a bit rich.



Especially when one considers that the grading script would be looking for a 
"show" command here, because it is unlikely they will have some traffic 
generator spitting out Appletalk frames.  Not that Apple computers have even 
used Appletalk (by default) since quite some time ago.  Kind of like IPX - 
remember that one?



Cheers,

Matt



CCIE #22386

CCSI #31207



On 11 September 2012 09:26, Eugene Pefti <[email protected]> wrote:

Hello guys,



I wonder if this was tested?







Eugene







From: Brian Clarke [mailto:[email protected]]
Sent: Monday, September 03, 2012 10:55 PM
To: Eugene Pefti; "Peter Jørgensen"; [email protected]
Subject: Re: [OSL | CCIE_Security] Prevent AppleTalk attack on switchport: - appletalk keyword







I'll give it a try.  We're mostly an Apple shop.  Not sure we have
any AppleTalk left though.







Respectfully,

Brian Clarke











From: Eugene Pefti <[email protected]>
Date: Tuesday, September 4, 2012 1:35 AM
To: "Peter Jørgensen" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Security] Prevent AppleTalk attack on switchport: - appletalk keyword







Theoretically you are right, Peter.



But IMHO it is just another oversight from Cisco. I wonder if it's
possible to test and confirm if we connect two Macs to the switch
configured with the first variant of your MAC ACL.



I can actually do it but later this week.







Eugene







From: [email protected] [mailto:[email protected]] On Behalf Of "Peter Jorgensen"
Sent: Monday, September 03, 2012 1:49 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Prevent AppleTalk attack on switchport: - appletalk keyword







Prevent AppleTalk attack on switchport fa0/10.



My first solution:





!
mac access-list extended MAC_ACL
 deny host 1234.1234.1234 any eq appletalk
 permit any any
!
interface fa0/10
 mac access-group MAC_ACL in





But I found this in the documentation:



----------------------------------------------------------------------
NOTE:

Cisco doc 3560SCG 12.2(44)SE (Creating Named MAC Extended ACLs page 32-26).

- Though visible in the command-line help strings, AppleTalk is not
  supported as a matching condition for the deny and permit MAC
  access-list configuration mode commands.
----------------------------------------------------------------------



Solution: Use ethertype 0x809B for Appletalk (Ethertalk).



So my solution should instead look like this:



mac access-list extended MAC_ACL
 deny host 1234.1234.1234 any eq 0x809B
 permit any any
!
interface fa0/10
 mac access-group MAC_ACL in







Can anyone confirm that this assumption is correct?














_______________________________________________

For more information regarding industry leading CCIE Lab training,

please visit www.ipexpert.com<http://www.ipexpert.com>



Are you a CCNP or CCIE and looking for a job? Check out

www.PlatinumPlacement.com<http://www.PlatinumPlacement.com>
