From: Gerard Robinson (gerardrobinson@xxxxxxxxxxxxxx)
Date: Wed May 10 2000 - 08:00:30 GMT-3
Many thanks, Earl, for your post; it has certainly clarified things for
me.
I just want to be absolutely clear over this, as I have fallen foul
of SAP access-lists in the lab once before and I am going back on Monday for
attempt no. 2, so I need to be spot on.
If I want to allow only SAPx0404 and SAPx0808 and SAPx0C0C with the
fewest possible lines in my access-list, I do this:
access-list 201 permit 0x0404 0x0000 (or maybe 0x0001)
access-list 201 permit 0x0808 0x0707 (also lets through 09, 0A, 0B through to 0F)
Am I correct? I can see from Muthu's earlier post that I can do
access-l 201 permit 0x0000 0x0D0D and allow all necessary SNA frames, but I
just want to check my logic.
----- Original Message -----
From: Earl Aboytes <earl@linkline.com>
To: Ben Rife <brife@bignet.net>; <ccielab@groupstudy.com>; Muthu
Mohanasundaram <mmsundar@yahoo.com>
Sent: Wednesday, May 10, 2000 5:11 AM
Subject: Re: DLSW SAP Filtering
> All,
> Here are my two cents on this subject. I have made this post before but I
> am posting it again for all the newbies.
> The structure of the LLC header is such that you have 3 bytes made up of
> one byte for DSAP, one byte for SSAP and one byte for control. The SAP
> identifier is actually only 7 bits long. The least significant bit in the
> DSAP and SSAP are used for Individual/Group and Command/Response. In other
> words, in the first two bytes you have I/G D D D D D D D C/R S S S S S S S
> where I/G and C/R stand for individual/group and command/response. When the
> I/G bit is set to one it is set to group and this could mean that the packet
> is destined for more than one operating environment in the attached system.
> If the C/R bit is set to one this is a response as opposed to a command. We
> are always concerned about a value and then that value plus one.
> SNA SAPs of 04/05, 08/09, and 0C/0D. This added value is the result of
> the I/G bit being set on or off or the C/R bit being set on or off. Before
> you start thinking that the I/G or C/R bit should be at the other end of the
> string, think about non-canonical format.
>
>
> EARL
>
> ---------- Original Message ----------------------------------
> From: Muthu Mohanasundaram <mmsundar@yahoo.com>
> Reply-To: Muthu Mohanasundaram <mmsundar@yahoo.com>
> Date: Tue, 9 May 2000 17:51:35 -0700 (PDT)
>
> >Hi Ben,
> >
> >The 0x0000 with a mask of 0x0D0D will include all the
> >following SAPs:
> >
> >00 and 01
> >
> >04 and 05
> >
> >08 and 09
> >
> >0C and 0D
> >
> >which are exactly the SAPs for SNA. (00 is the Null
> >SAP)
> >
> >Do it with binary, you will get it.
> >
> >This will permit all the SNA SAPs, whereas 0x0404
> >0x0001 will only permit the 04 SAP.
> >
> >Anyone CMIIW (Correct Me If I am Wrong)
> >
> >Thanks,
> >
> >Mohan.
> >
> >--- Ben Rife <brife@bignet.net> wrote:
> >> The following is from the source-route bridging
> >> section of the CD:
> >>
> >>
> >> ################################################################################
> >> An access list that passes a frame if it is a
> >> NetBIOS frame (SAP = 0xF0F0)
> >> An access list that passes a frame if it is an
> >> SNA frame (SAP = 0x0404)
> >> An access list that passes a MAC address of
> >> 0110.2222.3333
> >>
> >> The following configuration allows for all these
> >> conditions:
> >>
> >> ! Access list 201 passes NetBIOS frames (command or response)
> >> access-list 201 permit 0xF0F0 0x0001
> >> !
> >> access-list 202 permit 0x0404 0x0001 ! Permits SNA frames (command or response)
> >> access-list 202 permit 0x0004 0x0001 ! Permits SNA Explorers with NULL DSAP
> >> !
> >> ! Access list 701 will permit the FEP MAC address
> >> ! of 0110.2222.3333
> >> access-list 701 permit 0110.2222.3333
> >>
> >> The 0x0001 mask allows command and response frames
> >> to pass equally.
> >>
> >> ################################################################################
> >>
> >> Note that it indicates that SNA frames are permitted
> >> with 0x0404 0x0001 and
> >> NetBIOS frames are permitted with 0xF0F0 0x0001.
> >>
> >> I understand the NetBIOS command and have in fact
> >> seen this in other documentation.
> >> The SNA filtering command is new to me however. I
> >> normally see it documented as 0x0000 0x0D0D.
> >> Can someone confirm which is the correct form of the
> >> SNA?
> >>
> >> Is it 0x0000 0x0D0D or 0x0404 0x0001? Can someone
> >> explain?
> >>
> >> Thanks in advance,
> >>
> >> Ben
> >>
> >>
> >
> >
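
The mask arithmetic discussed in this thread, as an added example that is not part of any poster's message: a Python script that enumerates which DSAP and SSAP bytes each value/mask pair quoted above covers. It assumes the convention the posters rely on (a mask bit set to 1 means that bit is ignored; high byte is DSAP, low byte is SSAP) and an implicit deny at the end of a list; the function names are hypothetical.

```python
# Added illustration, not code from the thread.
# Assumptions: a mask bit of 1 means "ignore this bit"; the high byte of the
# 16-bit value is the DSAP and the low byte the SSAP; a list ends in an
# implicit deny. Function names are hypothetical.

def sap_bytes(value_byte, mask_byte):
    """Return every SAP byte that one byte of a value/mask pair matches."""
    care = ~mask_byte & 0xFF          # bits that must equal the value
    return [b for b in range(256) if (b & care) == (value_byte & care)]

def entry_coverage(value, mask):
    """Return (DSAP bytes, SSAP bytes) matched by one access-list entry."""
    return (sap_bytes(value >> 8, mask >> 8),
            sap_bytes(value & 0xFF, mask & 0xFF))

def permits(acl, dsap, ssap):
    """First-match evaluation of [(action, value, mask), ...] for a frame."""
    frame = (dsap << 8) | ssap
    for action, value, mask in acl:
        care = ~mask & 0xFFFF
        if (frame & care) == (value & care):
            return action == "permit"
    return False                      # implicit deny

def fmt(byte_list):
    """Render a list of bytes as two-digit hex, space separated."""
    return " ".join(f"{b:02X}" for b in byte_list)

# Value/mask pairs quoted in the thread.
THREAD_ENTRIES = [(0x0000, 0x0D0D), (0x0404, 0x0001), (0x0004, 0x0001),
                  (0x0808, 0x0707), (0xF0F0, 0x0001)]

if __name__ == "__main__":
    for value, mask in THREAD_ENTRIES:
        dsaps, ssaps = entry_coverage(value, mask)
        print(f"0x{value:04X} 0x{mask:04X}  DSAP: {fmt(dsaps)}  SSAP: {fmt(ssaps)}")
    # Constructed sample frames checked against a one-line list.
    acl = [("permit", 0x0000, 0x0D0D)]
    for dsap, ssap in [(0x04, 0x05), (0x0C, 0x08), (0xF0, 0xF0)]:
        print(f"DSAP {dsap:02X} SSAP {ssap:02X}:",
              "permit" if permits(acl, dsap, ssap) else "deny")
```

Each entry is evaluated per byte, so the DSAP and SSAP columns in the output can differ even when the value repeats the same byte twice.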