Access-Expression and DLSw+ Challenge / Exercise

From: crl (cisco@xxxxxxxxxxxx)
Date: Wed May 16 2001 - 12:03:47 GMT-3


   
I've recognized ACL 200's, MAC filters, and Access-Expressions
as weak areas of mine, and I suspect the same of many other
list members. I thought I'd come up with an exercise to test
our minds.

(Theoretical) Customer has DLSw+ running with one locally
attached token ring. It has multiple peers established, but
not configured locally. (This peer is promiscuous.) We want to
block our stations from NETBIOS communications with the host
"BADHOST". We also want to disallow SNA communications to a
device with MAC address 0110.2222.3333 since our hosts should
connect to some other device that offers the same services.

I'll include what I believe the answer to be down the message
a little... I appreciate all constructive comments.

First - Is the configuration below correct - will it work?
Second - Is there perhaps a better way to accomplish the
         goals above?
Third - Anyone have a better challenge / exercise they can
        offer to the group?

.

.

.

.

.

.

.

.

.

Config snipped to reflect only config related to DLSw/Filters
etc.

.

hostname r3
!
netbios access-list host badlist deny BADHOST
netbios access-list host badlist permit *
!
source-bridge ring-group 10
dlsw local-peer peer-id 137.20.64.1 promiscuous
dlsw peer-on-demand-defaults host-netbios-out badlist
!
interface Loopback0
 ip address 137.20.64.1 255.255.255.240
!
interface TokenRing0
 ip address 137.20.33.1 255.255.255.0
 ring-speed 16
 multiring all
 ! Note - I did this here because I couldn't find a way to do
 ! Access-Expression in DLSw+
 access-expression input (lsap(202) & dmac(701))
 source-bridge 2 2 10
 source-bridge spanning
!
access-list 202 deny 0x0404 0x0001
access-list 202 deny 0x0004 0x0001
access-list 202 permit 0x0000 0xFFFF
!
access-list 701 deny 0110.2222.3333 0000.0000.0000
access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
!
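Added example (not part of the original post): a Python model of the posted access lists and access-expression, run over four constructed frames. It assumes the usual IOS semantics, where a term such as lsap(202) is true when that list permits the frame and the frame is forwarded when the whole expression is true; the `|` variant and the sample MAC 4000.1111.0001 are assumptions added for comparison.

```python
# Model of the posted filters; frames below are constructed samples.

def wildcard_match(value, pattern, mask):
    """IOS wildcard semantics: mask bits set to 1 are 'don't care'."""
    return (value | mask) == (pattern | mask)

def acl_permits(acl, value):
    """First matching entry wins; implicit deny if nothing matches."""
    for action, pattern, mask in acl:
        if wildcard_match(value, pattern, mask):
            return action == "permit"
    return False

def mac(text):
    """Convert dotted-hex MAC notation (xxxx.xxxx.xxxx) to an integer."""
    return int(text.replace(".", ""), 16)

# access-list 202 (LSAP: DSAP in the high byte, SSAP in the low byte)
ACL_202 = [("deny", 0x0404, 0x0001),
           ("deny", 0x0004, 0x0001),
           ("permit", 0x0000, 0xFFFF)]
# access-list 701 (48-bit MAC address and wildcard mask)
ACL_701 = [("deny", mac("0110.2222.3333"), mac("0000.0000.0000")),
           ("permit", mac("0000.0000.0000"), mac("ffff.ffff.ffff"))]

def posted_expression(lsap, dmac):
    """lsap(202) & dmac(701): forward only if both lists permit."""
    return acl_permits(ACL_202, lsap) and acl_permits(ACL_701, mac(dmac))

def or_expression(lsap, dmac):
    """lsap(202) | dmac(701): drop only if both lists deny (assumed variant)."""
    return acl_permits(ACL_202, lsap) or acl_permits(ACL_701, mac(dmac))

# Constructed frames: (description, DSAP/SSAP value, destination MAC)
FRAMES = [
    ("SNA to blocked device",     0x0404, "0110.2222.3333"),
    ("SNA to other device",       0x0404, "4000.1111.0001"),
    ("NetBIOS to blocked device", 0xF0F0, "0110.2222.3333"),
    ("NetBIOS to other device",   0xF0F0, "4000.1111.0001"),
]

def evaluate(expr):
    """Return {description: True if forwarded, False if dropped}."""
    return {name: expr(lsap, dmac) for name, lsap, dmac in FRAMES}

if __name__ == "__main__":
    for label, expr in (("&", posted_expression), ("|", or_expression)):
        for name, forwarded in evaluate(expr).items():
            print(f"{label}  {name:28} {'forward' if forwarded else 'drop'}")
```

Under this model the `&` form also drops SNA frames to other devices and NetBIOS frames to 0110.2222.3333, while the `|` form drops only SNA frames addressed to 0110.2222.3333.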



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:42 GMT-3