RE: access-list 200

From: Roger Dellaca (rdellaca@xxxxxxxxxx)
Date: Mon Aug 13 2001 - 17:52:05 GMT-3

To go beyond the surface:

According to Cisco, 04, 08 & 0C are used for SNA. According to reality (translate: IBM), the SAPs used can go on to 10, 14, 18, 1C, etc, based on the need to do so to create SNA connections. In LLC2, a connection is <source MAC> <source SAP> <destination MAC> <destination SAP> (sounds like TCP, huh? It's just multiplexed sessions at layer 2).

Each # divisible by 4 (why divisible by 4? see the web pages below, especially the IBM one) is a regular SAP; add 1 to it & it means: group if a DSAP; response (as opposed to command) on a SSAP.

00 is used in "ring station identification" (huh?)

See http://webdocs.numaq.ibm.com/docs/snapac01/app_e.htm & http://www.cisco.com/warp/public/100/45.html ; also http://www.cisco.com/warp/public/698/acl200.html specifically on SAP access lists.

So what is 0x0404 0x0001 allowing? It allows commands going out (04 DSAP, 04 SSAP) & responses going out (04 DSAP, 05 SSAP) on the virtual circuit with SSAP 04 & DSAP 04. (Do I have DSAP & SSAP mixed up? No - DSAP is 1st - see the 3rd web site listed above on SAP access lists). If you also wanted to allow commands & responses to group addresses, your access-list should say 0x0404 0x0101.

Another example: I have an SNA server with 5 PUs to the same mainframe, same MAC & SAP 04; on my side it's all the same MAC & I use SAPs 04, 08, 0C, 10, & 14. On the SNA server-side router, I can keep the 1st line & last 2 lines from your access-list below & add:
access-list 200 permit 0x0414 0x0001
access-list 200 permit 0x0408 0x0001
access-list 200 permit 0x040C 0x0001
or if I wasn't quite so picky, I could replace it all with one line:
access-list 200 permit 0x0400 0x001D
which would allow me to use SAPs 18 & 1C. Of course I would prefer not to allow what I shouldn't allow (which is why I don't particularly like 0x0000 0x0d0d).

Also, lsap-output-list doesn't filter what's coming in. Gotta put something on the other end (like maybe 0x0000 0x1C05, which allows DSAPs 00-1C & SSAP 04 & 05, for command & response). And if I don't want to count on remotes sending only to recognized SAPs on my host side, I can use dlsw icannotreach saps.

>>> McClendon Susan Contr AEDC/ACS <Susan.McClendon@arnold.af.mil> 08/13 12:37 PM >>>
Brian,
   00 is a null address - don't know what these packets contain if from
no-address & to no-address.
IBM SNA traffic apparently uses these addresses:
   04 (SNA - command & response - individual)
   05 (SNA - command & response - group)
   08 (SNA - data - individual)
   0C (SNA - data - group)

HTH,
susan

> -----Original Message-----
> From: Diehm, Brian [mailto:Brian.Diehm@compaq.com]
> Sent: Monday, August 13, 2001 12:18 PM
> To: Ccielab (E-mail)
> Subject: access-list 200
>
>
> Could somebody tell me what the first three lines of this
> access list do? I have the last three figured out.
>
> access-list 200 permit 0x0000 0x0000
> access-list 200 permit 0x0808 0x0001
> access-list 200 permit 0x0c0c 0x0001
> access-list 200 permit 0x0404 0x0001 (sna command and response traffic)
> access-list 200 permit 0x0004 0x0001 (sna explorers)
> access-list 200 permit 0xf0f0 0x0001 (netbios traffic)
>
>
> Thanks,
> Brian
> **Please read:http://www.groupstudy.com/list/posting.html

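Added example, not from the thread or from any Cisco code: a small Python model of how a type-200 SAP access list is evaluated, assuming the value/wildcard semantics described above (DSAP in the high byte, SSAP in the low byte, set wildcard bits meaning "don't care", entries checked top-down with first match winning and an implicit deny at the end). PICKY_ACL is constructed here to cover the five SAPs Roger names (04, 08, 0C, 10, 14) one entry each; LOOSE_ACL is his one-line shortcut. Expanding an entry into every DSAP/SSAP pair it admits makes the cost of a wide wildcard such as 0x0000 0x0d0d visible before it goes on a router.

```python
"""Evaluate Cisco 'access-list 200' (SAP) entries against LLC2 DSAP/SSAP pairs.

Added example, not from the original thread. Assumed semantics: each entry
carries a 16-bit value (DSAP high byte, SSAP low byte) and a 16-bit wildcard
whose set bits mean "don't care"; entries are evaluated top-down, first match
wins, and a list that matches nothing denies.
"""
import re
from typing import List, Set, Tuple

ENTRY_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+0x([0-9a-fA-F]{4})\s+0x([0-9a-fA-F]{4})"
)


def parse_entry(line: str) -> Tuple[int, str, int, int]:
    """Parse one access-list line into (list number, action, value, wildcard).
    Trailing comments such as '(netbios traffic)' are ignored."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a SAP access-list entry: {line!r}")
    number, action, value, wildcard = m.groups()
    return int(number), action, int(value, 16), int(wildcard, 16)


def entry_matches(value: int, wildcard: int, dsap: int, ssap: int) -> bool:
    """An entry matches when every bit NOT covered by the wildcard agrees."""
    pair = (dsap << 8) | ssap
    care = ~wildcard & 0xFFFF
    return (pair & care) == (value & care)


def evaluate(acl: List[str], dsap: int, ssap: int) -> str:
    """Walk the list top-down; return 'permit' or 'deny' (implicit deny)."""
    for line in acl:
        _, action, value, wildcard = parse_entry(line)
        if entry_matches(value, wildcard, dsap, ssap):
            return action
    return "deny"


def permitted_pairs(line: str) -> Set[Tuple[int, int]]:
    """Expand one entry into the full set of (DSAP, SSAP) pairs it admits."""
    _, _, value, wildcard = parse_entry(line)
    return {(d, s) for d in range(256) for s in range(256)
            if entry_matches(value, wildcard, d, s)}


def describe_sap(dsap: int, ssap: int) -> str:
    """Decode the low-order bits discussed in the thread:
    odd DSAP = group address, odd SSAP = response (vs. command)."""
    addr = "group" if dsap & 1 else "individual"
    kind = "response" if ssap & 1 else "command"
    return f"DSAP 0x{dsap:02X} ({addr}) <- SSAP 0x{ssap:02X} ({kind})"


# Constructed per-SAP list: mainframe DSAP 04, one entry per local SSAP.
PICKY_ACL = [
    "access-list 200 permit 0x0404 0x0001",
    "access-list 200 permit 0x0408 0x0001",
    "access-list 200 permit 0x040C 0x0001",
    "access-list 200 permit 0x0410 0x0001",
    "access-list 200 permit 0x0414 0x0001",
]
# Roger's one-line shortcut from the thread.
LOOSE_ACL = ["access-list 200 permit 0x0400 0x001D"]

if __name__ == "__main__":
    for d, s in [(0x04, 0x04), (0x04, 0x05), (0x04, 0x14), (0x04, 0x18), (0x05, 0x04)]:
        print(f"{describe_sap(d, s):44} picky={evaluate(PICKY_ACL, d, s):6} "
              f"loose={evaluate(LOOSE_ACL, d, s)}")
    # How much each wide wildcard admits: the reason to stay "picky".
    for line in ("access-list 200 permit 0x0400 0x001D",
                 "access-list 200 permit 0x0000 0x0d0d"):
        print(f"{line}: {len(permitted_pairs(line))} DSAP/SSAP pairs")
```

The per-SAP list denies SSAP 18 and 1C and any group DSAP; the one-line shortcut admits 16 pairs, and 0x0000 0x0d0d admits 64, which is the point of preferring explicit entries.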


This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:50 GMT-3