From: Chris Allen (chris.allen@xxxxxxxxxxxx)
Date: Thu Aug 23 2001 - 12:49:23 GMT-3
Yves,

Maybe you (or the group) can help me out with something I am trying to understand. Let's say I have a large global network which has requirements for SNA traffic from multiple locations. I set up bridging on all local LANs and configure DLSw to carry it across the WAN. The only thing I want to allow is SNA across my entire layer 2 topology, so I will need to implement filtering... When I researched filtering on CCO and the doc CD I found the following solutions....
Filtering SNA in DLSw
dlsw local-peer peer-id 10.1.1.1
dlsw remote-peer 0 tcp 10.2.2.2 output-lsap-list 200
access-list 200 permit 0x0000 0x0D0D
Filtering SNA in Transparent Bridging
bridge 1 protocol ieee
int eth0
bridge-group 1
bridge-group 1 input-type-list 200
bridge-group 1 output-type-list 200
access-list 200 permit 0x0D0D 0x0000
The configs above are just examples to make a point. The main question I have is with access-list 200. Are the examples above correct? Can anyone explain why access-list 200 is reversed depending on how you apply it (type or LSAP)?

Thanks everyone....

Chris
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Yves Fauser
Sent: Thursday, August 23, 2001 11:16 AM
To: Marek Janik
Cc: ccielab@groupstudy.com
Subject: Re: lsap access-list
Hi Marek,

I asked this myself a lot of times; the answer can be found by reading the 802.2 spec, which you can download free at www.ieee.org.

The 802.2 header contains the DSAP and SSAP addresses to identify the upper layer protocols.

The DSAP has the following format:
1 2 3 4 5 6 7 8
I/G D D D D D D D

The first bit identifies the frame as an individual frame, or a frame destined to a group.

The SSAP has the following format:
1 2 3 4 5 6 7 8
C/R S S S S S S S

The first bit identifies the frame as a Control (0) or response frame (1).

The format of the 200 ACL is 0x<dsap><ssap> 0x<dsap wc><ssap wc>.

A NetBIOS or SNA host will send frames with the C/R bit set to either 0/1, so the actual SSAP is F0, but when the response bit is set it is F1. So for NetBIOS to work you have to use 0xF0F0 0x0001, which allows a NetBIOS client to communicate with a remote individual NetBIOS host.

A 0xF0F0 0x0101 would also allow frames sent out to a group address. I don't know where it is used; if you look at http://www.cisco.com/warp/public/111/12.html you will see F0 but not F1; 5 is an SNA path control group address. I tried to find out a bit more about that but I did not find a lot about which application would set the group bit in the DSAP. For the lab I think it would not hurt to use 0xF0F0 0x0101 or 0x0404 0x0D0D since it is like this in the Cisco docs.

Good luck, Yves
Marek Janik wrote:
> Hello ccielab,
> In the Cisco CD I've found an example lsap access-list:
> ! Access list 201 passes NetBIOS frames (command or response)
> access-list 201 permit 0xF0F0 0x0001
> but in TAC
> http://www.cisco.com/warp/public/698/acl200.html
> I've found this:
> NetBIOS traffic uses SAP values 0xF0 (for commands) and 0xF1
> (for responses). Typically, network administrators
> use these SAP values to filter this protocol.
> The access list entry depicted below permits NetBIOS
> traffic and denies everything else (remember the implicit "deny all" at
> the end of each ACL):
> access-list 200 permit 0xF0F0 0x0101
> And I don't know what is right ....
> --
> Marek Janik CCDP/CCNP+Security
> Network Integration Department
> MCX sp. z o.o., Towarowa 7A, PL 00-839 Warszawa, POLAND
> +48225484719, fax +48225484682, http://www.mcx.com.pl
> **Please read:http://www.groupstudy.com/list/posting.html
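The thread turns on one rule: in a Cisco 200-series type-code access list the 16-bit value is DSAP in the high byte and SSAP in the low byte, and every 1 bit in the wildcard mask is ignored when matching. The following Python is an added example written for this archive page, not code from any of the posters or from Cisco; all function and class names in it (TypeCodeEntry, parse_entry, entry_matches, acl_permits, permitted_sap_pairs, sap_bits) are my own, and the only inputs it uses are the four access-list lines quoted in the thread. It enumerates exactly which DSAP/SSAP pairs each entry lets through, which makes the difference between 0xF0F0 0x0001 (response bit ignored), 0xF0F0 0x0101 (response and group bits ignored), 0x0000 0x0D0D (a block of 64 low SAP pairs) and 0x0D0D 0x0000 (one exact pair) visible before a filter is pushed to a bridge or DLSw peer.

```python
# Added example, not from the thread: models how a Cisco 200-series
# type-code access list matches 802.2 LSAP pairs.  Matching rule assumed
# here is the documented one: value = DSAP<<8 | SSAP, and each 1 bit in
# the wildcard mask is "don't care".  Names below are my own.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TypeCodeEntry:
    action: str     # "permit" or "deny"
    value: int      # 16-bit: DSAP in the high byte, SSAP in the low byte
    wildcard: int   # 16-bit mask: 1 bits are ignored when matching


def parse_entry(line: str) -> Tuple[int, TypeCodeEntry]:
    """Parse one 'access-list N permit|deny 0xVVVV 0xWWWW' line."""
    parts = line.split()
    if (len(parts) != 5 or parts[0] != "access-list"
            or parts[2] not in ("permit", "deny")):
        raise ValueError(f"not a type-code access-list entry: {line!r}")
    number = int(parts[1])
    value, wildcard = int(parts[3], 16), int(parts[4], 16)
    if not 200 <= number <= 299:
        raise ValueError(f"type-code lists are numbered 200-299, got {number}")
    if not (0 <= value <= 0xFFFF and 0 <= wildcard <= 0xFFFF):
        raise ValueError("value and wildcard must be 16-bit")
    return number, TypeCodeEntry(parts[2], value, wildcard)


def entry_matches(entry: TypeCodeEntry, dsap: int, ssap: int) -> bool:
    """True if the DSAP/SSAP pair matches the entry under its wildcard."""
    frame = ((dsap & 0xFF) << 8) | (ssap & 0xFF)
    care = ~entry.wildcard & 0xFFFF          # bits that must match exactly
    return (frame & care) == (entry.value & care)


def acl_permits(entries: List[TypeCodeEntry], dsap: int, ssap: int) -> bool:
    """First matching entry wins; no match falls to the implicit deny."""
    for entry in entries:
        if entry_matches(entry, dsap, ssap):
            return entry.action == "permit"
    return False


def permitted_sap_pairs(entries: List[TypeCodeEntry]) -> List[Tuple[int, int]]:
    """Every (DSAP, SSAP) pair the list lets through, in DSAP/SSAP order."""
    return [(d, s) for d in range(256) for s in range(256)
            if acl_permits(entries, d, s)]


def sap_bits(dsap: int, ssap: int) -> Dict[str, object]:
    """Split off the low-order 802.2 bits discussed in the thread:
    DSAP bit 1 is I/G (group address), SSAP bit 1 is C/R (response)."""
    return {"dsap_base": dsap & 0xFE, "dsap_group": bool(dsap & 1),
            "ssap_base": ssap & 0xFE, "ssap_response": bool(ssap & 1)}


if __name__ == "__main__":
    # The four entries quoted in the thread, with the sender's label.
    thread_acls = {
        "doc CD NetBIOS (command or response)": "access-list 201 permit 0xF0F0 0x0001",
        "TAC note NetBIOS": "access-list 200 permit 0xF0F0 0x0101",
        "DLSw example": "access-list 200 permit 0x0000 0x0D0D",
        "bridging example": "access-list 200 permit 0x0D0D 0x0000",
    }
    for label, line in thread_acls.items():
        _, entry = parse_entry(line)
        pairs = permitted_sap_pairs([entry])
        shown = ", ".join(f"{d:02X}/{s:02X}" for d, s in pairs[:8])
        print(f"{label}: {line}\n  permits {len(pairs)} DSAP/SSAP pair(s): {shown}"
              + (" ..." if len(pairs) > 8 else ""))
```

Run stand-alone it prints the permitted pairs for each entry; the 0x0000 0x0D0D entry permits 64 pairs (every byte in {00,01,04,05,08,09,0C,0D} on both sides, so SNA SAPs 04/05/08/0C with either C/R setting, plus the null SAP), while 0x0D0D 0x0000 permits only 0D/0D. Because acl_permits walks entries in order, a deny line placed above a broad permit is honoured, which is the case worth a second look when an LSAP list is meant to let through nothing but SNA.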
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:56 GMT-3