Re: lsap access-list

From: Yves Fauser (Yves@xxxxxxxxx)
Date: Fri Aug 24 2001 - 06:06:03 GMT-3


   
Chris,

Hmm, your question seems to have several parts, so please excuse me if I tell you
something you already know.

First of all the LSAP Filters like input-lsap-list and output-lsap-list or the
lsap filters used in dlsw match the DSAP and SSAP values in the 802.2 LLC
Header. You'll find this Header in the 802.3 Ethernet Frame and 802.5 Token-Ring
Frame.
The DSAP/SSAP are 1 Byte each, so 2 Bytes together.
The format for lsap is : access-l 200 0x<dsap><ssap> 0x<dsap wildcard><ssap wildcard>
0x0000 0x0D0D allows every I/G C/R frame that does not have the second bit set
to one. The magic on this is that the second bit in the SAP is used to identify
an IEEE defined SAP (1) or a User Defined SAP. So 0x0D0D matches every User
defined SAP Value. IBM is a User, so they took 04, 08, 0C for their SNA. 06, for
example, has the second bit set and is used for IP. 0x0404 0x0D0D would be more
granular.

The Type Filters like input-type-list and output-type-list look for the type
field in either the Ethernet_II (DIX) Frame Type or the Type Field in the SNAP
Header that you find in an 802.2 LLC that has the DSAP/SSAP set to AA.
The Type Field in both the DIX and SNAP are 2 Bytes long.
So the format for Type is : access-l 200 0x<type> 0x<type wildcard>

Your example of a type filter would match either a DIX Frame with type 0x0D0D
or a SNAP Frame with a Type Field 0x0D0D. Now the question is which protocol
uses the Type field "0x0D0D". I must say, I have no idea. I searched for a SNAP
Type list but I did not find one. For DIX I found :

0600 XNS, 0800 IP, 0806 ARP, 6003 DecNet IV, 6004 Dec LAT, 8035 RARP, 80D5 IBM
SNA on Ethernet, 809B AT, 8137 Novell arpa (and many more unknown ones). So if
your example would use 0x80D5 0x0000 I would understand it, but 0D0D doesn't
make sense for me yet. I think it's a typo.

Hope this helps, Yves
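To make the wildcard arithmetic concrete, here is an added example (not code from this thread, from Cisco, or from any of the posters) that models how a type-code access-list in the 200-299 range is evaluated: each entry is "0x<value> 0x<wildcard>", a wildcard bit set to 1 means "don't care", the first matching entry decides, and an unmatched frame hits the implicit deny. The same 16-bit matcher serves an LSAP list (where the field is the DSAP byte followed by the SSAP byte) and a type list (where the field is the 2-byte DIX or SNAP type). The function and variable names are my own, and the SAP and type values fed in (0x04/0x08/0x0C for SNA, 0x06 for IP, 0xF0/0xF1 for NetBIOS, 0x80D5 for SNA on Ethernet) are the ones named in the thread, used here as constructed test input.

```python
import re

# Added example (not code from the thread or from Cisco): a model of how a
# type-code access-list (200-299) is evaluated, so the entries quoted in the
# thread can be compared. LSAP lists and type lists both use the same
# "0x<value> 0x<wildcard>" form; a wildcard bit set to 1 means "don't care".

ACL_RE = re.compile(
    r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+"
    r"0x([0-9A-Fa-f]{1,4})\s+0x([0-9A-Fa-f]{1,4})\s*$"
)


def parse_acl_line(line):
    """Parse one 'access-list 2xx permit|deny 0xVVVV 0xWWWW' line."""
    m = ACL_RE.match(line)
    if m is None:
        raise ValueError(f"not a type-code access-list entry: {line!r}")
    number, action, value, wildcard = m.groups()
    if not 200 <= int(number) <= 299:
        raise ValueError(f"type-code lists are numbered 200-299, got {number}")
    return action, int(value, 16), int(wildcard, 16)


def compile_acl(lines):
    """Parse every line of one list into (action, value, wildcard) tuples."""
    return [parse_acl_line(line) for line in lines]


def acl200_match(value, wildcard, field):
    """True when the 16-bit field equals value on every bit the wildcard cares about."""
    care = ~wildcard & 0xFFFF
    return (field & care) == (value & care)


def evaluate(entries, field):
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for action, value, wildcard in entries:
        if acl200_match(value, wildcard, field):
            return action
    return "deny"


def lsap_field(dsap, ssap):
    """An LSAP list matches the DSAP and SSAP bytes of the 802.2 header together."""
    return (dsap << 8) | ssap


def permitted_saps(entries):
    """Every (dsap, ssap) pair the list permits; shows how broad an entry really is."""
    return [(d, s) for d in range(256) for s in range(256)
            if evaluate(entries, lsap_field(d, s)) == "permit"]


if __name__ == "__main__":
    # Entries quoted in the thread; the frames fed in are constructed inputs.
    sna_lsap = compile_acl(["access-list 200 permit 0x0000 0x0D0D"])
    # SNA SAP 0x04 passes in both command (C/R=0) and response (C/R=1) form...
    print(evaluate(sna_lsap, lsap_field(0x04, 0x04)))   # permit
    print(evaluate(sna_lsap, lsap_field(0x04, 0x05)))   # permit
    # ...while IP over LLC (SAP 0x06) and NetBIOS (SAP 0xF0) hit the implicit deny.
    print(evaluate(sna_lsap, lsap_field(0x06, 0x06)))   # deny
    print(evaluate(sna_lsap, lsap_field(0xF0, 0xF0)))   # deny
    print(len(permitted_saps(sna_lsap)))                # 64 pairs

    netbios_cmd = compile_acl(["access-list 201 permit 0xF0F0 0x0001"])
    netbios_any = compile_acl(["access-list 200 permit 0xF0F0 0x0101"])
    print(permitted_saps(netbios_cmd))       # [(240, 240), (240, 241)]
    print(len(permitted_saps(netbios_any)))  # 4

    # The same matcher applied to the 2-byte DIX/SNAP type field.
    type_list = compile_acl(["access-list 200 permit 0x0D0D 0x0000"])
    print(evaluate(type_list, 0x0D0D))   # permit
    print(evaluate(type_list, 0x80D5))   # deny
```

Running `permitted_saps` over an entry is the quickest way to see what it actually lets through: 0x0000 0x0D0D permits 64 DSAP/SSAP pairs (every byte whose 0x02, 0x10, 0x20, 0x40 and 0x80 bits are clear, in either position), 0xF0F0 0x0001 permits only F0F0 and F0F1, and 0xF0F0 0x0101 adds F1F0 and F1F1. It also shows that 0x0404 0x0D0D permits exactly the same 64 pairs as 0x0000 0x0D0D, because 0x04 is itself one of the wildcard bits and so contributes nothing to the comparison.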

Chris Allen wrote:

> Yves,
>
> Maybe you (or the group) can help me out with something I am trying to
> understand. Let's say I have a large global network which has requirements
> for SNA traffic from multiple locations. I set up bridging on all local
> LANS and configure DLSW to carry across the WAN. The only thing I want to
> allow is SNA across my entire layer 2 topology, so I will need to implement
> filtering... When I researched filtering on CCO and the doc CD I found the
> following solutions....
>
> Filtering SNA in DLSW
> dlsw local-peer peer-id 10.1.1.1
> dlsw remote-peer 0 tcp 10.2.2.2 output-lsap-list 200
> access-list 200 permit 0x0000 0x0D0D
>
> Filtering SNA in Transparent Bridging
> bridge 1 protocol ieee
> int eth0
> bridge-group 1
> bridge-group 1 input-type-list 200
> bridge-group 1 output-type-list 200
> access-list 200 permit 0x0D0D 0x0000
>
> The configs above are just examples to make a point. The main question I
> have is with access-list 200? Are the examples above correct? Can anyone
> explain why Access-list 200 is reversed depending on how you apply it? (Type
> or LSAP)
>
> Thanks everyone....
>
> Chris
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Yves Fauser
> Sent: Thursday, August 23, 2001 11:16 AM
> To: Marek Janik
> Cc: ccielab@groupstudy.com
> Subject: Re: lsap access-list
>
> Hi Marek,
>
> I asked this myself a lot of times, the answer can be found reading the
> 802.2 Spec that you can
> download free at www.ieee.org.
> The 802.2 header contains the DSAP and SSAP Addresses to identify the upper
> layer protocols.
>
> The DSAP has the following Format :
>
> 1 2 3 4 5 6 7 8
> I/G D D D D D D D
>
> The first bit identifies the frame as an individual frame, or a frame
> destined to a group.
>
> The SSAP has the following Format :
>
> 1 2 3 4 5 6 7 8
> C/R S S S S S S S
>
> The first bit identifies the frame as a Control (0) or Response Frame (1)
>
> The format of the 200 acl is 0x<dsap><ssap> 0x<dsap wc><ssap wc>.
>
> A Netbios or SNA Host will send frames with the C/R bit set to either 0/1
> so the actual SSAP is
> F0, but when the response bit is set it is F1. So for Netbios to work you
> have to use 0xF0F0
> 0x0001 which allows a netbios client to communicate with a remote
> individual netbios host.
>
> A 0xF0F0 0x0101 would also allow frames sent out to a group address. I
> don't know where it is
> used, if you look at :
> http://www.cisco.com/warp/public/111/12.html
>
> You will see F0 but not F1, 5 is an SNA path control group address. I tried
> to find out a bit
> more about that but I did not find a lot about which application would set
> the group bit in the
> DSAP. For the lab I think it would not hurt to use 0xF0F0 0x0101 or 0x0404
> 0x0D0D since it is
> like this in the cisco docu.
>
> Good luck, Yves
>
> Marek Janik wrote:
>
> > Hello ccielab,
> > In cisco CD I've found example lsap access-list
> > ! Access list 201 passes NetBIOS frames (command or response)
> > access-list 201 permit 0xF0F0 0x0001
> > but in TAC
> > http://www.cisco.com/warp/public/698/acl200.html
> > I've found this
> > NetBIOS traffic uses SAP values 0xF0 (for commands) and 0xF1
> > (for responses). Typically, network administrators
> > use these SAP values to filter this protocol.
> > The access list entry depicted below permits NetBIOS
> > traffic and denies everything else (remember the implicit "deny all" at
> > the end of each ACL):
> > access-list 200 permit 0xF0F0 0x0101
> > And I don't know what is right ....
> > --
> > Marek Janik CCDP/CCNP+Security
> > Network Integration Department
> > MCX sp. z o.o., Towarowa 7A, PL 00-839 Warszawa, POLAND
> > +48225484719, fax +48225484682, http://www.mcx.com.pl
> > **Please read:http://www.groupstudy.com/list/posting.html



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:57 GMT-3