From: Brian Hescock (bhescock@xxxxxxxxx)
Date: Thu Nov 29 2001 - 19:00:19 GMT-3
Kivas,
You won't need an access-list with just permit statements for the sna and
netbios, it will be permitted by default. We had been discussing how to block
specific items. So if you wanted to deny sna but permit netbios and ipx:
access-list 200 deny 0x0000 0x0D0D (includes saps 4, 8 and C and responses)
access-list 200 permit 0x0000 0xffff
then use it on your remote-peer statement or elsewhere (depending on the
requirement)
or block an explorer from being sent to mac aaaa.bbbb.cccc
access-list 200 deny 0x0004 0x0001
access-list 200 permit 0x0000 0xffff
access-list 700 deny aaaa.bbbb.cccc
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff (double-check this, I
may have the 0's and f's reversed)
interface token 0
description this "should" block explorers from being sent to aaaa.bbbb.cccc
access-expression in (lsap (200) & dmac(700))
I'm sure the SNA experts out there will correct me if I screwed it up... :o)
Again, this isn't something I've seen on a test nor heard was on a test, just
"what if's" I've come up with on my own to make sure I understand it. It was
all prompted by seeing in a doc that "dlsw icanreach mac" doesn't block
explorers to the mac address in question.
Brian
"Waters, Kivas (UK72)" wrote:
> I have been following this thread with interest, thanks for the
> clarification. Can you please help me understand the LLC2 explorer traffic
> you mention. For example, should a lab question ask me to configure a dlsw
> remote peer output-sap-filter allowing only the SNA path control SAP and SAP
> 0x0C through the filter, what should the ACL 200 look like?
>
> Here is my attempt :
>
> "access-list(200) perm 0x0404 0x0101
> access-list(200) perm 0x0C0C 0x0101"
>
> Is this feasible or will I also need to permit an explorer type SAP or TEST
> frame to enable connectivity to an end station? If my answer is wrong,
> please correct it to illustrate.
>
> best regards
>
> Ki
>
> -----Original Message-----
> From: Brian Hescock [mailto:bhescock@cisco.com]
> Sent: 29 November 2001 20:18
> To: ccielab@groupstudy.com
> Subject: follow-up: filtering explorers to a specific host
>
> Follow-up to my previous questions about filtering explorers to a
> specific host:
>
> - "dlsw icanreach mac" and "dlsw mac-addr" commands will not prevent an
> explorer from being sent for the specified mac address. The only
> advantage is we reduce traffic on the wan because we only send an
> explorer to the peer in question, not to all peers. I confirmed this
> with our IBM team.
> - there is no way to force the dlsw reachability cache to mark an entry
> as "found" (instead of "unconfirmed")
> - sna has static mappings and we will always know the destination mac to
> a host. We can then use that dmac in an access-expression and filter
> explorers from being sent to that specific mac, as in:
> access-expression in (lsap(200) & dmac(700))
>
> Brian
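An added example, not part of the thread, that models how the type-code (200) and MAC-address (700) access lists above match and how the access-expression "in (lsap(200) & dmac(700))" combines them. It assumes the IOS wildcard convention (mask bits set to 1 are ignored) and that the 16-bit type code carries the DSAP in the high byte and the SSAP in the low byte; all frame values are constructed.

```python
# Added example (not from the thread): models IOS type-code (200) and
# MAC-address (700) access-list matching plus the access-expression
# "in (lsap(200) & dmac(700))". Assumptions: wildcard-mask bits set to 1
# are ignored; type code = DSAP << 8 | SSAP. Sample frames are constructed.

def mac_to_int(dotted):
    """'aaaa.bbbb.cccc' -> 0xAAAABBBBCCCC"""
    return int(dotted.replace(".", ""), 16)

def acl_match(entries, value):
    """First-match evaluation: True = permit, False = deny.
    No match falls through to the implicit deny at the end of the list."""
    for action, pattern, wildmask in entries:
        if (value & ~wildmask) == (pattern & ~wildmask):
            return action == "permit"
    return False

# access-list 200 deny 0x0000 0x0D0D
# access-list 200 permit 0x0000 0xffff
ACL200 = [("deny", 0x0000, 0x0D0D), ("permit", 0x0000, 0xFFFF)]

# access-list 700 deny aaaa.bbbb.cccc
# access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
ACL700 = [("deny", mac_to_int("aaaa.bbbb.cccc"), 0x000000000000),
          ("permit", 0x000000000000, 0xFFFFFFFFFFFF)]

def saps_denied(entries=ACL200):
    """SAP values the 200-series list denies when a SAP talks to itself
    (DSAP == SSAP): the set the wildcard 0x0D0D actually covers."""
    return sorted(s for s in range(256) if not acl_match(entries, (s << 8) | s))

def explorer_allowed(dsap, ssap, dmac):
    """access-expression in (lsap(200) & dmac(700)): the frame is only
    forwarded when both lists permit it."""
    return acl_match(ACL200, (dsap << 8) | ssap) and acl_match(ACL700, mac_to_int(dmac))

if __name__ == "__main__":
    print([hex(s) for s in saps_denied()])
    print(explorer_allowed(0x04, 0x04, "0000.1111.2222"))  # SNA: denied by lsap(200)
    print(explorer_allowed(0xF0, 0xF0, "aaaa.bbbb.cccc"))  # NetBIOS to the filtered MAC
    print(explorer_allowed(0xF0, 0xF0, "0000.1111.2222"))  # NetBIOS elsewhere: forwarded
```

Running it shows that the 0x0D0D wildcard also catches SAP 0x00 and its response 0x01, not just 0x04, 0x08 and 0x0C, which is worth knowing before relying on such a filter.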
This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:26 GMT-3