From: Carolyn Camarda (ccamarda@xxxxxxxxxxxxx)
Date: Thu Feb 14 2002 - 11:21:31 GMT-3
Mamoor,
Thanks for your response. I did some further digging and this is what I
came up with. The reference is from IOS v9 but not 12.0/.1 I think the pipe
has a different meaning when used with access-expressions but I was looking
for recent information & confirmation.
http://www.cisco.com/univercd/cc/td/doc/product/software/ssr90/rpc_r/54037.htm
Boolean Operators for Access Expression Terms

Boolean Operator    Definition

~ (called "not")    Negates, or reverses, the result of the term or group of
                    terms immediately to the right of the ~.
                    Example: "~lsap(201)" returns FALSE if "lsap(201)" itself
                    were TRUE.

& (called "and")    Returns TRUE if the terms or parenthetical expressions to
                    the left and right of the & both return TRUE.
                    Example: "lsap(201) & dmac(701)" returns TRUE if both the
                    lsap(201) and dmac(701) terms return TRUE.

| (called "or")     Returns TRUE if the term or parenthetical expression to
                    the left or right of the | either or both return TRUE.
                    Example: "lsap(201) | dmac(701)" returns TRUE if either
                    the lsap(201) or dmac(701) terms return TRUE.
Also, thanks for the fyi on the ACL 200. My reference comes from
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ibm_c/bcprt1/bcdsrb.htm#xtocid1735781
Suppose you want to permit the IBM 3174 cluster controllers to access the
FEP at address 0110.2222.3333, and also want the NetBIOS clients to access
the NetBIOS server named FILESVR3. The following set of router configuration
commands would meet this need:
netbios access-list host MIS permit FILESVR3
netbios access-list host MIS deny *
!
access-list 202 permit 0x0404 0x0001 ! Permits SNA frames (command or response)
********* access-list 202 permit 0x0004 0x0001 ! Permits SNA Explorers with NULL DSAP ****************
!
access-list 701 permit 0110.2222.3333
!
interface tokenring 0
access-expression in (lsap(202) & dmac(701)) | netbios-host(MIS)
I don't know what stations use the null DSAP value. I will start using both
your entry and my entry. Hard to find accurate information when it comes to
SNA.
Thanks
Carolyn.
----- Original Message -----
From: "Ahmed Mamoor Amimi" <mamoor@ieee.org>
To: "Carolyn Camarda" <ccamarda@bellsouth.net>; "CCIE Lab Mailing List"
<ccielab@groupstudy.com>
Sent: Wednesday, February 13, 2002 11:50 PM
Subject: Re: Regarding Access-Expressions - Confirmation Needed
> quote from CCO :
>
> Alternation allows you to specify alternative patterns to match against a
> string. You separate the alternative patterns with a vertical bar (|).
> Exactly one of the alternatives can match the string. For example, the
> regular expression
>
> codex|telebit
>
> matches the string codex or the string telebit, but not both codex and
> telebit.
>
> this is the bible of expression used in cisco IOS : please see the regular
> expression part of the paper.
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/ios127xe/cmdref/chap1.htm#xtocid249366
> watch the wrap.
>
> by the way .... seeing ur accesslist
> > access-list 200 deny 0x0004 0x0001
> > access-list 200 permit 0x0000 0xffff
>
> I think there is some mistake at 0x0004 0x0001 ---- it should be 0x0404
> 0x0d0d if ur filtering SNA type code 0x04
> why i have written it twice.... actually this is lsap and dsap and it is
> written that way.
>
> Just remember these magic phrase : ....
> 0x0d0d mask is for SNA
> 0x0101 mask is for netbios and its address is 0xf0f0 (for command) and
> 0xf1f1 (for respond)
> eg : accesslist 200 deny 0xf0f0 0x0101 .... will deny netbios.
> 0x0101 mask is also for IPX sap.... and its address of ssap and dsap is
> 0xe0e0
> eq : accesslist 200 deny 0xe0e0 0x0101 will deny ipx saps
> and allow rest of the traffic
> accesslist 200 permit 0x0000 0xffff
>
> please let me know if ur cleared !
>
> -Mamoor
> ----- Original Message -----
> From: Carolyn Camarda <ccamarda@bellsouth.net>
> To: CCIE Lab Mailing List <ccielab@groupstudy.com>
> Sent: Thursday, February 14, 2002 4:23 AM
> Subject: Regarding Access-Expressions - Confirmation Needed
>
>
> > I spent all day working a problem that I finally figured out (stupid,
> > stupid) as I was typing for help. Sometimes the group has its merits
> > without posting.
> >
> > Please respond if possible:
> >
> > Need confirmation. Access expressions work as Boolean functions. Given the
> > following configuration:
> >
> > int to0
> > access-expression in (lsap(200) & dmac(700))
> > !
> > access-list 200 deny 0x0004 0x0001
> > access-list 200 permit 0x0000 0xffff
> > !
> > access-list 700 deny 4000.3701.2000
> > access-list 700 permit 0.0.0 ffff.ffff.ffff
> >
> > A packet that is:
> >
> > denied by both ACL 200 & 700 -> is blocked from entering to0
> > permitted by either but not both ACL 200 & 700 -> is blocked from entering to0
> > permitted by both ACL 200 & 700 -> is allowed to enter to0
> >
> > Changing the operand to a '|'
> >
> > access-expression in (lsap(200) | dmac(700))
> >
> > denied by both ACL 200 & 700 -> is blocked from entering to0
> > permitted by either but not both ACL 200 & 700 -> is allowed to enter to0
> > permitted by both ACL 200 & 700 -> is allowed to enter to0
> >
> > I am really looking for confirmation on the OR part.
> >
> > Carolyn
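Added illustration, not part of this thread and not Cisco code: a small Python model of the Boolean evaluation the thread confirms. It assumes the matching rules stated in its comments (a mask bit set to 1 is a wildcard, first matching entry wins, implicit deny at the end of a list; ~ binds tighter than &, which binds tighter than |), transcribes the access lists quoted above into tuples, and runs them against constructed frames. It reproduces Carolyn's truth table for & versus |, evaluates the tokenring 0 expression with the netbios-host term, and shows why Mamoor's 0x0404 0x0d0d entry matches the 0x04, 0x05, 0x08 and 0x0C SAP values in one line while a 0x0001 mask matches only 0x04 and 0x05.

```python
"""Constructed model of IOS access-expression evaluation (added example,
not IOS code).  Matching rules below are assumptions, stated in comments."""
import re


def parse_mac(text: str) -> int:
    """Dotted-hex MAC such as '4000.3701.2000' -> integer."""
    return int(text.replace(".", ""), 16)


def mask_match(entries, value: int) -> bool:
    """Type-code (200-299) and MAC (700-799) style list: [(action, value, mask)].
    Assumption: mask bits set to 1 are wildcards, first match wins, implicit deny."""
    for action, want, mask in entries:
        if (value & ~mask) == (want & ~mask):
            return action == "permit"
    return False


def netbios_match(entries, name: str) -> bool:
    """netbios access-list host style list: [(action, pattern)], '*' = any name."""
    for action, pattern in entries:
        if pattern == "*" or pattern == name:
            return action == "permit"
    return False


class AccessExpression:
    """Recursive-descent evaluator for ~, &, | and parentheses.
    Assumed precedence: ~ tightest, then &, then |.  The thread's expressions
    are parenthesised, so precedence does not change their result."""
    TOKEN = re.compile(r"\s*(~|&|\||\(|\)|[a-z-]+\([^)]*\))")

    def __init__(self, text: str):
        self.tokens = self.TOKEN.findall(text)
        self.pos = 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def evaluate(self, frame: dict, acls: dict) -> bool:
        self.pos = 0
        result = self._or(frame, acls)
        if self.pos != len(self.tokens):
            raise ValueError("unexpected token: %r" % self._peek())
        return result

    def _or(self, frame, acls):
        result = self._and(frame, acls)
        while self._peek() == "|":
            self.pos += 1
            result = self._and(frame, acls) or result   # both sides evaluated
        return result

    def _and(self, frame, acls):
        result = self._unary(frame, acls)
        while self._peek() == "&":
            self.pos += 1
            result = self._unary(frame, acls) and result
        return result

    def _unary(self, frame, acls):
        tok = self._peek()
        self.pos += 1
        if tok == "~":
            return not self._unary(frame, acls)
        if tok == "(":
            value = self._or(frame, acls)
            if self._peek() != ")":
                raise ValueError("missing ')'")
            self.pos += 1
            return value
        m = re.fullmatch(r"([a-z-]+)\((.*)\)", tok or "")
        if not m:
            raise ValueError("bad term: %r" % tok)
        term, arg = m.groups()
        if term == "lsap":          # DSAP/SSAP pair against a 200-series list
            return mask_match(acls[int(arg)], frame["lsap"])
        if term == "dmac":          # destination MAC against a 700-series list
            return mask_match(acls[int(arg)], frame["dmac"])
        if term == "netbios-host":  # NetBIOS name against a named host list
            return netbios_match(acls[arg], frame.get("netbios_name", ""))
        raise ValueError("unsupported term: %r" % term)


def evaluate(expression: str, frame: dict, acls: dict) -> bool:
    return AccessExpression(expression).evaluate(frame, acls)


# Access lists quoted in the thread, transcribed into the tuple form above.
ACLS = {
    200: [("deny", 0x0004, 0x0001), ("permit", 0x0000, 0xffff)],
    700: [("deny", parse_mac("4000.3701.2000"), 0), ("permit", 0, 0xffffffffffff)],
    202: [("permit", 0x0404, 0x0001), ("permit", 0x0004, 0x0001)],
    701: [("permit", parse_mac("0110.2222.3333"), 0)],
    "MIS": [("permit", "FILESVR3"), ("deny", "*")],
}
SNA_0D0D = [("permit", 0x0404, 0x0d0d)]   # Mamoor's suggested SNA entry

# Constructed frames: DSAP/SSAP pair, destination MAC, optional NetBIOS name.
FRAMES = {
    "both_denied":    {"lsap": 0x0004, "dmac": parse_mac("4000.3701.2000")},
    "sap_only":       {"lsap": 0x0404, "dmac": parse_mac("4000.3701.2000")},
    "both_permitted": {"lsap": 0x0404, "dmac": parse_mac("0000.0c00.0001")},
    "netbios_filesvr3": {"lsap": 0xf0f0, "dmac": parse_mac("0000.0c00.0001"),
                         "netbios_name": "FILESVR3"},
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(name, "AND:", evaluate("(lsap(200) & dmac(700))", frame, ACLS),
              "OR:", evaluate("(lsap(200) | dmac(700))", frame, ACLS))
```

Running the block prints one line per constructed frame; the "sap_only" frame is the case the original question was about, blocked by & and allowed by |.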