Re: Regarding Access-Expressions - Confirmation Needed

From: Maurice Flint (mflint@xxxxxxxxxx)
Date: Sat Feb 16 2002 - 13:13:36 GMT-3


I am observing that SNA requires the use of the SAP 0x00 in order to establish
the connection. I have taken snapshots of sniffer traces on a production SRB
network. Will the access-list 202 in the attached configuration permit
connectivity? If multiple SNA devices are running on a network, 04 is not the
only port that can be used.

1. Initial test poll from remote device trying to find the FEP:

------------ LLC Header ------------
LLC: Dsap: 0x0 (0)
LLC: Ssap: 0x8 (8) Command
LLC: Unnumbered frame: TEST POLL (227)

2. The FEP responds to the test poll:

------------ LLC Header ------------
LLC: Dsap: 0x8 (8)
LLC: Ssap: 0x0 (0) Response
LLC: Unnumbered frame: TEST FINAL (227)

3. The remote device sends the XID poll:

------------ LLC Header ------------
LLC: Dsap: 0x4 (4) note: ssap 8 dsap 4
LLC: Ssap: 0x8 (8) Command
LLC: Unnumbered frame: XID POLL (175)

4. The FEP responds:

------------ LLC Header ------------
LLC: Dsap: 0x8 (8) note: ssap 4 dsap 8
LLC: Ssap: 0x4 (4) Response
LLC: Unnumbered frame: XID FINAL (175)
LLC: 117 bytes of data

Carolyn Camarda wrote:

> Mamoor,
>
> Thanks for your response. I did some further digging and this is what I
> came up with. The reference is from IOS v9, not 12.0/.1. I think the pipe
> has a different meaning when used with access-expressions, but I was looking
> for recent information & confirmation.
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ssr90/rpc_r/54037.htm
>
> Boolean Operators for Access Expression Terms
>
> ~ (called "not"): Negates, or reverses, the result of the term or group of
> terms immediately to the right of the ~.
> Example: "~lsap(201)" returns FALSE if "lsap(201)" itself were TRUE.
>
> & (called "and"): Returns TRUE if the terms or parenthetical expressions to
> the left and right of the & both return TRUE.
> Example: "lsap(201) & dmac(701)" returns TRUE if both the lsap(201) and
> dmac(701) terms return TRUE.
>
> | (called "or"): Returns TRUE if the term or parenthetical expression to the
> left or right of the | either or both return TRUE.
> Example: "lsap(201) | dmac(701)" returns TRUE if either the lsap(201) or
> dmac(701) terms return TRUE.
>
> Also, thanks for the fyi on the ACL 200. My reference comes from
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ibm_c/bcprt1/bcdsrb.htm#xtocid1735781
>
> Suppose you want to permit the IBM 3174 cluster controllers to access the
> FEP at address 0110.2222.3333, and also want the NetBIOS clients to access
> the NetBIOS server named FILESVR3. The following set of router configuration
> commands would meet this need:
> netbios access-list host MIS permit FILESVR3
> netbios access-list host MIS deny *
> !
> access-list 202 permit 0x0404 0x0001 ! Permits SNA frames (command or response)
> ********* access-list 202 permit 0x0004 0x0001 ! Permits SNA Explorers with NULL DSAP ****************
> !
> access-list 701 permit 0110.2222.3333
> !
> interface tokenring 0
> access-expression in (lsap(202) & dmac(701)) | netbios-host(MIS)
>
> I don't know what stations use the null DSAP value. I will start using both
> your entry and my entry. Hard to find accurate information when it comes to
> SNA.
> Thanks
> Carolyn.
>
> ----- Original Message -----
> From: "Ahmed Mamoor Amimi" <mamoor@ieee.org>
> To: "Carolyn Camarda" <ccamarda@bellsouth.net>; "CCIE Lab Mailing List"
> <ccielab@groupstudy.com>
> Sent: Wednesday, February 13, 2002 11:50 PM
> Subject: Re: Regarding Access-Expressions - Confirmation Needed
>
> > quote from CCO :
> >
> > Alternation allows you to specify alternative patterns to match against a
> > string. You separate the alternative patterns with a vertical bar (|).
> > Exactly one of the alternatives can match the string. For example, the
> > regular expression
> >
> > codex|telebit
> >
> > matches the string codex or the string telebit, but not both codex and
> > telebit.
> >
> > this is the bible of expression used in cisco IOS : please see the regular
> > expression part of the paper.
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/ios127xe/cmdref/chap1.htm#xtocid249366
> > watch the wrap.
> >
> > by the way .... seeing ur accesslist
> > > access-list 200 deny 0x0004 0x0001
> > > access-list 200 permit 0x0000 0xffff
> >
> > I think there is some mistake at 0x0004 0x0001 ---- it should be 0x0404
> > 0x0d0d if ur filtering SNA type code 0x04
> > why i have written it twice.... actually this is lsap and dsap and it is
> > written that way.
> >
> > Just remember these magic phrases : ....
> > 0x0d0d mask is for SNA
> > 0x0101 mask is for netbios and its address is 0xf0f0 (for command) and
> > 0xf1f1 (for response)
> > eg : accesslist 200 deny 0xf0f0 0x0101 .... will deny
> > netbios.
> > 0x0101 mask is also for IPX sap.... and its address of ssap and dsap is
> > 0xe0e0
> > eg : accesslist 200 deny 0xe0e0 0x0101 will deny ipx saps
> > and allow rest of the traffic
> > accesslist 200 permit 0x0000 0xffff
> >
> > please let me know if ur cleared !
> >
> > -Mamoor
> > ----- Original Message -----
> > From: Carolyn Camarda <ccamarda@bellsouth.net>
> > To: CCIE Lab Mailing List <ccielab@groupstudy.com>
> > Sent: Thursday, February 14, 2002 4:23 AM
> > Subject: Regarding Access-Expressions - Confirmation Needed
> >
> >
> > > I spent all day working a problem that I finally figured out (stupid,
> > > stupid) as I was typing for help. Sometimes the group has its merits
> > > without posting.
> > >
> > > Please respond if possible:
> > >
> > > Need confirmation. Access expressions work as Boolean functions. Given the
> > > following configuration:
> > >
> > > int to0
> > > access-expression in (lsap(200) & dmac(700))
> > > !
> > > access-list 200 deny 0x0004 0x0001
> > > access-list 200 permit 0x0000 0xffff
> > > !
> > > access-list 700 deny 4000.3701.2000
> > > access-list 700 permit 0.0.0 ffff.ffff.ffff
> > >
> > > A packet that is:
> > >
> > > denied by both ACL 200 & 700 -> is blocked from entering to0
> > > permitted by either but not both ACL 200 & 700 -> is blocked from entering
> > > to0
> > > permitted by both ACL 200 & 700 -> is allowed to enter to0
> > >
> > > Changing the operand to a '|'
> > >
> > > access-expression in (lsap(200) | dmac(700))
> > >
> > > denied by both ACL 200 & 700 -> is blocked from entering to0
> > > permitted by either but not both ACL 200 & 700 -> is allowed to enter to0
> > > permitted by both ACL 200 & 700 -> is allowed to enter to0
> > >
> > > I am really looking for confirmation on the OR part.
> > >
> > > Carolyn
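
Added example, not code from any poster in this thread: a small Python model of the type-code ACL matching that lsap() performs and of Carolyn's access-expression, run against the four DSAP/SSAP pairs in Maurice's trace. It assumes the type-code semantics described in the thread (16-bit code is DSAP in the high byte and SSAP in the low byte, a 1 bit in the wild-mask means "ignore that bit", top-down search with an implicit deny at the end, and a term is TRUE when its list permits the frame); the dmac(701) result is supplied as a constant because the trace shows no MAC addresses.

```python
# Added example (not from the thread). Models Cisco IOS type-code ACLs
# (200-299) as used by lsap(), and evaluates Carolyn's access-expression
# against the DSAP/SSAP pairs Maurice captured. Assumptions: type code is
# DSAP<<8 | SSAP, a 1 bit in the wild-mask means "ignore this bit", the list
# is searched top-down with an implicit deny, and an access-expression term
# is TRUE when its list permits the frame.

def lsap_match(dsap, ssap, acl):
    """Return True if the (dsap, ssap) pair is permitted by a type-code ACL.
    acl is a list of (action, value, wild_mask) tuples in configured order."""
    code = (dsap << 8) | ssap
    for action, value, mask in acl:
        keep = ~mask & 0xFFFF          # bits that must match exactly
        if (code & keep) == (value & keep):
            return action == "permit"
    return False                        # implicit deny at end of list

# Carolyn's access-list 202, entries as posted (mask 0x0001 ignores only
# the SSAP command/response bit).
ACL_202_CAROLYN = [("permit", 0x0404, 0x0001), ("permit", 0x0004, 0x0001)]
# Mamoor's single SNA entry: mask 0x0d0d ignores bits 0, 2 and 3 of each
# SAP byte, so it covers SAPs 0x00/0x04/0x08/0x0C plus the C/R bit.
ACL_202_MAMOOR = [("permit", 0x0404, 0x0d0d)]

# DSAP/SSAP pairs taken from the four sniffer frames in Maurice's message.
TRACE = {
    "TEST poll": (0x00, 0x08),
    "TEST final": (0x08, 0x00),
    "XID poll": (0x04, 0x08),
    "XID final": (0x08, 0x04),
}

def evaluate(acl):
    """Map each captured frame to the lsap() term result for the given ACL."""
    return {name: lsap_match(d, s, acl) for name, (d, s) in TRACE.items()}

def access_expression(lsap_ok, dmac_ok, netbios_ok=False):
    """(lsap(202) & dmac(701)) | netbios-host(MIS), as in Carolyn's config."""
    return (lsap_ok and dmac_ok) or netbios_ok

if __name__ == "__main__":
    for label, acl in (("Carolyn", ACL_202_CAROLYN), ("Mamoor", ACL_202_MAMOOR)):
        for frame, ok in evaluate(acl).items():
            # dmac(701) assumed TRUE (frame addressed to the FEP's MAC)
            verdict = "permit" if access_expression(ok, True) else "drop"
            print(f"{label:8} {frame:11} -> lsap={ok!s:5} expression={verdict}")
```

Under these assumptions the two 0x0001-masked entries match none of the four captured frames (the null-DSAP TEST frames use SSAP 0x08, not 0x04), while the 0x0d0d mask matches all of them.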



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:25 GMT-3