From: John Neiberger (neiby@xxxxxxxxxx)
Date: Mon Apr 08 2002 - 01:23:49 GMT-3
No, that is incorrect. Break it down into binary to see why.
The parameters are broken down like this:
0x0404 = source sap (04) + destination sap (04)
In binary, that is:
00000100 00000100
0x0808 is:
00001000 00001000
Let's stick with using 0x04 as an example. If this is the
destination sap in a command frame, 0x05 will be the sap in the
response (or so I've heard <g>). So, our access list must
match every fourth even sap plus the next odd sap (0405, 0809,
etc.)
To do this, we match on a "blank" sap of all zeroes: 0x0000
and use a mask of 0x0d0d:
00000000 00000000
00001101 00001101
This will match any sap that has a zero in the second bit
position. Here are some possible matches, starting at 4:
00000100 (4) 00000101 (5)
00001000 (8) 00001001 (9)
00001100 (C) 00001101 (D)
These can all be matched by using 0x0000 0x0d0d in your access
list, and I believe almost all SNA traffic uses 0x04 and 0x05.
I don't know that for certain, and I do know that it can use
other saps but that list will cover those three cases.
To follow this thread in another direction let's look at the
IPX and NetBIOS filters:
access-list 200 permit 0xe0e0 0x0101 (IPX)
access-list 201 permit 0xf0f0 0x0101 (NetBIOS)
Taking the first one as an example we break it down into binary:
11100000 11100000 (0xe0e0)
00010001 00010001 (0x0101)
This will match the sap in command frame (e0) or the sap in a
response frame (e1). The math works out the same for NetBIOS
except the command and response saps are f0 and f1.
Some or all of this may be incorrect so you'll want to verify
this. I'd hate for a portion of someone's exam to rest on my
word alone. :-) I think the URL listed below says it all, so
read through it carefully.
HTH,
John
---- On Sun, 7 Apr 2002, Narvaez, Pablo
(Pablo.Narvaez@getronics.com) wrote:
> Just wondering about this acl, shouldn't it be like:
>
> +- access-list 201 permit 0x0404 0x1010
> +- access-list 202 permit 0x0808 0x1010 ? I tested with those wildcards
> as with IP ACLs and it worked indicated "0" = exact match required ...
>
> Am I right? just wondering ..
>
> -hockito-
>
>
>
> -----Original Message-----
> From: Chua, Parry [mailto:Parry.Chua@compaq.com]
> Sent: Domingo, 07 de Abril de 2002 10:15 p.m.
> To: Larry Whitfill; ccielab@groupstudy.com
> Subject: RE: SAP ACLs
>
>
> For testing, I would suggest you do the following.
>
> - Create three access-lists
> +- access-list 201 permit 0x0404 0x0101
> +- access-list 202 permit 0x0808 0x0101
> +- access-list 203 permit 0x0000 0x0d0d
>
> Create 3 SNA sessions using lsap 4, 8, C.
>
> Test with each access-list and see the result. access-list 201 should
> allow only lsap 4, 202 should allow lsap 8 and 203 should allow all three
> lsap.
>
> Parry Chua
>
> -----Original Message-----
> From: Larry Whitfill [mailto:whitfill@cox.net]
> Sent: Monday, April 08, 2002 10:42 AM
> To: ccielab@groupstudy.com
> Subject: SAP ACLs
>
>
> http://www.cisco.com/warp/public/698/acl200.html#caseD
>
> Friends,
>
> This may be old news but I found this after investigating a discrepancy
> in the Practical Studies book. I'm particularly interested in the advised
> method of filtering SNA:
>
> "access-list 201 deny 0x0000 0x0d0d"
>
> The site admits that not all SNA SAPS will be filtered by this, but is it
> safe to assume that this is good enough for testing purposes?
>
> Larry
>
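The value/mask arithmetic John walks through above can be checked mechanically rather than by hand. The script below is an added example, not part of this thread or of any Cisco tool; it assumes the Cisco type-code ACL semantics the posts describe (a mask bit set to 1 means "don't care", a 0 bit must match the value), models the 16-bit SAP field as DSAP followed by SSAP as in the IEEE 802.2 LLC header, and constructs its own sample headers. It enumerates every SAP a given pair admits, so it also reveals matches the post does not list (0x0000/0x0d0d admits the null SAPs 0x00 and 0x01 too) and shows why the 0x1010 mask proposed in the quoted reply misses the response SAP.

```python
# Added example (not from the thread): simulate Cisco SAP access-list
# (lists 200-299) value/mask matching to verify the pairs discussed above.
# Assumed semantics: mask bit 1 = don't care, mask bit 0 = must equal value.
import struct


def sap_matches(value, mask, sap_field, width=16):
    """True if sap_field (16-bit DSAP/SSAP pair, or one 8-bit SAP when
    width=8) is admitted by the value/mask pair."""
    full = (1 << width) - 1
    care = ~mask & full
    return (sap_field & care) == (value & care)


def matched_saps(value, mask):
    """Every 8-bit SAP that a single-byte value/mask pair admits."""
    return {s for s in range(256) if sap_matches(value, mask, s, width=8)}


def llc_sap_field(frame):
    """DSAP and SSAP from an 802.2 LLC header as one 16-bit number
    (DSAP is the first byte on the wire, SSAP the second)."""
    return struct.unpack("!H", frame[:2])[0]


def permitted(acl, frame):
    """Evaluate an ordered list of (value, mask) permit entries against a
    frame's SAP field; anything no entry matches is implicitly denied."""
    field = llc_sap_field(frame)
    return any(sap_matches(v, m, field) for v, m in acl)


# Constructed LLC headers: DSAP, SSAP, control byte (UI frame).
# In 802.2 the low-order bit of the SSAP is the command/response bit,
# so a response to a SAP 0x04 command carries SSAP 0x05 (0x0405 overall).
SNA_COMMAND = bytes([0x04, 0x04, 0x03])
SNA_RESPONSE = bytes([0x04, 0x05, 0x03])
IPX_RESPONSE = bytes([0xE0, 0xE1, 0x03])

if __name__ == "__main__":
    # Per-byte view of the masks discussed in the thread.
    for v, m in [(0x00, 0x0D), (0x04, 0x01), (0x04, 0x10), (0xE0, 0x01)]:
        admitted = ", ".join(f"{s:02x}" for s in sorted(matched_saps(v, m)))
        print(f"0x{v:02x} mask 0x{m:02x} admits: {admitted}")
    # Whole-frame view: the 0x1010 mask passes the command but not the response.
    for acl in ([(0x0404, 0x1010)], [(0x0404, 0x0101)], [(0x0000, 0x0D0D)]):
        print(acl, permitted(acl, SNA_COMMAND), permitted(acl, SNA_RESPONSE))
```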
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:59 GMT-3