From: Brian McGahan (brian@xxxxxxxxxxxxxxx)
Date: Mon Apr 08 2002 - 01:32:36 GMT-3
Mamoor,
You also have to remember to match the response SAP. The
command SAPs for SNA, as Parry mentioned, are 4, 8, & C. The
corresponding response SAPs for SNA are 5, 9, & D. Therefore, if you
allow 4, you should also allow 5. Therefore Parry's list reads
correctly.
access-list 201 permit 0x0404 0x0101 <--- matches 4 & 5
access-list 202 permit 0x0808 0x0101 <--- matches 8 & 9
access-list 203 permit 0x0000 0x0d0d <--- matches 4, 5, 8, 9, C, & D
NetBIOS uses command SAP F0, and response SAP F1. Therefore, to
match on NetBIOS your syntax should read:
access-list 200 permit 0xF0F0 0x0101
IPX, however, does not use a response SAP. It only uses SAP E0.
Matching on IPX should read:
access-list 200 permit 0xE0E0 0x0000
HTH
Brian McGahan
CCIE #8593
brian@cyscoexpert.com
CyscoExpert Corporation
Internetwork Consulting & Training
http://www.cyscoexpert.com
Voice: 847.674.3392
Fax: 847.674.2625
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ahmed Mamoor Amimi
Sent: Saturday, April 06, 2002 11:04 PM
To: Narvaez, Pablo; Chua, Parry; Larry Whitfill; ccielab@groupstudy.com
Subject: Re: SAP ACLs
ur right !! in that 0 is for the exact match ,but there is no meaning of
"1010" in hex it is called AA. so ur access-list is wrong here.
The correct should be according to example that Parry had given :
0x0404 0x0000 if ur matching 4
0x0808 0x0000 if ur matching 8
0x0000 0x0d0d if ur matching 4 , 8 , 1 that gives C
Correct me if i am wrong.
-Mamoor
----- Original Message -----
From: Narvaez, Pablo <Pablo.Narvaez@getronics.com>
To: Chua, Parry <Parry.Chua@compaq.com>; Larry Whitfill
<whitfill@cox.net>;
<ccielab@groupstudy.com>
Sent: Monday, April 08, 2002 8:35 AM
Subject: RE: SAP ACLs
> Just wondering about this acl, shouldn't it be like:
>
> +- access-list 201 permit 0x0404 0x1010
> +- access-list 202 permit 0x0808 0x1010 ? I tested with that wildcards as
> with IP ACLs and it worked indicated "0" = exact match required ...
>
> Am I right? just wondering ..
>
> -hockito-
>
>
>
> -----Original Message-----
> From: Chua, Parry [mailto:Parry.Chua@compaq.com]
> Sent: Domingo, 07 de Abril de 2002 10:15 p.m.
> To: Larry Whitfill; ccielab@groupstudy.com
> Subject: RE: SAP ACLs
>
>
> For testing, I would suggest you do the following.
>
> - Create three access-list
> +- access-list 201 permit 0x0404 0x0101
> +- access-list 202 permit 0x0808 0x0101
> +- access-list 203 permit 0x0000 0x0d0d
>
> Create 3 SNA sessions using lsap 4, 8, C.
>
> Test with each access-list and see the result. access-list 201 should
> allow only lsap 4, 202 should allow lsap 8 and 203 should allow all three
> lsap.
>
> Parry Chua
>
> -----Original Message-----
> From: Larry Whitfill [mailto:whitfill@cox.net]
> Sent: Monday, April 08, 2002 10:42 AM
> To: ccielab@groupstudy.com
> Subject: SAP ACLs
>
>
> http://www.cisco.com/warp/public/698/acl200.html#caseD
>
> Friends,
>
> This may be old news but I found this after investigating a discrepancy in
> the Practical Studies book. I'm particularly interested in the advised
> method of filtering SNA:
>
> "access-list 201 deny 0x0000 0x0d0d"
>
> The site admits that not all SNA SAPS will be filtered by this, but is it
> safe to assume that this is good enough for testing purposes?
>
> Larry
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:59 GMT-3
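
Added example, not part of the original messages: a short Python model that expands each type-code / wildcard pair quoted in the thread into the SAP values it matches, which is a quick way to audit a 200-series filter before applying it. It assumes the 16-bit type code is DSAP (high byte) plus SSAP (low byte) and that a 1 bit in the wildcard means "ignore", as the thread describes; the function names are made up for this illustration.

```python
# Added illustration, not from the thread. Assumed model: the 16-bit type
# code is DSAP (high byte) + SSAP (low byte); wildcard bit 1 = ignore,
# wildcard bit 0 = exact match required.

def sap_values(value: int, mask: int) -> list[int]:
    """All 8-bit SAP values accepted by one byte of type code / wildcard."""
    care = ~mask & 0xFF
    return [v for v in range(256) if (v & care) == (value & care)]

def expand(type_code: int, wildcard: int) -> tuple[list[int], list[int]]:
    """(DSAP values, SSAP values) matched by one access-list entry."""
    dsaps = sap_values(type_code >> 8, wildcard >> 8)
    ssaps = sap_values(type_code & 0xFF, wildcard & 0xFF)
    return dsaps, ssaps

def matches(type_code: int, wildcard: int, dsap: int, ssap: int) -> bool:
    """True if a frame with this DSAP/SSAP pair matches the entry."""
    frame = (dsap << 8) | ssap
    care = ~wildcard & 0xFFFF
    return (frame & care) == (type_code & care)

# Entries quoted in the thread, as (type code, wildcard mask).
ENTRIES = [
    (0x0404, 0x0101), (0x0808, 0x0101), (0x0000, 0x0D0D),
    (0xF0F0, 0x0101), (0xE0E0, 0x0000),
    (0x0404, 0x0000), (0x0404, 0x1010),
]

def report() -> list[str]:
    """One line per entry listing the DSAP values it matches, in hex."""
    lines = []
    for code, mask in ENTRIES:
        dsaps, _ = expand(code, mask)
        hexes = " ".join(f"{v:02X}" for v in dsaps)
        lines.append(f"0x{code:04X} 0x{mask:04X} -> {hexes}")
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```

Because the comparison is bitwise, the DSAP and SSAP sets are independent, so an entry matches every combination of one value from each list.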