From: Ahmed Mamoor Amimi (mamoor@xxxxxxxx)
Date: Sun Apr 07 2002 - 02:56:10 GMT-3
Thanks for the pointer ... i was ignoring it ...
Pablo.... here it is more refined... <grin>
Thanks.
----- Original Message -----
From: Brian McGahan <brian@cyscoexpert.com>
To: 'Ahmed Mamoor Amimi' <mamoor@ieee.org>; 'Narvaez, Pablo'
<Pablo.Narvaez@getronics.com>; 'Chua, Parry' <Parry.Chua@compaq.com>; 'Larry
Whitfill' <whitfill@cox.net>; <ccielab@groupstudy.com>
Sent: Monday, April 08, 2002 9:32 AM
Subject: RE: SAP ACLs
> Mamoor,
>
> You also have to remember to match the response SAP. The
> command SAPs for SNA, as Parry mentioned, are 4, 8, & C. The
> corresponding response SAPs for SNA are 5, 9, & D. Therefore, if you
> allow 4, you should also allow 5. Therefore Parry's list reads
> correctly.
>
> access-list 201 permit 0x0404 0x0101 <--- matches 4 & 5
> access-list 202 permit 0x0808 0x0101 <--- matches 8 & 9
> access-list 203 permit 0x0000 0x0d0d <--- matches 4, 5, 8, 9, C, & D
>
> NetBIOS uses command SAP F0, and response SAP F1. Therefore, to
> match on NetBIOS your syntax should read:
>
> access-list 200 permit 0xF0F0 0x0101
>
> IPX, however, does not use a response SAP. It only uses SAP E0.
> Matching on IPX should read:
>
> access-list 200 permit 0xE0E0 0x0000
>
>
> HTH
>
> Brian McGahan
> CCIE #8593
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> http://www.cyscoexpert.com
> Voice: 847.674.3392
> Fax: 847.674.2625
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Ahmed Mamoor Amimi
> Sent: Saturday, April 06, 2002 11:04 PM
> To: Narvaez, Pablo; Chua, Parry; Larry Whitfill; ccielab@groupstudy.com
> Subject: Re: SAP ACLs
>
> ur right !! in that 0 is for the exact match ,but there is no meaning of
> "1010" in hex it is called AA. so ur access-list is wrong here.
>
> The correct should be according to example that Parry had given :
>
> 0x0404 0x0000 if ur matching 4
> 0x0808 0x0000 if ur matching 8
> 0x0000 0x0d0d if ur matching 4 , 8 , 1 that gives C
>
> Correct me if i am wrong.
>
> -Mamoor
>
>
>
> ----- Original Message -----
> From: Narvaez, Pablo <Pablo.Narvaez@getronics.com>
> To: Chua, Parry <Parry.Chua@compaq.com>; Larry Whitfill
> <whitfill@cox.net>;
> <ccielab@groupstudy.com>
> Sent: Monday, April 08, 2002 8:35 AM
> Subject: RE: SAP ACLs
>
>
> > Just wondering about this acl, shouldn't it be like:
> >
> > +- access-list 201 permit 0x0404 0x1010
> > +- access-list 202 permit 0x0808 0x1010 ? I tested with that
> > wildcards as with IP ACLs and it worked indicated "0" = exact match required ...
> >
> > Am I right? just wondering ..
> >
> > -hockito-
> >
> >
> >
> > -----Original Message-----
> > From: Chua, Parry [mailto:Parry.Chua@compaq.com]
> > Sent: Sunday, April 07, 2002 10:15 p.m.
> > To: Larry Whitfill; ccielab@groupstudy.com
> > Subject: RE: SAP ACLs
> >
> >
> > For testing, I would suggest you to do the following.
> >
> > - Create three access-lists
> > +- access-list 201 permit 0x0404 0x0101
> > +- access-list 202 permit 0x0808 0x0101
> > +- access-list 203 permit 0x0000 0x0d0d
> >
> > Create 3 SNA sessions using lsap 4, 8, C.
> >
> > Test with each access-list and see the result. access-list 201 should
> > allow only lsap 4, 202 should allow lsap 8 and 203 should allow all three
> > lsap.
> >
> > Parry Chua
> >
> > -----Original Message-----
> > From: Larry Whitfill [mailto:whitfill@cox.net]
> > Sent: Monday, April 08, 2002 10:42 AM
> > To: ccielab@groupstudy.com
> > Subject: SAP ACLs
> >
> >
> > http://www.cisco.com/warp/public/698/acl200.html#caseD
> >
> > Friends,
> >
> > This may be old news but I found this after investigating a discrepancy in
> > the Practical Studies book. I'm particularly interested in the advised
> > method of filtering SNA:
> >
> > "access-list 201 deny 0x0000 0x0d0d"
> >
> > The site admits that not all SNA SAPS will be filtered by this, but is it
> > safe to assume that this is good enough for testing purposes?
> >
> > Larry
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:59 GMT-3
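
The value/mask matching debated in this thread, as an added example that is not part of the original messages. It assumes a mask bit of 1 is ignored (as in IP ACL wildcards), with the high byte compared against the DSAP and the low byte against the SSAP; the function names and sample frames are constructed for illustration.

```python
"""Evaluate Cisco type-code ACL entries (access-list 200-299) against LLC SAP pairs.

Assumption: mask bits set to 1 are ignored (as in IP ACL wildcards); the high
byte of the 16-bit value is compared with the DSAP, the low byte with the SSAP.
"""

def byte_matches(value, mask):
    """All 8-bit SAP values accepted by one value/mask byte."""
    care = ~mask & 0xFF
    return [b for b in range(256) if ((b ^ value) & care) == 0]

def entry_matches(value, mask, dsap, ssap):
    """True if the DSAP/SSAP pair matches a 16-bit value under its mask."""
    field = (dsap << 8) | ssap
    return ((field ^ value) & ~mask & 0xFFFF) == 0

def evaluate(acl, dsap, ssap):
    """First matching entry decides; no match falls to the implicit deny."""
    for action, value, mask in acl:
        if entry_matches(value, mask, dsap, ssap):
            return action
    return "deny"

# Entries quoted in the thread, as (action, value, mask).
ACL_201 = [("permit", 0x0404, 0x0101)]
ACL_203 = [("permit", 0x0000, 0x0D0D)]
ACL_1010 = [("permit", 0x0404, 0x1010)]   # the 0x1010 mask variant

# Constructed sample frames: (label, DSAP, SSAP).
FRAMES = [
    ("SNA command 04/04", 0x04, 0x04),
    ("SNA response 04/05", 0x04, 0x05),
    ("SNA command 0C/0C", 0x0C, 0x0C),
    ("NetBIOS F0/F1", 0xF0, 0xF1),
    ("IPX E0/E0", 0xE0, 0xE0),
]

if __name__ == "__main__":
    for name, acl in (("201", ACL_201), ("203", ACL_203), ("0x1010", ACL_1010)):
        value, mask = acl[0][1], acl[0][2]
        saps = [f"{b:02X}" for b in byte_matches(value & 0xFF, mask & 0xFF)]
        print(f"ACL {name}: SSAP byte accepts {saps}")
        for label, dsap, ssap in FRAMES:
            print(f"  {label:20} -> {evaluate(acl, dsap, ssap)}")
```

Listing the accepted byte values for each mask before applying a filter shows exactly which SAPs an entry lets through, including any that were not intended.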