From: Joe (GroupStudy@xxxxxxxxxxx)
Date: Tue Jul 30 2002 - 11:23:59 GMT-3
No it isn't correct. It matches only 0x0c0c and 0x0d0d.
Look at it this way (remember the rule for masks: "1's don't care, 0 direct
match", except in a MAC address mask!!!!):
Column 1 2 3 4 5
DSAP/SSAP 0x0d0d = 0000 1101 0000 1101
Mask 0x0101 = 0000 0001 0000 0001
Matched = 0000 110x 0000 110x
The x's in the Matched row, columns 3 and 5 can be either 0 or 1 because of
the mask you used. So therefore the only values that are matched in those
columns are 1100 and 1101, or 0x0c and 0x0d. Your filter will not match on
0x04 or 0x08, nor the responses to those frames.
Let's work backward and find a mask for your DSAP/SSAP pair. The matched
column would need to be:
Matched = 0000 xx0x 0000 xx0x
Your Mask would then need to be:
Mask = 0000 1101 0000 1101 which translates to 0x0d0d
So your DSAP/SSAP pair of 0x0d0d would need a mask of 0x0d0d. This may seem
confusing since it is different than what I said below, but you need to
remember the '1's don't care' rule. In fact, if you entered the filter as
0x0d0d 0x0d0d, IOS will automatically convert it to 0x0000 0x0d0d, but they
are really the same, just as 0x0404 0x0d0d and 0x0808 0x0d0d are. It's kind
of like a least common value concept, where if you have a 1 in the mask, it
will match any value, the actual value does not matter; it's just a
placeholder. IOS assumes that 0 is the simplest value to use as a
placeholder and will change your statement for you.
Look at this to see what I mean:
Router(config)#access-list 200 permit 0x0d0d 0x0d0d
Router(config)#access-list 201 permit 0x0000 0x0d0d
Router(config)#access-list 202 permit 0x0404 0x0d0d
Router(config)#access-list 203 permit 0x0808 0x0d0d
Router(config)#exit
Router#^z
Router#sh access-list
Type code access list 200
permit 0x0000 0x0D0D
Type code access list 201
permit 0x0000 0x0D0D
Type code access list 202
permit 0x0000 0x0D0D
Type code access list 203
permit 0x0000 0x0D0D
- Joe
-----Original Message-----
From: Tom Young [mailto:gitsyoung@yahoo.co.jp]
Sent: Sunday, July 28, 2002 6:57 AM
To: Joe A
Subject: RE: What is the correct filter for all five SNA saps??
Infact, I always used the command below:
access-list 200 permit 0x0d0d 0x0101
for control all the SNA command/response frame
Is it right?
Tom
--- Joe A <GroupStudy@comcast.net> $B$+$i$N%a%C%;!<%8!'(B
> Not sure what you mean by all 5 lsaps. Ya might say
> there are six, but
> that's not technically correct. The SNA lsaps are
> 0x04, 0x08 and 0x0C.
> These are the lsap values you'd see in the command
> frames; the response
> frames flip the first bit, resulting what most
> people call the other three
> lsaps, 0x05, 0x09 and 0x0D, though they're not
> 'really' lsaps. Anyway, back
> to your question, the first ACL, having all 0s in
> the mask, would mean all
> the bits in the dsap/ssap pair must be matched
> exactly and therefore would
> only match on 0x0D0D, so that's not it. The second
> one is correct.
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com]On Behalf Of
> alex fayn
> Sent: Monday, July 22, 2002 5:51 PM
> To: ccielab@groupstudy.com
> Subject: What is the correct filter for all five SNA
> saps??
>
>
> What is the correct filter for all five SNA saps??
>
>
>
> 1: access-list 200 permit 0x0d0d 0x0000 or
> 2: access-list 200 permit 0x0000 0x0d0d
>
>
> ---------------------------------
> Do You Yahoo!?
> Yahoo! Health - Feel better, live better
>
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:48 GMT-3