From: beda jain (bpjain@cisco.com)
Date: Tue Sep 17 2002 - 16:22:53 GMT-3
Hi,
These filters cannot check both source and destination address at the same time.
In OUT it checks for destination and in IN
it checks for source.
For both input and output it checks for hosts directly connected to rings or
LAN only.
I agree with no. 1 but not with no. 2.
I understand OUT means it checks the destination host in the ring and traffic
coming out from the router towards the ring.
INPUT means it checks for the source host from the ring toward the router.
OUTPUT means it checks the destination host in the ring from the router.
This input and output is the same for the NetBIOS filter (input-access-filter), MAC
filter (input-address-list) and access expression.
This is my understanding. Someone please confirm this.
At 12:34 PM 9/17/2002 -0400, Volkov, Dmitry (Toronto - BCE) wrote:
>Well, it depends where is source and where is destination...
>
>1) If host with MAC address 3745.0001.0001 is somewhere on Ring 2 and we want
>to allow
>SNA traffic from hosts outside of ring 2 to the host with MAC address
>3745.0001.0001 (on Ring 2)
>then we have to put "OUT"
>2) In case if we want to allow SNA traffic from hosts located on Ring 2 to
>the host (located outside of Ring 2)
>with MAC address 3745.0001.0001 - we have to put "IN"
>
>I never understand Solie Labs wording... the same time the book itself is
>written in a very comprehensible way.
>
>Dmitry
>
> > -----Original Message-----
> > From: Edward Monk [mailto:edmonk@attbi.com]
> > Sent: Tuesday, September 17, 2002 11:30 AM
> > To: 'Omer Ansari'; ccielab@groupstudy.com
> > Subject: RE: access-expression "out" vs "in"
> >
> >
> > Omer,
> > No it looks wrong to me.
> >
> > It should be "in". You are trying to allow only SNA traffic
> > coming IN TO
> > the interface to the specified host.
> >
> > The "out" would only allow SNA traffic OUT of the interface
> > coming from
> > the host at the MAC you specified.
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > Behalf Of
> > Omer Ansari
> > Sent: Tuesday, September 17, 2002 4:58 AM
> > To: ccielab@groupstudy.com
> > Subject: access-expression "out" vs "in"
> >
> > All,
> > question in the unnamed lab was:
> >
> > Configure R4 so that only SNA traffic to MAC address 3745.0001.0001 is
> > allowed on [R4's] Ring2.
> >
> > my answer was:
> > !
> > interface TokenRing0/0
> > ip address 10.10.10.1 255.255.255.240
> > ...
> > access-expression output (dmac(701) & lsap(201))
> > !
> >
> > access-list 201 permit 0x0000 0x0D0D
> > access-list 701 permit 3745.0001.0001 0000.0000.0000
> > !
> >
> >
> > does the above look ok? [the solutions had access-expression input
> > instead]
> >
> > Omer
> >
> >
> >
> > > Unnamed questions
> > > =================
> > > 3.Sec XI, q2
> > > on router4, shouldn't this be access-expression out .... instead of
> > "in" ?
This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:54 GMT-3
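
Added example (not part of any post in this thread, and not Cisco code): a Python model of how the two access lists in the quoted configuration match a frame, assuming Cisco wildcard-mask semantics (mask bits set to 1 are ignored) and an LSAP type code of DSAP followed by SSAP. It models only the match logic of `dmac(701) & lsap(201)` and does not settle the input/output question discussed in the thread; the frames are constructed sample values.

```python
# Added illustration: models the match logic of access-list 201 and 701 from
# the thread. It is not IOS and says nothing about filter direction.

def parse_mac(text):
    """'3745.0001.0001' -> 48-bit integer."""
    return int(text.replace(".", ""), 16)

def wildcard_match(value, pattern, mask):
    """Wildcard compare: bits set in mask are ignored (assumed semantics)."""
    return (value & ~mask) == (pattern & ~mask)

# access-list 201 permit 0x0000 0x0D0D   (type code assumed = DSAP<<8 | SSAP)
ACL_201 = [("permit", 0x0000, 0x0D0D)]
# access-list 701 permit 3745.0001.0001 0000.0000.0000   (exact match)
ACL_701 = [("permit", parse_mac("3745.0001.0001"), parse_mac("0000.0000.0000"))]

def acl_permits(acl, value):
    """First matching entry wins; no match falls to the implicit deny."""
    for action, pattern, mask in acl:
        if wildcard_match(value, pattern, mask):
            return action == "permit"
    return False

def expression_permits(dst_mac, dsap, ssap):
    """dmac(701) & lsap(201): both terms must permit the frame."""
    return (acl_permits(ACL_701, parse_mac(dst_mac))
            and acl_permits(ACL_201, (dsap << 8) | ssap))

def permitted_saps():
    """SAP values that list 201 lets through when DSAP == SSAP."""
    return [s for s in range(256) if acl_permits(ACL_201, (s << 8) | s)]

# Constructed sample frames: (destination MAC, DSAP, SSAP, note)
FRAMES = [
    ("3745.0001.0001", 0x04, 0x04, "SNA to the listed host"),
    ("3745.0001.0001", 0xF0, 0xF0, "NetBIOS to the listed host"),
    ("3745.0001.0002", 0x04, 0x04, "SNA to a different host"),
    ("3745.0001.0001", 0x04, 0x05, "SNA, response bit set in SSAP"),
    ("3745.0001.0001", 0xAA, 0xAA, "SNAP to the listed host"),
]

def evaluate_frames():
    return [expression_permits(mac, d, s) for mac, d, s, _ in FRAMES]

if __name__ == "__main__":
    print("SAPs permitted by list 201:", [hex(s) for s in permitted_saps()])
    for (mac, d, s, note), ok in zip(FRAMES, evaluate_frames()):
        print(f"{'permit' if ok else 'deny  '}  {mac} {d:02X}/{s:02X}  {note}")
```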