RE: access-expression "out" vs "in" from beda

From: beda jain (bpjain@cisco.com)
Date: Tue Sep 17 2002 - 17:42:04 GMT-3


Hi,

You are right on MAC stuff in access-expression.
But what about NetBIOS stuff?
Thanks,
Beda

At 03:48 PM 9/17/2002 -0400, Volkov, Dmitry (Toronto - BCE) wrote:
>This is an access-expression (which can be applied "in" or "out" on an interface);
>inside an access-expression there can be dmac or smac.
>
>http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ibm_r/brprt1/br1dsrb.htm
>smac(7nn) - Access list to match the source MAC address of the frame (700
>series).
>dmac(7nn) - Access list to match the destination MAC address of the frame
>(700 series).
>
>Combinations of IN / OUT and smac / dmac can give you all possibilities.
>
>i.e.
>1) to check frames coming into interface based on source or destination MAC
>address,
>2) to check frames leaving interface based on source or destination MAC
>address,
>
>If we use :
>
>interface TokenRing0/0
> ip address 10.10.10.1 255.255.255.240
> access-expression output (dmac(701) & lsap(201))
>!
>access-list 201 permit 0x0000 0x0D0D
>access-list 701 permit 3745.0001.0001 0000.0000.0000
>
>We allow only SNA frames with dest MAC 3745.0001.0001 to leave interface To0/0
>
>
>Dmitry
>
> > -----Original Message-----
> > From: beda jain [mailto:bpjain@cisco.com]
> > Sent: Tuesday, September 17, 2002 3:23 PM
> > To: Volkov, Dmitry (Toronto - BCE); 'Edward Monk'; 'Omer Ansari';
> > brian@cyscoexpert.com
> > Cc: ccielab@groupstudy.com
> > Subject: RE: access-expression "out" vs "in" from beda
> >
> >
> > Hi,
> >
> > These filters cannot check both source and destination
> > address at a time.
> > In OUT it checks for destination and in IN
> > it checks for source.
> >
> > For both input and output it checks for hosts directly
> > connected to rings or LAN only.
> > I agree with no. 1 but not with no. 2.
> >
> > I understand OUT means it checks the destination host in the ring
> > and traffic coming out from the router towards the ring.
> >
> > INPUT means it checks for the source host from ring toward router.
> > OUTPUT means it checks the destination host in ring from router.
> >
> > This input and output is the same for the NetBIOS
> > filter (input-access-filter), MAC filter (input-address-list)
> > and access-expression.
> >
> > This is my understanding. Someone please confirm this.
> >
> > At 12:34 PM 9/17/2002 -0400, Volkov, Dmitry (Toronto - BCE) wrote:
> > >Well, it depends where the source is and where the destination is...
> > >
> > >1) If the host with MAC address 3745.0001.0001 is somewhere on Ring 2 and
> > >we want to allow SNA traffic from hosts outside of Ring 2 to the host with
> > >MAC address 3745.0001.0001 (on Ring 2), then we have to put "OUT".
> > >2) In case we want to allow SNA traffic from hosts located on Ring 2 to
> > >the host (located outside of Ring 2) with MAC address 3745.0001.0001,
> > >we have to put "IN".
> > >
> > >I never understand Solie Labs' wording... at the same time the book
> > >itself is written in a very comprehensible way.
> > >
> > >Dmitry
> > >
> > > > -----Original Message-----
> > > > From: Edward Monk [mailto:edmonk@attbi.com]
> > > > Sent: Tuesday, September 17, 2002 11:30 AM
> > > > To: 'Omer Ansari'; ccielab@groupstudy.com
> > > > Subject: RE: access-expression "out" vs "in"
> > > >
> > > >
> > > > Omer,
> > > > No it looks wrong to me.
> > > >
> > > > It should be "in". You are trying to allow only SNA traffic
> > > > coming IN TO
> > > > the interface to the specified host.
> > > >
> > > > The "out" would only allow SNA traffic OUT of the interface
> > > > coming from
> > > > the host at the MAC you specified.
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > > Behalf Of
> > > > Omer Ansari
> > > > Sent: Tuesday, September 17, 2002 4:58 AM
> > > > To: ccielab@groupstudy.com
> > > > Subject: access-expression "out" vs "in"
> > > >
> > > > All,
> > > > question in the unnamed lab was:
> > > >
> > > > Configure R4 so that only SNA traffic to MAC address 3745.0001.0001 is
> > > > allowed on [R4's] Ring2.
> > > >
> > > > my answer was:
> > > > !
> > > > interface TokenRing0/0
> > > > ip address 10.10.10.1 255.255.255.240
> > > > ...
> > > > access-expression output (dmac(701) & lsap(201))
> > > > !
> > > >
> > > > access-list 201 permit 0x0000 0x0D0D
> > > > access-list 701 permit 3745.0001.0001 0000.0000.0000
> > > > !
> > > >
> > > >
> > > > does the above look ok? [the solutions had access-expression input
> > > > instead]
> > > >
> > > > Omer
> > > >
> > > >
> > > >
> > > > > Unnamed questions
> > > > > =================
> > > > > 3. Sec XI, q2
> > > > > on router4, shouldn't this be access-expression out .... instead of
> > > > > "in" ?
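To make the match logic of the quoted config concrete, here is an added Python example (not from this thread, and not Cisco's code) that parses the two access-list lines, applies the wildcard masks, and evaluates `(dmac(701) & lsap(201))` against frames constructed inline. It assumes the usual IOS semantics: 1-bits in a mask are don't-care bits, the first matching entry wins, every list ends with an implicit deny, and `&` binds tighter than `|` (it also handles `|` and nested parentheses, which the thread's expression does not use).

```python
import re

# Assumed IOS semantics: 1-bits in a mask are "don't care"; first match wins; implicit deny.
CONFIG = """
access-list 201 permit 0x0000 0x0D0D
access-list 701 permit 3745.0001.0001 0000.0000.0000
"""
EXPRESSION = "(dmac(701) & lsap(201))"

def to_int(s):  # '3745.0001.0001' or '0x0D0D' -> integer
    return int(s.replace(".", ""), 16)

def parse_acls(text):  # {list_number: [(is_permit, value, wildmask), ...]}
    acls = {}
    for m in re.finditer(r"access-list (\d+) (permit|deny) (\S+) (\S+)", text):
        entry = (m.group(2) == "permit", to_int(m.group(3)), to_int(m.group(4)))
        acls.setdefault(int(m.group(1)), []).append(entry)
    return acls

def acl_permits(entries, field):
    for is_permit, value, mask in entries:
        if field & ~mask == value & ~mask:  # compare only the "care" bits
            return is_permit
    return False  # implicit deny

def evaluate(expression, acls, frame):
    """'&', '|', parentheses ('&' binds tighter); frame = {'dmac','smac','dsap','ssap'}."""
    fields = {"dmac": to_int(frame["dmac"]), "smac": to_int(frame["smac"]),
              "lsap": (frame["dsap"] << 8) | frame["ssap"]}  # 16-bit DSAP/SSAP pair
    toks = re.findall(r"\w+\(\d+\)|[()&|]", expression)

    def factor():  # 'name(number)' or a parenthesised sub-expression
        tok = toks.pop(0)
        if tok == "(":
            value = binary(0)
            toks.pop(0)  # the matching ')'
            return value
        name, num = re.match(r"(\w+)\((\d+)\)", tok).groups()
        return acl_permits(acls[int(num)], fields[name])

    def binary(level):  # level 0 handles '|', level 1 handles '&'
        if level == 2:
            return factor()
        value = binary(level + 1)
        while toks and toks[0] == "|&"[level]:
            toks.pop(0)
            rhs = binary(level + 1)  # always parsed, never short-circuited away
            value = (value and rhs) if level else (value or rhs)
        return value
    return binary(0)
```

With the output expression on To0/0, an SNA frame (SAP 0x04) to 3745.0001.0001 is permitted, while a NetBIOS frame (SAP 0xF0) to the same MAC, or an SNA frame to any other MAC, falls through to the implicit deny.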



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:54 GMT-3