From: Paglia, John (USPC.PCT.Hopewell) (JPaglia@NA2.US.ML.com)
Date: Tue Sep 17 2002 - 19:19:37 GMT-3
"Either in or out is specified to indicate whether the access expression is
applied to packets entering or leaving this interface. You can specify both
an input and an output access expression for an interface, but only one of
each."
From this, I'm led to believe that "in" = "entering this interface" and
"out" = "leaving this interface". Since you're configuring it on the token
interface, I have to believe that "input" would be the right answer, because
the traffic in question is entering the token int. looking for a certain mac
address.
I hope I'm right for once,
Pags
> -----Original Message-----
> From: beda jain [SMTP:bpjain@cisco.com]
> Sent: Tuesday, September 17, 2002 4:42 PM
> To: Volkov, Dmitry (Toronto - BCE); 'beda jain'; 'Edward Monk'; 'Omer
> Ansari'; brian@cyscoexpert.com
> Cc: ccielab@groupstudy.com
> Subject: RE: access-expression "out" vs "in" from beda
>
> Hi,
>
> You are right on MAC stuff in access-expression.
> But what about NetBIOS stuff?
> Thanks,
> Beda
>
>
> At 03:48 PM 9/17/2002 -0400, Volkov, Dmitry (Toronto - BCE) wrote:
> >This is access-expression (which can be applied "in" or "out" interface)
> >inside access-expression can be dmac or smac.
> >
> >http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ibm_r/brprt1/br1dsrb.htm
> >smac(7nn) - Access list to match the source MAC address of the frame (700 series).
> >dmac(7nn) - Access list to match the destination MAC address of the frame (700 series).
> >
> >Combinations IN / OUT smac / dmac can give You all possibilities.
> >
> >i.e.
> >1) to check frames coming into interface based on source or destination MAC address,
> >2) to check frames leaving interface based on source or destination MAC address,
> >
> >If we use :
> >
> >interface TokenRing0/0
> > ip address 10.10.10.1 255.255.255.240
> > access-expression output (dmac(701) & lsap(201))
> >!
> >access-list 201 permit 0x0000 0x0D0D
> >access-list 701 permit 3745.0001.0001 0000.0000.0000
> >
> >We allow only SNA frames with dest MAC 3745.0001.0001 to leave interface To 0/0
> >
> >
> >Dmitry
> >
> > > -----Original Message-----
> > > From: beda jain [mailto:bpjain@cisco.com]
> > > Sent: Tuesday, September 17, 2002 3:23 PM
> > > To: Volkov, Dmitry (Toronto - BCE); 'Edward Monk'; 'Omer Ansari';
> > > brian@cyscoexpert.com
> > > Cc: ccielab@groupstudy.com
> > > Subject: RE: access-expression "out" vs "in" from beda
> > >
> > >
> > > Hi,
> > >
> > > These filters cannot check both source and destination address at a time.
> > > In OUT it checks for destination and in IN it checks for source.
> > >
> > > For both input and output it checks for host directly connected to rings or
> > > LAN only.
> > > I agree with no. 1 but not with no. 2.
> > >
> > > I understand OUT means it checks destination host in the ring and traffic
> > > coming out from the router towards ring.
> > >
> > > INPUT means it checks for source host from ring toward router.
> > > OUTPUT means it checks destination host in ring from router.
> > >
> > > This input and output is the same for netbios filter (input-access-filter), mac
> > > filter (input-address-list) and access expression.
> > >
> > > This is my understanding. Someone please confirm this.
> > >
> > > At 12:34 PM 9/17/2002 -0400, Volkov, Dmitry (Toronto - BCE) wrote:
> > > >Well, it depends where is source and where is destination...
> > > >
> > > >1) If host with MAC address 3745.0001.0001 is somewhere on Ring 2 and we want
> > > >to allow SNA traffic from hosts outside of ring 2 to the host with MAC address
> > > >3745.0001.0001 (on Ring 2)
> > > >then we have to put "OUT"
> > > >2) In case if we want to allow SNA traffic from hosts located on Ring 2 to
> > > >the host (located outside of Ring 2)
> > > >with MAC address 3745.0001.0001 - we have to put "IN"
> > > >
> > > >I never understand Solie Labs wording... at the same time the book itself is
> > > >written in a very comprehensible way.
> > > >
> > > >Dmitry
> > > >
> > > > > -----Original Message-----
> > > > > From: Edward Monk [mailto:edmonk@attbi.com]
> > > > > Sent: Tuesday, September 17, 2002 11:30 AM
> > > > > To: 'Omer Ansari'; ccielab@groupstudy.com
> > > > > Subject: RE: access-expression "out" vs "in"
> > > > >
> > > > >
> > > > > Omer,
> > > > > No it looks wrong to me.
> > > > >
> > > > > > It should be "in". You are trying to allow only SNA traffic coming IN TO
> > > > > > the interface to the specified host.
> > > > > >
> > > > > > The "out" would only allow SNA traffic OUT of the interface coming from
> > > > > > the host at the MAC you specified.
> > > > >
> > > > > -----Original Message-----
> > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Omer Ansari
> > > > > Sent: Tuesday, September 17, 2002 4:58 AM
> > > > > To: ccielab@groupstudy.com
> > > > > Subject: access-expression "out" vs "in"
> > > > >
> > > > > All,
> > > > > question in the unnamed lab was:
> > > > >
> > > > > > Configure R4 so that only SNA traffic to MAC address 3745.0001.0001 is
> > > > > > allowed on [R4's] Ring2.
> > > > >
> > > > > my answer was:
> > > > > !
> > > > > interface TokenRing0/0
> > > > > ip address 10.10.10.1 255.255.255.240
> > > > > ...
> > > > > access-expression output (dmac(701) & lsap(201))
> > > > > !
> > > > >
> > > > > access-list 201 permit 0x0000 0x0D0D
> > > > > access-list 701 permit 3745.0001.0001 0000.0000.0000
> > > > > !
> > > > >
> > > > >
> > > > > does the above look ok? [the solutions had access-expression input
> > > > > instead]
> > > > >
> > > > > Omer
> > > > >
> > > > >
> > > > >
> > > > > > Unnamed questions
> > > > > > =================
> > > > > > 3.Sec XI, q2
> > > > > > > on router4, shouldn't this be access-expression out .... instead of "in" ?
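
The following is an added example, not part of any message in this thread and not Cisco code: a small Python model of how `(dmac(701) & lsap(201))` from the posted configuration decides frames, using the documentation sentence quoted at the top for the meaning of "in" and "out". It assumes DSAP sits in the high byte of the 16-bit LSAP value, ignores source-route bridging and Token Ring bit ordering, and uses constructed frames.

```python
# Added illustration, not from the thread: models evaluation of
#   access-expression <input|output> (dmac(701) & lsap(201))
# All frames below are constructed sample data.

def mac(text):
    """Parse a dotted MAC such as 3745.0001.0001 into an integer."""
    return int(text.replace(".", ""), 16)

def wild_match(value, pattern, mask):
    """Wildcard compare: 1-bits in the mask are ignored."""
    return (value & ~mask) == (pattern & ~mask)

# access-list 701 permit 3745.0001.0001 0000.0000.0000
ACL_701 = [(mac("3745.0001.0001"), mac("0000.0000.0000"))]
# access-list 201 permit 0x0000 0x0D0D
ACL_201 = [(0x0000, 0x0D0D)]

def acl_permits(acl, value):
    """A list permits a value if any entry matches; otherwise implicit deny."""
    return any(wild_match(value, pattern, mask) for pattern, mask in acl)

def expression_permits(frame):
    """(dmac(701) & lsap(201)): both terms must permit the frame."""
    # Assumption: DSAP in the high byte, SSAP in the low byte.
    lsap = (frame["dsap"] << 8) | frame["ssap"]
    return acl_permits(ACL_701, mac(frame["dmac"])) and acl_permits(ACL_201, lsap)

def passes(frame, applied, travelling):
    """applied: keyword configured on the interface ('input' or 'output').
    travelling: 'input' = frame entering the interface from the ring,
                'output' = frame leaving the interface toward the ring."""
    if applied != travelling:
        return True  # the expression is not consulted for the other direction
    return expression_permits(frame)

# Constructed frames (SAP 0x04 = SNA, SAP 0xF0 = NetBIOS)
SNA_TO_HOST = {"dmac": "3745.0001.0001", "dsap": 0x04, "ssap": 0x04}
SNA_RESPONSE = {"dmac": "3745.0001.0001", "dsap": 0x04, "ssap": 0x05}
NETBIOS_TO_HOST = {"dmac": "3745.0001.0001", "dsap": 0xF0, "ssap": 0xF0}
SNA_TO_OTHER = {"dmac": "4000.0000.0002", "dsap": 0x04, "ssap": 0x04}

if __name__ == "__main__":
    frames = {"SNA_TO_HOST": SNA_TO_HOST, "NETBIOS_TO_HOST": NETBIOS_TO_HOST,
              "SNA_TO_OTHER": SNA_TO_OTHER}
    for keyword in ("input", "output"):
        for name, frame in frames.items():
            for way in ("input", "output"):
                print(keyword, name, way, passes(frame, keyword, way))
```

The keyword only selects which direction of travel is filtered; the `dmac` term always tests the destination address of whichever frames are checked.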
This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:54 GMT-3