RE: Filtering SNA

From: Jonathan V Hays (jhays@jtan.com)
Date: Tue May 27 2003 - 12:01:59 GMT-3


Actually those are not SNA ports but LSAP type codes. See:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ibm_r/brprt1/br1dsrb.htm#1017441

access-list access-list-number {permit | deny} {type-code wild-mask | address mask}

Think binary.

Here are the LSAP type codes and your wildcard mask (0x0C0C) in binary:

Hex Binary
00 0000 0000
04 0000 0100
08 0000 1000
0B 0000 1011

0C 0000 1100 <- wild card mask

Given '0B' as one of the type codes to be matched by your access-list, I
think 0x0C0C is the *wrong* wild card mask ('0' is a match and '1' is
don't care).

Since the hex digits are doubled in the access-list let's just look at
one pair: access-list type code 00 and wildcard mask 0C.

The first access-list type code hex digit is '0' and the wildcard mask
is '0'. We have a match in every case since your list of type codes to
be matched (00, 04, 08 & 0B) all start with hex '0'.

The second access-list type code hex digit CANNOT match your entire list
with an access-list wildcard mask of 'C'. Here's why.

An access-list LSAP type code of hex 0 (0000 binary) and a wildcard of
'C' (1100) matches on hex type-codes 0 (0000), 4 (0100), and 8 (1000),
all of which have 00 as the last two binary digits, but not B (1011),
which has 11 as the last two binary digits.

Why is '0B' a requirement? Although I am not in any way an SNA expert,
from my reading I understand that the standard SNA LSAP values are
00, 01, 04, 05, 08, 09, 0C, and 0D. If you use a mask of 0x0D0D with
these values you will note that the access-list LSAP type 0x0000 will
match all these values.

Most of my reading suggests using 'permit 0x0000 0x0D0D' to match all
SNA type codes.

Look below to see why - the next to last column of binary digits is all
zeroes.

Hex Binary
00 0000 0000
01 0000 0001
04 0000 0100
08 0000 1000
09 0000 1001
0C 0000 1100
0D 0000 1101
          ^
0D 0000 1101 <-- wildcard mask
          ^
I think that either "0B" is a typo in the exercise or "0x0C0C" is the
wrong match in the solution.

-Jonathan

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of lg01
> Sent: Tuesday, May 27, 2003 7:01 AM
> To: ccielab@groupstudy.com
> Subject: Filtering SNA
>
>
> Hello group,
>
> If anyone can shed some light on this, that would be greatly
> appreciated.
>
> In an exercise, it asked me to only allow SNA traffic from
> RTA. And it said that the SNA ports used will be 00, 04, 08 & 0B.
>
> But somehow... the answer config gives:
>
> access-list 200 permit 0x0000 0x0C0C
>
> But I don't understand how they derive / calculate this ACL.
>
> Thanks.
>
> H.
>
>
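The bit arithmetic worked through in the reply above, as an added example that is not part of the original mail or of Cisco's own code. It assumes the 16-bit type-code field is the DSAP/SSAP byte pair (which is why the thread doubles the hex digits); the function names and the constructed code lists are mine.

```python
# Added example: how a 'permit type-code wild-mask' entry matches an LSAP
# pair when a mask bit of 0 means "must match" and 1 means "don't care".
# Assumption: type-code is the 16-bit DSAP:SSAP pair, so SAP 0x0B is 0x0B0B.

# Constructed from the thread: the exercise's list and the standard SNA SAPs.
EXERCISE_CODES = [0x0000, 0x0404, 0x0808, 0x0B0B]
STANDARD_SNA_CODES = [0x0000, 0x0101, 0x0404, 0x0505,
                      0x0808, 0x0909, 0x0C0C, 0x0D0D]


def lsap_matches(type_code: int, acl_value: int, wild_mask: int) -> bool:
    """True when every bit the mask cares about (mask bit 0) is identical
    in the frame's type code and the access-list value."""
    care = ~wild_mask & 0xFFFF
    return (type_code & care) == (acl_value & care)


def matched_codes(acl_value: int, wild_mask: int, candidates):
    """Subset of candidates that 'permit acl_value wild_mask' would match."""
    return [c for c in candidates if lsap_matches(c, acl_value, wild_mask)]


def minimal_wild_mask(codes) -> int:
    """Smallest wildcard mask letting one entry cover every code: a mask
    bit must be 1 exactly where the codes disagree (OR differs from AND)."""
    and_all, or_all = 0xFFFF, 0
    for c in codes:
        and_all &= c
        or_all |= c
    return (and_all ^ or_all) & 0xFFFF


if __name__ == "__main__":
    # The exercise answer: 0x0C0C leaves 0B unmatched, as the reply argues.
    print([f"{c:04X}" for c in matched_codes(0x0000, 0x0C0C, EXERCISE_CODES)])
    # The mask the reply recommends covers all standard SNA SAPs...
    print(matched_codes(0x0000, 0x0D0D, STANDARD_SNA_CODES) == STANDARD_SNA_CODES)
    # ...and is also the tightest single mask that can do so.
    print(f"{minimal_wild_mask(STANDARD_SNA_CODES):04X}")
    # Covering 00/04/08/0B in one entry would need 0x0F0F, i.e. 0x00-0x0F.
    print(f"{minimal_wild_mask(EXERCISE_CODES):04X}")
```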



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:48 GMT-3