From: Scott Morris (swm@emanon.com)
Date: Wed Jan 28 2004 - 23:07:25 GMT-3
The two you listed are most certainly NOT equivalent! The LSAP access list
is just like any other ACL. You have an item that sets the bits (network,
sap, whatever) and then you have a mask.
IP access lists are in decimal to keep us from going insane. LSAP access
lists are in hexadecimal because nobody cares whether we go insane or not.
:)
The part of setting the bits is the first section (of which 0x0000 would be the
often-used example) to set the bits that exist in an ethernet LLC SAP field
(1 byte DSAP, 1 byte SSAP).
The second part would be the mask (0x0d0d) in what you have listed. This
permits destination SAP and source SAP values of 00, 01, 04, 05, 08, 09, 0C
and 0D. Do ya understand what each of those are??? :)
A SAP always comes in pairs. The Command port (even number, which can be in
DSAP or SSAP position) and the Response port (odd number, which can only be
in the SSAP position).
00 is for explorers, known as a null lsap. Most likely won't be seen in our
ethernet-only topology unless we're running SRB.
01 isn't listed as anything valid.
04/05 are the main SNA entries we would want.
08/09 and 0C/0D are IBM specific entries for token-ring-based equipment that
should never be seen in our ethernet-only topologies.
So be careful what you look for!
From a binary perspective, F0/F1 and 04/05 cannot be represented in a single
mask with any sort of reasonable sanity check. If the Practical Studies
book reversed the two hex numbers, then it was something missed by tech
editors, or randomly introduced during some other editing phase.
Check out ftp://ns2.emanon.com/Whitepaper%20-%20DLSW%20SAP%20Filter.pdf
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
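The value/mask matching Scott walks through above, as an added example that is not code from the thread or from Cisco: it models how an IOS LSAP entry (`access-list 200 permit <value> <wildcard-mask>`) is compared against the 16-bit DSAP/SSAP field, enumerates which SAP bytes each entry from the question actually accepts, and then shows his point that 04/05 and F0/F1 cannot share one sane mask by computing the tightest single entry that covers both pairs and counting what else it lets through. The wildcard convention (1 bit in the mask = don't care, as with IP wildcard masks) and the helper names are assumptions made for this example.

```python
# Added example (not from the original thread). Models IOS LSAP access-list
# matching: "access-list 200 permit <value> <wildcard-mask>" compared against
# the DSAP byte (high) and SSAP byte (low) of an 802.2 LLC header.
# Assumption: wildcard-mask semantics as for IP ACLs -- a 1 bit means
# "don't care", a 0 bit means "must equal the corresponding bit of value".

from typing import Set, Tuple

WORD = 0xFFFF
BYTE = 0xFF


def lsap_matches(dsap: int, ssap: int, value: int, mask: int) -> bool:
    """True if the DSAP/SSAP pair is accepted by the value/mask entry."""
    field = ((dsap & BYTE) << 8) | (ssap & BYTE)
    care = ~mask & WORD                      # bits that must match exactly
    return (field & care) == (value & care)


def _byte_set(value_b: int, mask_b: int) -> Set[int]:
    """All single-byte SAP values accepted by one byte of a value/mask pair."""
    care = ~mask_b & BYTE
    return {b for b in range(256) if (b & care) == (value_b & care)}


def allowed_saps(value: int, mask: int) -> Tuple[Set[int], Set[int]]:
    """SAP bytes the entry accepts in the DSAP position and in the SSAP position.

    The comparison is bitwise, so the two positions are independent: any
    DSAP from the first set combined with any SSAP from the second matches.
    """
    return (_byte_set(value >> 8, mask >> 8),
            _byte_set(value & BYTE, mask & BYTE))


def tightest_entry(saps: Set[int]) -> Tuple[int, int]:
    """Tightest single (value, wildcard) byte pair that accepts every SAP in
    `saps`: every bit on which the members disagree has to be wildcarded."""
    base = min(saps)
    mask = 0
    for s in saps:
        mask |= s ^ base
    return base & ~mask & BYTE, mask


def collateral(saps: Set[int]) -> Set[int]:
    """SAP bytes that the tightest single entry accepts but were not asked for."""
    value_b, mask_b = tightest_entry(saps)
    return _byte_set(value_b, mask_b) - saps


def fmt(saps: Set[int]) -> str:
    return " ".join(f"{s:02X}" for s in sorted(saps))


if __name__ == "__main__":
    # The entries from the question, in the order value then wildcard-mask.
    for value, mask in ((0x0000, 0x0D0D), (0xF0F0, 0x0101), (0x0D0D, 0x0000)):
        dsaps, ssaps = allowed_saps(value, mask)
        print(f"permit 0x{value:04X} 0x{mask:04X}: DSAP {{{fmt(dsaps)}}} "
              f"SSAP {{{fmt(ssaps)}}}")

    # Trying to cover SNA (04/05) and NetBIOS (F0/F1) with ONE entry.
    wanted = {0x04, 0x05, 0xF0, 0xF1}
    v, m = tightest_entry(wanted)
    extra = collateral(wanted)
    print(f"single entry covering {fmt(wanted)}: value 0x{v:02X} mask 0x{m:02X}, "
          f"also accepts {len(extra)} other SAPs")
```

Run as a script it prints the accepted SAP sets for the three entries in the question (the reversed pair 0x0d0d 0x0000 accepts only 0D/0D, which is why the two lists are not interchangeable) and shows that one entry wide enough for both 04/05 and F0/F1 wildcards six of eight bits per byte.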
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Karim
Sent: Wednesday, January 28, 2004 8:41 PM
To: ccielab@groupstudy.com
Subject: DLSw question - filtering SAPs??
Hi all,
-- Referring to CCIE practical studies (vol.1), chapter 13:
To permit only known SNA SAPs, use: access-list 200 permit 0x0d0d 0x0000
To permit only NetBIOS SAPs, use: access-list 200 permit 0xF0F0 0x0101
If it is required to permit both of them in one statement, the book states
that the following access-list is enough:
access-list 200 permit 0x0d0d (the same that was used to permit the SNA
SAPs).
I don't understand where this comes from ??
-- Also regarding permitting SNA SAPs, are the following access-lists
equivalent to each other ??
First: access-list 200 permit 0x0000 0x0d0d
Second: access-list 200 permit 0x0d0d 0x0000
Waiting for your help ;)
Karim.