From: Scott Morris (swm@emanon.com)
Date: Fri Jan 30 2004 - 21:28:47 GMT-3
Ummm.... I think you have your idea about bits backwards..
0 = must stay the same.
1 = don't care what the value is. So a mask of 0202 would only allow one
single bit in each of the DSAP/SSAP fields to be any value. And it's not
the method of including 04/05 and F0/F1. :)
The web link you gave gives a decent description of how the bits work in
relation to the two different SAP fields...
Your listing of the 0d0d mask, don't forget that you can independently have
separate values as well (0405, etc) where they don't have to be a 1:1 match
like you list.
In the list that you build for everything else though, the only bit that
would be 0 (stays the same) is the 2's position. That would make your mask
11111101 or FD, so (0x0000 0xFDFD) would include everything listed there.
But with 7 bits of difference in the mask 2^7 = 128 possible different
matches to that ACL. You'd permit LOTS of unnecessary stuff coming in.
I personally don't see the point in doing that. If you are going to permit
that much extra, just permit it all...
My $.02. :)
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Edwards, Andrew M
Sent: Friday, January 30, 2004 12:57 PM
To: Karim; ccielab@groupstudy.com
Subject: RE: DLSw question - filtering SAPs??
Look at the bits:
---------
0xf0f0 0x0101 = bits 11110000 11110000 mask 00000001 00000001
What are the matches?
11110000 11110000 f0f0
11110001 11110001 f1f1
---------
0000 0d0d = bits 00000000 00000000 mask 00001101 00001101
What are the matches?
00000000 00000000 0000
00000001 00000001 0101
00000100 00000100 0404
00000101 00000101 0505
00001000 00001000 0808
00001001 00001001 0909
00001100 00001100 0c0c
00001101 00001101 0d0d
What is a valid address and reverse mask to combine these into one
statement, or what bits do we NOT care about (the x bit)?
00000000 00000000 0000
00000001 00000001 0101
00000100 00000100 0404
00000101 00000101 0505
00001000 00001000 0808
00001001 00001001 0909
00001100 00001100 0c0c
00001101 00001101 0d0d
11110000 11110000 f0f0
11110001 11110001 f1f1
xxxxxx0x xxxxxx0x 0202 = bits we don't care about because they are
different on all SAPs.
So you could use the LESS specific 0x0000 0x0202. And I say less specific
because it includes other SAP types not requested.... or you can look at the
reverse mask for the SNA SAP, apply it to the NetBIOS and see if it fits....
Let's see.
0000xx0x 0000xx0x 0x0d0d (x = dont care bits)
11110000 11110000 0xf0f0 = Shows I care about the Netbios bits so
its a MATCH!
and
0000xx0x 0000xx0x 0x0d0d (x = dont care bits)
11110001 11110001 0xf1f1 = Shows I care about the Netbios bits so
its a MATCH!
So.... 0x0000 0x0d0d matches both SNA SAP and Netbios SAP!
If you don't like my explanation... see this...
http://www.cisco.com/en/US/tech/tk331/tk336/technologies_tech_note09186a00800fad74.shtml
andy
-----Original Message-----
From: Karim [mailto:karim_ccie@hotmail.com]
Sent: Wednesday, January 28, 2004 5:41 PM
To: ccielab@groupstudy.com
Subject: DLSw question - filtering SAPs??
Hi all,
-- Referring to CCIE practical studies (vol.1), chapter 13:
To permit only known SNA SAPs, use: access-list 200 permit 0x0d0d 0x0000
To permit only NetBIOS SAPs, use: access-list 200 permit 0xF0F0 0x0101
If it is required to permit both of them in one statement, the book
states that the following access-list is enough: access-list 200 permit
0x0d0d (the same that was used to permit the SNA SAPs).
I don't understand where this comes from ??
-- Also regarding permitting SNA SAPs, are the following access-lists
equivalent to each other ??
First: access-list 200 permit 0x0000 0x0d0d
Second: access-list 200 permit 0x0d0d 0x0000
Waiting for your help ;)
Karim.
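Editor's note: the thread argues about which DSAP/SSAP values a Cisco type-code access-list (200-299) admits, and the argument is pure bit arithmetic, so here is a small matcher that settles it by enumeration. This is an added example, not code from the thread, from Cisco, or from the CCIE Practical Studies book. It assumes only the mask semantics Scott and the Cisco tech note describe: the 16-bit value carries DSAP in the high byte and SSAP in the low byte, a 1 bit in the wildcard mask means "don't care", and a 0 bit must match. The SAP table is constructed from the values quoted in the thread; the helper names (`matches`, `permitted_pairs`, `minimal_wildcard`, `acl_for_saps`, `collateral`) are mine.

```python
from itertools import product

# SAP values discussed in the thread (constructed table for this example):
# the eight byte values that 0x0000/0x0d0d admits, and the NetBIOS pair.
SNA_SAPS = [0x00, 0x01, 0x04, 0x05, 0x08, 0x09, 0x0C, 0x0D]
NETBIOS_SAPS = [0xF0, 0xF1]


def matches(value, mask, dsap, ssap):
    """True if (dsap, ssap) passes 'access-list 2xx permit <value> <mask>'.

    value and mask are 16-bit: DSAP in the high byte, SSAP in the low byte.
    A 1 bit in the mask is "don't care"; a 0 bit must equal the value bit.
    (Assumed semantics, as stated in the thread and the Cisco note.)
    """
    pair = (dsap << 8) | ssap
    care = ~mask & 0xFFFF            # bit positions that must be identical
    return (pair & care) == (value & care)


def permitted_pairs(value, mask):
    """Every (DSAP, SSAP) pair the statement permits, in ascending order."""
    return [(d, s) for d, s in product(range(256), repeat=2)
            if matches(value, mask, d, s)]


def permitted_saps(value_byte, mask_byte):
    """The single-byte SAP values one half of the statement admits."""
    care = ~mask_byte & 0xFF
    return [s for s in range(256) if (s & care) == (value_byte & care)]


def minimal_wildcard(saps):
    """Tightest (value, mask) byte pair covering every SAP in the list.

    A bit that differs between any two members must be a don't-care, so the
    mask is the OR of each member XOR the first one; the value keeps only the
    bits common to all members.  Anything else the mask admits is collateral.
    """
    base = saps[0]
    mask = 0
    for s in saps:
        mask |= base ^ s
    return base & ~mask & 0xFF, mask


def acl_for_saps(saps):
    """Same SAP set on both DSAP and SSAP, as a 16-bit value/mask pair."""
    v, m = minimal_wildcard(saps)
    return (v << 8) | v, (m << 8) | m


def collateral(saps):
    """SAPs admitted by the minimal single statement that were not asked for."""
    v, m = minimal_wildcard(saps)
    return sorted(set(permitted_saps(v, m)) - set(saps))


if __name__ == "__main__":
    for label, saps in (("SNA", SNA_SAPS), ("NetBIOS", NETBIOS_SAPS),
                        ("SNA + NetBIOS", SNA_SAPS + NETBIOS_SAPS)):
        v, m = acl_for_saps(saps)
        print(f"{label:14s} access-list 200 permit 0x{v:04x} 0x{m:04x}  "
              f"({len(permitted_pairs(v, m))} DSAP/SSAP pairs, "
              f"{len(collateral(saps))} collateral SAP values per byte)")
    print("0x0000/0x0d0d admits 0xf0f0:", matches(0x0000, 0x0D0D, 0xF0, 0xF0))
    print("0x0d0d/0x0000 admits 0x0404:", matches(0x0D0D, 0x0000, 0x04, 0x04))
    print("0xf0f0/0x0101 admits DSAP f0 / SSAP f1:",
          matches(0xF0F0, 0x0101, 0xF0, 0xF1))
```

Running it answers both of Karim's questions by enumeration: 0x0d0d 0x0000 permits exactly one pair (0x0d/0x0d) while 0x0000 0x0d0d permits 64, so the two are not equivalent; and the single statement that covers the SNA list plus 0xf0/0xf1 is 0x0000 0xFDFD, which admits 128 values per byte, 118 of them never requested. The `collateral` function is the check worth running before committing any wildcard ACL: if the surplus set is large, two explicit statements are the safer choice.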
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:52 GMT-3