From: Scott Morris (swm@emanon.com)
Date: Mon Feb 23 2004 - 20:04:00 GMT-3
I understand that logic... (don't agree, but that's beside the point as I
haven't been responsible or had points hinging on my dlsw answers for years
now!)
But the doc-cd is not necessarily a defensible position when it comes to the
reason for doing one thing or another. You're still responsible for knowing
the actual application and functionality of whatever technology you're
responsible for.
With that in mind, it simply becomes an over-broad access list rather than
only those things necessary in an ethernet-only environment.
If the lab asked you to use the dlsw icanreach saps command to permit SNA,
by your logic here could I assume you would have a command for 00, 04, 08
and 0C?
Always be aware of what you're reading on the CD and what its actual
context is.
Scott
-----Original Message-----
From: Michael Snyder [mailto:msnyder@revolutioncomputer.com]
Sent: Monday, February 23, 2004 5:09 PM
To: ccielab@groupstudy.com
Cc: 'Scott Morris'
Subject: RE: DLSW SAP FILTERING?
Scott, I understand you are right; but going by CCO the common saps for sna
is 0x00 0x04 0x08 0x0c.
When taking the lab, I'm going to use the idealized answer provided by cco,
and probably not the real world answer. Can you provide the correct answer
for Ethernet to Ethernet sna?
http://www.cisco.com/warp/public/698/acl200.html
The lsap-output-list links to a SAP access list (SAP ACL) that currently
only allows SNA SAPs (for example, 0x00, 0x04, 0x08, and so on) to go toward
the central router, and denies everything else
http://www.cisco.com/warp/public/697/dlswfilter.shtml
00 Null LSAP
04 IBM SNA Path Control (individual)
05 IBM SNA Path Control (group)
08 SNA
09 SNA
0C SNA
0D SNA
http://www.cisco.com/en/US/tech/tk870/tk451/tk374/technologies_tech_note09186a0080094226.shtml
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Monday, February 23, 2004 1:05 PM
To: 'Michael Snyder'; ccielab@groupstudy.com
Cc: 'Zack Damen'
Subject: RE: DLSW SAP FILTERING?
Actually, 201 permits a bunch of crap you won't see. ;)
00 is null lsap (used for explorers in SRB)
01 doesn't exist
04 and 05 are SNA
08, 09, 0C and 0D are IBM-specific token-ring implementations that will not
exist in ethernet.
Soooo.... It's a whole lot more than you actually need in order to permit
SNA in an ethernet-to-ethernet scenario.
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Michael Snyder
Sent: Monday, February 23, 2004 9:43 AM
To: ccielab@groupstudy.com
Cc: 'Zack Damen'
Subject: RE: DLSW SAP FILTERING?
201 is permit ibm sna protocol
202 is deny netbios and permit all
I prefer icanreach saps myself, much cleaner code.
Icanreach sap f0 (netbios only on local router)
Icanreach sap 00 04 08 0C (SNA only on local router)
Icanreach sap e0 (ipx only on local router)
Check the archives, and the sap filtering links on cco.
-----Original Message-----
From: Zack Damen [mailto:zack@supertux.com]
Sent: Monday, February 23, 2004 2:07 AM
To: ccielab@groupstudy.com
Subject: DLSW SAP FILTERING?
I was hoping that someone here could point me in the right direction of
understanding SAP filtering.
example:
access-list 201 permit 0x0000 0x0d0d
!
access-list 202 deny 0xf0f0 0x0101
access-list 202 permit 0x0000 0xffff
I understand how dlsw works, but not exactly how to do the filtering in dlsw.
thanks
Zack
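Added example, not part of the original thread: a small Python model of how the value/mask pairs in access lists 201 and 202 above select DSAP/SSAP pairs, showing why 201 covers more SAPs than the 00 04 08 0C list. It assumes the usual type-code access list semantics (mask bits set to 1 are ignored, first match wins, implicit deny at the end); the function names are made up for this illustration.

```python
# Constructed model of the two access lists quoted in the thread.
# Each entry: (action, 16-bit value = DSAP<<8 | SSAP, wildcard mask).
ACL_201 = [("permit", 0x0000, 0x0D0D)]
ACL_202 = [("deny", 0xF0F0, 0x0101), ("permit", 0x0000, 0xFFFF)]


def entry_matches(pair, value, mask):
    """Compare only the bits the mask does NOT wildcard (mask bit 1 = ignore)."""
    care = ~mask & 0xFFFF
    return (pair & care) == (value & care)


def evaluate(acl, dsap, ssap):
    """Return the action of the first matching entry; implicit deny otherwise."""
    pair = (dsap << 8) | ssap
    for action, value, mask in acl:
        if entry_matches(pair, value, mask):
            return action
    return "deny"


def dsap_values(value, mask):
    """List every DSAP byte an entry accepts (the SSAP byte works the same way)."""
    v, m = value >> 8, mask >> 8
    care = ~m & 0xFF
    return [b for b in range(256) if (b & care) == (v & care)]


def extra_saps(value, mask, wanted):
    """SAPs the entry lets through that are not in the wanted list."""
    return [b for b in dsap_values(value, mask) if b not in wanted]


if __name__ == "__main__":
    fmt = lambda saps: " ".join(f"{b:02X}" for b in saps)
    print("201 permits :", fmt(dsap_values(0x0000, 0x0D0D)))
    print("202 denies  :", fmt(dsap_values(0xF0F0, 0x0101)))
    # Compare against the SAP list given for "icanreach sap 00 04 08 0C".
    print("201 extras  :", fmt(extra_saps(0x0000, 0x0D0D, [0x00, 0x04, 0x08, 0x0C])))
    for dsap, ssap in [(0x04, 0x04), (0xF0, 0xF1), (0xE0, 0xE0)]:
        print(f"{dsap:02X}/{ssap:02X}: 201={evaluate(ACL_201, dsap, ssap)}"
              f" 202={evaluate(ACL_202, dsap, ssap)}")
```

The same functions can be pointed at any candidate value/mask pair to list exactly which SAPs it would let through before it goes on a router.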
This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:56 GMT-3