RE: dlsw+ LSAP filtering

From: Scott Morris (swm@emanon.com)
Date: Mon Aug 09 2004 - 21:17:21 GMT-3


Ummm... Regular ACLs work the same... Your bits are backwards... 0 means
must stay the same in a binary wildcard mask. 1 means don't care.

So it's not backwards, it's the same.

HTH,

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of marc
van hoof
Sent: Monday, August 09, 2004 6:46 PM
To: 'Scott Morris'; 'mani poopal'; ccielab@groupstudy.com
Subject: RE: dlsw+ LSAP filtering

So in actual fact, those particular ACLs are asking for wildcard bits, as
the IP ACLs use a 1 to represent a fixed bit and a 0 to represent a bit that
we don't care about...

It's reversed for DSAPs ???

Why would they do that ? or am I being stupid ?

-marc.

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Scott Morris
> Sent: Tuesday, 10 August 2004 2:23 AM
> To: 'marc van hoof'; 'mani poopal'; ccielab@groupstudy.com
> Subject: RE: dlsw+ LSAP filtering
>
> The router works in binary. The ACL is written in hexadecimal.
>
> The network architect needs to be able to understand binary, work in
> decimal, hexadecimal, or whatever other evil crap that IOS programmers
> choose to throw at us. ;)
>
> A mask in binary being 0000000100000001 would mean there are only two
> bits you don't care about. So F0 and F1 would be your two possible
> values allowed in each position. But the mask SHOULD be
> 0000000000000001 (0x0001) because since your "net" portion represents
> the SAP field in the LLC header of ethernet (DSAP/SSAP), you'll find
> that odd values don't exist as destinations.
>
> Why not? Dunno, didn't write those specs. :) They just don't! The
> pairs are in a command/response relationship. Something is destined
> to a command port, but not TO a reply port (if you are replying, you
> are sourcing information not receiving it). *shrug*
>
> HTH,
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> CISSP, JNCIP, et al.
> IPExpert CCIE Program Manager
> IPExpert Sr. Technical Instructor
> swm@emanon.com/smorris@ipexpert.net
> http://www.ipexpert.net
>
>
> PS. The couple of unicast messages you sent me have been replied to,
> but I get bounces from your server. *shrug*
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of marc van hoof
> Sent: Monday, August 09, 2004 11:14 AM
> To: 'Scott Morris'; 'mani poopal'; ccielab@groupstudy.com
> Subject: RE: dlsw+ LSAP filtering
>
> G'day Scott,
>
> Does this mean that the access list still works in binary, or that it
> actually works in hex ?
>
> Eg. If it works in hex, then:
> 0xf0f0 with mask 0x0101 would match:
> 0xf?f? with ? being any character between 0 and f
>
> or do we convert to binary, so
> 0xf0f0 with mask 0x0101 would really be 1111000011110000 with mask
> 0000000100000001 so in reality, it would actually match
> [0-f][0,2,4,6,8,10,12,14][0-f][0,2,4,6,8,10,12,14]
>
> due to the least significant bit in each octet being fixed by the '1'.
>
> I'm guessing it's the second one, due to you saying that there are no
> odd number DSAP values.
>
> Also, if this is the case, why not ?
>
> Just clarifying...
>
> Cheers,
> -marc.
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of Scott Morris
> > Sent: Saturday, 7 August 2004 9:43 PM
> > To: 'mani poopal'; ccielab@groupstudy.com
> > Subject: RE: dlsw+ LSAP filtering
> >
> > The 200 series ACLs are just like any other access list... The only
> > difference is that they happen to be written in hex!
> >
> > The first listing is like your "network" and is used to set the bits.
> > The second part is your mask. In BINARY, the concept is the same as
> > any other, where a 0 bit means stay the same and a 1 bit means you
> > don't care what the value is.
> >
> > Now, there are a few other things for technical accuracy.... Odd
> > numbered SAPs will never exist in the DSAP field (first half of the
> > "net" entry), so having a mask of 0x0101 is pointless. 0x0001 will
> > accomplish what you want.
> >
> > So if you want specific things only, like 04 SAPs, the "access-list
> > 201 permit 0x0404 0x0001" will be great.
> >
> > Some of the others, it's useful to have some technical background on...
> > First, SAPs come in pairs (even and odd). Also, 08/09 and 0C/0D are
> > IBM-specific SAPs and only exist in Token Ring networks.
> >
> > But to answer your question, the ACL does exactly what any other ACL
> > does, just notes it in hex!
> >
> >
> > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> > CISSP, JNCIP, et al.
> > IPExpert CCIE Program Manager
> > IPExpert Sr. Technical Instructor
> > swm@emanon.com/smorris@ipexpert.net
> > http://www.ipexpert.net
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of mani poopal
> > Sent: Saturday, August 07, 2004 12:25 AM
> > To: ccielab@groupstudy.com
> > Subject: dlsw+ LSAP filtering
> >
> > Hi Group,
> >
> > I'd like to get more information about LSAP filtering. I read
> > Practical Studies Vol II and Netmasters material. I know there are
> > 0xf0 (NetBIOS) and 0x00, 0x04, 0x08 and 0x0c (SNA) SAPs available.
> > If they ask you to block only a few of them, e.g. 0x00 and 0x08, how to do it?
> >
> > access-list 200 permit 0xf0f0 0x0101
> > access-list 200 permit 0x0000 0x0d0d
> >
> > What does the above command do, and how are the access lists written?
> > Any good explanation with examples is appreciated.
> >
> > thanks
> >
> > Mani
> >
> >
> > B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> > (416)431 9929
> > MANI_CCIE@YAHOO.COM
> >
> > ______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >



This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:36 GMT-3
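
Added example (not part of the original thread): the bitwise matching the replies describe, applied to the three entries quoted in the thread. It assumes the high byte of the 16-bit word is the DSAP, as the thread states; the function names are illustrative, and first-match evaluation with an implicit deny is standard IOS access-list behaviour rather than something stated in the thread.

```python
"""Bitwise matching for 200-series (LSAP) access-list entries."""

def parse_entry(line):
    """Parse 'access-list N permit|deny 0xVALUE 0xMASK' into a tuple."""
    _, number, action, value, mask = line.split()
    return int(number), action, int(value, 16), int(mask, 16)

def matches(lsap, value, mask):
    """True if the DSAP/SSAP word equals value on every bit where mask is 0."""
    return ((lsap ^ value) & ~mask & 0xFFFF) == 0

def expand(value, mask):
    """List every 16-bit word an entry matches by walking the don't-care bits."""
    free = [1 << b for b in range(16) if (mask >> b) & 1]
    words = []
    for combo in range(1 << len(free)):
        word = value & ~mask & 0xFFFF          # fixed bits come from value
        for i, bit in enumerate(free):
            if (combo >> i) & 1:
                word |= bit                    # set this don't-care bit
        words.append(word)
    return sorted(words)

def dsap_values(value, mask):
    """Distinct DSAP bytes (high byte, per the thread) an entry can match."""
    return sorted({w >> 8 for w in expand(value, mask)})

def evaluate(acl_lines, lsap):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl_lines:
        _, action, value, mask = parse_entry(line)
        if matches(lsap, value, mask):
            return action
    return "deny"

# Entries quoted in the thread.
ACL_200 = [
    "access-list 200 permit 0xf0f0 0x0101",
    "access-list 200 permit 0x0000 0x0d0d",
]
ACL_201 = ["access-list 201 permit 0x0404 0x0001"]

if __name__ == "__main__":
    for line in ACL_200 + ACL_201:
        _, _, value, mask = parse_entry(line)
        dsaps = ", ".join(f"0x{d:02x}" for d in dsap_values(value, mask))
        print(f"{line} -> {len(expand(value, mask))} words, DSAP bytes: {dsaps}")
```

The mask is applied bit by bit, so `0xf0f0 0x0101` matches only four words (each byte is F0 or F1) and never `0xf2f0`, while `0x0000 0x0d0d` covers the 00/04/08/0C SAPs together with their odd partners.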