From: Tom Lijnse (Tom.Lijnse@globalknowledge.nl)
Date: Tue Nov 23 2004 - 12:20:28 GMT-3
I definitely agree with Tony on this one.
Especially when the scenario is hard to test with the given equipment
you very often have to go by what the documentation tells you and since
the documentation doesn't really say anything about the feature not
working on Ethernet it could be a 'valid lab solution' as opposed to a
'valid real life solution'.
Though I must say that if I were forced to choose between a
solution that looks good, but I know doesn't work and one that looks
ugly, but works for sure, I'd find it hard to make the right call.
It then basically comes down to trying to figure out what the author of
the lab was thinking when he wrote the lab and I'm not very good at
mind-reading. It could be a handy skill for the lab though ;-)
Alternatively you could ask the proctor and see if he's willing to
confirm that you can assume access-expressions to simply work.
And in that respect, if you want an alternative way of fixing your
scenario, you could try to use an 1100-1199 range access-list to filter
both the mac-address fields and the SAP-fields, but that would typically
yield very ugly access-lists.
Regards,
Tom Lijnse
CCIE #11031
Global Knowledge Netherlands
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Tony Schaffran
Sent: Tuesday, November 23, 2004 15:51
To: 'Matt Mullen'; Tom Lijnse; ccielab@groupstudy.com
Subject: RE: access-expression and dlsw
I have tried to do some research on this myself and like what you said, the
only examples I can find are with SRB and Token Ring interfaces.
Maybe the task in the workbook was not to actually get access-expressions to
work, but to know how to configure one.
On the Lab, you may or may not find similar situations. They just want to
see if you can do it regardless if it will actually work. Remember, things
done in the lab are not necessarily best practices and definitely not the
best design. Don't confuse what is done in the lab with the real world.
Good luck,
Tony Schaffran
Network Analyst
CCIE #11071
CCNP, CCNA, CCDA,
NNCDS, NNCSS, CNE, MCSE
www.cconlinelabs.com
Your #1 choice for online Cisco rack rentals.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Matt Mullen
Sent: Tuesday, November 23, 2004 6:13 AM
To: Tom Lijnse; ccielab@groupstudy.com
Subject: Re: access-expression and dlsw
Hi Tom,
Thanks for confirming that. So far your response is the only one I
have gotten on this. The thing that was killing me was that the
workbook I'm using gives you a task requiring to configure the access
expression on ethernet, so I thought it must work. I did search the
archives and saw the posts where people were having problems with it,
but there didn't seem to be any definitive answer. At this point I
have tried loading different IOS versions and feature sets and still
it does not work. That coupled with the documentation listing
access-expressions in the SRB section makes me comfortable with the
conclusion that access expressions only work on Token Ring. You can
apply them on an ethernet interface but they have no effect. If
anybody has ever been able to get an access-expression to work on
ethernet, please respond.
Thanks,
Matt
On Tue, 23 Nov 2004 10:10:29 +0100, Tom Lijnse
<tom.lijnse@globalknowledge.nl> wrote:
> Hi Matt,
>
> I have never gotten access-expressions to work on Ethernet in any of the
> tests that I've done. Even very simple expressions that should have
> blocked everything still passed traffic through.
> Though I haven't been able to find it in the documentation it seems like
> this is a token-ring-only feature (which would explain why it's in the
> SRB chapter).
>
> If you search through the groupstudy archives for 'access-expression'
> and 'ethernet' you'll find a number of threads of other people
> experiencing the same issue.
>
> Tom Lijnse
> CCIE #11031
> Global Knowledge Netherlands
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Matt Mullen
> Sent: Friday, November 19, 2004 15:56
> To: ccielab@groupstudy.com
> Subject: access-expression and dlsw
>
> Having some trouble with configuration of an access expression for
> filtering in DLSW. Do access expressions work if you are not doing
> Source Route Bridging? I have the following configuration:
>
> access-list 201 deny 0x0000 0xFFFF
> access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
>
> bridge 1 protocol ieee
>
> interface Ethernet0
> ip address 150.50.17.2 255.255.255.0
> access-expression input (smac(700) & lsap(201))
> bridge-group 1
>
> The access expression does not seem to be working because the FEP
> (router running DSPU) attached to the Ethernet segment is able to
> establish communication with the remote device even after I issue
> clear dlsw circuit:
>
> R2#show dlsw cir
> Index           local addr(lsap)    remote addr(dsap)   state          uptime
> 1644167437      5555.5555.5555(04)  3333.3333.3333(04)  CONNECTED      00:09:22
> Total number of circuits connected: 1
>
> The Doc CD lists the access-expression command as part of SRB
> configuration. Is there a problem with my configuration, or can the
> access expression only be used when doing SRB, and therefore, Token
> Ring?
>
>
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:49 GMT-3