From: Matt Mullen (mullenm@gmail.com)
Date: Tue Nov 23 2004 - 12:57:58 GMT-3
Thanks guys, I agree with you both. I wouldn't rule out access
expressions completely as something they might test and it's certainly
good to know about them. However, I wouldn't consider using them if
other viable alternatives for filtering that do work could be used to
solve a particular problem. That is unless the wording of the question
specifically led me toward an access expression, in which case I
would try to get clarification from the proctor.
-Matt
On Tue, 23 Nov 2004 16:20:28 +0100, Tom Lijnse
<tom.lijnse@globalknowledge.nl> wrote:
> I definitely agree with Tony on this one.
>
> Especially when the scenario is hard to test with the given equipment
> you very often have to go by what the documentation tells you and since
> the documentation doesn't really say anything about the feature not
> working on Ethernet it could be a 'valid lab solution' as opposed to a
> 'valid real life solution'.
>
> Though I must say that when I would be forced to choose between a
> solution that looks good, but I know doesn't work and one that looks
> ugly, but works for sure, that I'd find it hard to make the right call.
> It then basically comes down to trying to figure out what the author of
> the lab was thinking when he wrote the lab and I'm not very good at
> mind-reading. It could be a handy skill for the lab though ;-)
> Alternatively you could ask the proctor and see if he's willing to
> confirm that you can assume access-expressions to simply work.
>
> And in that respect, if you want an alternative way of fixing your
> scenario, you could try to use an 1100-1199 range access-list to filter
> both the mac-address fields and the SAP-fields, but that would typically
> yield very ugly access-lists.
>
> Regards,
>
>
>
> Tom Lijnse
> CCIE #11031
> Global Knowledge Netherlands
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tony Schaffran
> Sent: Tuesday 23 November 2004 15:51
> To: 'Matt Mullen'; Tom Lijnse; ccielab@groupstudy.com
> Subject: RE: access-expression and dlsw
>
> I have tried to do some research on this myself and like what you said, the
> only examples I can find are with SRB and Token Ring interfaces.
>
> Maybe the task in the workbook was not to actually get access-expressions to
> work, but to know how to configure one.
>
> On the Lab, you may or may not find similar situations. They just want to
> see if you can do it regardless if it will actually work. Remember, things
> done in the lab are not necessarily best practices and definitely not the
> best design. Don't confuse what is done in the lab with the real world.
>
> Good luck,
>
> Tony Schaffran
> Network Analyst
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> www.cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Matt Mullen
> Sent: Tuesday, November 23, 2004 6:13 AM
> To: Tom Lijnse; ccielab@groupstudy.com
> Subject: Re: access-expression and dlsw
>
> Hi Tom,
>
> Thanks for confirming that. So far your response is the only one I
> have gotten on this. The thing that was killing me was that the
> workbook I'm using gives you a task requiring to configure the access
> expression on ethernet, so I thought it must work. I did search the
> archives and saw the posts where people were having problems with it,
> but there didn't seem to be any definitive answer. At this point I
> have tried loading different IOS versions and feature sets and still
> it does not work. That coupled with the documentation listing
> access-expressions in the SRB section makes me comfortable with the
> conclusion that access expressions only work on Token Ring. You can
> apply them on an ethernet interface but they have no effect. If
> anybody has ever been able to get an access-expression to work on
> ethernet, please respond.
>
> Thanks,
> Matt
>
> On Tue, 23 Nov 2004 10:10:29 +0100, Tom Lijnse
> <tom.lijnse@globalknowledge.nl> wrote:
> > Hi Matt,
> >
> > I have never gotten access-expressions to work on Ethernet in any of the
> > tests that I've done. Even very simple expressions that should have
> > blocked everything still passed traffic through.
> > Though I haven't been able to find it in the documentation it seems like
> > this is a token-ring-only feature (which would explain why it's in the
> > SRB chapter).
> >
> > If you search through the groupstudy archives for 'access-expression'
> > and 'ethernet' you'll find a number of threads of other people
> > experiencing the same issue.
> >
> > Tom Lijnse
> > CCIE #11031
> > Global Knowledge Netherlands
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Matt Mullen
> > Sent: Friday 19 November 2004 15:56
> > To: ccielab@groupstudy.com
> > Subject: access-expression and dlsw
> >
> > Having some trouble with configuration of an access expression for
> > filtering in DLSW. Do access expressions work if you are not doing
> > Source Route Bridging? I have the following configuration:
> >
> > access-list 201 deny 0x0000 0xFFFF
> > access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
> >
> > bridge 1 protocol ieee
> >
> > interface Ethernet0
> > ip address 150.50.17.2 255.255.255.0
> > access-expression input (smac(700) & lsap(201))
> > bridge-group 1
> >
> > The access expression does not seem to be working because the FEP
> > (router running DSPU) attached to the Ethernet segment is able to
> > establish communication with the remote device even after I issue
> > clear dlsw circuit:
> >
> > R2#show dlsw cir
> > Index       local addr(lsap)    remote addr(dsap)   state        uptime
> > 1644167437  5555.5555.5555(04)  3333.3333.3333(04)  CONNECTED    00:09:22
> > Total number of circuits connected: 1
> >
> > The Doc CD lists the access-expression command as part of SRB
> > configuration. Is there a problem with my configuration, or can the
> > access expression only be used when doing SRB, and therefore, Token
> > Ring?
> >
> >
> _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:49 GMT-3