Re: when to use canonical->non-canonical conversion

From: Fred Ingham (fingham@cox.net)
Date: Sun Sep 15 2002 - 21:24:09 GMT-3


DMITRY: ANSWERS IN-LINE.

CHEERS, FRED.
----- Original Message -----
From: "Volkov, Dmitry (Toronto - BCE)" <dmitry_volkov@ca.ml.com>
To: "'Fred Ingham'" <fingham@cox.net>
Cc: "Omer Ansari" <omer@ansari.com>; <ccielab@groupstudy.com>
Sent: Sunday, September 15, 2002 1:44 PM
Subject: RE: when to use canonical->non-canonical conversion

> Fred,
>
> Can we say, that :
>
> 1) source-bridge input-address-list & bridge-group input-address-list -
> filter frames based on Source mac address defined in access-list 700-799
> >YES, IN THIS CASE THE HOSTS ARE ON THE LAN WITH THE FILTER.
>>AND THE MAC ADDRESSES ARE IN NATIVE FORMAT.
>
> 2) source-bridge output-address-list & bridge-group output-address-list -
> filter frames based on Destination mac address defined in access-list
> 700-799
> >YES, ACCORDING TO THE DOCUMENTATION. MAC ADDRESSES
>> ARE IN NATIVE FORMAT. I'LL TEST IF I CAN GET A SETUP TO BE SURE.
>
> 3) in case if we use output-address-list and we have SR/TLB (i.e.
> destination is on different media than source) - we have to bitswap mac
> address when we make access-list 700-799
> >NO, YOU CAN ENABLE
>>bridge bridge-group bitswap-layer3-addresses
>> IN GLOBAL CONFIGURATION MODE. THE ACCESS LIST
>> WILL HAVE THE NATIVE FORMAT FOR THE INTERFACE.
>> WILL NEED TO TEST TO BE SURE.

non-canonical conversion
> >
> >
> > Omer: 1. and 2. are fine. Side question - no, it doesn't change.
> >
> > In 3. and 4. you are using SR/TLB. The access-list would
> > deny all since
> > access-list 700 uses a wildcard mask. In 3 and 4 the
> > direction should be
> > out in both cases since you are denying a host on the other LAN.
> >
> > Fred
> >
> > ----- Original Message -----
> > From: "Omer Ansari" <omer@ansari.com>
> > To: <ccielab@groupstudy.com>
> > Sent: Sunday, September 15, 2002 1:44 AM
> > Subject: when to use canonical->non-canonical conversion
> >
> >
> > > Guys,
> > >
> > > this is to summarize and confirm the usage of canonical to
> > non-canonical
> > > mac address conversion:
> > >
> > > > Are there other places where one might need to do the
> > conversion other
> > > than the following scenarios:
> > >
> > > 1. dlsw icanreach
> > > -----
> > > {ethernet}-----RouterA-----{cloud}....
> > >
> > > ethernetA has device with mac address 1.1.1
> > (non-canonical=0080.0080.0080)
> > >
> > > we want to use icanreach on RouterA for this mac address, but we use
> > > non-canonical here:
> > >
> > > dlsw icanreach mac-addr 0080.0080.0080
> > >
> > >
> > > 2. dlsw remote-peer xxxx dest-mac:
> > > -----
> > >
> > > {ethernetA/tokenringA}---RouterA---{cloud}---RouterB---{ethernetB}
> > >
> > > "ethernetB" has device with mac address 1.1.1
> > >
> > > thus on RouterA:
> > >
> > > dlsw remote-peer 0 tcp <RouterB> dest-mac 0080.0080.0080
> > >
> > >
> > > --side question for #2, does the above change if the source LAN is
> > > ethernetA instead of tokenringA?
> > >
> > >
> > > {
> > > if the above reasoning is correct, then the answer in
> > > KarlSolie, Enchilda, pp1168:
> > > Section XI: Question1 is incorrect as per:
> > >
> > > http://www.ciscopress.com/content/images/1587200023/downloads/Skylabs-enchilada.pdf
> >
> > where he hasn't changed the canonical -> non-canonical format.
> >
> > }
> >
> >
> > 3. source-bridge input-address-list
> > ----------
> >
> > {tokenring}----{to0/0}RouterA(e0/0)------{ethernet}
> >
> > ethernet has a 1.1.1 mac address device
> >
> > on RouterA t0/0
> > source-bridge input-address-list 700
> >
> > access-l 700 deny 0080.0080.0080 FFFF.FFFF.FFFF <----
> > access-l ......
> >
> >
> > 4. bridge-group input-address-list
> > ----------
> >
> > same scenario as 3, but mac address 1.1.1 is on TokenRing
> >
> > RouterA e0/0
> >
> > bridge-group input-address-list 700
> >
> > access-l 700 deny 0080.0080.0080 FFFF.FFFF.FFFF <----
> > access-l ......
> >
> >
> >
> >
> > any other scenarios??
> > Omer
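
Added example, not part of the thread: the canonical/non-canonical conversion discussed above reverses the bit order inside each byte of the MAC address, and the wildcard-mask behaviour Fred points out decides which frames an access-list 700 entry matches. The function names are hypothetical, the second sample address is constructed, and the exact-host mask 0000.0000.0000 is an assumption that follows from the wildcard semantics described in the thread.

```python
import re

def parse_mac(text):
    """Parse Cisco dotted (0001.0001.0001 or short 1.1.1), colon or hyphen form into 6 bytes."""
    text = text.strip().lower()
    if "." in text:
        groups, width, count = text.split("."), 4, 3
    else:
        groups, width, count = re.split(r"[:-]", text), 2, 6
    ok = len(groups) == count and all(
        re.fullmatch(r"[0-9a-f]{1,%d}" % width, g) for g in groups)
    if not ok:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex("".join(g.zfill(width) for g in groups))

def cisco(mac):
    """Format 6 bytes in Cisco dotted notation."""
    h = mac.hex()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

def bitswap(text):
    """Reverse the bit order within each byte. The same operation converts
    canonical -> non-canonical and back, so applying it twice is a no-op."""
    return cisco(bytes(int(f"{b:08b}"[::-1], 2) for b in parse_mac(text)))

def acl_matches(address, mask, frame_mac):
    """Wildcard mask: bits set to 1 in the mask are ignored,
    bits set to 0 must equal the entry's address."""
    a, m, f = parse_mac(address), parse_mac(mask), parse_mac(frame_mac)
    return all((x ^ y) & ~w & 0xFF == 0 for x, w, y in zip(a, m, f))

def host_entry(acl, action, mac):
    """Build an entry that matches exactly one host (all mask bits 0)."""
    return f"access-list {acl} {action} {cisco(parse_mac(mac))} 0000.0000.0000"

if __name__ == "__main__":
    swapped = bitswap("1.1.1")             # the thread's host 1.1.1
    print(swapped)
    other = "00:00:0c:12:34:56"            # constructed sample address
    # The mask used in scenarios 3 and 4 matches any frame at all:
    print(acl_matches(swapped, "FFFF.FFFF.FFFF", other))
    # With an all-zero mask only the intended host matches:
    print(acl_matches(swapped, "0000.0000.0000", other))
    print(host_entry(700, "deny", swapped))
```
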


