RE: when to use canonical->non-canonical conversion

From: Volkov, Dmitry (Toronto - BCE) (dmitry_volkov@ca.ml.com)
Date: Mon Sep 16 2002 - 00:15:09 GMT-3


> DMITRY: ANSWERS IN-LINE.
>
> CHEERS, FRED.
> ----- Original Message -----
> From: "Volkov, Dmitry (Toronto - BCE)" <dmitry_volkov@ca.ml.com>
> To: "'Fred Ingham'" <fingham@cox.net>
> Cc: "Omer Ansari" <omer@ansari.com>; <ccielab@groupstudy.com>
> Sent: Sunday, September 15, 2002 1:44 PM
> Subject: RE: when to use canonical->non-canonical conversion
>
>
> > > >YES, ACCORDING TO THE DOCUMENTATION. MAC ADDRESSES
> >> ARE IN NATIVE FORMAT. I'LL TEST IF I CAN GET A SETUP TO BE SURE.

Fred,

What does "native format" mean - i.e. the original format, without any
conversions/changes?

> 3) in case if we use output-address-list and we have SR/TLB (i.e.
> > destination is on different media than source) - we have to
> bitswap mac
> > address when we make access-list 700-799
> > >NO, YOU CAN ENABLE
> >>bridge bridge-group bitswap-layer3-addresses
> >> IN GLOBAL CONFIGURATION MODE. THE ACCESS LIST
> >> WILL HAVE THE NATIVE FORMAT FOR THE INTERFACE.
> >> WILL NEED TO TEST TO BE SURE.

Well, this is not clear to me. First of all, what does "you can" mean?
"Can" is not "must" ;) right?

As far as I understand "bridge bridge-group bitswap-layer3-addresses " :
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ibm_r/brprt1/br1dtb.htm#xtocid6
This command "bitswaps" (to and from non-canonical format) the hardware
addresses that are embedded in layer 3 of ARP and RARP frames.

So, I understand that this command is necessary only when we bridge IP
traffic.

Do you think that we must use the above command when we want to use
"output-address-list" (i.e. when we want to filter based on destination MAC
address) in SR/TLB??

There is one example on cco:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ibm_c/bcprt1/bcdsrb.htm#xtocid1735773
but they don't use output-address-list there, input instead, and the
result is different:
They allow only the Ethernet host to enter the Ethernet interface and the Token Ring host
to enter the Token Ring interface (based on source addresses only), but what if I
want to allow an Ethernet host to connect to a particular Token Ring host (only
host B to host A)??
In this case we need restrictions based on destination MAC as well.

We talked about placing access-list on router where translation happens, but
what about this situation:

A---to1--R1--to2---R2---ethernet---B

If we put "source-bridge output-address-list 700" on R1 and want to prevent
host A on To1 from connecting to host B
on Ethernet, I believe we have to put the bit-swapped MAC address of host B in
access-list 700.

Thanks,

Dmitry

>
> non-canonical conversion
> > >
> > >
> > > Omer: 1. and 2. are fine. Side question - no, it doesn't change.
> > >
> > > In 3. and 4. you are using SR/TLB. The access-list would
> > > deny all since
> > > access-list 700 uses a wildcard mask. In 3 and 4 the
> > > direction should be
> > > out in both cases since you are denying a host on the other LAN.
> > >
> > > Fred
> > >
> > > ----- Original Message -----
> > > From: "Omer Ansari" <omer@ansari.com>
> > > To: <ccielab@groupstudy.com>
> > > Sent: Sunday, September 15, 2002 1:44 AM
> > > Subject: when to use canonical->non-canonical conversion
> > >
> > >
> > > > Guys,
> > > >
> > > > this is to summarize and confirm the usage of canonical to
> > > non-canonical
> > > > mac address conversion:
> > > >
> > > > Are there other places where one might need to do the
> > > conversion other
> > > > than the following scenarios:
> > > >
> > > > 1. dlsw icanreach
> > > > -----
> > > > {ethernet}-----RouterA-----{cloud}....
> > > >
> > > > ethernetA has device with mac address 1.1.1
> > > (non-canonical=0080.0080.0080)
> > > >
> > > > we want to use icanreach on RouterA for this mac
> address, but we use
> > > > non-canonical here:
> > > >
> > > > dlsw icanreach mac-addr 0080.0080.0080
> > > >
> > > >
> > > > 2. dlsw remote-peer xxxx dest-mac:
> > > > -----
> > > >
> > > >
> {ethernetA/tokenringA}---RouterA---{cloud}---RouterB---{ethernetB}
> > > >
> > > > "ethernetB" has device with mac address 1.1.1
> > > >
> > > > thus on RouterA:
> > > >
> > > > dlsw remote-peer 0 tcp <RouterB> dest-mac 0080.0080.0080
> > > >
> > > >
> > > > --side question for #2, does the above change if the
> source LAN is
> > > > ethernetA instead of tokenringA?
> > > >
> > > >
> > > > {
> > > > if the above reasoning is correct, then the answer in
> > > > KarlSolie, Enchilda, pp1168:
> > > > Section XI: Question1 is incorrect as per:
> > > >
> > > http://www.ciscopress.com/content/images/1587200023/downloads/Skylabs-enchilada.pdf
> > >
> > > where he hasn't changed the canonical -> non-canonical format.
> > >
> > > }
> > >
> > >
> > > 3. source-bridge input-address-list
> > > ----------
> > >
> > > {tokenring}----{to0/0}RouterA(e0/0)------{ethernet}
> > >
> > > ethernet has a 1.1.1 mac address device
> > >
> > > on RouterA t0/0
> > > source-bridge input-address-list 700
> > >
> > > access-l 700 deny 0080.0080.0080 FFFF.FFFF.FFFF <----
> > > access-l ......
> > >
> > >
> > > 4. bridge-group input-address-list
> > > ----------
> > >
> > > same scenario as 3, but mac address 1.1.1 is on TokenRing
> > >
> > > RouterA e0/0
> > >
> > > bridge-group input-address-list 700
> > >
> > > access-l 700 deny 0080.0080.0080 FFFF.FFFF.FFFF <----
> > > access-l ......
> > >
> > >
> > >
> > >
> > > any other scenarios??
> > > Omer

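The bit swap Omer, Fred and Dmitry are discussing is mechanical: Ethernet puts each octet on the wire low-order bit first (canonical), Token Ring high-order bit first (non-canonical), so the same station address is written with the bits of every octet reversed. The Python below is an added worked example, not part of this thread or of any Cisco documentation. It converts a Cisco dotted MAC between the two forms (reproducing Omer's 1.1.1 -> 0080.0080.0080 pair, taking 1.1.1 as 0001.0001.0001) and emulates how a type-700 access-list entry matches: in IOS 700-799 lists a 1 bit in the mask means "don't care", which is why Fred says Omer's `deny 0080.0080.0080 FFFF.FFFF.FFFF` denies everything. Function names and the second sample address (0000.0c12.3456) are the example's own.

```python
import re

# Cisco dotted-hex notation, e.g. 0000.0c12.3456
_DOTTED = re.compile(r"^([0-9a-fA-F]{4})\.([0-9a-fA-F]{4})\.([0-9a-fA-F]{4})$")


def parse_mac(dotted):
    """Parse a Cisco dotted MAC (xxxx.xxxx.xxxx) into six bytes."""
    m = _DOTTED.match(dotted.strip())
    if not m:
        raise ValueError("not a Cisco dotted MAC: %r" % (dotted,))
    return bytes.fromhex("".join(m.groups()))


def format_mac(raw):
    """Six bytes back to Cisco dotted-hex, lower case."""
    h = raw.hex()
    return "%s.%s.%s" % (h[0:4], h[4:8], h[8:12])


def bitswap_byte(b):
    """Reverse the bit order inside one octet: 0x01 -> 0x80, 0x0c -> 0x30.

    Canonical (Ethernet, LSB first on the wire) and non-canonical (Token
    Ring, MSB first) differ only in this per-octet bit order.
    """
    return int(format(b, "08b")[::-1], 2)


def bitswap_mac(dotted):
    """Canonical <-> non-canonical. Applying it twice returns the original."""
    return format_mac(bytes(bitswap_byte(b) for b in parse_mac(dotted)))


def acl700_entry_matches(mac, address, mask):
    """Emulate one type-700 (48-bit MAC) access-list entry.

    The mask marks bits to IGNORE: a 1 bit means "don't care".  A mask of
    0000.0000.0000 therefore matches exactly one host; ffff.ffff.ffff
    matches every address.
    """
    m, a, k = parse_mac(mac), parse_mac(address), parse_mac(mask)
    return all((mb | kb) == (ab | kb) for mb, ab, kb in zip(m, a, k))


def acl700_action(mac, entries):
    """First matching entry wins; an unmatched address hits the implicit deny."""
    for action, address, mask in entries:
        if acl700_entry_matches(mac, address, mask):
            return action
    return "deny"


# Constructed sample data for the demo (assumptions, not from the thread).
HOST_B_ETHERNET = "0001.0001.0001"                # canonical, as the Ethernet side sees it
HOST_B_TOKENRING = bitswap_mac(HOST_B_ETHERNET)   # 0080.0080.0080, what Token Ring stations see
OTHER_HOST = "0000.0c12.3456"                     # hypothetical second Ethernet station

# Omer's entry as written: an all-ones mask ignores every bit, so it matches everyone.
ACL_DENY_ALL = [
    ("deny", HOST_B_TOKENRING, "ffff.ffff.ffff"),
    ("permit", "0000.0000.0000", "ffff.ffff.ffff"),
]

# The intended entry: a zero mask pins the deny to host B only.
ACL_DENY_HOST_B = [
    ("deny", HOST_B_TOKENRING, "0000.0000.0000"),
    ("permit", "0000.0000.0000", "ffff.ffff.ffff"),
]

if __name__ == "__main__":
    print(HOST_B_ETHERNET, "->", HOST_B_TOKENRING)
    for mac in (HOST_B_TOKENRING, bitswap_mac(OTHER_HOST)):
        print(mac,
              "all-ones mask:", acl700_action(mac, ACL_DENY_ALL),
              "zero mask:", acl700_action(mac, ACL_DENY_HOST_B))
```

The `acl700_*` helpers are an emulation of the documented match rule, not IOS itself; the point they make is that the mask direction in 700-series lists is the reverse of an IP wildcard mask a reader might expect, and that the address in the list must be written in the bit order of the ring or segment the list is applied to.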


This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:53 GMT-3