RE: dlsw+ LSAP filtering

From: Scott Morris (swm@emanon.com)
Date: Mon Aug 09 2004 - 13:22:41 GMT-3


The router works in binary. The ACL is written in hexadecimal.

The network architect needs to be able to understand binary, work in decimal,
hexadecimal, or whatever other evil crap that IOS programmers choose to
throw at us. ;)

A mask in binary being 0000000100000001 would mean there are only two bits
you don't care about. So F0 and F1 would be your two possible values
allowed in each position. But the mask SHOULD be 0000000000000001 (0x0001)
because since your "net" portion represents the SAP field in the LLC header
of ethernet (DSAP/SSAP), you'll find that odd values don't exist as
destinations.

Why not? Dunno, didn't write those specs. :) They just don't! The pairs
are in a command/response relationship. Something is destined to a command
port, but not TO a reply port (if you are replying, you are sourcing
information not receiving it). *shrug*

HTH,

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIP, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
 

PS. The couple of unicast messages you sent me have been replied to, but I
get bounces from your server. *shrug*
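The mask arithmetic Scott describes above (a 0 bit in the mask must match the "net" value, a 1 bit is don't care, and the whole comparison is done in binary regardless of the hex notation) can be checked with a few lines of code. The following is an added example, not part of the original thread and not IOS code: it packs a DSAP/SSAP pair into the 16-bit value a 200-series type-code ACL compares, enumerates which values an entry admits, and walks an ACL first-match-wins with the usual IOS implicit deny at the end. The two ACL lines from Mani's original question are used as sample input; the second ACL (to block only SAPs 0x00 and 0x08) is a constructed illustration of the same technique, not a configuration taken from the thread.

```python
# Added example: bitwise semantics of IOS type-code (200-299) access-list entries.
# Illustration only; not code from the original thread or from Cisco IOS.
from typing import List, Tuple

Entry = Tuple[str, int, int]   # (action, net, mask), e.g. ("permit", 0xF0F0, 0x0101)


def sap_pair(dsap: int, ssap: int) -> int:
    """Pack DSAP (high byte) and SSAP (low byte) into the 16-bit value the ACL compares."""
    return ((dsap & 0xFF) << 8) | (ssap & 0xFF)


def entry_matches(value: int, net: int, mask: int) -> bool:
    """Cisco wildcard semantics: every bit that is 0 in the mask must equal the net bit;
    every bit that is 1 in the mask is don't care."""
    care = ~mask & 0xFFFF
    return (value & care) == (net & care)


def matched_values(net: int, mask: int) -> List[int]:
    """Enumerate every 16-bit DSAP/SSAP value a single entry admits (ascending)."""
    return [v for v in range(0x10000) if entry_matches(v, net, mask)]


def matched_bytes(net: int, mask: int, high: bool) -> List[int]:
    """The distinct DSAP (high=True) or SSAP (high=False) byte values an entry admits."""
    shift = 8 if high else 0
    return sorted({(v >> shift) & 0xFF for v in matched_values(net, mask)})


def evaluate(acl: List[Entry], dsap: int, ssap: int) -> str:
    """First matching entry wins; no match means the IOS implicit deny."""
    value = sap_pair(dsap, ssap)
    for action, net, mask in acl:
        if entry_matches(value, net, mask):
            return action
    return "deny"


# Sample input: the two lines from the original question (access-list 200).
MANI_ACL: List[Entry] = [
    ("permit", 0xF0F0, 0x0101),   # NetBIOS SAP F0 (and, via the mask, F1)
    ("permit", 0x0000, 0x0D0D),   # SNA SAPs 00/04/08/0C and their odd neighbours
]

# Constructed illustration (not from the thread): block only SAPs 0x00 and 0x08.
# Mask 0x0909 leaves bits 3 and 0 of each byte free, so the deny covers 00/01/08/09
# in both DSAP and SSAP; everything else falls through to the permit-any line.
BLOCK_00_08: List[Entry] = [
    ("deny",   0x0000, 0x0909),
    ("permit", 0x0000, 0xFFFF),   # permit any (all bits don't care)
]


if __name__ == "__main__":
    for net, mask in ((0xF0F0, 0x0101), (0xF0F0, 0x0001), (0x0000, 0x0D0D), (0x0404, 0x0001)):
        print(f"0x{net:04x} 0x{mask:04x} admits {len(matched_values(net, mask))} values; "
              f"DSAP bytes {[hex(b) for b in matched_bytes(net, mask, True)]}")
    for d, s in ((0xF0, 0xF0), (0x04, 0x04), (0x08, 0x08), (0xE0, 0xE0)):
        print(f"DSAP {d:02x} SSAP {s:02x}: acl200={evaluate(MANI_ACL, d, s)} "
              f"block_00_08={evaluate(BLOCK_00_08, d, s)}")
```

Running it shows that 0xf0f0 0x0101 admits exactly four pairs (f0f0, f0f1, f1f0, f1f1), so the "1" bits are the free bits rather than fixed ones, and that 0x0000 0x0d0d admits eight byte values in each position (00, 01, 04, 05, 08, 09, 0c, 0d). Whatever one concludes about odd DSAPs, the enumeration makes visible which extra values a looser mask lets through.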

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of marc
van hoof
Sent: Monday, August 09, 2004 11:14 AM
To: 'Scott Morris'; 'mani poopal'; ccielab@groupstudy.com
Subject: RE: dlsw+ LSAP filtering

G'day Scott,

Does this mean that the access list still works in binary, or that it
actually works in hex ?

Eg. If it works in hex, then:
0xf0f0 with mask 0x0101 would match:
0xf?f? with ? being any character between 0 and f

or do we convert to binary, so
0xf0f0 with mask 0x0101 would really be
1111000011110000 with mask 0000000100000001 so in reality, it would actually
match [0-f][0,2,4,6,8,10,12,14][0-f][0,2,4,6,8,10,12,14]

due to the least significant bit in each octet being fixed by the '1'.

I'm guessing it's the second one, due to you saying that there are no odd
number DSAP values.

Also, if this is the case, why not ?

Just clarifying...

Cheers,
-marc.

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Scott Morris
> Sent: Saturday, 7 August 2004 9:43 PM
> To: 'mani poopal'; ccielab@groupstudy.com
> Subject: RE: dlsw+ LSAP filtering
>
> The 200 series ACLs are just like any other access list... The only
> difference is that they happen to be written in hex!
>
> The first listing is like your "network" and is used to set the bits.
> The second part is your mask. In BINARY, the concept is the same as
> any other, where a 0 bit means stay the same and a 1 bit means you
> don't care what the value is.
>
> Now, there are a few other things for technical accuracy.... Odd
> numbered SAPs will never exist in the DSAP field (first half of the
> "net" entry), so having a mask of 0x0101 is pointless. 0x0001 will
> accomplish what you want.
>
> So if you want specific things only, like 04 SAPs, the "access-list
> 201 permit 0x0404 0x0001" will be great.
>
> Some of the others, it's useful to have some technical background on...
> First, SAPs come in pairs (even and odd). Also, 08/09 and 0C/0D are
> IBM-specific SAPs and only exist in Token Ring networks.
>
> But to answer your question, the ACL does exactly what any other ACL
> does, just notes it in hex!
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> CISSP, JNCIP, et al.
> IPExpert CCIE Program Manager
> IPExpert Sr. Technical Instructor
> swm@emanon.com/smorris@ipexpert.net
> http://www.ipexpert.net
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of mani poopal
> Sent: Saturday, August 07, 2004 12:25 AM
> To: ccielab@groupstudy.com
> Subject: dlsw+ LSAP filtering
>
> Hi Group,
>
> I like to get more information about LSAP filtering. I read Practical
> Studies vol II and Netmasters material. I know there are 0xf0 (NetBIOS)
> and 0x00, 0x04, 0x08 and 0x0c (SNA) SAPs available. If they ask you
> to block only a few of them, eg: 0x00 and 0x08, how to do it.
>
> access-list 200 permit 0xf0f0 0x0101
> access-list 200 permit 0x0000 0x0d0d
> What above command does and how the access list are written. Any good
> explanation with examples are appreciated.
>
> thanks
>
> Mani
>
>
> B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> (416)431 9929
> MANI_CCIE@YAHOO.COM
>
> ---------------------------------
> Do you Yahoo!?
> Yahoo! Mail - 50x more storage than other providers!
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:35 GMT-3