
ACCESS-LISTS - NON ROUTABLE PROTOCOLS

Key Commands

Extended MAC access lists:

  access-list 1101 deny 1111.2222.3333 0000.0000.0000 2222.3333.4444 0000.0000.0000
  access-list 1101 permit 0000.0000.0000 FFFF.FFFF.FFFF 0000.0000.0000 FFFF.FFFF.FFFF
  !
  interface ethernet 0
   bridge-group 1 input-pattern-list 1101
   bridge-group 1 output-pattern-list 1101

or on Token Ring:

  interface tokenring 0
   source-bridge output-pattern-list 1101
   source-bridge input-pattern-list 1101

Additional Commands

For standard MAC access lists:

  access-list 701 deny 1111.2222.3333 0000.0000.0000
  access-list 701 permit 0000.0000.0000 FFFF.FFFF.FFFF
  !
  interface ethernet 0
   bridge-group 1 output-address-list 701
   bridge-group 1 input-address-list 701
  !
  interface tokenring 0
   source-bridge input-address-list 701
   source-bridge output-address-list 701

For DLSw, the access list is placed on the remote-peer statement:

  dlsw remote-peer 0 tcp 10.1.1.1 dmac-output-list 701

Spot The Issue

Shows and Debugs

  show access-expression
  debug access-expression
  show access-list

LSAP address access lists

Grouped by pair of source and destination LSAP: 0xF0F0 is F0 source to F0 destination.

  access-list 201 deny 0xF0F0 0x0            <- denies any LSAP source F0 to destination F0
  access-list 201 deny 0xF000 0xFF           <- denies any LSAP source F0, destination any
  access-list 201 deny 0xF0 (0x00F0) 0xFF00  <- denies any LSAP with destination F0

For Ethernet:

  bridge-group 1 input-lsap-list 201
  bridge-group 1 output-lsap-list 201

For Token Ring:

  source-bridge input-lsap-list 201
  source-bridge input-type-list 201

For DLSw+:

  dlsw remote-peer 0 tcp 10.1.1.1 lsap-output-list 201

Notes

• Remember that Ethernet and Token Ring MACs are bit swapped (the canonical rule)! This impacts the access lists: an access list designed for Ethernet wouldn't work for Token Ring.
• When configuring a NetBIOS access list, IOS prompts for "WORD NetBIOS station name". This is NOT the NetBIOS name to be filtered; it is the name of the NetBIOS access list!
• When configuring an access expression, DO NOT put a space between smac and ( -> smac(200) good, smac (200) bad!

Access-list number ranges:

  200  - LSAP address access list
  700  - MAC address access list
  1100 - extended MAC address access list

FOR BRIDGED TRAFFIC ONLY!!

Common LSAP addresses:

  AA  SNAP
  04  SNA path control
  F0  IBM NetBIOS
  00  Null LSAP

NetBIOS access lists

Does not have an access-list number range!

  netbios access-list host MyList deny NetBiosName
  netbios access-list host MyList deny C??
  netbios access-list host MyList deny FLA*
  netbios access-list host MyList permit *

Can only be applied to Token Ring or DLSw peer statements, NOT to Ethernet. Filters on DLSw are outbound only:

  dlsw remote-peer 0 tcp 1.1.1.1 host-netbios-out MyList

On Token Ring:

  interface tokenring 0
   netbios output-access-filter host MyList
   netbios input-access-filter host MyList

Additional Commands

Access Expressions

Combine NetBIOS, LSAP and MAC access lists. Can use:

  lsap(200) or type(200)
  smac(700)
  dmac(700)
  netbios-host(netbios access list name)

Operators:

  |  or
  &  and
  ~  not

With the above lists:

  access-expression in lsap(201) | (lsap(200) & dmac(701))

On Token Ring:

  interface tokenring 0
   access-expression in expression
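As an added example (not part of the original cheat sheet), the following Python models how the MAC, LSAP and NetBIOS access lists above are evaluated top-down with an implicit deny, and applies the bit-swap rule from the Notes to show why a 700-series entry written for an Ethernet MAC does not match the same station's Token Ring form. The list entries are constructed from the page's examples; treating `*` as any run of characters and the permit-any tail added to list 201 are assumptions.

```python
import re

def bit_swap_mac(mac: str) -> str:
    """Convert a MAC between canonical (Ethernet) and non-canonical (Token Ring)
    form by reversing the bit order inside each byte; applying it twice restores it."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    swapped = bytes(int(f"{b:08b}"[::-1], 2) for b in raw)
    h = swapped.hex().upper()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def mac_matches(addr: str, wild: str, frame_mac: str) -> bool:
    """IOS MAC access-list semantics: a 1 bit in the wildcard means 'do not care'.
    0000.0000.0000 requires an exact match; FFFF.FFFF.FFFF matches any address."""
    a, w, f = (int(x.replace(".", ""), 16) for x in (addr, wild, frame_mac))
    return (a & ~w) == (f & ~w)

def ext_mac_matches(src, sw, dst, dw, frame_src, frame_dst) -> bool:
    """Extended (1100-series) entry: source and destination must both match."""
    return mac_matches(src, sw, frame_src) and mac_matches(dst, dw, frame_dst)

def lsap_matches(type_code: int, wild_mask: int, frame_lsap: int) -> bool:
    """Same 'care bits' rule applied to the 16-bit LSAP pair (200-series lists)."""
    return (type_code & ~wild_mask) == (frame_lsap & ~wild_mask)

def netbios_matches(pattern: str, name: str) -> bool:
    """netbios access-list host pattern: '?' = one character, '*' = any run (assumed)."""
    rx = "^" + re.escape(pattern).replace(r"\?", ".").replace(r"\*", ".*") + "$"
    return re.match(rx, name, re.IGNORECASE) is not None

def first_match(entries, match, *frame) -> str:
    """Walk the list top-down like IOS; fall through to the implicit deny."""
    for action, *args in entries:
        if match(*args, *frame):
            return action
    return "deny"

# Constructed samples: the page's list 701 and MyList, plus list 201 with an
# assumed permit-any tail so the walk-through can show both outcomes.
ACL_701 = [("deny", "1111.2222.3333", "0000.0000.0000"),
           ("permit", "0000.0000.0000", "FFFF.FFFF.FFFF")]
ACL_201 = [("deny", 0xF0F0, 0x0000), ("deny", 0xF000, 0x00FF), ("permit", 0x0000, 0xFFFF)]
NETBIOS_MYLIST = [("deny", "C??"), ("deny", "FLA*"), ("permit", "*")]

if __name__ == "__main__":
    print(first_match(ACL_701, mac_matches, "1111.2222.3333"))                # deny on Ethernet
    print(first_match(ACL_701, mac_matches, bit_swap_mac("1111.2222.3333")))  # permit: same station, Token Ring form
    print(first_match(ACL_201, lsap_matches, 0xF004))                          # deny: source F0, any destination
    print(first_match(NETBIOS_MYLIST, netbios_matches, "FLASH1"))              # deny: matches FLA*
```

The second print is the Notes caveat in action: the Ethernet entry silently stops matching once the address appears in its bit-swapped Token Ring form.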