ACCESS-LISTS - NON ROUTABLE PROTOCOLS
Key Commands
Extended MAC access lists
access-list 1101 deny 1111.2222.3333 0000.0000.0000 2222.3333.4444 0000.0000.0000
access-list 1101 permit 0000.0000.0000 FFFF.FFFF.FFFF 0000.0000.0000 FFFF.FFFF.FFFF
!
interface ethernet 0
bridge-group 1 input-pattern-list 1101
bridge-group 1 output-pattern-list 1101
or on Token Ring:
interface tokenring 0
source-bridge output-pattern-list 1101
source-bridge input-pattern-list 1101
Additional Commands
For standard MAC access lists:
access-list 701 deny 1111.2222.3333 0000.0000.0000
access-list 701 permit 0000.0000.0000 FFFF.FFFF.FFFF
!
interface ethernet 0
bridge-group 1 output-address-list 701
bridge-group 1 input-address-list 701
interface tokenring 0
source-bridge input-address-list 701
source-bridge output-address-list 701
FOR DLSw: the access list is placed on the remote-peer statement
dlsw remote-peer 0 tcp 10.1.1.1 dmac-output-list 701
Spot The Issue
Shows and Debugs
show access-expression
debug access-expression
show access-list
LSAP address access-lists
Grouped by pair of source and destination LSAP: 0xF0F0 is F0 source to F0 destination.
access-list 201 deny 0xF0F0 0x0 <- denies any LSAP source F0 to destination F0
access-list 201 deny 0xF000 0xFF <- denies any LSAP source F0, destination any
access-list 201 deny 0xF0 (0x00F0) 0xFF00 <- denies any LSAP with destination F0
For Ethernet:
bridge-group 1 input-lsap-list 201
bridge-group 1 output-lsap-list 201
For Token Ring:
source-bridge input-lsap-list 201
source-bridge input-type-list 201
For DLSw+:
dlsw remote-peer 0 tcp 10.1.1.1 lsap-output-list 201
Notes
• Remember that Ethernet and Token Ring MACs are bit swapped (the canonical rule)! This impacts the access lists: an access list designed for Ethernet wouldn't work for Token Ring.
• When configuring a NetBIOS access list, IOS prompts for "WORD NetBIOS station name". This is NOT the NetBIOS name to be filtered. It is the name of the NetBIOS access list!
• When configuring an access expression, DO NOT put a space between smac and ( -> smac(200) good, smac (200) bad!
200 - LSAP address access list
700 - MAC address access list
1100 - extended MAC address access list
FOR BRIDGED TRAFFIC ONLY!!
Common LSAP addresses:
AA SNAP
04 SNA path control
F0 IBM NetBIOS
00 Null LSAP
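The LSAP and MAC lists above and the bit-swap note are the parts people get wrong in practice, so here is an added example (not from the original cheat sheet) that replays them in Python: IOS wildcard-mask matching with the implicit deny at the end of every list, and the per-byte bit reversal between canonical (Ethernet) and non-canonical (Token Ring) MAC form. The trailing permit-all entry on list 201 is an assumption added so that the list permits something; the page shows only its deny entries.

```python
# Added example: evaluates the page's access-list 201 (LSAP) and 701 (MAC)
# with IOS wildcard semantics, and shows the Ethernet/Token Ring bit swap.

def wildcard_match(value: int, pattern: int, wild_mask: int) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    return (value & ~wild_mask) == (pattern & ~wild_mask)

def evaluate_acl(entries, value: int) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    for action, pattern, wild_mask in entries:
        if wildcard_match(value, pattern, wild_mask):
            return action == "permit"
    return False

def mac_to_int(mac: str) -> int:
    """Parse IOS dotted notation such as 1111.2222.3333 into an integer."""
    return int(mac.replace(".", ""), 16)

def bit_swap_mac(mac: str) -> str:
    """Reverse the bit order inside each byte: canonical <-> non-canonical.
    Applying it twice returns the original address."""
    raw = bytes.fromhex(mac.replace(".", ""))
    swapped = bytes(int(f"{b:08b}"[::-1], 2) for b in raw)
    h = swapped.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

# access-list 201 as on the page, plus an assumed permit-all last entry
LSAP_ACL_201 = [
    ("deny", 0xF0F0, 0x0000),   # F0 to F0 exactly
    ("deny", 0xF000, 0x00FF),   # high byte F0, low byte any
    ("deny", 0x00F0, 0xFF00),   # low byte F0, high byte any
    ("permit", 0x0000, 0xFFFF), # assumption: everything else allowed
]

# access-list 701 as on the page: deny one station, permit everything else
MAC_ACL_701 = [
    ("deny", mac_to_int("1111.2222.3333"), mac_to_int("0000.0000.0000")),
    ("permit", mac_to_int("0000.0000.0000"), mac_to_int("FFFF.FFFF.FFFF")),
]

def lsap_permitted(sap_pair: int) -> bool:
    return evaluate_acl(LSAP_ACL_201, sap_pair)

def mac_permitted(mac: str) -> bool:
    return evaluate_acl(MAC_ACL_701, mac_to_int(mac))

if __name__ == "__main__":
    print("SNA 0x0404 permitted:", lsap_permitted(0x0404))
    print("NetBIOS 0xF0F0 permitted:", lsap_permitted(0xF0F0))
    print("1111.2222.3333 permitted:", mac_permitted("1111.2222.3333"))
    print("Token Ring form of 1111.2222.3333:", bit_swap_mac("1111.2222.3333"))
```

Note that filtering by a bit-swapped MAC is exactly the mistake the note warns about: a 701 entry written for Ethernet matches nothing on Token Ring unless every byte is reversed first.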
Key Commands
NetBIOS access lists
Does not have an access-list number range!
netbios access-list host MyList deny NetBiosName
netbios access-list host MyList deny C??
netbios access-list host MyList deny FLA*
netbios access-list host MyList permit *
Can only be applied to Token Ring or DLSw peer statements, NOT to Ethernet. Filters on DLSw are outbound only.
dlsw remote-peer 0 tcp 1.1.1.1 host-netbios-out MyList
On Token Ring:
interface tokenring 0
netbios output-access-filter host MyList
netbios input-access-filter host MyList
Additional Commands
Access Expressions
Combines NetBIOS, LSAP and MAC access lists. Can use:
lsap(200)
type(200)
smac(700)
dmac(700)
netbios-host(netbios access list name)
Operators: | or, & and, ~ not
With the above lists:
access-expression in lsap(201) | (lsap(200) & dmac(701))
On Token Ring:
interface tokenring 0
access-expression in expression
Spot The Issue
Notes
...