Cisco Systems BC-109 Network Router User Manual
Bridging and IBM Networking Configuration Guide

Secure the SRB Network
Configure Access Expressions
To configure an access expression, perform the following tasks:
Design the access expression.
Configure the access lists used by the expression.
Configure the access expression into the router.
When designing an access expression, first write a phrase that describes, in its entirety, every frame
that the access expression should pass. The access expression in this example applies to frames
arriving on the Token Ring interface of Router A in Figure 53:
“Pass the frame if it is a NetBIOS frame or if it is an SNA frame destined to address
0110.2222.3333.”
In Boolean form, this phrase can be written as follows:
“Pass if ‘NetBIOS or (SNA and destined to 0110.2222.3333).’”
The preceding statement requires three access lists to be configured:
An access list that passes a frame if it is a NetBIOS frame (SAP = 0xF0F0)
An access list that passes a frame if it is an SNA frame (SAP = 0x0404)
An access list that passes a frame if its destination MAC address is 0110.2222.3333
The following configuration provides for all three conditions (comments are placed on their own
lines, because the IOS parser only treats a line that begins with ! as a comment):
! Access list 201 passes NetBIOS frames (command or response)
access-list 201 permit 0xF0F0 0x0001
!
! Access list 202 passes SNA frames (command or response)
access-list 202 permit 0x0404 0x0001
! ... and SNA explorers with a NULL DSAP
access-list 202 permit 0x0004 0x0001
!
! Access list 701 permits the FEP MAC address
! of 0110.2222.3333
access-list 701 permit 0110.2222.3333
In a type 200 (LSAP) access list the second value is a wildcard mask: bits set in the mask are ignored
when the DSAP/SSAP pair is compared. The 0x0001 mask ignores the low-order bit of the SSAP, which is
the LLC command/response bit, so command and response frames pass equally.
To apply the access expression to the appropriate interface, enter the following command in interface
configuration mode:
Command                                   Purpose
access-expression {in | out} expression   Define a per-interface access expression.
Optimize Access Expressions
An access expression can often be simplified. Suppose you want to pass SNA traffic only when it is
going to a single address, but allow all other traffic through the router without restriction. The
phrase could be written as follows:
“Allow access if the frame is not an SNA frame, or if it is going to host 0110.2222.3333.”
More tersely, this would be:
“Not SNA or destined to 0110.2222.3333.”
Written this way, the expression needs only two of the three access lists above: the SNA list and
the MAC address list. Note that the two phrases are not equivalent: the first passes only NetBIOS and
FEP-bound SNA, while the second also passes every non-SNA, non-NetBIOS frame, so choose the phrase
that matches the policy you actually want before optimizing.
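The following Python model is an added example and is not Cisco code; it exists to make the two
policies on this page testable side by side. It assumes (my reading of the IOS semantics, not stated
on this page) that a type 200 access list compares the 16-bit DSAP/SSAP pair against the configured
value with mask bits treated as don't-care, that a type 700 list matches the 48-bit destination MAC,
and that the access expression operators are | (or), & (and) and ~ (not) with list references such
as lsap(201) and dmac(701). The frames are constructed test data, not captures.

```python
"""Model of the SRB access lists and access expressions on this page.

Added example, not Cisco code. Matching rules below are an assumption about
the IOS semantics: type 200 lists match the DSAP/SSAP pair with a wildcard
mask (set bits ignored); type 700 lists match a 48-bit MAC address.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Minimal LLC view of a Token Ring frame: destination MAC plus SAPs."""
    dmac: str   # IOS dotted-hex form, e.g. "0110.2222.3333"
    dsap: int   # 0x00-0xFF
    ssap: int   # 0x00-0xFF; the low-order bit is the command/response bit


def mac_to_int(mac: str) -> int:
    return int(mac.replace(".", ""), 16)


class LsapList:
    """access-list 200-299: permit <value> <mask> on the DSAP/SSAP pair."""

    def __init__(self, entries):
        self.entries = list(entries)

    def matches(self, frame: Frame) -> bool:
        pair = (frame.dsap << 8) | frame.ssap
        # Set mask bits are don't-care bits, so clear them on both sides.
        return any((pair & ~mask & 0xFFFF) == (value & ~mask & 0xFFFF)
                   for value, mask in self.entries)


class MacList:
    """access-list 700-799: permit <mac-address>."""

    def __init__(self, macs):
        self.macs = {mac_to_int(m) for m in macs}

    def matches(self, frame: Frame) -> bool:
        return mac_to_int(frame.dmac) in self.macs


# The three access lists from the page.
ACL_201 = LsapList([(0xF0F0, 0x0001)])                    # NetBIOS, cmd or rsp
ACL_202 = LsapList([(0x0404, 0x0001), (0x0004, 0x0001)])  # SNA + NULL-DSAP explorers
ACL_701 = MacList(["0110.2222.3333"])                     # the FEP MAC address


def passes_netbios_or_sna_to_fep(frame: Frame) -> bool:
    """lsap(201) | (lsap(202) & dmac(701)): NetBIOS, or SNA bound for the FEP."""
    return ACL_201.matches(frame) or (ACL_202.matches(frame) and ACL_701.matches(frame))


def passes_not_sna_or_to_fep(frame: Frame) -> bool:
    """~lsap(202) | dmac(701): anything that is not SNA, or anything to the FEP."""
    return (not ACL_202.matches(frame)) or ACL_701.matches(frame)


# Constructed frames covering the cases the page discusses (assumed values).
FRAMES = {
    "netbios_cmd":     Frame("0000.aaaa.0001", 0xF0, 0xF0),
    "netbios_rsp":     Frame("0000.aaaa.0001", 0xF0, 0xF1),  # C/R bit set
    "sna_to_fep":      Frame("0110.2222.3333", 0x04, 0x04),
    "sna_rsp_to_fep":  Frame("0110.2222.3333", 0x04, 0x05),  # C/R bit set
    "sna_elsewhere":   Frame("0000.bbbb.0002", 0x04, 0x04),
    "sna_explorer":    Frame("0110.2222.3333", 0x00, 0x04),  # NULL DSAP
    "other_to_fep":    Frame("0110.2222.3333", 0xAA, 0xAA),  # SNAP, not SNA
    "other_elsewhere": Frame("0000.bbbb.0002", 0xAA, 0xAA),
}


def evaluate(policy) -> dict:
    """Apply one access-expression policy to every constructed frame."""
    return {name: policy(f) for name, f in FRAMES.items()}


if __name__ == "__main__":
    for label, policy in (("lsap(201) | (lsap(202) & dmac(701))", passes_netbios_or_sna_to_fep),
                          ("~lsap(202) | dmac(701)", passes_not_sna_or_to_fep)):
        print(label)
        for name, ok in evaluate(policy).items():
            print(f"  {name:16} {'pass' if ok else 'drop'}")
```

Running it shows the difference the optimization section glosses over: both expressions drop SNA
frames that are not bound for the FEP and pass NetBIOS, but only the second passes non-SNA, non-NetBIOS
frames such as the SNAP frames above. The C/R-bit frames pass under both, which is what the 0x0001 mask
buys you.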