Secure the SRB Network
Configure Access Expressions
To configure an access expression, perform the following tasks:
• Design the access expression.
• Configure the access lists used by the expression.
• Configure the access expression into the router.
When designing an access expression, you must create a phrase that states, in its entirety, which frames will pass the access expression. The access expression below is designed to apply to frames coming from the Token Ring interface on Router A in Figure 53:
“Pass the frame if it is a NetBIOS frame or if it is an SNA frame destined to address 0110.2222.3333.”
In Boolean form, this phrase can be written as follows:
“Pass if ‘NetBIOS or (SNA and destined to 0110.2222.3333).’”
The preceding statement requires three access lists to be configured:
• An access list that passes a frame if it is a NetBIOS frame (SAP = 0xF0F0)
• An access list that passes a frame if it is an SNA frame (SAP = 0x0404)
• An access list that passes a MAC address of 0110.2222.3333
The following configuration allows for all these conditions:
    ! Access list 201 passes NetBIOS frames (command or response)
    ! Access list 701 will permit the FEP MAC address
    ! of 0110.2222.3333
The 0x0001 mask allows command and response frames to pass equally.
To apply the access expression to the appropriate interface, enter the following command in interface configuration mode:
Command | Purpose
 | Define a
Optimize Access Expressions
It is possible to combine access expressions. Suppose you want to restrict SNA traffic to a single destination address but allow all other traffic through the router without restriction. The phrase could be written as follows:
“Allow access if the frame is not an SNA frame, or if it is going to host 0110.2222.3333.”
More tersely, this would be:
“Not SNA or destined to 0110.2222.3333.”
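Putting the three-step procedure above and this optimized phrase together, here is an added IOS configuration example (not from the original page): it configures the three access lists, applies the original expression to the Token Ring interface, and then shows the terser "not SNA or destined to 0110.2222.3333" form. The SNA list number (202), the interface name (tokenring 0) and the explicit all-zero MAC mask are assumptions; the lsap()/dmac() terms and the ~, & and | operators are those of the IOS access-expression command.

```cisco
! Added example, not from the original page.
! Assumed: list 202 for SNA; interface tokenring 0 is the Token Ring
! side of Router A.
!
! Access list 201 passes NetBIOS frames (SAP 0xF0F0). The 0x0001
! wildcard mask ignores the command/response bit so both pass.
access-list 201 permit 0xF0F0 0x0001
!
! Access list 202 passes SNA frames (SAP 0x0404), same mask.
access-list 202 permit 0x0404 0x0001
!
! Access list 701 permits the FEP MAC address 0110.2222.3333
! (a 0000.0000.0000 mask means every address bit must match).
access-list 701 permit 0110.2222.3333 0000.0000.0000
!
! Original phrase: "NetBIOS or (SNA and destined to 0110.2222.3333)".
! lsap(n) tests the frame's SAP against access list n; dmac(n) tests the
! destination MAC against list n; & is AND, | is OR, ~ is NOT.
interface tokenring 0
 access-expression in lsap(201) | (lsap(202) & dmac(701))
!
! Optimized phrase: "Not SNA or destined to 0110.2222.3333".
! Use this in place of the expression above, not in addition to it.
interface tokenring 0
 access-expression in ~lsap(202) | dmac(701)
```

Because the optimized form no longer references list 201, NetBIOS frames pass only through the "not SNA" branch, which also admits every other non-SNA protocol; check that this wider pass set is what the policy intends before replacing the original expression.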