RE: allowing DLSW through an access-list

From: Bernard Dunn (dunn@xxxxxxxxx)
Date: Thu Dec 28 2000 - 20:23:36 GMT-3

Oleg,

You'll find dlsw capability exchange trying to use port 2067 to see if
it's dlsw v2 capable. Most of the details are in RFC2166. Hope it's not
too heavy.

Bottom line: allow for the udp and tcp ports, in real production
environments, since it helps dlsw peer setup/capability exchange.

<snip>

6.2.1.4 TCP Connections with Non-Multicast Capable DLSw peers

   During periods of migration, it is possible that TCP connections
   between multicast capable and non-multicast capable DLSw peers will
   occur. It is also possible that multicast capable DLSws may attempt
   to establish TCP connections with partners of unknown capabilities
   (e.g., statically defined peers). To handle these conditions the
   following additional rules apply to expedited single session TCP
   connection setup:

   1.If the capability of a DLSw peer is not known, an implementation
     may choose to send the initial TCP connect request to either port
     2067 (expedited single session setup) or port 2065 (standard RFC
     1795 TCP setup).
   2.If a multicast capable DLSw receives an inbound TCP connect request
     on port 2065 while processing an outbound request on 2067 to the
     same DLSw, the sending DLSw will terminate its 2067 request and
     respond as defined in RFC 1795 with an outbound 2065 request
     (standard RFC 1795 TCP setup).
   3.If a multicast capable DLSw receives an indication that the DLSw
     peer is not multicast capable (the port 2067 setup request times
     out or a port not recognized rejection is received), it will send
     another connection request using port 2065 and the standard RFC
     1795 session setup protocol.

   - TCP connections on demand

     Two DLSw peers using these enhancements will only establish a TCP
     connection when necessary. SSP connections to DLSw peers which do
     not implement these enhancements are assumed to be established by
     the means defined in RFC 1795. DLSws implementing v2.0 utilize UDP
     based transport services to send address resolution packets
     (CANUREACH_ex, NETBIOS_NQ_ex, etc.). If a positive response is
     received, then a TCP connection is only established to the
     associated DLSw peer if one does not already exist.
     Correspondingly, TCP connections are brought down when there are no
     circuits to a DLSw peer for an implementation defined period of
     time.

</snip>

On Wed, 27 Dec 2000, Bespalov Oleg wrote:

> Hi!
> From "deny any any log" I got:
>
> 01:31:44: %SEC-6-IPACCESSLOGP: list 101 denied udp 137.1.3.130(0) -> 137.1.4.65(2067), 45 packets
>
> Does it have UDP 2067 or TCP 2067, and what does this UDP port do?
> Or should I open both UDP 2067 and TCP 2067?
>
> Regards,
> Oleg Bespalov
>
>
> > -----Original Message-----
> > From: zheng jiang gu [mailto:zjgu@ce-air.com]
> > Sent: Monday, December 18, 2000 6:19 AM
> > To: Fred Ingham; Bill Young; ccielab@groupstudy.com
> > Subject: Re: allowing DLSW through an access-list
> >
> >
> > Sorry Fred
> > But DLSW V2 uses TCP 2065/2067, correct me if wrong!!
> > ----- Original Message -----
> > From: Fred Ingham <fningham@worldnet.att.net>
> > To: Bill Young <byoung@cox.rr.com>; <ccielab@groupstudy.com>
> > Sent: Monday, December 18, 2000 3:34 AM
> > Subject: Re: allowing DLSW through an access-list
> >
> >
> > > The replies so far state the correct ports: tcp 2065, and, if
> > > prioritization is configured, 1981, 1982, and 1983. DLSW v2 can also use
> > > UDP 2065/2067.
> > >
> > > Best way to discover needed ports is to insert a "deny any any log"
> > > statement at the end of your access-list and see the rejected packets.
> > > Pick up the needed ports from the log messages.
> > >
> > > Cheers, Fred.
> > >
> > > Bill Young wrote:
> > > >
> > > > All,
> > > >
> > > > Anyone know what the required ACL port(s) for DLSW are? I have been
> > > > working on a lab all morning and couldn't figure out why my DLSW was
> > > > failing. As I was cutting and pasting the configs into an email for you
> > > > all, I saw the ip access-group statement. As soon as I removed it, DLSW
> > > > started working (DUH!)
> > > >
> > > > I can't seem to find the port numbers for DLSW though. Does anyone have
> > > > this?
> > > >
> > > > Thanks,
> > > > Bill
> > > >
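Fred's method above (a trailing "deny any any log" entry, then reading the rejected packets out of the log) is easy to automate. The following is an added example written for this archive page, not code from any poster; it parses Cisco IOS %SEC-6-IPACCESSLOGP lines of the shape Oleg quoted, sums denied packets per flow, and turns the flows that land on the DLSw ports named in this thread into host-scoped permit statements while flagging anything else for a human to judge. The port table, the `parse_log_line`/`denied_flows`/`suggest_acl_entries` names and all log lines except Oleg's own are constructed for the example.

```python
"""Turn IOS ACL deny logs into candidate DLSw permit entries.

Added example for this thread (not code from any poster). Only the first
log line below is the one Oleg quoted; the rest are constructed.
"""
import re
from collections import Counter
from typing import List, Optional, Tuple

# Matches the tcp/udp variant (IPACCESSLOGP), which carries ports in
# parentheses. Other variants (e.g. IPACCESSLOGDP for icmp) are skipped.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Ports named in the thread: RFC 1795 / RFC 2166 plus the Cisco
# prioritization ports Fred mentions.
DLSW_PORTS = {
    ("tcp", 2065): "DLSw TCP session (RFC 1795)",
    ("tcp", 2067): "DLSw v2 expedited single-session setup (RFC 2166)",
    ("udp", 2065): "DLSw v2 UDP address resolution (RFC 2166)",
    ("udp", 2067): "DLSw v2 UDP address resolution (RFC 2166)",
    ("tcp", 1981): "DLSw prioritization (Cisco)",
    ("tcp", 1982): "DLSw prioritization (Cisco)",
    ("tcp", 1983): "DLSw prioritization (Cisco)",
}

# Constructed sample log; line 0 is the one quoted in the thread.
SAMPLE_LOG = [
    "01:31:44: %SEC-6-IPACCESSLOGP: list 101 denied udp 137.1.3.130(0) -> 137.1.4.65(2067), 45 packets",
    "01:36:50: %SEC-6-IPACCESSLOGP: list 101 denied tcp 137.1.3.130(11045) -> 137.1.4.65(2065), 3 packets",
    "01:36:51: %SEC-6-IPACCESSLOGP: list 101 denied udp 137.1.3.130(0) -> 137.1.4.65(2067), 12 packets",
    "01:40:02: %SEC-6-IPACCESSLOGP: list 101 denied tcp 137.1.3.130(2065) -> 137.1.4.65(2067), 1 packet",
    "01:41:10: %SEC-6-IPACCESSLOGP: list 101 denied tcp 137.1.3.140(33211) -> 137.1.4.65(23), 2 packets",
    "01:41:11: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 137.1.3.140 -> 137.1.4.65 (8/0), 1 packet",
]


def parse_log_line(line: str) -> Optional[dict]:
    """Return the fields of one IPACCESSLOGP line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def denied_flows(lines: List[str]) -> Counter:
    """Sum denied packet counts per (proto, src, dst, dport).

    IOS logs the first match and then periodic summaries, so the same
    flow usually appears several times; the counts are summed here.
    """
    totals: Counter = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["action"] == "denied":
            totals[(rec["proto"], rec["src"], rec["dst"], rec["dport"])] += rec["count"]
    return totals


def suggest_acl_entries(lines: List[str], acl: str) -> Tuple[List[str], List[Tuple[str, int, int]]]:
    """Split denied flows into DLSw permits (scoped to the observed peer
    pair) and non-DLSw flows (proto, dport, packets) left for review."""
    permits, unknown = [], []
    for (proto, src, dst, dport), pkts in sorted(denied_flows(lines).items()):
        if (proto, dport) in DLSW_PORTS:
            permits.append(f"access-list {acl} permit {proto} host {src} host {dst} eq {dport}")
        else:
            unknown.append((proto, dport, pkts))
    return permits, unknown


if __name__ == "__main__":
    permits, unknown = suggest_acl_entries(SAMPLE_LOG, "101")
    print("\n".join(permits))
    for proto, port, pkts in unknown:
        print(f"! not a DLSw port, review before permitting: {proto}/{port} ({pkts} packets)")
```

The generated lines belong above the trailing deny-and-log entry. They are deliberately scoped to the source/destination pair seen in the log rather than "any any"; if the access-list is also applied in the other direction, the reverse flow needs its own entry, and the telnet flow in the constructed sample shows why the non-DLSw ports are reported rather than permitted automatically.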
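The RFC 2166 rules Bernard quotes (try 2067 first, fall back to 2065 on a timeout or "port not recognized", and yield to an inbound 2065 request) explain his advice to permit both ports: with only 2065 open, peer setup still succeeds but only after the 2067 attempt times out. The simulation below is an added example for this page, not code from any poster or from a real DLSw implementation; `Peer`, `expedited_setup` and the idea of modelling an ACL drop as a timeout are assumptions made for the illustration.

```python
"""Simulate the RFC 2166 section 6.2.1.4 port fallback for DLSw TCP setup.

Added example for this thread, not code from any poster or from a real
DLSw implementation. The remote peer and the access-list are constructed
stand-ins; an ACL drop is modelled as a connect timeout (an assumption).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

DLSW_V1_PORT = 2065  # RFC 1795 standard TCP setup
DLSW_V2_PORT = 2067  # RFC 2166 expedited single-session setup


@dataclass
class Peer:
    """Remote DLSw: whether it speaks v2 and which (proto, port) pairs the ACL passes."""
    v2_capable: bool
    permitted: Set[Tuple[str, int]]

    def connect(self, port: int) -> str:
        """Outcome of one TCP connect request, as the initiator sees it."""
        if ("tcp", port) not in self.permitted:
            return "timeout"      # assumption: the ACL drops the SYN silently
        if port == DLSW_V2_PORT and not self.v2_capable:
            return "rejected"     # RFC 1795-only peer: port not recognized
        return "connected"


@dataclass
class SetupLog:
    attempts: List[Tuple[int, str]] = field(default_factory=list)
    established_on: Optional[int] = None


def expedited_setup(peer: Peer, inbound_2065_pending: bool = False) -> SetupLog:
    """Apply rules 1-3 of RFC 2166 6.2.1.4 for a peer of unknown capability.

    Rule 1: this implementation chooses to try 2067 first.
    Rule 2: if an inbound 2065 request arrives meanwhile, terminate the
            2067 attempt and answer with an outbound 2065 request.
    Rule 3: on timeout or 'port not recognized', retry on 2065.
    """
    log = SetupLog()
    if inbound_2065_pending:
        log.attempts.append((DLSW_V2_PORT, "terminated"))   # rule 2
    else:
        result = peer.connect(DLSW_V2_PORT)                 # rule 1
        log.attempts.append((DLSW_V2_PORT, result))
        if result == "connected":
            log.established_on = DLSW_V2_PORT
            return log
    result = peer.connect(DLSW_V1_PORT)                     # rule 2/3 fallback
    log.attempts.append((DLSW_V1_PORT, result))
    if result == "connected":
        log.established_on = DLSW_V1_PORT
    return log


if __name__ == "__main__":
    both_open = {("tcp", DLSW_V1_PORT), ("tcp", DLSW_V2_PORT)}
    for name, peer in [
        ("both ports permitted", Peer(True, both_open)),
        ("only 2065 permitted", Peer(True, {("tcp", DLSW_V1_PORT)})),
        ("nothing permitted", Peer(True, set())),
        ("RFC 1795-only peer", Peer(False, both_open)),
    ]:
        r = expedited_setup(peer)
        print(f"{name}: {r.attempts} -> established on {r.established_on}")
```

Running it shows the three outcomes that matter when writing the access-list: both ports open gives an immediate 2067 session, 2065 alone gives a session only after a wasted 2067 attempt, and neither port gives no session at all.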

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:26:12 GMT-3