RE: allowing DLSW through an access-list

From: zheng jiang gu (zjgu@xxxxxxxxxx)
Date: Fri Dec 29 2000 - 00:00:06 GMT-3

I think you should permit both udp 2067 for dlsw v2 and tcp 2067 for normal.
zjgu
00-12-29 10:23:36, Bernard Dunn <dunn@cisco.com> wrote:

>Oleg,
>
>You'll find dlsw capability exchange trying to use port 2067 to see if
>it's dlsw v2 capable. Most of the details are in RFC2166. Hope it's not
>too heavy.
>
>Bottom line : allow for the udp and tcp ports, in real production
>environments, since it helps dlsw peer setup/capability exchange.
>
><snip>
>
>6.2.1.4 TCP Connections with Non-Multicast Capable DLSw peers
>
> During periods of migration, it is possible that TCP connections
> between multicast capable and non-multicast capable DLSw peers will
> occur. It is also possible that multicast capable DLSws may attempt
> to establish TCP connections with partners of unknown capabilities
> (e.g., statically defined peers). To handle these conditions the
> following additional rules apply to expedited single session TCP
> connection setup:
>
> 1. If the capability of a DLSw peer is not known, an implementation
> may choose to send the initial TCP connect request to either port
> 2067 (expedited single session setup) or port 2065 (standard RFC
> 1795 TCP setup).
> 2. If a multicast capable DLSw receives an inbound TCP connect request
> on port 2065 while processing an outbound request on 2067 to the
> same DLSw, the sending DLSw will terminate its 2067 request and
> respond as defined in RFC 1795 with an outbound 2065 request
> (standard RFC 1795 TCP setup).
> 3. If a multicast capable DLSw receives an indication that the DLSw
> peer is not multicast capable (the port 2067 setup request times
> out or a port not recognized rejection is received), it will send
> another connection request using port 2065 and the standard RFC
> 1795 session setup protocol.
>
>
> - TCP connections on demand
>
> Two DLSw peers using these enhancements will only establish a TCP
> connection when necessary. SSP connections to DLSw peers which do
> not implement these enhancements are assumed to be established by
> the means defined in RFC 1795. DLSws implementing v2.0 utilize UDP
> based transport services to send address resolution packets
> (CANUREACH_ex, NETBIOS_NQ_ex, etc.). If a positive response is
> received, then a TCP connection is only established to the
> associated DLSw peer if one does not already exist.
> Correspondingly, TCP connections are brought down when there are no
> circuits to a DLSw peer for an implementation defined period of
> time.
>
></snip>
>
>On Wed, 27 Dec 2000, Bespalov Oleg wrote:
>
>> Hi!
>> From the deny any any log I got:
>>
>> 01:31:44: %SEC-6-IPACCESSLOGP: list 101 denied udp 137.1.3.130(0) -> 137.1.4.65(2067), 45 packets
>>
>> Does it have UDP 2067 or TCP 2067, and what does this udp port do?
>> Or should I open both udp 2067 and tcp 2067?
>>
>> Regards,
>> Oleg Bespalov
>>
>>
>> > -----Original Message-----
>> > From: zheng jiang gu [mailto:zjgu@ce-air.com]
>> > Sent: Monday, December 18, 2000 6:19 AM
>> > To: Fred Ingham; Bill Young; ccielab@groupstudy.com
>> > Subject: Re: allowing DLSW through an access-list
>> >
>> >
>> > Sorry Fred
>> > But DLSW V2 uses TCP 2065/2067, correct me if wrong!!
>> > ----- Original Message -----
>> > From: Fred Ingham <fningham@worldnet.att.net>
>> > To: Bill Young <byoung@cox.rr.com>; <ccielab@groupstudy.com>
>> > Sent: Monday, December 18, 2000 3:34 AM
>> > Subject: Re: allowing DLSW through an access-list
>> >
>> >
>> > > The replies so far state the correct ports: tcp 2065, and, if
>> > > prioritization is configured, 1981, 1982, and 1983. DLSW v2 can also use
>> > > UDP 2065/2067.
>> > >
>> > > Best way to discover needed ports is to insert a "deny any any log"
>> > > statement at the end of your access-list and see the rejected packets.
>> > > Pick up the needed ports from the log messages.
>> > >
>> > > Cheers, Fred.
>> > >
>> > > Bill Young wrote:
>> > > >
>> > > > All,
>> > > >
>> > > > Anyone know what the required ACL port(s) for DLSW are? I have been
>> > > > working on a lab all morning and couldn't figure out why my DLSW was
>> > > > failing. As I was cutting and pasting the configs into an email for you
>> > > > all, I saw the ip access-group statement. As soon as I removed it, DLSW
>> > > > started working (DUH!)
>> > > >
>> > > > I can't seem to find the port numbers for DLSW though. Does anyone have
>> > > > this?
>> > > >
>> > > > Thanks,
>> > > > Bill
>> > > >
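Fred's "deny any any log" method and Bernard's port list can be put together in a small script. The following is an added example, not code from anyone in this thread: it parses %SEC-6-IPACCESSLOGP lines of the shape Oleg posted, sums the denied packets per protocol/port, emits extended-ACL permit lines only for the ports the thread identifies as DLSw (tcp/udp 2065 and 2067, plus tcp 1981-1983 when prioritization is configured), and sets everything else aside for manual review instead of opening it blindly. The log sample is constructed for the example (the first line mirrors Oleg's, unwrapped; the rest are made up), and the DLSW_PORTS descriptions are assumptions based on the thread's own summary of RFC 1795 / RFC 2166.

```python
import re

# Constructed sample of IOS "deny ip any any log" hits. The first line has the
# same shape as the %SEC-6-IPACCESSLOGP line quoted in the thread (unwrapped);
# the remaining flows are made up for this example.
SAMPLE_LOG = """\
01:31:44: %SEC-6-IPACCESSLOGP: list 101 denied udp 137.1.3.130(0) -> 137.1.4.65(2067), 45 packets
01:31:52: %SEC-6-IPACCESSLOGP: list 101 denied tcp 137.1.3.130(11004) -> 137.1.4.65(2065), 3 packets
01:32:10: %SEC-6-IPACCESSLOGP: list 101 denied tcp 137.1.3.130(11005) -> 137.1.4.65(2067), 2 packets
01:32:31: %SEC-6-IPACCESSLOGP: list 101 denied tcp 137.1.3.130(11006) -> 137.1.4.65(1981), 1 packet
01:33:02: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.9.9(40001) -> 137.1.4.65(23), 7 packets
"""

# Ports the thread identifies as DLSw traffic (RFC 1795, RFC 2166, and the
# Cisco prioritization ports 1981-1983). Descriptions are this example's
# summary of the thread, not text from the RFCs.
DLSW_PORTS = {
    ("tcp", 2065): "DLSw SSP, standard RFC 1795 TCP setup",
    ("tcp", 2067): "DLSw v2 expedited single-session setup (RFC 2166)",
    ("udp", 2065): "DLSw v2 UDP transport (address resolution, capability exchange)",
    ("udp", 2067): "DLSw v2 UDP transport (address resolution, capability exchange)",
    ("tcp", 1981): "DLSw prioritization (only if priority peers are configured)",
    ("tcp", 1982): "DLSw prioritization (only if priority peers are configured)",
    ("tcp", 1983): "DLSw prioritization (only if priority peers are configured)",
}

# Matches the fields of an IOS extended-ACL log message for tcp/udp denies.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_denied(log_text):
    """Extract every ACL deny record as a dict; lines that don't match are ignored."""
    flows = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        flows.append({
            "acl": m["acl"],
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "count": int(m["count"]),
        })
    return flows


def classify(flows):
    """Split denied flows into DLSw hits (packet counts summed per proto/port)
    and everything else, which should be reviewed rather than opened."""
    dlsw, other = {}, []
    for f in flows:
        key = (f["proto"], f["dport"])
        if key in DLSW_PORTS:
            dlsw[key] = dlsw.get(key, 0) + f["count"]
        else:
            other.append(f)
    return dlsw, other


def suggest_acl(flows):
    """Build extended-ACL permit lines for the DLSw flows only, one per distinct
    (acl, proto, src, dst, dport), sorted so the output is stable. Only the
    direction seen in this router's log is covered; check the peer's log too."""
    entries = set()
    for f in flows:
        if (f["proto"], f["dport"]) in DLSW_PORTS:
            entries.add((f["acl"], f["proto"], f["src"], f["dst"], f["dport"]))
    return [
        "access-list {} permit {} host {} host {} eq {}".format(*e)
        for e in sorted(entries)
    ]


if __name__ == "__main__":
    flows = parse_denied(SAMPLE_LOG)
    dlsw, other = classify(flows)
    for (proto, port), pkts in sorted(dlsw.items()):
        print(f"{proto}/{port}: {pkts} packets  -- {DLSW_PORTS[(proto, port)]}")
    for line in suggest_acl(flows):
        print(line)
    for f in other:
        print(f"REVIEW: {f['proto']}/{f['dport']} from {f['src']} "
              f"({f['count']} packets) is not a DLSw port")
```

The generated lines go before the trailing deny in the same numbered list, and the "REVIEW" entries (here a telnet attempt from an unrelated host) are exactly the hits you do not want to turn into permits just because they showed up in the log.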



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:26:12 GMT-3