From: Chuck Church (cchurch@xxxxxxxxxxxx)
Date: Wed Jan 10 2001 - 20:42:17 GMT-3
Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218
-----Original Message-----
From: Fred Ingham [mailto:fningham@worldnet.att.net]
Sent: Wednesday, January 10, 2001 5:53 PM
To: Lykourgiotis Paraskevas; CCIE Lab group (E-mail)
Subject: Re: DLSW NB name filtering
Rephrasing what Lykourgiotis stated: The NetBIOS access-list host
filters names in the Name_Query packet so the name specified is the
target host not the origin host. The origin host and the target host
will be in both reachability caches after a connection is attempted even
with the filter on the correct router.
If you don't want router A to see CHUCK1200 in its reachability cache you
have to filter the distribution of packets transmitted from CHUCK1200 on
router C. Or, ignore them once they're received by router A.
If you are using Windows 95/98 on CHUCK1200 the Browser will periodically
announce itself with a NetBIOS datagram and this packet is transmitted to
all peers. Once the peers receive this packet the peers put the host in the
reachability cache by default.
You could put an icanreach netbios-name CHUCKEE and an icanreach
netbios-exclusive on router C. You will find that CHUCK1200
still shows up in the router A reachability cache. However if you
try to connect to CHUCK1200 from router A it will be filtered.
To filter the packets from CHUCK1200 you can go several ways:
Put a bgroup on the peer to router A that doesn't have the bridge
that CHUCK1200 is attached to. Of course this will kill any
connectivity between hosts on router A and CHUCK1200.
Probably not what you wanted.
Filter the netbios multicast address using a dmac-output filter
on router C. This filters the multicasts from CHUCK1200 so
CHUCK1200 will not be able to initiate a connection.
On router A configure dlsw cache-ignore-netbios-datagram. This still
allows CHUCK1200 to generate the datagrams, router A just ignores them.
A host on router A will still be able to connect to CHUCK1200 and vice
versa. CHUCK1200 will not be in the reachability cache until a connection
is initiated.
Filter the NetBIOS datagrams on router C with a bytes-netbios-out filter.
Here you would filter NetBIOS datagrams by using an offset 4 and the
value 08.
Several choices here, I'm sure you will find one or more that does the job.
Cheers, Fred.
Lykourgiotis Paraskevas wrote:
>
> Hi,
>
> I think that your access list is not working because when you say "deny
> CHUCK1200" and " dlsw ... host-netbios-out nbnames", in fact you deny the
> destination not the source netbios-name.
>
> -----Original Message-----
> From: Chuck Church [mailto:cchurch@MAGNACOM.com]
> Sent: Wednesday, January 10, 2001 3:28 AM
> To: 'Ronnie Royston'; CCIE Lab group (E-mail)
> Subject: RE: DLSW NB name filtering
>
> Sorry I wasn't totally clear on the DLSW config. These are all my important
> DLSW lines:
>
> netbios access-list host nbnames deny CHUCK1200
> netbios access-list host nbnames permit *
> !
> dlsw local-peer peer-id 192.168.11.1
> dlsw remote-peer 0 tcp 192.168.101.1 host-netbios-out nbnames
> dlsw bridge-group 1
>
> The CHUCK1200 device is hanging off of this router's e0 interface, which is
> in bridge group 1. I also tried CHUCK* on the deny line, and got the same
> result.
>
> Chuck Church
> CCNP, CCDP, MCNE, MCSE
> Sr. Network Engineer
> Magnacom Technologies
> 140 N. Rt. 303
> Valley Cottage, NY 10989
> 845-267-4000 x218
>
> -----Original Message-----
> From: Ronnie Royston [mailto:RonnieR@globaldatasys.com]
> Sent: Tuesday, January 09, 2001 4:46 PM
> To: 'Chuck Church'; CCIE Lab group (E-mail)
> Subject: RE: DLSW NB name filtering
>
> Is this what you have?
>
> netbios access-list host FILTER_1 deny STATION1
> netbios access-list host FILTER_1 permit *
> !
> dlsw local-peer peer-id 30.3.3.3
> dlsw remote-peer 0 tcp 1.1.1.1 host-netbios-out FILTER_1
>
> -----Original Message-----
> From: Chuck Church [mailto:cchurch@MAGNACOM.com]
> Sent: Tuesday, January 09, 2001 12:34 PM
> To: CCIE Lab group (E-mail)
> Subject: DLSW NB name filtering
>
> All,
>
> I'm trying to filter out netbios names before they get to my DLSW
> peer. Network looks like:
>
> (CHUCK1200 laptop)--ethernet--routerC----serial HDLC--routerA--ethernet
> DLSW-------------------DLSW
>
> My NB name ACLs on router C are:
>
> netbios access-list host nbnames deny CHUCK1200
> netbios access-list host nbnames permit *
>
> If I use it like this, CHUCK1200 gets through to the other peer. If I remove
> the 'permit *' line, the device gets blocked, either because of the first
> line, or by an implicit deny (I'm not sure if these NB ACLs have an implicit
> deny). Any ideas?
>
> Thanks,
>
> Chuck Church
> CCNP, CCDP, MCNE, MCSE
> Sr. Network Engineer
> Magnacom Technologies
> 140 N. Rt. 303
> Valley Cottage, NY 10989
> 845-267-4000 x218
>
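To make the distinction Lykourgiotis and Fred draw concrete (a host filter is tested against the target name in the Name_Query, not the origin; a bytes filter at offset 4 with value 08 catches NetBIOS datagrams; and cache-ignore-netbios-datagram keeps a Browser announcement out of router A's cache), here is an added Python model of the three mechanisms. It is not code from the thread or from Cisco. The frame layout it assumes is the NetBIOS Frames header (command byte at offset 4, target name at offset 12, origin name at offset 28); the implicit deny at the end of each list, the match-anything bytes rule, and the names SERVER1, HOSTA and WORKGROUP are the model's own assumptions and constructed values.

```python
"""Model of NetBIOS Frames (NBF) headers and the DLSw filters from the thread.
Added example with constructed frames; not Cisco code.

Assumed NBF header layout (44 bytes, MAC/LLC framing omitted):
  0-1 length (little-endian)   2-3 delimiter 0xEF 0xFF   4 command
  5-11 data1/data2/correlators 12-27 target name   28-43 origin name
Names are space padded to 16 bytes.
"""
import fnmatch
import struct
from dataclasses import dataclass

NBF_DELIMITER = b"\xef\xff"
CMD_DATAGRAM = 0x08      # the "offset 4, value 08" of Fred's bytes-netbios-out option
CMD_NAME_QUERY = 0x0A


@dataclass
class NbfFrame:
    command: int
    dest_name: str   # target name: what a 'netbios access-list host' rule sees
    src_name: str    # origin name


def _pad_name(name: str) -> bytes:
    return name.encode("ascii").ljust(16, b" ")[:16]


def build_frame(command: int, dest_name: str, src_name: str) -> bytes:
    """Construct a minimal NBF header; data and correlator fields stay zero."""
    return (struct.pack("<H", 44) + NBF_DELIMITER + bytes([command, 0])
            + b"\x00" * 6 + _pad_name(dest_name) + _pad_name(src_name))


def parse_frame(raw: bytes) -> NbfFrame:
    if len(raw) < 44 or raw[2:4] != NBF_DELIMITER:
        raise ValueError("not a NetBIOS frame")
    return NbfFrame(raw[4], raw[12:28].rstrip(b" ").decode("ascii"),
                    raw[28:44].rstrip(b" ").decode("ascii"))


def host_filter_permits(rules, raw: bytes) -> bool:
    """'netbios access-list host' model: (action, pattern) rules are matched
    against the TARGET name only, '*' as wildcard. Implicit deny at the end is
    a model assumption (it matches what Chuck saw once 'permit *' was gone)."""
    target = parse_frame(raw).dest_name
    for action, pattern in rules:
        if fnmatch.fnmatchcase(target, pattern):
            return action == "permit"
    return False


def bytes_filter_permits(rules, raw: bytes) -> bool:
    """'netbios access-list bytes' model: (action, offset, pattern) rules compare
    pattern with the frame bytes at offset; an empty pattern is this model's
    match-anything rule. Implicit deny if nothing matches (assumption)."""
    for action, offset, pattern in rules:
        if raw[offset:offset + len(pattern)] == pattern:
            return action == "permit"
    return False


class ReachabilityCache:
    """Model of a peer's NetBIOS reachability cache; ignore_datagrams stands for
    'dlsw cache-ignore-netbios-datagram' configured on that router."""

    def __init__(self, ignore_datagrams: bool = False):
        self.ignore_datagrams = ignore_datagrams
        self.names = set()

    def receive(self, raw: bytes) -> None:
        frame = parse_frame(raw)
        if self.ignore_datagrams and frame.command == CMD_DATAGRAM:
            return                      # announcement seen but not cached
        self.names.add(frame.src_name)  # default: cache the origin host


def demo() -> dict:
    # Constructed traffic: CHUCK1200 behind router C, HOSTA/SERVER1 behind A.
    query_from_chuck = build_frame(CMD_NAME_QUERY, "SERVER1", "CHUCK1200")  # C -> A
    query_to_chuck = build_frame(CMD_NAME_QUERY, "CHUCK1200", "HOSTA")      # A -> C
    browser_announce = build_frame(CMD_DATAGRAM, "WORKGROUP", "CHUCK1200")  # C -> A
    nbnames = [("deny", "CHUCK1200"), ("permit", "*")]         # Chuck's ACL
    nb_datagrams = [("deny", 4, b"\x08"), ("permit", 0, b"")]  # Fred's bytes filter
    cache_default, cache_ignoring = ReachabilityCache(), ReachabilityCache(True)
    cache_default.receive(browser_announce)
    cache_ignoring.receive(browser_announce)
    return {
        "chuck_query_leaves_C": host_filter_permits(nbnames, query_from_chuck),
        "query_to_chuck": host_filter_permits(nbnames, query_to_chuck),
        "without_permit_any": host_filter_permits(nbnames[:1], query_from_chuck),
        "announce_bytes_filter": bytes_filter_permits(nb_datagrams, browser_announce),
        "query_bytes_filter": bytes_filter_permits(nb_datagrams, query_from_chuck),
        "cache_default_learned": "CHUCK1200" in cache_default.names,
        "cache_ignoring_learned": "CHUCK1200" in cache_ignoring.names,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() reproduces the thread: CHUCK1200's own query leaves router C because its target is SERVER1, so only "permit *" matches; a query whose target is CHUCK1200 is the one the deny line catches; dropping "permit *" blocks the query outright; the bytes rule at offset 4 drops the datagram but not the Name_Query; and the announcement lands in the default cache but not in the one that ignores datagrams.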
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:26 GMT-3