Re: Puzzled by the netbios and mac address access-list, need help

From: Wu Jiang (wujiang@xxxxxxxxx)
Date: Thu Jan 11 2001 - 04:32:48 GMT-3


   
In D, should it be host-netbios-out? Or, if you want to permit only one MAC address (of hostA), you can use the dest-mac option to simplify the configuration.
I would prefer C and D because they don't send unwanted traffic over the WAN link. Using C, even explorer packets are filtered.

----- Original Message -----
From: "Jiang" <jianggx@transcentury.com.cn>
To: <ccielab@groupstudy.com>
Sent: Thursday, January 11, 2001 2:18 PM
Subject: Puzzled by the netbios and mac address access-list, need help

> Hello,
>
> I think the dlsw is my weakness, especially about the access-list.
> I try to find more information about them, but I am still very
> puzzled. For example, if I have the topology just like the following:
>
>      ethernet        hdlc        ethernet
> hostA--------Router1----------Router2---------hostB
>        |
>        |
>      hostC
>
> Now I want hosts on the ethernet of Router2 to be able to access only hostA on the
> ethernet of Router1. Router1 and Router2 are configured as dlsw+ peers.
> I think I can use the following methods to get it, but I am not sure
> which one is right and, if more than one is right, which one is the
> best? And what is the difference among them?
>
> A:
> on Router1
> netbios access-list host test permit hostA
> netbios access-list host test deny *
>
> interface e0
> netbios input-access-filter host test
>
> B:
> still on Router1
> netbios access-list host test permit hostA
> netbios access-list host test deny *
>
> interface e0
> netbios output-access-filter host test
>
> C:
> also on Router1
> dlsw icanreach netbios-name hostA
> dlsw icanreach netbios-exclusive
>
> D:
> on Router2
> netbios access-list host test permit hostA
> netbios access-list host test deny *
>
> dlsw remote-peer 0 tcp 1.1.1.1 dmac-output-list test
>
>
> As for A and B, I found in the documentation that input-access-filter is based
> on the source, the output-access-filter is based on destination. So I
> think A and B are both right, right? What is the difference between
> them? I think if I use input-access-filter, Router2 and hostB
> can't know any other hosts except hostA, e.g. it can't see hostC. But if I use
> output-access-filter, Router2 and hostB will see hostC too, but
> just can't access hostC; the packet is denied at the point where the traffic
> will leave Router1's ethernet. Do you think I am right or not?
>
> As for C, I think in my condition, it is the same as A. right? hostB
> will only see hostA.
>
> D, I think, is just like B: hostB can see any host on the remote, e.g.
> hostA, hostC..., but can only access hostA.
>
> I just searched the archive and think there are maybe more solutions, but
> I am really not very clear about it, and especially don't know which one I should
> use under different conditions. I think there is only one
> best solution under special conditions.
>
> Best regards,
> Hiler mailto:jianggx@transcentury.com.cn
>
>



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:27 GMT-3