From: Jiang (jianggx@xxxxxxxxxxxxxxxxxxx)
Date: Thu Jan 11 2001 - 05:40:41 GMT-3
Thanks, Wu Jiang. In D it should be host-netbios-out. Do you think A and B
can do the same or not? And do you think my opinions about the four
methods are right or not? I am just not clear about them.
Thursday, January 11, 2001, 3:32:48 PM, you wrote:
WJ> In D, should it be host-netbios-out? Or if you want to permit only one MAC
WJ> address (of hostA), you can use the dest-mac option to simplify configuration.
WJ> I would prefer C and D because they don't send unwanted traffic over the
WJ> WAN link. Using C, even explorer packets are filtered.
WJ> ----- Original Message -----
WJ> From: "Jiang" <jianggx@transcentury.com.cn>
WJ> To: <ccielab@groupstudy.com>
WJ> Sent: Thursday, January 11, 2001 2:18 PM
WJ> Subject: Puzzlled by the netbios and mac address access-list, need help
>> Hello,
>>
>> I think dlsw is my weakness, especially the access-lists.
>> I have tried to find more information about them, but I am still very
>> puzzled. For example, suppose I have a topology like the following:
>>
>>      ethernet          hdlc          ethernet
>> hostA--------Router1----------Router2---------hostB
>>         |
>>         |
>>       hostC
>>
>> Now I want hosts on the ethernet of Router2 to be able to access only hostA
>> on the ethernet of Router1. Router1 and Router2 are configured as dlsw+ peers.
>> I think I can use the following methods to get it, but I can't be sure
>> which one is right, and if more than one are right, which one is the
>> best? And what is the difference among them?
>>
>> A:
>> on Router1
>> netbios access-list host test permit hostA
>> netbios access-list host test deny *
>>
>> interface e0
>> netbios input-access-filter host test
>>
>> B:
>> still on Router1
>> netbios access-list host test permit hostA
>> netbios access-list host test deny *
>>
>> interface e0
>> netbios output-access-filter host test
>>
>> C:
>> also on Router1
>> dlsw icanreach netbios-name hostA
>> dlsw icanreach netbios-exclusive
>>
>> D:
>> on Router2
>> netbios access-list host test permit hostA
>> netbios access-list host test deny *
>>
>> dlsw remote-peer 0 tcp 1.1.1.1 dmac-output-list test
>>
>>
>> As for A and B, I found in the documentation that input-access-filter is
>> based on the source, and output-access-filter is based on the destination.
>> So I think A and B are all right, right? What is the difference between
>> them? I think if I use input-access-filter, Router2 and hostB
>> can't know any other hosts except hostA, e.g. they can't see hostC. But if
>> I use output-access-filter, Router2 and hostB will see hostC too, but
>> just can't access hostC; the packet is denied at the point where the
>> traffic will leave Router1's ethernet. Do you think I am right or not?
>>
>> As for C, I think in my condition it is the same as A, right? hostB
>> will only see hostA.
>>
>> D, I think, is just like B: hostB can see any host on the remote side, e.g.
>> hostA, hostC..., but can only access hostA.
>>
>> I just searched the archive and think there are maybe more solutions, but
>> I am really not very clear about it, and especially don't know which one
>> I should use under different conditions. I think there is only one
>> best solution under special conditions.
>>
>> Best regards,
>> Hiler mailto:jianggx@transcentury.com.cn
>>
>>
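The correction to method D discussed in the reply, written out as Router2 configuration. This is an added example, not part of either poster's message; the list name `test` and peer address 1.1.1.1 come from the original post, and the MAC address is a constructed placeholder for hostA.

```cisco
! Router2, method D as originally posted.
! dmac-output-list expects a MAC address access list, so it does not
! apply the NetBIOS host list named "test".
netbios access-list host test permit hostA
netbios access-list host test deny *
!
dlsw remote-peer 0 tcp 1.1.1.1 dmac-output-list test
!
! Corrected form from the reply: reference the NetBIOS host list with
! host-netbios-out, so the name filter is applied before traffic is
! sent to the peer over the WAN link.
netbios access-list host test permit hostA
netbios access-list host test deny *
!
dlsw remote-peer 0 tcp 1.1.1.1 host-netbios-out test
!
! Alternative from the reply: permit a single destination MAC (hostA)
! with dest-mac instead of a name list.
! 0000.0c00.0001 is a placeholder, not hostA's real address.
dlsw remote-peer 0 tcp 1.1.1.1 dest-mac 0000.0c00.0001
```

Only one of the three `dlsw remote-peer` statements would be configured for the peer at a time.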