Re[2]: Puzzlled by the netbios and mac address access-list, need help

From: Jiang (jianggx@xxxxxxxxxxxxxxxxxxx)
Date: Thu Jan 11 2001 - 23:19:28 GMT-3


   
I think A will work too,

In Tan Nam-Kee's book "Configuring Cisco Routers for Bridging, DLSW+,
and Desktop Protocols", there are some examples in chapter 2, 2.8.1
section:

on R1:

interface TokenRing0
  netbios input-access-filter host MLIST

netbios access-list host MLIST permit MAR?

This will only allow netbios packets of MARY and MARK to pass through the
router R1. (There are some other hosts named MARLIN, MARVIN.)

Am I right?

Thanks,
Hiler

Thursday, January 11, 2001, 5:36:39 PM, you wrote:

WJ> It makes things more clear for C and D, but I cannot figure out why A and B
WJ> can't work. I will set up a lab to test it.

WJ> Thanks,
WJ> Wu

WJ> ----- Original Message -----
WJ> From: "Justin Menga" <Justin.Menga@computerland.co.nz>
WJ> To: "'Wu Jiang'" <wujiang@bj163.com>
WJ> Cc: <ccielab@groupstudy.com>
WJ> Sent: Thursday, January 11, 2001 4:55 PM
WJ> Subject: RE: Puzzlled by the netbios and mac address access-list, need help

>> Only C or D will work - it really depends on the scenario. E.g. C cuts Host
>> C away from ANY DLSW peer - whereas D only allows Host B to access Host A.
>>
>> Regards,
>>
>> Justin Menga CCIE #6640 MCSE+I CCSE
>> WAN Specialist
>> Computerland New Zealand
>> PO Box 3631, Auckland
>> DDI: (+64) 9 360 4864 Mobile: (+64) 25 349 599
>> mailto: justin.menga@computerland.co.nz
>>
>>
>>
>> -----Original Message-----
>> From: Wu Jiang [mailto:wujiang@bj163.com]
>> Sent: Thursday, January 11, 2001 8:33 PM
>> Cc: ccielab@groupstudy.com
>> Subject: Re: Puzzlled by the netbios and mac address access-list, need
>> help
>>
>>
>> In D, should it be host-netbios-out? Or if you want to permit only one mac
>> address (of hostA), you can use dest-mac option to simplify configuration.
>> I would prefer C and D because they don't send unwanted traffic over the WAN
>> link. Using C, even explorer packets are filtered.
>>
>> ----- Original Message -----
>> From: "Jiang" <jianggx@transcentury.com.cn>
>> To: <ccielab@groupstudy.com>
>> Sent: Thursday, January 11, 2001 2:18 PM
>> Subject: Puzzlled by the netbios and mac address access-list, need help
>>
>>
>> > Hello,
>> >
>> > I think the dlsw is my weakness, especially about the access-list,
>> > I try to find more information about them, but I am still very
>> > puzzled. For example, if I have the topology just like the following:
>> >
>> >        ethernet        hdlc        ethernet
>> > hostA--------Router1----------Router2---------hostB
>> >        |
>> >        |
>> >      hostC
>> >
>> > Now I want hosts on the ethernet of Router2 to be able to access only hostA
>> > on the ethernet of Router1. Router1 and Router2 are configured as dlsw+ peers.
>> > I think I can use the following methods to get it, but I am not sure
>> > which one is right, and if more than one is right, which one is the
>> > best? And what is the difference among them?
>> >
>> > A:
>> > on Router1
>> > netbios access-list host test permit hostA
>> > netbios access-list host test deny *
>> >
>> > interface e0
>> > netbios input-access-filter host test
>> >
>> > B:
>> > still on Router1
>> > netbios access-list host test permit hostA
>> > netbios access-list host test deny *
>> >
>> > interface e0
>> > netbios output-access-filter host test
>> >
>> > C:
>> > also on Router1
>> > dlsw icanreach netbios-name hostA
>> > dlsw icanreach netbios-exclusive
>> >
>> > D:
>> > on Router2
>> > netbios access-list host test permit hostA
>> > netbios access-list host test deny *
>> >
>> > dlsw remote-peer 0 tcp 1.1.1.1 dmac-output-list test
>> >
>> >
>> > As for A and B, I found in the documentation that input-access-filter is based
>> > on the source, the output-access-filter is based on destination. So I
>> > think A and B are all right, right? What is the difference between
>> > them? I think if I use input-access-filter, the Router2 and hostB
>> > can't know any other hosts except hostA, e.g. it can't see hostC. But
>> > if I use output-access-filter, the Router2 and hostB will see hostC too, but
>> > just can't access hostC; the packet is denied at the point where the
>> > traffic will leave the router1's ethernet. Do you think I am right or not?
>> >
>> > As for C, I think in my condition, it is the same as A, right? hostB
>> > will only see hostA.
>> >
>> > D, I think, is just like B: hostB can see any host on the remote, e.g.
>> > hostA, hostC..., but can only access hostA.
>> >
>> > I just searched the archive and think there are maybe more solutions, but
>> > I am really not very clear about it; especially, I don't know which one
>> > I should use under different conditions. I think there is only one
>> > best solution under special conditions.
>> >
>> > Best regards,
>> > Hiler mailto:jianggx@transcentury.com.cn
>> >
>> >
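
Added example, not part of the original thread: a small Python model of how a `netbios access-list host` list, such as the `MLIST` and `test` lists quoted above, selects station names. It assumes that `?` matches exactly one character, that a trailing `*` matches any remaining characters, that matching is case-sensitive, and that a name matching no entry is denied; the function names are hypothetical, and interface direction and DLSw+ peer behaviour are not modelled.

```python
# Added illustration: models name matching for IOS "netbios access-list host".
# Assumed semantics (not taken from the thread): '?' matches exactly one
# character, a trailing '*' matches any remaining characters, entries are
# checked top-down, the first match wins, and a name that matches no entry
# is denied (implicit deny at the end of the list).

def pattern_matches(pattern, name):
    """Return True if a NetBIOS station name matches one list pattern."""
    if pattern.endswith("*"):
        # Trailing wildcard: compare only the fixed prefix of the pattern.
        pattern = pattern[:-1]
        if len(name) < len(pattern):
            return False
        name = name[:len(pattern)]
    if len(pattern) != len(name):
        return False
    return all(p == "?" or p == c for p, c in zip(pattern, name))


def evaluate(acl, name):
    """Return 'permit' or 'deny' for a name; first matching entry wins."""
    for action, pattern in acl:
        if pattern_matches(pattern, name):
            return action
    return "deny"  # implicit deny when nothing matched


def filter_names(acl, names):
    """Return the names whose frames the list would let through."""
    return [n for n in names if evaluate(acl, n) == "permit"]


# The two lists quoted in the thread, written as (action, pattern) pairs.
MLIST = [("permit", "MAR?")]
TEST = [("permit", "hostA"), ("deny", "*")]

if __name__ == "__main__":
    # Constructed sample station names taken from the messages above.
    print(filter_names(MLIST, ["MARY", "MARK", "MARLIN", "MARVIN"]))
    print(filter_names(TEST, ["hostA", "hostB", "hostC"]))
```

Under these assumptions the explicit `deny *` entry in `test` does not change the result, because the implicit deny already rejects every name other than `hostA`.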


