Re: Still question about netbios access-list, that really let me down!!!

From: Wu Jiang (wujiang@xxxxxxxxx)
Date: Fri Jan 12 2001 - 04:57:55 GMT-3


   
Guoxing,
First, yes, NetBIOS access-lists are only allowed on token ring like interfaces.
I also have no token ring routers to test now. And I found a funny thing in the
documentation.
----------------------------------------------
NetBIOS Access Filters Example
The following command permits packets that *include* the station name ABCD to
pass through the router, but denies passage to packets that do not include the
station name ABCD:
netbios access-list host marketing permit ABCD
----------------------------------------------
So I think if you have another way, do not use this method for your lab.

Second, I did test a NetBIOS filter before. It worked. Seems you are encountering
a cache problem. Restarting all routers (and maybe workstations) may help.

Regards,
Wu Jiang

----- Original Message -----
From: "Jiang" <jianggx@transcentury.com.cn>
To: "Wu Jiang" <wujiang@bj163.com>; "CCIELAB" <ccielab@groupstudy.com>
Sent: Friday, January 12, 2001 3:26 PM
Subject: Still question about netbios access-list, that really let me down!!!

> Hello,
>
> I just asked one question about the netbios access-list, thanks
> everyone that answered me. But I am not very clear about it,
> today I set up a test lab in my company, but the result really let me
> down. All methods didn't work at all, so I really need your help
> to find out my mistakes.
>
> First I found I made one big mistake in my first mail, the command
> "netbios input-access-filter host test" can only be configured under
> a token ring interface. But I think my question is the same, will A or B
> work well or not under a token ring interface?
>
> Because I don't have token ring, I just tested C and D on my
> ethernet, I was confident C and D would work. But even when I combined C and
> D, it didn't work. The following is my connection and config:
>
>   LANA    e0     HDLC      e0    LANB
> -------- R5---------------R3---------------
>    |                         |        |
> notepad2                    JGX   HP-SERVER
>
> There is only one host named "notepad2" on the LANA, LANB is my
> company lan, so there are many hosts on it, eg JGX, HP-SERVER.
>
> I want notepad2 to be able to access only JGX, maybe just see JGX in its
> neighbor window. First I just configured on R3:
> dlsw icanreach netbios-exclusive
> dlsw icanreach netbios-name JGX
>
> It didn't work, I can see all hosts in notepad2's net neighbor
> window and can access everyone, so I added the following commands on
> R5:
> netbios access-list host test permit JGX
> netbios access-list host test deny *
> dlsw remote-peer 0 tcp 200.1.1.3 host-netbios-out test
>
> I still can see everyone and access everyone, what's wrong? Is my config
> wrong or are my test conditions wrong? Thanks for your help.
>
> The following is my config (combined C and D):
> r5#show run
> Building configuration...
>
>
>
> Current configuration:
> !
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname r5
> !
> netbios access-list host test permit JGX
> netbios access-list host test deny *
> !
> ip subnet-zero
> no ip domain-lookup
> !
> !
> !
> dlsw local-peer peer-id 200.1.1.5
> dlsw remote-peer 0 tcp 200.1.1.3 host-netbios-out test
> dlsw bridge-group 1
> !
> !
> interface Ethernet0
> ip address 192.168.1.1 255.255.255.0
> no ip directed-broadcast
> bridge-group 1
> !
> interface Serial0
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface Serial1
> ip address 200.1.1.5 255.255.255.0
> no ip directed-broadcast
> !
> interface BRI0
> no ip address
> no ip directed-broadcast
> shutdown
> !
> ip classless
> !
> !
> bridge 1 protocol ieee
> !
> line con 0
> transport input none
> line aux 0
> line vty 0 4
> !
> end
>
>
> r3#show run
> Building configuration...
>
>
>
> Current configuration:
> !
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname r3
> !
> ip subnet-zero
> no ip domain-lookup
> !
> !
> dlsw local-peer peer-id 200.1.1.3
> dlsw remote-peer 0 tcp 200.1.1.5
> dlsw icanreach netbios-exclusive
> dlsw icanreach netbios-name JGX
> dlsw bridge-group 1
> !
> !
> interface Ethernet0
> ip address 192.1.1.88 255.255.255.0
> no ip directed-broadcast
> bridge-group 1
> !
> interface Serial0
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface Serial1
> ip address 200.1.1.3 255.255.255.0
> no ip directed-broadcast
> clockrate 2000000
> !
> interface BRI0
> no ip address
> no ip directed-broadcast
> shutdown
> !
> ip classless
> no ip http server
> !
> !
> bridge 1 protocol ieee
> !
> line con 0
> transport input none
> line aux 0
> line vty 0 4
> !
> end
>
> r3#
>
> When I use "show dlsw reach", I found there are two entries for
> JGX. I think one is through the peer capability, one is dynamically found.
>
> r5#show dlsw reachability
> DLSw Local MAC address reachability cache list
> Mac Addr status Loc. port rif
> 0008.25e9.4567 FOUND LOCAL TBridge-001 --no rif--
>
> DLSw Remote MAC address reachability cache list
> Mac Addr status Loc. peer
> .......
> 0044.0044.0044 FOUND REMOTE 200.1.1.3(2065)
> 0080.6780.2b30 FOUND REMOTE 200.1.1.3(2065)
> .......
>
> DLSw Local NetBIOS Name reachability cache list
> NetBIOS Name status Loc. port rif
> NOTEPAD2 FOUND LOCAL TBridge-001 --no rif--
>
> DLSw Remote NetBIOS Name reachability cache list
> NetBIOS Name status Loc. peer
> .......
> HP-SERVER FOUND REMOTE 200.1.1.3(2065)
> HUHAILONG FOUND REMOTE 200.1.1.3(2065)
> JGX UNCONFIRM REMOTE 200.1.1.3(2065)
> JGX FOUND REMOTE 200.1.1.3(2065)
> .......
>
> Thanks a lot.
> Hiler
>
> --
> Best regards,
> Guoxing Jiang mailto:jianggx@transcentury.com.cn
>
>
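
An added example, not part of either message and not Cisco's code: it parses the "test" list from the quoted r5 configuration, evaluates names against it top-down, and lists which remote names from a `show dlsw reachability` style cache the list would deny, which is a quick way to compare intended policy with what the router has learned. Assumed here: `?` matches one character, a trailing `*` matches any remainder, an unmatched name falls to an implicit deny, and the column spacing of the sample cache is constructed.

```python
import re

# Constructed from the configuration quoted in the message (list "test" on r5).
ACL_CONFIG = """\
netbios access-list host test permit JGX
netbios access-list host test deny *
"""

# Constructed sample: remote NetBIOS name cache lines in the quoted format.
REACH_SAMPLE = """\
DLSw Remote NetBIOS Name reachability cache list
NetBIOS Name    status     Loc.    peer
HP-SERVER       FOUND      REMOTE  200.1.1.3(2065)
HUHAILONG       FOUND      REMOTE  200.1.1.3(2065)
JGX             UNCONFIRM  REMOTE  200.1.1.3(2065)
JGX             FOUND      REMOTE  200.1.1.3(2065)
"""

def parse_acl(config, list_name):
    """Return ordered (action, pattern) entries for one host access list."""
    rx = re.compile(r"^netbios access-list host (\S+) (permit|deny) (\S+)\s*$")
    entries = []
    for line in config.splitlines():
        m = rx.match(line.strip())
        if m and m.group(1) == list_name:
            entries.append((m.group(2), m.group(3)))
    return entries

def pattern_to_regex(pattern):
    """Assumed semantics: '?' is one character, trailing '*' is any suffix."""
    tail = pattern.endswith("*")
    core = pattern[:-1] if tail else pattern
    body = "".join("." if c == "?" else re.escape(c) for c in core)
    return re.compile(body + (".*" if tail else "") + r"\Z", re.S)

def evaluate(entries, name):
    """First matching entry decides; no match falls to the implicit deny."""
    for action, pattern in entries:
        if pattern_to_regex(pattern).match(name):
            return action
    return "deny"

def cached_but_denied(entries, reach_text):
    """Remote names present in the cache that the list would deny."""
    rows = [l.split() for l in reach_text.splitlines()]
    remote = [r[0] for r in rows if len(r) == 4 and r[2] == "REMOTE"]
    denied = [n for n in remote if evaluate(entries, n) == "deny"]
    return list(dict.fromkeys(denied))  # de-duplicate, keep order
```
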



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:28 GMT-3