From: zhangxianqi (xianqizhang@xxxxxxxx)
Date: Sat Jan 13 2001 - 10:49:58 GMT-3
Hi, Wujiang and Guoxing,
You can see stations in your neighbor, even if you use a filter. This is because
the WINS protocol doesn't act as pure NetBIOS. So you can't use a filter to
prevent stations from being present in Windows's neighbor. If you want to test
the effect of the filter, you can use the 'net view' command in DOS mode.
Regards
Xianqi
----- Original Message -----
From: Wu Jiang <wujiang@bj163.com>
To: <ccielab@groupstudy.com>
Sent: Friday, January 12, 2001 3:57 PM
Subject: Re: Still question about netbios access-list, that really let me down!!!
> Guoxing,
> First, yes, NetBIOS access-lists are only allowed on token ring like interfaces.
> I also have no token ring routers to test now. And I found a funny thing in
> the documentation.
> ----------------------------------------------
> NetBIOS Access Filters Example
> The following command permits packets that *include* the station name ABCD to
> pass through the router, but denies passage to packets that do not include the
> station name ABCD:
> netbios access-list host marketing permit ABCD
> ----------------------------------------------
> So I think if you have another way, do not use this method for your lab.
>
> Second, I did test a NetBIOS filter before. It worked. Seems you are
> encountering a cache problem. Restarting all routers (and maybe workstations) may help.
>
> Regards,
> Wu Jiang
>
> ----- Original Message -----
> From: "Jiang" <jianggx@transcentury.com.cn>
> To: "Wu Jiang" <wujiang@bj163.com>; "CCIELAB" <ccielab@groupstudy.com>
> Sent: Friday, January 12, 2001 3:26 PM
> Subject: Still question about netbios access-list, that really let me down!!!
>
>
> > Hello,
> >
> > I just asked one question about the netbios access-list, thanks
> > everyone that answered me. But I am not very clear about it,
> > today I set up a test lab in my company, but the result really let me
> > down. All methods didn't work at all, so I really need your help
> > to find out my mistakes.
> >
> > First I found I made one big mistake in my first mail, the command
> > "netbios input-access-filter host test" can only be configured under
> > a tokenring interface. But I think my question is the same, will A or B
> > work well or not under a token interface?
> >
> > Because I don't have tokenring, I just tested C and D on my
> > ethernet. I am confident C and D will work. But even when I combined C and
> > D, it didn't work. The following is my connection and config:
> >
> >     LANA   e0      HDLC      e0      LANB
> >   -------- R5---------------R3---------------
> >      |                           |        |
> >   notepad2                      JGX   HP-SERVER
> >
> > There is only one host named "notepad2" on the LANA, LANB is my
> > company lan, so there are many hosts on it, eg JGX, HP-SERVER.
> >
> > I want notepad2 to be able to access only JGX, or maybe just to see JGX in
> > its neighbor window. First I just configured on R3:
> > dlsw icanreach netbios-exclusive
> > dlsw icanreach netbios-name JGX
> >
> > It didn't work, I can see all hosts in notepad2's net neighbor
> > window and can access everyone, so I added the following commands on
> > R5:
> > netbios access-list host test permit JGX
> > netbios access-list host test deny *
> > dlsw remote-peer 0 tcp 200.1.1.3 host-netbios-out test
> >
> > I can still see everyone and access everyone, what's wrong? Is my config
> > wrong or are my test conditions wrong? Thanks for your help.
> >
> > The following is my config (combined C and D):
> > r5#show run
> > Building configuration...
> >
> >
> >
> > Current configuration:
> > !
> > version 12.0
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname r5
> > !
> > netbios access-list host test permit JGX
> > netbios access-list host test deny *
> > !
> > ip subnet-zero
> > no ip domain-lookup
> > !
> > !
> > !
> > dlsw local-peer peer-id 200.1.1.5
> > dlsw remote-peer 0 tcp 200.1.1.3 host-netbios-out test
> > dlsw bridge-group 1
> > !
> > !
> > interface Ethernet0
> > ip address 192.168.1.1 255.255.255.0
> > no ip directed-broadcast
> > bridge-group 1
> > !
> > interface Serial0
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > interface Serial1
> > ip address 200.1.1.5 255.255.255.0
> > no ip directed-broadcast
> > !
> > interface BRI0
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > ip classless
> > !
> > !
> > bridge 1 protocol ieee
> > !
> > line con 0
> > transport input none
> > line aux 0
> > line vty 0 4
> > !
> > end
> >
> >
> > r3#show run
> > Building configuration...
> >
> >
> >
> > Current configuration:
> > !
> > version 12.0
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname r3
> > !
> > ip subnet-zero
> > no ip domain-lookup
> > !
> > !
> > dlsw local-peer peer-id 200.1.1.3
> > dlsw remote-peer 0 tcp 200.1.1.5
> > dlsw icanreach netbios-exclusive
> > dlsw icanreach netbios-name JGX
> > dlsw bridge-group 1
> > !
> > !
> > interface Ethernet0
> > ip address 192.1.1.88 255.255.255.0
> > no ip directed-broadcast
> > bridge-group 1
> > !
> > interface Serial0
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > interface Serial1
> > ip address 200.1.1.3 255.255.255.0
> > no ip directed-broadcast
> > clockrate 2000000
> > !
> > interface BRI0
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > ip classless
> > no ip http server
> > !
> > !
> > bridge 1 protocol ieee
> > !
> > line con 0
> > transport input none
> > line aux 0
> > line vty 0 4
> > !
> > end
> >
> > r3#
> >
> > When I use "show dlsw reach", I find there are two entries about
> > JGX. I think one is through the peer capability, one is dynamically found.
> >
> > r5#show dlsw reachability
> > DLSw Local MAC address reachability cache list
> > Mac Addr status Loc. port rif
> > 0008.25e9.4567 FOUND LOCAL TBridge-001 --no rif--
> >
> > DLSw Remote MAC address reachability cache list
> > Mac Addr status Loc. peer
> > .......
> > 0044.0044.0044 FOUND REMOTE 200.1.1.3(2065)
> > 0080.6780.2b30 FOUND REMOTE 200.1.1.3(2065)
> > .......
> >
> > DLSw Local NetBIOS Name reachability cache list
> > NetBIOS Name status Loc. port rif
> > NOTEPAD2 FOUND LOCAL TBridge-001 --no rif--
> >
> > DLSw Remote NetBIOS Name reachability cache list
> > NetBIOS Name status Loc. peer
> > .......
> > HP-SERVER FOUND REMOTE 200.1.1.3(2065)
> > HUHAILONG FOUND REMOTE 200.1.1.3(2065)
> > JGX UNCONFIRM REMOTE 200.1.1.3(2065)
> > JGX FOUND REMOTE 200.1.1.3(2065)
> > .......
> >
> > Thanks a lot.
> > Hiler
> >
> > --
> > Best regards,
> > Guoxing Jiang mailto:jianggx@transcentury.com.cn
> >
> >
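An added example, not part of the thread or of any Cisco tooling: it evaluates the "test" host access list from the posted R5 config against the remote NetBIOS names in the posted "show dlsw reachability" output and lists the names the list would deny. Assumptions: entries are checked in order with the first match deciding, a name matching nothing is denied (as the quoted documentation excerpt implies), '?' matches one character and a trailing '*' any suffix; all function names are hypothetical and the sample text is copied from the thread with column spacing reconstructed.

```python
import re

# Sample input: ACL lines and cache rows as posted in the thread (spacing reconstructed).
ACL_CONFIG = """
netbios access-list host test permit JGX
netbios access-list host test deny *
"""
REACHABILITY = """
DLSw Local NetBIOS Name reachability cache list
NOTEPAD2        FOUND      LOCAL   TBridge-001  --no rif--
DLSw Remote NetBIOS Name reachability cache list
HP-SERVER       FOUND      REMOTE  200.1.1.3(2065)
HUHAILONG       FOUND      REMOTE  200.1.1.3(2065)
JGX             UNCONFIRM  REMOTE  200.1.1.3(2065)
JGX             FOUND      REMOTE  200.1.1.3(2065)
"""

ACL_RX = re.compile(r"netbios access-list host (\S+) (permit|deny) (\S+)")

def parse_acl(config, list_name):
    """Ordered (action, pattern) entries of one NetBIOS host access list."""
    hits = (ACL_RX.fullmatch(l.strip()) for l in config.splitlines())
    return [(m.group(2), m.group(3)) for m in hits if m and m.group(1) == list_name]

def name_matches(pattern, name):
    # Assumed wildcards: '?' is any one character, a trailing '*' any suffix.
    star = pattern.endswith("*")
    body = "".join("." if c == "?" else re.escape(c) for c in pattern.rstrip("*"))
    return re.fullmatch(body + (".*" if star else ""), name) is not None

def evaluate(acl, name):
    # First matching entry decides; a name matching nothing is denied.
    for action, pattern in acl:
        if name_matches(pattern, name):
            return action
    return "deny"

def remote_names(output):
    """Names listed in the 'Remote NetBIOS Name' section of the cache output."""
    names, in_section = set(), False
    for line in output.splitlines():
        fields = line.split()
        if line.startswith("DLSw"):
            in_section = "Remote NetBIOS Name" in line
        elif in_section and len(fields) >= 4 and fields[2] == "REMOTE":
            names.add(fields[0])
    return names

def outside_allow_list(config, list_name, output):
    acl = parse_acl(config, list_name)
    return sorted(n for n in remote_names(output) if evaluate(acl, n) == "deny")
```

A name reported here only shows that the router has learned a station the list would deny; it is a cue to re-check after clearing the cache, not proof by itself that the filter is being bypassed.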
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:28 GMT-3