Re: netbios filter on DLSW - am I missing something?

From: Connary, Julie Ann (jconnary@xxxxxxxxx)
Date: Sat Jan 20 2001 - 11:13:16 GMT-3


Hi,

I tried both. JCONNARY-W2K is off of R3 and JULIE-95 is off of R2 - but I'm
going to do it again this morning with a fresh mind.

I read in Source-Route-Bridging the following caveats:

As you configure NetBIOS access filters, keep the following issues in mind:

   - The access lists that apply filters to an interface are scanned in
     the order they are entered.

   - There is no way to put a new access list entry in the middle of an
     access list. All new additions to existing NetBIOS access lists are
     placed at the end of the existing list.

   - Access list arguments are case sensitive. The software makes a
     literal translation, so that a lowercase "a" is different from an
     uppercase "A". (Most nodes are named in uppercase letters.)

   - A host NetBIOS access list and byte NetBIOS access list can each use
     the same name. The two lists are identified as unique and bear no
     relationship to each other.

   - The station names included in the access lists are compared with the
     source name field for NetBIOS commands 00 and 01
     (ADD_GROUP_NAME_QUERY and ADD_NAME_QUERY), as well as the destination
     name field for NetBIOS commands 08, 0A, and 0E
     (DATAGRAM, NAME_QUERY, and NAME_RECOGNIZED).

   - If an access list does not contain a particular station name, the
     default action is to deny the access to that station.

To minimize any performance degradation, NetBIOS access filters do not
examine all packets. Rather, they examine certain packets that are used to
establish and maintain NetBIOS client/server connections, thereby
effectively stopping new access and load across the router. However,
applying a new access filter does not terminate existing sessions
immediately. All new sessions will be filtered, but existing sessions could
continue for some time.

So I disabled DLSW, made sure the connections were gone, re-enabled, and
still got a connection.
I guess I have to figure out whether my list should filter on the source or
destination. In examples they usually put in the source, but when
jconnary-w2k goes to talk to julie-95 it sends out a name_query - right?
So then it should be the destination.

Well, I'm going to try one more time and move on to multicasting.

Thanks,

At 02:23 PM 1/19/2001 -0800, you wrote:
>If I've read your scenario right, the netbios access-list on R3 should
>deny JULIE-95.
>or put the existing one on R2.
>
> >>> "Connary, Julie Ann" <jconnary@cisco.com> 01/19 2:05 PM >>>
>Hi All,
>
>I went back and read all the messages on netbios filtering and it still
>doesn't work as I expected, can
>someone point out my problem? I think I'm just missing something really
>simple here.
>
>I have a simple network:
>
>--------netbeui pc-on Ethernet---r2------ip network-----r3----ethernet -
>netbeui pc
>
>netbios name jconnary-w2k                        netbios name julie-95
>
>So I wanted to prevent jconnary-w2k on R3's ethernet from establishing a
>circuit with julie-95 on R2's ethernet.
>
>First I filtered sap f0f0, worked great.
>Then I tried netbios name filtering.
>
>On R3 I setup a netbios access-list and applied it to the remote-peer
>statement for R2.
>
>netbios access-list host selab deny JCONNARY-W2K
>netbios access-list host selab permit *
>enable password cisco
>!
>username r5 password 0 julie
>ip subnet-zero
>no ip domain-lookup
>isdn switch-type basic-ni
>!
>sap-priority-list 1 medium dmac 0001.38ac.1f00
>source-bridge ring-group 30
>dlsw local-peer peer-id 170.100.3.1
>dlsw remote-peer 0 tcp 170.100.25.2 priority host-netbios-out selab
>dlsw duplicate-path-bias load-balance
>dlsw timer explorer-wait-time 10
>
>
>But I still get a connection. I looked at debug and I can watch the
>connection be setup - but why? I even tried lower and upper case
>on my access-list with the same results. I then read manuals and looked in
>emails and they all say to do it this way - that this would filter the
>request from jconnary-w2k going to julie-95 and would
>filter any return traffic if julie-95 tried to establish the connection.
>
>Or have I got that wrong?
>
>Julie Ann
>------------------------------------------------------------------------
> Julie Ann Connary
> Network Consulting Engineer
> Federal Support Program
> 13635 Dulles Technology Drive, Herndon VA 20171
> Pager: 1-888-642-0551
> Cisco Systems          Email: jconnary@cisco.com
>------------------------------------------------------------------------
>

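To make the matching rules from the quoted Cisco caveats concrete, here is an added model of a host NetBIOS access list (not code from this thread or from IOS): entries are scanned in order, names are compared case-sensitively, commands 00/01 are checked against the source name and 08/0A/0E against the destination name, unmatched names are denied, and all other frames are not examined. The `*`/`?` wildcard semantics are an assumption; the list `selab` and the frames are constructed from the original post.

```python
from fnmatch import fnmatchcase

# NetBIOS command codes named in the quoted caveats and the name field
# the filter compares for each of them.
SOURCE_CHECKED = {0x00: "ADD_GROUP_NAME_QUERY", 0x01: "ADD_NAME_QUERY"}
DEST_CHECKED = {0x08: "DATAGRAM", 0x0A: "NAME_QUERY", 0x0E: "NAME_RECOGNIZED"}


def name_matches(pattern, name):
    """Case-sensitive literal compare; '*' and '?' as wildcards (assumption)."""
    return fnmatchcase(name, pattern)


def filter_action(acl, command, src_name, dst_name):
    """Return 'permit', 'deny' or 'not-examined' for one NetBIOS frame.

    acl is an ordered list of (action, pattern) tuples, as entered on the
    router. Frames whose command code is not in either table are passed
    through without being inspected, as the caveats describe.
    """
    if command in SOURCE_CHECKED:
        checked = src_name
    elif command in DEST_CHECKED:
        checked = dst_name
    else:
        return "not-examined"
    for action, pattern in acl:          # first match wins, in entry order
        if name_matches(pattern, checked):
            return action
    return "deny"                        # name not in the list: default deny


# Constructed from the original post:
#   netbios access-list host selab deny JCONNARY-W2K
#   netbios access-list host selab permit *
selab = [("deny", "JCONNARY-W2K"), ("permit", "*")]

# Constructed frames for the exchange discussed in the thread.
FRAMES = [
    (0x0A, "JCONNARY-W2K", "JULIE-95"),   # NAME_QUERY: destination is checked
    (0x0E, "JULIE-95", "JCONNARY-W2K"),   # NAME_RECOGNIZED: destination is checked
    (0x01, "JCONNARY-W2K", ""),           # ADD_NAME_QUERY: source is checked
    (0x0A, "JULIE-95", "jconnary-w2k"),   # lowercase name does not match the entry
]

if __name__ == "__main__":
    for cmd, src, dst in FRAMES:
        kind = SOURCE_CHECKED.get(cmd) or DEST_CHECKED.get(cmd) or "other"
        print(f"{kind:<20} {src:<13} -> {dst:<13} {filter_action(selab, cmd, src, dst)}")
```

Run as is, the first frame (the NAME_QUERY from the W2K machine) is permitted because only its destination name JULIE-95 is compared, which is consistent with the circuit still coming up in the post.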


This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:36 GMT-3