RE: DLSW Netbios Name Filters

From: Michael Le (mmle@xxxxxxxxxxxxxxxxx)
Date: Mon Jan 22 2001 - 19:40:59 GMT-3


   
Hello,

This is an old thread that I'm looking at again because I'm having problems
with filtering Netbios names.
I have the same setup as Bill does below.

PC[ABC]---(Router1)---(Border Peer)---(Router2)---PC[XYZ]

Router1

netbios access-list host XYZ deny XYZ

dlsw local-peer peer-id 1.1.1.1 group 1 promiscuous
dlsw remote-peer 0 tcp 2.2.2.2 host-netbios-out XYZ
dlsw peer-on-demand-defaults host-netbios-out XYZ
dlsw bridge-group 1

Border Peer

dlsw local-peer peer-id 2.2.2.2 group 1 border
dlsw remote-peer 0 tcp 1.1.1.1
dlsw remote-peer 0 tcp 3.3.3.3

Router2

dlsw local-peer peer-id 3.3.3.3 group 1 promiscuous
dlsw remote-peer 0 tcp 2.2.2.2
dlsw bridge-group 1

Fred stated in his email that the netbios filter filters out Netbios
NAME_QUERYs. And I see a lot of Groupstudy archived posts that say the same
thing. So that's like filtering based on destination Netbios name. However,
as PC[ABC] I can still access PC[XYZ]. If you look on Cisco's site,
http://www.cisco.com/warp/public/cc/pd/ibsw/ibdlsw/prodlit/dlsw4_rg.htm#17191,
then the example seems to show that it filters based on source Netbios
name.
So, which is it? From everything I read, the above should work. Maybe it is
because Router2 is running 11.2(24). I will try to upgrade, but is my
configuration correct? Is the Cisco website wrong?
Thanks.

Michael Le

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Fred Ingham
Sent: Thursday, November 09, 2000 12:58 PM
To: Bill Fallon; ccielab@groupstudy.com
Subject: Re: DLSW Netbios Name Filters

The NetBIOS name filter filters NetBIOS Name_Query packets so the filter
goes on the router nearest the PC issuing the Name_Query. In your case
the filter denying MUSICMAKER would go on R1. The filter denying
PENTIUM200 would go on R2.

The dlsw peer-on-demand-defaults host-netbios-out TEST command on R2
isn't needed for your configuration since both remote peers are
configured. This would be used if R2 were promiscuous and no remote
peer configured.

If you want to deny access to a local PC from any outside access you
could a.) disable dlsw, b.) use bgroups c.) use
icanreach netbios-exclusive for resources you want accessed. These
commands would go on the local router.

Cheers, Fred.

Bill Fallon wrote:
>
>
> Hi--I have run into some confusion with Netbios Name filtering over DLSW.
> Here is the basic testbed I created:
>
> PC(Name: PENTIUM200)--hub----e0[R1]s0----HDLC------s0[R2]e0----hub----PC(Name: MUSICMAKER)
>
> The only way I can get the net bios name filters to work is to filter the
> remote PC NETBIOS NAME on local side of the DLSW connection.
>
> For example: if I just set up a netbios access list on R1 to filter
> Pentium200, MUSICMAKER is still able to access it.
>
> However, if I ONLY set up a filter on R2 (Filtering PENTIUM200) then the
> traffic is blocked from MUSICMAKER to PENTIUM200; but this does not
> prevent PENTIUM200 from accessing MUSICMAKER. Also, PENTIUM200 will still
> show up in the reachability list of R2 if you "NETVIEW \\MUSICMAKER" from
> PENTIUM200. This does not make any sense to me??? If I just want to block
> my local Netbios names from being seen by a remote Router, shouldn't
> blocking it on the LOCAL router be the correct way to do it. Can you
> explain this to me.....(I GUESS THIS IS WHY IT COULD BE A GREAT TEST
> QUESTION ON THE LAB--TRY IT YOURSELF).
> here are the 2 configs:
>
> R1#sh run
> Building configuration...
>
> Current configuration:
>
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname R1
> !
> !
> ip subnet-zero
> !
> dlsw local-peer peer-id 1.1.1.1
> dlsw remote-peer 0 tcp 2.2.2.2
> dlsw bridge-group 1
> !
> !
> interface Loopback0
> ip address 1.1.1.1 255.255.255.0
> no ip directed-broadcast
> !
> interface Ethernet0
> ip address 10.10.10.1 255.255.255.0
> no ip directed-broadcast
> bridge-group 1
> !
> interface Serial0
> ip address 2.2.3.1 255.255.255.0
> no ip directed-broadcast
> no ip mroute-cache
> no fair-queue
> clockrate 64000
> !
> interface Serial1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> router igrp 100
> network 1.0.0.0
> network 2.0.0.0
> !
> ip classless
> !
> !
> bridge 1 protocol ieee
> !
> line con 0
> transport input none
> line aux 0
> line vty 0 4
> !
> end
>
> R1#
>
> *************************
>
> R2#sh run
> Building configuration...
>
> Current configuration:
> !
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname R2
> !
> netbios access-list host TEST deny PENTIUM200
> netbios access-list host TEST permit *
> !
> ip subnet-zero
> !
> dlsw local-peer peer-id 2.2.2.2
> dlsw remote-peer 0 tcp 1.1.1.1 host-netbios-out TEST
> dlsw peer-on-demand-defaults host-netbios-out TEST
> dlsw bridge-group 1
> !
> !
> interface Loopback0
> ip address 2.2.2.2 255.255.255.0
> no ip directed-broadcast
> !
> interface Ethernet0
> ip address 20.20.20.1 255.255.255.0
> no ip directed-broadcast
> bridge-group 1
> !
> interface Serial0
> ip address 2.2.3.2 255.255.255.0
> no ip directed-broadcast
> no ip mroute-cache
> no fair-queue
> !
> interface Serial1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> router igrp 100
> network 2.0.0.0
> network 20.0.0.0
> !
> ip classless
> !
> !
> bridge 1 protocol ieee
> !
> line con 0
> transport input none
> line aux 0
> line vty 0 4
> login
> !
> end
>
> R2#
>
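
A small model of the filter placement Fred describes, applied to Bill's two-router testbed; it is an added example, not part of the original thread and not Cisco's implementation. It assumes first-match list evaluation with deny when nothing matches, uses Python's `fnmatch` wildcards as a stand-in for list patterns, and all function and variable names are hypothetical.

```python
from fnmatch import fnmatchcase

# The list from Bill's R2 config, plus the one Fred suggests for R1.
TEST = [("deny", "PENTIUM200"), ("permit", "*")]
DENY_MUSICMAKER = [("deny", "MUSICMAKER"), ("permit", "*")]

# Constructed topology: the router each PC's LAN is bridged to.
LAN = {"PENTIUM200": "R1", "MUSICMAKER": "R2"}


def list_permits(acl, name):
    """First matching entry wins; no match is treated as deny (assumption)."""
    for action, pattern in acl:
        if fnmatchcase(name.upper(), pattern.upper()):
            return action == "permit"
    return False


def name_query_crosses(filters, src, dst):
    """Model of Fred's description: the Name_Query that src sends for dst is
    checked only by the host-netbios-out list on src's own router, and the
    name compared against the list is the queried (destination) name."""
    acl = filters.get(LAN[src])  # None: no host-netbios-out list configured
    return acl is None or list_permits(acl, dst)


def reachability(filters):
    """Return {(src, dst): True/False} for every ordered pair of PCs."""
    return {(s, d): name_query_crosses(filters, s, d)
            for s in LAN for d in LAN if s != d}


if __name__ == "__main__":
    cases = {
        "TEST on R2 only": {"R2": TEST},
        "TEST on R1 only": {"R1": TEST},
        "deny MUSICMAKER on R1": {"R1": DENY_MUSICMAKER},
    }
    for label, filters in cases.items():
        print(label)
        for (src, dst), ok in reachability(filters).items():
            print(f"  {src} -> {dst}: {'passes' if ok else 'filtered'}")
```

Under this model the first two cases reproduce what Bill observed, and the third is the placement Fred recommends for R1.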



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:39 GMT-3