Re: tcp ports for dlsw+ traffic

From: Ron (ron@xxxxxxxxxxxxxxxxxxxx)
Date: Mon Feb 26 2001 - 13:26:05 GMT-3


Hi, David,

You're right. For FST, it only needs protocol 91, not TCP. At the
beginning I tried to simplify my question. Actually there are both "fst" and
"tcp" in the scenario for firewall & dlsw+. This is why I used
access-list 120, including fst and tcp ports.

Thanks again,

Ron

----- Original Message -----
From: David FAHED <dfahed@outremer.com>
To: Ron <ron@xtranetsolutions.com>
Cc: Devon Watkins <devon_watkins@yahoo.com>; <ccielab@groupstudy.com>
Sent: Monday, February 26, 2001 5:22 AM
Subject: Re: tcp ports for dlsw+ traffic

> Hi,
>
> I think you don't need to use:
> access-list 120 permit tcp any eq 2065 any
> access-list 120 permit tcp any eq 2067 any
> with FST encapsulation. It is useful only for TCP encapsulation, as you can see
> when you sh access-list 120:
> Extended IP access list 120
> permit eigrp any any (568 matches)
> permit tcp any any eq bgp (110 matches)
> permit 91 any any (222 matches)
> permit tcp any eq 2065 any <- no packet matches this access-list
> permit tcp any eq 2067 any <- no packet matches this access-list
>
> Try not using the 2 lines and you will see it will work also. After that you
> can try with TCP encapsulation and you will see that you will need these two
> lines...
>
>
> Ron wrote:
>
> > Hi, Devon and David,
> >
> > Your suggestions are great!!! It works. But I have to open protocol
> > number 91 for FST to work. Per Caslow's CCIE book (p686), it says 71. It
> > also mentioned 2067 for dlsw+ write. Here is my access-list on R2:
> >
> > access-list 120 permit eigrp any any
> > access-list 120 permit tcp any any eq bgp
> > access-list 120 permit 91 any any
> > access-list 120 permit tcp any eq 2065 any
> > access-list 120 permit tcp any eq 2067 any
> >
> > r2#sh access-list 120
> > Extended IP access list 120
> > permit eigrp any any (568 matches)
> > permit tcp any any eq bgp (110 matches)
> > permit 91 any any (222 matches)
> > permit tcp any eq 2065 any
> > permit tcp any eq 2067 any
> >
> > Thanks again,
> >
> > Ron
> >
> > ----- Original Message -----
> > From: David FAHED <dfahed@outremer.com>
> > To: Ron <ron@xtranetsolutions.com>
> > Cc: <ccielab@groupstudy.com>
> > Sent: Sunday, February 25, 2001 9:30 PM
> > Subject: Re: tcp ports for dlsw+ traffic
> >
> > > My English is not perfect but I will try to explain it to you.
> > > Router R3 has a bigger IP address than router R1. So when R1 tries to
> > > make a connection to R3 (it's OK for your access-list), R3 tears down
> > > the TCP connection on its local port 2065. Then R3 tries to make the
> > > connection (no problem with your access-list for R3->R1 eth0 in), but
> > > when the packet comes back from R1 to R3 the packet has a TCP source
> > > port of 2065 and a TCP destination port >1023 (you have a problem with
> > > your access-list).
> > > Try this; I can't test it now but I think it will work:
> > > interface e0
> > > ip access-group 120 in
> > > access-list 120 permit tcp any eq 2065 any
> > > access-list 120 permit tcp any eq 2067 any <- I don't think you need this.
> > > Don't forget to add ports 1981, 1982, 1983 if you use priority with DLSw.
> > > Try this link to learn which ports DLSw uses...
> > >
> > > http://127.0.0.1:8080/cc/td/doc/product/software/ios120/12cgcr/ibm_c/bcprt2/bcdlsw.htm#15211
> > >
> > >
> > >
> > >
> > > Ron wrote:
> > >
> > > > Hi, all,
> > > >
> > > > Besides tcp 2065 and tcp 2067, are there any more ports for dlsw+
> > > > traffic? I checked the Cisco CD and got no answer. Before I put
> > > > access-list 120 in R2, the dlsw+ was working. If I put the
> > > > access-list in, the dlsw+ peers are lost.
> > > >
> > > > Here is the scenario: R1 (fa0/0) .........(e0, access-list 120 in ) R2
> > > > (s1)...........(s1)R3
> > > > Required: only permit dlsw+ traffic pass through R2
> > > > My configs:
> > > > *************
> > > > R1:
> > > > dlsw local-peer peer-id 138.10.4.1
> > > > dlsw remote-peer 0 fst 138.10.25.3
> > > > dlsw bridge-group 1
> > > >
> > > > R2:
> > > > interface e0
> > > > ip access-group 120 in
> > > > access-list 120 permit tcp any any eq 2065
> > > > access-list 120 permit tcp any any eq 2067
> > > >
> > > > R3:
> > > > dlsw local-peer peer-id 138.10.25.3
> > > > dlsw remote-peer 0 fst 138.10.4.1
> > > > dlsw bridge-group 1
> > > >
> > > > r1#sh dlsw peers
> > > >
> > > > Peers:                 state     pkts_rx   pkts_tx  type  drops ckts TCP   uptime
> > > >  FST 138.10.25.3       DISCONN         0         0  conf      0    -   -        -
> > > >
> > > > Expected: 0 Next Send: 0 Seq errors: 0
> > > > Total number of connected peers: 0
> > > > Total number of connections: 0
> > > >
> > > > ********************
> > > >
> > > > Thanks for any help,
> > > >
> > > > Ron
> > > >
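Added example, not from the original posts and not IOS code: a small Python model of IOS extended-ACL matching, run against the DLSw+ packets the thread describes arriving inbound on R2's e0 from R1. It assumes first-match semantics with the implicit deny at the end of the list, supports only "any" addresses and "eq" port matches, and takes the R1/R3 addresses, ports 2065/2067, IP protocol 91 for FST and the two ACL versions from the thread. The ephemeral port 11001 is an assumed value, the packets are constructed, and the priority-port entries for 1981-1983 follow David's reminder but their exact form is assumed by analogy with the 2065 line.

```python
"""Model of IOS extended-ACL matching applied to the DLSw+ flows in the thread.

Added example (not from the posts, not IOS code). Deliberately small model:
first matching entry wins, implicit deny after the last entry, only 'any'
addresses and 'eq' port operators. Ephemeral port and packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_NUMBERS = {"tcp": 6, "eigrp": 88}   # protocol keywords used in the thread's ACEs
PORT_NUMBERS = {"bgp": 179}               # port keywords used in the thread's ACEs


@dataclass(frozen=True)
class Packet:
    proto: int                   # IP protocol number (6 = TCP, 88 = EIGRP, 91 = FST)
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without ports
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                  # 'permit' or 'deny'
    proto: Optional[int]         # None means 'ip' (any protocol)
    sport: Optional[int]         # None means any source port
    dport: Optional[int]         # None means any destination port


def _take_port(toks: List[str], pos: int) -> Tuple[Optional[int], int]:
    """Consume 'any [eq <port>]' starting at toks[pos]; return (port, next_pos)."""
    if toks[pos] != "any":
        raise ValueError("this model supports only 'any' addresses")
    pos += 1
    if pos < len(toks) and toks[pos] == "eq":
        tok = toks[pos + 1]
        return (PORT_NUMBERS[tok] if tok in PORT_NUMBERS else int(tok)), pos + 2
    return None, pos


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> any [eq P] any [eq P]'."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    proto = toks[3]
    if proto == "ip":
        proto_num: Optional[int] = None
    elif proto.isdigit():
        proto_num = int(proto)            # e.g. 'permit 91 any any' for FST
    else:
        proto_num = PROTO_NUMBERS[proto]
    sport, pos = _take_port(toks, 4)
    dport, _ = _take_port(toks, pos)
    return Ace(toks[2], proto_num, sport, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto is not None and ace.proto != pkt.proto:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; IOS ends every list with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Ron's first list on R2 ('ip access-group 120 in' on e0, the R1-facing side).
ORIGINAL_ACL = parse_acl("""
access-list 120 permit tcp any any eq 2065
access-list 120 permit tcp any any eq 2067
""")

# Ron's working list from later in the thread.
FINAL_ACL = parse_acl("""
access-list 120 permit eigrp any any
access-list 120 permit tcp any any eq bgp
access-list 120 permit 91 any any
access-list 120 permit tcp any eq 2065 any
access-list 120 permit tcp any eq 2067 any
""")

# David's reminder: priority peers also use 1981-1983. Entry form assumed.
PRIORITY_ACL = FINAL_ACL + [
    parse_ace(f"access-list 120 permit tcp any eq {p} any") for p in (1981, 1982, 1983)
]

R1, R3 = "138.10.4.1", "138.10.25.3"
EPHEMERAL = 11001   # assumed; any port above 1023 behaves the same here

# Constructed packets as seen inbound on R2 e0, i.e. sent by R1 towards R3.
FLOWS: Dict[str, Packet] = {
    "r1_syn_to_r3_2065":   Packet(6, R1, R3, EPHEMERAL, 2065),  # R1 opens its peer
    "r1_reply_from_2065":  Packet(6, R1, R3, 2065, EPHEMERAL),  # answer on R3's peer
    "fst":                 Packet(91, R1, R3),                  # FST, no TCP ports
    "eigrp":               Packet(88, R1, R3),
    "bgp":                 Packet(6, R1, R3, EPHEMERAL, 179),
    "priority_1981_reply": Packet(6, R1, R3, 1981, EPHEMERAL),
    "telnet":              Packet(6, R1, R3, EPHEMERAL, 23),
}


def decisions(acl: List[Ace]) -> Dict[str, str]:
    """Map each constructed flow name to the ACL's permit/deny decision."""
    return {name: evaluate(acl, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("final", FINAL_ACL),
                       ("priority", PRIORITY_ACL)):
        print(label, decisions(acl))
```

Running it reproduces David's diagnosis: the original list permits R1's own connection attempt to R3:2065 but drops R1's answer on the connection R3 opened (source port 2065, destination port above 1023), and drops FST entirely because FST is IP protocol 91 with no TCP ports to match. It also shows a consequence of the final list that is easy to miss: taken literally, it no longer matches R1's own SYN towards R3:2065, so if either peer may initiate the TCP connection, keep both the source-port and destination-port forms of the 2065 entry, and add the 1981-1983 entries when priority peers are configured.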



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:02 GMT-3