Re: netbios filters, how to trace sources ?

From: Rob Hopkins (rshopkins@xxxxxxxxxxxxx)
Date: Mon Apr 16 2001 - 02:58:50 GMT-3


   
Notice also how a filter may only block in one direction, and the name still
appears in the DLSW reachable list. For example: two routers boston & miami,
workstations boston1 and miami1 etc.

hostname boston
!
netbios access-list host bongo permit MIAMI1
netbios access-list host bongo deny *
dlsw remote-peer 0 tcp miami host-netbios-out bongo

hostname miami
!
dlsw remote-peer 0 tcp boston

notes:
1> All miami workstations will be able to access all boston workstations
2> boston workstations will only be able to access MIAMI1 workstation
3> boston router will list other miami workstations in its DLSW reach. cache,
        but workstations will not be able to access.

----- Original Message -----
From: "Daryl Wan Wai Meng" <darylwan@aeradio.com.sg>
To: "'max aronica'" <max_aronica@hotmail.com>; <nigel_taylor@hotmail.com>;
<ccielab@groupstudy.com>
Sent: Monday, April 16, 2001 12:11 AM
Subject: RE: netbios filters, how to trace sources ?

> For those who are following this thread...
>
> I have just finished testing, the filters really do filter by destination.
> All 3 - DMAC, LSAP & NETBIOS.
>
> The documentation is WRONG...time to readjust...
>
> Now, for the SNA SAP questions, anyone able to help out??
>
>
> Thanks again Max,
> Daryl
>
> -----Original Message-----
> From: Daryl Wan Wai Meng [mailto:darylwan@aeradio.com.sg]
> Sent: Monday, April 16, 2001 10:08 AM
> To: 'max aronica'; nigel_taylor@hotmail.com; ccielab@groupstudy.com
> Subject: RE: netbios filters, how to trace sources ?
>
>
> Hi Max,
> I got misled by the docs again, will test it out for sure... What
> about the DMAC & LSAP commands, do they work by destination too?
>
> For my SNA question, I would actually like to know how these SAPs are
> represented 00,01,04,05,08,09,0c,0d
>
> Example 1
> ----------
> 01 = 0000 0001 equals to
> 0101 = 0000 0001 0000 0001
>
>
> Example 2
> ----------
> 04 = 0000 0100 equals to
> 0404 = 0000 0100 0000 0100
>
>
> General SNA Mask to match the above
> ----------
> 0D0D = 0000 1101 0000 1101
>
>
> Because the 0x0D0D mask is 4 hexadecimals long, while the SAPs are only 2
> hexadecimals long. I am not very sure how to match them properly? Like the
> above?
> Does it imply that SAP 04 always equals to 0x0404 and SAP 0C always equals
> to 0x0C0C?
>
>
> Thanks,
> Daryl
>
>
>
> -----Original Message-----
> From: max aronica [mailto:max_aronica@hotmail.com]
> Sent: Sunday, April 15, 2001 9:46 PM
> To: darylwan@aeradio.com.sg; nigel_taylor@hotmail.com;
> ccielab@groupstudy.com
> Subject: RE: netbios filters, how to trace sources ?
>
>
> Hi Daryl,
> you are right, the link speaks clear. But if you test it, it will
> filter by destination....I tried. Just take two Windows PCs and put
> a dlsw network in the middle and try to filter.
> Ok, should this be requested in the lab, I will assume good what Cisco doc
> says.
>
> About your question, don't know if I well understand it. If you wonder where
> that notation (0x0000 0x0D0D) comes from just write it in binary and will
> see that the only values permitted are the SNA ones (actually,
> even 0c and 0d ... )
>
>
> 0000.0000 (sap)
> 0000.1101 (mask)
> ---------
> It permits 00,01,04,05,08,09,0c,0d
>
>
>
>
>
>
> >From: Daryl Wan Wai Meng <darylwan@aeradio.com.sg>
> >To: "'max aronica'" <max_aronica@hotmail.com>, Nigel Taylor
> ><nigel_taylor@hotmail.com>, ccielab@groupstudy.com
> >Subject: RE: netbios filters, how to trace sources ?
> >Date: Sun, 15 Apr 2001 14:05:02 +0800
> >
> >Nigel/Max,
> >
> >I believe the following commands on Rtr 1 would do the trick...
> >
> >netbios access-list filter1 permit (netbios name of PC A)
> >dlsw remote-peer 0 tcp (Rtr 2 peer address) host-netbios-out filter1
> >
> >This can be verified from the following link
> >http://www.cisco.com/warp/public/cc/pd/ibsw/ibdlsw/prodlit/dlsw4_rg.htm
> >Figure 4-2: Using Filtering to Limit the Broadcasts and Network Access of
> >Individual NetBIOS Servers
> >
> >
> >When I initially started learning about DLSW filtering, I too thought that
> >they meant to filter on the destination. It is not the case!!! Luckily, the
> >above link steered me into the correct direction...
> >
> >The DMAC & LSAP commands for DLSW also work the same way, they reference the
> >mac-addresses & SAP types local to the router!!! Not the destination
> >side....
> >
> >
> >
> >Now, I have a question regarding SAP types...
> >In the following link
> >http://www.cisco.com/warp/public/698/acl200.html
> >
> >They describe to permit SNA traffic, use 0x0000 0x0D0D to permit the most
> >common SNA SAPs ---
> >0x01
> >0x04
> >0x05
> >0x08
> >0x09
> >
> >Does it mean that the above SAPs actually become the following ---
> >0x0101 0x0000
> >0x0404 0x0000
> >0x0505 0x0000
> >0x0808 0x0000
> >0x0909 0x0000
> >-------------
> >0x0000 0x0D0D
> >
> >Is this how they interpret that the access-list can be used to permit the
> >above SNA SAPs?
> >
> >
> >
> >Thanks,
> > Daryl
> >
> >
> >-----Original Message-----
> >From: max aronica [mailto:max_aronica@hotmail.com]
> >Sent: Sunday, April 15, 2001 4:41 AM
> >To: Nigel Taylor; ccielab@groupstudy.com
> >Subject: Re: netbios filters, how to trace sources ?
> >
> >
> >Nigel,
> >Given your example, the access-list you created can only be set (in case of
> >ethernet) on the dlsw remote peer definition, that is, will
> >filter -destination name-.
> >StationA and B are on the same ethernet, I want A to be able to send out
> >netbios packet towards Rtr2. B should not.
> >How can I cut on Rtr1 packet coming from B ?
> >
> >|---|---Rtr1 -------------//---------------Rtr2
> >A B ------------> Nbios query
> >
> >
> >Thanks
> >Max
> >
> >
> >
>
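
The SAP mask arithmetic discussed in this thread (0x0000 0x0D0D), worked through as an added example; it is not code from any of the posters or from Cisco. It treats the mask as a wildcard (1 bits are ignored) and assumes the 16-bit field is the DSAP byte followed by the SSAP byte; the function names are illustrative.

```python
# Added example: evaluate a type-code ACL entry (value, wildcard mask) against
# the 16-bit DSAP/SSAP pair of an 802.2 frame. Names here are illustrative.

def matches(field, value, wildcard):
    """True when field equals value on every bit the wildcard does not ignore.
    A 1 bit in the wildcard means "don't care", as with 0x0D0D in the thread."""
    care = ~wildcard & 0xFFFF
    return (field & care) == (value & care)

def lsap(dsap, ssap):
    """Pack two one-byte SAPs into the 16-bit field the entry is compared with.
    Assumption: DSAP is the high byte. 0x0D0D is symmetric, so the byte order
    does not change any result below."""
    return ((dsap & 0xFF) << 8) | (ssap & 0xFF)

def permitted_saps(value, wildcard):
    """One-byte SAPs accepted when the same SAP is used as DSAP and SSAP."""
    return [s for s in range(256) if matches(lsap(s, s), value, wildcard)]

def permitted_pairs(value, wildcard):
    """Every (DSAP, SSAP) combination the entry accepts."""
    return {(d, s) for d in range(256) for s in range(256)
            if matches(lsap(d, s), value, wildcard)}

SNA_VALUE, SNA_WILDCARD = 0x0000, 0x0D0D

if __name__ == "__main__":
    saps = permitted_saps(SNA_VALUE, SNA_WILDCARD)
    print("SAPs accepted:", " ".join("%02x" % s for s in saps))
    pairs = permitted_pairs(SNA_VALUE, SNA_WILDCARD)
    print("DSAP/SSAP pairs accepted:", len(pairs))
    # Each byte is masked independently, so the two SAPs need not be equal:
    # SAP 04 shows up as 0x0404 only when both ends use 04.
    print("DSAP 04 / SSAP 08:", matches(lsap(0x04, 0x08), SNA_VALUE, SNA_WILDCARD))
    # NetBIOS uses SAP F0, which has bits set outside the wildcard.
    print("DSAP F0 / SSAP F0:", matches(lsap(0xF0, 0xF0), SNA_VALUE, SNA_WILDCARD))
```
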



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:46 GMT-3