From: adiment@xxxxxxxxxx
Date: Thu May 10 2001 - 11:18:15 GMT-3
One thing I find extremely useful is to put the entry
access-list 120 deny ip any any log
at the end of the access list. You will be able to see if any other ports are being filtered. In fact, as good practice for the lab, if you do this you can tell if you are blocking something you shouldn't be, like a routing protocol you forgot about.
-----Original Message-----
From: HENDERSON_DAVE_G@Lilly.com [mailto:HENDERSON_DAVE_G@Lilly.com]
Sent: Thursday, May 10, 2001 8:26 AM
To: Tariq Sharif
Cc: Ccielab@Groupstudy. Com; nobody@groupstudy.com; ShahzaD Ali
Subject: RE: DLSw+ & ACL
Try also permitting port 2067. I believe 2067 is the read port.
Tariq Sharif <tariq_sharif@btinternet.com>
Sent by: nobody@groupstudy.com
05/10/01 08:03 AM
Please respond to Tariq Sharif
To: "Ccielab@Groupstudy. Com" <ccielab@groupstudy.com>, ShahzaD Ali <shahzad-ali@home.com>
cc:
Subject: RE: DLSw+ & ACL
This is strange. I'm now using physical interface addresses for DLSw+ & permitting port 2065, but DLSw+ doesn't come up unless I remove the ACL. Here are the partial configs:
Many thanks & regards.
Tariq Sharif
hostname r3
!
dlsw local-peer peer-id 132.1.23.2
dlsw remote-peer 0 tcp 132.1.23.1
dlsw remote-peer 0 tcp 132.1.10.4
dlsw bridge-group 3
!
interface Ethernet0/0
ip address 132.1.50.3 255.255.255.0
no ip directed-broadcast
ipx network 50
bridge-group 3
!
interface Serial2/0
ip address 132.1.10.3 255.255.255.224
no ip directed-broadcast
encapsulation frame-relay
ip ospf network point-to-multipoint
no ip mroute-cache
logging event subif-link-status
logging event dlci-status-change
ipx network 134
frame-relay map ipx 134.0004.0004.0004 103 broadcast
frame-relay map ip 132.1.10.1 103 broadcast
frame-relay map ip 132.1.10.3 103 broadcast
frame-relay map ip 132.1.10.4 103 broadcast
frame-relay map ipx 134.0001.0001.0001 103 broadcast
no frame-relay inverse-arp
!
router ospf 1
router-id 3.3.3.3
area 3 virtual-link 2.2.2.2
timers spf 30 60
redistribute static metric 10 subnets
network 132.1.3.0 0.0.0.255 area 0
network 132.1.10.0 0.0.0.255 area 0
network 132.1.23.0 0.0.0.255 area 3
network 132.1.50.0 0.0.0.255 area 3
!
end
hostname r4
!
source-bridge ring-group 40
dlsw local-peer peer-id 132.1.10.4
dlsw remote-peer 0 tcp 132.1.23.2
!
interface Serial0/0
ip address 132.1.10.4 255.255.255.224
ip access-group 120 in
no ip directed-broadcast
encapsulation frame-relay
ip ospf network point-to-multipoint
no ip mroute-cache
logging event subif-link-status
logging event dlci-status-change
ipx network 134
no ipx split-horizon eigrp 1
frame-relay map ip 132.1.10.1 101 broadcast
frame-relay map ip 132.1.10.3 103 broadcast
frame-relay map ip 132.1.10.4 101 broadcast
frame-relay map ipx 134.0001.0001.0001 101 broadcast
frame-relay map ipx 134.0003.0003.0003 103 broadcast
no frame-relay inverse-arp
frame-relay broadcast-queue 80 240000 160
!
interface TokenRing0/0
ip address 132.1.40.4 255.255.255.224
ip access-group 110 in
no ip directed-broadcast
ipx network 40
ring-speed 16
source-bridge 2 1 40
source-bridge spanning
hold-queue 100 in
!
router ospf 1
router-id 4.4.4.4
network 132.1.4.0 0.0.0.255 area 0
network 132.1.10.0 0.0.0.255 area 0
network 132.1.40.0 0.0.0.255 area 4
network 222.0.0.0 0.255.255.255 area 0
!
access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq smtp
access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq pop2
access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq pop3
access-list 110 permit ospf any any
access-list 110 permit tcp any any eq bgp
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit udp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq tftp
access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq telnet
access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq www
access-list 120 permit ospf any any
access-list 120 permit tcp any any eq bgp
access-list 120 permit icmp any any echo
access-list 120 permit icmp any any echo-reply
access-list 120 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 established
access-list 120 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq smtp
access-list 120 permit tcp any any eq 2065
end
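To see concretely which DLSw+ peer segments the ACL 120 above matches, here is an added example (mine, not from anyone in this thread) that replays a DLSw+ TCP exchange through a minimal Cisco-style ACL evaluator. It assumes the ephemeral ports 11000/11001; REPLY_ENTRY (an entry matching source port 2065) is an illustration of ACL matching rather than advice from the thread, and the parser handles only the numeric-port subset of the syntax used here.

```python
import ipaddress
_ip = lambda s: int(ipaddress.IPv4Address(s))      # dotted quad -> int

def _addr(tok):
    """Consume 'any' or 'A.B.C.D WILDCARD' from the token list; return an IP matcher."""
    t = tok.pop(0)
    if t == "any":
        return lambda ip: True
    base, wild = _ip(t), _ip(tok.pop(0))
    return lambda ip: (_ip(ip) | wild) == (base | wild)

def _port(tok):
    """Consume an optional numeric 'eq PORT'; None means any port."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        return int(tok.pop(0))
    return None

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]' lines."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]                    # drop 'access-list 120'
        action, proto = tok.pop(0), tok.pop(0)
        src, sport = _addr(tok), _port(tok)
        dst, dport = _addr(tok), _port(tok)
        acl.append(dict(action=action, proto=proto, src=src, sport=sport,
                        dst=dst, dport=dport, log="log" in tok, line=line))
    return acl

def evaluate(acl, pkt):
    """First matching entry wins; unmatched traffic hits the implicit deny, as in IOS."""
    for a in acl:
        if (a["proto"] in ("ip", pkt["proto"]) and a["src"](pkt["src"]) and a["dst"](pkt["dst"])
                and a["sport"] in (None, pkt.get("sport")) and a["dport"] in (None, pkt.get("dport"))):
            return a["action"], a["line"]
    return "deny", "implicit deny ip any any (nothing logged)"
# ACL 120 entries from R4 above that TCP from peer R3 can reach (the 132.1.52.0, bgp and
# non-TCP entries cannot match it), plus DENY_LOG, the explicit logged deny the thread recommends.
BASE = "access-list 120 permit tcp any any eq 2065\n"
DENY_LOG = "access-list 120 deny ip any any log"
REPLY_ENTRY = "access-list 120 permit tcp any eq 2065 any\n"  # assumed source-port entry (illustration only)
# Constructed segments entering R4 Serial0/0 from R3: its SYN to R4:2065, and its SYN/ACK (source
# port 2065) answering R4's own connection attempt to R3:2065.  Ports 11000/11001 are assumed ephemeral.
R3_OPENS = dict(proto="tcp", src="132.1.23.2", sport=11000, dst="132.1.10.4", dport=2065)
R3_REPLIES = dict(proto="tcp", src="132.1.23.2", sport=2065, dst="132.1.10.4", dport=11001)
def verdicts(acl_text):
    """Return the action the ACL text applies to each constructed segment."""
    acl = parse_acl(acl_text)
    return {n: evaluate(acl, p)[0] for n, p in (("r3_opens", R3_OPENS), ("r3_replies", R3_REPLIES))}
```

With the list as posted, R3's connection to port 2065 is permitted but its reply from port 2065 is dropped by the final deny, which is exactly the entry a `deny ... log` line would surface in the log.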
-----Original Message-----
From: ShahzaD Ali [mailto:shahzad-ali@home.com]
Sent: 10 May 2001 13:47
To: Tariq Sharif
Subject: RE: DLSw+ & ACL
Use
access-list 101 deny ip any any log
at the end of your access-list and the log will show you which port is being blocked. I think you need to permit tcp 2065.
Regards,
ShahzaD
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Tariq Sharif
Sent: Thursday, May 10, 2001 6:46 AM
To: Ccielab@Groupstudy. Com
Subject: DLSw+ & ACL
I've IP & DLSw+ running between R4 & R3 (linked with Frame). DLSw+ is using loopback interfaces to communicate. I've added an ACL on the R4 frame interface inbound & now DLSw+ does not work! Qs:
1) Are loopbacks treated differently than the router's normal interfaces (because an ACL on a router does not apply to the router's own communications)?
2) How can I allow DLSw+ through the ACL?
Many thanks & regards.
Tariq Sharif
[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]
**Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:38 GMT-3