From: Johnny Dedon (johnny.dedon@xxxxxxxxxx)
Date: Thu May 10 2001 - 13:36:02 GMT-3
The access-list is on an inbound interface. You need to remember on inbound
interfaces that you need to allow the response port.
While I am on this subject, can someone verify that the dlsw endpoint with
the highest ip address is the one that initiates a session all other things
being equal?
Johnny Dedon
Senior Staff Consultant
Exodus Professional Services
johnny.dedon@exodus.net
www.exodus.net
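A defender-side check of the point made above, added here as an example rather than anything from the thread: it parses the %SEC-6-IPACCESSLOGP lines quoted below (re-typed as a constructed sample) and, for each deny whose source is a known server port (2065, plus 2067 as the read port Dave mentions, for DLSw+; 179 for BGP) and whose destination is an ephemeral port, derives the narrowest ACE that admits that return half of the session instead of a blanket `gt 11000`. The function names and the `SERVER_PORTS` table are my own assumptions.

```python
import re

# Constructed sample, re-typed from the deny log quoted later in this thread.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11001), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.134.3(179) -> 140.1.134.4(11002), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11004), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11005), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Well-known server ports we expect to see as the *source* of return traffic
# on an inbound ACL: DLSw+ write/read ports and BGP (assumed table).
SERVER_PORTS = {2065: "dlsw", 2067: "dlsw-read", 179: "bgp"}


def parse_denies(text):
    """Return (acl, proto, src, sport, dst, dport) for every deny line."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            flows.append((m["acl"], m["proto"], m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"])))
    return flows


def suggest_return_aces(text):
    """Derive the narrowest ACEs that admit the logged return traffic.

    A deny whose source port is a known server port and whose destination
    port is ephemeral (>1023) is the reply half of a session this router
    opened itself; permit it keyed on the server port, not on 'gt 11000'.
    """
    aces = {}
    for acl, proto, src, sport, dst, dport in parse_denies(text):
        if sport in SERVER_PORTS and dport > 1023:
            ace = (f"access-list {acl} permit {proto} host {src} eq {sport} "
                   f"host {dst} gt 1023")
            aces.setdefault(ace, SERVER_PORTS[sport])  # dict keeps first-seen order
    return list(aces)


if __name__ == "__main__":
    for ace in suggest_return_aces(SAMPLE_LOG):
        print(ace)
```

Where the `established` keyword is acceptable on the platform, a single `permit tcp <peer> <local> established` covers the same return traffic; the per-port form above is the narrower of the two.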
----- Original Message -----
From: "ShahzaD Ali" <shahzad-ali@home.com>
To: <HENDERSON_DAVE_G@Lilly.com>; "Tariq Sharif" <tariq_sharif@btinternet.com>
Cc: "Ccielab@Groupstudy. Com" <ccielab@groupstudy.com>; <nobody@groupstudy.com>
Sent: Thursday, May 10, 2001 9:26 AM
Subject: RE: DLSw+ & ACL
> Dave,
>
> I tried permitting 2065 and 2067 but no luck. Here is the log
>
> %SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11001), 1 packet
> %SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.134.3(179) -> 140.1.134.4(11002), 1 packet
> %SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11004), 1 packet
> %SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11005), 1 packet
> %SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11006), 1 packet
> r4#
> %SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11007), 1
>
> I think I need to permit all the ports gt 11000.
>
> Any suggestions, folks?
>
>
> Regards,
>
> ShahzaD
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of HENDERSON_DAVE_G@Lilly.com
> Sent: Thursday, May 10, 2001 8:26 AM
> To: Tariq Sharif
> Cc: Ccielab@Groupstudy. Com; nobody@groupstudy.com; ShahzaD Ali
> Subject: RE: DLSw+ & ACL
>
>
> Try also permitting port 2067. I believe 2067 is the read port.
>
>
>
>
> Tariq Sharif <tariq_sharif@btinternet.com>
> Sent by: nobody@groupstudy.com
> 05/10/01 08:03 AM
> Please respond to Tariq Sharif
>
>
> To: "Ccielab@Groupstudy. Com" <ccielab@groupstudy.com>, ShahzaD Ali <shahzad-ali@home.com>
> cc:
> Subject: RE: DLSw+ & ACL
>
> This is strange. I'm now using physical interface addresses for DLSw+ &
> permitting port 2065 but DLSw+ doesn't come up unless I remove the ACL.
> Here are the partial configs:
>
> Many thanks & regards.
>
> Tariq Sharif
>
>
> hostname r3
> !
> dlsw local-peer peer-id 132.1.23.2
> dlsw remote-peer 0 tcp 132.1.23.1
> dlsw remote-peer 0 tcp 132.1.10.4
> dlsw bridge-group 3
> !
> interface Ethernet0/0
> ip address 132.1.50.3 255.255.255.0
> no ip directed-broadcast
> ipx network 50
> bridge-group 3
> !
> interface Serial2/0
> ip address 132.1.10.3 255.255.255.224
> no ip directed-broadcast
> encapsulation frame-relay
> ip ospf network point-to-multipoint
> no ip mroute-cache
> logging event subif-link-status
> logging event dlci-status-change
> ipx network 134
> frame-relay map ipx 134.0004.0004.0004 103 broadcast
> frame-relay map ip 132.1.10.1 103 broadcast
> frame-relay map ip 132.1.10.3 103 broadcast
> frame-relay map ip 132.1.10.4 103 broadcast
> frame-relay map ipx 134.0001.0001.0001 103 broadcast
> no frame-relay inverse-arp
> !
> router ospf 1
> router-id 3.3.3.3
> area 3 virtual-link 2.2.2.2
> timers spf 30 60
> redistribute static metric 10 subnets
> network 132.1.3.0 0.0.0.255 area 0
> network 132.1.10.0 0.0.0.255 area 0
> network 132.1.23.0 0.0.0.255 area 3
> network 132.1.50.0 0.0.0.255 area 3
> !
> end
>
>
> hostname r4
> !
> source-bridge ring-group 40
> dlsw local-peer peer-id 132.1.10.4
> dlsw remote-peer 0 tcp 132.1.23.2
> !
> interface Serial0/0
> ip address 132.1.10.4 255.255.255.224
> ip access-group 120 in
> no ip directed-broadcast
> encapsulation frame-relay
> ip ospf network point-to-multipoint
> no ip mroute-cache
> logging event subif-link-status
> logging event dlci-status-change
> ipx network 134
> no ipx split-horizon eigrp 1
> frame-relay map ip 132.1.10.1 101 broadcast
> frame-relay map ip 132.1.10.3 103 broadcast
> frame-relay map ip 132.1.10.4 101 broadcast
> frame-relay map ipx 134.0001.0001.0001 101 broadcast
> frame-relay map ipx 134.0003.0003.0003 103 broadcast
> no frame-relay inverse-arp
> frame-relay broadcast-queue 80 240000 160
> !
> interface TokenRing0/0
> ip address 132.1.40.4 255.255.255.224
> ip access-group 110 in
> no ip directed-broadcast
> ipx network 40
> ring-speed 16
> source-bridge 2 1 40
> source-bridge spanning
> hold-queue 100 in
> !
> router ospf 1
> router-id 4.4.4.4
> network 132.1.4.0 0.0.0.255 area 0
> network 132.1.10.0 0.0.0.255 area 0
> network 132.1.40.0 0.0.0.255 area 4
> network 222.0.0.0 0.255.255.255 area 0
> !
> access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq smtp
> access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq pop2
> access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq pop3
> access-list 110 permit ospf any any
> access-list 110 permit tcp any any eq bgp
> access-list 110 permit icmp any any echo
> access-list 110 permit icmp any any echo-reply
> access-list 110 permit udp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq tftp
> access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq telnet
> access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq www
> access-list 120 permit ospf any any
> access-list 120 permit tcp any any eq bgp
> access-list 120 permit icmp any any echo
> access-list 120 permit icmp any any echo-reply
> access-list 120 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 established
> access-list 120 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq smtp
> access-list 120 permit tcp any any eq 2065
> end
>
> -----Original Message-----
> From: ShahzaD Ali [mailto:shahzad-ali@home.com]
> Sent: 10 May 2001 13:47
> To: Tariq Sharif
> Subject: RE: DLSw+ & ACL
>
>
> Use
>
> access-list 101 deny ip any any
>
> at the end of your access-list and the log will show you which port is being
> blocked. I think you need to permit tcp 2065.
>
>
> Regards,
>
> ShahzaD
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tariq Sharif
> Sent: Thursday, May 10, 2001 6:46 AM
> To: Ccielab@Groupstudy. Com
> Subject: DLSw+ & ACL
>
>
> I've IP & DLSw+ running between R4 & R3 (linked with Frame). DLSw+ is using
> loopback interfaces to communicate. I've added an ACL on R4's frame interface
> inbound & now DLSw+ does not work! Qs:
> 1) Are loopbacks treated differently than the router's normal interfaces
> (because an ACL on a router does not apply to the router's own communications)?
> 2) How can I allow DLSw+ through the ACL?
>
> Many thanks & regards.
>
> Tariq Sharif
>
> **Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:38 GMT-3