RE: DLSW Peer Group - Netbios Filters

From: Devender Singh (devender.singh@xxxxxxxxxxxxxx)
Date: Thu Aug 09 2001 - 05:34:08 GMT-3


   
That is very interesting. It is making sense to me, although it is weird.
The way it should work is (I THINK - will be logical at least), demand peer
should not connect if NAME-QUERY explorer is only for ADVENT. But if the
peer comes up for any other reason NAME-QUERY for ADVENT should still be
filtered.

Devender Singh
BE(Hons), CCNP
IP Solution Specialist

-----Original Message-----
From: Bob Chahal [mailto:bob.chahal@ntlworld.com]
Sent: Wednesday, 8 August 2001 8:30
To: Ccielab@Groupstudy. Com (E-mail); Zeng Puyang
Subject: Re: DLSW Peer Goup - Netbios Filters

Hi Zeng,

You may be correct about this as (if I remember correctly) I've seen that as
well. However, I'll check this but the testing I have done definitely shows
that putting a filter on dlsw peer-on-demand-defaults host-netbios-out STOP
does NOT block access to ADVENT. As I've said I think this is because in
order to open the Peer-on-demand connection the explorer has to get through
and a circuit established after which the filter might work. Actually I
think I'll test this with another PC on the same segment as ESCOM and see
what the results are.

Cheers

Bob

----- Original Message -----
From: "Zeng Puyang" <zbridge98@yahoo.com>
To: "Bob Chahal" <bob.chahal@ntlworld.com>
Sent: Wednesday, August 08, 2001 10:37 AM
Subject: Re: DLSW Peer Goup - Netbios Filters

> Hi, Bob:
>
> I haven't tried this. Some posts said that you can still find the netbios name
> even if there is a netbios filter, but the filter can block the access. That
> means you can see the netbios name in the dlsw reachability, but you can't
> open the file on ADVENT from ESCOM by network neighborhood. They did this
> without peer group. If it's true, I think no matter whether you put the
> host-netbios-out filter on peer to the border or on-demand-default, you
> should get the same result. In both cases, the two PCs can see each other, but
> can't access each other.
>
> Could you please prove this for me?
>
> Regards
>
> Zeng Puyang
>
> ----- Original Message -----
> From: "Bob Chahal" <bob.chahal@ntlworld.com>
> To: "Fred Ingham" <fningham@worldnet.att.net>
> Cc: <ccielab@groupstudy.com>
> Sent: Wednesday, August 08, 2001 4:21 PM
> Subject: Re: DLSW Peer Goup - Netbios Filters
>
>
> > Thanks for that Fred. Ok I will try the dlsw disable but after I had
> > configured this and saved the config, the next day I powered up the routers
> > and still the filter wouldn't work. I'll be working on all this DLSW for a
> > couple of weeks yet so if I get anywhere with this I'll let you know.
> >
> >
> > ----- Original Message -----
> > From: "Fred Ingham" <fningham@worldnet.att.net>
> > To: "Bob Chahal" <bob.chahal@ntlworld.com>
> > Cc: <ccielab@groupstudy.com>
> > Sent: Tuesday, August 07, 2001 3:28 AM
> > Subject: Re: DLSW Peer Goup - Netbios Filters
> >
> >
> > > Bob: The filter on r5 should work if ESCOM is initiating the session.
> > > Did you do
> > > a dlsw disable and a no dlsw disable after configuring the filter? If
> > > not the filter doesn't take effect with peer-on-demand-defaults in my
> > > experience.
> > >
> > > As you have seen the same filter works on the remote-peer statement to
> > > the border. Filters on the remote-peer statement seem to be active
> > > without the dis, no dis exercise. And the filter should also work on r1
> > > remote-peer statement to r2.
> > >
> > > Let me know if this explains your tests.
> > >
> > > Cheers, Fred.
> > >
> > > Bob Chahal wrote:
> > > >
> > > >
> > > > PC-ADVENT-----R8---------R2----------------R1-----------R5----PC-ESCOM
> > > >
> > > > I've a setup with two border peers (R1 in group 2 and R2 in group1). In each
> > > > group I have an on-demand peers (Group 2 has R5 and Group 1 has R8). I have
> > > > a windows pc on R8 (netbios name ADVENT) and R5 (netbios name ESCOM). I have
> > > > placed a dlsw netbios filter on R5 to block netbios name queries to ADVENT
> > > > as follows
> > > >
> > > > netbios access-list host STOP deny ADVENT
> > > > netbios access-list host STOP permit *
> > > > enable password cisco
> > > > !
> > > > ip tcp synwait-time 5
> > > > no ip domain-lookup
> > > > dlsw local-peer peer-id 5.5.5.5 group 2 promiscuous
> > > > dlsw remote-peer 0 tcp 1.1.1.1
> > > > dlsw peer-on-demand-defaults host-netbios-out STOP
> > > > dlsw bridge-group 1
> > > >
> > > > This does not block the netbios name queries for ADVENT. What I do see is
> > > > the peer-on demand connect and a successful connection to ADVENT from ESCOM.
> > > > I had thought that
> > > >
> > > > dlsw peer-on-demand-defaults host-netbios-out STOP
> > > >
> > > > would enable filtering on demand peers. But I think that this is a catch
> > > > 22 situation because the demand peer will not form unless the name query
> > > > goes through. So now I'm wondering why would you have the ability to
> > > > configure it this way.
> > > >
> > > > In order to block netbios name queries to ADVENT I had to put the filter on
> > > > the remote peer statement to the border peer.
> > > >
> > > > dlsw local-peer peer-id 5.5.5.5 group 2 promiscuous
> > > > dlsw remote-peer 0 tcp 1.1.1.1 host-netbios-out STOP
> > > > dlsw bridge-group 1
> > > >
> > > > Has anyone else done filtering like this and if so do you share my
> > > > observations?
> > > >
> > > > Thanks everyone
> > > >
> > > > Bob
> > > > **Please read:http://www.groupstudy.com/list/posting.html



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:47 GMT-3
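
The following is an added example, not code from any participant in the thread: a small configuration check that flags a NetBIOS host filter applied only through `dlsw peer-on-demand-defaults`, the placement Bob reported as not blocking name queries in his tests, and never on a `dlsw remote-peer` statement. The function name `audit_netbios_filters` and the two sample configs (constructed from the lines quoted in the thread) are assumptions, and the finding reflects the thread's test observations rather than documented IOS behaviour.

```python
import re

# Constructed sample configs, modelled on the two variants quoted in the thread.
ON_DEMAND_ONLY = """\
netbios access-list host STOP deny ADVENT
netbios access-list host STOP permit *
dlsw local-peer peer-id 5.5.5.5 group 2 promiscuous
dlsw remote-peer 0 tcp 1.1.1.1
dlsw peer-on-demand-defaults host-netbios-out STOP
dlsw bridge-group 1
"""

ON_REMOTE_PEER = """\
netbios access-list host STOP deny ADVENT
netbios access-list host STOP permit *
dlsw local-peer peer-id 5.5.5.5 group 2 promiscuous
dlsw remote-peer 0 tcp 1.1.1.1 host-netbios-out STOP
dlsw bridge-group 1
"""

def audit_netbios_filters(config):
    """Return findings about where host-netbios-out filters are attached."""
    defined, on_demand, remote = set(), set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        acl = re.match(r"netbios access-list host (\S+) (?:permit|deny) \S+", line)
        if acl:
            defined.add(acl.group(1))
            continue
        ref = re.search(r"\bhost-netbios-out (\S+)", line)
        if not ref:
            continue
        if line.startswith("dlsw peer-on-demand-defaults"):
            on_demand.add(ref.group(1))
        elif line.startswith("dlsw remote-peer"):
            remote.add(ref.group(1))
    findings = []
    for name in sorted((on_demand | remote) - defined):
        findings.append(f"{name}: referenced but not defined")
    for name in sorted(on_demand - remote):
        # Placement reported in the thread as not filtering name queries.
        findings.append(f"{name}: applied only via peer-on-demand-defaults")
    for name in sorted(defined - on_demand - remote):
        findings.append(f"{name}: defined but not applied to any DLSw peer")
    return findings
```
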