From: Jon Carmichael (jonc@xxxxxxxxxxx)
Date: Sun Aug 12 2001 - 17:03:44 GMT-3
I'm trying to approach this problem with a workaround, --problem is it
works too well. Instead of using a netbios access-list, you can hard-code
the filter on a dlsw icanreach line, --so my config looks like this...

dlsw local-peer peer-id 192.168.255.50 group 40 promiscuous
dlsw remote-peer 0 tcp 192.168.255.13
dlsw icanreach netbios-exclusive
dlsw icanreach netbios-name 166*
dlsw bridge-group 1

Where I am trying to make it so I can reach a machine whose name is
166-Clone, but not others on a distant net. I'm not sure if it's case
sensitive, --so that's why the 166*. --So all I do is break all netbios
connectivity to that and all other machines on the distant net. If I take
it off connectivity works again.

I was able to do a successful filter using mac-address filters and
mac-address exclusive, --but I can't make specific netbios names work any
way I've tried.

JONC
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Bob Chahal
Sent: Thursday, August 09, 2001 2:21 AM
To: Devender Singh; Ccielab@Groupstudy. Com (E-mail); Zeng Puyang
Subject: Re: DLSW Peer Goup - Netbios Filters
Yea but I was able to bring up the on-demand peer by searching for ADVENT.
I'll be doing some more testing on this and let you know. I was running debug
dlsw reachability and even when I put the filter on the remote-peer
statement for the border router I could see the explorer going through and
it looked as if the filter works as the response to the explorer comes back.
I'm going to check this again as well (when I get time!)
----- Original Message -----
From: "Devender Singh" <devender.singh@cmc.cwo.net.au>
To: "Bob Chahal" <bob.chahal@ntlworld.com>; "Ccielab@Groupstudy. Com
(E-mail)" <ccielab@groupstudy.com>; "Zeng Puyang" <zbridge98@yahoo.com>
Sent: Thursday, August 09, 2001 9:34 AM
Subject: RE: DLSW Peer Goup - Netbios Filters
> That is very interesting. It is making sense to me, although it is weird.
> The way it should work is (I THINK - will be logical at least), demand peer
> should not connect if NAME-QUERY explorer is only for ADVENT. But if the
> peer comes up for any other reason NAME-QUERY for ADVENT should be still
> filtered.
>
> Devender Singh
> BE(Hons), CCNP
> IP Solution Specialist
>
>
> -----Original Message-----
> From: Bob Chahal [mailto:bob.chahal@ntlworld.com]
> Sent: Wednesday, 8 August 2001 8:30
> To: Ccielab@Groupstudy. Com (E-mail); Zeng Puyang
> Subject: Re: DLSW Peer Goup - Netbios Filters
>
>
> Hi Zeng,
>
> You may be correct about this as (if I remember correctly) I have seen that as
> well. However, I'll check this but the testing I have done definitely shows
> that putting a filter on dlsw peer-on-demand-defaults host-netbios-out STOP
> does NOT block access to ADVENT. As I've said I think this is because in
> order to open the Peer-on-demand connection the explorer has to get through
> and a circuit established after which the filter might work. Actually I
> think I'll test this with another PC on the same segment as ESCOM and see
> what the results are.
>
> Cheers
>
> Bob
>
> ----- Original Message -----
> From: "Zeng Puyang" <zbridge98@yahoo.com>
> To: "Bob Chahal" <bob.chahal@ntlworld.com>
> Sent: Wednesday, August 08, 2001 10:37 AM
> Subject: Re: DLSW Peer Goup - Netbios Filters
>
>
> > Hi, Bob:
> >
> > I don't try this. Some posts said that you can still find the netbios name
> > even if there is a netbios filter, but the filter can block the access. That
> > means you can see the netbios name in the dlsw reachability, but you can't
> > open the file on ADVENT from ESCOM by network neighborhood. They did this
> > without peer group. If it's true, I think no matter you put the
> > host-netbios-out filter on peer to the border or on-demand-default, you
> > should get the same result. In both cases, the two PCs can see each other, but
> > can't access each other.
> >
> > Could you please prove this for me?
> >
> > Regards
> >
> > Zeng Puyang
> >
> > ----- Original Message -----
> > From: "Bob Chahal" <bob.chahal@ntlworld.com>
> > To: "Fred Ingham" <fningham@worldnet.att.net>
> > Cc: <ccielab@groupstudy.com>
> > Sent: Wednesday, August 08, 2001 4:21 PM
> > Subject: Re: DLSW Peer Goup - Netbios Filters
> >
> >
> > > Thanks for that Fred. Ok I will try the dlsw disable but after I had
> > > configured this and saved the config, the next day I powered up the routers
> > > and still the filter wouldn't work. I'll be working on all this DLSW for a
> > > couple of weeks yet so if I get anywhere with this I'll let you know.
> > >
> > >
> > > ----- Original Message -----
> > > From: "Fred Ingham" <fningham@worldnet.att.net>
> > > To: "Bob Chahal" <bob.chahal@ntlworld.com>
> > > Cc: <ccielab@groupstudy.com>
> > > Sent: Tuesday, August 07, 2001 3:28 AM
> > > Subject: Re: DLSW Peer Goup - Netbios Filters
> > >
> > >
> > > > Bob: The filter on r5 should work if ESCOM is initiating the session.
> > > > Did you do
> > > > a dlsw disable and a no dlsw disable after configuring the filter? If
> > > > not the filter doesn't take effect with peer-on-demand-defaults in my
> > > > experience.
> > > >
> > > > As you have seen the same filter works on the remote-peer statement to
> > > > the border. Filters on the remote-peer statement seem to be active
> > > > without the dis, no dis exercise. And the filter should also work on r1
> > > > remote-peer statement to r2.
> > > >
> > > > Let me know if this explains your tests.
> > > >
> > > > Cheers, Fred.
> > > >
> > > > Bob Chahal wrote:
> > > > >
> > > > >
> > > > > > PC-ADVENT-----R8---------R2----------------R1-----------R5----PC-ESCOM
> > > > >
> > > > > > I've a setup with two border peers (R1 in group 2 and R2 in group 1). In each
> > > > > > group I have an on-demand peer (Group 2 has R5 and Group 1 has R8). I have
> > > > > > a windows pc on R8 (netbios name ADVENT) and R5 (netbios name ESCOM). I have
> > > > > > placed a dlsw netbios filter on R5 to block netbios name queries to ADVENT
> > > > > > as follows
> > > > >
> > > > > netbios access-list host STOP deny ADVENT
> > > > > netbios access-list host STOP permit *
> > > > > enable password cisco
> > > > > !
> > > > > ip tcp synwait-time 5
> > > > > no ip domain-lookup
> > > > > dlsw local-peer peer-id 5.5.5.5 group 2 promiscuous
> > > > > dlsw remote-peer 0 tcp 1.1.1.1
> > > > > dlsw peer-on-demand-defaults host-netbios-out STOP
> > > > > dlsw bridge-group 1
> > > > >
> > > > > > This does not block the netbios name queries for ADVENT. What I do see is
> > > > > > the peer-on-demand connect and a successful connection to ADVENT from ESCOM.
> > > > > > I had thought that
> > > > >
> > > > > dlsw peer-on-demand-defaults host-netbios-out STOP
> > > > >
> > > > > > would enable filtering on demand peers. But I think that this is a catch
> > > > > > 22 situation because the demand peer will not form unless the name query
> > > > > > goes through. So now I'm wondering why would you have the ability to
> > > > > > configure it this way.
> > > > >
> > > > > > In order to block netbios name queries to ADVENT I had to put the filter on
> > > > > > the remote peer statement to the border peer.
> > > > >
> > > > > dlsw local-peer peer-id 5.5.5.5 group 2 promiscuous
> > > > > dlsw remote-peer 0 tcp 1.1.1.1 host-netbios-out STOP
> > > > > dlsw bridge-group 1
> > > > >
> > > > > > Has anyone else done filtering like this and if so do you share my
> > > > > > observations?
> > > > >
> > > > > Thanks everyone
> > > > >
> > > > > Bob
> > > > > **Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:49 GMT-3