RE: DLSW Peer Group - Netbios Filters

From: Kyle Galusha (kgalusha@xxxxxxxxx)
Date: Sun Aug 12 2001 - 17:58:10 GMT-3


   
Jon,
Maybe I'm missing what you are trying to do but doesn't the below config
tell other (remote) DLSW peers that this local peer can only reach netbios
hosts with names that start with 166? Is that what you want to do? Your
text sounds like you want just the opposite which would mean you need the
dlsw icanreach netbios-exclusive and dlsw icanreach netbios-name 166*
commands on the remote peer.
Kyle

At 01:03 PM 8/12/2001 -0700, Jon Carmichael wrote:
>I'm trying to approach this problem with a workaround, ---problem is it
>works too well. Instead of using a netbios access-list, you can hard-code
>the filter on a dlsw icanreach line, --so my config looks like this...
>
>dlsw local-peer peer-id 192.168.255.50 group 40 promiscuous
>dlsw remote-peer 0 tcp 192.168.255.13
>dlsw icanreach netbios-exclusive
>dlsw icanreach netbios-name 166*
>dlsw bridge-group 1
>
>Where I am trying to make it so I can reach a machine whose name is
>166-Clone, but not others on a distant net. I'm not sure if it's case
>sensitive, --so that's why the 166*. --So all I do is break all netbios
>connectivity to that and all other machines on the distant net. If I take
>it off connectivity works again.
>
>I was able to do a successful filter using mac-address filters and
>mac-address exclusive, --but I can't make specific netbios names work any
>way I've tried.
>
>JONC
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Bob Chahal
>Sent: Thursday, August 09, 2001 2:21 AM
>To: Devender Singh; Ccielab@Groupstudy. Com (E-mail); Zeng Puyang
>Subject: Re: DLSW Peer Group - Netbios Filters
>
>
>Yea but I was able to bring up the on-demand peer by searching for ADVENT.
>I'll be doing some more testing on this and let you know. I was running debug
>dlsw reachability and even when I put the filter on the remote-peer
>statement for the border router I could see the explorer going through and
>it looked as if the filter works as the response to the explorer comes back.
>I'm going to check this again as well (when I get time!)
>
>----- Original Message -----
>From: "Devender Singh" <devender.singh@cmc.cwo.net.au>
>To: "Bob Chahal" <bob.chahal@ntlworld.com>; "Ccielab@Groupstudy. Com
>(E-mail)" <ccielab@groupstudy.com>; "Zeng Puyang" <zbridge98@yahoo.com>
>Sent: Thursday, August 09, 2001 9:34 AM
>Subject: RE: DLSW Peer Group - Netbios Filters
>
>
> > That is very interesting. It is making sense to me, although it is weird.
> > The way it should work is (I THINK - will be logical at least), demand peer
> > should not connect if NAME-QUERY explorer is only for ADVENT. But if the
> > peer comes up for any other reason NAME-QUERY for ADVENT should be still
> > filtered.
> >
> > Devender Singh
> > BE(Hons), CCNP
> > IP Solution Specialist
> >
> >
> > -----Original Message-----
> > From: Bob Chahal [mailto:bob.chahal@ntlworld.com]
> > Sent: Wednesday, 8 August 2001 8:30
> > To: Ccielab@Groupstudy. Com (E-mail); Zeng Puyang
> > Subject: Re: DLSW Peer Group - Netbios Filters
> >
> >
> > Hi Zeng,
> >
> > You may be correct about this as (if I remember correctly) I've seen that as
> > well. However, I'll check this but the testing I have done definitely shows
> > that putting a filter on dlsw peer-on-demand-defaults host-netbios-out STOP
> > does NOT block access to ADVENT. As I've said I think this is because in
> > order to open the Peer-on-demand connection the explorer has to get through
> > and a circuit established after which the filter might work. Actually I
> > think I'll test this with another PC on the same segment as ESCOM and see
> > what the results are.
> >
> > Cheers
> >
> > Bob
> >
> > ----- Original Message -----
> > From: "Zeng Puyang" <zbridge98@yahoo.com>
> > To: "Bob Chahal" <bob.chahal@ntlworld.com>
> > Sent: Wednesday, August 08, 2001 10:37 AM
> > Subject: Re: DLSW Peer Group - Netbios Filters
> >
> >
> > > Hi, Bob:
> > >
> > > I haven't tried this. Some posts said that you can still find the netbios name
> > > even if there is a netbios filter, but the filter can block the access. That
> > > means you can see the netbios name in the dlsw reachability, but you can't
> > > open the file on ADVENT from ESCOM by network neighborhood. They did this
> > > without peer group. If it's true, I think no matter whether you put the
> > > host-netbios-out filter on peer to the border or on-demand-default, you
> > > should get the same result. In both cases, the two PCs can see each other, but
> > > can't access each other.
> > >
> > > Could you please prove this for me?
> > >
> > > Regards
> > >
> > > Zeng Puyang
> > >
> > > ----- Original Message -----
> > > From: "Bob Chahal" <bob.chahal@ntlworld.com>
> > > To: "Fred Ingham" <fningham@worldnet.att.net>
> > > Cc: <ccielab@groupstudy.com>
> > > Sent: Wednesday, August 08, 2001 4:21 PM
> > > Subject: Re: DLSW Peer Group - Netbios Filters
> > >
> > >
> > > > Thanks for that Fred. Ok I will try the dlsw disable but after I had
> > > > configured this and saved the config, the next day I powered up the routers
> > > > and still the filter wouldn't work. I'll be working on all this DLSW for a
> > > > couple of weeks yet so if I get anywhere with this I'll let you know.
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Fred Ingham" <fningham@worldnet.att.net>
> > > > To: "Bob Chahal" <bob.chahal@ntlworld.com>
> > > > Cc: <ccielab@groupstudy.com>
> > > > Sent: Tuesday, August 07, 2001 3:28 AM
> > > > Subject: Re: DLSW Peer Group - Netbios Filters
> > > >
> > > >
> > > > > Bob: The filter on r5 should work if ESCOM is initiating the session.
> > > > > Did you do a dlsw disable and a no dlsw disable after configuring the
> > > > > filter? If not the filter doesn't take effect with
> > > > > peer-on-demand-defaults in my experience.
> > > > >
> > > > > As you have seen the same filter works on the remote-peer statement to
> > > > > the border. Filters on the remote-peer statement seem to be active
> > > > > without the dis, no dis exercise. And the filter should also work on r1
> > > > > remote-peer statement to r2.
> > > > >
> > > > > Let me know if this explains your tests.
> > > > >
> > > > > Cheers, Fred.
> > > > >
> > > > > Bob Chahal wrote:
> > > > > >
> > > > > >
> > > > > > PC-ADVENT-----R8---------R2----------------R1-----------R5----PC-ESCOM
> > > > > >
> > > > > > I've a setup with two border peers (R1 in group 2 and R2 in group 1). In
> > > > > > each group I have an on-demand peer (Group 2 has R5 and Group 1 has R8).
> > > > > > I have a windows pc on R8 (netbios name ADVENT) and R5 (netbios name
> > > > > > ESCOM). I have placed a dlsw netbios filter on R5 to block netbios name
> > > > > > queries to ADVENT as follows
> > > > > >
> > > > > > netbios access-list host STOP deny ADVENT
> > > > > > netbios access-list host STOP permit *
> > > > > > enable password cisco
> > > > > > !
> > > > > > ip tcp synwait-time 5
> > > > > > no ip domain-lookup
> > > > > > dlsw local-peer peer-id 5.5.5.5 group 2 promiscuous
> > > > > > dlsw remote-peer 0 tcp 1.1.1.1
> > > > > > dlsw peer-on-demand-defaults host-netbios-out STOP
> > > > > > dlsw bridge-group 1
> > > > > >
> > > > > > This does not block the netbios name queries for ADVENT. What I do see is
> > > > > > the peer-on-demand connect and a successful connection to ADVENT from
> > > > > > ESCOM. I had thought that
> > > > > >
> > > > > > dlsw peer-on-demand-defaults host-netbios-out STOP
> > > > > >
> > > > > > would enable filtering on demand peers. But I think that this is a catch
> > > > > > 22 situation because the demand peer will not form unless the name query
> > > > > > goes through. So now I'm wondering why would you have the ability to
> > > > > > configure it this way.
> > > > > >
> > > > > > In order to block netbios name queries to ADVENT I had to put the filter
> > > > > > on the remote peer statement to the border peer.
> > > > > >
> > > > > > dlsw local-peer peer-id 5.5.5.5 group 2 promiscuous
> > > > > > dlsw remote-peer 0 tcp 1.1.1.1 host-netbios-out STOP
> > > > > > dlsw bridge-group 1
> > > > > >
> > > > > > Has anyone else done filtering like this and if so do you share my
> > > > > > observations?
> > > > > >
> > > > > > Thanks everyone
> > > > > >
> > > > > > Bob
> > > > > > **Please read:http://www.groupstudy.com/list/posting.html



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:49 GMT-3