From: Bob Chahal (bob.chahal@xxxxxxxxxxxx)
Date: Mon Aug 13 2001 - 11:27:30 GMT-3
Hi Luke,
This is my take on filters and I'll test this out to be sure tonight. In the
meantime I'll stick my neck out.
The following

    dlsw remote-peer 0 tcp 2.2.2.2 dmac-output-list 700
    access-list 700 permit 00c0.f400.d0f8 0000.0000.0000

allows local devices to connect to the device with the above mac address on
the remote peer. In your scenario this is not what you want to do, and what you
will find is you cannot connect to host 3 on the ethernet segment from the
token ring segment either.
Watch the wrap but this is what Cisco have to say.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/ibm_c
/bcprt2/bcdlsw.htm
If you wanted to prevent any devices on the ethernet accessing host 2 you
can either put the following on r2.

    dlsw remote-peer 0 tcp 1.1.1.1 dmac-output-list
    access-list 700 permit 00c0.f400.d0f8 0000.0000.0000

or you can put the following on r1

    dlsw remote-peer 0 tcp 2.2.2.2
    dlsw icanreach 00c0.f400.d0f8 ffff.ffff.ffff
    dlsw icanreach mac-exclusive

As far as bitswapping is concerned it depends on what you are trying to
achieve. Let's take your specific scenario but include another host 4 on the
ethernet. Let us say that you want remote-peer 1.1.1.1 to be able to connect
to Host 3 mac addr 1234.1234.1234 ONLY. When using the dlsw icanreach
command you will have to bitswap, i.e.

    dlsw remote-peer 0 tcp 1.1.1.1
    dlsw icanreach 482c.482c.482c
    dlsw icanreach mac-exclusive

If you wanted token-ring devices (Host1 and 2) to only connect to Host 3
(which has a canonical mac addr of 1234.1234.1234), on R1 you would
configure

    dlsw remote-peer 0 tcp 2.2.2.2 dmac-output-list 700
    access-list 700 permit 482c.482c.482c 0000.0000.0000

You can follow the logic if you consider what is happening when host 2
connects with host3. Let's just say they are netbios stations. Host sends a
netbios name_query for Host3. The explorer returns with mac addr of host3 but
this will be in non-canonical format. So if you want to filter output
destination mac addrs you need to filter on the non-canonical format of the
ethernet device, host3.
Also if your peers were both attached to ethernets then you would have to
bitswap when creating dlsw filters. This applies to both icanreach and
dmac-output-list.
I hope this makes sense and I stand to be corrected :-)
Bob
----- Original Message -----
From: "Luke" <luke.mendoza@home.com>
To: <ccielab@groupstudy.com>
Sent: Monday, August 13, 2001 7:18 AM
Subject: dmac-output questions - dlsw
> Hello group,
>
> Here is what I have....
>
>
> host 1 , host 2 ------- tokenring ------- R1 <----serial-----> R2 ------ ethernet ------ Host 3
>
> Host 1 and Host 2 are attached to the tokenring segment of R1
> Host 3 is attached to the ethernet segment of R2
>
>
> R1 and R2 are dlsw peered (tcp)
>
> I am trying to filter host 1 and allowing host 2 from the token ring R1 to
> communicate to Host 3
>
> I am trying to do this using dmac-output-list
>
> sample config R1
>
> dlsw local-peer peer-id 1.1.1.1
> dlsw remote-peer 0 tcp 2.2.2.2 dmac-output-list 700
>
> access-list 700 permit 00c0.f400.d0f8 0000.0000.0000 (this is the mac
> address of host 2's token ring card)
>
> It doesn't seem to work... Do I need to bit-swap the mac address of host 2 ??
>
> I have always thought that bitswapping is done for the icanreach mac-address
> so that during the peer capabilities exchange it would allow the ethernet
> host to understand the mac address.
>
> In this case, my understanding is that dmac-output-list is to be used for
> permit/deny the mac-address from R1 to R2....
>
>
> Please help!
> **Please read:http://www.groupstudy.com/list/posting.html
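
The bit-swapping discussed in this thread, as an added example that is not part of the original posts: it converts a MAC address between canonical (ethernet) and non-canonical (token ring) form by reversing the bits in each byte, and checks whether a 700-series access-list line actually matches the bit-swapped form of an intended host. The helper names are hypothetical, and the mask is treated as a wildcard (1 bits ignored).

```python
import re

MAC_RE = r"[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2}"
ACL_RE = re.compile(
    rf"access-list\s+(\d+)\s+(permit|deny)\s+({MAC_RE})\s+({MAC_RE})\s*$")


def parse_mac(mac):
    """Parse a Cisco dotted MAC (xxxx.xxxx.xxxx) into a 48-bit integer."""
    if not re.fullmatch(MAC_RE, mac):
        raise ValueError(f"not a dotted MAC address: {mac!r}")
    return int(mac.replace(".", ""), 16)


def format_mac(value):
    """Format a 48-bit integer back into Cisco dotted notation."""
    h = f"{value:012x}"
    return ".".join(h[i:i + 4] for i in (0, 4, 8))


def bitswap(mac):
    """Reverse the bit order inside every byte. The operation is its own
    inverse, so it converts canonical <-> non-canonical in either direction."""
    raw = parse_mac(mac).to_bytes(6, "big")
    swapped = bytes(int(f"{b:08b}"[::-1], 2) for b in raw)
    return format_mac(int.from_bytes(swapped, "big"))


def acl_matches_host(acl_line, canonical_mac):
    """True if the ACL entry's address/mask covers the bit-swapped
    (non-canonical) form of canonical_mac."""
    m = ACL_RE.match(acl_line.strip())
    if not m:
        raise ValueError(f"not a MAC access-list line: {acl_line!r}")
    addr, mask = parse_mac(m.group(3)), parse_mac(m.group(4))
    target = parse_mac(bitswap(canonical_mac))
    # Bits set in the mask are "don't care"; all other bits must be equal.
    return ((addr ^ target) & ~mask & 0xFFFFFFFFFFFF) == 0


if __name__ == "__main__":
    host3 = "1234.1234.1234"  # canonical address of Host 3 from the thread
    print(host3, "->", bitswap(host3))
    # Constructed sample lines: bit-swapped, not swapped, and mistyped.
    for line in ("access-list 700 permit 482c.482c.482c 0000.0000.0000",
                 "access-list 700 permit 1234.1234.1234 0000.0000.0000",
                 "access-list 700 permit 482c.482c.282c 0000.0000.0000"):
        print(line, "=>", acl_matches_host(line, host3))
```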