From: Volkov, Dmitry (Toronto - BCE) (dmitry_volkov@ca.ml.com)
Date: Fri Sep 13 2002 - 14:31:41 GMT-3
> -----Original Message-----
> From: baganini@attbi.com [mailto:baganini@attbi.com]
> Sent: Friday, September 13, 2002 1:06 PM
> To: beda jain
> Cc: ccielab@groupstudy.com
> Subject: RE: DLSW netbios filter from beda
>
>
> Hi,
>
> If you want one particular host to reach the remote WAN
> link, it can be done the way shown in the article. This
Sorry,
This is not right.

PC2-------R1------WAN----Rn------PC1

If you have some of the following commands on R1:

R1#
dlsw remote-peer 0 tcp a.b.c.d host-netbios-out TEST
OR dlsw peer-on-demand-defaults host-netbios-out TEST
OR dlsw prom-peer-defaults host-netbios-out TEST

Access-list TEST:
netbios access-list host TEST deny PC1
netbios access-list host TEST deny PC2
netbios access-list host TEST permit *

This will NOT prevent PC2 from connecting to anywhere, and, likewise, anything
can connect to PC1.
PC2 can NOT connect to PC1 only
PC2 can connect to any other PCx, and any other PCx can connect to PC1

Dmitry
> stops traffic from other hosts from going to one
> particular dlsw peer. This configuration, however,
> cannot stop the peer from seeing other netbios hosts in the
> reachability table.
>
>
> --
> CCIE# 7003
> Director of Research & Development
> thouma@cyscoexpert.com
>
> CyscoExpert, Inc.
> 4433 W. Touhy Ave.
> LincolnWood, IL 60712
> info@cyscoexpert.com
> Ph:(847) 674-3392
> FX:(847) 674-2625
> > Hi,
> >
> > I am talking about the link example on host-netbios-out. Please go to the
> > link below.
> > http://www.cisco.com/warp/public/cc/pd/ibsw/ibdlsw/tech/dls4_rg.htm
> >
> > At 04:02 PM 9/13/2002 +0000, baganini@attbi.com wrote:
> > > From what I understand, in the configuration you have,
> > >the filter will not filter out the reachability table.
> > >It will filter out the netbios traffic that is destined
> > >to R2. If your "icanreach" statement were on R2, R6
> > >will see all the hosts that R2 can reach, not
> > >confirmed though. Then when a host on R6 wants to send
> > >traffic to a host other than CISCO on R2, the filter
> > >will do its work at this time.
> > >
> > >
> > >--
> > >CCIE# 7003
> > >Director of Research & Development
> > >thouma@cyscoexpert.com
> > >
> > >CyscoExpert, Inc.
> > >4433 W. Touhy Ave.
> > >LincolnWood, IL 60712
> > >info@cyscoexpert.com
> > >Ph:(847) 674-3392
> > >FX:(847) 674-2625
> > > > Hi,
> > > >
> > > > I also understand the same way you understand, but after reading this link
> > > > I got confused.
> > > >
> > > > Could somebody clarify this? How can we allow only a particular local
> > > > host to access the remote WAN link?
> > > >
> > > > Thanks,
> > > > Beda
> > > >
> > > >
> > > >
> > > > Figure 4-2 shows the configuration required to allow any NetBIOS host with
> > > > a name starting with "sales" to access the WAN, but not allow any other
> > > > servers (for example, Engserv01 or Acctserv02) to access the WAN. This can
> > > > be done for security reasons or to limit the traffic across the WAN link.
> > > > By applying the access lists to the remote peers instead of the local
> > > > interfaces, you allow traffic to be locally bridged.
> > > >
> > > > Figure 4-2: Using Filtering to Limit the Broadcasts and Network Access of
> > > > Individual NetBIOS Servers
> > > >
> > > >
> > > >
> > > > At 06:02 PM 9/12/2002 -0400, Volkov, Dmitry (Toronto - BCE) wrote:
> > > > >Here is how I understand this:
> > > > >
> > > > >1)dlsw remote-peer 0 tcp 172.17.59.137 host-netbios-out CISCO
> > > > >permits sending NETBIOS traffic from 172.17.59.69 to host CISCO through peer
> > > > >172.17.59.137
> > > > >
> > > > >2)dlsw icanreach netbios-name CISCO
> > > > >tells all peers connected to this peer 172.17.59.69 that this local peer
> > > > >can reach host CISCO, i.e. remote peers peering with this peer won't send
> > > > >explorers to find where they can send traffic to CISCO, but will send
> > > > >traffic towards 172.17.59.69 destined to CISCO. Other peers will know
> > > > >that CISCO is reachable via 172.17.59.69
> > > > >
> > > > >Please correct me if I'm wrong
> > > > >
> > > > >Dmitry
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Guoqi Cui [mailto:guoqicui@yahoo.com]
> > > > > > Sent: Thursday, September 12, 2002 5:14 PM
> > > > > > To: ccielab@groupstudy.com
> > > > > > Subject: DLSW netbios filter
> > > > > >
> > > > > >
> > > > > > Hi, Group:
> > > > > >
> > > > > > > I am configuring DLSW netbios filter and have a
> > > > > > > problem
> > > > > > > with the operation.
> > > > > >
> > > > > > R6-----------------R2
> > > > > >
> > > > > > in R6:
> > > > > >
> > > > > > netbios access-list host CISCO permit CISCO
> > > > > >
> > > > > > dlsw local-peer peer-id 172.17.59.69 promiscuous
> > > > > > > dlsw remote-peer 0 tcp 172.17.59.137 host-netbios-out CISCO
> > > > > > > dlsw remote-peer 0 tcp 172.17.59.138 backup-peer 172.17.59.137 linger 8
> > > > > > dlsw icanreach netbios-exclusive
> > > > > > dlsw icanreach netbios-name ABC
> > > > > > dlsw icanreach netbios-name CISCO
> > > > > > dlsw icanreach netbios-name CISCOA
> > > > > > dlsw icanreach netbios-name ACISCOA
> > > > > > dlsw bridge-group 1
> > > > > >
> > > > > > in R2
> > > > > > source-bridge ring-group 1000
> > > > > > dlsw local-peer peer-id 172.17.59.137 promiscuous
> > > > > > dlsw bridge-group 1
> > > > > >
> > > > > > I want to see only CISCO in R2, somehow I can see all
> > > > > > of them.
> > > > > >
> > > > > > r2#sh dlsw re
> > > > > > r2#sh dlsw reachability
> > > > > > > DLSw Local MAC address reachability cache list
> > > > > > > Mac Addr        status     Loc.    port           rif
> > > > > > > 0008.de81.990e  FOUND      LOCAL   TBridge-001    --no rif--
> > > > > > >
> > > > > > > DLSw Remote MAC address reachability cache list
> > > > > > > Mac Addr        status     Loc.    peer
> > > > > > > 0006.907f.fba0  FOUND      REMOTE  172.17.59.69(2065)
> > > > > > >
> > > > > > > DLSw Local NetBIOS Name reachability cache list
> > > > > > > NetBIOS Name    status     Loc.    port           rif
> > > > > > >
> > > > > > > DLSw Remote NetBIOS Name reachability cache list
> > > > > > > NetBIOS Name    status     Loc.    peer
> > > > > > > ABC             UNCONFIRM  REMOTE  172.17.59.69(2065)
> > > > > > > ACISCOA         UNCONFIRM  REMOTE  172.17.59.69(2065)
> > > > > > > CISCO           UNCONFIRM  REMOTE  172.17.59.69(2065)
> > > > > > > CISCOA          UNCONFIRM  REMOTE  172.17.59.69(2065)
> > > > > >
> > > > > >
> > > > > > What is wrong with my configuration?
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Guoqi
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > __________________________________________________
> > > > > > Do you Yahoo!?
> > > > > > Yahoo! News - Today's headlines
> > > > > > http://news.yahoo.com
This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:51 GMT-3
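
Added example (not written by any poster in this thread and not Cisco code): a small evaluator for "netbios access-list host" entries, run over the lists posted above, to show which names a list permits independently of what the reachability cache displays. It assumes first-match evaluation with an implicit deny at the end, a trailing "*" matching any suffix and "?" matching one character; the list name SALES and the test names PC3 and sales01 are made up for illustration.

```python
import re

# Constructed sample: the two lists posted in the thread, plus a "sales*" list
# written from the quoted Figure 4-2 description (list name SALES is made up).
CONFIG = """\
netbios access-list host CISCO permit CISCO
netbios access-list host TEST deny PC1
netbios access-list host TEST deny PC2
netbios access-list host TEST permit *
netbios access-list host SALES permit sales*
"""
# Names R6 advertises with "dlsw icanreach netbios-name" in the original post.
ADVERTISED = ["ABC", "CISCO", "CISCOA", "ACISCOA"]

def parse_host_list(config, list_name):
    """Return the ordered (action, pattern) entries of one host list."""
    entries = []
    for line in config.splitlines():
        w = line.split()
        if len(w) == 6 and w[:3] == ["netbios", "access-list", "host"] \
                and w[3] == list_name and w[4] in ("permit", "deny"):
            entries.append((w[4], w[5]))
    return entries

def pattern_matches(pattern, name):
    """Assumed wildcard rules: trailing '*' = any suffix, '?' = one character."""
    suffix = pattern.endswith("*")
    body = pattern[:-1] if suffix else pattern
    rx = "".join("." if c == "?" else re.escape(c) for c in body)
    return re.fullmatch(rx + (".*" if suffix else ""), name, re.S) is not None

def evaluate(entries, name):
    """First matching entry decides; no match falls to an assumed implicit deny."""
    for action, pattern in entries:
        if pattern_matches(pattern, name):
            return action
    return "deny"

def filter_report(config, list_name, names):
    """Map each name to the action the named list would take on it."""
    entries = parse_host_list(config, list_name)
    return {name: evaluate(entries, name) for name in names}

if __name__ == "__main__":
    for lst, names in (("CISCO", ADVERTISED), ("TEST", ["PC1", "PC2", "PC3"]),
                       ("SALES", ["sales01", "Engserv01", "Acctserv02"])):
        print(lst, filter_report(CONFIG, lst, names))
```

Under these assumptions the CISCO list permits only the exact name CISCO out of the four advertised names, which is a separate question from the four entries shown in R2's reachability cache.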