RE: DLSW netbios filter from beda

From: beda jain (bpjain@cisco.com)
Date: Fri Sep 13 2002 - 15:06:59 GMT-3


Hi,

If you are not allowed to configure in the Central router, how will you do that?

Thanks,
Beda
At 12:54 PM 9/13/2002 -0400, Volkov, Dmitry (Toronto - BCE) wrote:
>Beda,
>
>About this: How can we allow only a particular local host to access the
>remote WAN link?
>
>http://www.cisco.com/warp/public/697/dlswfilter.shtml#macfilter2
>With the dlsw icanreach mac-exclusive command configured at the central
>router, you ensure that only packets destined to the MAC addresses
>previously defined (in this case 4000.3745.0000) are allowed at the central
>location.
>
>Note that this filtering information is exchanged between all the DLSw+
>peers using CapExId messages. You save WAN bandwidth by configuring the
>filtering information at the central location, even though the actions (such
>as blocking frames) occur at the remote routers themselves.
>
>So, devices that are not specified in "icanreach" will not be allowed to make
>outgoing connections.
>
>There is another useful feature:
>
>http://www.cisco.com/warp/public/697/dlswfilter.shtml#macfilter4
><http://www.cisco.com/warp/public/697/dlswfilter.shtml>
>
>dlsw icanreach mac-exclusive remote
>dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
>
>With the remote keyword we allow other devices at the central router (THAT
>ARE NOT specified in the dlsw icanreach mac-address command) to make
>outgoing connections.
>
>
>Dmitry
>
>-----Original Message-----
>From: beda jain [mailto:bpjain@cisco.com]
>Sent: Friday, September 13, 2002 10:22 AM
>To: Volkov, Dmitry (Toronto - BCE); 'Guoqi Cui'
>Cc: ccielab@groupstudy.com
>Subject: RE: DLSW netbios filter from beda
>
>
>Hi,
>
>I also understand it the same way you do, but after reading this link I
>got confused.
>
>Could somebody clarify this? How can we allow only a particular local host
>to access the remote WAN link?
>
>Thanks,
>Beda
>
>http://www.cisco.com/warp/public/cc/pd/ibsw/ibdlsw/tech/dls4_rg.htm
>
>Figure 4-2 shows the configuration required to allow any NetBIOS host with a
>name starting with "sales" to access the WAN, but not allow any other
>servers (for example, Engserv01 or Acctserv02) to access the WAN. This can
>be done for security reasons or to limit the traffic across the WAN link. By
>applying the access lists to the remote peers instead of the local
>interfaces, you allow traffic to be locally bridged.
>
>Figure 4-2: Using Filtering to Limit the Broadcasts and Network Access of
>Individual NetBIOS Servers
>
>
>
>At 06:02 PM 9/12/2002 -0400, Volkov, Dmitry (Toronto - BCE) wrote:
>
>
>Here is how I understand this:
>
>1)dlsw remote-peer 0 tcp 172.17.59.137 host-netbios-out CISCO
>permits sending NETBIOS traffic from 172.17.59.69 to host CISCO through peer
>172.17.59.137
>
>2)dlsw icanreach netbios-name CISCO
>tells all peers connected to this peer 172.17.59.69 that this local peer
>can reach host CISCO, i.e. remote peers peering with this peer won't send
>explorers to find where they can send traffic to CISCO, but will send
>traffic towards 172.17.59.69 destined to CISCO. Other peers will know
>that CISCO is reachable via 172.17.59.69
>
>Please correct me if I'm wrong
>
>Dmitry
>
>
> > -----Original Message-----
> > From: Guoqi Cui [mailto:guoqicui@yahoo.com]
> > Sent: Thursday, September 12, 2002 5:14 PM
> > To: ccielab@groupstudy.com
> > Subject: DLSW netbios filter
> >
> >
> > Hi, Group:
> >
> > I am configuring a DLSW netbios filter and have a problem
> > with the operation.
> >
> > R6-----------------R2
> >
> > in R6:
> >
> > netbios access-list host CISCO permit CISCO
> >
> > dlsw local-peer peer-id 172.17.59.69 promiscuous
> > dlsw remote-peer 0 tcp 172.17.59.137 host-netbios-out CISCO
> > dlsw remote-peer 0 tcp 172.17.59.138 backup-peer 172.17.59.137 linger 8
> > dlsw icanreach netbios-exclusive
> > dlsw icanreach netbios-name ABC
> > dlsw icanreach netbios-name CISCO
> > dlsw icanreach netbios-name CISCOA
> > dlsw icanreach netbios-name ACISCOA
> > dlsw bridge-group 1
> >
> > in R2
> > source-bridge ring-group 1000
> > dlsw local-peer peer-id 172.17.59.137 promiscuous
> > dlsw bridge-group 1
> >
> > I want to see only CISCO in R2, somehow I can see all
> > of them.
> >
> > r2#sh dlsw re
> > r2#sh dlsw reachability
> > DLSw Local MAC address reachability cache list
> > Mac Addr        status     Loc.    port            rif
> > 0008.de81.990e  FOUND      LOCAL   TBridge-001     --no rif--
> >
> > DLSw Remote MAC address reachability cache list
> > Mac Addr        status     Loc.    peer
> > 0006.907f.fba0  FOUND      REMOTE  172.17.59.69(2065)
> >
> > DLSw Local NetBIOS Name reachability cache list
> > NetBIOS Name    status     Loc.    port            rif
> >
> > DLSw Remote NetBIOS Name reachability cache list
> > NetBIOS Name    status     Loc.    peer
> > ABC             UNCONFIRM  REMOTE  172.17.59.69(2065)
> > ACISCOA         UNCONFIRM  REMOTE  172.17.59.69(2065)
> > CISCO           UNCONFIRM  REMOTE  172.17.59.69(2065)
> > CISCOA          UNCONFIRM  REMOTE  172.17.59.69(2065)
> >
> >
> > What is wrong with my configuration?
> >
> > Thanks,
> >
> > Guoqi
> >



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:51 GMT-3
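
A way to check whether a NetBIOS name filter like the one discussed in this thread is taking effect is to parse the peer's `show dlsw reachability` output and list every remotely learned name that is not on the intended allowlist. The following is an added example, not code from the thread or from Cisco; the function names are hypothetical, the sample is an excerpt of the output posted in the original question, and the parser assumes the section headers appear exactly as in that output.

```python
import re

# Excerpt of the output posted in the thread (r2#sh dlsw reachability), e-mail line wraps kept.
SAMPLE = """\
DLSw Local MAC address reachability cache list
Mac Addr status Loc. port
rif
0008.de81.990e FOUND LOCAL TBridge-001
--no rif--

DLSw Remote MAC address reachability cache list
Mac Addr status Loc. peer
0006.907f.fba0 FOUND REMOTE 172.17.59.69(2065)

DLSw Remote NetBIOS Name reachability cache list
NetBIOS Name status Loc. peer
ABC UNCONFIRM REMOTE 172.17.59.69(2065)
ACISCOA UNCONFIRM REMOTE 172.17.59.69(2065)
CISCO UNCONFIRM REMOTE 172.17.59.69(2065)
CISCOA UNCONFIRM REMOTE 172.17.59.69(2065)
"""

SECTION = re.compile(r"^DLSw (Local|Remote) (MAC address|NetBIOS Name) reachability cache list$")
# Entry row: key, upper-case status word, LOCAL/REMOTE, then port or peer(port).
# Column headers and wrapped "rif" fragments do not match and are skipped.
ENTRY = re.compile(r"^(\S+)\s+([A-Z_]+)\s+(LOCAL|REMOTE)\s+(\S+)")

def parse_reachability(text):
    """Return {(scope, kind): [(key, status, location), ...]} per cache section."""
    cache, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            kind = "mac" if m.group(2).startswith("MAC") else "netbios"
            current = (m.group(1).lower(), kind)
            cache[current] = []
            continue
        e = ENTRY.match(line)
        if current and e:
            cache[current].append((e.group(1), e.group(2), e.group(4)))
    return cache

def unexpected_remote_names(text, allowed):
    """Map peer IP -> sorted NetBIOS names learned from it that are not in `allowed`."""
    findings = {}
    for name, _status, peer in parse_reachability(text).get(("remote", "netbios"), []):
        if name not in allowed:
            findings.setdefault(peer.split("(")[0], []).append(name)
    return {peer: sorted(names) for peer, names in findings.items()}

print(unexpected_remote_names(SAMPLE, {"CISCO"}))
```
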