RE: RE: DLSW netbios filter from beda (SEARCH IS GREAT !!!)

From: Volkov, Dmitry (Toronto - BCE) (dmitry_volkov@ca.ml.com)
Date: Sun Sep 15 2002 - 13:22:17 GMT-3


Prakash,

There is a Fred Ingham posting:

http://www.groupstudy.com/archives/ccielab/200206/msg02066.html

Also Caslow book pages 652, 658: DLSW+ operates in non-canonical format and
conversion happens when a frame is delivered to an Ethernet interface or is
coming from an Ethernet interface

Dmitry

> -----Original Message-----
> From: Prakash H Somani [mailto:pdsccie@rediffmail.com]
> Sent: Sunday, September 15, 2002 9:31 AM
> To: Volkov,Dmitry(Toronto - BCE)
> Cc: ccielab@groupstudy.com; 'beda jain'; 'Guoqi Cui'
> Subject: Re: RE: DLSW netbios filter from beda
>
>
>
> Hi Dmitry,
>
> I have marked a couple of things in this link:
>
> 1. He is using direct non-canonical address in icanreach and ACL.
>
> But he has not mentioned anywhere that if we want icanreach for
> Ethernet, should we use canonical or noncanonical?
>
> regards...Prakash
> On Fri, 13 Sep 2002 Volkov, Dmitry (Toronto - BCE) wrote :
> >Beda,
> >
> >About this: How we can allow only a particular local host to access to
> >remote wan link ?
> >
> >http://www.cisco.com/warp/public/697/dlswfilter.shtml#macfilter2
> >
> >With the dlsw icanreach mac-exclusive command configured at the central
> >router, you ensure that only packets destined to the MAC addresses
> >previously defined (in this case 4000.3745.0000) are allowed at the
> >central location.
> >
> >Note that this filtering information is exchanged between all the DLSw+
> >peers using CapExId messages. You save WAN bandwidth by configuring the
> >filtering information at the central location, even though the actions
> >(such as blocking frames) occur at the remote routers themselves.
> >
> >So, devices that are not specified in "icanreach" will not be allowed to
> >make outgoing connections.
> >
> >There is another useful feature:
> >
> >http://www.cisco.com/warp/public/697/dlswfilter.shtml#macfilter4
> ><http://www.cisco.com/warp/public/697/dlswfilter.shtml>
> >
> >dlsw icanreach mac-exclusive remote
> >dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
> >
> >With the remote keyword we allow other devices at the central router
> >(THAT ARE NOT specified in the dlsw icanreach mac-address command) to
> >make outgoing connections.
> >
> >
> >Dmitry
> >
> >-----Original Message-----
> > From: beda jain [mailto:bpjain@cisco.com]
> >Sent: Friday, September 13, 2002 10:22 AM
> >To: Volkov, Dmitry (Toronto - BCE); 'Guoqi Cui'
> >Cc: ccielab@groupstudy.com
> >Subject: RE: DLSW netbios filter from beda
> >
> >
> >Hi,
> >
> >I also understand the same way you understand, but after reading this
> >link I got confused.
> >
> >Could somebody clarify this. How we can allow only a particular local
> >host to access to remote wan link.
> >
> >Thanks,
> >Beda
> >
> >http://www.cisco.com/warp/public/cc/pd/ibsw/ibdlsw/tech/dls4_rg.htm
> >
> >Figure 4-2 shows the configuration required to allow any NetBIOS host
> >with a name starting with "sales" to access the WAN, but not allow any
> >other servers (for example, Engserv01 or Acctserv02) to access the WAN.
> >This can be done for security reasons or to limit the traffic across the
> >WAN link. By applying the access lists to the remote peers instead of the
> >local interfaces, you allow traffic to be locally bridged.
> >
> >Figure 4-2: Using Filtering to Limit the Broadcasts and Network Access of
> >Individual NetBIOS Servers
> >
> >
> >
> >At 06:02 PM 9/12/2002 -0400, Volkov, Dmitry (Toronto - BCE) wrote:
> >
> >
> >Here is how I understand this:
> >
> >1) dlsw remote-peer 0 tcp 172.17.59.137 host-netbios-out CISCO
> >permits sending NETBIOS traffic from 172.17.59.69 to host CISCO through
> >peer 172.17.59.137
> >
> >2) dlsw icanreach netbios-name CISCO
> >tells all peers connected to this peer 172.17.59.69 that this local peer
> >can reach host CISCO, i.e. remote peers peering with this peer won't send
> >explorers to find where they can send traffic to CISCO, but will send
> >traffic towards 172.17.59.69 destined to CISCO. Other peers will know
> >that CISCO is reachable via 172.17.59.69
> >
> >Please correct me if I'm wrong
> >
> >Dmitry
> >
> >
> > > -----Original Message-----
> > > > From: Guoqi Cui [mailto:guoqicui@yahoo.com]
> > > Sent: Thursday, September 12, 2002 5:14 PM
> > > To: ccielab@groupstudy.com
> > > Subject: DLSW netbios filter
> > >
> > >
> > > Hi, Group:
> > >
> > > > I am configuring DLSW netbios filter and have a problem
> > > > with the operation.
> > >
> > > R6-----------------R2
> > >
> > > in R6:
> > >
> > > netbios access-list host CISCO permit CISCO
> > >
> > > dlsw local-peer peer-id 172.17.59.69 promiscuous
> > > > dlsw remote-peer 0 tcp 172.17.59.137 host-netbios-out CISCO
> > > > dlsw remote-peer 0 tcp 172.17.59.138 backup-peer 172.17.59.137 linger 8
> > > dlsw icanreach netbios-exclusive
> > > dlsw icanreach netbios-name ABC
> > > dlsw icanreach netbios-name CISCO
> > > dlsw icanreach netbios-name CISCOA
> > > dlsw icanreach netbios-name ACISCOA
> > > dlsw bridge-group 1
> > >
> > > in R2
> > > source-bridge ring-group 1000
> > > dlsw local-peer peer-id 172.17.59.137 promiscuous
> > > dlsw bridge-group 1
> > >
> > > > I want to see only CISCO in R2, somehow I can see all of them.
> > >
> > > r2#sh dlsw re
> > > r2#sh dlsw reachability
> > > DLSw Local MAC address reachability cache list
> > > > Mac Addr status Loc. port rif
> > > > 0008.de81.990e FOUND LOCAL TBridge-001 --no rif--
> > >
> > > DLSw Remote MAC address reachability cache list
> > > Mac Addr status Loc. peer
> > > 0006.907f.fba0 FOUND REMOTE 172.17.59.69(2065)
> > >
> > > DLSw Local NetBIOS Name reachability cache list
> > > > NetBIOS Name status Loc. port rif
> > >
> > > DLSw Remote NetBIOS Name reachability cache list
> > > NetBIOS Name status Loc. peer
> > > ABC UNCONFIRM REMOTE 172.17.59.69(2065)
> > > ACISCOA UNCONFIRM REMOTE 172.17.59.69(2065)
> > > CISCO UNCONFIRM REMOTE 172.17.59.69(2065)
> > > CISCOA UNCONFIRM REMOTE 172.17.59.69(2065)
> > >
> > >
> > > What is wrong with my configuration?
> > >
> > > Thanks,
> > >
> > > Guoqi
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > __________________________________________________
> > > Do you Yahoo!?
> > > Yahoo! News - Today's headlines
> > > http://news.yahoo.com <http://news.yahoo.com/>
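
The canonical/non-canonical conversion referred to at the top of this thread, as an added example that is not part of the original messages: it bit-swaps a MAC address between Ethernet (canonical) and Token Ring (non-canonical) order and checks an Ethernet host against a `dlsw icanreach mac-address` entry written in non-canonical form. The function names are hypothetical, and it assumes a 1 bit in the mask means "compare this bit".

```python
import re

def parse_mac(text):
    """Parse Cisco dotted (4000.3745.0000) or colon/dash MAC text into 6 bytes."""
    digits = re.sub(r"[.:\-]", "", text.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def format_cisco(mac):
    """Render 6 bytes in Cisco dotted notation."""
    h = mac.hex()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

def bitswap(mac):
    """Reverse the bit order inside every byte.

    The same operation converts canonical (Ethernet, LSB first) to
    non-canonical (Token Ring, MSB first) and back again.
    """
    return bytes(int(f"{b:08b}"[::-1], 2) for b in mac)

def icanreach_matches(ethernet_mac, entry_mac, entry_mask="ffff.ffff.ffff"):
    """True if an Ethernet host is covered by an icanreach mac-address entry.

    ethernet_mac: address as seen on the Ethernet segment (canonical).
    entry_mac/entry_mask: values as written in the DLSw+ config (non-canonical).
    Assumption (hypothetical helper): a 1 bit in the mask means "compare this bit".
    """
    host = bitswap(parse_mac(ethernet_mac))
    entry, mask = parse_mac(entry_mac), parse_mac(entry_mask)
    return all((h & m) == (e & m) for h, e, m in zip(host, entry, mask))

if __name__ == "__main__":
    # Constructed sample: the Ethernet-side form of the 4000.3745.0000 entry
    # quoted in the thread.
    eth = format_cisco(bitswap(parse_mac("4000.3745.0000")))
    print(eth, icanreach_matches(eth, "4000.3745.0000"))
```

An entry typed in canonical form would silently fail to match the intended Ethernet host, which is why the filter address has to be bit-swapped before it goes into the DLSw+ configuration.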



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:52 GMT-3