Re: RE: RE: DLSW netbios filter from beda (SEARCH IS GREAT !!!)

From: Prakash H Somani (pdsccie@rediffmail.com)
Date: Tue Sep 17 2002 - 10:28:04 GMT-3


Thanks Dmitry...

It clarifies everything....I'm not confused now.

Regards...Prakash

On Sun, 15 Sep 2002 Volkov, Dmitry (Toronto - BCE) wrote :
>
>Prakash,
>
>There is Fred Ingham posting:
>
>http://www.groupstudy.com/archives/ccielab/200206/msg02066.html
>
>Also Caslow book pages 652, 658: DLSW+ operates in non-canonical format and
>conversion happens when frame is delivered to ethernet interface or
>coming from ethernet interface
>
>Dmitry
>
> > -----Original Message-----
> > From: Prakash H Somani [mailto:pdsccie@rediffmail.com]
> > Sent: Sunday, September 15, 2002 9:31 AM
> > To: Volkov,Dmitry(Toronto - BCE)
> > Cc: ccielab@groupstudy.com; 'beda jain'; 'Guoqi Cui'
> > Subject: Re: RE: DLSW netbios filter from beda
> >
> >
> >
> > Hi Dmitry,
> >
> > I have marked couple of things in this link:
> >
> > 1. He is using direct non-canonical address in icanreach and ACL.
> >
> > But he has not mentioned anywhere that if we want icanreach for
> > Ethernet, should we use canonical or noncanonical ?
> >
> > regards...Prakash
> > On Fri, 13 Sep 2002 Volkov, Dmitry (Toronto - BCE) wrote :
> > >Beda,
> > >
> > >About this: How we can allow only a particular local host to access to
> > >remote wan link ?
> > >
> > >http://www.cisco.com/warp/public/697/dlswfilter.shtml#macfilter2
> > >
> > >With the dlsw icanreach mac-exclusive command configured at the central
> > >router, you ensure that only packets destined to the MAC addresses
> > >previously defined (in this case 4000.3745.0000) are allowed at the central
> > >location.
> > >
> > >Note that this filtering information is exchanged between all the DLSw+
> > >peers using CapExId messages. You save WAN bandwidth by configuring the
> > >filtering information at the central location, even though the actions (such
> > >as blocking frames) occur at the remote routers themselves.
> > >
> > >So, devices that are not specified in "icanreach" will not be allowed to make
> > >outgoing connections.
> > >
> > >There is another useful feature:
> > >
> > >http://www.cisco.com/warp/public/697/dlswfilter.shtml#macfilter4
> > >
> > >dlsw icanreach mac-exclusive remote
> > >dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
> > >
> > >With the remote keyword we allow other devices at the central router (THAT
> > >ARE NOT specified in the dlsw icanreach mac-address command) to make
> > >outgoing connections.
> > >
> > >
> > >Dmitry
> > >
> > >-----Original Message-----
> > > From: beda jain [mailto:bpjain@cisco.com]
> > >Sent: Friday, September 13, 2002 10:22 AM
> > >To: Volkov, Dmitry (Toronto - BCE); 'Guoqi Cui'
> > >Cc: ccielab@groupstudy.com
> > >Subject: RE: DLSW netbios filter from beda
> > >
> > >
> > >Hi,
> > >
> > >I also understand the same way you understand, but after reading this link I
> > >got confused.
> > >
> > >Could somebody clarify this. How we can allow only a particular local host
> > >to access to remote wan link.
> > >
> > >Thanks,
> > >Beda
> > >
> > >http://www.cisco.com/warp/public/cc/pd/ibsw/ibdlsw/tech/dls4_rg.htm
> > >
> > >Figure 4-2 shows the configuration required to allow any NetBIOS host with a
> > >name starting with "sales" to access the WAN, but not allow any other
> > >servers (for example, Engserv01 or Acctserv02) to access the WAN. This can
> > >be done for security reasons or to limit the traffic across the WAN link. By
> > >applying the access lists to the remote peers instead of the local
> > >interfaces, you allow traffic to be locally bridged.
> > >
> > >Figure 4-2: Using Filtering to Limit the Broadcasts and Network Access of
> > >Individual NetBIOS Servers
> > >
> > >
> > >
> > >At 06:02 PM 9/12/2002 -0400, Volkov, Dmitry (Toronto - BCE) wrote:
> > >
> > >
> > >here how I understand this:
> > >
> > >1)dlsw remote-peer 0 tcp 172.17.59.137 host-netbios-out CISCO
> > >permits sending NETBIOS traffic from 172.17.59.69 to host CISCO through peer
> > >172.17.59.137
> > >
> > >2)dlsw icanreach netbios-name CISCO
> > >tells all peers connected to this peer 172.17.59.69 that this local peer
> > >can reach host CISCO, i.e. remote peers peering with this peer won't send
> > >explorers to find where they can send traffic to CISCO, but will send
> > >traffic towards to 172.17.59.69 destined to CISCO. Other peers will know
> > >that CISCO is reachable via 172.17.59.69
> > >
> > >Please correct me if I'm wrong
> > >
> > >Dmitry
> > >
> > >
> > > > -----Original Message-----
> > > > From: Guoqi Cui [mailto:guoqicui@yahoo.com]
> > > > Sent: Thursday, September 12, 2002 5:14 PM
> > > > To: ccielab@groupstudy.com
> > > > Subject: DLSW netbios filter
> > > >
> > > >
> > > > Hi, Group:
> > > >
> > > > I am configuring DLSW netbios filter and have a problem
> > > > with the operation.
> > > >
> > > > R6-----------------R2
> > > >
> > > > in R6:
> > > >
> > > > netbios access-list host CISCO permit CISCO
> > > >
> > > > dlsw local-peer peer-id 172.17.59.69 promiscuous
> > > > dlsw remote-peer 0 tcp 172.17.59.137 host-netbios-out CISCO
> > > > dlsw remote-peer 0 tcp 172.17.59.138 backup-peer 172.17.59.137 linger 8
> > > > dlsw icanreach netbios-exclusive
> > > > dlsw icanreach netbios-name ABC
> > > > dlsw icanreach netbios-name CISCO
> > > > dlsw icanreach netbios-name CISCOA
> > > > dlsw icanreach netbios-name ACISCOA
> > > > dlsw bridge-group 1
> > > >
> > > > in R2
> > > > source-bridge ring-group 1000
> > > > dlsw local-peer peer-id 172.17.59.137 promiscuous
> > > > dlsw bridge-group 1
> > > >
> > > > I want to see only CISCO in R2, somehow I can see all of them.
> > > >
> > > > r2#sh dlsw re
> > > > r2#sh dlsw reachability
> > > > DLSw Local MAC address reachability cache list
> > > > Mac Addr        status      Loc.    port            rif
> > > > 0008.de81.990e  FOUND       LOCAL   TBridge-001     --no rif--
> > > >
> > > > DLSw Remote MAC address reachability cache list
> > > > Mac Addr        status      Loc.    peer
> > > > 0006.907f.fba0  FOUND       REMOTE  172.17.59.69(2065)
> > > >
> > > > DLSw Local NetBIOS Name reachability cache list
> > > > NetBIOS Name    status      Loc.    port            rif
> > > >
> > > > DLSw Remote NetBIOS Name reachability cache list
> > > > NetBIOS Name    status      Loc.    peer
> > > > ABC             UNCONFIRM   REMOTE  172.17.59.69(2065)
> > > > ACISCOA         UNCONFIRM   REMOTE  172.17.59.69(2065)
> > > > CISCO           UNCONFIRM   REMOTE  172.17.59.69(2065)
> > > > CISCOA          UNCONFIRM   REMOTE  172.17.59.69(2065)
> > > >
> > > >
> > > > What is wrong with my configuration?
> > > >
> > > > Thanks,
> > > >
> > > > Guoqi
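
Added example, not part of the original thread or of Cisco's documentation: the canonical/non-canonical conversion mentioned above (DLSw+ working in non-canonical format, with conversion at the Ethernet interface) is a bit reversal inside each byte, and a MAC filter written in the wrong bit order simply never matches. The function names and the Ethernet host address are constructed for illustration; the mask semantics (1 bits are compared) are an assumption consistent with the ffff.ffff.ffff single-host mask quoted in the thread.

```python
import re

def parse_mac(text):
    """Accept 4000.3745.0000, 40:00:37:45:00:00 or 40-00-37-45-00-00."""
    digits = re.sub(r"[.:-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def to_cisco(mac):
    """Format 6 bytes in Cisco dotted notation (xxxx.xxxx.xxxx)."""
    h = mac.hex()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

def bitswap(mac):
    """Reverse the bit order in each byte; the same step converts both ways."""
    return bytes(int(f"{b:08b}"[::-1], 2) for b in mac)

def icanreach_line(ethernet_mac):
    """Filter line for a host whose MAC was read in Ethernet (canonical) form."""
    non_canonical = bitswap(parse_mac(ethernet_mac))
    return f"dlsw icanreach mac-address {to_cisco(non_canonical)} mask ffff.ffff.ffff"

def filter_matches(filter_mac, mask, frame_mac):
    """Assumed mask semantics: only bits set to 1 in the mask are compared."""
    f, m, x = (int.from_bytes(parse_mac(v), "big")
               for v in (filter_mac, mask, frame_mac))
    return (f & m) == (x & m)

if __name__ == "__main__":
    host = "00:00:0c:12:34:56"  # constructed sample Ethernet host address
    seen_by_dlsw = to_cisco(bitswap(parse_mac(host)))
    print(icanreach_line(host))
    # Filter typed in canonical order versus the address DLSw+ compares against.
    print("canonical filter matches:",
          filter_matches(host, "ffff.ffff.ffff", seen_by_dlsw))
    print("non-canonical filter matches:",
          filter_matches(seen_by_dlsw, "ffff.ffff.ffff", seen_by_dlsw))
    # The thread's Token Ring style address, as it would appear on Ethernet.
    print(to_cisco(bitswap(parse_mac("4000.3745.0000"))))
```
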



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:54 GMT-3