RE: ICANREACH Mac-Exclusive

From: Mahmud, Yasser (YMahmud@Solutions.UK.ATT.com)
Date: Fri Dec 06 2002 - 22:45:57 GMT-3


Hi,
Yep, there's a lot of confusion out there with DLSW, mainly because it isn't
really thoroughly covered in books, and some of the Cisco CCO documents are
not correct, which creates confusion.

I've found just configuring ICANREACH commands (excluding saps, which is very
powerful) does absolutely nothing in terms of functionality.

The reason for configuring mac-exclusive is that when you use mac-exclusive
on a router it implements security by using a local filter for both inbound
and outbound DLSW packets, based on destination MAC address and source MAC
address respectively.
In addition, the router receiving the MAC exclusive parameter from a peer
during capabilities exchange will create a filter towards that peer.

Example:

other peers
|
|
R1---------------------------R2

R2 has the MAC address 4000.3745.0000 mask ffff.ffff.ffff (in non-canonical
format) and others.

        If R2 is configured for just ICANREACH mac-address 4000.3745.0000 mask
ffff.ffff.ffff, then R1 will get this info. So for any explorers for
4000.3745.0000 mask ffff.ffff.ffff it will check its reachability just for
<FOUND> entries, and in this case if there is no prior communication with
4000.3745.0000 mask ffff.ffff.ffff then it will send an explorer to all DLSW
peers, i.e. R2 + other peers (even though it has the entry as <UNCONFIRMED> in
its reachability table via R2). R2 will send locally and send the response
back. For other MAC addresses it will do the same, i.e. send explorers to R2
+ other peers if not in the reachability table (so no real benefit of just using
ICANREACH commands).

        If R2 is configured for just ICANREACH mac-address 4000.3745.0000 mask
ffff.ffff.ffff as well as dlsw icanreach mac-exclusive, then R1 will get
this info. So for any explorers for 4000.3745.0000 mask ffff.ffff.ffff it
will check its reachability just for <FOUND> entries, and in this case if
there is no prior communication with 4000.3745.0000 mask ffff.ffff.ffff then
it will send to all DLSW peers, i.e. R2 + other peers (even though it has the
entry as <UNCONFIRMED> in its reachability table). R2 will send locally and
send the response back.
        For other MAC addresses it will not do the same, because now R1
uses a filter for its peer connection to R2, and the only MACs that pass
the filter are the destination MACs received from R2 during capabilities
exchange with R2.
        In addition, R2 will also use a MAC filter on the inbound DLSW connection
based on destination address and an outbound MAC filter based on source
addresses, which means that the other hosts local to R2 won't be able to pass
through DLSW due to the outbound MAC filter based on source address.

        Note: You can disable this local filter on R2 by using the <remote>
keyword, so the only filter that applies is on R1 towards R2.

        HTH
        Yasser Mahmud


> -----Original Message-----
> From: Joe Chang [SMTP:changjoe@earthlink.net]
> Sent: Friday, December 06, 2002 10:34 PM
> To: ccielab@groupstudy.com
> Subject: Re: ICANREACH Mac-Exclusive
>
> Whoa, there's an incredible degree of different ideas about these two
> issues
> going on in our mailing list. There have been previous posts stating the
> exact opposite of what either of you two gentlemen have written!
>
> ----- Original Message -----
> From: <Sam.MicroGate@usa.telekom.de>
> To: <ybae@cisco.com>; <ccielab@groupstudy.com>
> Sent: Friday, December 06, 2002 6:04 PM
> Subject: RE: ICANREACH Mac-Exclusive
>
>
> > Hello,
> >
> > 1- The mac-exclusive has nothing to do with the deny statement at the
> end.
> > It is just telling the remote peer do not send me any explorer packet
> for
> > any other mac address. All I know is mac address 4000.3745.0000. Nothing
> > else.
> >
> > 2- True you have to change the mac add from its canonical to
> non-canonical
> > format.
> >
> > Sam
> >
> > -----Original Message-----
> > From: Young K. Bae [mailto:ybae@cisco.com]
> > Sent: Friday, December 06, 2002 4:29 PM
> > To: ccielab@groupstudy.com
> > Subject: ICANREACH Mac-Exclusive
> >
> >
> > A quick sanity check on the ICANREACH statement:
> >
> > dlsw icanreach mac-exclusive
> > dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
> >
> > 1. According to the documentation, there is an 'implicit deny-all'
> within
> > the ICANREACH <mac-address> statement. If that's true, why would one
> need
> > to configure 'dlsw icanreach mac-exclusive'?
> >
> > 2. Considering above configuration, if the device (MAC 4000.3745.0000)
> > resides on an Ethernet segment, the true MAC address of the device is
> > 0200.ECA2.0000, correct?
> >
> > TIA,
> > .
.
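The two points the thread keeps circling back to, the canonical/non-canonical bit-order conversion (4000.3745.0000 on Token Ring is 0200.ECA2.0000 on Ethernet, as Young and Sam discuss) and the peer-side filter that mac-exclusive makes R1 apply toward R2 (as Yasser describes), worked through as an added Python example that is not part of any post in the thread. The function names and the list-of-(mac, mask) representation of R2's advertised ICANREACH entries are my own; the MAC values are the ones from the thread.

```python
"""DLSw helpers: MAC bit-order swap and an ICANREACH mac-exclusive filter model."""


def parse_mac(text: str) -> bytes:
    """Accept Cisco dotted (4000.3745.0000), colon or hyphen MAC notation."""
    digits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def format_cisco(mac: bytes) -> str:
    """Render six bytes in Cisco's xxxx.xxxx.xxxx form (lower-case hex)."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def swap_bit_order(text: str) -> str:
    """Convert canonical (Ethernet) <-> non-canonical (Token Ring) form.

    The two forms differ only in the bit order inside each byte, so the
    conversion is a per-byte bit reversal and is its own inverse.
    """
    swapped = bytes(int(f"{b:08b}"[::-1], 2) for b in parse_mac(text))
    return format_cisco(swapped)


def icanreach_allows(dest: str, entries, mac_exclusive: bool) -> bool:
    """Model R1's decision to forward an explorer for `dest` toward peer R2.

    `entries` are the (mac-address, mask) pairs R2 advertised with ICANREACH
    during the capabilities exchange. Without mac-exclusive R1 applies no
    filter and the explorer goes to R2 regardless; with it, only destinations
    matching an advertised entry under its mask pass toward R2.
    """
    if not mac_exclusive:
        return True
    d = parse_mac(dest)
    for mac, mask in entries:
        m, k = parse_mac(mac), parse_mac(mask)
        if all((x & bit) == (y & bit) for x, y, bit in zip(d, m, k)):
            return True
    return False


if __name__ == "__main__":
    r2_entries = [("4000.3745.0000", "ffff.ffff.ffff")]  # R2's advertised entry
    print("Ethernet form:", swap_bit_order("4000.3745.0000"))
    for dest in ("4000.3745.0000", "4000.3745.0001"):
        print(dest, "-> R2:", icanreach_allows(dest, r2_entries, True))
```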



This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:40 GMT-3