From: Daniel Cisco Group Study (danielcgs@imc.net.au)
Date: Wed Jun 25 2003 - 20:58:12 GMT-3
Getting real close for me now......
A quick question RE DLSW Filtering, and some revelations / insight to share....
This has been discussed at some length in the past, and most agree that the ports used by DLSW are:
TCP 2065
and if doing DLSW prioritisation, then add
TCP 1981
TCP 1982
TCP 1983
Some references have been made to TCP 2067, but my research indicates that Cisco does not use this port.
The above list of ports appears to work well when playing with ACLs & DLSW. Peers come up fine.... except that I get the following log messages when I try and set up circuits...
18:17:36: %SEC-6-IPACCESSLOGP: list 145 denied udp 192.168.1.1(0) -> 192.168.4.4(2067), 5 packets
What the ?
I had a deeper look into this.... The Config guide makes a vague reference to UDP Unicast traffic at the following URL:
Quote:
UDP Unicast Feature
The UDP Unicast feature sends the SSP address resolution packets via UDP unicast service rather than TCP. (SSP packets include: CANUREACH_EX, NETBIOS_NQ_ex, NETBIOS_ANQ, and DATAFRAME.) The UDP unicast feature allows DLSw+ to better control address resolution packets and unnumbered information frames during periods of congestion. Previously, these frames were carried over TCP. TCP retransmits frames that get lost or delayed in transit, and hence aggravate congestion. Because address resolution packets and unnumbered information frames are not sent on a reliable transport on the LAN, sending them reliably over the WAN is unnecessary. By using UDP for these frames, DLSw+ minimizes network congestion.
Experimentation revealed that this behaviour was quite correct.... I could not initiate any circuits across DLSW without allowing UDP 2067 through on the ACLs....
It would be nice if the CD told us what the destination port was........ Looks like UDP 2067, with a source port of 0! (it mentions source port 0 earlier on in the doc).
The UDP can be disabled with:
dlsw udp-disable
This puts questions in my mind...... In the LAB, I guess we need to add something like the following to any filters:
access-list 145 permit udp any eq 0 any eq 2067
access-list 145 permit udp any eq 2067 any eq 0
Any comments? Do you think that this is a Lab gotcha? Am I overcomplicating this?
By the way, I haven't seen these lines added to any solutions of the commercial labs that I have done...
Any feedback would be appreciated.
Daniel
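A small Python helper, added here and not part of Daniel's post or of any Cisco tool, that parses IOS %SEC-6-IPACCESSLOGP lines, names which DLSw+ traffic (TCP 2065, TCP 1981-1983, UDP 2067, as listed in the post) a denied entry refers to, and produces the matching permit entries in the style of the post's access-list lines. The regex, the function names and the TCP sample line in the comments are my own assumptions; the UDP log line is the one quoted above.

```python
import re
# DLSw+ ports as discussed in the post: TCP 2065 for the peer connection,
# TCP 1981-1983 when peer prioritisation is configured, and UDP 2067 for the
# SSP address-resolution packets sent by the UDP Unicast feature.
DLSW_PORTS = {
    ("tcp", 2065): "DLSw+ peer connection",
    **{("tcp", p): "DLSw+ prioritised peer" for p in (1981, 1982, 1983)},
    ("udp", 2067): "DLSw+ UDP unicast (SSP address resolution)",
}
# Matches the IOS %SEC-6-IPACCESSLOGP format (assumed regex), e.g.
# "list 145 denied udp 192.168.1.1(0) -> 192.168.4.4(2067), 5 packets"
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

def parse_ipaccesslog(line):
    """Return the fields of an IPACCESSLOGP entry as a dict, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "count"):
        entry[key] = int(entry[key])
    return entry

def classify_dlsw_deny(line):
    """Name the DLSw+ traffic a denied entry refers to (either direction), else None."""
    entry = parse_ipaccesslog(line)
    if entry is None or entry["action"] != "denied":
        return None
    for port in (entry["dport"], entry["sport"]):
        if (entry["proto"], port) in DLSW_PORTS:
            return DLSW_PORTS[(entry["proto"], port)]
    return None

def acl_fix_for(line):
    """ACL lines, in the post's style, permitting the denied DLSw+ flow both ways.
    The source port is matched only when fixed (0 for UDP unicast, as in the post's
    log); TCP peer sessions use an ephemeral source port, so it is left unmatched."""
    entry = parse_ipaccesslog(line)
    if entry is None or classify_dlsw_deny(line) is None:
        return []
    acl, proto, sport, dport = (entry[k] for k in ("acl", "proto", "sport", "dport"))
    src_match = f" eq {sport}" if sport == 0 else ""
    return [
        f"access-list {acl} permit {proto} any{src_match} any eq {dport}",
        f"access-list {acl} permit {proto} any eq {dport} any{src_match}",
    ]
```

Feeding the log line from the post through acl_fix_for yields exactly the two access-list 145 entries proposed above; a TCP 2065 deny yields entries without a source-port match.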
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:11:09 GMT-3