From: Jonathan V Hays (jhays@jtan.com)
Date: Thu Jun 26 2003 - 12:03:13 GMT-3
Daniel,
I have had similar experiences, occasionally seeing port 2067 show up in
"debug ip packet detail".
On Monday of this week, I posted the following in response to Scott
Morris' assertion that 2067 was not used any longer, and got no
response:
<QUOTE>
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
Behalf Of Scott Morris
Sent: Monday, June 23, 2003 8:54 AM
To: polarccie@yahoo.co.uk; ccielab@groupstudy.com
Subject: RE: RE: Difference between these two ( QoS)
2067 isn't really used any longer. 1981 - 1983 are used only if you
have priority configured on your DLSw peers.
Scott
--- Hmmm. I know I saw a bunch of port 2067 packets the other day in a "debug ip packet detail". I was doing a practice lab. What commands might trigger the use of port 2067?
TIA,
Jonathan
</QUOTE>
After I posted, I spent a couple of hours with DLSW in my lab but was unable to get debug to show up any port 2067 traffic. So my question for you is, could you please post your configs? And what version of IOS and what platforms are you running when 2067 appears?
I too would like to understand the exact conditions that trigger the IOS to start sending port 2067 packets.
I think the answer for the CCIE lab exam is to use "no logging console", "logging buffered", and "debug ip packet detail" to determine what ports need to be addressed in an access list, and not rely on documentation or hearsay.
Thanks,
Jonathan
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of Daniel Cisco Group Study
> Sent: Wednesday, June 25, 2003 7:58 PM
> To: ccielab@groupstudy.com
> Subject: DLSW Filtering Question
>
>
> Getting real close for me now......
>
> A quick question RE DLSW Filtering, and some revelations /
> insight to share....
>
> This has been discussed in at some length in the past, and
> most agree that the ports used by DLSW are:
>
> TCP 2065
>
> and if doing DLSW prioritisation, then add
> TCP 1981
> TCP 1982
> TCP 1983
>
> Some references have been made to TCP 2067, but my research
> indicates that Cisco does not use this port.
>
> The above list of ports appears to work well when playing
> with ACLs & DLSW. Peers come up fine.... except that I get
> the following log messages when I try and set up circuits...
>
> 18:17:36: %SEC-6-IPACCESSLOGP: list 145 denied udp
> 192.168.1.1(0) -> 192.168.4.4(2067), 5 packets
>
> What the ?
>
> I had a deeper look into this.... The Config guide makes a
> vague reference to UDP Unicast traffic at the following URL:
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ibm_c/bcprt2/bcddlsw.htm#1002245
>
> Quote:
> UDP Unicast Feature
> The UDP Unicast feature sends the SSP address resolution
> packets via UDP unicast service rather than TCP. (SSP packets
> include: CANUREACH_EX, NETBIOS_NQ_ex, NETBIOS_ANQ, and
> DATAFRAME.) The UDP unicast feature allows DLSw+ to better
> control address resolution packets and unnumbered information
> frames during periods of congestion. Previously, these frames
> were carried over TCP. TCP retransmits frames that get lost
> or delayed in transit, and hence aggravate congestion.
> Because address resolution packets and unnumbered information
> frames are not sent on a reliable transport on the LAN,
> sending them reliably over the WAN is unnecessary. By using
> UDP for these frames, DLSw+ minimizes network congestion.
>
>
> Experimentation revealed that this behaviour was quite
> correct.... I could not initiate any circuits across DLSW
> without allowing UDP 2067 through on the ACLs....
>
> It would be nice if the CD told us what the destination port
> was........ Looks like UDP 2067, with a source port of 0! (it
> mentions source port 0 earlier on in the doc).
>
> The UDP can be disabled with:
>
> dlsw udp-disable
>
>
> This puts questions in my mind...... In the LAB, I guess we
> need to add something like the following to any filters:
>
> access-list 145 permit udp any eq 0 any eq 2067
> access-list 145 permit udp any eq 2067 any eq 0
>
> Any comments? Do you think that this is a Lab gotcha? Am I
> over complicating this?
>
> By the way, I haven't seen these lines added to any solutions
> of the commercial labs that I have done...
>
> Any feed back would be appreciated.
>
> Daniel
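
The reply above recommends deriving ACL entries from what the router actually logs rather than from documentation. As an added example that is not part of the original thread, the sketch below totals denied flows from `%SEC-6-IPACCESSLOGP` lines, separates those outside the TCP port list quoted in the thread, and prints host-scoped permit lines for review. The function names, the source-port heuristic and all sample log lines except the first are assumptions made for this example.

```python
import re
from collections import Counter

# Ports the thread lists for DLSw: TCP 2065, plus TCP 1981-1983 with priority peers.
DOCUMENTED = {("tcp", 2065), ("tcp", 1981), ("tcp", 1982), ("tcp", 1983)}

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample: the first line is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = """\
18:17:36: %SEC-6-IPACCESSLOGP: list 145 denied udp 192.168.1.1(0) -> 192.168.4.4(2067), 5 packets
18:17:41: %SEC-6-IPACCESSLOGP: list 145 permitted tcp 192.168.1.1(11002) -> 192.168.4.4(2065), 12 packets
18:22:36: %SEC-6-IPACCESSLOGP: list 145 denied udp 192.168.1.1(0) -> 192.168.4.4(2067), 3 packets
18:23:02: %SEC-6-IPACCESSLOGP: list 145 denied udp 192.168.4.4(0) -> 192.168.1.1(2067), 1 packet
18:23:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
"""

def denied_flows(log_text):
    """Sum denied packet counts per (acl, proto, src, sport, dst, dport)."""
    totals = Counter()
    for m in LOG_RE.finditer(log_text):
        if m["action"] == "denied":
            key = (m["acl"], m["proto"], m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]))
            totals[key] += int(m["count"])
    return totals

def undocumented(totals):
    """Denied flows whose (protocol, destination port) is not in DOCUMENTED."""
    return Counter({k: n for k, n in totals.items() if (k[1], k[5]) not in DOCUMENTED})

def candidate_permits(totals):
    """Host-scoped permit lines for manual review, busiest flow first."""
    lines = []
    for (acl, proto, src, sport, dst, dport), _ in totals.most_common():
        # Assumption: source ports below 1024 (including the 0 seen in the
        # thread) are fixed; higher ones are ephemeral and left unmatched.
        sp = f" eq {sport}" if sport < 1024 else ""
        lines.append(f"access-list {acl} permit {proto} host {src}{sp} host {dst} eq {dport}")
    return lines

if __name__ == "__main__":
    for line in candidate_permits(undocumented(denied_flows(SAMPLE_LOG))):
        print(line)
```
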
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:11:10 GMT-3