Re: DLSW

From: Chris Larson (clarson52@comcast.net)
Date: Fri May 14 2004 - 10:53:46 GMT-3


If the requirement said no inbound or for example said make sure no traffic
flows between host a and b then I would think you would have to use
icannotreach mac-address or else at a minimum you would receive an explorer
frame for that host. With the icannotreach mac you will receive no traffic.

Chris

----- Original Message -----
From: "Ahmed Mustafa" <ahmed.mustafa@sbcglobal.net>
To: "Chris Larson" <clarson52@comcast.net>; <ccielab@groupstudy.com>
Sent: Thursday, May 13, 2004 8:05 PM
Subject: Re: DLSW

> so it means,
>
> If the requirement is for the inbound then one must use icanreach or
> icantreach and for the outbound access-list 200.
>
> Does icanreach or icantreach commands also have implicit deny statement at
> the end?
>
> Regards,
> ----- Original Message -----
> From: "Chris Larson" <clarson52@comcast.net>
> To: "Ahmed Mustafa" <ahmed.mustafa@sbcglobal.net>; <ccielab@groupstudy.com>
> Sent: Thursday, May 13, 2004 4:30 PM
> Subject: Re: DLSW
>
>
> > If you use icanreach or icantreach commands, they are exchanged when the
> > dlsw is set up during capabilities exchange. When you use an icannotreach
> > for example, the remote end won't even bother sending anything to you for
> > that addy. With an access-list however, the remote will send you traffic
> > even though it ends up being blocked on the return by your list.
> >
> > Chris
> >
> >
> >
> >
> > ----- Original Message -----
> > From: "Ahmed Mustafa" <ahmed.mustafa@sbcglobal.net>
> > To: <ccielab@groupstudy.com>
> > Sent: Thursday, May 13, 2004 3:20 PM
> > Subject: DLSW
> >
> >
> > > Can someone please clear this confusion?
> > >
> > > In DLSW, there are more than two options to filtering traffic such as
> > > one could use
> > >
> > > 1) access-list 200 for filtering SNA and Netbios SAPS
> > >
> > > 2) Icanreach SAP commands
> > >
> > > 3) Icannotreach SAP commands
> > >
> > > 4) Icanreach mac-address
> > >
> > > 5) Icannotreach mac-address.
> > >
> > >
> > > If I were to filter netbios saps, I could either use
> > >
> > >
> > > access-list 200 deny 0xf0f0 0x0101 and attach to the remote peer by
> > > using LSAP-FILTER-OUTPUT.
> > >
> > > or
> > >
> > > I could simply do
> > >
> > > icanreach sap 00 04 08 0C-----------> This will permit SNA SAPs, and
> > > deny Netbios SAPs F0.
> > >
> > >
> > > I just can't understand when to use which filtering.
> > >
> > >
> > > Regards,
> > >
> > >
> > > Ahmed
> > >
> > >
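
Added example, not part of the original thread: a Python model of how a type-code access list in the 200 range, such as the `access-list 200 deny 0xf0f0 0x0101` line quoted above, is evaluated first-match with a wildcard mask and an implicit deny at the end. The trailing permit entry, the sample SAP pairs and all function names are assumptions made for illustration.

```python
# Model of first-match evaluation for an LSAP (type-code) access list.
# Each entry is (action, value, wildcard). The 16-bit value is the
# DSAP/SSAP pair; a 1 bit in the wildcard means "ignore this bit".

def entry_matches(value, wildcard, lsap):
    """True if lsap equals value on every bit the wildcard does not ignore."""
    care = ~wildcard & 0xFFFF
    return (lsap & care) == (value & care)

def evaluate(acl, dsap, ssap):
    """Return 'permit' or 'deny' for one frame's DSAP/SSAP pair."""
    lsap = (dsap << 8) | ssap
    for action, value, wildcard in acl:
        if entry_matches(value, wildcard, lsap):
            return action          # first matching entry wins
    return "deny"                  # implicit deny when nothing matched

# The list exactly as quoted in the thread: a single deny entry.
ACL_AS_POSTED = [("deny", 0xF0F0, 0x0101)]

# Same list with an explicit permit-everything entry appended (assumption:
# this is what is needed for SNA SAPs to survive the implicit deny).
ACL_WITH_PERMIT = ACL_AS_POSTED + [("permit", 0x0000, 0xFFFF)]

# Constructed sample frames: (description, DSAP, SSAP)
SAMPLES = [
    ("NetBIOS command",  0xF0, 0xF0),
    ("NetBIOS response", 0xF0, 0xF1),  # low-order bit set in the SSAP
    ("SNA 04/04",        0x04, 0x04),
    ("SNA 08/04",        0x08, 0x04),
]

def report(acl):
    """Map each sample description to the ACL's decision."""
    return {name: evaluate(acl, d, s) for name, d, s in SAMPLES}

if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED),
                       ("with permit", ACL_WITH_PERMIT)):
        print(label, report(acl))
```

The wildcard 0x0101 ignores the low-order bit of each SAP byte, so the one deny entry covers F0F0, F0F1, F1F0 and F1F1.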



This archive was generated by hypermail 2.1.4 : Wed Jun 02 2004 - 11:12:12 GMT-3