From: Bob Sinclair (bsin@cox.net)
Date: Mon May 31 2004 - 18:57:18 GMT-3
Tomasz,
Quote below from the config guide appears to mean that in order to filter
OUTgoing explorers, you need to do dest-mac or dmac-output-list on the
remote-peer command.
quote
The dest-mac option permits the connection to be established only when there
is an explorer frame destined for the specified MAC address. The
dmac-output-list option permits the connection to be established only when
the explorer frame passes the specified access list. To permit access to a
single MAC address, use the dest-mac option, because it is a configuration
"shortcut" compared to the dmac-output-list option.
end quote
Bob Sinclair
CCIE #10427, CISSP, MCSE
www.netmasterclass.net
----- Original Message -----
From: "Tomasz Szymanski" <tomasz.szymanski@trecom.pl>
To: "CCIE2B" <sumit.kumar@comcast.net>; <ccielab@groupstudy.com>
Sent: Monday, May 31, 2004 4:23 PM
Subject: Re: Netbios access lists /DLSW
> Sorry, but it's not a clear answer to me.
>
> I would like to know if the command "dlsw icannotreach saps F0" on
> router X prevents router X from sending explorer frames in response to
> netbios queries in its local Ethernet interface?
>
>
> CCIE2B wrote:
>
> >Check out the Dlsw filtering doc at
> >http://www.netmasterclass.net/site/lib.php#
> >It will answer your first question.
> >
> >For second question DLSW is a peer relationship based protocol, with
> >access-lists and SAP filters you are providing/blocking access of remote
> >DLSW peer to local resources. You may block certain resources like netbios
> >SAPS to a peer and allow to others. Somewhat like bgp neighbors.
> >
> >
> >----- Original Message -----
> >From: "Tomasz Szymanski" <tomasz.szymanski@trecom.pl>
> >To: <ccielab@groupstudy.com>
> >Sent: Monday, May 31, 2004 12:20 PM
> >Subject: Netbios access lists /DLSW
> >
> >
> >
> >
> >>Hi All,
> >>
> >>I would like to ask if someone can give me clear answers to 2 questions:
> >>
> >>1. In netbios access-list how should I permit any host?
> >>
> >>netbios access-list host test permit *
> >>
> >>or
> >>
> >>netbios access-list host test permit ?*
> >>
> >>Somewhere I saw that * cannot be used at the beginning of host name. Is
> >>that true?
> >>
> >>
> >>2. When there is a task to block Netbios traffic on the router what
> >>would be the correct solution
> >>
> >> a) dlsw icannotreach saps F0
> >>
> >> b) dlsw icannotreach saps F0
> >> + lsap-output-list denying netbios
> >>
> >> for example:
> >> dlsw remote-peer 0 tcp x.x.x.x lsap-output-list 200
> >> access-list 200 deny 0xF0F0 0x0101
> >> access-list 200 permit 0x0000 0xFFFF
> >>
> >>My question is:
> >> Does "dlsw icannotreach saps F0" block outgoing netbios traffic also?
> >>
> >>_______________________________________________________________________
> >>Please help support GroupStudy by purchasing your study materials from:
> >>http://shop.groupstudy.com
> >>
> >>Subscription information may be found at:
> >>http://www.groupstudy.com/list/CCIELab.html
>
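The two remote-peer forms described in the config-guide quote in Bob Sinclair's reply, written out as an added example that is not part of the original thread or of the guide. The peer address 192.0.2.1, the MAC address 4000.0000.0001 and list number 700 are constructed placeholders.

```cisco
! Added example (not from the thread); address, MAC and list number are placeholders.
!
! Form 1: dest-mac shortcut. The peer connection is established only for an
! explorer frame destined for this one MAC address.
dlsw remote-peer 0 tcp 192.0.2.1 dest-mac 4000.0000.0001
!
! Form 2: the same single-MAC restriction expressed with dmac-output-list.
! List 700 is a MAC address access list; an all-zero mask matches the address
! exactly, and the implicit deny at the end of the list rejects every other
! destination.
access-list 700 permit 4000.0000.0001 0000.0000.0000
dlsw remote-peer 0 tcp 192.0.2.1 dmac-output-list 700
```

The two forms are alternatives for the same peer; adding further permit lines to list 700 is what dmac-output-list allows and dest-mac does not.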
This archive was generated by hypermail 2.1.4 : Wed Jun 02 2004 - 11:12:19 GMT-3