Re: Dlsw

From: ccie2be (ccie2be@nyc.rr.com)
Date: Thu Sep 30 2004 - 18:23:08 GMT-3


Mani,

I agree with you since AFAIK, with dlsw, filtering is done only in the
outbound direction.

Here's how I believe this works.

A host behind rtr B wants to talk to another host somewhere in the network -
it doesn't know where (although you do). The host sends an explorer packet.
When the explorer gets to rtr B, rtr B checks its various caches and filters
(I don't know in what order). With the filter you've configured on rtr B, rtr
B won't send that explorer packet across the WAN if it isn't allowed by your
acl - although rtr B would send the explorer out another lan interface if it
were part of the same bridge group as the interface from which the explorer
came into the rtr.

Now, if you're trying to reduce traffic on the WAN, another option is to
configure an icanreach on rtr A. When rtr A's peering session with rtr B
becomes active, during the capability exchange rtr A will tell rtr B about the
mac addresses you've configured with the icanreach command. rtr B will cache
that info and use it to cut down on unnecessary traffic so that in the future
rtr B doesn't have to forward explorer packets for those addresses it already
knows are reachable via rtr A.

One thing I don't know (at least off-hand) but would like to is this.

When the icanreach command is configured on a dlsw peer, does that mean
icanreach ONLY THOSE ADDRESSES specified in this command or does it mean "Hey
dlsw remote peers, just letting you know if you have packets for these
addresses send them directly to me. If you want to know about other addresses
I haven't mentioned, just ask and I'll tell you."

HTH, Tim

  ----- Original Message -----
  From: mani poopal
  To: ccie2be ; Scott Morris ; 'Group Study'
  Sent: Thursday, September 30, 2004 4:32 PM
  Subject: Re: Dlsw

  Hi Tim,

  Since you are reviewing dlsw I thought of asking this doubt. Assume you
want to allow only mac addresses starting with ABCD.11BB.xxxx from router B to
Router A by using an access-list (dmac-output-list) permit statement. Pls look
at the following configuration. Must this configuration be given on router A
or B?

  hosts(ABCD.11BB.xxxx)--RA----------dlsw------------RB

  access-list 701 permit ABCD.11BB.0000 0000.0000.ffff
  access-list 701 permit c000.0000.0000 0000.0000.0000

  dlsw prom-peer-defaults dmac-output-list 701

  My doubt is where to apply this command, on the remote side (router B) or
local side (router A). My assumption is for filtering we have to give this
command on the remote side, and with the icanreach command the configuration
must be given on the local side (router A). According to Karl Solie, for mac
address filtering we need the above second access list statement. Pls look and
give your feedback.
  ASSUMPTIONS: PROMISCUOUS PEERS AND NON CANONICAL MAC ADDRESS

  thanks

  Mani

  ccie2be <ccie2be@nyc.rr.com> wrote:
    Hey Mani,

    It's my understanding that whenever you must specify a mac address in the
context of dlsw, it must always be specified in Token-Ring (non-canonical)
format. This is true for any acl's or anything that requires a mac address be
specified.

    Tim
      ----- Original Message -----
      From: mani poopal
      To: Scott Morris ; 'ccie2be' ; 'Group Study'
      Sent: Thursday, September 30, 2004 1:37 PM
      Subject: RE: Dlsw

      Hi Scott,

      Whenever you want to filter any mac address in dlsw, by using the
icanreach command or filtering (by any of three methods, i.e. remote peer
statement, prom-peer default statement or peer-on-demand default statements),
do we have to change the given mac address into non canonical format (assume
in the scenario they are not specifying the mac address format, i.e. ethernet
or token ring)?

      thanks

      Mani

      Scott Morris <swm@emanon.com> wrote:
        Correct. While advertised during the peer's capabilities exchange,
        I may tell you one thing, but in your remote-peer statement to me,
        you "know better" and whatever value you have locally for our
        peering relationship overrides what I may try to tell you.

        HTH,

        Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
        CISSP, JNCIP, et al.
        IPExpert CCIE Program Manager
        IPExpert Sr. Technical Instructor
        swm@emanon.com/smorris@ipexpert.net
        http://www.ipexpert.net

        -----Original Message-----
        From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
        Of ccie2be
        Sent: Thursday, September 30, 2004 12:29 PM
        To: Group Study
        Subject: Dlsw

        Hi guys,

        I've noticed that some parameters e.g. cost, circuit weight, etc can
        be used on both the dlsw local peer and dlsw remote peer commands.

        Is it always true that if the same parameter is configured on both
        dlsw peer (local & remote), the parameter configured on the remote
        command takes precedence?

        TIA, Tim

        _______________________________________________________________________
        Subscription information may be found at:
        http://www.groupstudy.com/list/CCIELab.html


      B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
      (416)431 9929
      MANI_CCIE@YAHOO.COM


  B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
  (416)431 9929
  MANI_CCIE@YAHOO.COM




This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:51 GMT-3
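
Added example, not part of the original thread: the thread says MAC addresses in DLSw filters must be given in Token Ring (non-canonical) format, so this sketch bit-swaps an Ethernet (canonical) MAC and evaluates it against the two access-list 701 entries posted above. The function names and the sample Ethernet addresses are constructed for illustration, and it assumes 700-series mask semantics (bits set in the mask are ignored) with an implicit deny at the end.

```python
# Added example (not from the thread): bit-swap Ethernet MACs into Token Ring
# (non-canonical) order and test them against the access-list 701 entries.

def parse_mac(text):
    """Parse Cisco dotted (abcd.11bb.0001) or colon/dash notation into 6 bytes."""
    digits = "".join(c for c in text if c not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return bytes.fromhex(digits)

def swap_bit_order(mac):
    """Reverse the bit order inside each byte (canonical <-> non-canonical)."""
    return bytes(int(f"{b:08b}"[::-1], 2) for b in mac)

def to_dotted(mac):
    """Format 6 bytes in Cisco dotted notation."""
    h = mac.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))

def acl_matches(mac, address, mask):
    """Assumed 700-series rule: mask bits set to 1 are ignored, the rest must be equal."""
    return all((m & ~w) == (a & ~w) for m, a, w in zip(mac, address, mask))

ACL_701 = [  # entries as posted in the thread, already in non-canonical form
    ("permit", parse_mac("ABCD.11BB.0000"), parse_mac("0000.0000.ffff")),
    ("permit", parse_mac("c000.0000.0000"), parse_mac("0000.0000.0000")),
]

def evaluate(acl, noncanonical_mac):
    """First match wins; an unmatched address falls through to the implicit deny."""
    for action, address, mask in acl:
        if acl_matches(noncanonical_mac, address, mask):
            return action
    return "deny"

def check_ethernet_mac(text):
    """Convert a canonical (Ethernet) MAC, then evaluate it against ACL_701."""
    nc = swap_bit_order(parse_mac(text))
    return to_dotted(nc), evaluate(ACL_701, nc)

if __name__ == "__main__":
    # Constructed sample addresses, written as they would appear on Ethernet.
    for eth in ("d5b3.88dd.0080", "abcd.11bb.0001", "0300.0000.0000"):
        print(eth, "->", *check_ethernet_mac(eth))
```

The middle sample shows the failure mode the thread is circling: an address copied from the Ethernet side without bit-swapping no longer matches the ABCD.11BB prefix and falls to the implicit deny.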