Re: Dlsw

From: mani poopal (mani_ccie@yahoo.com)
Date: Thu Sep 30 2004 - 18:38:43 GMT-3


Thanks Tim,
 
According to Karl Solie, the recommended way of filtering is to use the icannotreach command, because if you use the icanreach command only the addresses/netbios/sap specified by the command are exchanged during the capabilities exchange, and any other query (mac/netbios or sap) not specified by the icanreach command is not sent by the remote dlsw peers. So if you are going to filter by icanreach/icannotreach, it is wise to use the icannotreach command. Tim, I think if you use the mac or netbios exclusive keyword, you are specifying only one (1) mac or netbios address.

Mani

ccie2be <ccie2be@nyc.rr.com> wrote:
Mani,
 
I agree with you since AFAIK, with dlsw, filtering is done only in the outbound direction.
 
Here's how I believe this works.
 
A host behind rtr B wants to talk to another host somewhere in the network - it doesn't know where (although you do). The host sends an explorer packet. When the explorer gets to rtr B, rtr B checks its various caches and filters (I don't know in what order). With the filter you've configured on rtr B, rtr B won't send that explorer packet across the WAN if it isn't allowed by your acl - although rtr B would send the explorer out another lan interface if it were part of the same bridge group as the interface from which the explorer came into the rtr.
 
Now, if you're trying to reduce traffic on the WAN, another option is to configure an icanreach on rtr A. When rtr A's peering session with rtr B becomes active, during the capability exchange rtr A will tell rtr B about the mac addresses you've configured with the icanreach command. rtr B will cache that info and use it to cut down on unnecessary traffic, so that in the future rtr B doesn't have to forward explorer packets for those addresses it already knows are reachable via rtr A.
 
One thing I don't know (at least off-hand) but would like to is this.
 
When the icanreach command is configured on a dlsw peer, does that mean icanreach ONLY THOSE ADDRESSES specified in this command or does it mean "Hey dlsw remote peers, just letting you know if you have packets for these addresses send them directly to me. If you want to know about other addresses I haven't mentioned, just ask and I'll tell you."
 
HTH, Tim
 
 
----- Original Message -----
From: mani poopal
To: ccie2be ; Scott Morris ; 'Group Study'
Sent: Thursday, September 30, 2004 4:32 PM
Subject: Re: Dlsw

Hi Tim,
 
Since you are reviewing dlsw I thought of asking this doubt. Assume you want to allow only mac addresses starting with ABCD.11BB.xxxx from router B to router A by using an access-list (dmac-output-list permit statement). Pls look at the following configuration. Must this configuration be given on router A or B?
 
hosts(ABCD.11BB.xxxx)--RA----------dlsw------------RB
 
access-list 701 permit ABCD.11BB.0000 0000.0000.ffff
access-list 701 permit c000.0000.0000 0000.0000.0000
 
dlsw prom-peer-defaults dmac-output-list 701
 
My doubt is where to apply this command, on the remote side (router B) or the local side (router A). My assumption is that for filtering we have to give this command on the remote side, and with the icanreach command the configuration must be given on the local side (router A). According to Karl Solie, for mac address filtering we need the above second access-list statement. Pls look and give your feedback.
ASSUMPTIONS: PROMISCUOUS PEERS AND NON-CANONICAL MAC ADDRESS
 
thanks
 
Mani
 

ccie2be <ccie2be@nyc.rr.com> wrote:
Hey Mani,
 
It's my understanding that whenever you must specify a mac address in the context of dlsw, it must always be specified in Token-Ring (non-canonical) format. This is true for any acls or anything that requires a mac address to be specified.
 
Tim
----- Original Message -----
From: mani poopal
To: Scott Morris ; 'ccie2be' ; 'Group Study'
Sent: Thursday, September 30, 2004 1:37 PM
Subject: RE: Dlsw

Hi Scott,
 
Whenever you want to filter any mac address in dlsw, by using the icanreach command or filtering (by any of the three methods, i.e. remote-peer statement, prom-peer-defaults statement or peer-on-demand-defaults statement), do we have to change the given mac address into non-canonical format (assume in the scenario they are not specifying the mac address format, i.e. ethernet or token ring)?
 
thanks
 
Mani

Scott Morris <swm@emanon.com> wrote:
Correct. While advertised during the peer's capabilities exchange, I may
tell you one thing, but in your remote-peer statement to me, you "know
better" and whatever value you have locally for our peering relationship
overrides what I may try to tell you.

HTH,

Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIP, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Thursday, September 30, 2004 12:29 PM
To: Group Study
Subject: Dlsw

Hi guys,

I've noticed that some parameters, e.g. cost, circuit weight, etc., can be used
on both the dlsw local-peer and dlsw remote-peer commands.

Is it always true that if the same parameter is configured on both dlsw peer
(local & remote), the parameter configured on the remote command takes
precedence?

TIA, Tim
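The thread above turns on two things that are easy to get wrong when verifying a dmac-output-list: converting an Ethernet (canonical) MAC into the Token-Ring (non-canonical) bit order that DLSw filters expect, and evaluating a 700-series access list with its wildcard masks and implicit deny. The following is an added example written for this archive page, not code from any poster or from Cisco; it reproduces access-list 701 exactly as posted and assumes the standard first-match, implicit-deny semantics. The Ethernet-format host addresses it checks are constructed sample values.

```python
# Added example: check an Ethernet-format MAC against the DLSw MAC access list
# from the thread (700-series ACL: address + wildcard mask, first match wins,
# implicit deny) after converting it to non-canonical (Token Ring) bit order.

def parse_mac(text: str) -> bytes:
    """Parse 'ABCD.11BB.0000', 'ab:cd:11:bb:00:00' or 'ab-cd-11-bb-00-00' into 6 bytes."""
    hexdigits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes.fromhex(hexdigits)

def fmt_mac(mac: bytes) -> str:
    """Render 6 bytes in Cisco dotted form, e.g. 'abcd.11bb.0000'."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def to_noncanonical(mac: bytes) -> bytes:
    """Reverse the bit order of every byte: canonical (Ethernet) -> non-canonical (Token Ring).
    The operation is its own inverse, so it also converts back."""
    return bytes(int(f"{b:08b}"[::-1], 2) for b in mac)

def parse_acl(lines):
    """Turn 'access-list 701 permit ABCD.11BB.0000 0000.0000.ffff' lines into entries."""
    acl = []
    for line in lines:
        parts = line.split()
        if len(parts) == 5 and parts[0] == "access-list":
            acl.append((parts[2], parse_mac(parts[3]), parse_mac(parts[4])))
    return acl

def acl_matches(acl, mac: bytes) -> str:
    """Return the action of the first matching entry; wildcard bit 1 means 'don't care'."""
    for action, addr, wild in acl:
        if all(((m ^ a) & (w ^ 0xFF)) == 0 for m, a, w in zip(mac, addr, wild)):
            return action
    return "deny"  # implicit deny at the end of every access list

# Access list 701 exactly as posted in the thread (addresses are already non-canonical).
ACL_701 = parse_acl([
    "access-list 701 permit ABCD.11BB.0000 0000.0000.ffff",
    "access-list 701 permit c000.0000.0000 0000.0000.0000",
])

def check_host(ethernet_mac: str) -> str:
    """Convert an Ethernet-format MAC to non-canonical form and report the ACL verdict."""
    return acl_matches(ACL_701, to_noncanonical(parse_mac(ethernet_mac)))

if __name__ == "__main__":
    for host in ("d5b3.88dd.0102", "0000.0c12.3456", "0300.0000.0000"):  # constructed samples
        print(host, "->", fmt_mac(to_noncanonical(parse_mac(host))), check_host(host))
```

Note that the filter only passes d5b3.88dd.xxxx hosts because their non-canonical form is abcd.11bb.xxxx; feeding the Ethernet form to the ACL directly would silently deny them.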



This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:51 GMT-3