RE: dlsw icanreach

From: ccie2be (ccie2be@nyc.rr.com)
Date: Sat Mar 05 2005 - 09:50:31 GMT-3


Hi Scott,

Thanks for chiming in on this thread. I think I understand this now but let
me make sure.

Assume for these examples rtr-1 is peering with rtr-2 and all configs are
done on rtr-1.

If only the command, icanreach netbios-name <name>, is used, then rtr-2 will
forward explorers for all other resources except the name(s) specified. In
this case, rtr-2 will know about the netbios host(s) specified on rtr-1 but
this doesn't mean or imply that the specified host(s) are the ONLY hosts
reachable via rtr-1.

If the command icanreach netbios-exclusive is added, then rtr-2 will NOT
forward explorers for any resources to rtr-1 because rtr-2 knows exactly
what can and can NOT be reached via rtr-1.

The same logic applies if icanreach mac-addr is used instead.

If the command, icanreach sap F0 is used, the logic is a bit different.
When sap is used, this is referring to a type of traffic (or hosts
supporting this type of traffic). Therefore, when sap F0 is specified, it
means that ONLY netbios hosts can be reached - peers shouldn't bother to
send explorers for sna hosts because no sna hosts are reachable via rtr-1.

So far, so good?

I still have one remaining question. Let's say I don't know the sap to use
for sna traffic (which I don't).

Are the following commands equivalent?

icannotreach sap F0 =? icanreach sap (sna traffic)

The above should be true if in the world of dlsw there are only 2 types of
traffic: netbios or sna. But, I don't know if that's true.

Also, suppose the lab requirement were something like this:

Configure your network such that only sna traffic transits the network
between rtr-1 and rtr-2. And, there's an IBM mainframe attached to rtr-1.

If I used, icannotreach sap F0, would that lose me points?

Thanks, Tim

-----Original Message-----
From: swm@emanon.com [mailto:swm@emanon.com]
Sent: Friday, March 04, 2005 9:35 PM
To: ccie2be; 'Steve Connolly'
Cc: Group Study
Subject: RE: dlsw icanreach

Actually, it's a little backwards....

The "dlsw icanreach" command is used to populate the tables sent during peer
capabilities or "canureach" requests. It is what you tell people who want
to ask you questions.

If you use the netbios-exclusive, that has to do with a host entry. And
that says to the peer, I can reach this host and only this/these hosts, so
don't ask me about any other.

The SAP will be the one that says I only know about netbios. The icanreach
netbios-exclusive is about hosts and it doesn't rule out mac reachability.

HTH,

Scott

---- Message from "ccie2be" <ccie2be@nyc.rr.com> at 2005-03-04 17:11:37 ------
>Hey Steve,
>
>Thanks for your response and that link. It's a good link. I've studied it
>quite a bit.
>
>But, the CR and that link don't really address my question.
>
>The way I understand it, when dlsw icanreach sap F0 is configured on a dlsw
>peer, it only prevents explorers from other peers for that particular sap.
>If other peers need to reach an SNA, they'll send out explorers looking for
>the SNA host.
>
>My question was whether I could use the dlsw icanreach netbios-exclusive
>command in this scenario so that peers of this router will NOT send
>explorers for SNA traffic because they know that this peer can only reach
>netbios hosts.
>
>TIA, Tim
>
> _____
>
>From: Steve Connolly [mailto:sconnolly@aisnets.com]
>Sent: Friday, March 04, 2005 4:59 PM
>To: ccie2be
>Subject: RE: dlsw icanreach
>
>When using the icanreach saps command, the sap that you list is the only sap
>type that will be reachable through the peer.
>
>This is from the cisco web site:
>
>Configuring the dlsw icanreach saps command is useful when you know exactly
>what type of traffic is allowed and you want to make sure that all other
>traffic is denied. For example, when you configure dlsw icanreach saps 4,
>you are explicitly denying all saps except 0x04 (and 0x05, the response).
>
>Check out this link. It is a good reference for filtering dlsw traffic.
>
>http://www.cisco.com/warp/public/697/dlswfilter.shtml#sapfilter3
>
>Steve Connolly
>
>-----Original Message-----
>From: nobody@groupstudy.com on behalf of ccie2be
>Sent: Fri 3/4/2005 3:45 PM
>To: Group Study
>Cc:
>Subject: dlsw icanreach
>
>Hi guys,
>
>Does this config make sense?
>
>I want to advertise that this peer can only reach netbios hosts.
>
>dlsw icanreach sap F0
>
>dlsw icanreach netbios-exclusive
>
>I'm not sure if the netbios-exclusive command can be used in this way or if
>this command is only good when one host is specified.
>
>Can someone let me know?
>
>TIA, Tim
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html


