From: Edwards, Andrew M (andrew.m.edwards@boeing.com)
Date: Thu Jul 21 2005 - 15:03:06 GMT-3
Gladston,
There is also an option to disable DLSw UDP peering:
dlsw udp-disable
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ibm_r2/ib2_d1g.htm#wp1052003
Just in case you can avoid the hassle. 8)
-----Original Message-----
From: gladston@br.ibm.com [mailto:gladston@br.ibm.com]
Sent: Thursday, July 21, 2005 10:45 AM
To: ccielab@groupstudy.com
Subject: RFC2067
RFC2067 says:
"DLSws implementing these enhancements will use a TCP destination port
of 2067 (as opposed to RFC 1795 which uses 2065) for single session
TCP connections."
Cisco uses tcp 2065 to connect to the peer:
Rack2R4#sh dls pee
Peers:                 state     pkts_rx   pkts_tx  type  drops  ckts  TCP   uptime
 TCP 148.5.2.1        CONNECT       274       266  prom      0     0    0   02:12:37
 TCP 148.5.1.1        CONNECT       284       292  prom      0     0    0   02:18:54
Total number of connected peers: 2
Total number of connections: 2
Rack2R4#sh tcp brief
TCB       Local Address           Foreign Address        (state)
83258FC8  148.5.4.1.11031         148.5.2.1.2065         ESTAB
83257F3C  148.5.4.1.11027         148.5.1.1.2065         ESTAB
And logging messages show there is UDP port 2067 going on too:
*Mar 1 04:27:21: %SEC-6-IPACCESSLOGP: list Returning-traffic denied udp 148.5.1.1(0) (Serial0/0 ) -> 148.5.4.1(2067), 6 packets
So, it seems to be enough for Cisco DLSw to operate fine:
permit tcp any any eq 2065 (12 matches)
permit udp any any eq 2067 (15)
permit tcp any eq 2065 any log-input (568 matches)
permit udp any eq 2067 any log-input (10)
deny ip any any log-input
Would you agree?
If some day IOS strictly follows DLSw v2, tcp 2067 will be necessary.
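An added example, not part of either message in this thread: a small Python script that does the check Gladston is doing by hand, parsing %SEC-6-IPACCESSLOGP lines and reporting which denied flows are on the DLSw ports discussed above (tcp/2065, udp/2067, and tcp/2067 for DLSw v2) versus something else, and proposing host-specific permit entries only for the DLSw ones. The first sample log line is the one quoted in the message; the other lines, addresses and the port set DLSW_PORTS are constructed for this example.

```python
import re
from collections import Counter

# Format of an IOS %SEC-6-IPACCESSLOGP line (the one in the thread):
#   *Mar 1 04:27:21: %SEC-6-IPACCESSLOGP: list Returning-traffic denied udp
#   148.5.1.1(0) (Serial0/0 ) -> 148.5.4.1(2067), 6 packets
# A port of 0 means the ACE that fired did not match on that port.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>[^)]*)\))? -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Ports DLSw peering is expected on, as discussed in the thread (assumption
# for this example): tcp/2065 (RFC 1795 peer sessions, what IOS uses),
# udp/2067 (seen in the log), and tcp/2067 (the DLSw v2 port the message quotes).
DLSW_PORTS = {("tcp", 2065), ("tcp", 2067), ("udp", 2067)}


def parse_log_line(line):
    """Return the fields of one ACL log line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for k in ("sport", "dport", "count"):
        e[k] = int(e[k])
    e["iface"] = (e["iface"] or "").strip()
    return e


def service_port(entry):
    """Pick the port that names the service: a DLSw port on either end wins
    (returning traffic carries it as the source port); otherwise the
    destination port, falling back to the source port if IOS logged 0."""
    proto = entry["proto"]
    for port in (entry["dport"], entry["sport"]):
        if (proto, port) in DLSW_PORTS:
            return port
    return entry["dport"] or entry["sport"]


def denied_summary(lines):
    """Aggregate denied packets per (proto, port) and flag which are DLSw."""
    totals = Counter()
    for line in lines:
        e = parse_log_line(line)
        if e is None or e["action"] != "denied":
            continue
        totals[(e["proto"], service_port(e))] += e["count"]
    return {key: {"packets": n, "dlsw": key in DLSW_PORTS}
            for key, n in totals.items()}


def suggest_acl(lines):
    """Propose host-specific permit entries for denied DLSw flows only; anything
    on another port is left for a human to look at rather than opened up."""
    aces = []
    for line in lines:
        e = parse_log_line(line)
        if e is None or e["action"] != "denied":
            continue
        port = service_port(e)
        if (e["proto"], port) not in DLSW_PORTS:
            continue
        if e["dport"] == port:   # traffic towards the peer's DLSw port
            ace = f"permit {e['proto']} host {e['src']} host {e['dst']} eq {port}"
        else:                    # returning traffic from the peer's DLSw port
            ace = f"permit {e['proto']} host {e['src']} eq {port} host {e['dst']}"
        if ace not in aces:
            aces.append(ace)
    return aces


# Constructed sample: the first line is the one quoted in the message, the
# rest are made up for this example.
SAMPLE_LOG = [
    "*Mar 1 04:27:21: %SEC-6-IPACCESSLOGP: list Returning-traffic denied udp "
    "148.5.1.1(0) (Serial0/0 ) -> 148.5.4.1(2067), 6 packets",
    "*Mar 1 04:27:40: %SEC-6-IPACCESSLOGP: list Returning-traffic denied tcp "
    "148.5.1.1(2065) (Serial0/0 ) -> 148.5.4.1(11027), 3 packets",
    "*Mar 1 04:28:02: %SEC-6-IPACCESSLOGP: list Returning-traffic denied tcp "
    "148.5.9.9(0) (Serial0/0 ) -> 148.5.4.1(23), 2 packets",
    "*Mar 1 04:28:10: %SEC-6-IPACCESSLOGP: list Returning-traffic permitted tcp "
    "148.5.2.1(2065) (Serial0/0 ) -> 148.5.4.1(11031), 40 packets",
]

if __name__ == "__main__":
    for key, info in sorted(denied_summary(SAMPLE_LOG).items()):
        tag = "DLSw" if info["dlsw"] else "NOT DLSw, review"
        print(f"{key[0]}/{key[1]:<5} denied {info['packets']:>3} packets  {tag}")
    for ace in suggest_acl(SAMPLE_LOG):
        print(ace)
```

Feed it the output of `show logging` (or the syslog collector) and the summary shows, per protocol and port, how much is being dropped; the proposed entries are tighter than the `permit ... any any` lines in the message because they are pinned to the peer addresses actually seen, and the telnet line in the sample is reported but deliberately not turned into a permit.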
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3