From: Chris Lewis (chrlewis) (chrlewis@cisco.com)
Date: Thu Jul 21 2005 - 19:07:52 GMT-3
This is my view. If the question just refers to DLSw, all you need be
concerned with are TCP ports 2065 and 2067. DLSw only uses UDP to reply to
multicast frames for address resolution; this is a quote from the Cisco
CD.
"DLSw Version 2 uses UDP unicast in response to an IP multicast. When
address resolution packets (CANUREACH_EX, NETBIOS_NQ_ex, NETBIOS_ANQ,
and DATAFRAME) are sent to multiple destinations (IP multicast service),
DLSw Version 2 sends the response frames (ICANREACH_ex and
NAME_RECOGNIZED_ex) via UDP unicast."
If the question refers in any way to these capabilities needing to get
through an ACL, UDP classification is also required. However, if you
configure dlsw udp-disable, this problem goes away, which may or may not
be allowed by the wording of the question :)
Chris
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
gladston@br.ibm.com
Sent: Thursday, July 21, 2005 4:41 PM
To: Chris Lewis (chrlewis)
Cc: ccielab@groupstudy.com
Subject: RE: RFC2067
Thanks a lot Chris,
Then, if I understand all of this now, we need to allow tcp 2065, tcp
2067 and udp 2067 (if not disabling UDP).
Cordially,
------------------------------------------------------------------
Gladston
"Chris Lewis (chrlewis)" <chrlewis@cisco.com>
21/07/2005 17:03
To: Alaerte Gladston Vidali/Brazil/IBM@IBMBR, <ccielab@groupstudy.com>
cc:
Subject: RE: RFC2067
Gladston,
RFC2166 (I think it was a typo listing 2067) from which you took the
quoted text is an informational RFC. Quoting from the Status of RFC2166
"This memo provides information for the Internet community. This memo
does not specify an Internet standard of any kind."
For the Cisco implementation of DLSw to occur between two routers, two
TCP connections are necessary, port 2065 is the read port number and
2067 is the write port number.
To get full marks on the exam if you have to identify DLSw in an ACL,
you need to identify TCP 2067 too.
Chris
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
gladston@br.ibm.com
Sent: Thursday, July 21, 2005 12:45 PM
To: ccielab@groupstudy.com
Subject: RFC2067
RFC2067 says:
"DLSws implementing these enhancements will use a TCP destination port
of 2067 (as opposed to RFC 1795 which uses 2065) for single session TCP
connections."
Cisco uses tcp 2065 to connect to the peer:
Rack2R4#sh dls pee
Peers:                state     pkts_rx   pkts_tx  type  drops ckts TCP   uptime
 TCP 148.5.2.1        CONNECT       274       266  prom      0    0   0 02:12:37
 TCP 148.5.1.1        CONNECT       284       292  prom      0    0   0 02:18:54
Total number of connected peers: 2
Total number of connections:     2

Rack2R4#sh tcp brief
TCB       Local Address           Foreign Address         (state)
83258FC8  148.5.4.1.11031         148.5.2.1.2065          ESTAB
83257F3C  148.5.4.1.11027         148.5.1.1.2065          ESTAB
And logging messages show there is udp port 2067 going on too:
*Mar 1 04:27:21: %SEC-6-IPACCESSLOGP: list Returning-traffic denied udp
148.5.1.1(0) (Serial0/0 ) -> 148.5.4.1(2067), 6 packets
So, it seems this is enough for Cisco DLSW to operate fine:
permit tcp any any eq 2065 (12 matches)
permit udp any any eq 2067 (15)
permit tcp any eq 2065 any log-input (568 matches)
permit udp any eq 2067 any log-input (10)
deny ip any any log-input
Would you agree?
If some day IOS strictly follows DLSW v2, tcp 2067 will be necessary.
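As an added illustration (not part of the thread), the following toy first-match evaluator for IOS extended ACL entries runs the ACL proposed above against the three DLSw flows the thread names (TCP 2065 read connection, TCP 2067 write connection, UDP 2067 unicast reply) and shows that the original entries leave the TCP 2067 write connection on the implicit deny. The flow addresses and ephemeral ports are constructed values; the UDP source port of 0 is taken from the quoted log line.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    sport: int   # source port
    dport: int   # destination port
    desc: str    # label used in the result dictionary

@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip" (ip matches both)
    eq_sport: Optional[int]  # None means "any" source port
    eq_dport: Optional[int]  # None means "any" destination port

def evaluate(acl, flow):
    """Action of the first matching entry; an IOS ACL ends with an
    implicit 'deny ip any any', which is reproduced here."""
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if ace.eq_sport is not None and ace.eq_sport != flow.sport:
            continue
        if ace.eq_dport is not None and ace.eq_dport != flow.dport:
            continue
        return ace.action
    return "deny"

# Inbound DLSw flows as seen by the router applying the ACL (constructed).
DLSW_FLOWS = [
    Flow("tcp", 11031, 2065, "read connection (RFC 1795 port)"),
    Flow("tcp", 11033, 2067, "write connection (DLSw v2 port)"),
    Flow("udp", 0, 2067, "UDP unicast reply to multicast address resolution"),
]

# ACL as proposed in the original post: only TCP 2065 and UDP 2067 permitted.
ORIGINAL_ACL = [Ace("permit", "tcp", None, 2065), Ace("permit", "udp", None, 2067)]

# ACL following the advice in the thread: TCP 2067 added for the write port.
CORRECTED_ACL = ORIGINAL_ACL + [Ace("permit", "tcp", None, 2067)]

def classify(acl, flows=DLSW_FLOWS):
    """Map each flow description to the action the ACL takes on it."""
    return {f.desc: evaluate(acl, f) for f in flows}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(name, classify(acl))
```

If `dlsw udp-disable` is configured, the UDP flow never appears and the `permit udp ... eq 2067` entry becomes unnecessary; the two TCP entries are still required.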
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3