Re: Puzzlled by the netbios and mac address access-list, need help

From: Wu Jiang (wujiang@xxxxxxxxx)
Date: Thu Jan 11 2001 - 07:17:33 GMT-3


   
Yeap. From documentation, it says:
The station names included in the access lists are compared with the source
name field for NetBIOS commands 00 and 01 (ADD_GROUP_NAME_QUERY and
ADD_NAME_QUERY), as well as the destination name field for NetBIOS commands
08, 0A, and 0E (DATAGRAM, NAME_QUERY, and NAME_RECOGNIZED).

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ibm_c/bcprt1/bcdsrb.htm#xtocid1287445

Thanks

----- Original Message -----
From: "Justin Menga" <Justin.Menga@computerland.co.nz>
To: "'Wu Jiang'" <wujiang@bj163.com>; "Justin Menga" <Justin.Menga@computerland.co.nz>
Cc: <ccielab@groupstudy.com>
Sent: Thursday, January 11, 2001 5:50 PM
Subject: RE: Puzzlled by the netbios and mac address access-list, need help

> Basically, netbios host filtering is on DESTINATION, (although it looks at
> SOURCE for some packets).
>
> So B will also work.....NOT ideal, because other router will send explorer
> traffic across network....
>
> Regards,
>
> Justin Menga CCIE #6640 MCSE+I CCSE
> WAN Specialist
> Computerland New Zealand
> PO Box 3631, Auckland
> DDI: (+64) 9 360 4864 Mobile: (+64) 25 349 599
> mailto: justin.menga@computerland.co.nz
>
>
>
> -----Original Message-----
> From: Wu Jiang [mailto:wujiang@bj163.com]
> Sent: Thursday, January 11, 2001 10:37 PM
> To: Justin Menga
> Cc: ccielab@groupstudy.com
> Subject: Re: Puzzlled by the netbios and mac address access-list, need
> help
>
>
> It makes things more clear for C and D, but I cannot figure out why A and B
> can't work. I will set up a lab to test it.
>
> Thanks,
> Wu
>
> ----- Original Message -----
> From: "Justin Menga" <Justin.Menga@computerland.co.nz>
> To: "'Wu Jiang'" <wujiang@bj163.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Thursday, January 11, 2001 4:55 PM
> Subject: RE: Puzzlled by the netbios and mac address access-list, need help
>
>
> > Only C or D will work - it really depends on the scenario. E.g. C cuts Host
> > C away from ANY DLSW peer - whereas D only allows Host B to access Host A.
> >
> > Regards,
> >
> > Justin Menga CCIE #6640 MCSE+I CCSE
> > WAN Specialist
> > Computerland New Zealand
> > PO Box 3631, Auckland
> > DDI: (+64) 9 360 4864 Mobile: (+64) 25 349 599
> > mailto: justin.menga@computerland.co.nz
> >
> >
> >
> > -----Original Message-----
> > From: Wu Jiang [mailto:wujiang@bj163.com]
> > Sent: Thursday, January 11, 2001 8:33 PM
> > Cc: ccielab@groupstudy.com
> > Subject: Re: Puzzlled by the netbios and mac address access-list, need
> > help
> >
> >
> > In D, should it be host-netbios-out? Or if you want to permit only one mac
> > address (of hostA), you can use dest-mac option to simplify configuration.
> > I would prefer C and D because they don't send unwanted traffic over the WAN
> > link. Using C, even explorer packets are filtered.
> >
> > ----- Original Message -----
> > From: "Jiang" <jianggx@transcentury.com.cn>
> > To: <ccielab@groupstudy.com>
> > Sent: Thursday, January 11, 2001 2:18 PM
> > Subject: Puzzlled by the netbios and mac address access-list, need help
> >
> >
> > > Hello,
> > >
> > > I think the dlsw is my weakness, especially about the access-list,
> > > I try to find more information about them, but I am still very
> > > puzzled. For example, if I have the topology just like the following:
> > >
> > >      ethernet          hdlc          ethernet
> > > hostA--------Router1----------Router2---------hostB
> > >         |
> > >         |
> > >       hostC
> > >
> > > Now I want hosts on the ethernet of Router2 to only access hostA on the
> > > ethernet of Router1. Router1 and Router2 are configured as dlsw+ peers.
> > > I think I can use the following methods to get it, but I am not sure
> > > which one is right, and if more than one is right, which one is the
> > > best? And what is the difference among them?
> > >
> > > A:
> > > on Router1
> > > netbios access-list host test permit hostA
> > > netbios access-list host test deny *
> > >
> > > interface e0
> > > netbios input-access-filter host test
> > >
> > > B:
> > > still on Router1
> > > netbios access-list host test permit hostA
> > > netbios access-list host test deny *
> > >
> > > interface e0
> > > netbios output-access-filter host test
> > >
> > > C:
> > > also on Router1
> > > dlsw icanreach netbios-name hostA
> > > dlsw icanreach netbios-exclusive
> > >
> > > D:
> > > on Router2
> > > netbios access-list host test permit hostA
> > > netbios access-list host test deny *
> > >
> > > dlsw remote-peer 0 tcp 1.1.1.1 dmac-output-list test
> > >
> > >
> > > As for A and B, I found in documentation that input-access-filter is based
> > > on the source, the output-access-filter is based on destination. So I
> > > think A and B are all right, right? What is the difference between
> > > them? I think if I use input-access-filter, the Router2 and hostB
> > > can't know any other hosts except hostA, e.g. it can't see hostC. But if I use
> > > output-access-filter, the Router2 and hostB will see hostC too, but
> > > just can't access hostC, the packet is denied at the point where the traffic
> > > will leave the router1's ethernet. Do you think I am right or not?
> > >
> > > As for C, I think in my condition, it is the same as A. right? hostB
> > > will only see hostA.
> > >
> > > D, I think is just like B, hostB can see any host on the remote, eg
> > > hostA, hostC..., but just can access hostA.
> > >
> > > I just searched the archive, and think there are maybe more solutions, but
> > > I am really not very clear about it, and especially don't know which one I
> > > should use under different conditions. I think there is only one
> > > best solution under special conditions.
> > >
> > > Best regards,
> > > Hiler mailto:jianggx@transcentury.com.cn
> > >
> > >
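
Added example, not part of the original thread and not Cisco code: a small Python model of the rule quoted from the documentation at the top of this message, run against the host list "test" from options A, B and D. The sample frames are constructed, and the wildcard handling (case-sensitive fnmatch) is an assumption of this sketch.

```python
from fnmatch import fnmatchcase

# Command codes and the name field compared, as listed in the quoted documentation.
SOURCE_NAME_CMDS = {0x00: "ADD_GROUP_NAME_QUERY", 0x01: "ADD_NAME_QUERY"}
DEST_NAME_CMDS = {0x08: "DATAGRAM", 0x0A: "NAME_QUERY", 0x0E: "NAME_RECOGNIZED"}

# The host list "test" from the thread: permit hostA, deny everything else.
TEST_LIST = [("permit", "hostA"), ("deny", "*")]


def compared_name(command, source_name, dest_name):
    """Return the station name the list is checked against, or None."""
    if command in SOURCE_NAME_CMDS:
        return source_name
    if command in DEST_NAME_CMDS:
        return dest_name
    return None  # command is not covered by the quoted rule


def evaluate(acl, command, source_name, dest_name):
    """First matching entry wins. None: no name compared, or no entry matched."""
    name = compared_name(command, source_name, dest_name)
    if name is None:
        return None
    for action, pattern in acl:
        # Assumption: shell-style, case-sensitive wildcard matching.
        if fnmatchcase(name, pattern):
            return action
    return None


# Constructed sample frames: (command, source name, destination name).
SAMPLE_FRAMES = [
    (0x0A, "hostB", "hostA"),  # NAME_QUERY for hostA: destination name compared
    (0x0A, "hostB", "hostC"),  # NAME_QUERY for hostC: destination name compared
    (0x01, "hostC", ""),       # ADD_NAME_QUERY from hostC: source name compared
    (0x0E, "hostA", "hostB"),  # NAME_RECOGNIZED to hostB: destination name compared
    (0x15, "hostB", "hostA"),  # a command outside the quoted list
]


def run_samples():
    """Evaluate every constructed frame against the thread's list."""
    return [evaluate(TEST_LIST, *frame) for frame in SAMPLE_FRAMES]


if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, run_samples()):
        print(f"cmd={frame[0]:#04x} src={frame[1]!r} dst={frame[2]!r} -> {verdict}")
```

The model only shows which name field is looked up for each command; it says nothing about which interface or peer the list is applied to.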


