From: Pickell, Aaryn (Aaryn.Pickell@xxxxxxxxxxxxx)
Date: Thu May 10 2001 - 14:05:20 GMT-3
The access list was originally written to allow traffic destined for port
2065, and the log showed traffic sourced from port 2065. Reword the ACL,
and you shouldn't need to permit the gt 10000 range.
I think that DLSw is going to be like BGP: assuming that you're not using
promiscuous peers, both sides will try to establish a connection, and take
it from there.
Aaryn Pickell - CCNP ATM, CCDP, MCSE
Senior Engineer - Routing Protocols
Getronics Inc.
Direct: 713-394-1609
Email:aaryn.pickell@getronics.com
This e-mail message and any attachments are confidential and may be
privileged. If you are not the intended recipient, please notify me
immediately by replying to this message and please destroy all copies of
this message and attachments. Thank you.
> While I am on this subject, can someone verify that the dlsw
> endpoint with
> the highest ip address is the one that initiates a session
> all other things
> being equal?
>
> Johnny Dedon
> Senior Staff Consultant
> Exodus Professional Services
> johnny.dedon@exodus.net
> www.exodus.net
> ----- Original Message -----
> From: "ShahzaD Ali" <shahzad-ali@home.com>
> To: <HENDERSON_DAVE_G@Lilly.com>; "Tariq Sharif"
> <tariq_sharif@btinternet.com>
> Cc: "Ccielab@Groupstudy. Com" <ccielab@groupstudy.com>;
> <nobody@groupstudy.com>
> Sent: Thursday, May 10, 2001 9:26 AM
> Subject: RE: DLSw+ & ACL
>
>
> > Dave,
> >
> > I tried permitting 2065 and 2067 but no luck. Here is the log
> >
> > %SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11001), 1 packet
> > %SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.134.3(179) -> 140.1.134.4(11002), 1 packet
> > %SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11004), 1 packet
> > %SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11005), 1 packet
> > %SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11006), 1 packet
> > r4#
> > %SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11007), 1
> >
> > I think, I need to permit all the ports gt 11000
> >
> > Any Suggestion Folks ???
> >
> >
> > Regards,
> >
> > ShahzaD
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com]On Behalf Of
> > HENDERSON_DAVE_G@Lilly.com
> > Sent: Thursday, May 10, 2001 8:26 AM
> > To: Tariq Sharif
> > Cc: Ccielab@Groupstudy. Com; nobody@groupstudy.com; ShahzaD Ali
> > Subject: RE: DLSw+ & ACL
> >
> >
> > Try also permitting port 2067. I believe 2067 is the read port.
> >
> >
> >
> >
> > Tariq Sharif <tariq_sharif@btinternet.com>
> > Sent by: nobody@groupstudy.com
> > 05/10/01 08:03 AM
> > Please respond to Tariq Sharif
> >
> >
> > To: "Ccielab@Groupstudy. Com" <ccielab@groupstudy.com>,
> ShahzaD
> > Ali
> > <shahzad-ali@home.com>
> > cc:
> > Subject: RE: DLSw+ & ACL
> >
> > This is strange. I'm now using physical interface addresses for DLSw+ &
> > permitting port 2065 but DLSw+ doesn't come up unless I remove the ACL.
> > Here are the partial configs:
> >
> > Many thanks & regards.
> >
> > Tariq Sharif
> >
> >
> > hostname r3
> > !
> > dlsw local-peer peer-id 132.1.23.2
> > dlsw remote-peer 0 tcp 132.1.23.1
> > dlsw remote-peer 0 tcp 132.1.10.4
> > dlsw bridge-group 3
> > !
> > interface Ethernet0/0
> > ip address 132.1.50.3 255.255.255.0
> > no ip directed-broadcast
> > ipx network 50
> > bridge-group 3
> > !
> > interface Serial2/0
> > ip address 132.1.10.3 255.255.255.224
> > no ip directed-broadcast
> > encapsulation frame-relay
> > ip ospf network point-to-multipoint
> > no ip mroute-cache
> > logging event subif-link-status
> > logging event dlci-status-change
> > ipx network 134
> > frame-relay map ipx 134.0004.0004.0004 103 broadcast
> > frame-relay map ip 132.1.10.1 103 broadcast
> > frame-relay map ip 132.1.10.3 103 broadcast
> > frame-relay map ip 132.1.10.4 103 broadcast
> > frame-relay map ipx 134.0001.0001.0001 103 broadcast
> > no frame-relay inverse-arp
> > !
> > router ospf 1
> > router-id 3.3.3.3
> > area 3 virtual-link 2.2.2.2
> > timers spf 30 60
> > redistribute static metric 10 subnets
> > network 132.1.3.0 0.0.0.255 area 0
> > network 132.1.10.0 0.0.0.255 area 0
> > network 132.1.23.0 0.0.0.255 area 3
> > network 132.1.50.0 0.0.0.255 area 3
> > !
> > end
> >
> >
> > hostname r4
> > !
> > source-bridge ring-group 40
> > dlsw local-peer peer-id 132.1.10.4
> > dlsw remote-peer 0 tcp 132.1.23.2
> > !
> > interface Serial0/0
> > ip address 132.1.10.4 255.255.255.224
> > ip access-group 120 in
> > no ip directed-broadcast
> > encapsulation frame-relay
> > ip ospf network point-to-multipoint
> > no ip mroute-cache
> > logging event subif-link-status
> > logging event dlci-status-change
> > ipx network 134
> > no ipx split-horizon eigrp 1
> > frame-relay map ip 132.1.10.1 101 broadcast
> > frame-relay map ip 132.1.10.3 103 broadcast
> > frame-relay map ip 132.1.10.4 101 broadcast
> > frame-relay map ipx 134.0001.0001.0001 101 broadcast
> > frame-relay map ipx 134.0003.0003.0003 103 broadcast
> > no frame-relay inverse-arp
> > frame-relay broadcast-queue 80 240000 160
> > !
> > interface TokenRing0/0
> > ip address 132.1.40.4 255.255.255.224
> > ip access-group 110 in
> > no ip directed-broadcast
> > ipx network 40
> > ring-speed 16
> > source-bridge 2 1 40
> > source-bridge spanning
> > hold-queue 100 in
> > !
> > router ospf 1
> > router-id 4.4.4.4
> > network 132.1.4.0 0.0.0.255 area 0
> > network 132.1.10.0 0.0.0.255 area 0
> > network 132.1.40.0 0.0.0.255 area 4
> > network 222.0.0.0 0.255.255.255 area 0
> > !
> > access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq smtp
> > access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq pop2
> > access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq pop3
> > access-list 110 permit ospf any any
> > access-list 110 permit tcp any any eq bgp
> > access-list 110 permit icmp any any echo
> > access-list 110 permit icmp any any echo-reply
> > access-list 110 permit udp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq tftp
> > access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq telnet
> > access-list 110 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq www
> > access-list 120 permit ospf any any
> > access-list 120 permit tcp any any eq bgp
> > access-list 120 permit icmp any any echo
> > access-list 120 permit icmp any any echo-reply
> > access-list 120 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 established
> > access-list 120 permit tcp 132.1.52.0 0.0.0.255 132.1.40.0 0.0.0.255 eq smtp
> > access-list 120 permit tcp any any eq 2065
> > end
> >
> > -----Original Message-----
> > From: ShahzaD Ali [mailto:shahzad-ali@home.com]
> > Sent: 10 May 2001 13:47
> > To: Tariq Sharif
> > Subject: RE: DLSw+ & ACL
> >
> >
> > Use
> >
> > access-list 101 deny ip any any
> >
> > at the end of your access-list and the log will show you which
> > port is being block. I think you need to permit tcp 2065.
> >
> >
> > Regards,
> >
> > ShahzaD
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com]On Behalf Of
> > Tariq Sharif
> > Sent: Thursday, May 10, 2001 6:46 AM
> > To: Ccielab@Groupstudy. Com
> > Subject: DLSw+ & ACL
> >
> >
> > I've IP & DLSw+ running between R4 & R3 (linked with Frame). DLSw+ is
> > using loopback interfaces to communicate. I've added an ACL on R4's frame
> > interface inbound & now DLSw+ does not work! Qs:
> > 1) Are loopbacks treated differently than the router's normal interfaces
> > (because an ACL on a router does not apply to the router's own communications)?
> > 2) How can I allow DLSw+ through the ACL?
> >
> > Many thanks & regards.
> >
> > Tariq Sharif
> >
> > [GroupStudy.com removed an attachment of type application/ms-tnef which
> > had a name of winmail.dat]
**Please read:http://www.groupstudy.com/list/posting.html
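The point Aaryn makes above (the ACL permits traffic *to* port 2065, the denied packets come *from* port 2065) is easy to check mechanically. The Python below is an added example, not code from anyone in the thread: it parses %SEC-6-IPACCESSLOGP lines (the ones posted earlier, re-typed here as constructed sample input), models an IOS extended ACL entry with only the `eq` port operators (addresses are treated as `any`, as in the BGP and DLSw+ entries of ACL 120), and compares the posted `permit tcp any any eq bgp` / `eq 2065` entries against reworded ones that also match the source port. The `Flow`, `Ace`, `evaluate` and `missing_source_port_entries` names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample input: the %SEC-6-IPACCESSLOGP lines posted in the thread,
# re-typed for this example (not captured from a live router).
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11001), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.134.3(179) -> 140.1.134.4(11002), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11004), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 140.1.2.2(2065) -> 140.1.4.4(11005), 1 packet
"""

LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_log(text: str) -> List[Flow]:
    """One Flow per IPACCESSLOGP line. Prompts, blank lines and a truncated
    line do not match the pattern and are skipped rather than guessed at."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            flows.append(Flow(m["proto"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"])))
    return flows


@dataclass(frozen=True)
class Ace:
    """One access-list entry with 'any' on both addresses (hypothetical
    simplified model; only the 'eq' port operators are represented).
    None means no port restriction on that side."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip"
    sport: Optional[int] = None  # 'eq N' written after the source address
    dport: Optional[int] = None  # 'eq N' written after the destination address

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if self.sport is not None and self.sport != f.sport:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return True


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action
    return "deny"


# What the posted entries do: 'eq' follows the destination address, so only
# packets going TO 179 / 2065 are permitted.
ORIGINAL_ACL = [
    Ace("permit", "tcp", dport=179),   # access-list 120 permit tcp any any eq bgp
    Ace("permit", "tcp", dport=2065),  # access-list 120 permit tcp any any eq 2065
]

# Reworded: also permit the return half, whose SOURCE port is 179 / 2065 and
# whose destination port is whatever ephemeral port R4 chose (11001, ...).
FIXED_ACL = ORIGINAL_ACL + [
    Ace("permit", "tcp", sport=179),   # access-list 120 permit tcp any eq bgp any
    Ace("permit", "tcp", sport=2065),  # access-list 120 permit tcp any eq 2065 any
]


def missing_source_port_entries(flows: List[Flow], acl: List[Ace]) -> Set[Tuple[str, int]]:
    """For every flow the ACL denies, report (proto, source port): the ports a
    'permit <proto> any eq <port> any' entry would have to cover."""
    return {(f.proto, f.sport) for f in flows if evaluate(acl, f) == "deny"}


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for f in flows:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}  "
              f"original={evaluate(ORIGINAL_ACL, f)}  fixed={evaluate(FIXED_ACL, f)}")
    print("source ports the original ACL never permits:",
          missing_source_port_entries(flows, ORIGINAL_ACL))
```

Running it shows every logged packet denied by the original entries and permitted by the reworded ones, and reports {2065, 179} as the source ports that need a `permit tcp any eq <port> any` line; the BGP denial in the same log (179 -> 11002) is the same directional mistake as the DLSw+ one. The `established` keyword, which ACL 120 already uses for one address pair, is the other way to pass the return half of a TCP session: it matches packets with ACK or RST set regardless of port, which is broader than matching on the source port and so lets more through.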
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:38 GMT-3