RE: DLSW netbios filter from beda

From: Volkov, Dmitry (Toronto - BCE) (dmitry_volkov@ca.ml.com)
Date: Fri Sep 13 2002 - 15:31:26 GMT-3


> -----Original Message-----
> From: beda jain [mailto:bpjain@cisco.com]
> Sent: Friday, September 13, 2002 2:07 PM
> To: Volkov, Dmitry (Toronto - BCE); 'beda jain'; 'Guoqi Cui'
> Cc: ccielab@groupstudy.com
> Subject: RE: DLSW netbios filter from beda
>
>
> Hi,
>
> If you are not allowed to configure the central router, how will you
> do that?

Sorry,

I don't understand what You are asking:

central_host---central_router-----wan---other_router--other_host

On the central router, using host-netbios-out, You can specify where the
central_host(s) can connect to.

or using:
dlsw icanreach mac-exclusive
dlsw icanreach mac-address aaaa.bbbb.cccc mask ffff.ffff.ffff
dlsw icanreach mac-address cccc.dddd.eeee mask ffff.ffff.ffff

You can tell the other remote routers: "Hey, I can reach only
particular mac addresses: aaaa.bbbb.cccc and cccc.dddd.eeee !"

And the remote will not be able to connect to the central for the other MACs.

Only packets destined to the MAC addresses previously defined are allowed.

If You add "remote" to "dlsw icanreach mac-exclusive", the other hosts at the
central location (with different MAC addresses) can make outgoing connections.

Dmitry

>
> Thanks,
> Beda
> At 12:54 PM 9/13/2002 -0400, Volkov, Dmitry (Toronto - BCE) wrote:
> >Beda,
> >
> >About this: How can we allow only a particular local host to access the
> >remote WAN link?
> >
> >http://www.cisco.com/warp/public/697/dlswfilter.shtml#macfilter2
> >With the dlsw icanreach mac-exclusive command configured at the central
> >router, you ensure that only packets destined to the MAC addresses
> >previously defined (in this case 4000.3745.0000) are allowed at the central
> >location.
> >
> >Note that this filtering information is exchanged between all the DLSw+
> >peers using CapExId messages. You save WAN bandwidth by configuring the
> >filtering information at the central location, even though the actions (such
> >as blocking frames) occur at the remote routers themselves.
> >
> >So, devices that are not specified in "icanreach" will not be allowed to
> >make outgoing connections.
> >
> >There is another useful feature:
> >
> >http://www.cisco.com/warp/public/697/dlswfilter.shtml#macfilter4
> >
> >dlsw icanreach mac-exclusive remote
> >dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
> >
> >With the remote keyword we allow other devices at the central router (THAT
> >ARE NOT specified in the dlsw icanreach mac-address command) to make
> >outgoing connections.
> >
> >
> >Dmitry
> >
> >-----Original Message-----
> >From: beda jain [mailto:bpjain@cisco.com]
> >Sent: Friday, September 13, 2002 10:22 AM
> >To: Volkov, Dmitry (Toronto - BCE); 'Guoqi Cui'
> >Cc: ccielab@groupstudy.com
> >Subject: RE: DLSW netbios filter from beda
> >
> >
> >Hi,
> >
> >I also understand it the same way you understand, but after reading this
> >link I got confused.
> >
> >Could somebody clarify this? How can we allow only a particular local host
> >to access the remote WAN link?
> >
> >Thanks,
> >Beda
> >
> >http://www.cisco.com/warp/public/cc/pd/ibsw/ibdlsw/tech/dls4_rg.htm
> >
> >Figure 4-2 shows the configuration required to allow any NetBIOS host with a
> >name starting with "sales" to access the WAN, but not allow any other
> >servers (for example, Engserv01 or Acctserv02) to access the WAN. This can
> >be done for security reasons or to limit the traffic across the WAN link. By
> >applying the access lists to the remote peers instead of the local
> >interfaces, you allow traffic to be locally bridged.
> >
> >Figure 4-2: Using Filtering to Limit the Broadcasts and Network Access of
> >Individual NetBIOS Servers
> >
> >At 06:02 PM 9/12/2002 -0400, Volkov, Dmitry (Toronto - BCE) wrote:
> >
> >
> >Here is how I understand this:
> >
> >1) dlsw remote-peer 0 tcp 172.17.59.137 host-netbios-out CISCO
> >permits sending NetBIOS traffic from 172.17.59.69 to host CISCO through peer
> >172.17.59.137
> >
> >2) dlsw icanreach netbios-name CISCO
> >tells all peers connected to this peer 172.17.59.69 that this local peer
> >can reach host CISCO, i.e. remote peers peering with this peer won't send
> >explorers to find where they can send traffic to CISCO, but will send
> >traffic towards 172.17.59.69 destined to CISCO. Other peers will know
> >that CISCO is reachable via 172.17.59.69.
> >
> >Please correct me if I'm wrong
> >
> >Dmitry
> >
> >
> > > -----Original Message-----
> > > From: Guoqi Cui [mailto:guoqicui@yahoo.com]
> > > Sent: Thursday, September 12, 2002 5:14 PM
> > > To: ccielab@groupstudy.com
> > > Subject: DLSW netbios filter
> > >
> > >
> > > Hi, Group:
> > >
> > > I am configuring a DLSW NetBIOS filter and have a problem with the
> > > operation.
> > >
> > > R6-----------------R2
> > >
> > > in R6:
> > >
> > > netbios access-list host CISCO permit CISCO
> > >
> > > dlsw local-peer peer-id 172.17.59.69 promiscuous
> > > dlsw remote-peer 0 tcp 172.17.59.137 host-netbios-out CISCO
> > > dlsw remote-peer 0 tcp 172.17.59.138 backup-peer 172.17.59.137 linger 8
> > > dlsw icanreach netbios-exclusive
> > > dlsw icanreach netbios-name ABC
> > > dlsw icanreach netbios-name CISCO
> > > dlsw icanreach netbios-name CISCOA
> > > dlsw icanreach netbios-name ACISCOA
> > > dlsw bridge-group 1
> > >
> > > in R2
> > > source-bridge ring-group 1000
> > > dlsw local-peer peer-id 172.17.59.137 promiscuous
> > > dlsw bridge-group 1
> > >
> > > I want to see only CISCO in R2, but somehow I can see all of them.
> > >
> > > r2#sh dlsw reachability
> > > DLSw Local MAC address reachability cache list
> > > Mac Addr        status     Loc.    port                 rif
> > > 0008.de81.990e  FOUND      LOCAL   TBridge-001          --no rif--
> > >
> > > DLSw Remote MAC address reachability cache list
> > > Mac Addr        status     Loc.    peer
> > > 0006.907f.fba0  FOUND      REMOTE  172.17.59.69(2065)
> > >
> > > DLSw Local NetBIOS Name reachability cache list
> > > NetBIOS Name    status     Loc.    port                 rif
> > >
> > > DLSw Remote NetBIOS Name reachability cache list
> > > NetBIOS Name    status     Loc.    peer
> > > ABC             UNCONFIRM  REMOTE  172.17.59.69(2065)
> > > ACISCOA         UNCONFIRM  REMOTE  172.17.59.69(2065)
> > > CISCO           UNCONFIRM  REMOTE  172.17.59.69(2065)
> > > CISCOA          UNCONFIRM  REMOTE  172.17.59.69(2065)
> > >
> > >
> > > What is wrong with my configuration?
> > >
> > > Thanks,
> > >
> > > Guoqi
> > >
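Added illustration for the thread above (editor's example, not code from any of the posters, from Cisco IOS or from a real DLSw+ implementation): a small model of the "dlsw icanreach" advertisement rules as the thread describes them, so the mac-exclusive / netbios-exclusive / remote behaviour can be checked against the configs posted. The function names are assumptions, as is treating a trailing "*" in a NetBIOS name as a wildcard; the MAC addresses, names and config lines used are the ones that appear in the thread.

```python
"""Model of the DLSw+ 'icanreach' rules discussed in this thread.

Added illustration, not code from the thread, Cisco IOS or any DLSw stack.
It encodes what the thread describes: '-exclusive' tells remote peers that
ONLY the listed MACs / NetBIOS names are reachable here (sent in CapExId,
enforced by the remote peer), and 'remote' lets unlisted hosts behind the
central router still open outgoing circuits. Function names and the trailing
'*' NetBIOS wildcard are my assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_mac(text: str) -> int:
    """Parse a Cisco dotted-hex MAC ('aaaa.bbbb.cccc') into a 48-bit int."""
    parts = text.lower().split(".")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"bad MAC address: {text!r}")
    return int("".join(parts), 16)


def netbios_name_matches(pattern: str, name: str) -> bool:
    """Case-insensitive NetBIOS name match; a trailing '*' matches any suffix."""
    pattern, name = pattern.upper(), name.upper()
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name


@dataclass
class IcanreachCaps:
    """What one DLSw+ peer advertises to its partners in CapExId."""
    mac_exclusive: bool = False
    netbios_exclusive: bool = False
    remote: bool = False                       # '... -exclusive remote'
    macs: List[Tuple[int, int]] = field(default_factory=list)  # (addr, mask)
    netbios_names: List[str] = field(default_factory=list)

    def reaches_mac(self, dst: str) -> bool:
        d = parse_mac(dst)
        return any((d & mask) == (mac & mask) for mac, mask in self.macs)

    def reaches_netbios(self, name: str) -> bool:
        return any(netbios_name_matches(p, name) for p in self.netbios_names)


def parse_icanreach_config(lines) -> IcanreachCaps:
    """Collect the advertisement from 'dlsw icanreach ...' config lines."""
    # remote-peer statements (incl. host-netbios-out), netbios access-lists and
    # bridge-groups are local filters, not advertisements, so they are skipped.
    caps = IcanreachCaps()
    for line in lines:
        toks = line.split()
        if toks[:2] != ["dlsw", "icanreach"] or len(toks) < 3:
            continue
        kind = toks[2]
        if kind == "mac-exclusive":
            caps.mac_exclusive = True
            caps.remote = caps.remote or "remote" in toks[3:]
        elif kind == "netbios-exclusive":
            caps.netbios_exclusive = True
            caps.remote = caps.remote or "remote" in toks[3:]
        elif kind == "mac-address" and len(toks) >= 4:
            mask = toks[toks.index("mask") + 1] if "mask" in toks else "ffff.ffff.ffff"
            caps.macs.append((parse_mac(toks[3]), parse_mac(mask)))
        elif kind == "netbios-name" and len(toks) >= 4:
            caps.netbios_names.append(toks[3])
    return caps


def remote_forwards_mac(caps: IcanreachCaps, dst_mac: str) -> bool:
    """At a REMOTE peer: may a frame for dst_mac go toward the central peer?"""
    return caps.reaches_mac(dst_mac) if caps.mac_exclusive else True


def remote_forwards_netbios(caps: IcanreachCaps, name: str) -> bool:
    """At a REMOTE peer: may a NetBIOS frame for 'name' go toward the central peer?"""
    return caps.reaches_netbios(name) if caps.netbios_exclusive else True


def central_host_may_initiate(caps: IcanreachCaps, src_mac: str,
                              src_name: Optional[str] = None) -> bool:
    """May a host behind the CENTRAL router open an outgoing circuit?"""
    # Without 'remote' an exclusive advertisement also pins the central side to
    # the listed hosts; with 'remote' unlisted central hosts may still initiate.
    if caps.remote:
        return True
    if caps.mac_exclusive and not caps.reaches_mac(src_mac):
        return False
    if caps.netbios_exclusive and src_name and not caps.reaches_netbios(src_name):
        return False
    return True


if __name__ == "__main__":
    # Central-router config from the thread; 0006.907f.fba0 is the MAC that R2
    # learned as REMOTE in its reachability cache.
    central = parse_icanreach_config([
        "dlsw icanreach mac-exclusive",
        "dlsw icanreach mac-address aaaa.bbbb.cccc mask ffff.ffff.ffff",
        "dlsw icanreach mac-address cccc.dddd.eeee mask ffff.ffff.ffff",
    ])
    for mac in ("aaaa.bbbb.cccc", "0006.907f.fba0"):
        print(mac, "forwarded by remote peer:", remote_forwards_mac(central, mac),
              "| may initiate from central:", central_host_may_initiate(central, mac))
```

Fed R6's configuration from the bottom of the thread, parse_icanreach_config returns all four netbios-name entries (ABC, ACISCOA, CISCO, CISCOA) as advertised, which lines up with R2's cache listing all four as UNCONFIRM REMOTE; in this model the host-netbios-out clause on the remote-peer statement is a local send filter and has no effect on what icanreach advertises.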



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:51 GMT-3