clarification on dlsw filter and isdn ipx

From: beda jain (bpjain@cisco.com)
Date: Fri Sep 20 2002 - 01:06:08 GMT-3


Hi Dmitry,

I have two different groups configured.

r1------r2------r3------r4

r1 and r2 are in one group and r3 and r4 are in another group

r1 and r2 have fst encap and r2, r3 and r4 have tcp encap

I want to allow only sna between r1 and r4.

There is no direct peer between r1 and r4.
How will I do this?

ISDN IPX.

I put list 900 in the dialer list and I saw that broadcast traffic is uninteresting
even after the isdn link is up.
List 900 denies rip, sap and 457 and permits the rest.
But my understanding is that this list is only to bring the link up; once
it is up, the list is not checked for any traffic.
If no traffic passes through for the idle timeout period, then the
link goes down.

But in my case, even though the rip update is going through the link, the link
still went down after 120 sec.

When I configure protocol ipx permit, the link stays up for the time,
which is ok.

Is this normal in isdn with ipx?

Thanks,
Beda

  At 11:09 PM 9/19/2002 -0400, Volkov, Dmitry (Toronto - BCE) wrote:
>Craig,
>
>I was asking about using "access-expressions" for filtering NETBIOS on
>ethernet.
>You don't need usual (numbered/named) access-lists for that.
>The "expression" in this case is "netbios-host(name)",
>where "name" is the name of the "netbios access-list host".
>Like here:
>
>netbios access-list host test deny BLABLA
>netbios access-list host test permit *
>int e0
>access-expression input netbios-host(test)
>
>http://127.0.0.1:8080/cc/td/doc/product/software/ios121/121cgcr/ibm_r/brprt1/br1dsrb.htm#xtocid11211
>
>
>Dmitry
>
> > -----Original Message-----
> > From: Craig Tompkins [mailto:craig.tompkins@verizon.net]
> > Sent: Thursday, September 19, 2002 10:51 PM
> > To: 'Volkov, Dmitry (Toronto - BCE)'; ccielab@groupstudy.com
> > Subject: RE: (DLSW) NETBIOS filtering on Ethernet
> >
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > [no] access-expression {in | out} expression
> >
> > Use the access-expression interface configuration command to define
> > an access expression. Use the no form of this command to remove the
> > access expression from the given interface. You use this command in
> > conjunction with the access-list interface configuration command.
> >
> > in | out Indicates whether the access expression is applied to
> > packets entering or leaving this interface. You can specify both an
> > input and an output access expression for an interface, but only one
> > of each.
> > expression Boolean access list expression, built as explained in the
> > "Usage Guidelines" section for this command in the Router Products
> > Command Reference publication.
> >
> > [no] access-list access-list-number {permit | deny} {type-code
> > wild-mask | address mask}
> >
> > Use the access-list global configuration command to configure the
> > access list mechanism for filtering frames by protocol type or vendor
> > code. Use the no form of this command to remove the single specified
> > entry from the access list.
> >
> > As stated in the above reference, do you have a defined access list
> > to use in conjunction with it?
> >
> > Craig W. Tompkins
> > Network Engineer
> > Temecula, CA 92592
> > 760.583.6544
> >
> > "The credit belongs to the man who is actually in the arena, whose
> > face is marred by dust and sweat and blood; who strives valiantly;
> > who errs and comes short again and again, who knows the great
> > enthusiasms, the great devotions, and spends himself in a worthy
> > cause; who at best, knows the triumph of high achievement; and who,
> > at the worst, if he fails, at least fails while daring greatly, so
> > that his place shall never be with those cold and timid souls who
> > know neither victory nor defeat."
> > - -Theodore Roosevelt, "Citizen in a Republic", April 23, 1910
> >
> >
> > - -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of Volkov, Dmitry (Toronto - BCE)
> > Sent: Thursday, September 19, 2002 2:09 PM
> > To: 'ccielab@groupstudy.com'
> > Subject: (DLSW) NETBIOS filtering on Ethernet
> >
> > How to filter Netbios names on Ethernet interfaces ???
> >
> > I tried this:
> >
> > netbios access-list host test deny *
> > !
> > int e0
> > access-expression input netbios-host(test)
> > access-expression output netbios-host(test)
> >
> > I still was able to do "net view \\computer" from a PC on Ethernet to
> > the outside and from outside towards the PC running on Ethernet.
> >
> > It works on Tok ring but not on Ethernet... !!!
> > Are access-expressions valid only for SRB ? Not valid for TB ??
> >
> > We can use netbios input(output)-access-filter on Tok Ring as well,
> > NOT on Ethernet.
> > We can use "dlsw icanreach netbios-name (exclusive)" - but this
> > advertises reachability to the remote peer.
> > We can use "dlsw remote-peer 0 tcp 1.1.1.1 host-netbios-out" but this
> > configures netbios host output filtering for this peer.
> > We can use "dlsw prom-peer-defaults host-netbios-out" but this
> > configures netbios host output filtering for prom peers.
> >
> > I don't see any way to selectively filter NETBIOS traffic coming
> > through the router into ethernet; all methods are about
> > advertising of reachability or filtering outbound netbios traffic from
> > Ethernet into the router, etc.
> >
> > Any comments please
> >
> > Thanks,
> >
> > Dmitry
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
> >
> > iQA/AwUBPYqNIsBQYrtUgT/NEQIpEACdFvpZ4aZ5hxysGwAQ07XMa0raLeAAoLx8
> > P3I21daPzb7PwZReyeqsMoSI
> > =w4HR
> > -----END PGP SIGNATURE-----



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:57 GMT-3