Re: netbios filter on DLSW - am I missing something? posted 01/20/2001


I tried both. JCONNARY-W2K is off of R3 and JULIE-95 is off of R2 - but I'm going to do it again this morning with a fresh mind.

I read in Source-Route-Bridging the following caveats:
As you configure NetBIOS access filters, keep the following issues in mind:

      The access lists that apply filters to an interface are scanned in the order they are entered.

      There is no way to put a new access list entry in the middle of an access list. All new additions to existing NetBIOS access lists are placed at the end of the existing list.

      Access list arguments are case sensitive. The software makes a literal translation, so that a lowercase "a" is different from an uppercase "A." (Most nodes are named in uppercase letters.)

      A host NetBIOS access list and byte NetBIOS access list can each use the same name. The two lists are identified as unique and bear no relationship to each

      The station names included in the access lists are compared with the source name field for NetBIOS commands 00 and 01 (ADD_GROUP_NAME_QUERY and ADD_NAME_QUERY), as well as the destination name field for NetBIOS commands 08, 0A, and 0E

      If an access list does not contain a particular station name, the default action is to deny the access to that station.

To minimize any performance degradation, NetBIOS access filters do not examine all packets. Rather, they examine certain packets that are used to establish and maintain NetBIOS client/server connections, thereby effectively stopping new access and load across the router. However, applying a new access filter does not terminate existing sessions immediately. All new sessions will be filtered, but existing sessions could continue for some time.

So I disabled DLSW, made sure the connections were gone, re-enabled and still a connection.
I guess I have to figure out whether my list should filter on the source or destination. In examples - they usually put in the source, but when jconnary-w2k goes to talk to julie-95 - it sends out a name_query - right. So then it should be the destination.

Well, I'm going to try one more time and move on to multicasting.


At 02:23 PM 1/19/2001 -0800, you wrote:
>If I've read your scenario right, the netbios access-list on R3 should 
>deny JULIE-95.
>or put the existing one on R2.
> >>> "Connary, Julie Ann" <jconnary@xxxxxxxxx> 01/19 2:05 PM >>>
>Hi All,
>I went back and read all the messages on netbios filtering and it still
>doesn't work as I expected, can
>someone point out my problem? I think I'm just missing something really
>simple here.
>I have a simple network:
>--------netbeui pc-on Ethernet---r2------ip network-----r3----ethernet - netbeui pc
>           netbios name julie-95
>So I wanted to prevent jconnary-w2k on R3's ethernet from establishing a
>circuit with julie-95 on R2's ethernet.
>First I filtered sap f0f0, worked great.
>Then I tried netbios name filtering.
>On R3 I set up a netbios access-list and applied it to the remote-peer
>statement for R2.
>netbios access-list host selab deny JCONNARY-W2K
>netbios access-list host selab permit *
>enable password cisco
>username r5 password 0 julie
>ip subnet-zero
>no ip domain-lookup
>isdn switch-type basic-ni
>sap-priority-list 1 medium dmac 0001.38ac.1f00
>source-bridge ring-group 30
>dlsw local-peer peer-id
>dlsw remote-peer 0 tcp priority host-netbios-out selab
>dlsw duplicate-path-bias load-balance
>dlsw timer explorer-wait-time 10
>But I still get a connection. I looked at debug and I can watch the
>connection be set up - but why? I even tried lower and upper case
>on my access-list with the same results. I then read manuals and looked in
>emails and they all say to do it this way - that this would filter the
>request from jconnary-w2k going to julie-95 and would
>filter any return traffic if julie-95 tried to establish the connection.
>Or have I got that wrong?
>Julie Ann
>                                          Julie Ann Connary
>            |           |                  Network Consulting Engineer
>           |||         |||                  Federal Support Program
>         .|||||.     .|||||.                 13635 Dulles Technology Drive,
>Herndon VA 20171
>       .:|||||||||:.:|||||||||:.                Pager: 1-888-642-0551
>      c i s c o S y s t e m s     Email: jconnary@xxxxxxxxx
>To unsubscribe from the CCIELAB list, send a message to
>majordomo@xxxxxxxxxxxxxx with the body containing:
>unsubscribe ccielab

                                         Julie Ann Connary
           |           |                  Network Consulting Engineer
          |||         |||                  Federal Support Program
        .|||||.     .|||||.                 13635 Dulles Technology Drive, 
Herndon VA 20171
      .:|||||||||:.:|||||||||:.                 Pager: 1-888-642-0551
     c i s c o S y s t e m s     Email: jconnary@xxxxxxxxx
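
The filtering rules quoted in the message (ordered scan, literal case-sensitive match, default deny, and which name field each command is checked against), modeled as an added Python example that is not part of the original message and is not Cisco IOS code. The frame dictionaries and function names are hypothetical, the frames are constructed, and only a trailing "*" wildcard is modeled.

```python
# Added illustration: models the NetBIOS host access-list rules quoted in the thread.
# Frame layout and function names are hypothetical; only a trailing "*" is modeled.

SOURCE_NAME_CMDS = {0x00, 0x01}        # filter compares the source name field
DEST_NAME_CMDS = {0x08, 0x0A, 0x0E}    # filter compares the destination name field


def pattern_matches(pattern, name):
    """Literal, case-sensitive comparison; a trailing '*' matches any remainder."""
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name


def evaluate(acl, frame):
    """Return 'permit', 'deny' or 'not-examined' for one NetBIOS frame."""
    cmd = frame["cmd"]
    if cmd in SOURCE_NAME_CMDS:
        name = frame["src"]
    elif cmd in DEST_NAME_CMDS:
        name = frame["dst"]
    else:
        return "not-examined"          # other frames bypass the filter
    for action, pattern in acl:        # scanned in the order entered
        if pattern_matches(pattern, name):
            return action
    return "deny"                      # no entry matched: default deny


# The list from the thread, and a variant keyed on the destination name.
SELAB = [("deny", "JCONNARY-W2K"), ("permit", "*")]
BY_DEST = [("deny", "JULIE-95"), ("permit", "*")]

# Constructed frames: a name registration (01) and a name query (0A) for JULIE-95.
ADD_NAME = {"cmd": 0x01, "src": "JCONNARY-W2K", "dst": ""}
NAME_QUERY = {"cmd": 0x0A, "src": "JCONNARY-W2K", "dst": "JULIE-95"}


def demo():
    return {
        "selab/add_name": evaluate(SELAB, ADD_NAME),
        "selab/name_query": evaluate(SELAB, NAME_QUERY),
        "by_dest/name_query": evaluate(BY_DEST, NAME_QUERY),
        "lowercase entry": evaluate([("deny", "julie-95"), ("permit", "*")], NAME_QUERY),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Under these rules a list keyed on JCONNARY-W2K only matches frames where that name is the field being compared, so the 0A query for JULIE-95 falls through to `permit *`.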
