IBM Technologies: Data-Link Switching (DLSw) and Data-Link Switching Plus (DLSw+)

DLSw+ SAP/MAC Filtering Techniques

August 28, 2015 - Machine translated



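Introduction

This document provides sample configurations for Data-Link Switching Plus (DLSw+) service access point (SAP) and MAC filtering techniques.

Filtering can be used to improve the scalability of a DLSw+ network. For example, you can use filtering to:

  • Reduce traffic across WAN links (especially important on very low-speed links and in environments with NetBIOS).

  • Enhance the security of the network by controlling access to certain devices.

  • Improve the CPU performance and scalability of the data-center DLSw+ routers.

DLSw+ provides several options that you can use to perform filtering. Filtering can be done on MAC addresses, SAPs, or NetBIOS names.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Configure for DLSw+ SAP Filtering Techniques

This section presents the information needed to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Using the network topology shown in the Network Diagram section, the requirement is to stop all NetBIOS traffic at the remote locations from reaching the central router (São Paulo). DLSw+ provides several options to accomplish this, which are analyzed in the following sections.

Note: NetBIOS traffic uses SAP values 0xF0 (commands) and 0xF1 (responses). Typically, network administrators use these SAP values to filter (permit or deny) this protocol.

Note: NetBIOS clients use the NetBIOS functional MAC address (C000.0000.0080) as the destination MAC (DMAC) in their NetBIOS name query packets. As mentioned earlier, all frames have a SAP value of 0xF0 or 0xF1.

For this test, the PC CCSpcC is configured to connect to the MAC address of the FEP using SAP 0xF0. In effect, this traffic looks the same as NetBIOS, at least from the SAP perspective. Therefore, when this traffic arrives, you can observe the corresponding debugs on the DLSw+ routers.

Network Diagram

This section uses the network setup shown in this diagram.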

[Network diagram: /image/gif/paws/12356/dlswfilter1.gif]

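In the network diagram, the data-center router (São Paulo) is shown with one connection to the mainframe. This router accepts multiple DLSw+ peer connections from all the remote branches. Each remote branch has Systems Network Architecture (SNA) and NetBIOS clients. There are no NetBIOS servers in the data center that need to be accessed from the remote offices.

For simplicity, configuration details are shown for only one remote office (Caracas). The network diagram also shows the MAC address values of the front-end processor (FEP) and of the remote PC called CCSpcC. The MAC addresses are shown in both canonical (Ethernet) and non-canonical (Token Ring) formats.

Configure an LSAP Output Access Control List at the Remote Offices

With this method, all remote offices must be configured with the lsap-output-list option. No other configuration changes are required at the central router.

The lsap-output-list is linked to a SAP access control list (SAP ACL) that permits only SNA SAPs (for example, 0x00, 0x04, 0x08, and so on) to go to the central router and denies everything else. Refer to Understanding Service Access Point Access Control Lists for more information on how to perform filtering based on SAPs.

Caracas (first configuration) / São Paulo (second configuration)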
Current configuration:
!
hostname CARACAS 
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1 lsap-output-list 200
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!         
access-list 200 permit 0x0000 0x0D0D
access-list 200 deny   0x0000 0xFFFF
!
bridge 1 protocol ieee
!
end
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end

The debug dlsw command is used to see how the Caracas router reacts when it receives NetBIOS traffic.

CARACAS#debug dlsw    
 DLSw reachability debugging is on at event level for all protocol traffic
 DLSw peer debugging is on
 DLSw local circuit debugging is on
 DLSw core message debugging is on
 DLSw core state debugging is on
 DLSw core flow control debugging is on
 DLSw core xid debugging is on

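If the remote office router (Caracas) has no reachability information for 4000.3745.0000 and it receives an explorer that looks for that MAC address and uses one of the "forbidden" SAPs, the request is blocked.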

CARACAS#
 *Mar  1 01:02:16.387: DLSW Received-ctlQ : CLSI Msg : TEST_STN.Ind   dlen: 40 
 *Mar  1 01:02:16.387: CSM: Received CLSI Msg : TEST_STN.Ind   dlen: 40 from DLSw Port0
 *Mar  1 01:02:16.387: CSM:  smac 0000.8888.0000, dmac 4000.3745.0000, ssap F0, dsap 0 
 *Mar  1 01:02:16.387: DLSw: dsap(0) ssap(F0) filtered to peer 1.1.1.1(2065)
 *Mar  1 01:02:16.387: DLSw: frame output access list filtered to peer 1.1.1.1(2065)
 *Mar  1 01:02:16.387: CSM: Write to peer 1.1.1.1(2065) not ok - PEER_FILTERED 

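Consider the case in which the remote office router (Caracas) already has reachability information for 4000.3745.0000. For example, another station (using a permitted SAP) has already asked for the FEP MAC address. In this case, the "offending" PC (CCSpcC) sends its null XID, but the router stops it.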

CARACAS#
 *Mar  1 01:03:24.439: DLSW Received-ctlQ : CLSI Msg : ID_STN.Ind   dlen: 46 
 *Mar  1 01:03:24.439: CSM: Received CLSI Msg : ID_STN.Ind   dlen: 46 from DLSw Port0
 *Mar  1 01:03:24.443: CSM:  smac 0000.8888.0000, dmac 4000.3745.0000, ssap F0, dsap F0 
 *Mar  1 01:03:24.443: DLSw: new_ckt_from_clsi(): DLSw Port0 0000.8888.0000:F0->4000.3745.0000:F0
 *Mar  1 01:03:24.443: DLSw: START-TPFSM (peer 1.1.1.1(2065)): event:CORE-ADD CIRCUIT state:CONNECT
 *Mar  1 01:03:24.443: DLSw: dtp_action_u(), peer add circuit for peer 1.1.1.1(2065)
 *Mar  1 01:03:24.443: DLSw: END-TPFSM (peer 1.1.1.1(2065)): state:CONNECT->CONNECT
 *Mar  1 01:03:24.443: DLSw: START-FSM (872415295): event:DLC-Id state:DISCONNECTED
 *Mar  1 01:03:24.443: DLSw: core: dlsw_action_a()
 *Mar  1 01:03:24.447: DISP Sent : CLSI Msg : REQ_OPNSTN.Req   dlen: 116 
 *Mar  1 01:03:24.447: DLSw: END-FSM (872415295): state:DISCONNECTED->LOCAL_RESOLVE
 *Mar  1 01:03:24.447: DLSW Received-ctlQ : CLSI Msg : REQ_OPNSTN.Cfm CLS_OK dlen: 116 
 *Mar  1 01:03:24.447: DLSw: START-FSM (872415295): event:DLC-ReqOpnStn.Cnf state:LOCAL_RESOLVE
 *Mar  1 01:03:24.447: DLSw: core: dlsw_action_b()
 *Mar  1 01:03:24.447: CORE: Setting lf : bits 8 : size 1500
 *Mar  1 01:03:24.451: DLSw: dsap(F0) ssap(F0) filtered to peer 1.1.1.1(2065)
 *Mar  1 01:03:24.451: DLSw: frame output access list filtered to peer 1.1.1.1(2065)
 *Mar  1 01:03:24.451: DLSw: peer 1.1.1.1(2065) unreachable - reason code 1
 *Mar  1 01:03:24.451: DLSw: END-FSM (872415295): state:LOCAL_RESOLVE->CKT_START
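
The two "frame output access list filtered" results above follow directly from how access-list 200 is matched. The sketch below is an added example, not part of the original Cisco document: it evaluates the page's two ACL lines against DSAP/SSAP pairs, first match wins. The function names are hypothetical, and it assumes the 16-bit type code carries the DSAP in the high byte and the SSAP in the low byte, with wildcard-mask bits set to 1 meaning "ignore this bit".

```python
import re

# access-list 200 lines copied from the CARACAS configuration on this page.
CARACAS_ACL = """\
access-list 200 permit 0x0000 0x0D0D
access-list 200 deny   0x0000 0xFFFF
"""

ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(0x[0-9A-Fa-f]{1,4})\s+(0x[0-9A-Fa-f]{1,4})$"
)


def parse_acl(text, number):
    """Return [(action, type_code, wildcard_mask), ...] for one ACL number."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and int(m.group(1)) == number:
            entries.append((m.group(2), int(m.group(3), 16), int(m.group(4), 16)))
    return entries


def evaluate(entries, dsap, ssap):
    """Return 'permit' or 'deny' for a frame with the given DSAP and SSAP."""
    # Assumption: type code = DSAP in the high byte, SSAP in the low byte.
    code = ((dsap & 0xFF) << 8) | (ssap & 0xFF)
    for action, value, wildcard in entries:
        care = ~wildcard & 0xFFFF  # only bits NOT set in the wildcard are compared
        if (code & care) == (value & care):
            return action
    return "deny"  # nothing matched: implicit deny at the end of the list


def permitted_saps(entries):
    """SAP values that pass when used as both DSAP and SSAP."""
    return [sap for sap in range(256) if evaluate(entries, sap, sap) == "permit"]


if __name__ == "__main__":
    acl = parse_acl(CARACAS_ACL, 200)
    # The two frames from the debug output above (ssap F0 with dsap 0, then dsap F0).
    for dsap, ssap in [(0x00, 0xF0), (0xF0, 0xF0), (0x00, 0x04), (0x04, 0x04)]:
        print(f"dsap {dsap:02X} ssap {ssap:02X}: {evaluate(acl, dsap, ssap)}")
    print("permitted SAPs:", [f"0x{s:02X}" for s in permitted_saps(acl)])
```

The wildcard 0x0D0D leaves bits 0x01, 0x04 and 0x08 free in each byte, so the permit line covers the SNA SAPs 0x00, 0x04, 0x08 and 0x0C together with their response (low bit set) forms, and everything else, including 0xF0/0xF1, falls through to the deny line.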

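Configure dlsw icannotreach saps at the Central Router

The dlsw icannotreach saps command lets you filter the protocols that you know must not be sent. If you know only what must be explicitly denied, use the dlsw icannotreach saps command at the central router, as these configurations show.

Caracas (first configuration) / São Paulo (second configuration)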
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
bridge 1 protocol ieee
!
end
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icannotreach sap F0
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end

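You can configure the central router on the fly (to include the dlsw icannotreach saps command), even when the remote peers are already up. This output shows the debug on one of the remote routers and indicates receipt of a CapExId message. This message tells the remote office not to send any frames with SAP 0xF0/F1 to the central router.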

CARACAS#debug dlsw peers
 DLSw peer debugging is on

 *Mar  1 18:30:30.388: DLSw: START-TPFSM (peer 1.1.1.1(2065)): event:SSP-CAP MSG RCVD state:CONNECT
 *Mar  1 18:30:30.388: DLSw: dtp_action_p() runtime cap rcvd for peer 1.1.1.1(2065)
 *Mar  1 18:30:30.392: DLSw: Recv CapExId Msg from peer 1.1.1.1(2065)
 *Mar  1 18:30:30.392: DLSw: received fhpr capex from peer 1.1.1.1(2065): support: false, fst-prio: false
 *Mar  1 18:30:30.392: DLSw: Pos CapExResp sent to peer 1.1.1.1(2065)
 *Mar  1 18:30:30.392: DLSw: END-TPFSM (peer 1.1.1.1(2065)): state:CONNECT->CONNECT

After the CapExId message is received, the Caracas router learns that São Paulo does not support SAP 0xF0.

CARACAS#show dlsw capabilities 
 DLSw: Capabilities for peer 1.1.1.1(2065)
   vendor id (OUI)          : '00C' (cisco)
   version number           : 2
   release number           : 0
   init pacing window       : 20
   unsupported saps  : F0
   num of tcp sessions      : 1
   loop prevent support     : no
   icanreach mac-exclusive  : no
   icanreach netbios-excl.  : no
   reachable mac addresses  : none
   reachable netbios names  : none
   V2 multicast capable     : yes
   DLSw multicast address   : none
   cisco version number     : 1
   peer group number        : 0
   peer cluster support     : no
   border peer capable      : no
   peer cost                : 3
   biu-segment configured   : no
   UDP Unicast support      : yes
   Fast-switched HPR supp   : no
   NetBIOS Namecache length : 15
   local-ack configured     : yes
   priority configured      : no
   cisco RSVP support       : no
   configured ip address    : 1.1.1.1        
   peer type                : conf
   version string           : 
 Cisco Internetwork Operating System Software 
 IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T,  RELEASE SOFTWARE (fc2)
 Copyright (c) 1986-1999 by cisco Systems, Inc.

The show command output shown here, taken at the central router, reflects the configuration change: SAP 0xF0 is listed as unsupported.

SAOPAULO#show dlsw capabilities local
 DLSw: Capabilities for local peer 1.1.1.1
   vendor id (OUI)          : '00C' (cisco)
   version number           : 2
   release number           : 0
   init pacing window       : 20
   unsupported saps  : F0 
   num of tcp sessions      : 1
   loop prevent support     : no
   icanreach mac-exclusive  : no
   icanreach netbios-excl.  : no
   reachable mac addresses  : none
   reachable netbios names  : none
   V2 multicast capable     : yes
   DLSw multicast address   : none
   cisco version number     : 1
   peer group number        : 0
   peer cluster support     : yes
   border peer capable      : no
   peer cost                : 3
   biu-segment configured   : no
   UDP Unicast support      : yes
   Fast-switched HPR supp.  : no
   NetBIOS Namecache length : 15
   cisco RSVP support       : no
   current border peer      : none
   version string           : 
 Cisco Internetwork Operating System Software 
 IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T,  RELEASE SOFTWARE (fc2)
 Copyright (c) 1986-1999 by cisco Systems, Inc.

This is the debug output from the Caracas router when the NetBIOS PC station attempts to connect:

CARACAS#debug dlsw peers
 DLSw peer debugging is on

 *Mar  1 18:40:27.575: DLSw: new_ckt_from_clsi(): DLSw Port0 0000.8888.0000:F0->4000.3745.0000:F0
 *Mar  1 18:40:27.575: DLSw: START-TPFSM (peer 1.1.1.1(2065)): event:CORE-ADD CIRCUIT state:CONNECT
 *Mar  1 18:40:27.579: DLSw: dtp_action_u(), peer add circuit for peer 1.1.1.1(2065)
 *Mar  1 18:40:27.579: DLSw: END-TPFSM (peer 1.1.1.1(2065)): state:CONNECT->CONNECT
 *Mar  1 18:40:27.579: DLSw: START-FSM (1409286242): event:DLC-Id state:DISCONNECTED
 *Mar  1 18:40:27.579: DLSw: core: dlsw_action_a()
 *Mar  1 18:40:27.579: DISP Sent : CLSI Msg : REQ_OPNSTN.Req   dlen: 116 
 *Mar  1 18:40:27.579: DLSw: END-FSM (1409286242): state:DISCONNECTED->LOCAL_RESOLVE
 *Mar  1 18:40:27.583: DLSW Received-ctlQ : CLSI Msg : REQ_OPNSTN.Cfm CLS_OK dlen: 116 
 *Mar  1 18:40:27.583: DLSw: START-FSM (1409286242): event:DLC-ReqOpnStn.Cnf state:LOCAL_RESOLVE
 *Mar  1 18:40:27.583: DLSw: core: dlsw_action_b()
 *Mar  1 18:40:27.583: CORE: Setting lf : bits 8 : size 1500
 *Mar  1 18:40:27.583: peer_cap_filter(): Filtered by SAP to peer 1.1.1.1(2065), s: F0 d:F0
 *Mar  1 18:40:27.583: DLSw: frame cap filtered (1) to peer 1.1.1.1(2065)
 *Mar  1 18:40:27.583: DLSw: peer 1.1.1.1(2065) unreachable - reason code 1

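Configure dlsw icanreach saps at the Central Router

The dlsw icanreach saps command is useful when you know exactly what type of traffic is permitted and you want to make sure that all other traffic is denied. For example, when you configure dlsw icanreach saps 4, you explicitly deny all SAPs except 0x04 (and 0x05, the response).

Caracas (first configuration) / São Paulo (second configuration)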
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
bridge 1 protocol ieee
!
end
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icanreach sap 0 4
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end

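Note in this show command output that the Caracas router recognizes that São Paulo supports only frames destined to SAPs 0x04 and 0x05. All other SAPs are unsupported.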

CARACAS#show dlsw capabilities 
 DLSw: Capabilities for peer 1.1.1.1(2065)
   vendor id (OUI)          : '00C' (cisco)
   version number           : 2
   release number           : 0
   init pacing window       : 20
   unsupported saps  : 0 2 6 8 A C E 10 12 14 16 18 1A 1C 1E 20 22 24 26 28
  2A 2C 2E 30 32 34 36 38 3A 3C 3E 40 42 44 46 48 4A 4C 4E 50 52 54 56 58 5A 5C 5E 
  60 62 64 66 68 6A 6C 6E 70 72 74 76 78 7A 7C 7E 80 82 84 86 88 8A 8C 8E 90 92 94
  96 98 9A 9C 9E A0 A2 A4 A6 A8 AA AC AE B0 B2 B4 B6 B8 BA BC BE C0 C2 C4 C6 C8 CA
  CC CE D0 D2 D4 D6 D8 DA DC DE E0 E2 E4 E6 E8 EA EC EE F0 F2 F4 F6 F8 FA FC FE 
   num of tcp sessions      : 1
   loop prevent support     : no
   icanreach mac-exclusive  : no
   icanreach netbios-excl.  : no
   reachable mac addresses  : none
   reachable netbios names  : none
   V2 multicast capable     : yes
   DLSw multicast address   : none
   cisco version number     : 1
   peer group number        : 0
   peer cluster support     : no
   border peer capable      : no
   peer cost                : 3
   biu-segment configured   : no
   UDP Unicast support      : yes
   Fast-switched HPR supp.  : no
   NetBIOS Namecache length : 15
   local-ack configured     : yes
   priority configured      : no
   cisco RSVP support       : no
   configured ip address    : 1.1.1.1        
   peer type                : conf
   version string           : 
 Cisco Internetwork Operating System Software 
 IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T,  RELEASE SOFTWARE (fc2)
 Copyright (c) 1986-1999 by cisco Systems, Inc.

You can use the show dlsw capabilities local command to verify that the configuration change at the central router appears in the DLSw+ code.

SAOPAULO#show dlsw capabilities local 
 DLSw: Capabilities for local peer 1.1.1.1
   vendor id (OUI)          : '00C' (cisco)
   version number           : 2
   release number           : 0
   init pacing window       : 20
   unsupported saps  : 0 2 6 8 A C E 10 12 14 16 18 1A 1C 1E 20 22 24 26 28
  2A 2C 2E 30 32 34 36 38 3A 3C 3E 40 42 44 46 48 4A 4C 4E 50 52 54 56 58 5A 5C 5E
  60 62 64 66 68 6A 6C 6E 70 72 74 76 78 7A 7C 7E 80 82 84 86 88 8A 8C 8E 90 92 94
  96 98 9A 9C 9E A0 A2 A4 A6 A8 AA AC AE B0 B2 B4 B6 B8 BA BC BE C0 C2 C4 C6 C8 CA
  CC CE D0 D2 D4 D6 D8 DA DC DE E0 E2 E4 E6 E8 EA EC EE F0 F2 F4 F6 F8 FA FC FE 
   num of tcp sessions      : 1
   loop prevent support     : no
   icanreach mac-exclusive  : no
   icanreach netbios-excl.  : no
   reachable mac addresses  : none
   reachable netbios names  : none
   V2 multicast capable     : yes
   DLSw multicast address   : none
   cisco version number     : 1
   peer group number        : 0
   peer cluster support     : yes
   border peer capable      : no
   peer cost                : 3
   biu-segment configured   : no
   UDP Unicast support      : yes
   Fast-switched HPR supp.  : no
   NetBIOS Namecache length : 15
   cisco RSVP support       : no
   current border peer      : none
   version string           : 
 Cisco Internetwork Operating System Software 
 IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T,  RELEASE SOFTWARE (fc2)
 Copyright (c) 1986-1999 by cisco Systems, Inc.

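DLSw+ MAC Filtering Techniques

Using the network diagram shown in this document, make the central router accept only frames destined to the FEP MAC address (4000.3745.0000).

Configure dlsw icanreach mac-address at the Central Router

With the dlsw icanreach mac-address command, all remote offices have an entry in their DLSw+ reachability table that points the host MAC address to the IP address of the central router. This entry is in the UNCONFIRM state, which means that if the remote office router receives a local test or XID for the host, it sends a CUR_ex (Can You Reach explorer) message to the central router only.

Caracas (first configuration) / São Paulo (second configuration)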
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
bridge 1 protocol ieee
!
end
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end

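Here, the Caracas router creates a permanent entry in its reachability cache. If the entry is not fresh, the state is UNCONFIRM. Refer to the Reachability section of the DLSw+ Troubleshooting Guide for more information on how DLSw+ routers cache MAC addresses and NetBIOS names.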

CARACAS#show dlsw reachability
 DLSw Local MAC address reachability cache list
 Mac Addr         status     Loc.    port                 rif
 0000.8888.0000   FOUND      LOCAL   TBridge-001    --no rif--

 DLSw Remote MAC address reachability cache list
 Mac Addr         status     Loc.    peer
 4000.3745.0000   UNCONFIRM  REMOTE  1.1.1.1(2065)

 DLSw Local NetBIOS Name reachability cache list
 NetBIOS Name     status     Loc.    port                 rif

 DLSw Remote NetBIOS Name reachability cache list
 NetBIOS Name     status     Loc.    peer

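The output of the show dlsw capabilities command at the Caracas router confirms that this remote office knows that MAC address 4000.3745.0000 is reachable through peer 1.1.1.1. Also note the line that says "icanreach mac-exclusive : no". It indicates that the central router can reach MAC addresses other than the host. Therefore, if any of the remote offices look for other MAC addresses, they can send their requests to the central router. However, with the icanreach mac-address 4000.3745.0000 command included, all remote branches know the location of this important resource. If you want to further restrict which frames arrive at the central router, refer to Configure dlsw icanreach mac-exclusive at the Central Router.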

CARACAS#show dlsw capabilities
 DLSw: Capabilities for peer 1.1.1.1(2065)
   vendor id (OUI)          : '00C' (cisco)
   version number           : 2
   release number           : 0
   init pacing window       : 20
   unsupported saps         : none
   num of tcp sessions      : 1
   loop prevent support     : no
   icanreach mac-exclusive  : no
   icanreach netbios-excl.  : no
   reachable mac addresses  : 4000.3745.0000 <mask ffff.ffff.ffff>
   reachable netbios names  : none
   V2 multicast capable     : yes
   DLSw multicast address   : none
   cisco version number     : 1
   peer group number        : 0
   peer cluster support     : no
   border peer capable      : no
   peer cost                : 3
   biu-segment configured   : no
   UDP Unicast support      : yes
   Fast-switched HPR supp. : no
   NetBIOS Namecache length : 15
   local-ack configured     : yes
   priority configured      : no
   cisco RSVP support      : no
   configured ip address    : 1.1.1.1        
   peer type                : conf
   version string           : 
 Cisco Internetwork Operating System Software 
 IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T,  RELEASE SOFTWARE (fc2)
 Copyright (c) 1986-1999 by cisco Systems, Inc.

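You can use the mask parameter, as in dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff. When you use this parameter, note that MAC addresses are typically written in hexadecimal format (0x4000.3745.0000). Therefore an all-ones mask (in binary) is represented by the hexadecimal number 0xFFFF.FFFF.FFFF.

This is an example of how to determine whether a particular input MAC address is covered by an already configured dlsw icanreach mac-address command:

  1. Start with a router configured with the dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.0000 command.

  2. Evaluate whether the input MAC address 4000.3745.0009 is covered by the previous router configuration command.

  3. First, convert the MAC address (4000.3745.0009) and the configured mask (FFFF.FFFF.0000) from hexadecimal to binary representation. The first two rows of this table show this step.

  4. Then perform a logical AND operation between those two binary numbers, and convert the result to hexadecimal representation (4000.3745.0000). The result of this operation is shown in the third row of this table.

    MAC address   0100 0000 0000 0000  0011 0111 0100 0101  0000 0000 0000 1001   4000.3745.0009
    Mask          1111 1111 1111 1111  1111 1111 1111 1111  0000 0000 0000 0000   ffff.ffff.0000
    AND result    0100 0000 0000 0000  0011 0111 0100 0101  0000 0000 0000 0000   4000.3745.0000

  5. If the result of the AND operation matches the MAC address in the dlsw icanreach mac-address command (in our example, 4000.3745.0000), the input MAC address (4000.3745.0009) is permitted by the dlsw icanreach mac-address command. In our example, all input MAC addresses in the range 4000.3745.0000 to 4000.3745.FFFF are covered by the dlsw icanreach mac-address command. You can verify this by repeating the same steps for all MAC addresses in this range.

These are some more examples:

  • dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff: this command covers only MAC address 4000.3745.0000. No other MAC address passes this mask.

  • dlsw icanreach mac-address 4000.0000.3745 mask ffff.0000.ffff: this command covers all MAC addresses of the form 4000.xxxx.3745, where the middle field is in the range 0x0000-0xFFFF.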

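Configure dlsw icanreach mac-exclusive at the Central Router

With the dlsw icanreach mac-exclusive command configured at the central router, you ensure that only packets destined to the previously defined MAC address (4000.3745.0000 in this case) are allowed at the central location.

Note that this filtering information is exchanged between all DLSw+ peers using CapExId messages. You save WAN bandwidth by configuring the filtering information at the central location, even though the action (such as blocking frames) takes place at the remote routers.

Caracas (first configuration) / São Paulo (second configuration)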
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
bridge 1 protocol ieee
!
end
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icanreach mac-exclusive
dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end

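Observe in this output that the Caracas router knows that MAC address 4000.3745.0000 is reachable through peer 1.1.1.1. The difference between this example and the previous scenario is that here the output shows "icanreach mac-exclusive : yes", which means that the remote offices do not send frames to the central router other than those destined to 4000.3745.0000.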

CARACAS#show dlsw capabilities
 DLSw: Capabilities for peer 1.1.1.1(2065)
   vendor id (OUI)          : '00C' (cisco)
   version number           : 2
   release number           : 0
   init pacing window       : 20
   unsupported saps         : none
   num of tcp sessions      : 1
   loop prevent support     : no
   icanreach mac-exclusive  : yes
   icanreach netbios-excl.  : no
   reachable mac addresses  : 4000.3745.0000 <mask ffff.ffff.ffff> 
   reachable netbios names  : none
   V2 multicast capable     : yes
   DLSw multicast address   : none
   cisco version number     : 1
   peer group number        : 0
   peer cluster support     : no
   border peer capable      : no
   peer cost                : 3
   biu-segment configured   : no
   UDP Unicast support      : yes
   Fast-switched HPR supp.  : no
   NetBIOS Namecache length : 15
   local-ack configured     : yes
   priority configured      : no
   cisco RSVP support       : no
   configured ip address    : 1.1.1.1        
   peer type                : conf
   version string           : 
 Cisco Internetwork Operating System Software 
 IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T,  RELEASE SOFTWARE (fc2)
 Copyright (c) 1986-1999 by cisco Systems, Inc.

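The debug output here shows how the Caracas router reacts to incoming traffic destined to any MAC address other than 4000.3745.0000 (4000.3745.0080 is used here). Caracas does not send São Paulo frames that are not destined to the host (4000.3745.0000). In this case, São Paulo is the only remote peer configured at Caracas, so this router has no other peer to send the frame to.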

CARACAS#debug dlsw
 DLSw reachability debugging is on at event level for all protocol traffic
 DLSw peer debugging is on
 DLSw local circuit debugging is on
 DLSw core message debugging is on
 DLSw core state debugging is on
 DLSw core flow control debugging is on
 DLSw core xid debugging is on

 *Mar  1 22:41:33.200:  DLSW Received-ctlQ : CLSI Msg : TEST_STN.Ind   dlen: 40 
 *Mar  1 22:41:33.204: CSM: Received CLSI Msg : TEST_STN.Ind   dlen: 40 from DLSw Port0
 *Mar  1 22:41:33.204: CSM:   smac 0000.8888.0000, dmac 4000.3745.0080, ssap 4 , dsap 0 
 *Mar  1 22:41:33.204: broadcast filter failed mac check
 *Mar  1 22:41:33.204: CSM: Write to all peers not ok - PEER_NO_CONNECTIONS

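If you configure a router with the dlsw icanreach mac-exclusive command without defining any MAC address with the dlsw icanreach mac-address command, the router advertises to its peers that it cannot reach any MAC address. Therefore you lose communication through that peer.

Note: The configuration example here is shown only as an illustration. It is wrong and must not be used.

São Paulo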
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icanreach mac-exclusive
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end

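The debug output shows what happens at the Caracas router when it receives a frame destined to 4000.3745.0000. Note that Caracas has only one DLSw remote peer (São Paulo), but in the previous configuration São Paulo tells its peers that it cannot reach any MAC address.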

CARACAS#show debug                
 DLSw:
   DLSw Peer debugging is on
   DLSw RSVP debugging is on
 DLSw reachability debugging is on at verbose level for SNA traffic
   DLSw basic debugging for peer 1.1.1.1(2065) is on
 DLSw core message debugging is on
 DLSw core state debugging is on
 DLSw core flow control debugging is on
 DLSw core xid debugging is on
   DLSw Local Circuit debugging is on

 CARACAS#
 Mar  2 21:37:42.570:  DLSW Received-ctlQ : CLSI Msg : TEST_STN.Ind   dlen: 40 
 Mar  2 21:37:42.570: CSM: update local cache for mac 0000.8888.0000, DLSw Port0
 Mar  2 21:37:42.570: DLSW+: DLSw Port0 I d=4000.3745.0000-0 s=0000.8888.0000-F0 
 Mar  2 21:37:42.570: CSM: test_frame_proc: ws_status = NO_CACHE_INFO
 Mar  2 21:37:42.570: CSM: mac address NOT found in PEER reachability list
 Mar  2 21:37:42.570: broadcast filter failed mac check
 Mar  2 21:37:42.574: CSM: Write to all peers not ok - PEER_NO_CONNECTIONS
 Mar  2 21:37:42.574: CSM: csm_peer_put returned rc_ssp not OK
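
The mask comparison from the dlsw icanreach mac-address steps and the mac-exclusive behaviour seen in the debug outputs above can be checked offline before a configuration is pushed. The following is an added example, not part of the original Cisco document: the function names and result strings are hypothetical, and the comparison follows steps 3 to 5 of this page literally (AND the input MAC with the mask, compare with the configured address).

```python
import re

MAC_RE = re.compile(r"[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}")
ENTRY_RE = re.compile(r"^dlsw icanreach mac-address\s+(\S+)\s+mask\s+(\S+)$")
ALL_ONES = 0xFFFFFFFFFFFF

# Relevant lines of the three SAOPAULO variants shown on this page.
NON_EXCLUSIVE = "dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff"
EXCLUSIVE = "dlsw icanreach mac-exclusive\n" + NON_EXCLUSIVE
EXCLUSIVE_NO_MAC = "dlsw icanreach mac-exclusive"  # the page's "wrong" example


def mac_to_int(mac):
    """Parse Cisco dotted-hex notation (xxxx.xxxx.xxxx) into a 48-bit integer."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a dotted-hex MAC address: {mac!r}")
    return int(mac.replace(".", ""), 16)


def int_to_mac(value):
    digits = f"{value:012x}"
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_icanreach(config):
    """Return ([(address, mask), ...], mac_exclusive) from configuration text."""
    entries, exclusive = [], False
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("dlsw icanreach mac-exclusive"):
            exclusive = True  # also matches the "mac-exclusive remote" form
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((mac_to_int(m.group(1)), mac_to_int(m.group(2))))
    return entries, exclusive


def decision(config, dmac):
    """What a remote peer does with a frame for dmac after the CapExId exchange.

    'advertised'     - dmac is covered by an icanreach mac-address entry
    'filtered'       - not covered and mac-exclusive is set: frame is not sent
    'not-advertised' - not covered, but the peer may still be explored
    """
    entries, exclusive = parse_icanreach(config)
    mac = mac_to_int(dmac)
    # Steps 3-5 on this page: (input MAC AND mask) must equal the configured MAC.
    if any((mac & mask) == addr for addr, mask in entries):
        return "advertised"
    return "filtered" if exclusive else "not-advertised"


def covered_range(addr, mask):
    """Lowest and highest MAC covered by one entry (bounds only if the mask has gaps)."""
    a, m = mac_to_int(addr), mac_to_int(mask)
    return int_to_mac(a & m), int_to_mac((a & m) | (~m & ALL_ONES))


if __name__ == "__main__":
    for name, cfg in [("non-exclusive", NON_EXCLUSIVE), ("exclusive", EXCLUSIVE),
                      ("exclusive, no MAC", EXCLUSIVE_NO_MAC)]:
        for dmac in ("4000.3745.0000", "4000.3745.0080"):
            print(f"{name:18} {dmac}: {decision(cfg, dmac)}")
    print(covered_range("4000.3745.0000", "ffff.ffff.0000"))
```

Running it against the mac-exclusive configuration without any mac-address line returns "filtered" for every destination, including the FEP, which is the loss of communication the page warns about.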

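Configure dlsw mac-address at the Remote Routers

In this example, each remote office router is manually configured and directed to the desired central router when it looks for a specific MAC address. This reduces unnecessary traffic to the wrong peers. If the remote office has only one remote peer configured, this configuration is of no benefit. However, if multiple remote peers are configured, this configuration directs the remote site router to the correct location without wasting WAN bandwidth.

A new DLSw+ remote peer (2.2.2.1) is configured at the Caracas router.

Caracas (first configuration) / São Paulo (second configuration)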
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw remote-peer 0 tcp 2.2.2.1
dlsw mac-addr 4000.3745.0000 remote-peer ip-address 1.1.1.1
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/2
 ip address 2.2.2.2 255.255.255.0
 no ip directed-broadcast
 clockrate 64000
!
bridge 1 protocol ieee
!
end
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end

Starting from an empty reachability table at the Caracas router, note that the entry for the FEP is in the UNCONFIRM state:

CARACAS#show dlsw reachability   
 DLSw Local MAC address reachability cache list
 Mac Addr         status     Loc.    port                 rif

 DLSw Remote MAC address reachability cache list
 Mac Addr         status     Loc.    peer
 4000.3745.0000   UNCONFIRM  REMOTE  1.1.1.1(2065) max-lf(4472)

 DLSw Local NetBIOS Name reachability cache list
 NetBIOS Name     status     Loc.    port                 rif

 DLSw Remote NetBIOS Name reachability cache list
 NetBIOS Name     status     Loc.    peer

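When the first packet arrives looking for the FEP, it is sent only to peer 1.1.1.1 (São Paulo) and not to 2.2.2.1. Therefore you save WAN bandwidth and CPU resources at the other peers.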

CARACAS#debug dlsw reachability verbose sna
 DLSw reachability debugging is on at verbose level for SNA traffic

 *Mar  2 18:38:59.324: CSM: update local cache for mac 0000.8888.0000, DLSw Port0
 *Mar  2 18:38:59.324: DLSW+: DLSw Port0 I d=4000.3745.0000-0 s=0000.8888.0000-F0 
 *Mar  2 18:38:59.324: CSM: test_frame_proc: ws_status = UNCONFIRMED
 *Mar  2 18:38:59.324: CSM: Write to peer 1.1.1.1(2065) ok
 *Mar  2 18:38:59.324: CSM: csm_peer_put returned rc_ssp 1
 *Mar  2 18:38:59.328: CSM: adding new icr pend record - test_frame_proc
 *Mar  2 18:38:59.328: CSM: update local cache for mac 0000.8888.0000, DLSw Port0
 *Mar  2 18:38:59.328: CSM: Received CLSI Msg : TEST_STN.Ind   dlen: 40 from DLSw Port0

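Configure dlsw icanreach mac-exclusive remote at the Central Router

At this point, the network diagram and the design requirements change. This is the new network example: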

[Network diagram: dlswfilter2.gif]

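In this example, a new SNA device (4000.3746.0000) is added at the São Paulo location. This machine needs to establish communication with a device at another location (peer 3.3.3.1). The São Paulo router runs this configuration.

São Paulo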
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw remote-peer 0 tcp 3.3.3.1
dlsw icanreach mac-exclusive
dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end

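With this São Paulo configuration, the São Paulo router informs all its peers that, because of the mac-exclusive command, it can reach only MAC address 4000.3745.0000. As this debug output shows, this also prevents the new SNA device (4000.3746.0000) from establishing communication through DLSw+.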

SAOPAULO#debug dlsw reachability verbose sna
 DLSw reachability debugging is on at verbose level for SNA traffic

 SAOPAULO#
 Mar  3 00:20:27.737: CSM: Deleting Reachability cache
 Mar  3 00:20:44.485: CSM: mac address NOT found in LOCAL list
 Mar  3 00:20:44.485: CSM: 4000.3746.0000 DID NOT pass local mac excl. filter
 Mar  3 00:20:44.485: CSM: And it is a test frame - drop frame

To fix this, make these changes to the São Paulo configuration.

São Paulo
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icanreach mac-exclusive remote
dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end

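With the remote keyword, other devices at the central router (those not specified in the dlsw icanreach mac-address command) are allowed to establish outbound connections. This is the debug output at São Paulo when device 4000.3746.0000 starts its connection: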

SAOPAULO#debug dlsw reachability verbose sna
 DLSw reachability debugging is on at verbose level for SNA traffic

 Mar  3 00:28:26.916: CSM: update local cache for mac 4000.3746.0000, TokenRing0/0
 Mar  3 00:28:26.916: CSM: Received CLSI Msg : TEST_STN.Ind   dlen: 40 from TokenRing0/0
 Mar  3 00:28:26.916: CSM:   smac c000.3746.0000, dmac 0000.8888.0000, ssap 4 , dsap 0 
 Mar  3 00:28:26.916: CSM: test_frame_proc: ws_status = FOUND
 Mar  3 00:28:26.920: CSM: sending TEST to TokenRing0/0
 Mar  3 00:28:26.924: CSM: update local cache for mac 4000.3746.0000, TokenRing0/0
 Mar  3 00:28:26.924: CSM: Received CLSI Msg : ID_STN.Ind   dlen: 54 from TokenRing0/0
 Mar  3 00:28:26.924: CSM:   smac c000.3746.0000, dmac 0000.8888.0000, ssap 4 , dsap 8 
 Mar  3 00:28:26.924: CSM: new_connection: ws_status = FOUND
 Mar  3 00:28:26.924: CSM: Calling csm_to_core with CLSI_START_NEWDL


Document ID: 12356