This document provides a sample configuration for Data-Link Switching Plus (DLSw+) Service Access Point (SAP) and MAC filtering techniques.

Filtering can be used to improve the scalability of a DLSw+ network. For example, you can use filtering to:

- Reduce traffic on WAN links (especially important on low-speed links and in environments that use NetBIOS).
- Enhance the security of the network by controlling access to certain devices.
- Improve CPU performance and scalability of the data-center DLSw+ routers.

DLSw+ provides several options that can be used to perform filtering. Filtering can be done on MAC addresses, SAPs, or NetBIOS names.
There are no specific requirements for this document.

This document is not restricted to specific software and hardware versions.

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

This section presents the information needed to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).
Using the network topology described in the Network Diagram section, the requirement is to block all NetBIOS traffic from the remote locations from reaching the central router (Sao Paulo). DLSw+ offers several options to accomplish this task; they are analyzed in the following sections.

Note: NetBIOS traffic uses SAP values 0xF0 (for commands) and 0xF1 (for responses). Typically, network administrators use these SAP values to filter (accept or deny) this protocol.

Note: NetBIOS clients use the NetBIOS functional MAC address (C000.0000.0080) as the destination MAC (DMAC) on their NetBIOS Name Query packets. As mentioned earlier, all of these frames carry SAP values 0xF0 or 0xF1.

In this test, the PC CCSpcC is configured to connect to the MAC address of the FEP using SAP 0xF0. In effect, this traffic is the same as NetBIOS, at least from the SAP point of view. Hence, when this traffic arrives, you can observe the corresponding debugs on the DLSw+ router.
This section uses the network setup shown in this diagram.

In the network diagram, the data-center router (Sao Paulo) is depicted with a connection to the mainframe. This router receives multiple DLSw+ peer connections from all the remote branches. Each remote branch has both Systems Network Architecture (SNA) and NetBIOS clients. There are no NetBIOS servers in the data center that need to be accessed from the remote offices.

For simplicity, the configuration details are shown for only one remote office (Caracas). The network diagram also shows the MAC address values of the Front End Processor (FEP) and of the remote PC (called CCSpcC). MAC addresses are shown in both canonical (Ethernet) and non-canonical (Token Ring) format.
With this method, all remote offices must be configured with the lsap-output-list option. No additional configuration changes are required on the central router.

The lsap-output-list is linked to a SAP access list (SAP ACL) that currently allows only the SNA SAPs (for example, 0x00, 0x04, 0x08, and so on) to go to the central router and denies everything else. For details on how to perform filtering based on SAPs, refer to Understanding Service Access Point Access Control Lists.

Caracas:

```
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1 lsap-output-list 200
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
access-list 200 permit 0x0000 0x0D0D
access-list 200 deny   0x0000 0xFFFF
!
bridge 1 protocol ieee
!
end
```

Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```
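To make the evaluation of access-list 200 concrete, here is an added Python model of a type-code SAP ACL. This is example code written for this page, not Cisco code or a verbatim description of IOS internals. It assumes the usual type-code ACL semantics: the 16-bit value carries the DSAP in the high byte and the SSAP in the low byte, and 1 bits in the second number are wildcard ("don't care") bits; entries are checked top-down with an implicit deny at the end. The function names sap_acl_action, permitted_saps and explain are this example's own.

```python
# Added example (not from the Cisco document): a model of how a type-code SAP
# access list such as "access-list 200 permit 0x0000 0x0D0D" is evaluated when
# it is applied with lsap-output-list. Assumption: the 16-bit value is DSAP in
# the high byte and SSAP in the low byte, and the second number is a wildcard
# mask in which 1 bits mean "don't care".

from typing import List, Tuple

# (action, value, wildcard) entries, in the order they appear in the configuration
SapAcl = List[Tuple[str, int, int]]

# The Caracas router's access-list 200 from the sample configuration.
ACL_200: SapAcl = [
    ("permit", 0x0000, 0x0D0D),
    ("deny",   0x0000, 0xFFFF),
]

NETBIOS_SAPS = {0xF0, 0xF1}


def sap_acl_action(acl: SapAcl, dsap: int, ssap: int) -> str:
    """Return "permit" or "deny" for a DSAP/SSAP pair under the given ACL.

    Entries are checked top-down; the first match wins, and anything that
    matches no entry hits the implicit deny at the end of every IOS ACL.
    """
    code = ((dsap & 0xFF) << 8) | (ssap & 0xFF)
    for action, value, wildcard in acl:
        care = ~wildcard & 0xFFFF          # bits that must match exactly
        if (code & care) == (value & care):
            return action
    return "deny"


def permitted_saps(acl: SapAcl) -> List[int]:
    """Every single SAP value v for which a v->v frame would be permitted."""
    return [v for v in range(256) if sap_acl_action(acl, v, v) == "permit"]


def explain(acl: SapAcl) -> str:
    """Human-readable summary, useful when reviewing a remote-office filter."""
    allowed = permitted_saps(acl)
    netbios_leaks = [v for v in allowed if v in NETBIOS_SAPS]
    lines = ["permitted SAPs: " + " ".join(f"0x{v:02X}" for v in allowed)]
    lines.append("NetBIOS (0xF0/0xF1) blocked: " + ("yes" if not netbios_leaks else "NO"))
    return "\n".join(lines)


if __name__ == "__main__":
    # The TEST_STN explorer from the first debug above: dsap 0x00, ssap 0xF0.
    print(sap_acl_action(ACL_200, 0x00, 0xF0))   # deny
    # A plain SNA explorer/XID: dsap 0x04, ssap 0x04.
    print(sap_acl_action(ACL_200, 0x04, 0x04))   # permit
    print(explain(ACL_200))
```

With the wildcard 0x0D0D only bits 0, 2 and 3 of each byte may vary, so the permitted SAPs are 0x00, 0x01, 0x04, 0x05, 0x08, 0x09, 0x0C and 0x0D (each SNA command SAP and its response); 0xF0 and 0xF1 fall through to the deny entry, which is exactly what the "filtered to peer 1.1.1.1(2065)" debug lines report.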
The debug dlsw command is used to see how the Caracas router reacts when it receives NetBIOS traffic.

```
CARACAS#debug dlsw
DLSw reachability debugging is on at event level for all protocol traffic
DLSw peer debugging is on
DLSw local circuit debugging is on
DLSw core message debugging is on
DLSw core state debugging is on
DLSw core flow control debugging is on
DLSw core xid debugging is on
```

If the remote office router (Caracas) has no reachability information for 4000.3745.0000 and it receives an explorer that looks for that MAC address using one of the "forbidden" SAPs, the request is blocked.

```
CARACAS#
*Mar 1 01:02:16.387: DLSW Received-ctlQ : CLSI Msg : TEST_STN.Ind dlen: 40
*Mar 1 01:02:16.387: CSM: Received CLSI Msg : TEST_STN.Ind dlen: 40 from DLSw Port0
*Mar 1 01:02:16.387: CSM: smac 0000.8888.0000, dmac 4000.3745.0000, ssap F0, dsap 0
*Mar 1 01:02:16.387: DLSw: dsap(0) ssap(F0) filtered to peer 1.1.1.1(2065)
*Mar 1 01:02:16.387: DLSw: frame output access list filtered to peer 1.1.1.1(2065)
*Mar 1 01:02:16.387: CSM: Write to peer 1.1.1.1(2065) not ok - PEER_FILTERED
```

Consider the case in which the remote office router (Caracas) does have reachability information for 4000.3745.0000. For example, another station (using a permitted SAP) has already requested the FEP MAC address. In this case, the "offending" PC (CCSpcC) sends its NULL XID, but the router stops it.

```
CARACAS#
*Mar 1 01:03:24.439: DLSW Received-ctlQ : CLSI Msg : ID_STN.Ind dlen: 46
*Mar 1 01:03:24.439: CSM: Received CLSI Msg : ID_STN.Ind dlen: 46 from DLSw Port0
*Mar 1 01:03:24.443: CSM: smac 0000.8888.0000, dmac 4000.3745.0000, ssap F0, dsap F0
*Mar 1 01:03:24.443: DLSw: new_ckt_from_clsi(): DLSw Port0 0000.8888.0000:F0->4000.3745.0000:F0
*Mar 1 01:03:24.443: DLSw: START-TPFSM (peer 1.1.1.1(2065)): event:CORE-ADD CIRCUIT state:CONNECT
*Mar 1 01:03:24.443: DLSw: dtp_action_u(), peer add circuit for peer 1.1.1.1(2065)
*Mar 1 01:03:24.443: DLSw: END-TPFSM (peer 1.1.1.1(2065)): state:CONNECT->CONNECT
*Mar 1 01:03:24.443: DLSw: START-FSM (872415295): event:DLC-Id state:DISCONNECTED
*Mar 1 01:03:24.443: DLSw: core: dlsw_action_a()
*Mar 1 01:03:24.447: DISP Sent : CLSI Msg : REQ_OPNSTN.Req dlen: 116
*Mar 1 01:03:24.447: DLSw: END-FSM (872415295): state:DISCONNECTED->LOCAL_RESOLVE
*Mar 1 01:03:24.447: DLSW Received-ctlQ : CLSI Msg : REQ_OPNSTN.Cfm CLS_OK dlen: 116
*Mar 1 01:03:24.447: DLSw: START-FSM (872415295): event:DLC-ReqOpnStn.Cnf state:LOCAL_RESOLVE
*Mar 1 01:03:24.447: DLSw: core: dlsw_action_b()
*Mar 1 01:03:24.447: CORE: Setting lf : bits 8 : size 1500
*Mar 1 01:03:24.451: DLSw: dsap(F0) ssap(F0) filtered to peer 1.1.1.1(2065)
*Mar 1 01:03:24.451: DLSw: frame output access list filtered to peer 1.1.1.1(2065)
*Mar 1 01:03:24.451: DLSw: peer 1.1.1.1(2065) unreachable - reason code 1
*Mar 1 01:03:24.451: DLSw: END-FSM (872415295): state:LOCAL_RESOLVE->CKT_START
```
Use the dlsw icannotreach saps command to filter protocols that you know must not be allowed through. If you only know what must be explicitly denied, use the dlsw icannotreach saps command on the central router, as shown in this configuration.

Caracas:

```
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
bridge 1 protocol ieee
!
end
```

Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icannotreach sap F0
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```
You can configure the central router on the fly (including the dlsw icannotreach saps command) even while the remote peers are already up. This output shows the debug on one of the remote routers, which indicates the receipt of the CapExId message. This message tells the remote office not to send any frames with SAP 0xF0/F1 to the central router.

```
CARACAS#debug dlsw peers
DLSw peer debugging is on
*Mar 1 18:30:30.388: DLSw: START-TPFSM (peer 1.1.1.1(2065)): event:SSP-CAP MSG RCVD state:CONNECT
*Mar 1 18:30:30.388: DLSw: dtp_action_p() runtime cap rcvd for peer 1.1.1.1(2065)
*Mar 1 18:30:30.392: DLSw: Recv CapExId Msg from peer 1.1.1.1(2065)
*Mar 1 18:30:30.392: DLSw: received fhpr capex from peer 1.1.1.1(2065): support: false, fst-prio: false
*Mar 1 18:30:30.392: DLSw: Pos CapExResp sent to peer 1.1.1.1(2065)
*Mar 1 18:30:30.392: DLSw: END-TPFSM (peer 1.1.1.1(2065)): state:CONNECT->CONNECT
```

After receiving the CapExId message, the Caracas router learns that Sao Paulo does not support SAP 0xF0.

```
CARACAS#show dlsw capabilities
DLSw: Capabilities for peer 1.1.1.1(2065)
  vendor id (OUI)         : '00C' (cisco)
  version number          : 2
  release number          : 0
  init pacing window      : 20
  unsupported saps        : F0
  num of tcp sessions     : 1
  loop prevent support    : no
  icanreach mac-exclusive : no
  icanreach netbios-excl. : no
  reachable mac addresses : none
  reachable netbios names : none
  V2 multicast capable    : yes
  DLSw multicast address  : none
  cisco version number    : 1
  peer group number       : 0
  peer cluster support    : no
  border peer capable     : no
  peer cost               : 3
  biu-segment configured  : no
  UDP Unicast support     : yes
  Fast-switched HPR supp  : no
  NetBIOS Namecache length : 15
  local-ack configured    : yes
  priority configured     : no
  cisco RSVP support      : no
  configured ip address   : 1.1.1.1
  peer type               : conf
  version string          :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
```

The show command output here (on the central router) shows the configuration change that makes SAP 0xF0 unsupported.

```
SAOPAULO#show dlsw capabilities local
DLSw: Capabilities for local peer 1.1.1.1
  vendor id (OUI)         : '00C' (cisco)
  version number          : 2
  release number          : 0
  init pacing window      : 20
  unsupported saps        : F0
  num of tcp sessions     : 1
  loop prevent support    : no
  icanreach mac-exclusive : no
  icanreach netbios-excl. : no
  reachable mac addresses : none
  reachable netbios names : none
  V2 multicast capable    : yes
  DLSw multicast address  : none
  cisco version number    : 1
  peer group number       : 0
  peer cluster support    : yes
  border peer capable     : no
  peer cost               : 3
  biu-segment configured  : no
  UDP Unicast support     : yes
  Fast-switched HPR supp. : no
  NetBIOS Namecache length : 15
  cisco RSVP support      : no
  current border peer     : none
  version string          :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
```

Here is the debug output on the Caracas router when the NetBIOS PC station attempts to connect:

```
CARACAS#debug dlsw peers
DLSw peer debugging is on
*Mar 1 18:40:27.575: DLSw: new_ckt_from_clsi(): DLSw Port0 0000.8888.0000:F0->4000.3745.0000:F0
*Mar 1 18:40:27.575: DLSw: START-TPFSM (peer 1.1.1.1(2065)): event:CORE-ADD CIRCUIT state:CONNECT
*Mar 1 18:40:27.579: DLSw: dtp_action_u(), peer add circuit for peer 1.1.1.1(2065)
*Mar 1 18:40:27.579: DLSw: END-TPFSM (peer 1.1.1.1(2065)): state:CONNECT->CONNECT
*Mar 1 18:40:27.579: DLSw: START-FSM (1409286242): event:DLC-Id state:DISCONNECTED
*Mar 1 18:40:27.579: DLSw: core: dlsw_action_a()
*Mar 1 18:40:27.579: DISP Sent : CLSI Msg : REQ_OPNSTN.Req dlen: 116
*Mar 1 18:40:27.579: DLSw: END-FSM (1409286242): state:DISCONNECTED->LOCAL_RESOLVE
*Mar 1 18:40:27.583: DLSW Received-ctlQ : CLSI Msg : REQ_OPNSTN.Cfm CLS_OK dlen: 116
*Mar 1 18:40:27.583: DLSw: START-FSM (1409286242): event:DLC-ReqOpnStn.Cnf state:LOCAL_RESOLVE
*Mar 1 18:40:27.583: DLSw: core: dlsw_action_b()
*Mar 1 18:40:27.583: CORE: Setting lf : bits 8 : size 1500
*Mar 1 18:40:27.583: peer_cap_filter(): Filtered by SAP to peer 1.1.1.1(2065), s: F0 d:F0
*Mar 1 18:40:27.583: DLSw: frame cap filtered (1) to peer 1.1.1.1(2065)
*Mar 1 18:40:27.583: DLSw: peer 1.1.1.1(2065) unreachable - reason code 1
```
Configuring the dlsw icanreach saps command is useful when you know exactly which type of traffic is allowed and want to make sure that everything else is denied. For example, when you configure dlsw icanreach saps 4, you explicitly deny all SAPs except 0x04 (and 0x05, the response).

Caracas:

```
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
bridge 1 protocol ieee
!
end
```

Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icanreach sap 0 4
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```

Notice in this show command output that the Caracas router recognizes that Sao Paulo only supports frames destined to SAPs 0x04 and 0x05. All other SAPs are unsupported.

```
CARACAS#show dlsw capabilities
DLSw: Capabilities for peer 1.1.1.1(2065)
  vendor id (OUI)         : '00C' (cisco)
  version number          : 2
  release number          : 0
  init pacing window      : 20
  unsupported saps        : 0 2 6 8 A C E 10 12 14 16 18 1A 1C 1E 20 22 24 26 28 2A 2C 2E
                            30 32 34 36 38 3A 3C 3E 40 42 44 46 48 4A 4C 4E 50 52 54 56 58
                            5A 5C 5E 60 62 64 66 68 6A 6C 6E 70 72 74 76 78 7A 7C 7E 80 82
                            84 86 88 8A 8C 8E 90 92 94 96 98 9A 9C 9E A0 A2 A4 A6 A8 AA AC
                            AE B0 B2 B4 B6 B8 BA BC BE C0 C2 C4 C6 C8 CA CC CE D0 D2 D4 D6
                            D8 DA DC DE E0 E2 E4 E6 E8 EA EC EE F0 F2 F4 F6 F8 FA FC FE
  num of tcp sessions     : 1
  loop prevent support    : no
  icanreach mac-exclusive : no
  icanreach netbios-excl. : no
  reachable mac addresses : none
  reachable netbios names : none
  V2 multicast capable    : yes
  DLSw multicast address  : none
  cisco version number    : 1
  peer group number       : 0
  peer cluster support    : no
  border peer capable     : no
  peer cost               : 3
  biu-segment configured  : no
  UDP Unicast support     : yes
  Fast-switched HPR supp. : no
  NetBIOS Namecache length : 15
  local-ack configured    : yes
  priority configured     : no
  cisco RSVP support      : no
  configured ip address   : 1.1.1.1
  peer type               : conf
  version string          :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
```

You can use the show dlsw capabilities local command to verify that the configuration change on the central router is reflected in the DLSw+ code.

```
SAOPAULO#show dlsw capabilities local
DLSw: Capabilities for local peer 1.1.1.1
  vendor id (OUI)         : '00C' (cisco)
  version number          : 2
  release number          : 0
  init pacing window      : 20
  unsupported saps        : 0 2 6 8 A C E 10 12 14 16 18 1A 1C 1E 20 22 24 26 28 2A 2C 2E
                            30 32 34 36 38 3A 3C 3E 40 42 44 46 48 4A 4C 4E 50 52 54 56 58
                            5A 5C 5E 60 62 64 66 68 6A 6C 6E 70 72 74 76 78 7A 7C 7E 80 82
                            84 86 88 8A 8C 8E 90 92 94 96 98 9A 9C 9E A0 A2 A4 A6 A8 AA AC
                            AE B0 B2 B4 B6 B8 BA BC BE C0 C2 C4 C6 C8 CA CC CE D0 D2 D4 D6
                            D8 DA DC DE E0 E2 E4 E6 E8 EA EC EE F0 F2 F4 F6 F8 FA FC FE
  num of tcp sessions     : 1
  loop prevent support    : no
  icanreach mac-exclusive : no
  icanreach netbios-excl. : no
  reachable mac addresses : none
  reachable netbios names : none
  V2 multicast capable    : yes
  DLSw multicast address  : none
  cisco version number    : 1
  peer group number       : 0
  peer cluster support    : yes
  border peer capable     : no
  peer cost               : 3
  biu-segment configured  : no
  UDP Unicast support     : yes
  Fast-switched HPR supp. : no
  NetBIOS Namecache length : 15
  cisco RSVP support      : no
  current border peer     : none
  version string          :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
```
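The capability exchange of the last two sections (dlsw icannotreach saps and dlsw icanreach saps) can be modelled in a few lines. The following is an added Python example written for this page, not Cisco code: it derives the "unsupported saps" set from either command and applies it the way the debug line peer_cap_filter(): Filtered by SAP reports. It assumes that only even (command) SAP values are advertised and that a response SAP (the command SAP with the low bit set, 0xF1 for 0xF0) is covered by its command SAP. The function names are this example's own.

```python
# Added example (not from the Cisco document): a model of the peer capability
# check that the remote router applies after a CapExId exchange. Assumptions:
# the central router advertises either an explicit unsupported list
# (dlsw icannotreach saps) or a reachable list from which everything else is
# derived (dlsw icanreach saps); SAPs are advertised as even "command" values,
# and a response SAP (command | 1) is covered by its command SAP.

from typing import Iterable, Set

ALL_EVEN_SAPS = set(range(0x00, 0x100, 2))


def unsupported_from_icannotreach(saps: Iterable[int]) -> Set[int]:
    """dlsw icannotreach saps F0 ... -> the advertised unsupported set."""
    return {s & 0xFE for s in saps}


def unsupported_from_icanreach(saps: Iterable[int]) -> Set[int]:
    """dlsw icanreach saps 4 ... -> every other command SAP becomes unsupported."""
    reachable = {s & 0xFE for s in saps}
    return ALL_EVEN_SAPS - reachable


def peer_cap_filter(unsupported: Set[int], ssap: int, dsap: int) -> bool:
    """True when the frame must NOT be sent to the peer (filtered by SAP)."""
    return (ssap & 0xFE) in unsupported or (dsap & 0xFE) in unsupported


def format_unsupported(unsupported: Set[int]) -> str:
    """Render the set the way the 'unsupported saps :' line does."""
    return " ".join(f"{s:X}" for s in sorted(unsupported)) if unsupported else "none"


if __name__ == "__main__":
    # Second scenario: dlsw icannotreach saps F0 on Sao Paulo.
    caps_a = unsupported_from_icannotreach([0xF0])
    print(format_unsupported(caps_a))              # F0
    print(peer_cap_filter(caps_a, 0xF0, 0xF0))     # True  (NetBIOS blocked)
    print(peer_cap_filter(caps_a, 0x04, 0x04))     # False (SNA passes)

    # Third scenario: dlsw icanreach saps 4 on Sao Paulo.
    caps_b = unsupported_from_icanreach([0x04])
    print(format_unsupported(caps_b))              # 0 2 6 8 A C E 10 12 ... FE
    print(peer_cap_filter(caps_b, 0x04, 0x05))     # False
    print(peer_cap_filter(caps_b, 0x08, 0x08))     # True
```

For dlsw icanreach saps 4 the derived set is every even SAP except 4, which is the "unsupported saps" line shown in the two show outputs above. Note how the two commands fail differently: icannotreach only blocks what you listed, so a protocol you forgot still passes, while icanreach blocks everything you did not list, so a forgotten SNA SAP breaks a legitimate application.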
Using the network diagram shown in this document, have the central router receive only frames destined to the FEP MAC address (4000.3745.0000).

With the dlsw icanreach mac-address command, all remote offices have an entry in their DLSw+ reachability table for the host MAC address that points to the IP address of the central router. This entry is in UNCONFIRM state, which means that if the remote office router receives a local TEST or XID for the host, it sends a CUR_ex (Can U Reach Explorer) message only to the central router.

Caracas:

```
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
bridge 1 protocol ieee
!
end
```

Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```

Here the Caracas router has created a permanent entry in its reachability cache. The entry is in UNCONFIRM state if it is not fresh. For details on how DLSw+ routers cache MAC addresses and NetBIOS names, refer to the reachability chapter of the DLSw+ Troubleshooting Guide.

```
CARACAS#show dlsw reachability
DLSw Local MAC address reachability cache list
Mac Addr        status     Loc.    port                 rif
0000.8888.0000  FOUND      LOCAL   TBridge-001          --no rif--

DLSw Remote MAC address reachability cache list
Mac Addr        status     Loc.    peer
4000.3745.0000  UNCONFIRM  REMOTE  1.1.1.1(2065)

DLSw Local NetBIOS Name reachability cache list
NetBIOS Name    status     Loc.    port                 rif

DLSw Remote NetBIOS Name reachability cache list
NetBIOS Name    status     Loc.    peer
```

On the Caracas router, the output of the show dlsw capabilities command confirms that this remote office knows that MAC address 4000.3745.0000 is reachable via peer 1.1.1.1. Also notice the line "icanreach mac-exclusive : no". It indicates that the central router is able to reach other MAC addresses besides the host. Therefore, if any remote office looks for another MAC address, it can still send the request to the central router. However, with the addition of the icanreach mac-address 4000.3745.0000 command, all the remote branches know the location of this important resource. If you want to further restrict the frames that reach the central router, refer to Configuring dlsw icanreach mac-exclusive on the Central Router.

```
CARACAS#show dlsw capabilities
DLSw: Capabilities for peer 1.1.1.1(2065)
  vendor id (OUI)         : '00C' (cisco)
  version number          : 2
  release number          : 0
  init pacing window      : 20
  unsupported saps        : none
  num of tcp sessions     : 1
  loop prevent support    : no
  icanreach mac-exclusive : no
  icanreach netbios-excl. : no
  reachable mac addresses : 4000.3745.0000
  reachable netbios names : none
  V2 multicast capable    : yes
  DLSw multicast address  : none
  cisco version number    : 1
  peer group number       : 0
  peer cluster support    : no
  border peer capable     : no
  peer cost               : 3
  biu-segment configured  : no
  UDP Unicast support     : yes
  Fast-switched HPR supp. : no
  NetBIOS Namecache length : 15
  local-ack configured    : yes
  priority configured     : no
  cisco RSVP support      : no
  configured ip address   : 1.1.1.1
  peer type               : conf
  version string          :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
```
The mask parameter can be used as in dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff. When using this parameter, note that MAC addresses are usually expressed in hexadecimal format (0x4000.3745.0000). Hence, an all-ones mask (in binary) is represented by the hexadecimal number 0xFFFF.FFFF.FFFF.

Here is an example of how to determine whether a given input MAC is included under a configured dlsw icanreach mac-address command:

Start with a router configured with the command dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.0000.

Evaluate whether the previous router configuration command includes the input MAC address 4000.3745.0009.

First, convert the MAC address (4000.3745.0009) and the configured MASK (FFFF.FFFF.0000) from hexadecimal to binary representation. The first two rows of this table show this step.

Then perform a logical AND between the two binary numbers and convert the result to hexadecimal representation (4000.3745.0000). The result of this operation is depicted in the third row of this table.
Value | Binary (one group of four bits per hex digit)
---|---
4000.3745.0009 | 0100 0000 0000 0000 . 0011 0111 0100 0101 . 0000 0000 0000 1001
ffff.ffff.0000 | 1111 1111 1111 1111 . 1111 1111 1111 1111 . 0000 0000 0000 0000
4000.3745.0000 (logical AND of the two rows above) | 0100 0000 0000 0000 . 0011 0111 0100 0101 . 0000 0000 0000 0000
If the result of the AND operation matches the MAC address in the dlsw icanreach mac-address command (4000.3745.0000 in this example), the input MAC address (4000.3745.0009) is permitted by the dlsw icanreach mac-address command. In this example, the dlsw icanreach mac-address command includes any input MAC address in the range 4000.3745.0000 through 4000.3745.FFFF. You can verify this by repeating the same steps for any MAC address in this range.

Here are a few more examples:

- dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff: This command includes only MAC address 4000.3745.0000. No other MAC address passes this mask.
- dlsw icanreach mac-address 4000.0000.3745 mask ffff.0000.ffff: This command includes all MAC addresses in the range 4000.XXXX.3745, where XXXX is 0x0000 through 0xFFFF.
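The procedure above, carried out in code for the worked case and for the two extra examples. This is an added Python example written for this page, not Cisco code; it assumes that IOS applies the mask as a plain bitwise AND on the 48-bit address, exactly as the table shows. The parser and the function names (parse_mac, icanreach_includes, icanreach_range) are this example's own. It goes slightly beyond the text by also computing the lowest and highest address a mask admits, and by rejecting any value that is not twelve hex digits in dotted groups of four, which catches a mask typed with a missing or extra f.

```python
# Added example (not from the Cisco document): the hexadecimal-to-binary AND
# check described in the text, generalised to any dlsw icanreach mac-address /
# mask pair. Assumption: the mask is applied as a bitwise AND on the 48-bit
# address, as the worked table shows.

import re
from typing import Tuple

_DOTTED_HEX = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")
_MASK48 = 0xFFFFFFFFFFFF


def parse_mac(text: str) -> int:
    """'4000.3745.0009' -> 0x400037450009; raises ValueError on a malformed value."""
    if not _DOTTED_HEX.match(text):
        raise ValueError(f"not a dotted-hex 48-bit value: {text!r}")
    return int(text.replace(".", ""), 16)


def format_mac(value: int) -> str:
    """0x400037450009 -> '4000.3745.0009'"""
    h = f"{value & _MASK48:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def to_binary_groups(value: int) -> str:
    """Nibble-grouped binary string, the form used in the table above."""
    bits = f"{value & _MASK48:048b}"
    return " ".join(bits[i:i + 4] for i in range(0, 48, 4))


def icanreach_includes(configured: str, mask: str, candidate: str) -> bool:
    """True when (candidate AND mask) equals (configured AND mask).

    This is the procedure from the text: the candidate is ANDed with the mask
    and the result is compared with the configured address.
    """
    m = parse_mac(mask)
    return (parse_mac(candidate) & m) == (parse_mac(configured) & m)


def icanreach_range(configured: str, mask: str) -> Tuple[str, str]:
    """Lowest and highest MAC address matched by a configured address/mask."""
    c, m = parse_mac(configured), parse_mac(mask)
    base = c & m
    return format_mac(base), format_mac(base | (~m & _MASK48))


if __name__ == "__main__":
    # The worked case from the text: rows 1, 2 and 3 of the table.
    print(to_binary_groups(parse_mac("4000.3745.0009")))
    print(to_binary_groups(parse_mac("ffff.ffff.0000")))
    print(format_mac(parse_mac("4000.3745.0009") & parse_mac("ffff.ffff.0000")))  # 4000.3745.0000
    print(icanreach_includes("4000.3745.0000", "ffff.ffff.0000", "4000.3745.0009"))  # True
    # The range each example command admits.
    print(icanreach_range("4000.3745.0000", "ffff.ffff.0000"))  # ('4000.3745.0000', '4000.3745.ffff')
    print(icanreach_range("4000.3745.0000", "ffff.ffff.ffff"))  # ('4000.3745.0000', '4000.3745.0000')
    print(icanreach_range("4000.0000.3745", "ffff.0000.ffff"))  # ('4000.0000.3745', '4000.ffff.3745')
```

A loose mask is the thing to watch when the command is used as a security control: ffff.ffff.0000 admits 65,536 addresses, so a station that spoofs any MAC in 4000.3745.XXXX is treated as the host. Use ffff.ffff.ffff unless a range is genuinely required.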
With the dlsw icanreach mac-exclusive command configured on the central router, you can ensure that only packets destined to the previously defined MAC address (4000.3745.0000 in this example) are allowed at the central location.

Notice that this filtering information is exchanged among all DLSw+ peers using CapExId messages. You save WAN bandwidth by configuring the filtering information at the central location, even though it is the remote routers themselves that perform the actual blocking of frames.

Caracas:

```
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
bridge 1 protocol ieee
!
end
```

Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icanreach mac-exclusive
dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```

Observe in this output that the Caracas router knows that MAC address 4000.3745.0000 is reachable via peer 1.1.1.1. The difference between this example and the previous scenario is that here "icanreach mac-exclusive : yes" is displayed, which means that the remote office does not send the central router any frames except those destined to 4000.3745.0000.

```
CARACAS#show dlsw capabilities
DLSw: Capabilities for peer 1.1.1.1(2065)
  vendor id (OUI)         : '00C' (cisco)
  version number          : 2
  release number          : 0
  init pacing window      : 20
  unsupported saps        : none
  num of tcp sessions     : 1
  loop prevent support    : no
  icanreach mac-exclusive : yes
  icanreach netbios-excl. : no
  reachable mac addresses : 4000.3745.0000
  reachable netbios names : none
  V2 multicast capable    : yes
  DLSw multicast address  : none
  cisco version number    : 1
  peer group number       : 0
  peer cluster support    : no
  border peer capable     : no
  peer cost               : 3
  biu-segment configured  : no
  UDP Unicast support     : yes
  Fast-switched HPR supp. : no
  NetBIOS Namecache length : 15
  local-ack configured    : yes
  priority configured     : no
  cisco RSVP support      : no
  configured ip address   : 1.1.1.1
  peer type               : conf
  version string          :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
```

The debug output here shows how the Caracas router reacts to incoming traffic destined to any MAC address other than 4000.3745.0000 (4000.3745.0080 is used here). Caracas does not use Sao Paulo to transport frames that are not destined to the host (4000.3745.0000). In this example, Sao Paulo is the only remote peer configured on Caracas, so this router has no other peer to send them to.

```
CARACAS#debug dlsw
DLSw reachability debugging is on at event level for all protocol traffic
DLSw peer debugging is on
DLSw local circuit debugging is on
DLSw core message debugging is on
DLSw core state debugging is on
DLSw core flow control debugging is on
DLSw core xid debugging is on
*Mar 1 22:41:33.200: DLSW Received-ctlQ : CLSI Msg : TEST_STN.Ind dlen: 40
*Mar 1 22:41:33.204: CSM: Received CLSI Msg : TEST_STN.Ind dlen: 40 from DLSw Port0
*Mar 1 22:41:33.204: CSM: smac 0000.8888.0000, dmac 4000.3745.0080, ssap 4 , dsap 0
*Mar 1 22:41:33.204: broadcast filter failed mac check
*Mar 1 22:41:33.204: CSM: Write to all peers not ok - PEER_NO_CONNECTIONS
```
If a router is configured with the dlsw icanreach mac-exclusive command without any MAC address defined with the dlsw icanreach mac-address command, the router advertises to its peers that it cannot reach any MAC address at all. As a result, you lose all communication through that peer.

Note: The configuration here is shown only as an example. It is a mistake and should not be used.

Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icanreach mac-exclusive
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```

This debug output shows what happens when the Caracas router receives a frame destined to 4000.3745.0000. Notice that Caracas has only one DLSw remote peer (Sao Paulo), but with the previous configuration Sao Paulo told its peers that it cannot reach any MAC address.

```
CARACAS#show debug
DLSw:
  DLSw Peer debugging is on
  DLSw RSVP debugging is on
  DLSw reachability debugging is on at verbose level for SNA traffic
  DLSw basic debugging for peer 1.1.1.1(2065) is on
  DLSw core message debugging is on
  DLSw core state debugging is on
  DLSw core flow control debugging is on
  DLSw core xid debugging is on
  DLSw Local Circuit debugging is on
CARACAS#
Mar 2 21:37:42.570: DLSW Received-ctlQ : CLSI Msg : TEST_STN.Ind dlen: 40
Mar 2 21:37:42.570: CSM: update local cache for mac 0000.8888.0000, DLSw Port0
Mar 2 21:37:42.570: DLSW+: DLSw Port0 I d=4000.3745.0000-0 s=0000.8888.0000-F0
Mar 2 21:37:42.570: CSM: test_frame_proc: ws_status = NO_CACHE_INFO
Mar 2 21:37:42.570: CSM: mac address NOT found in PEER reachability list
Mar 2 21:37:42.570: broadcast filter failed mac check
Mar 2 21:37:42.574: CSM: Write to all peers not ok - PEER_NO_CONNECTIONS
Mar 2 21:37:42.574: CSM: csm_peer_put returned rc_ssp not OK
```
In this example, each remote office router is manually configured and directed to the desired central router when it looks for a specific MAC address. This reduces unnecessary traffic sent to the wrong peers. If the remote office has only one remote peer configured, this configuration provides no benefit. However, if multiple remote peers are configured, it directs the remote-site router to the right place without wasting WAN bandwidth.

A new DLSw+ remote peer (2.2.2.1) is configured on the Caracas router.

Caracas:

```
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw remote-peer 0 tcp 2.2.2.1
dlsw mac-addr 4000.3745.0000 remote-peer ip-address 1.1.1.1
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/2
 ip address 2.2.2.2 255.255.255.0
 no ip directed-broadcast
 clockrate 64000
!
bridge 1 protocol ieee
!
end
```

Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```

Starting with an empty reachability table on the Caracas router, notice that the entry for the FEP is in UNCONFIRM state:

```
CARACAS#show dlsw reachability
DLSw Local MAC address reachability cache list
Mac Addr        status     Loc.    port                 rif

DLSw Remote MAC address reachability cache list
Mac Addr        status     Loc.    peer
4000.3745.0000  UNCONFIRM  REMOTE  1.1.1.1(2065) max-lf(4472)

DLSw Local NetBIOS Name reachability cache list
NetBIOS Name    status     Loc.    port                 rif

DLSw Remote NetBIOS Name reachability cache list
NetBIOS Name    status     Loc.    peer
```

When the first packet arrives looking for the FEP, it is sent only to peer 1.1.1.1 (Sao Paulo) and not to 2.2.2.1. Hence, you save WAN bandwidth and CPU resources on the other peers.

```
CARACAS#debug dlsw reachability verbose sna
DLSw reachability debugging is on at verbose level for SNA traffic
*Mar 2 18:38:59.324: CSM: update local cache for mac 0000.8888.0000, DLSw Port0
*Mar 2 18:38:59.324: DLSW+: DLSw Port0 I d=4000.3745.0000-0 s=0000.8888.0000-F0
*Mar 2 18:38:59.324: CSM: test_frame_proc: ws_status = UNCONFIRMED
*Mar 2 18:38:59.324: CSM: Write to peer 1.1.1.1(2065) ok
*Mar 2 18:38:59.324: CSM: csm_peer_put returned rc_ssp 1
*Mar 2 18:38:59.328: CSM: adding new icr pend record - test_frame_proc
*Mar 2 18:38:59.328: CSM: update local cache for mac 0000.8888.0000, DLSw Port0
*Mar 2 18:38:59.328: CSM: Received CLSI Msg : TEST_STN.Ind dlen: 40 from DLSw Port0
```
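To tie the MAC-based controls of the last few sections together, here is an added Python model of the explorer forwarding decision on a remote router: which peers receive a CUR_ex for a destination MAC, given each peer's advertised "reachable mac addresses" list, its "icanreach mac-exclusive" flag, and an optional static dlsw mac-addr entry. This is example code written for this page, not Cisco code; the PeerCaps class, the peer table and the function names are constructed for the example, and exact-match MAC lists are assumed (the mask form is not modelled here).

```python
# Added example (not from the Cisco document): a model of how a remote-office
# router picks the peers that receive a CUR_ex explorer for a destination MAC,
# combining the peer's advertised reachable MAC list, its mac-exclusive flag,
# and a static "dlsw mac-addr <mac> remote-peer ip-address <ip>" entry.
# PeerCaps, the peer table and all function names are constructed for this
# example; only exact MAC matches are modelled.

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class PeerCaps:
    """What show dlsw capabilities reports for one remote peer."""
    ip: str
    reachable_macs: Set[str] = field(default_factory=set)  # exact matches only
    mac_exclusive: bool = False


def peer_accepts(peer: PeerCaps, dmac: str) -> bool:
    """A mac-exclusive peer accepts only the MACs it advertised; others accept all."""
    if not peer.mac_exclusive:
        return True
    return dmac.lower() in {m.lower() for m in peer.reachable_macs}


def explorer_targets(dmac: str, peers: List[PeerCaps],
                     static_map: Optional[Dict[str, str]] = None) -> List[str]:
    """Peers that a CUR_ex for dmac is written to.

    A static dlsw mac-addr entry pins the lookup to one peer (the UNCONFIRM
    cache entry seen above); otherwise the explorer goes to every peer whose
    capabilities do not rule the destination out. An empty result is the
    "Write to all peers not ok - PEER_NO_CONNECTIONS" case from the debugs.
    """
    static_map = {k.lower(): v for k, v in (static_map or {}).items()}
    pinned = static_map.get(dmac.lower())
    if pinned is not None:
        return [pinned]
    return [p.ip for p in peers if peer_accepts(p, dmac)]


FEP = "4000.3745.0000"

# Constructed peer table: Sao Paulo advertises the FEP with mac-exclusive set,
# 2.2.2.1 is a second peer with default capabilities, and BROKEN_SAO_PAULO is
# the mistaken "mac-exclusive without any mac-address" configuration.
SAO_PAULO = PeerCaps("1.1.1.1", {FEP}, mac_exclusive=True)
OTHER_PEER = PeerCaps("2.2.2.1")
BROKEN_SAO_PAULO = PeerCaps("1.1.1.1", set(), mac_exclusive=True)

if __name__ == "__main__":
    # Two peers, no static entry: the FEP explorer goes to both.
    print(explorer_targets(FEP, [SAO_PAULO, OTHER_PEER]))                      # ['1.1.1.1', '2.2.2.1']
    # With dlsw mac-addr 4000.3745.0000 remote-peer ip-address 1.1.1.1 it goes to one.
    print(explorer_targets(FEP, [SAO_PAULO, OTHER_PEER], {FEP: "1.1.1.1"}))    # ['1.1.1.1']
    # A non-host MAC with Sao Paulo as the only peer: nowhere to send it.
    print(explorer_targets("4000.3745.0080", [SAO_PAULO]))                     # []
    # The broken central configuration: even the FEP is unreachable.
    print(explorer_targets(FEP, [BROKEN_SAO_PAULO]))                           # []
```

The last two calls reproduce the two failure modes shown in the debugs: "broadcast filter failed mac check" followed by PEER_NO_CONNECTIONS for a non-host MAC, and the same outcome for every MAC when mac-exclusive is configured with no mac-address entries.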
At this point, the network diagram and the design requirements have changed. Here is the new network example:

In this example, a new SNA device (4000.3746.0000) is added at the Sao Paulo location. This machine needs to establish communication with a device at another location (peer 3.3.3.1). The Sao Paulo router runs this configuration.

Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw remote-peer 0 tcp 3.3.3.1
dlsw icanreach mac-exclusive
dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```

With this Sao Paulo configuration, the Sao Paulo router informs all its peers that, because of the mac-exclusive command, it can reach only MAC address 4000.3745.0000. As this debug output shows, this also blocks the new SNA device (4000.3746.0000).

```
SAOPAULO#debug dlsw reachability verbose sna
DLSw reachability debugging is on at verbose level for SNA traffic
SAOPAULO#
Mar 3 00:20:27.737: CSM: Deleting Reachability cache
Mar 3 00:20:44.485: CSM: mac address NOT found in LOCAL list
Mar 3 00:20:44.485: CSM: 4000.3746.0000 DID NOT pass local mac excl. filter
Mar 3 00:20:44.485: CSM: And it is a test frame - drop frame
```
To solve this problem, make these changes to the Sao Paulo configuration.

Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icanreach mac-exclusive remote
dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```

With the remote keyword, other devices on the central router (those not specified in the dlsw icanreach mac-address command) are allowed to establish outgoing connections. This is the debug output on Sao Paulo when device 4000.3746.0000 starts a connection.

```
SAOPAULO#debug dlsw reachability verbose sna
DLSw reachability debugging is on at verbose level for SNA traffic
Mar 3 00:28:26.916: CSM: update local cache for mac 4000.3746.0000, TokenRing0/0
Mar 3 00:28:26.916: CSM: Received CLSI Msg : TEST_STN.Ind dlen: 40 from TokenRing0/0
Mar 3 00:28:26.916: CSM: smac c000.3746.0000, dmac 0000.8888.0000, ssap 4 , dsap 0
Mar 3 00:28:26.916: CSM: test_frame_proc: ws_status = FOUND
Mar 3 00:28:26.920: CSM: sending TEST to TokenRing0/0
Mar 3 00:28:26.924: CSM: update local cache for mac 4000.3746.0000, TokenRing0/0
Mar 3 00:28:26.924: CSM: Received CLSI Msg : ID_STN.Ind dlen: 54 from TokenRing0/0
Mar 3 00:28:26.924: CSM: smac c000.3746.0000, dmac 0000.8888.0000, ssap 4 , dsap 8
Mar 3 00:28:26.924: CSM: new_connection: ws_status = FOUND
Mar 3 00:28:26.924: CSM: Calling csm_to_core with CLSI_START_NEWDL
```