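This document provides sample configurations for Data-Link Switching Plus (DLSw+) service access point (SAP) and MAC filtering techniques.
Filtering can be used to enhance the scalability of a DLSw+ network. For example, filtering can be used to:
- Reduce traffic on the WAN link (particularly important for very low-speed links and in environments that use NetBIOS).
- Enhance the security of the network by controlling access to certain devices.
- Enhance the CPU performance and scalability of the data center DLSw+ routers.
DLSw+ provides several options that can be used to perform filtering. Filtering can be done on MAC addresses, SAPs, or NetBIOS names.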
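There are no specific requirements for this document.
This document is not restricted to specific software and hardware versions.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
This section presents the information used to configure the features described in this document.
Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).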
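With the network topology described in the Network Diagram section, all NetBIOS traffic from the remote locations must be stopped from reaching the central router (Sao Paulo). DLSw+ provides several options to accomplish this, which are analyzed in the following sections.
Note: NetBIOS traffic uses SAP values 0xF0 (for commands) and 0xF1 (for responses). Typically, network administrators use these SAP values to filter (permit or deny) this protocol.
Note: NetBIOS clients use the NetBIOS functional MAC address (C000.0000.0080) as the destination MAC (DMAC) on their NetBIOS name query packets. As stated earlier, all of these frames carry SAP value 0xF0 or 0xF1.
For this test, the PC CCSpcC is configured to connect to the MAC address of the FEP using SAP 0xF0. In effect, this traffic looks the same as NetBIOS, at least from the SAP point of view. You can therefore observe the corresponding debugs in the DLSw+ routers when this traffic arrives.
This section uses the network setup shown in this diagram.
The network diagram shows the data center router (Sao Paulo), which is connected to the host. This router receives multiple DLSw+ peer connections from all of the remote branches. Each remote branch has Systems Network Architecture (SNA) and NetBIOS clients. There are no NetBIOS servers in the data center that need to be accessed from the remote offices.
For simplicity, the configuration details of only one remote office (Caracas) are shown. The network diagram also shows the MAC address values of the front-end processor (FEP) and of the remote PC (called CCSpcC). The MAC addresses are shown in both canonical (Ethernet) and non-canonical (Token Ring) formats.
With this method, all of the remote offices must be configured with the lsap-output-list option. No additional configuration changes are required on the central router.
The lsap-output-list is linked to the SAP access list (SAP ACL), which currently allows only SNA SAPs (for example, 0x00, 0x04, 0x08, and so on) toward the central router and denies everything else. Refer to Understanding Service Access Point Access Control Lists for details on how to perform SAP-based filtering.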
Caracas:

```
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1 lsap-output-list 200
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
access-list 200 permit 0x0000 0x0D0D
access-list 200 deny 0x0000 0xFFFF
!
bridge 1 protocol ieee
!
end
```

Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```
The debug dlsw command is used to see how the Caracas router reacts when it receives NetBIOS traffic.
```
CARACAS#debug dlsw
DLSw reachability debugging is on at event level for all protocol traffic
DLSw peer debugging is on
DLSw local circuit debugging is on
DLSw core message debugging is on
DLSw core state debugging is on
DLSw core flow control debugging is on
DLSw core xid debugging is on
```
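If the remote office router (Caracas) has no reachability information for 4000.3745.0000 and it receives an explorer that looks for that MAC address using one of the "forbidden" SAPs, the request is blocked.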
```
CARACAS#
*Mar 1 01:02:16.387: DLSW Received-ctlQ : CLSI Msg : TEST_STN.Ind dlen: 40
*Mar 1 01:02:16.387: CSM: Received CLSI Msg : TEST_STN.Ind dlen: 40 from DLSw Port0
*Mar 1 01:02:16.387: CSM: smac 0000.8888.0000, dmac 4000.3745.0000, ssap F0, dsap 0
*Mar 1 01:02:16.387: DLSw: dsap(0) ssap(F0) filtered to peer 1.1.1.1(2065)
*Mar 1 01:02:16.387: DLSw: frame output access list filtered to peer 1.1.1.1(2065)
*Mar 1 01:02:16.387: CSM: Write to peer 1.1.1.1(2065) not ok - PEER_FILTERED
```
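Consider the case where the remote office router (Caracas) does have reachability information for 4000.3745.0000. For example, another station (using a permitted SAP) has already requested the FEP MAC address. In this case, the "offending" PC (CCSpcC) sends its NULL XID, but the router stops it.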
```
CARACAS#
*Mar 1 01:03:24.439: DLSW Received-ctlQ : CLSI Msg : ID_STN.Ind dlen: 46
*Mar 1 01:03:24.439: CSM: Received CLSI Msg : ID_STN.Ind dlen: 46 from DLSw Port0
*Mar 1 01:03:24.443: CSM: smac 0000.8888.0000, dmac 4000.3745.0000, ssap F0, dsap F0
*Mar 1 01:03:24.443: DLSw: new_ckt_from_clsi(): DLSw Port0 0000.8888.0000:F0->4000.3745.0000:F0
*Mar 1 01:03:24.443: DLSw: START-TPFSM (peer 1.1.1.1(2065)): event:CORE-ADD CIRCUIT state:CONNECT
*Mar 1 01:03:24.443: DLSw: dtp_action_u(), peer add circuit for peer 1.1.1.1(2065)
*Mar 1 01:03:24.443: DLSw: END-TPFSM (peer 1.1.1.1(2065)): state:CONNECT->CONNECT
*Mar 1 01:03:24.443: DLSw: START-FSM (872415295): event:DLC-Id state:DISCONNECTED
*Mar 1 01:03:24.443: DLSw: core: dlsw_action_a()
*Mar 1 01:03:24.447: DISP Sent : CLSI Msg : REQ_OPNSTN.Req dlen: 116
*Mar 1 01:03:24.447: DLSw: END-FSM (872415295): state:DISCONNECTED->LOCAL_RESOLVE
*Mar 1 01:03:24.447: DLSW Received-ctlQ : CLSI Msg : REQ_OPNSTN.Cfm CLS_OK dlen: 116
*Mar 1 01:03:24.447: DLSw: START-FSM (872415295): event:DLC-ReqOpnStn.Cnf state:LOCAL_RESOLVE
*Mar 1 01:03:24.447: DLSw: core: dlsw_action_b()
*Mar 1 01:03:24.447: CORE: Setting lf : bits 8 : size 1500
*Mar 1 01:03:24.451: DLSw: dsap(F0) ssap(F0) filtered to peer 1.1.1.1(2065)
*Mar 1 01:03:24.451: DLSw: frame output access list filtered to peer 1.1.1.1(2065)
*Mar 1 01:03:24.451: DLSw: peer 1.1.1.1(2065) unreachable - reason code 1
*Mar 1 01:03:24.451: DLSw: END-FSM (872415295): state:LOCAL_RESOLVE->CKT_START
```
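The following Python sketch is an added example, not part of the original document or of Cisco IOS. It evaluates access-list 200 from the Caracas configuration against the DSAP/SSAP pairs seen in the debug output, treating the ACL value as DSAP in the high byte and SSAP in the low byte and the second number as a wildcard mask (1 bits are ignored). The function names are illustrative, and the third sample frame (SSAP 0x04) is taken from a later debug on this page.

```python
import re

# access-list 200 as configured on CARACAS on this page: (action, value, mask).
ACL_200 = [
    ("permit", 0x0000, 0x0D0D),
    ("deny", 0x0000, 0xFFFF),
]

# Frame summaries copied from debug dlsw output on this page. The third one
# appears under a later configuration; it is fed to ACL 200 here only to show
# a frame that uses an SNA SAP.
DEBUG_LINES = [
    "CSM: smac 0000.8888.0000, dmac 4000.3745.0000, ssap F0, dsap 0",
    "CSM: smac 0000.8888.0000, dmac 4000.3745.0000, ssap F0, dsap F0",
    "CSM: smac 0000.8888.0000, dmac 4000.3745.0080, ssap 4 , dsap 0",
]

SAP_RE = re.compile(r"ssap\s+([0-9A-Fa-f]{1,2})\s*,\s*dsap\s+([0-9A-Fa-f]{1,2})")


def sap_acl_action(acl, dsap, ssap):
    """Return 'permit' or 'deny' for one frame, first matching entry wins.

    Mask bits set to 1 are "don't care", so only the bits that are 0 in the
    mask are compared with the configured value.
    """
    value = ((dsap & 0xFF) << 8) | (ssap & 0xFF)
    for action, type_code, wildcard in acl:
        care = ~wildcard & 0xFFFF
        if ((value ^ type_code) & care) == 0:
            return action
    return "deny"  # implicit deny at the end of an IOS access list


def permitted_saps(acl):
    """SSAP values that pass when the DSAP is 0x00, as in a TEST explorer."""
    return [s for s in range(256) if sap_acl_action(acl, 0x00, s) == "permit"]


def check_debug_line(acl, line):
    """Extract ssap/dsap from a CSM debug line and run them through the ACL."""
    m = SAP_RE.search(line)
    if m is None:
        return None  # not a frame summary line
    ssap, dsap = int(m.group(1), 16), int(m.group(2), 16)
    return sap_acl_action(acl, dsap, ssap)


if __name__ == "__main__":
    print("SAPs admitted by ACL 200:",
          " ".join(f"0x{s:02X}" for s in permitted_saps(ACL_200)))
    for line in DEBUG_LINES:
        print(f"{check_debug_line(ACL_200, line):6} <- {line}")
```

The enumeration shows that mask 0x0D0D admits 0x0C/0x0D and the response values 0x01, 0x05 and 0x09 in addition to 0x00, 0x04 and 0x08, which is worth knowing when the list is meant to be a strict allow list.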
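With the dlsw icannotreach saps command, you can filter protocols that you know must not be allowed through. If you know only what must be explicitly denied, use the dlsw icannotreach saps command on the central router, as shown in this configuration.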
Caracas:

```
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
bridge 1 protocol ieee
!
end
```

Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icannotreach sap F0
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```
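You can configure the central router dynamically (including the dlsw icannotreach saps command), even while the remote peers are up. This output shows the debug on one of the remote routers, which indicates receipt of a CapExId message. This message instructs the remote office not to send any frames with SAP 0xF0/F1 to the central router.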
```
CARACAS#debug dlsw peers
DLSw peer debugging is on
*Mar 1 18:30:30.388: DLSw: START-TPFSM (peer 1.1.1.1(2065)): event:SSP-CAP MSG RCVD state:CONNECT
*Mar 1 18:30:30.388: DLSw: dtp_action_p() runtime cap rcvd for peer 1.1.1.1(2065)
*Mar 1 18:30:30.392: DLSw: Recv CapExId Msg from peer 1.1.1.1(2065)
*Mar 1 18:30:30.392: DLSw: received fhpr capex from peer 1.1.1.1(2065): support: false, fst-prio: false
*Mar 1 18:30:30.392: DLSw: Pos CapExResp sent to peer 1.1.1.1(2065)
*Mar 1 18:30:30.392: DLSw: END-TPFSM (peer 1.1.1.1(2065)): state:CONNECT->CONNECT
```
After the CapExId message is received, the Caracas router learns that Sao Paulo does not support SAP 0xF0.
```
CARACAS#show dlsw capabilities
DLSw: Capabilities for peer 1.1.1.1(2065)
  vendor id (OUI)          : '00C' (cisco)
  version number           : 2
  release number           : 0
  init pacing window       : 20
  unsupported saps         : F0
  num of tcp sessions      : 1
  loop prevent support     : no
  icanreach mac-exclusive  : no
  icanreach netbios-excl.  : no
  reachable mac addresses  : none
  reachable netbios names  : none
  V2 multicast capable     : yes
  DLSw multicast address   : none
  cisco version number     : 1
  peer group number        : 0
  peer cluster support     : no
  border peer capable      : no
  peer cost                : 3
  biu-segment configured   : no
  UDP Unicast support      : yes
  Fast-switched HPR supp   : no
  NetBIOS Namecache length : 15
  local-ack configured     : yes
  priority configured      : no
  cisco RSVP support       : no
  configured ip address    : 1.1.1.1
  peer type                : conf
  version string           :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
```
The show command output shown here is from the central router and shows the configuration change that SAP 0xF0 is not supported.
```
SAOPAULO#show dlsw capabilities local
DLSw: Capabilities for local peer 1.1.1.1
  vendor id (OUI)          : '00C' (cisco)
  version number           : 2
  release number           : 0
  init pacing window       : 20
  unsupported saps         : F0
  num of tcp sessions      : 1
  loop prevent support     : no
  icanreach mac-exclusive  : no
  icanreach netbios-excl.  : no
  reachable mac addresses  : none
  reachable netbios names  : none
  V2 multicast capable     : yes
  DLSw multicast address   : none
  cisco version number     : 1
  peer group number        : 0
  peer cluster support     : yes
  border peer capable      : no
  peer cost                : 3
  biu-segment configured   : no
  UDP Unicast support      : yes
  Fast-switched HPR supp.  : no
  NetBIOS Namecache length : 15
  cisco RSVP support       : no
  current border peer      : none
  version string           :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
```
This is the debug output of the Caracas router when the NetBIOS PC station attempts to connect:
```
CARACAS#debug dlsw peers
DLSw peer debugging is on
*Mar 1 18:40:27.575: DLSw: new_ckt_from_clsi(): DLSw Port0 0000.8888.0000:F0->4000.3745.0000:F0
*Mar 1 18:40:27.575: DLSw: START-TPFSM (peer 1.1.1.1(2065)): event:CORE-ADD CIRCUIT state:CONNECT
*Mar 1 18:40:27.579: DLSw: dtp_action_u(), peer add circuit for peer 1.1.1.1(2065)
*Mar 1 18:40:27.579: DLSw: END-TPFSM (peer 1.1.1.1(2065)): state:CONNECT->CONNECT
*Mar 1 18:40:27.579: DLSw: START-FSM (1409286242): event:DLC-Id state:DISCONNECTED
*Mar 1 18:40:27.579: DLSw: core: dlsw_action_a()
*Mar 1 18:40:27.579: DISP Sent : CLSI Msg : REQ_OPNSTN.Req dlen: 116
*Mar 1 18:40:27.579: DLSw: END-FSM (1409286242): state:DISCONNECTED->LOCAL_RESOLVE
*Mar 1 18:40:27.583: DLSW Received-ctlQ : CLSI Msg : REQ_OPNSTN.Cfm CLS_OK dlen: 116
*Mar 1 18:40:27.583: DLSw: START-FSM (1409286242): event:DLC-ReqOpnStn.Cnf state:LOCAL_RESOLVE
*Mar 1 18:40:27.583: DLSw: core: dlsw_action_b()
*Mar 1 18:40:27.583: CORE: Setting lf : bits 8 : size 1500
*Mar 1 18:40:27.583: peer_cap_filter(): Filtered by SAP to peer 1.1.1.1(2065), s: F0 d:F0
*Mar 1 18:40:27.583: DLSw: frame cap filtered (1) to peer 1.1.1.1(2065)
*Mar 1 18:40:27.583: DLSw: peer 1.1.1.1(2065) unreachable - reason code 1
```
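The dlsw icanreach saps command is useful when you know exactly which type of traffic is allowed and you want to make sure that all other traffic is denied. For example, when you configure dlsw icanreach saps 4, all SAPs except 0x04 (and 0x05, the response) are explicitly denied.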
Caracas:

```
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
bridge 1 protocol ieee
!
end
```

Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icanreach sap 0 4
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```
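Note that in this show command output, the Caracas router recognizes that Sao Paulo only supports frames destined for SAPs 0x04 and 0x05. All other SAPs are unsupported.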
```
CARACAS#show dlsw capabilities
DLSw: Capabilities for peer 1.1.1.1(2065)
  vendor id (OUI)          : '00C' (cisco)
  version number           : 2
  release number           : 0
  init pacing window       : 20
  unsupported saps         : 0 2 6 8 A C E 10 12 14 16 18 1A 1C 1E
                             20 22 24 26 28 2A 2C 2E 30 32 34 36 38 3A 3C 3E
                             40 42 44 46 48 4A 4C 4E 50 52 54 56 58 5A 5C 5E
                             60 62 64 66 68 6A 6C 6E 70 72 74 76 78 7A 7C 7E
                             80 82 84 86 88 8A 8C 8E 90 92 94 96 98 9A 9C 9E
                             A0 A2 A4 A6 A8 AA AC AE B0 B2 B4 B6 B8 BA BC BE
                             C0 C2 C4 C6 C8 CA CC CE D0 D2 D4 D6 D8 DA DC DE
                             E0 E2 E4 E6 E8 EA EC EE F0 F2 F4 F6 F8 FA FC FE
  num of tcp sessions      : 1
  loop prevent support     : no
  icanreach mac-exclusive  : no
  icanreach netbios-excl.  : no
  reachable mac addresses  : none
  reachable netbios names  : none
  V2 multicast capable     : yes
  DLSw multicast address   : none
  cisco version number     : 1
  peer group number        : 0
  peer cluster support     : no
  border peer capable      : no
  peer cost                : 3
  biu-segment configured   : no
  UDP Unicast support      : yes
  Fast-switched HPR supp.  : no
  NetBIOS Namecache length : 15
  local-ack configured     : yes
  priority configured      : no
  cisco RSVP support       : no
  configured ip address    : 1.1.1.1
  peer type                : conf
  version string           :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
```
You can use the show dlsw capabilities local command to verify that the configuration change on the central router appears in the DLSw+ code.
```
SAOPAULO#show dlsw capabilities local
DLSw: Capabilities for local peer 1.1.1.1
  vendor id (OUI)          : '00C' (cisco)
  version number           : 2
  release number           : 0
  init pacing window       : 20
  unsupported saps         : 0 2 6 8 A C E 10 12 14 16 18 1A 1C 1E
                             20 22 24 26 28 2A 2C 2E 30 32 34 36 38 3A 3C 3E
                             40 42 44 46 48 4A 4C 4E 50 52 54 56 58 5A 5C 5E
                             60 62 64 66 68 6A 6C 6E 70 72 74 76 78 7A 7C 7E
                             80 82 84 86 88 8A 8C 8E 90 92 94 96 98 9A 9C 9E
                             A0 A2 A4 A6 A8 AA AC AE B0 B2 B4 B6 B8 BA BC BE
                             C0 C2 C4 C6 C8 CA CC CE D0 D2 D4 D6 D8 DA DC DE
                             E0 E2 E4 E6 E8 EA EC EE F0 F2 F4 F6 F8 FA FC FE
  num of tcp sessions      : 1
  loop prevent support     : no
  icanreach mac-exclusive  : no
  icanreach netbios-excl.  : no
  reachable mac addresses  : none
  reachable netbios names  : none
  V2 multicast capable     : yes
  DLSw multicast address   : none
  cisco version number     : 1
  peer group number        : 0
  peer cluster support     : yes
  border peer capable      : no
  peer cost                : 3
  biu-segment configured   : no
  UDP Unicast support      : yes
  Fast-switched HPR supp.  : no
  NetBIOS Namecache length : 15
  cisco RSVP support       : no
  current border peer      : none
  version string           :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
```
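With the network diagram shown in this document, the goal is for the central router to receive only frames destined for the FEP MAC address (4000.3745.0000).
With the dlsw icanreach mac-address command, all of the remote offices have an entry in their DLSw+ reachability table for the host MAC address that points to the IP address of the central router. This entry is in the UNCONFIRM state, which means that if the remote office router receives a local test or XID for the host, it sends a CUR_ex (Can U Reach Explorer) message only to the central router.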
Caracas:

```
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
bridge 1 protocol ieee
!
end
```

Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```
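Here, the Caracas router has created a permanent entry in its reachability cache. If the entry is not fresh, the state is UNCONFIRM. Refer to the Reachability chapter of the DLSw+ Troubleshooting Guide for details on how DLSw+ routers cache MAC addresses and NetBIOS names.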
```
CARACAS#show dlsw reachability
DLSw Local MAC address reachability cache list
Mac Addr        status     Loc.    port          rif
0000.8888.0000  FOUND      LOCAL   TBridge-001   --no rif--

DLSw Remote MAC address reachability cache list
Mac Addr        status     Loc.    peer
4000.3745.0000  UNCONFIRM  REMOTE  1.1.1.1(2065)

DLSw Local NetBIOS Name reachability cache list
NetBIOS Name    status     Loc.    port          rif

DLSw Remote NetBIOS Name reachability cache list
NetBIOS Name    status     Loc.    peer
```
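The output of the show dlsw capabilities command on the Caracas router confirms that this remote office knows that MAC address 4000.3745.0000 is reachable through peer router 1.1.1.1. Also note "icanreach mac-exclusive : no". This indicates that the central router can reach MAC addresses other than the host. Therefore, if any remote office looks for other MAC addresses, it can send the request to the central router. However, with the addition of the icanreach mac-address 4000.3745.0000 command, all of the remote branches know where this important resource is located. If you want to place further restrictions on which frames reach the central router, refer to the section on configuring dlsw icanreach mac-exclusive on the central router.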
```
CARACAS#show dlsw capabilities
DLSw: Capabilities for peer 1.1.1.1(2065)
  vendor id (OUI)          : '00C' (cisco)
  version number           : 2
  release number           : 0
  init pacing window       : 20
  unsupported saps         : none
  num of tcp sessions      : 1
  loop prevent support     : no
  icanreach mac-exclusive  : no
  icanreach netbios-excl.  : no
  reachable mac addresses  : 4000.3745.0000
  reachable netbios names  : none
  V2 multicast capable     : yes
  DLSw multicast address   : none
  cisco version number     : 1
  peer group number        : 0
  peer cluster support     : no
  border peer capable      : no
  peer cost                : 3
  biu-segment configured   : no
  UDP Unicast support      : yes
  Fast-switched HPR supp.  : no
  NetBIOS Namecache length : 15
  local-ack configured     : yes
  priority configured      : no
  cisco RSVP support       : no
  configured ip address    : 1.1.1.1
  peer type                : conf
  version string           :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
```
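You can use the mask argument, as in dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff. When you use this argument, note that MAC addresses are normally shown in hexadecimal format (0x4000.3745.0000). An all-ones mask (in binary) is therefore represented by the hexadecimal number 0xFFFF.FFFF.FFFF.
This example shows how to determine whether a particular input MAC address is included by a configured dlsw icanreach mac-address command:
1. Start with a router configured with the dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.0000 command.
2. Evaluate whether the input MAC address 4000.3745.0009 is included by that router configuration command.
3. First, convert the MAC address (4000.3745.0009) and the configured mask (FFFF.FFFF.0000) from hexadecimal to binary representation. The first two rows of this table show this step.
4. Then, perform a logical AND operation between these two binary numbers and convert the result to hexadecimal representation (4000.3745.0000). The result of the operation is shown in the third row of this table.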
Row | Binary | Hexadecimal |
---|---|---|
Input MAC address | 0100 0000 0000 0000 0011 0111 0100 0101 0000 0000 0000 1001 | 4000.3745.0009 |
Mask | 1111 1111 1111 1111 1111 1111 1111 1111 0000 0000 0000 0000 | ffff.ffff.0000 |
Result of AND | 0100 0000 0000 0000 0011 0111 0100 0101 0000 0000 0000 0000 | 4000.3745.0000 |
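If the result of the AND operation matches the MAC address in the dlsw icanreach mac-address command (4000.3745.0000 in our example), then the input MAC address (4000.3745.0009) is permitted by the dlsw icanreach mac-address command. In our example, any input MAC address in the range 4000.3745.0000 to 4000.3745.FFFF is included by the dlsw icanreach mac-address command. You can verify this by repeating the same steps for any MAC address in this range.
Here are some examples:
- dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff: This command includes only the MAC address 4000.3745.0000. No other MAC address passes this mask.
- dlsw icanreach mac-address 4000.0000.3745 mask ffff.0000.ffff: This command includes all MAC addresses in the range 4000.XXXX.3745, where XXXX is 0x0000-0xFFFF.
When you configure the dlsw icanreach mac-exclusive command on the central router, you make sure that the central location only allows packets destined for the previously defined MAC address (4000.3745.0000 in this example).
Note that this filtering information is exchanged between all of the DLSw+ peers with CapExId messages. Configuring the filtering information at the central location saves WAN bandwidth, even though the action (such as blocking frames) takes place on the remote routers themselves.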
Caracas:

```
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
bridge 1 protocol ieee
!
end
```

Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icanreach mac-exclusive
dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```
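Observe in this output that the Caracas router knows that MAC address 4000.3745.0000 is reachable through peer 1.1.1.1. The difference between this example and the previous scenario is that here we see "icanreach mac-exclusive : yes", which means that the remote office does not send frames to the central router other than those destined for 4000.3745.0000.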
```
CARACAS#show dlsw capabilities
DLSw: Capabilities for peer 1.1.1.1(2065)
  vendor id (OUI)          : '00C' (cisco)
  version number           : 2
  release number           : 0
  init pacing window       : 20
  unsupported saps         : none
  num of tcp sessions      : 1
  loop prevent support     : no
  icanreach mac-exclusive  : yes
  icanreach netbios-excl.  : no
  reachable mac addresses  : 4000.3745.0000
  reachable netbios names  : none
  V2 multicast capable     : yes
  DLSw multicast address   : none
  cisco version number     : 1
  peer group number        : 0
  peer cluster support     : no
  border peer capable      : no
  peer cost                : 3
  biu-segment configured   : no
  UDP Unicast support      : yes
  Fast-switched HPR supp.  : no
  NetBIOS Namecache length : 15
  local-ack configured     : yes
  priority configured      : no
  cisco RSVP support       : no
  configured ip address    : 1.1.1.1
  peer type                : conf
  version string           :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JK2O3S-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
```
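The debug output here shows how the Caracas router reacts to incoming traffic destined for any MAC address other than 4000.3745.0000 (4000.3745.0080 is used here). Caracas does not use Sao Paulo for frames that are not destined for the host (4000.3745.0000). In this example, Sao Paulo is the only remote peer configured on Caracas, so this router has no other peer to which it can send the frame.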
```
CARACAS#debug dlsw
DLSw reachability debugging is on at event level for all protocol traffic
DLSw peer debugging is on
DLSw local circuit debugging is on
DLSw core message debugging is on
DLSw core state debugging is on
DLSw core flow control debugging is on
DLSw core xid debugging is on
*Mar 1 22:41:33.200: DLSW Received-ctlQ : CLSI Msg : TEST_STN.Ind dlen: 40
*Mar 1 22:41:33.204: CSM: Received CLSI Msg : TEST_STN.Ind dlen: 40 from DLSw Port0
*Mar 1 22:41:33.204: CSM: smac 0000.8888.0000, dmac 4000.3745.0080, ssap 4 , dsap 0
*Mar 1 22:41:33.204: broadcast filter failed mac check
*Mar 1 22:41:33.204: CSM: Write to all peers not ok - PEER_NO_CONNECTIONS
```
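If you configure a router with the dlsw icanreach mac-exclusive command but do not define any MAC addresses with the dlsw icanreach mac-address command, the router advertises to its peers that it cannot reach any MAC address at all. As a result, you lose communication through that peer.
Note: The sample configuration shown here is shown only as an example. It is a mistake and must not be used.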
Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icanreach mac-exclusive
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```
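The debug output shows what happens when the Caracas router receives a frame destined for 4000.3745.0000. Note that Caracas has only one DLSw remote peer (Sao Paulo), but with the previous configuration, Sao Paulo has told its peers that it cannot reach any MAC address.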
```
CARACAS#show debug
DLSw:
  DLSw Peer debugging is on
  DLSw RSVP debugging is on
  DLSw reachability debugging is on at verbose level for SNA traffic
  DLSw basic debugging for peer 1.1.1.1(2065) is on
  DLSw core message debugging is on
  DLSw core state debugging is on
  DLSw core flow control debugging is on
  DLSw core xid debugging is on
  DLSw Local Circuit debugging is on
CARACAS#
Mar 2 21:37:42.570: DLSW Received-ctlQ : CLSI Msg : TEST_STN.Ind dlen: 40
Mar 2 21:37:42.570: CSM: update local cache for mac 0000.8888.0000, DLSw Port0
Mar 2 21:37:42.570: DLSW+: DLSw Port0 I d=4000.3745.0000-0 s=0000.8888.0000-F0
Mar 2 21:37:42.570: CSM: test_frame_proc: ws_status = NO_CACHE_INFO
Mar 2 21:37:42.570: CSM: mac address NOT found in PEER reachability list
Mar 2 21:37:42.570: broadcast filter failed mac check
Mar 2 21:37:42.574: CSM: Write to all peers not ok - PEER_NO_CONNECTIONS
Mar 2 21:37:42.574: CSM: csm_peer_put returned rc_ssp not OK
```
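The following Python sketch is an added example, not Cisco's code. It implements the mask check worked through earlier for dlsw icanreach mac-address and combines it with the mac-exclusive behaviour described above to show which peers a remote router would send an explorer to. The selection logic in `explorer_targets` is a simplified model built only from the behaviour this page describes, all function names are illustrative, and the capabilities given to peer 2.2.2.1 are constructed.

```python
from collections import namedtuple

# What a peer advertises in CapExId, as listed by "show dlsw capabilities":
# reachable is a list of (address, mask) pairs, mac_exclusive the yes/no flag.
PeerCaps = namedtuple("PeerCaps", "name reachable mac_exclusive")

ALL_ONES = 0xFFFFFFFFFFFF


def mac_to_int(mac):
    """'4000.3745.0000' -> 48-bit integer; rejects values that are not 12 hex digits."""
    digits = mac.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"expected 12 hex digits, got {mac!r}")
    return int(digits, 16)


def int_to_mac(value):
    h = f"{value:012x}"
    return ".".join(h[i:i + 4] for i in (0, 4, 8))


def mac_included(dmac, address, mask):
    """The page's rule: AND the input MAC with the mask, compare with the configured address."""
    return (mac_to_int(dmac) & mac_to_int(mask)) == mac_to_int(address)


def entry_bounds(address, mask):
    """Lowest MAC, highest MAC and number of MACs one entry includes."""
    a, m = mac_to_int(address), mac_to_int(mask)
    wildcard = ~m & ALL_ONES
    if a & wildcard:
        raise ValueError("address has bits outside the mask; under the page's rule it never matches")
    return int_to_mac(a), int_to_mac(a | wildcard), 1 << bin(wildcard).count("1")


def peer_view(dmac, caps):
    """How a remote router sees one peer for a given destination MAC."""
    if any(mac_included(dmac, a, m) for a, m in caps.reachable):
        return "advertised"
    return "excluded" if caps.mac_exclusive else "unknown"


def explorer_targets(dmac, peers):
    """Peers that would receive the explorer (simplified model).

    A peer that advertises the MAC is used alone; otherwise every peer that
    did not declare itself mac-exclusive is tried.
    """
    views = {p.name: peer_view(dmac, p) for p in peers}
    advertised = [n for n, v in views.items() if v == "advertised"]
    if advertised:
        return advertised
    return [n for n, v in views.items() if v == "unknown"]


FEP = ("4000.3745.0000", "ffff.ffff.ffff")
SAOPAULO_OPEN = PeerCaps("1.1.1.1", [FEP], False)    # icanreach mac-address only
SAOPAULO_EXCL = PeerCaps("1.1.1.1", [FEP], True)     # plus mac-exclusive
SAOPAULO_BROKEN = PeerCaps("1.1.1.1", [], True)      # mac-exclusive with no address
OTHER_PEER = PeerCaps("2.2.2.1", [], False)          # constructed capabilities

if __name__ == "__main__":
    print(entry_bounds("4000.3745.0000", "ffff.ffff.0000"))
    for dmac in ("4000.3745.0000", "4000.3745.0080"):
        print(dmac, "exclusive ->", explorer_targets(dmac, [SAOPAULO_EXCL]))
        print(dmac, "open      ->", explorer_targets(dmac, [SAOPAULO_OPEN, OTHER_PEER]))
    print("misconfigured ->", explorer_targets("4000.3745.0000", [SAOPAULO_BROKEN]))
```

An empty result corresponds to the PEER_NO_CONNECTIONS lines in the debug output: no peer is eligible for the frame.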
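In this example, each remote office router is manually configured and is directed to the desired central router when it looks for a particular MAC address. This reduces unnecessary traffic to the wrong peers. If the remote office has only one remote peer configured, this configuration brings no benefit. However, if multiple remote peers are configured, this configuration directs the remote site router to the right location without wasting WAN bandwidth.
A new DLSw+ remote peer (2.2.2.1) is configured on the Caracas router.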
Caracas:

```
Current configuration:
!
hostname CARACAS
!
dlsw local-peer peer-id 1.1.1.2
dlsw remote-peer 0 tcp 1.1.1.1
dlsw remote-peer 0 tcp 2.2.2.1
dlsw mac-addr 4000.3745.0000 remote-peer ip-address 1.1.1.1
dlsw bridge-group 1
!
interface Ethernet0/0
 no ip directed-broadcast
 bridge-group 1
!
interface Serial0/1
 ip address 1.1.1.2 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/2
 ip address 2.2.2.2 255.255.255.0
 no ip directed-broadcast
 clockrate 64000
!
bridge 1 protocol ieee
!
end
```

Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```
Note that, starting from an empty reachability table on the Caracas router, the FEP entry is in the UNCONFIRM state:
```
CARACAS#show dlsw reachability
DLSw Local MAC address reachability cache list
Mac Addr        status     Loc.    port          rif

DLSw Remote MAC address reachability cache list
Mac Addr        status     Loc.    peer
4000.3745.0000  UNCONFIRM  REMOTE  1.1.1.1(2065) max-lf(4472)

DLSw Local NetBIOS Name reachability cache list
NetBIOS Name    status     Loc.    port          rif

DLSw Remote NetBIOS Name reachability cache list
NetBIOS Name    status     Loc.    peer
```
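When the first packet arrives and looks for the FEP, it is sent only to peer 1.1.1.1 (Sao Paulo) and not to 2.2.2.1. You therefore save WAN bandwidth and CPU resources on the other peers.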
```
CARACAS#debug dlsw reachability verbose sna
DLSw reachability debugging is on at verbose level for SNA traffic
*Mar 2 18:38:59.324: CSM: update local cache for mac 0000.8888.0000, DLSw Port0
*Mar 2 18:38:59.324: DLSW+: DLSw Port0 I d=4000.3745.0000-0 s=0000.8888.0000-F0
*Mar 2 18:38:59.324: CSM: test_frame_proc: ws_status = UNCONFIRMED
*Mar 2 18:38:59.324: CSM: Write to peer 1.1.1.1(2065) ok
*Mar 2 18:38:59.324: CSM: csm_peer_put returned rc_ssp 1
*Mar 2 18:38:59.328: CSM: adding new icr pend record - test_frame_proc
*Mar 2 18:38:59.328: CSM: update local cache for mac 0000.8888.0000, DLSw Port0
*Mar 2 18:38:59.328: CSM: Received CLSI Msg : TEST_STN.Ind dlen: 40 from DLSw Port0
```
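At this point, the network diagram and design requirements have changed. This is the new network example:
In this example, a new SNA device (4000.3746.0000) is added at the Sao Paulo location. This machine needs to establish communication with a device at another location (peer 3.3.3.1). The Sao Paulo router runs this configuration.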
Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw remote-peer 0 tcp 3.3.3.1
dlsw icanreach mac-exclusive
dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```
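With this Sao Paulo configuration, the Sao Paulo router informs all of its peers that it can reach only MAC address 4000.3745.0000, because of the mac-exclusive command. As the debug output shows, this also prevents the new SNA device (4000.3746.0000) from establishing communication through DLSw+.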
```
SAOPAULO#debug dlsw reachability verbose sna
DLSw reachability debugging is on at verbose level for SNA traffic
SAOPAULO#
Mar 3 00:20:27.737: CSM: Deleting Reachability cache
Mar 3 00:20:44.485: CSM: mac address NOT found in LOCAL list
Mar 3 00:20:44.485: CSM: 4000.3746.0000 DID NOT pass local mac excl. filter
Mar 3 00:20:44.485: CSM: And it is a test frame - drop frame
```
To resolve this issue, make this change to the Sao Paulo configuration.
Sao Paulo:

```
Current configuration:
!
hostname SAOPAULO
!
source-bridge ring-group 3
dlsw local-peer peer-id 1.1.1.1
dlsw remote-peer 0 tcp 1.1.1.2
dlsw icanreach mac-exclusive remote
dlsw icanreach mac-address 4000.3745.0000 mask ffff.ffff.ffff
!
interface TokenRing0/0
 no ip directed-broadcast
 ring-speed 16
 source-bridge 10 1 3
 source-bridge spanning
!
interface Serial1/0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 32000
!
end
```
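With the remote keyword, other devices at the central router (not specified in the dlsw icanreach mac-address command) can make outgoing connections. This is the debug output on Sao Paulo when device 4000.3746.0000 initiates a connection.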
```
SAOPAULO#debug dlsw reachability verbose sna
DLSw reachability debugging is on at verbose level for SNA traffic
Mar 3 00:28:26.916: CSM: update local cache for mac 4000.3746.0000, TokenRing0/0
Mar 3 00:28:26.916: CSM: Received CLSI Msg : TEST_STN.Ind dlen: 40 from TokenRing0/0
Mar 3 00:28:26.916: CSM: smac c000.3746.0000, dmac 0000.8888.0000, ssap 4 , dsap 0
Mar 3 00:28:26.916: CSM: test_frame_proc: ws_status = FOUND
Mar 3 00:28:26.920: CSM: sending TEST to TokenRing0/0
Mar 3 00:28:26.924: CSM: update local cache for mac 4000.3746.0000, TokenRing0/0
Mar 3 00:28:26.924: CSM: Received CLSI Msg : ID_STN.Ind dlen: 54 from TokenRing0/0
Mar 3 00:28:26.924: CSM: smac c000.3746.0000, dmac 0000.8888.0000, ssap 4 , dsap 8
Mar 3 00:28:26.924: CSM: new_connection: ws_status = FOUND
Mar 3 00:28:26.924: CSM: Calling csm_to_core with CLSI_START_NEWDL
```