Filtering unwanted traffic from DLSW peers

I have about 60 DLSw peers coming from remote-location 2651s into a 7513 router at a core operations center. Each remote location has an AS400 that connects to 10 AS400s at the core location via SNA. I am looking to filter traffic so that only SNA traffic is allowed and (possibly) only to the MAC addresses at the core location. Anyone know the easiest way to do this?

Thanks,

John Singer

2 REPLIES

Re: Filtering unwanted traffic from DLSW peers

SNA uses SAPs ranging from 0x00 to 0x0FF.

access-list 200 permit 0x0000 0x0D0D - permits almost all SNA SAPs, and denies the rest.

This can be applied on DLSw remote peers, to filter outbound SAPs.

dlsw remote-peer 0 tcp <ip-address> lsap-output-list 200

But this sounds like a tedious task to apply on all the 60 remote peers.

To filter the traffic with the specific MAC address of the AS400 at the core, use the command:

dlsw mac-addr <mac-address> remote-peer ip-address <ip-address>

You can add multiple statements.

Hope that helps!


Re: Filtering unwanted traffic from DLSW peers

Another way to do it is to use dlsw icanreach saps 04:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fibm_r1/br1fprt2/br1fdlsw.htm#1017857

Assuming that you do not modify the default SAP on the line description, this prevents the router from accepting any non-SNA packet. If you use HPR, please use "dlsw icanreach saps 04 c8."

dlsw icanreach works better when you want the filter to apply to all remote peers. It is more effective than a SAP access list because it prevents the router from sending the CUR (can you reach) frame.
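
A way to check what the access list in the first reply lets through before applying it to 60 peers, as an added example that is not part of either reply: it applies the type-code access-list rule (wildcard-mask bits set to 1 are ignored, and a frame that matches no entry is denied) to the entry 0x0000 0x0D0D, including the HPR SAP c8 mentioned in the second reply. The function names and the sample SAP table are constructed for the illustration.

```python
# Added example: evaluate a Cisco type-code access list (200-299) against
# DSAP/SSAP pairs. Wildcard-mask bits set to 1 are ignored in the comparison;
# a frame that matches no entry falls through to the implicit deny.

ACL_200 = [("permit", 0x0000, 0x0D0D)]  # the entry quoted in the first reply

# Constructed sample SAPs with their usual assignments (0xC8 is from the thread).
SAMPLE_SAPS = {0x04: "SNA", 0x08: "SNA", 0x0C: "SNA",
               0xC8: "HPR", 0xF0: "NetBIOS", 0xAA: "SNAP", 0xE0: "IPX"}


def lsap_action(acl, dsap, ssap):
    """Return 'permit' or 'deny' for one frame's DSAP/SSAP pair."""
    code = (dsap << 8) | ssap          # DSAP is the high byte, SSAP the low byte
    for action, value, wild in acl:
        care = ~wild & 0xFFFF          # only bits cleared in the mask are compared
        if (code & care) == (value & care):
            return action
    return "deny"                      # implicit deny at the end of the list


def permitted_saps(acl):
    """SAP values the list permits when DSAP and SSAP carry the same value."""
    return [s for s in range(0x100) if lsap_action(acl, s, s) == "permit"]


def report(acl, samples):
    """Map each labelled sample SAP to the action the list takes on it."""
    return {f"0x{sap:02X} {name}": lsap_action(acl, sap, sap)
            for sap, name in samples.items()}


if __name__ == "__main__":
    print("permitted:", [f"0x{s:02X}" for s in permitted_saps(ACL_200)])
    for label, action in report(ACL_200, SAMPLE_SAPS).items():
        print(f"{label:14} {action}")
```

With this single entry the list permits 0x00, 0x01, 0x04, 0x05, 0x08, 0x09, 0x0C and 0x0D and denies 0xC8, so a site running HPR would need a further permit entry for that SAP.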
