
Filtering unwanted traffic from DLSW peers

johnsinger
Level 1

I have about 60 dlsw peers coming from remote location 2651s in to a 7513 router at a core operations center. Each remote location has an AS400 that connects to 10 AS400s at the core location via SNA. I am looking to filter traffic so that only SNA traffic is allowed and (possibly) only to the MAC addresses at the core location. Anyone know the easiest way to do this?

Thanks,

John Singer

2 Replies

thisisshanky
Level 11

SNA uses SAPs ranging from 0x00 to 0x0FF.

access-list 200 permit 0x0000 0x0D0D

This permits almost all SNA SAPs and denies the rest.

This can be applied on DLSw remote peers to filter outbound SAPs.

dlsw remote-peer 0 tcp ip-address lsap-output-list 200

But this sounds like a tedious task to apply on all the 60 remote peers.

To filter the traffic with the specific MAC address of the AS400 at the core, use the command:

dlsw mac-addr remote-peer ip-address

You can add multiple statements.

Hope that helps!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Another way to do it is using DLSw icanreach saps 04

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fibm_r1/br1fprt2/br1fdlsw.htm#1017857

This assumes that you have not modified the default SAP on the line description. This prevents the router from accepting any non-SNA packet. If you use HPR, please use "dlsw icanreach saps 04 c8".

dlsw icanreach works better when you want the filter to apply to all remote peers. It is more effective than a SAP access list because it prevents the router from sending CUR (can you reach) frames.
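
Added example, not part of either reply: a check of which SAP values the entry "access-list 200 permit 0x0000 0x0D0D" from the first reply actually matches, including the 04 and c8 SAPs named in the second reply. It assumes the usual type-code list semantics (the 16-bit type code is DSAP followed by SSAP, wildcard-mask bits set to 1 are ignored, and the list ends with an implicit deny); the sample SAP table and function names are constructed for illustration.

```python
# Added example: evaluates a type-code access list entry against LLC
# DSAP/SSAP pairs. Assumptions: wildcard bits set to 1 mean "don't care",
# and anything not matched by an entry is denied.

ACL_200 = [("permit", 0x0000, 0x0D0D)]  # entry quoted in the first reply

# Constructed sample SAP values; labels are for readability only.
SAMPLE_SAPS = {
    0x00: "null SAP",
    0x04: "SNA",
    0x05: "SNA, low bit set",
    0x08: "SNA",
    0x0C: "SNA",
    0x06: "IP",
    0x42: "spanning tree BPDU",
    0xC8: "HPR (second reply)",
    0xE0: "IPX",
    0xF0: "NetBIOS",
}


def acl_action(acl, dsap, ssap):
    """Return 'permit' or 'deny' for one DSAP/SSAP pair."""
    type_code = (dsap << 8) | ssap
    for action, value, wildcard in acl:
        care = ~wildcard & 0xFFFF  # bits that must match exactly
        if (type_code & care) == (value & care):
            return action
    return "deny"  # implicit deny at the end of the list


def permitted_saps(acl):
    """SAP values permitted when used as both DSAP and SSAP."""
    return [s for s in range(256) if acl_action(acl, s, s) == "permit"]


if __name__ == "__main__":
    for sap, label in SAMPLE_SAPS.items():
        print(f"0x{sap:02X}  {label:20}  {acl_action(ACL_200, sap, sap)}")
    print("permitted:", [f"0x{s:02X}" for s in permitted_saps(ACL_200)])
```

By this arithmetic the entry matches only SAPs 0x00, 0x04, 0x08 and 0x0C (with or without the low bit set), so the HPR SAP 0xC8 mentioned in the second reply falls through to the implicit deny.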
