Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

How to host addresses with DLSw

I'm not quite sure how to ask this question but...

We have leveraged DLSw peers inside our data center. Leveraged meaning more than one client peers with them. How can I keep a client from advertizing unwanted host mac addresses to us and how can we keep from advertizing other clients mac addresses?

I have been told that access list will not work with DLSW and am looking for somebody with first hand experiance/knowlage to share their experiance.

ie when we do a show dlsw reachability I don't want to see every host a client has nor do I want client A to see client B's host.

New Member

Re: How to host addresses with DLSw


there is a good article with examples on CCO

Let me know if it fit your needs.



Cisco Employee

Re: How to host addresses with DLSw


i assume you are talking about a secnario where you have a host end dlsw router, in the data center, and you have one or more branch routers which form dlsw peers with the host end router.

On the host end you have some form of a host mac address reachable. this mac address is the address your clients are connecting too.

There can be quite some different physical setups so that is why i try to keep this discussion a littlebit "high level".

If you assume that your host end mac address, the one your clients connect too, is 4000.3745.0000, than you can simply configure on the hostend router:

dlsw icanreach mac-address 4000.3745.0000

dlsw icanreach mac-exclusive

If you are in a pure sna environment and you i.e. have the sna saps 4 and 8 in use than you can also configure:

dlsw icanreach sap 0 4 8

All of these commands are advertised via runtime capabilities exchange to all connected dlsw remote peers.

The first one:

dlsw icanreach mac-address....

Is creating a static dlsw reachability cache entry on the remote peers.

That prevents them from exploring to all possible peers. They will only verify that the mac address in the static reach entry is really reachable via the peer the entry points to.

dlsw icanreach mac-exclusive

this one creates a filter, both on the branch and the host end router.

On the branch router it prohibites dlsw canureach frames for any other mac address than the ones you have configured. In other words no sna explorer/test with a different dmac than the configured one is forwarded.

On the host end router it prohibites the same with the source address. So it makes sure that no circuits can come up with any other mac address than the configured one. ( you can configure more than one address, either multiple statements or if it is a block of addresses you can use the address mask).

dlsw icanreach sap 0 4 8

this applies to all frames, basically on the branch routers it prohibits the forwarding of any other frame with dsap anything else than the configured one.


access-list do work with dlsw!

one very simple and powerfull one is like this:

access-list 200 permit 0x0000 0x0d0d


interface ethernet x

bridge-group 1

bridge-group 1 input-lsap-list 200

access-list 200 only allows saps 0, 4, 8, 12. Command and response.

You can also apply the same list on a source-bridge statement on a tokenring interface.

This one filters as close to the source as possible. Frames we dont want to transport dont even enter the router to be processed. However it requires a config step on every branch router. You can also apply address lists on the bridge-group or source-bridge statements.

the dlsw icanreach filters work aswell but the router first processes the frame to figure out it needs to be dropped. But they are configured only on the host end, the central router.

Let me know if you need more information.



CreatePlease to create content