Cisco Systems BC-109 manual Secure the SRB Network, Configure NetBIOS Access Filters

Secure the SRB Network

This section describes how to configure three features that are used primarily to provide network security: NetBIOS access filters, administrative filters, and access expressions that can be combined with administrative filters. In addition, these features can be used to increase network performance because they reduce the number of packets that traverse the backbone network.

Configure NetBIOS Access Filters

NetBIOS packets can be filtered when transmitted across a Token Ring bridge. Two types of filters can be configured:

Host access list: Used for source and destination station names.

Byte offset access list: Used for arbitrary byte patterns in the packet itself.

As you configure NetBIOS access filters, keep the following issues in mind:

The access lists that apply filters to an interface are scanned in the order they are entered.

There is no way to put a new access list entry in the middle of an access list. All new additions to existing NetBIOS access lists are placed at the end of the existing list.

Access list arguments are case sensitive. The software makes a literal translation, so that a lowercase “a” is different from an uppercase “A.” (Most nodes are named in uppercase letters.)

A host NetBIOS access list and byte NetBIOS access list can each use the same name. The two lists are identified as unique and bear no relationship to each other.

The station names included in the access lists are compared with the source name field for NetBIOS commands 00 and 01 (ADD_GROUP_NAME_QUERY and ADD_NAME_QUERY), as well as the destination name field for NetBIOS commands 08, 0A, and 0E (DATAGRAM, NAME_QUERY, and NAME_RECOGNIZED).

If an access list does not contain a particular station name, the default action is to deny access to that station.

To minimize any performance degradation, NetBIOS access filters do not examine all packets. Rather, they examine certain packets that are used to establish and maintain NetBIOS client/server connections, thereby effectively stopping new access and load across the router. However, applying a new access filter does not terminate existing sessions immediately. All new sessions will be filtered, but existing sessions could continue for some time.
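The evaluation rules listed above, modeled in Python as an added example (not Cisco code and not part of the original manual). The class, function, and station names and the sample frames are constructed for illustration, and entries are assumed to be literal station names.

```python
# Added illustration of the rules above; not Cisco code.
# Assumption: entries are literal station names (no wildcard handling).
SOURCE_NAME_CMDS = {0x00, 0x01}        # ADD_GROUP_NAME_QUERY, ADD_NAME_QUERY
DEST_NAME_CMDS = {0x08, 0x0A, 0x0E}    # DATAGRAM, NAME_QUERY, NAME_RECOGNIZED

class HostAccessList:
    def __init__(self, name):
        self.name = name
        self.entries = []              # (action, station_name), in entry order

    def add(self, action, station):
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        self.entries.append((action, station))   # append only, never insert
        return self

    def check_name(self, station):
        for action, entry in self.entries:       # scanned in the order entered
            if entry == station:                 # literal, case-sensitive compare
                return action
        return "deny"                            # name not in the list

    def filter_frame(self, frame):
        """Return 'permit', 'deny' or 'not-examined' for one NetBIOS frame."""
        cmd = frame["command"]
        if cmd in SOURCE_NAME_CMDS:
            return self.check_name(frame["source_name"])
        if cmd in DEST_NAME_CMDS:
            return self.check_name(frame["dest_name"])
        return "not-examined"                    # e.g. traffic of an existing session

def build_sample_list():
    # Constructed list: the late "permit GUEST01" never takes effect, because
    # the earlier deny for the same name is reached first.
    acl = HostAccessList("finance")
    acl.add("permit", "FINSRV01").add("deny", "GUEST01").add("permit", "GUEST01")
    return acl

def run_samples():
    acl = build_sample_list()
    frames = [  # constructed frames; 0x16 stands for any code outside the five above
        {"command": 0x0A, "source_name": "PC17", "dest_name": "FINSRV01"},
        {"command": 0x0A, "source_name": "PC17", "dest_name": "finsrv01"},
        {"command": 0x01, "source_name": "GUEST01", "dest_name": ""},
        {"command": 0x08, "source_name": "PC17", "dest_name": "PRINTSRV"},
        {"command": 0x16, "source_name": "PC17", "dest_name": "PRINTSRV"},
    ]
    return [acl.filter_frame(f) for f in frames]
```

Calling `run_samples()` shows the lowercase name and the unlisted name both denied, the shadowed permit never reached, and the last frame passing without being examined.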

There are two ways you can configure NetBIOS access filters:

Configure NetBIOS Access Filters Using Station Names

Configure NetBIOS Access Filters Using a Byte Offset

Configure NetBIOS Access Filters Using Station Names

To configure access filters using station names, you must do the following:

Step 1 Assign the station access list name.

Step 2 Specify the direction of the message to be filtered on the interface.

Configuring Source-Route Bridging BC-133
