Extended IP Access Lists

Lab 27: DLSw+ TCP, LLC2, Promiscuous, Dynamic, and Backup Peer Configuration ”Part II

Lab Walkthrough

This lab continues from the previous lab; the only difference in the physical layout is that of the wolf router, which now has two Ethernet interfaces and no Token Ring interfaces. If you use the same configurations from the previous lab, be sure to disable transparent bridging on the WAN and RSRB.

Configure the Frame Relay switch and attach the four routers in a back-to-back manner to the frame switch. Use V.35 cables or CSU/DSUs with crossover cables to connect the routers. Create the four Ethernet LANs and Token Ring LANs by the using switches and hubs/MAUs, as illustrated previously in Figure 13-47.

When the physical connections are complete, assign IP addresses to all LAN and WAN interfaces, as depicted in Figure 13-47. On the wolf router, configure a Frame Relay multipoint network to the routers lone_rhino and trashman. Configure a Frame Relay point-to-point network between the wolf router and the beerbelly router. Configure EIGRP as the routing protocol. For trashman's subnet to be advertised to the lone_rhino router, you must disable EIGRP split horizon on the wolf router. Example 13-57 provides the EIGRP and the frame configurations of the wolf, lone_rhino, trashman, and beerbelly routers.

Example 13-57 Frame Relay and EIGRP Configurations of wolf, lone_rhino, and beerbelly

  hostname wolf   !  <<<text omitted>>>  !   interface Serial0   no ip address   no ip directed-broadcast   encapsulation frame-relay   no ip mroute-cache   logging event subif-link-status   logging event dlci-status-change   frame-relay lmi-type cisco   !   interface Serial0.1 multipoint   ip address 172.16.1.1 255.255.255.0    no ip directed-broadcast     no ip split-horizon eigrp 2001   Split horizon disabled    frame-relay map ip 172.16.1.5 110 broadcast   Map statement to lone_rhino    frame-relay map ip 172.16.1.6 130 broadcast   Map statement to trashman   !   interface Serial0.2 point-to-point    ip address 172.16.2.1 255.255.255.0    no ip directed-broadcast    frame-relay interface-dlci 180   Inverse ARP   !  <<<text omitted>>>  !    router eigrp 2001   Routing EIGRP   passive-interface Ethernet0   network 172.16.0.0   no auto-summary   !  _______________________________________________________________________  hostname lone_rhino   !  <<<text omitted>>>  !   interface Serial0   ip address 172.16.1.5 255.255.255.0   encapsulation frame-relay    frame-relay map ip 172.16.1.6 111 broadcast   Map statement to trashman    frame-relay map ip 172.16.1.1 111 broadcast   Map statement to wolf   !  <<<text omitted>>>  !    router eigrp 2001   Routing EIGRP  network 172.16.0.0  no auto-summary ! _______________________________________________________________________  hostname trashman   !  <<<text omitted>>>  !   interface Serial0   ip address 172.16.1.6 255.255.255.0   no ip directed-broadcast   encapsulation frame-relay   no ip mroute-cache    frame-relay map ip 172.16.1.5 131 broadcast   Map statement to lone_rhino    frame-relay map ip 172.16.1.1 131 broadcast   Map statement to wolf   frame-relay lmi-type cisco   !  <<<text omitted>>>  !    router eigrp 2001   Routing EIGRP   network 172.16.0.0   no auto-summary   !  _______________________________________________________________________  hostname beerbelly   !  <<<text omitted>>>  !   interface Serial0   ip address 172.16.2.2 255.255.255.0   encapsulation frame-relay   frame-relay interface-dlci 181   frame-relay lmi-type cisco   !  <<<text omitted>>>  !   router eigrp 2001   network 172.16.0.0   no auto-summary   !  

The abbreviated process to configure DLSw+ is as follows :

Step 1. Configure loopback address for peers.

Step 2. Configure local peers.

Step 3. Configure SRB or transparent bridging.

Step 4. Configure remote peers.

Figure 13-49 illustrates the network, highlighting some more specific configuration details. Figure 13-49 illustrates bridge groups, virtual rings, and the loopback address that you will use for local and remote peers.

Step 1 in configuring DLSW is to assign the loopback interfaces, as denoted in Figure 13-49. EIGRP will propagate these addresses because they are in the same major bit boundary configured previously. When you can ping all the loopback interfaces, move on to the next step.

Step 2 involves assigning local peers to the routers. In this model, you accomplish this by using the global router command dlsw local-peer peer-id loopback_IP_address. You are allowed to configure only a single remote-peer on the wolf router. Therefore, the wolf's local peer must be configured as promiscuous. If you want to save some time configuring remote peers, you also should configure the local peer of the lone_rhino router to be promiscuous. The syntax to configure the local peer on the wolf is as follows:

 wolf(config)#  dlsw local-peer peer-id 172.16.192.1 promiscuous  

The third step involves configuring transparent or source-route bridging on the routers and interfaces that you want to add to the DLSw domain. For the routers lone_rhino, trashman, and beerbelly, this is accomplished in the exact same manner as it was in the previous lab; therefore, we will not spend a lot of time going over the details of this portion of the configuration. The wolf router, on the other hand, needs two bridge groups configured. Ethernet 0 will be in bridge group 1, and Ethernet 2 will be in bridge group 2. You need to do this to set up the DLSw bridge list when you configure the remote peers. Example 13-58 lists the transparent bridging portion and DLSw portion of the wolf router to this point.

Example 13-58 Transparent Bridging on the wolf Router

  hostname wolf   !    dlsw local-peer peer-id 172.16.192.1 promiscuous   Local Peer, Loopback 20    dlsw bridge-group 1   Link to bridge 1    dlsw bridge-group 2   Linkn to bridge 2   !   interface Loopback20   ip address 172.16.192.1 255.255.255.252   no ip directed-broadcast   !   interface Ethernet0   ip address 172.16.55.1 255.255.255.0   no ip directed-broadcast   media-type 10BaseT    bridge-group 1   In bridge 1   !  <<<text omitted>>>  !   interface Ethernet2   no ip address   no ip directed-broadcast   media-type 10BaseT    bridge-group 2   In bridge 2   !  <<<text omitted>>>  !    bridge 1 protocol ieee   STP for bridge 1 and bridge 2  bridge 2 protocol ieee 

When the transparent bridge groups are configured, they need to be attached to DLSw domain with the command dlsw bridge-group X command. This command is demonstrated in the previous example for the wolf router. For source-route bridging, such as found on the beerbelly router, the virtual ring links the SRB to the DLSw domain. Example 13-59 lists the configuration of the beerbelly router to this point.

Example 13-59 SRB Configuration on the beerbelly Router

  hostname beerbelly   !  <<<text omitted>>>  !    source-bridge ring-group 101   virtual ring    dlsw local-peer peer-id 172.16.192.5   Local Peer- Loopback address   !   interface Loopback20   ip address 172.16.192.5 255.255.255.252   !   interface Serial0   ip address 172.16.2.2 255.255.255.0   encapsulation frame-relay   frame-relay interface-dlci 181   frame-relay lmi-type cisco   !  <<<text omitted>>>  !   interface TokenRing0   ip address 172.16.3.1 255.255.255.0   ring-speed 16   multiring all    source-bridge 2 1 101   SRB enabled   !  <<<text omitted>>>  !   router eigrp 2001   network 172.16.0.0   no auto-summary   !  <<<text omitted>>>  beerbelly#  

Step 4 of the DLSw+ configuration process involves configuring remote peers for all the routers. All of the remote peers are different in this model, so we will focus on a router at a time, starting with the wolf router.

The wolf router is allowed only one remote peer, and that is why its local peer is configured as promiscuous. The one remote peer that you need to define is a DLSw+ Lite or LLC2 peer to the trashman router. You also must limit what Ethernet segments the router trashman has reachability to. To accomplish this, use a DLSw bridge list defining only bridge 2. The bridge list then will be attached to the remote peer statement for the trashman router. When configuring a LLC2 peer, you also need to add a frame relay map llc2 statement to the S0.1 interface. Example 13-60 lists the DLSw configuration of the wolf router.

Example 13-60 DLSw Configuration of the wolf Router

  hostname wolf   !  <<<text omitted>>>  !   dlsw local-peer peer-id 172.16.192.1 promiscuous    dlsw bgroup-list 2 bgroups 2   allows only bridge 2    dlsw remote-peer 2 frame-relay interface Serial0.1 130   LLC2 remote peer w/bridge   list    dlsw bridge-group 1   DLSW link to bridge groups   dlsw bridge-group 2   !   interface Loopback20   ip address 172.16.192.1 255.255.255.252   no ip directed-broadcast   !   interface Ethernet0   ip address 172.16.55.1 255.255.255.0   no ip directed-broadcast   media-type 10BaseT    bridge-group 1   Bridge group 1   !  <<<text omitted>>>  !   interface Ethernet2   no ip address   no ip directed-broadcast   media-type 10BaseT    bridge-group 2   Bridge group 2   !  <<<text omitted>>>  !   interface Serial0   no ip address   no ip directed-broadcast   encapsulation frame-relay   no ip mroute-cache   logging event subif-link-status   logging event dlci-status-change   frame-relay lmi-type cisco   !   interface Serial0.1 multipoint   ip address 172.16.1.1 255.255.255.0   no ip directed-broadcast   no ip split-horizon eigrp 2001    frame-relay map llc2  130 broadcast   LLC2 MAP statement for DLSW   frame-relay map ip 172.16.1.5 110 broadcast   frame-relay map ip 172.16.1.6 130 broadcast   !   interface Serial0.2 point-to-point   ip address 172.16.2.1 255.255.255.0   no ip directed-broadcast   frame-relay interface-dlci 180   !  <<<text omitted>>>  !   router eigrp 2001   network 172.16.0.0   no auto-summary   !   bridge 1 protocol ieee   bridge 2 protocol ieee   !  

Example 13-61 represents the other side of the configuration, the trashman router.

Example 13-61 DLSw Configuration of the trashman Router

  hostname trashman   !   <<<text omitted>>>   !   dlsw local-peer peer-id 172.16.192.9    dlsw remote-peer 0 frame-relay interface Serial0 131   LLC2 peer   !   interface Loopback20   ip address 172.16.192.9 255.255.255.0   no ip directed-broadcast   !   interface Ethernet0   ip address 172.16.6.1 255.255.255.0   no ip directed-broadcast   bridge-group 1   !   interface Serial0   ip address 172.16.1.6 255.255.255.0   no ip directed-broadcast   encapsulation frame-relay   no ip mroute-cache    frame-relay map llc2  131 broadcast   LLC2 map statement   frame-relay map ip 172.16.1.5 131 broadcast   frame-relay map ip 172.16.1.1 131 broadcast   frame-relay lmi-type cisco   !  <<<text omitted>>>  !   router eigrp 2001   network 172.16.0.0   no auto-summary   !  <<<text omitted>>>  !   bridge 1 protocol ieee  

The remote peer configuration of the beerbelly router involves configuring a primary peer to the lone_rhino router and a backup peer to the wolf router. This peer cannot tear down LLC2 session when the primary becomes active again. Therefore, you do not want to add the linger option. Example 13-62 shows the configuration of the beerbelly router.

Example 13-62 DLSw Configuration of the beerbelly Router

  hostname beerbelly   !   <<<text omitted>>>   !   source-bridge ring-group 101   dlsw local-peer peer-id 172.16.192.5    dlsw remote-peer 0 tcp 172.16.192.13   Primary Peer    dlsw remote-peer 0 tcp 172.16.192.1 backup-peer 172.16.192.13   Backup Peer   !   interface Loopback20   ip address 172.16.192.5 255.255.255.252   !   interface Serial0   ip address 172.16.2.2 255.255.255.0   encapsulation frame-relay   frame-relay interface-dlci 181   frame-relay lmi-type cisco   !  <<<text omitted>>>  !   interface TokenRing0   ip address 172.16.3.1 255.255.255.0   ring-speed 16   multiring all   source-bridge 2 1 101   !  <<<text omitted>>>  !   router eigrp 2001   network 172.16.0.0   no auto-summary  

The last remote peer that you need to configure is a dynamic TCP peer from lone_rhino to the wolf router. When you configure this peer, you need to include an LSAP-OUTPUT-FILTER to allow only SNA to pass. The SAP value for SNA is 0x0d0d. To make the peer dynamic, simply add the dynamic and inactivity keywords to the remote peer statement. The inactivity timer that you need to specify is seven minutes. Example 13-63 lists the configuration of the lone_rhino router. The keepalive value and a timeout value automatically are added when a dynamic peer is configured.

Example 13-63 Configuration of the lone_rhino Router

  hostname lone_rhino   !   <<<text omitted>>>   !   dlsw local-peer peer-id 172.16.192.13 promiscuous    dlsw remote-peer 0 tcp 172.16.192.1 keepalive 0 lsap-output-list 201 timeout 90     dynamic inactivity 7   dynamic peer   dlsw bridge-group 1   !   interface Loopback20   ip address 172.16.192.13 255.255.255.252   !   interface Ethernet0   ip address 172.16.5.1 255.255.255.0   bridge-group 1   !   interface Serial0   ip address 172.16.1.5 255.255.255.0   encapsulation frame-relay   frame-relay map ip 172.16.1.6 111 broadcast   frame-relay map ip 172.16.1.1 111 broadcast   !  <<<text omitted>>>  !   router eigrp 2001   network 172.16.0.0   no auto-summary   !   ip classless   no ip http server   !    access-list 201 permit 0x0000 0x0D0D   Allow SNA only   !   bridge 1 protocol ieee  

You can verify the configuration by viewing peers on the various routers. By deactivating the serial link on the lone_rhino router, the backup peer should become active on the beerbelly router. Use Windows networking to verify reachability, as we discussed earlier in this chapter. To test the dynamic peer, you might want to switch the SAP to NetBIOS and use WIN 9 x. It might be hard to easily simulate a SAP 0x0d.

Example 13-64 displays all the possible peers on the wolf router, including the backup peer for beerbelly. Notice that one peer is an LLC2 peer, and the other two are TCP promiscuous peers.

Example 13-64 DLSW Peers on the wolf Router

 wolf#  show dlsw peer  Peers:                state     pkts_rx   pkts_tx  type  drops ckts TCP   uptime  LLC2  Se0.1     130 CONNECT         50        50  conf      0    0   - 00:23:38  TCP 172.16.192.5    CONNECT         14        53  prom      0    0   0 00:06:19  TCP 172.16.192.13   CONNECT         12         9  prom      0    0   0 00:01:02 Total number of connected peers: 3 Total number of connections:     3 wolf# 

Example 13-65 displays all the possible peers on the lone_rhino router, including the dynamic peer for the wolf router. Notice that one peer is an LLC2 peer, and the other two are TCP promiscuous.

Example 13-65 DLSW Peers on the lone_rhino Router

 wolf#  show dlsw peer  Peers:                state     pkts_rx   pkts_tx  type  drops ckts TCP   uptime  TCP 172.16.192.5    CONNECT         26        32  prom      0    0   0 00:12:34  TCP 172.16.192.1    CONNECT          2         5 dynam      0    0   0 00:00:06 Total number of connected peers: 2 Total number of connections:     2 lone_rhino# 

Example 13-66 displays all the possible peers on the beerbelly router. Notice that the backup peer is down at this time.

Example 13-66 DLSW Peers on the beerbelly Router

 wolf#  show dlsw peer  Peers:                state     pkts_rx   pkts_tx  type  drops ckts TCP   uptime  TCP 172.16.192.13   CONNECT         43        32  conf      0    0   0 00:15:23  TCP 172.16.192.1    DISCONN          0         0  conf      0    0   -        - Total number of connected peers: 1 Total number of connections:     1 beerbelly#