Cisco Systems BC-109 Network Router User Manual


 
Configuring Source-Route Bridging BC-133
Secure the SRB Network
This section describes how to configure three features that are used primarily to provide network
security: NetBIOS access filters, administrative filters, and access expressions that can be combined
with administrative filters. In addition, these features can be used to increase network performance
because they reduce the number of packets that traverse the backbone network.
Configure NetBIOS Access Filters
NetBIOS packets can be filtered when transmitted across a Token Ring bridge. Two types of filters
can be configured:
• Host access list: used for source and destination station names.
• Byte offset access list: used for arbitrary byte patterns in the packet itself.
As you configure NetBIOS access filters, keep the following issues in mind:
• The access lists that apply filters to an interface are scanned in the order they are entered.
• There is no way to put a new access list entry in the middle of an access list. All new additions
  to existing NetBIOS access lists are placed at the end of the existing list.
• Access list arguments are case sensitive. The software makes a literal translation, so that a
  lowercase “a” is different from an uppercase “A.” (Most nodes are named in uppercase letters.)
• A host NetBIOS access list and byte NetBIOS access list can each use the same name. The two
  lists are identified as unique and bear no relationship to each other.
• The station names included in the access lists are compared with the source name field for
  NetBIOS commands 00 and 01 (ADD_GROUP_NAME_QUERY and ADD_NAME_QUERY),
  as well as the destination name field for NetBIOS commands 08, 0A, and 0E (DATAGRAM,
  NAME_QUERY, and NAME_RECOGNIZED).
• If an access list does not contain a particular station name, the default action is to deny access
  to that station.
To minimize any performance degradation, NetBIOS access filters do not examine all packets.
Rather, they examine certain packets that are used to establish and maintain NetBIOS client/server
connections, thereby effectively stopping new access and load across the router. However, applying
a new access filter does not terminate existing sessions immediately. All new sessions will be
filtered, but existing sessions could continue for some time.
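The matching rules above, modelled in Python as an added example (not Cisco code or IOS configuration syntax). The class, function, and station names are constructed, and names are compared as exact literal strings, which is an assumption of this model.

```python
# Added model of the host-name filter rules; not Cisco code or IOS syntax.
# Command codes and name fields are from the text; all names are constructed.
SOURCE_NAME_CMDS = {0x00, 0x01}      # ADD_GROUP_NAME_QUERY, ADD_NAME_QUERY
DEST_NAME_CMDS = {0x08, 0x0A, 0x0E}  # DATAGRAM, NAME_QUERY, NAME_RECOGNIZED


class HostAccessList:
    """Ordered, append-only list of (action, station name) entries."""

    def __init__(self):
        self._entries = []

    def add(self, action, station_name):
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {action!r}")
        # New entries always go to the end; there is no insert.
        self._entries.append((action, station_name))

    def check_name(self, name):
        # Scan in entry order; the first matching entry decides.
        for action, station_name in self._entries:
            if station_name == name:  # assumption: exact, case-sensitive match
                return action
        return "deny"  # name not in the list: default action

    def filter_frame(self, command, source_name, dest_name):
        if command in SOURCE_NAME_CMDS:
            return self.check_name(source_name)
        if command in DEST_NAME_CMDS:
            return self.check_name(dest_name)
        return "not-examined"  # other packets are not looked at by the filter


def build_sample_list():
    acl = HostAccessList()
    acl.add("deny", "PAYROLL")
    acl.add("permit", "PAYROLL")   # never reached: shadowed by the entry above
    acl.add("permit", "FILESRV1")
    return acl


if __name__ == "__main__":
    acl = build_sample_list()
    # 0x14 stands in for any command code outside the five listed (constructed).
    for frame in [(0x0A, "CLIENT7", "PAYROLL"), (0x0A, "CLIENT7", "filesrv1"),
                  (0x01, "FILESRV1", ""), (0x14, "CLIENT7", "PAYROLL")]:
        print(frame, "->", acl.filter_frame(*frame))
```

Since entries can only be appended, the second PAYROLL entry in the sample list can never take effect.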
There are two ways you can configure NetBIOS access filters:
• Configure NetBIOS Access Filters Using Station Names
• Configure NetBIOS Access Filters Using a Byte Offset
Configure NetBIOS Access Filters Using Station Names
To configure access filters using station names, you must do the following:
Step 1 Assign the station access list name.
Step 2 Specify the direction of the message to be filtered on the interface.