05-17-2005 01:47 AM
Hi all,
this is related to discussion:
I opened this new one since my question was answered.
Our Topology:
Server---L2 switch---L3 Dist switch---Firewall---L3 switch(Core)--Firewall--CLOUD--IBM host
The server would generate both IP and SNA traffic (port LU6.2). All media are ethernet. The L3 switches are DLSw+ capable. I don't know much about the firewalls and I don't have control in the cloud because it's under a different administrator.
Questions:
1. if I would use DLSw+, I need to bridge the ethernet port of the L3 Dist switch connecting the Server side. But, the server's connection is part of a VLAN, so, in the config of L3 Dist Switch, I would need to bridge the VLAN to DLSw. Would this setup impact the original behaviour of my VLAN? The VLAN is a Switched VLAN interface routed to other VLANs also.
2. Is it possible to control the port that would be used where the DLSW+ would pass through? I think I would have problems w/ our Firewall which requires source-destination ports and IPs to pass traffic.
Any suggestions/opinions are very much welcome... thanks!!!
rodney
05-17-2005 09:52 PM
Hi.
1. The DLSW only gets bridged to interfaces you set up with bridge. So other VLANs do not automatically get the DLSW traffic. But beware, it is not only SNA traffic that runs over DLSW. So you might want to have some access lists like ICANREACH and so on.
2. The DLSW traffic itself is TCP port 2065(I think) so it is easy in the FW. The only catch is that both DLSW peers can be server or client, so you have to open up for that in the FW. You also need a DLSW peer in the cloud who can deliver the SNA traffic to the MF somehow. A Cisco with SNASW can do that.
05-17-2005 11:14 PM
Hi Rodney,
as Bjorn mentioned, you can use the snaswitch feature of IOS to deliver the SNA traffic to the M/F. This is called HPR (High Performance Routing) over IP, a.k.a. Enterprise Extender (EE). EE transports SNA traffic over IP as UDP packets over ports 12000-12004, so the FW would need to be configured accordingly. If the FW administrator is reluctant to allow UDP then he/she can limit access to specific IP address partners (the router loopback or ethernet IP address and the M/F VIPA address).
With EE you could actually avoid using DLSW at all. If your server supports EE it can be the endpoint itself. Or you could use a Cisco router on the same LAN as the server and let it be the endpoint. By putting EE in or near the server you have a simpler and more resilient solution (sessions over HPR can survive network outages for a period of time, where DLSW will drop the sessions and restart). All FWs between the EE endpoints must allow UDP ports 12000-12004.
If you do use DLSW to deliver the SNA traffic to the core switch/router you can put DLSW and snaswitch on the same router (i.e. 7200) and use a vdlc interface to connect them. If you leave DLSW on the layer 3 switch then you will have to bridge between it and the snaswitch router (snaswitch is not supported on the layer 3 switch).
- Ray
05-17-2005 10:56 PM
Hi,
if you are using vlan interfaces already then your configuration would look similar to this:
dlsw local-peer peer-id 10.10.10.1
dlsw remote-peer tcp 0 20.20.20.1
dlsw bridge-group 10
interface loopback 0
ip address 10.10.10.1 255.255.255.0
.
.
.
interface vlan 234
ip address ...
bridge-group 10
bridge 10 protocol vlan-bridge
that would allow you to bridge sna traffic into dlsw.
It assumes that 20.20.20.1 is the local peer configured on the partner router in front of the host.
The local peer tied to the loopback interface is just an example.
If you have i.e. more than one vlan you want to bridge then you can create multiple bridge-groups and you can configure multiple dlsw bridge-group statements. This way you bridge multiple vlans into dlsw but you don't bridge them together.
If you know the SAPs you are using for SNA (the default is 4 as far as I know; the most commonly known are 4, 8, 12) then you can create an access list like this:
access-list 200 permit 0x0000 0x0d0d
and apply it to the bridge-group command on the interface.
interface vlan 234
.
.
bridge-group 10
bridge-group 10 input-sap-list 200
that allows only SAPs 0,4,8,12 with and without the response bit set into the bridge group and effectively blocks all other traffic.
With respect to the tcp ports that dlsw is using over the WAN: Dlsw version 1, RFC 1795, which is what Cisco is using, always opens two tcp sessions at startup.
This router starts the connection, it opens a tcp connection on the destination port 2065, source port is a random port above 11000.
Now the receiving end is also opening a tcp session back to the first router. Destination port 2065, local, source port is a random port above 11000.
Next the dlsw capabilities exchange happens and the two peers exchange their information. Once they detected that they both are cisco devices and that they both support the usage of only one tcp session in both directions the one with the "numerically higher ip address" will drop its connection on the local tcp port 2065.
The remaining tcp connection is used for dlsw traffic in both directions.
this is described in detail in RFC1795, section 7.6.7.
thanks...
Matthias
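The two-connection startup and collapse that Matthias describes above, modelled as an added example (constructed Python, not IOS code or anything from the thread): each peer opens a TCP connection to the other's port 2065 from a local port counting up from 11000, and after the capabilities exchange the peer with the numerically higher IP address drops the connection on its own local port 2065. The peer names and addresses are taken from the config in the post; the `firewall_rules` function is an assumption about what a stateful firewall between the peers must permit, derived only from the port facts stated in the thread (TCP 2065 both ways, source port not configurable, UDP 2065 for CANUREACH/ICANREACH unless `dlsw udp-disable` is set).

```python
"""Model of DLSw (RFC 1795) peer bring-up between two Cisco routers as the
thread describes it. Constructed example; not IOS code."""
from dataclasses import dataclass
from ipaddress import ip_address

DLSW_TCP_PORT = 2065      # DLSw TCP port (RFC 1795)
DLSW_UDP_PORT = 2065      # UDP destination port Cisco uses for CANUREACH/ICANREACH
EPHEMERAL_START = 11000   # first local port a Cisco DLSw peer uses (per the thread)


@dataclass(frozen=True)
class Conn:
    """One TCP connection, written from the initiating side."""
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Peer:
    name: str
    ip: str
    next_port: int = EPHEMERAL_START

    def ephemeral_port(self) -> int:
        """Local ports count up from 11000, one per connection this router opens."""
        port = self.next_port
        self.next_port += 1
        return port


def bring_up(a: Peer, b: Peer, single_session_capable: bool = True) -> set:
    """Return the TCP connections that remain once the peers finish coming up."""
    conns = {
        Conn(a.ip, a.ephemeral_port(), b.ip, DLSW_TCP_PORT),  # a -> b:2065
        Conn(b.ip, b.ephemeral_port(), a.ip, DLSW_TCP_PORT),  # b -> a:2065
    }
    if single_session_capable:
        # Both sides Cisco: the numerically higher IP closes the connection on
        # which its own local port is 2065, i.e. the one the other side opened.
        higher = a if ip_address(a.ip) > ip_address(b.ip) else b
        conns = {c for c in conns
                 if not (c.dst == higher.ip and c.dport == DLSW_TCP_PORT)}
    return conns


def local_ports(peer: Peer, conns: set) -> list:
    """Local port numbers a peer holds open, as 'sh tcp brief' would list them."""
    ports = []
    for c in conns:
        if c.src == peer.ip:
            ports.append(c.sport)
        if c.dst == peer.ip:
            ports.append(c.dport)
    return sorted(ports)


def firewall_rules(a: Peer, b: Peer, udp_disabled: bool = False) -> list:
    """Rules a firewall between the peers needs, as (proto, src, sport, dst, dport).
    Both directions to TCP 2065 are needed because both peers initiate at startup
    and the source port cannot be configured (assumption drawn from the thread)."""
    rules = [
        ("tcp", a.ip, ">=11000", b.ip, DLSW_TCP_PORT),
        ("tcp", b.ip, ">=11000", a.ip, DLSW_TCP_PORT),
    ]
    if not udp_disabled:  # UDP CANUREACH/ICANREACH: source port 0 per the thread
        rules.append(("udp", a.ip, "0", b.ip, DLSW_UDP_PORT))
        rules.append(("udp", b.ip, "0", a.ip, DLSW_UDP_PORT))
    return rules


if __name__ == "__main__":
    branch = Peer("branch", "20.20.20.1")   # addresses from the config in the post
    host = Peer("host", "10.10.10.1")
    for c in bring_up(branch, host):
        print(f"{c.src}:{c.sport} -> {c.dst}:{c.dport}")
    for r in firewall_rules(branch, host, udp_disabled=True):
        print(r)
```

Running it shows the single surviving connection going from the higher address (20.20.20.1, local port 11000) to port 2065 on 10.10.10.1, which is the pattern in Matthias's later lab output where the lower-addressed 7500 holds every session on local port 2065.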
05-17-2005 11:04 PM
Hi,
one correction and one piece of extra information I forgot:
I have a typo in this command:
bridge-group 10
bridge-group 10 input-sap-list 200
It should be:
bridge-group 10 input-lsap-list 200
Additional:
you may need to configure:
dlsw udp-disable
as a global command if your firewall blocks udp by default.
Cisco is using udp by default for the canureach/icanreach traffic to offload the cpu in a router. If your firewall blocks this then a dlsw circuit will not establish. The ports are: destination port 2065, source port 0.
dlsw udp-disable turns this behaviour off and we send all traffic via tcp.
thanks...
Matthias
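An added example (constructed Python, not IOS code) that evaluates the type-code access list Matthias applies with the corrected `bridge-group 10 input-lsap-list 200` command, so you can check what a given list lets into the bridge group before DLSw carries it across the WAN. Two assumptions: the 16-bit value holds the DSAP in the high byte and the SSAP in the low byte, and a 1 bit in the wildcard mask means "don't care", as with IP wildcard masks. The `ACL_SNA_ONLY` list is a hypothetical tighter alternative, not something from the thread.

```python
"""Evaluator for Cisco type-code access lists (200-299) used as an LSAP filter.
Constructed example; the DSAP/SSAP byte order and wildcard semantics are
assumptions stated in the lead-in. The low bit of a SAP (0x01) is the
command/response bit."""

RESPONSE_BIT = 0x01

# Standard LLC SAP assignments used only to label results.
SAP_NAMES = {0x00: "null", 0x04: "SNA", 0x08: "SNA", 0x0C: "SNA",
             0xAA: "SNAP", 0xE0: "IPX", 0xF0: "NetBIOS"}


def entry_matches(value: int, wild_mask: int, dsap: int, ssap: int) -> bool:
    """True if one 'permit/deny value wild_mask' entry covers this DSAP/SSAP pair."""
    care = 0xFFFF & ~wild_mask                 # bits the entry actually compares
    return (((dsap << 8) | ssap) & care) == (value & care)


def acl_permits(acl: list, dsap: int, ssap: int) -> bool:
    """Walk entries in order; an access list ends with an implicit deny."""
    for action, value, wild_mask in acl:
        if entry_matches(value, wild_mask, dsap, ssap):
            return action == "permit"
    return False


def permitted_saps(acl: list) -> set:
    """SAP values that pass the list when used as both DSAP and SSAP."""
    return {sap for sap in range(256) if acl_permits(acl, sap, sap)}


def describe(acl: list) -> list:
    """Readable summary of permitted_saps(), e.g. ['0x04 SNA', '0x05 SNA+response']."""
    out = []
    for sap in sorted(permitted_saps(acl)):
        name = SAP_NAMES.get(sap & ~RESPONSE_BIT, "other")
        suffix = "+response" if sap & RESPONSE_BIT else ""
        out.append(f"0x{sap:02x} {name}{suffix}")
    return out


# The list from the post: access-list 200 permit 0x0000 0x0d0d
ACL_200 = [("permit", 0x0000, 0x0D0D)]
# Hypothetical tighter list: SAP 4 only, ignoring just the response bit on each byte.
ACL_SNA_ONLY = [("permit", 0x0404, 0x0101)]

if __name__ == "__main__":
    print("ACL 200 permits:", describe(ACL_200))
    print("NetBIOS (0xF0) through ACL 200:", acl_permits(ACL_200, 0xF0, 0xF0))
    print("SNA-only list permits:", describe(ACL_SNA_ONLY))
```

For the list on the page the output is exactly the set Matthias states: SAPs 0, 4, 8 and 12, each with and without the response bit, and nothing else (NetBIOS on SAP 0xF0, for instance, is dropped by the implicit deny).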
05-18-2005 09:12 AM
Thanks Bjorn, Ray, and Matthias,
There are things that are clearer to me now.
I got additional questions for everyone again:
In the same topology:
Server---L2 switch---L3 Dist switch---Firewall---L3 switch(Core)--Firewall--CLOUD--IBM host
The Server (which has SNA traffic) will be connecting to VLAN 10 as a project requirement because it needs to communicate also with other IP based servers, aside from communicating with an IBM host across the network. Therefore, the (SNA) Server would actually generate both SNA and IP based traffic.
VLAN 10 would then contain both SNA and IP. If I bridge VLAN 10 to DLSw, I am concerned that my other IP based servers would lose their connectivity to other IP servers/hosts in the network (most are not part of the above topology) connecting to other switches.
3. Now, am I correct that I would have IP communication problem with this setup since VLAN 10 would be bridged to DLSw?
So far, in my readings, DLSw would convert the above topology to something like this:
Server---L3 switch(DLSw enabled)-----------Router (part of CLOUD, DLSw enabled)---IBM host
|---- SNA ---| |------------- TCP/IP (DLSw+) -----------| |-------- SNA ---------|
4. In the above communication, quoting Bjorn, do I "need a DLSW peer in the cloud who can deliver the SNA traffic to the MF somehow." ?
With Bjorn's advice and Matthias's detailed explanation, it seems that I would have a problem determining the EXACT TCP PORTS that would be used as source and destination since both peers would initiate a DLSw session from random ports above 11000.
5. In my case, where our firewall REQUIRES us to have specific, either UDP or TCP, source AND destination ports, does this leave me NO WAY to use dlsw?
6. In my humble understanding, it appears that only SNASw could help me, is it correct?
I really appreciate your efforts to help and thanks for your suggestions and advice!!!
Cheers,
rodney
05-18-2005 11:22 PM
Rodney,
When you enable bridging on an interface the idea is that we only bridge non routeable protocols. So in other words every routeable protocol which is configured on this interface will still be routed and the rest bridged.
We have lots and lots of customers who have a bridge group on an interface and also do ip routing on that same interface and that works just fine. IP is routed and the bridge group is connected to dlsw.
Dlsw under normal circumstances comes always as at least two routers. A typical sna network has a host end and a branch end. In the branch you have the clients and in the host end you have the mainframe.
So you would need a router in the branch and a router at the host end. Both form a dlsw peer between them, both need a local dlc, ethernet, tokenring, sdlc, ... to attach to the actual end system.
It is not possible in our implementation to configure the tcp source port of the dlsw peer. All I can say is that the local port is a random port above 11000.
If you try to use snasw then you also need to know what udp ports the EE hpr/ip upstream connection will use. The destination udp ports are 12000...12006 or something like this. I don't know what the source port for this would be. Probably a random port number as well.
Additionally, with snasw you must install a separate router, since the cisco cat6k will not support snasw.
thanks...
Matthias
05-18-2005 11:29 PM
Rodney,
an example is most likely much better than anything else.
c7500-1-r443#sh tcp brief
TCB Local Address Foreign Address (state)
633805D4 c7500-1-r443.2065 172.18.62.144.11009 ESTAB
6338597C c7500-1-r443.2065 c7206-1-r441.63511 ESTAB
63385E18 c7500-1-r443.2065 c2600-2-r443.11004 ESTAB
62985344 c7500-1-r443.2065 172.18.62.93.11063 ESTAB
6329830C c7500-1-r443.2065 c2600-1-r443.11029 ESTAB
633854E0 c7500-1-r443.2065 c7206-2-r441.11005 ESTAB
63386874 c7500-1-r443.2065 172.18.62.205.11019 ESTAB
c7500-1-r443#
this is from one of my lab routers. The 7500 has the numerically lower ip address in this setup so the other routers closed their local tcp session on the local tcp port 2065. That is why all the tcp sessions are on the local tcp port 2065 on the 7500.
The local tcp ports are actually starting at 11000 and it is counting up depending on the amount of tcp connections in each individual router.
In my setup the 7500 is promiscuous, it is the center of the network, where the host is. And the "branch" routers are initiating the dlsw peers.
thanks...
Matthias
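To turn output like the above into the facts a firewall administrator asks for, here is an added parser for `show tcp brief` (constructed Python; not an IOS feature or anything from the thread). The sample text is copied from Matthias's lab output; the role labels and the "all remote ports at or above 11000" check are this example's own interpretation of what he explains about local port 2065 and the 11000-based local ports.

```python
"""Parse IOS 'show tcp brief' output and summarise the DLSw peer sessions.
Constructed example; the sample lines are the ones posted in the thread."""
import re

DLSW_TCP_PORT = 2065
EPHEMERAL_START = 11000

# Copied from the post above (lab router c7500-1-r443).
SAMPLE = """\
TCB Local Address Foreign Address (state)
633805D4 c7500-1-r443.2065 172.18.62.144.11009 ESTAB
6338597C c7500-1-r443.2065 c7206-1-r441.63511 ESTAB
63385E18 c7500-1-r443.2065 c2600-2-r443.11004 ESTAB
62985344 c7500-1-r443.2065 172.18.62.93.11063 ESTAB
6329830C c7500-1-r443.2065 c2600-1-r443.11029 ESTAB
633854E0 c7500-1-r443.2065 c7206-2-r441.11005 ESTAB
63386874 c7500-1-r443.2065 172.18.62.205.11019 ESTAB
"""

# TCB (8 hex digits), local endpoint, foreign endpoint, state.
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_endpoint(endpoint: str):
    """'c7500-1-r443.2065' or '172.18.62.144.11009' -> (host, port).
    The port is whatever follows the last dot, so dotted IPs parse too."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_tcp_brief(text: str) -> list:
    """One dict per data line; the header and anything unrecognised is skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tcb, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        sessions.append({"tcb": tcb, "local_host": lhost, "local_port": lport,
                         "foreign_host": fhost, "foreign_port": fport,
                         "state": state})
    return sessions


def dlsw_peers(sessions: list) -> dict:
    """Established DLSw peers keyed by remote host -> (remote port, who initiated).
    Local port 2065 means the remote side opened and kept the connection (this
    router had the lower IP); foreign port 2065 means this router did."""
    peers = {}
    for s in sessions:
        if s["state"] != "ESTAB":
            continue
        if s["local_port"] == DLSW_TCP_PORT:
            peers[s["foreign_host"]] = (s["foreign_port"], "remote_initiated")
        elif s["foreign_port"] == DLSW_TCP_PORT:
            peers[s["foreign_host"]] = (s["local_port"], "local_initiated")
    return peers


def port_facts(sessions: list) -> dict:
    """Summary for a firewall change request: how many peers connect to local
    2065 and the range of source ports they used."""
    remote = [s["foreign_port"] for s in sessions
              if s["local_port"] == DLSW_TCP_PORT and s["state"] == "ESTAB"]
    return {"peers": len(remote),
            "all_at_or_above_11000": all(p >= EPHEMERAL_START for p in remote),
            "lowest_remote_port": min(remote) if remote else None,
            "highest_remote_port": max(remote) if remote else None}


if __name__ == "__main__":
    sess = parse_tcp_brief(SAMPLE)
    for host, (port, role) in dlsw_peers(sess).items():
        print(f"{host:16} port {port:5} {role}")
    print(port_facts(sess))
```

On the sample the parser finds seven peers, every one on local port 2065, with remote ports from 11004 up to 63511: the branch routers are counting up from 11000 as the post says, but one (c7206-1-r441) is well above that, which is why a rule keyed on an exact source port cannot be written and the thread's answer to question 5 stands.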