Hello Mitchell,
From RFC-1795:
---snip---
Wells & Bartky [...at the end of Page 5]
RFC 1795 Data Link Switching April 1995
The default parameters associated with the TCP connections between
Data Link Switches are as follows:
Socket Family AF_INET (Internet protocols)
Socket Type SOCK_STREAM (stream socket)
Read Port Number 2065
Write Port Number 2067
---/snip---
If you're just doing normal DLSw with TCP encapsulation, then you'll need
to open these ports through your firewall. If you're prioritizing this
data by using the "priority" keyword in the DLSw remote peer statement,
then the router will additionally open TCP ports 1981, 1982, and 1983.
If your firewall is performing NAT, then this should still work (if you're not
using any of the additional features of DLSw+), since none of the payload
fields are dependent upon any of the TCP or IP fields. However, I've been
told that Border Peers (part of DLSw+ from Cisco) won't work across a
NATificator since the payload of some of the packets contains the IP address
of the dynamic peers. This just means that you'll have to set up actual
peer statements.
Beyond this, however, I'd examine the traffic you expect to send through your
firewall very carefully before committing to this. Historically, SNA stuff is
pretty vital to an organization and all efforts should be made to keep this
from prying eyes. You might want to encrypt this over a Virtual Private Network
between your firewalls. NetBIOS/NetBEUI (the other reason for DLSw) is the
encapsulation of a data stream into an evil, and non-routable protocol and
should be eradicated. (In my humble and personal opinion, of course ;-)
Hope this helps,
Chris Lonvick
Cisco Systems
Consulting Engineering
Houston, TX, USA
+1-713-778-5663
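As an added example that is not part of this mail thread: a check run over constructed firewall log lines that flags DLSw connections on the ports named above (2065, 2067, and the 1981-1983 priority ports) which are not between the configured peer routers, or which a peer attempted but the firewall blocked. The peer addresses and the log format are assumptions.

```python
import re

# TCP ports from the RFC 1795 excerpt above, plus the three ports a Cisco
# router opens when the "priority" keyword is used on the remote-peer statement.
DLSW_PORTS = {
    2065: "dlsw-read", 2067: "dlsw-write",
    1981: "dlsw-priority", 1982: "dlsw-priority", 1983: "dlsw-priority",
}

# Constructed, hypothetical addresses of the two DLSw peer routers; the only
# hosts that should ever appear on either end of a DLSw connection.
DLSW_PEERS = {"192.0.2.1", "198.51.100.1"}

# Constructed log format (an assumption, not any real firewall's syntax).
LOG_RE = re.compile(
    r"(?P<action>ALLOW|DENY) proto=tcp "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def classify(line):
    """Return None for non-DLSw traffic, else a dict describing the flow."""
    m = LOG_RE.search(line)
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    # A DLSw port may sit on either side of the 4-tuple, so check both ends.
    service = DLSW_PORTS.get(dport) or DLSW_PORTS.get(sport)
    if service is None:
        return None
    between_peers = m["src"] in DLSW_PEERS and m["dst"] in DLSW_PEERS
    allowed = m["action"] == "ALLOW"
    if between_peers:
        # A blocked peer flow usually means a missing rule (e.g. the priority ports).
        verdict = "ok" if allowed else "peer-blocked"
    else:
        # An allowed flow from a non-peer means the rule is broader than the peer pair.
        verdict = "foreign-allowed" if allowed else "foreign-blocked"
    return {"src": m["src"], "dst": m["dst"], "service": service, "verdict": verdict}

def audit(lines):
    """Return every DLSw flow whose verdict is not 'ok', i.e. what an operator should review."""
    return [r for r in map(classify, lines) if r and r["verdict"] != "ok"]

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "ALLOW proto=tcp src=192.0.2.1:2067 dst=198.51.100.1:2065",
    "ALLOW proto=tcp src=198.51.100.1:2067 dst=192.0.2.1:2065",
    "DENY proto=tcp src=192.0.2.1:41000 dst=198.51.100.1:1981",
    "ALLOW proto=tcp src=203.0.113.9:51000 dst=192.0.2.1:2065",
    "ALLOW proto=tcp src=192.0.2.1:50000 dst=198.51.100.1:443",
]
```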
At 01:53 PM 2/5/97 EST, uskanbye@ibmmail.com wrote:
>
>Question is how (or if) DLSw can be passed through a firewall (without
>opening up the entire network). Our WAN includes remotes sites that are
>running SNA encapsulated within IP (DLSw) via CISCO routers. We're
>hoping to NOT have to move them to pure IP before firewall
>implementation. Is anybody aware of implementation (or have done this)?
>Any/all advice appreciated.
>
>By the way, Eagle Raptor NT is the selected firewall...
>
> --------KANSAS DEPARTMENT OF HEALTH & ENVIRONMENT---------
> -----------------WWW.INK.ORG\PUBLIC\KDHE------------------
> ----------Mills Bldg Suite 501 Topeka, KS 66612-----------
> ---------Phone (913) 296-5643 FAX (913) 296-8943----------
>