14-4 AppleTalk Access Lists

  • AppleTalk zone lists can be used to match against zone names.

  • Name Binding Protocol lists can be used to match against the NBP request type, object, entity type, and AppleTalk zone.

  • AppleTalk address access lists can be used to match against AppleTalk network numbers and cable ranges.

Configuration

  1. Define an AppleTalk Zone list:

     (global) access-list acc-list-number {permit | deny} {zone zone-name | additional-zones}

    AppleTalk zones can be filtered based on the zone name. The access list number (600 to 699) can permit or deny a zone-name (a character string; for Macintosh special characters, use a colon followed by two hex digits). Multiple access-list commands can be assigned to the same acc-list-number. The additional-zones keyword can be used to match zones other than those that are specified.

  2. Define a Name-Binding Protocol (NBP) list.

    1. Match specific NBP packets:

       (global) access-list acc-list-number {permit | deny} nbp sequence-number {BrRq | FwdRq | Lookup | LkReply | object string | type type | zone zone}

      NBP packets can be filtered based on the NBP request type, object or named entity, entity type, and AppleTalk zone. The access list number (600 to 699) can permit or deny an NBP packet. Each NBP access-list statement must have a unique sequence-number to assign a specific order to the access list.

      The NBP request type can be given as BrRq (broadcast request), FwdRq (forward request), Lookup (lookup request), or LkReply (lookup reply request). An NBP entity name can be given with the object keyword and string (up to 32 characters; for Macintosh special characters, use a colon followed by two hex digits). The NBP category or type of entity can be given with the type keyword and type (a character string). The AppleTalk zone name used in the NBP entity can be given with the zone keyword and zone (a character string).

    2. Match all other NBP packets:

       (global) access-list acc-list-number {permit | deny} other-nbps

      All NBP packets that don't match specific NBP access list statements are matched here.

  3. Define a filter based on an AppleTalk address or cable range.

    1. Filter a single (nonextended) network address:

       (global) access-list acc-list-number {permit | deny} network network [broadcast-deny | broadcast-permit]

      AppleTalk network addresses can be filtered by the access list numbered acc-list-number (600 to 699). The access list can either permit or deny the network address specified by network. Broadcasts can be permitted (broadcast-permit) or denied (broadcast-deny) for the matched statement if desired.

    2. Filter a cable range:

       (global) access-list acc-list-number {permit | deny} cable-range cable-range [broadcast-deny | broadcast-permit]

      AppleTalk cable ranges can be filtered by the access list numbered acc-list-number (600 to 699). The access list can either permit or deny the cable range specified by cable-range (the start and end of the cable range, separated by a dash; each value can be 1 to 65279). Broadcasts can be permitted (broadcast-permit) or denied (broadcast-deny) for the matched statement if desired.

    3. Permit or deny all other network and cable ranges:

       (global) access-list acc-list-number {permit | deny} other-access

      Any network addresses or cable ranges not specified or matched elsewhere in the acc-list-number are matched here. The access list can either permit or deny them.

Examples

AppleTalk access list 601 acts as a zone name filter. Zones named Hackers and Nowhere are denied, and all other zones are permitted.

  access-list 601 deny zone Hackers
  access-list 601 deny zone Nowhere
  access-list 601 permit additional-zones

AppleTalk access list 602 filters NBP packets. NBP packets from a server called PublicFiles, type AFPServer, in zone Workroom are denied. (Notice that all three rules have a sequence number of 1. This allows more granular control over an NBP entity, linking several attributes.) The access list also denies a server called GameServer and permits all other NBP packets.

  access-list 602 deny nbp 1 object PublicFiles
  access-list 602 deny nbp 1 type AFPServer
  access-list 602 deny nbp 1 zone Workroom
  access-list 602 deny nbp 2 object GameServer
  access-list 602 permit other-nbps
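As an added illustration (not from the book), the following Python evaluator models how the NBP entries of list 602 combine: statements sharing a sequence number are treated as one entry whose object, type, and zone attributes must all match, entries are tried in sequence-number order, and anything unmatched falls to the other-nbps statement. The first-match ordering and the implicit deny when no other-nbps statement is present are assumptions of this model, not statements from the page.

```python
import re

# Constructed sample: the NBP statements of access list 602 from this section.
ACL_602_CONFIG = """
access-list 602 deny nbp 1 object PublicFiles
access-list 602 deny nbp 1 type AFPServer
access-list 602 deny nbp 1 zone Workroom
access-list 602 deny nbp 2 object GameServer
access-list 602 permit other-nbps
"""

NBP_STMT = re.compile(r"access-list \d+ (permit|deny) nbp (\d+) (object|type|zone) (.+)$")
OTHER_STMT = re.compile(r"access-list \d+ (permit|deny) other-nbps$")

def parse_nbp_list(config):
    """Group nbp statements by sequence number into {seq: (action, {attr: value})}.

    Returns the groups sorted by sequence number and the other-nbps action.
    Assumption: packets matching no statement are denied when other-nbps is absent.
    """
    groups, default = {}, "deny"
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = NBP_STMT.match(line)
        if m:
            action, seq, attr, value = m.groups()
            # Statements with the same sequence number link several attributes
            # of one NBP entity; all of them must match for the entry to apply.
            groups.setdefault(int(seq), (action, {}))[1][attr] = value
            continue
        m = OTHER_STMT.match(line)
        if m:
            default = m.group(1)
    return dict(sorted(groups.items())), default

def nbp_action(parsed, obj, typ, zone):
    """Apply the parsed list to one NBP entity; the first matching group decides."""
    groups, default = parsed
    packet = {"object": obj, "type": typ, "zone": zone}
    for action, attrs in groups.values():
        if all(packet[k] == v for k, v in attrs.items()):
            return action
    return default

ACL_602 = parse_nbp_list(ACL_602_CONFIG)

if __name__ == "__main__":
    print(nbp_action(ACL_602, "PublicFiles", "AFPServer", "Workroom"))  # deny
    print(nbp_action(ACL_602, "PublicFiles", "AFPServer", "Lab"))       # permit
```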

AppleTalk access list 603 filters network addresses and cable ranges. Network 50 is permitted, along with the cable range 4020 to 4100. All other addresses are denied.

  access-list 603 permit network 50
  access-list 603 permit cable-range 4020-4100
  access-list 603 deny other-access


Cisco Field Manual: Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185