AppleTalk zone lists can be used to match against zone names.
Name Binding Protocol lists can be used to match against the NBP request type, object, entity type, and AppleTalk zone.
AppleTalk address access lists can be used to match against AppleTalk network numbers and cable ranges.
Define an AppleTalk Zone list:
(global) access-list acc-list-number { permit | deny } { zone zone-name | additional-zones }
AppleTalk zones can be filtered based on the zone name. The access list number (600 to 699) can permit or deny a zone-name (a character string; for Macintosh special characters, use a colon followed by two hex digits). Multiple access-list commands can be assigned to the same acc-list-number, one zone per command. The additional-zones keyword matches any zone not named by the other statements in the list; without it, a zone that matches no statement is denied.
Define a Name-Binding Protocol (NBP) list.
Match specific NBP packets:
(global) access-list acc-list-number { permit | deny } nbp sequence-number { BrRq | FwdRq | Lookup | LkReply | object string | type type | zone zone }
NBP packets can be filtered based on the NBP request type, object or named entity, entity type, and AppleTalk zone. The access list number (600 to 699) can permit or deny an NBP packet. Each NBP access-list statement carries a sequence-number. Statements that share a sequence number describe one NBP entity and are evaluated together: a packet must match all of them (for example, object, type, and zone) to match that entry. Statements with a different sequence number form a separate entry.
The NBP request type can be given as BrRq (broadcast request), FwdRq (forward request), Lookup (lookup request), or LkReply (lookup reply). An NBP entity name can be given with the object keyword and string (up to 32 characters; for Macintosh special characters, use a colon followed by two hex digits). The NBP category or type of entity can be given with the type keyword and type (a character string). The AppleTalk zone name used in the NBP entity can be given with the zone keyword and zone (a character string).
Match all other NBP packets:
(global) access-list acc-list-number { permit | deny } other-nbps
All NBP packets that don't match any specific NBP statement in the list are matched here. If the list has no other-nbps statement, unmatched NBP packets are denied.
Define a filter based on an AppleTalk address or cable range.
Filter a single (nonextended) network address:
(global) access-list acc-list-number { permit | deny } network network [ broadcast-deny | broadcast-permit ]
AppleTalk network addresses can be filtered by the access list numbered acc-list-number (600 to 699). The access list can either permit or deny the network address specified by network. Broadcasts can be permitted ( broadcast-permit ) or denied ( broadcast-deny ) for the matched statement if desired.
Filter a cable range:
(global) access-list acc-list-number { permit | deny } cable-range cable-range [ broadcast-deny | broadcast-permit ]
AppleTalk cable ranges can be filtered by the access list numbered acc-list-number (600 to 699). The access list can either permit or deny the cable range specified by cable-range (the start and end of the cable range, separated by a dash; each value can be 1 to 65279). Broadcasts can be permitted ( broadcast-permit ) or denied ( broadcast-deny ) for the matched statement if desired.
Permit or deny all other network and cable ranges:
(global) access-list acc-list-number { permit | deny } other-access
Any network addresses or cable ranges not specified or matched elsewhere in the acc-list-number are matched here. The access list can either permit or deny them. If the list has no other-access statement, unmatched addresses are denied.
AppleTalk access list 601 acts as a zone name filter. Zones named Hackers and Nowhere are denied, and all other zones are permitted.
access-list 601 deny zone Hackers
access-list 601 deny zone Nowhere
access-list 601 permit additional-zones
AppleTalk access list 602 filters NBP packets. NBP packets from a server called PublicFiles, type AFPServer, in zone Workroom are denied. (Notice that the first three statements share sequence number 1, so they are combined into one entry: an NBP packet must match the object, the type, and the zone to be denied by it. A PublicFiles server in a different zone is not matched by sequence 1.) The statement with sequence number 2 stands on its own and denies any server called GameServer; the access list then permits all other NBP packets.
access-list 602 deny nbp 1 object PublicFiles
access-list 602 deny nbp 1 type AFPServer
access-list 602 deny nbp 1 zone Workroom
access-list 602 deny nbp 2 object GameServer
access-list 602 permit other-nbps
AppleTalk access list 603 filters network addresses and cable ranges. Network 50 is permitted, along with the cable range 4020 to 4100. All other addresses are denied.
access-list 603 permit network 50
access-list 603 permit cable-range 4020-4100
access-list 603 deny other-access
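The following Python script is an added illustration of how the three list types above (zone lists, NBP lists with sequence-number grouping, and network/cable-range lists) are evaluated; it is not IOS code and does not come from the original page. It parses the page's own lists 601 to 603, plus a constructed list 604 with no catch-all statement, and evaluates sample zone names, NBP entities, and network numbers against them. The evaluation order it assumes is: explicit statements first, then the additional-zones / other-nbps / other-access catch-all, then an implicit deny. It also assumes that a cable-range statement matches any network number inside the range. Note that an access list is only a definition; it filters nothing until it is applied, for example to an interface with appletalk access-group.

```python
"""Offline evaluator for AppleTalk access lists as this page describes them.
Added illustration only, not IOS code. Rules implemented here:
  * explicit zone / network / cable-range / NBP entries are tried first,
  * additional-zones / other-nbps / other-access catch whatever is left,
  * a list with no catch-all entry denies by default (implicit deny),
  * NBP statements sharing a sequence number are ANDed into one entity test.
"""
import re
from collections import OrderedDict

# Constructed sample configuration: the three lists from this page plus a
# fourth list (604) with no catch-all statement, to show the implicit deny.
CONFIG = """
access-list 601 deny zone Hackers
access-list 601 deny zone Nowhere
access-list 601 permit additional-zones
access-list 602 deny nbp 1 object PublicFiles
access-list 602 deny nbp 1 type AFPServer
access-list 602 deny nbp 1 zone Workroom
access-list 602 deny nbp 2 object GameServer
access-list 602 permit other-nbps
access-list 603 permit network 50
access-list 603 permit cable-range 4020-4100
access-list 603 deny other-access
access-list 604 permit zone Sales
"""

NBP_REQUESTS = ("BrRq", "FwdRq", "Lookup", "LkReply")


def decode_name(text):
    """Expand Macintosh special characters written as a colon plus two hex digits."""
    return re.sub(r":([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def parse(config):
    """Parse access-list lines into {list_number: [rule, ...]} in statement order."""
    lists = OrderedDict()
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            raise ValueError("unrecognised line: %r" % line)
        num, action, kind = int(tok[1]), tok[2], tok[3]
        if not 600 <= num <= 699 or action not in ("permit", "deny"):
            raise ValueError("AppleTalk lists are 600-699 with permit/deny: %r" % line)
        rule = {"action": action, "kind": kind}
        if kind == "zone":
            rule["value"] = decode_name(tok[4])
        elif kind == "network":
            rule["value"] = int(tok[4])
        elif kind == "cable-range":
            lo, hi = (int(x) for x in tok[4].split("-"))
            if not 1 <= lo <= hi <= 65279:
                raise ValueError("cable range must be 1-65279, start <= end: %r" % line)
            rule["value"] = (lo, hi)
        elif kind == "nbp":
            rule["seq"] = int(tok[4])
            rule["field"] = tok[5]  # BrRq | FwdRq | Lookup | LkReply | object | type | zone
            rule["value"] = None if rule["field"] in NBP_REQUESTS else decode_name(tok[6])
        elif kind not in ("additional-zones", "other-nbps", "other-access"):
            raise ValueError("unknown access-list keyword: %r" % line)
        lists.setdefault(num, []).append(rule)
    return lists


def _catch_all(rules, keyword):
    """Action of the list's catch-all statement, or the implicit deny."""
    for r in rules:
        if r["kind"] == keyword:
            return r["action"]
    return "deny"


def check_zone(rules, zone_name):
    """Zone-list decision for one zone name (exact match after decoding)."""
    for r in rules:
        if r["kind"] == "zone" and r["value"] == decode_name(zone_name):
            return r["action"]
    return _catch_all(rules, "additional-zones")


def _nbp_match(rule, packet):
    if rule["field"] in NBP_REQUESTS:
        return packet.get("request") == rule["field"]
    return packet.get(rule["field"]) == rule["value"]


def check_nbp(rules, packet):
    """NBP decision for packet = {"request", "object", "type", "zone"}."""
    groups = OrderedDict()
    for r in rules:
        if r["kind"] == "nbp":
            groups.setdefault(r["seq"], []).append(r)
    for seq, group in groups.items():
        actions = {r["action"] for r in group}
        if len(actions) != 1:
            raise ValueError("sequence %d mixes permit and deny" % seq)
        # Every statement in the sequence group must match (logical AND).
        if all(_nbp_match(r, packet) for r in group):
            return actions.pop()
    return _catch_all(rules, "other-nbps")


def check_address(rules, network):
    """Network/cable-range decision for a packet's network number.
    Assumption: a cable-range statement matches any network number in the range."""
    for r in rules:
        if r["kind"] == "network" and r["value"] == network:
            return r["action"]
        if r["kind"] == "cable-range" and r["value"][0] <= network <= r["value"][1]:
            return r["action"]
    return _catch_all(rules, "other-access")


if __name__ == "__main__":
    acl = parse(CONFIG)
    server = {"request": "Lookup", "object": "PublicFiles",
              "type": "AFPServer", "zone": "Workroom"}
    print("601 zone Hackers       :", check_zone(acl[601], "Hackers"))          # deny
    print("602 PublicFiles/Workroom:", check_nbp(acl[602], server))             # deny
    print("602 PublicFiles/Lab    :", check_nbp(acl[602], dict(server, zone="Lab")))  # permit
    print("603 network 4101       :", check_address(acl[603], 4101))            # deny
    print("604 zone Other         :", check_zone(acl[604], "Other"))            # deny
```

The PublicFiles case is the one worth trying by hand: because the three sequence-1 statements are ANDed, the same server name in zone Lab falls through to other-nbps and is permitted, and list 604 shows that leaving out the catch-all statement turns the list into a permit-only allowlist.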