To access this editor window, select Global/Filtering/AppleTalk Filtering from the Device View.
The editor window shown above is used in the VPN 5000 Manager for editing all AppleTalk filter sets, including those for AppleTalk Route, Zone List, and Packet filters.
The AppleTalk filter editor window allows a set of AppleTalk filtering rules to be defined, edited and identified with a specific name.
Once a set of rules is defined and named, those rules may be linked to several different AppleTalk filter interpreters to accomplish different types of filtering.
Each interpreter understands and uses a subset of the complete AppleTalk rules. The interpreters available are: general packet filtering, get-zone-list filtering and route (RTMP) filtering. Each is described below.
The interpreters will not reorder the rules as they are specified. They will be applied sequentially from the first rule through the last. Any filtered information not specifically allowed by the set of rules will be dropped silently. If that information is to be allowed, a final permit rule must be specified:
```
permit
```
There is an interaction between the packet filtering interpreter and the other interpreters. The packet filter interpreter will be applied to incoming packets before the other interpreters, and it will be applied to outgoing packets after the other interpreters. For example, a received get-zone-list request may be filtered by an input packet filter before it arrives at the get-zone-list interpreter and the reply may also be filtered again by an outgoing packet filter.
Rules that have been specified using the VPN 5000 Manager may be edited or examined through the command line interface. Likewise, rules defined through the command line interface may be edited through the Manager. When the rules are downloaded into the device from the Manager, they will be encrypted.
The packet filter interpreter allows packets being forwarded by the device to be filtered on the input and output side of an interface. The only rules used in this interpreter are the type, srcnet, dstnet, srcnode, dstnode, srcskt and dstskt rules for all packets. For NBP request and reply packets the NBPName, NBPType and NBPZone rules are also used. All other rules are ignored.
The get-zone-list interpreter allows the filtering of outgoing get-zone-list replies on an interface. These replies contain the zone list displayed by the Chooser on a Macintosh when it is opened. Thus, the get-zone-list interpreter allows control of the zones that are seen on a Macintosh behind a device. The only rules used in this interpreter are the network, net-range and zone rules. All other rules are ignored.
The RTMP interpreter allows network numbers in input and output AppleTalk RTMP routing packets to be filtered on an interface. The only rules used in this interpreter are the network and net-range rules. All other rules are ignored.
At a minimum, every non-comment line in a filter set must include an action. However, an action alone will not create a useful filter rule (except for setting a default rule as noted above).
Every line in a packet filter set must begin with the action permit or deny, or with the comment indicator #.
The basic action specified in the rule will almost always be accompanied with an option. AppleTalk filter options use some or all of a set of operators to determine whether the filter rule matches the information being examined or not. These operators are discussed below:
The following is an AppleTalk packet filter which denies echo packets (type 4) from network 55, and permits everything else.
```
deny srcnet = 55 type = 4
permit
```
The following is an AppleTalk packet filter which denies NBP lookups for the printer named "Engineering Printer," permits NBP lookups for the printer named "HP Printer" by the NBP zone "Sales," and permits everything else.
```
deny NBPName = "Engineering Printer"
permit NBPName = "HP Printer" NBPZone = "Sales"
permit
```
AppleTalk Get Zone List filter rules filter what is seen in the Chooser of Macintoshes attached to the network to which the rules are assigned. The example would: deny all zone names from networks 1-10; permit the zone name "Engineering"; deny the zone name "Sales"; permit all networks not equal to 100; and permit everything else.
```
deny net-range = 1 10
permit zone = "Engineering"
deny zone = "Sales"
permit network != 100
permit
```
AppleTalk RTMP filter rules can be used to limit the network numbers that are allowed into the routing table or to be advertised from the device. The example performs the following actions: deny networks with a number of 100; permit networks between 200 and 300; deny networks numbered greater than 301; and permit everything else.
```
deny network = 100
permit net-range = 200 300
deny network > 301
permit
```
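The four example sets above, together with the sequential first-match evaluation and silent default deny described earlier and the input-packet-filter / get-zone-list / output-packet-filter ordering on an interface, can be exercised with a small evaluator. The following is an added example written for this page, not code from the VPN 5000 Manager or its firmware. It assumes one rule per line, that `net-range = low high` is an inclusive range, that a rule naming a field an interpreter does not use is skipped, and uses constructed packet and zone records (Python dicts) as the information being examined.

```python
"""Evaluator for the AppleTalk filter-set syntax described on this page.

Constructed illustration written for this page; it is not VPN 5000 code. It
models only what the text states: one rule per line, sequential first-match
evaluation, silent default deny, the per-interpreter field subsets, and the
=, !=, >, < and 'net-range = low high' forms the examples use. How the
device treats a rule naming a field an interpreter does not use is an
assumption here (the rule is skipped)."""
import shlex

# Field subsets per interpreter, as listed on the page.
PACKET_FIELDS = {"type", "srcnet", "dstnet", "srcnode", "dstnode", "srcskt",
                 "dstskt", "NBPName", "NBPType", "NBPZone"}
ZONELIST_FIELDS = {"network", "net-range", "zone"}
RTMP_FIELDS = {"network", "net-range"}


def parse_rules(text):
    """Parse '<permit|deny> [field op value ...]' lines into (action, conds)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):        # blank or comment line
            continue
        tokens = shlex.split(line)                  # keeps "Engineering Printer" whole
        action, rest = tokens[0], tokens[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"rule must start with permit or deny: {line!r}")
        conds = []
        while rest:
            field, op = rest[0], rest[1]
            if op not in ("=", "!=", ">", "<"):
                raise ValueError(f"unknown operator {op!r} in {line!r}")
            if field == "net-range":                # takes two values: low high
                conds.append((field, op, (int(rest[2]), int(rest[3]))))
                rest = rest[4:]
            else:
                value = rest[2]
                conds.append((field, op, int(value) if value.isdigit() else value))
                rest = rest[3:]
        rules.append((action, conds))
    return rules


def _matches(cond, info):
    """True when one condition holds for the information being examined."""
    field, op, value = cond
    if field == "net-range":                        # assumed inclusive range
        low, high = value
        return op == "=" and low <= info.get("network", -1) <= high
    actual = info.get(field)
    if actual is None:
        return False
    return {"=": actual == value, "!=": actual != value,
            ">": actual > value, "<": actual < value}[op]


def evaluate(rules, info, fields):
    """Apply rules in order; the first rule whose conditions all hold decides.
    A rule using a field outside this interpreter's subset is skipped
    (assumption). If no rule matches, the information is dropped."""
    for action, conds in rules:
        if any(f not in fields for f, _, _ in conds):
            continue
        if all(_matches(c, info) for c in conds):
            return action
    return "deny"


def zone_list_reply(request, zones, in_pkt, zonelist, out_pkt):
    """Ordering the page describes on one interface: input packet filter on the
    request, get-zone-list interpreter on each zone, output packet filter on
    the reply. Returns the zone names the Chooser would see."""
    if evaluate(in_pkt, request, PACKET_FIELDS) == "deny":
        return []
    kept = [z["zone"] for z in zones
            if evaluate(zonelist, z, ZONELIST_FIELDS) == "permit"]
    reply = {"type": request["type"], "srcnet": request["dstnet"],
             "dstnet": request["srcnet"]}            # constructed header swap
    if evaluate(out_pkt, reply, PACKET_FIELDS) == "deny":
        return []
    return kept


# The page's own example sets, one rule per line.
PACKET_SET = parse_rules("deny srcnet = 55 type = 4\npermit")
NBP_SET = parse_rules('deny NBPName = "Engineering Printer"\n'
                      'permit NBPName = "HP Printer" NBPZone = "Sales"\npermit')
ZONELIST_SET = parse_rules('deny net-range = 1 10\npermit zone = "Engineering"\n'
                           'deny zone = "Sales"\npermit network != 100\npermit')
RTMP_SET = parse_rules("deny network = 100\npermit net-range = 200 300\n"
                       "deny network > 301\npermit")

if __name__ == "__main__":
    # Constructed sample inputs; note the zone from network 5 is denied even
    # though it is named "Engineering", because the net-range rule comes first.
    print(evaluate(PACKET_SET, {"type": 4, "srcnet": 55}, PACKET_FIELDS))
    print(evaluate(RTMP_SET, {"network": 250}, RTMP_FIELDS))
    print(evaluate(ZONELIST_SET, {"network": 5, "zone": "Engineering"}, ZONELIST_FIELDS))
```

The `zone_list_reply` function is the part worth studying when a zone unexpectedly disappears from the Chooser: a request dropped by the input packet filter, or a reply dropped by the output packet filter, produces an empty zone list even when the get-zone-list set itself permits every zone.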

To access this dialog box, select Interface/Filtering/AppleTalk Filtering from the Device View.
This set of pulldowns allows you to select previously defined sets of routing (RTMP) filter rules. These rules will be applied to information arriving on this interface. Up to four sets of rules can be selected.
This set of pulldowns allows you to select previously defined sets of routing (RTMP) filter rules. These rules will be applied to information which is to be sent on this interface. Up to four sets of rules can be selected.
This set of pulldowns allows you to select previously defined sets of get-zone-list filter rules. These rules will be applied to replies to AppleTalk get-zone-list requests which are received on this interface. Up to four sets of rules can be selected.
This set of pulldowns allows you to select previously defined sets of packet filter rules. These rules will be applied to packets arriving on this interface. Up to four sets of rules can be selected.
This set of pulldowns allows you to select previously defined sets of packet filter rules. These rules will be applied to packets which are to be sent on this interface. Up to four sets of rules can be selected.
Posted: Wed Sep 27 11:58:46 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.