|
|
This chapter lists all the sections and syntax you can use with the edit config command.
This section allows you to define, edit and name a set of AppleTalk filtering rules. Once a set of rules is defined and named, those rules may be applied to a variety of AppleTalk interpreters to accomplish different types of AppleTalk filtering. Each interpreter looks at a subset of the rules that are suitable for that interpreter. The interpreters available are general packet filtering, get zone list filtering, zip reply filtering and route (RTMP) filtering.
edit config AppleTalk Filter "Name"
"Name" | A unique name, with spaces allowed, for this filter set. |
Rules which have been specified using Cisco's VPN 5000 Manager Manager may be edited or examined through the command line interface. Likewise, rules defined through the command line interface may be edited through VPN 5000 Manager. When the rules are downloaded into the device from VPN 5000 Manager, they will be encrypted.
The rules are applied in the order they were written. When you select multiple filter sets for an interface, they are read from first to last as you entered them.
There is an interaction between the packet filtering interpreter and the other interpreters which should be considered when defining filter sets. The packet filter interpreter applies its filters to packets as they are received by the device. If not filtered, the packets will then be passed on to the other interpreters. The reverse is true for packets going out. First the ZipReply, GetZoneList filter and RTMP filters are applied, and if the packet is not filtered, it is passed on to the packet filter interpreter before being transmitted.
When you specify a rule, even if it is only a deny rule, the interface automatically rejects all packets unless you explicitly allow them. To allow all other packets not filtered, make the last rule:
permit
See the AppleTalk section for information about how to apply these named filters to the different interpreters. This method allows the greatest flexibility since common rules may be established and applied independently to the various types of AppleTalk interpreters. Each of the interpreters is described below.
The Packet Filtering interpreter allows packets being forwarded by the device to be filtered on the input and output side of an interface. The only rules used in this interpreter are the the following rules. See the "Filter Rule Syntax" section for a complete description of the rules.
For Name Binding Protocol (NBP) request and reply packets, the following rules are also used:
All other rules are ignored. The keywords InFilters and OutFilters in the AppleTalk section are used to specify the named set of rules for this interpreter.
The Get Zone List (GZL) interpreter allows the filtering of outgoing GZL replies on an interface. These replies contain the zone list displayed by the Chooser on a Macintosh when it is opened. This interpreter will allow control of the zones that are seen on a Macintosh behind a device. The only rules used in this interpreter are the following rules. See the "Filter Rule Syntax" section for a complete description of the rules.
All other rules are ignored. The keyword GetZoneFilters in the AppleTalk section is used to specify the named set of rules for this interpreter.
The ZIP Reply interpreter allows incoming zone names in ZIP reply packets to be filtered. ZIP reply packets are used between routers and access servers to exchange the zone names for the networks kept in their routing tables. These devices are required to maintain a zone list for each of the networks maintained in the AppleTalk routing table and receive the zone name from an upstream router advertising the network. Extended networks allow more than one zone name to be associated with the range, even if it is a single range.
The Routing Table Maintenance Protocol (RTMP) interpreter allows network numbers in input and output AppleTalk RTMP routing packets to be filtered on an interface. The only rules used in this interpreter are the following rules. See "Filter Rule Syntax" for a complete description of the rules.
All other rules are ignored. The keywords InRTMPFilters and OutRTMPFilters in the AppleTalk section are used to specify the named set of rules for this interpreter.
After entering the edit config command, and then the append command, enter one or more filter rules using the following syntax. See the "AppleTalk Interpreters" section for a description of each interpreter and which rules can be used for the interpreter.
{permit | deny}[type operator ATalk_packet_type_number]
permit | deny |
| |||
operator | Specifies a range of the characteristic to compare to the packet's characteristics. For example, if you specify zone = "name", then all packets with the zone name "name" are filtered. Names and the network_range can only use the Equals and Does not Equal operators. Numbers can use all operators. The operator can have one of the following functions: | |||
|
|
| ||
type operator ATalk_packet_type_number | This option allows filtering of the packet type from the AppleTalk DDP header. The packet type value must be between 1 and 255. The numbers of some well-known packet types are listed below. RTMP (1); NBP (2); ATP (3); ECHO (4); RTMP Request (5); ZIP (6); ADSP (7); SNMP (8); IP-in-AppleTalk (22); DECnet-in-AppleTalk (68) | |||
srcnet operator network_number | This option allows filtering of the source network from the AppleTalk DDP header. The network value must be between 1 and 65279. The keyword all may be used to specify all network values. | |||
dstnet operator network_number | This option allows filtering of the destination network from the AppleTalk DDP header. The network value must be between 1 and 65279. The keyword all may be used to specify all network values. | |||
srcnode operator node_address | This option allows filtering of the destination node from the AppleTalk DDP header. The node value must be between 1 and 253. | |||
dstnode operator node_address | This option allows filtering of the source node from the AppleTalk DDP header. The node value must be between 1 and 253. | |||
srcskt operator socket_number | This option allows filtering of the source socket from the AppleTalk DDP header. The socket value must be between 1 and 255. | |||
dstskt operator socket_number | This option allows filtering of the destination socket from the AppleTalk DDP header. The socket value must be between 1 and 255. | |||
network operator network_number | This option allows filtering of the network number in Get Zone List, Zip Reply and RTMP packets. The network value must be between 1 and 65279. The keyword all may be used to specify all network values. | |||
net-range operator network_range | This option allows filtering of GetZoneList and RTMP packets using a network range. Two AppleTalk network numbers separated by a space make up the network range. Each number must be between 1 and 65279. The first number must be less than or equal to the second number. This option can only use the Equals and Does not Equal operators. | |||
zone operator "zone_name" | This option allows filtering of the zone name in Get Zone List, Zip Reply and RTMP packets. The zone name must be enclosed in quotes ("") and cannot be more than 32 characters long. It must not contain the approximately equal sign wildcard (Ý) character or a "*". This option can only use the Equals and Does not Equal operators. | |||
NBPName operator "NBP_entity_name" | This option allows filtering of the NBP name in an NBP request or reply packet. The NBP entity name must be between 1 and 32 characters and enclosed in quotation marks (""). It may contain the approximately equal sign wildcard (Ý) character. All characters will be mapped to upper case before any comparisons are done. This option can only use the Equals and Does not Equal operators. | |||
NBPType operator "NBP_entity_name" | This option allows filtering of the NBP type in an NBP request or reply packet. The NBP entity name must be between 1 and 32 characters and included in quotation marks (""). It may contain the approximately equal sign wildcard (Ý) character. All characters will be mapped to upper case before any comparisons are done. This option can only use the Equals and Does not Equal operators. | |||
NBPZone operator "zone_name" | This option allows filtering of the NBP zone name in an NBP request or reply packet. The zone name must be enclosed in quotes ("") and cannot be more than 32 characters long. It must not contain the approximately equal sign wildcard (Ý) character or a "*". This option can only use the Equals and Does not Equal operators. | |||
log | The log option causes the device to log data about the packet to syslog when the condition of the rule is met. See the Logging section for more information about logging. | |||
The following is an AppleTalk packet filter which denies echo packets (type 4) from network 55, and permits everything else.
deny srcnet = 55 type = 4 permit
The following is an AppleTalk packet filter which denies NBP lookups for the printer named "Engineering Printer," permits NBP lookups for the printer named "HP Printer" by the NBP zone "Sales," and permits everything else.
deny NBPName = "Engineering Printer" permit NBPName = "HP Printer" NBPZone = "Sales" permit
The following is an AppleTalk Get Zone List filter. These rules filter what is seen in the Chooser of Macintoshes attached to the network to which the rules are assigned. The example would: deny all zone names from networks 1-10; permit the zone name "Engineering;" deny the zone name "Sales;" permit all networks not equal to 100; and permit everything else.
deny net-range = 1 10 permit zone = "Engineering" deny zone = "Sales" permit network != 100 permit
The following is an AppleTalk RTMP filter. These rules can be used for either input or output RTMP filters to limit the network numbers that are allowed into the routing table or to be advertised from the device, respectively. The example performs the following actions: deny networks with a number of 100; permit networks between 200 and 300; deny networks numbered greater than 301; and permit everything else.
deny network = 100 permit net-range = 200 300 deny network > 301 permit
The following is an AppleTalk ZIP Reply filter. These rules can be used to restrict the zone names that are returned in ZIP Reply requests from other routers. This limits the zone list in routers behind the interfaces to which these rules are applied. The following example would: deny the zone name "Engineering;" deny the zone name of "Twilight" where the network number is 301 (if there is a zone name of "Twilight" associated with another network number, that would be permitted); and permit everything else.
deny zone = "Engineering" deny zone = "Twilight" network = 301 permit
| Command | Description |
|---|---|
configure AppleTalk | Configures AppleTalk parameters for an interface |
configure Logging | Configures logging options |
show appletalk | Shows AppleTalk configuration, status and statistics |
Posted: Wed Sep 27 10:53:16 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.