
AppleTalk Routing Information Filters

AppleTalk routing information filters restrict the exchange of routing information between routers by limiting the routes added to the routing tables of specified routers. These filters increase security by limiting the visibility of selected networks or zones and reduce the network bandwidth consumed by the periodic exchange of routing information between routers. There are two types of AppleTalk routing information filters:

AppleTalk uses Routing Table Maintenance Protocol (RTMP) as its primary routing protocol. This protocol is similar to the RIP used by TCP/IP and IPX. The routing tables maintained by RTMP contain an entry for every known route. These routing tables acquire routing information in two ways:

When no routing information filters are enabled, an AppleTalk router learns all the routes known by its neighboring routers through the periodic routing table updates sent by RTMP. In this way, every router on the internetwork acquires the routing information from all other routers on the internetwork.

Routing information filters are also available over AppleTalk Update-based Routing Protocol (AURP). In this case, a neighboring router can be either a network interface (all neighbors directly connected to the cable) or all peers on the AURP tunnel.

AppleTalk outgoing route filters can be used for networks and zones. Incoming route filters can be used only for networks.

NOTE:  If AppleTalk networks have more than one router between them (such as for redundant or loop routing), these routers are required to have the same filters configured (device hiding, outgoing route, or incoming route filters). Configuring filters in only one router does not filter out the required information.

For more information on AppleTalk routing information filters, refer to


AppleTalk Outgoing Route Filters

AppleTalk outgoing route filters limit the routing information advertised by a router to its neighbors. A typical outgoing route filter consists of a network or zone (the route) and the interface through which filtered advertisements are sent. The filters affect all routers on the network to which the interface connects.

An AppleTalk router learns about networks that are not directly connected only through its neighbors. Because of this, neighboring routers with outgoing route filtering enabled can limit the routing information that the AppleTalk router receives. This effectively cuts off access from one part of the network to another.

NOTE:  If you hide a route from a neighbor, none of the routers on the neighbor's side of the network has any information about this route.

If the specified action is to deny routes in the filter list, the router omits the routes designated in the filter list from the advertisements it sends to the designated neighbors, but sends all other routing information. If the specified action is to permit routes in the filter list, the router advertises only the routes designated in the filter list to the designated neighbors and omits everything else.

Novell Internet Access Server 4.1 supports zone-based and network number-based outgoing route filters, as discussed in the following sections.


Zone-Based Outgoing Route Filters

Zone-based outgoing route filters limit the advertisement of all routes associated with a particular zone. A zone is an abstraction of networks into which many physical networks, including noncontiguous networks, can be grouped. The main advantage of using zone names in filters is that the filter does not need to be modified when new networks are added to the zone.

For example, when filters are configured for the Marketing zone, the zone is made up of only one physical network. As the department grows, more physical networks are added, but they are still grouped under the Marketing zone. All filters configured for the Marketing zone are enforced automatically for all new physical networks added to the zone. This capability greatly simplifies network management.

NOTE:  When you specify a zone from a network that has multiple zones, all set filters affect the entire network, not just the selected zone.


Network Number-Based Outgoing Route Filters

Network number-based outgoing route filters limit the advertisement of the routes to specific networks. This kind of filtering gives the user explicit control over which physical networks are or are not advertised to different neighbors.

You must reconfigure network number-based outgoing route filters when changes occur in the network topology.


AppleTalk Incoming Route Filters

AppleTalk incoming route filters limit the routing information that a router accepts and adds to its routing tables.

When these filters are enabled on a router, the router accepts only the allowed routes from each of its neighboring routers so that specified routes are hidden from particular routers and from particular parts of the network. Novell Internet Access Server 4.1 supports only network number-based incoming route filters.

An incoming route filter consists of a route and the interface through which the route advertisements are expected to be transmitted. The specified route can be to a nonextended network or to an extended network.

Directly connected networks cannot be filtered by incoming route filters. If the specified action is to deny routes in the filter list, the router ignores all the route information designated in the filters received from the specified neighbors, but accepts and records all other routing information. If the specified action is to permit routes in the filter list, the router accepts only routes designated in the filter list from the named neighbors and ignores everything else.
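The deny and permit semantics described above for outgoing and incoming route filters, as an added Python model that is not part of the original documentation or of any Novell software. The network numbers, zone assignments, class and function names are constructed for illustration, and the rule that a filter entry matches any route whose range lies inside it is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    net: tuple                 # (start, end); a nonextended network has start == end
    zones: frozenset = frozenset()

@dataclass(frozen=True)
class RouteFilter:
    action: str                # "deny" or "permit" the routes in the filter list
    nets: tuple = ()           # network number ranges in the filter list
    zones: frozenset = frozenset()   # zone names (outgoing filters only)

    def lists(self, route):
        lo, hi = route.net
        # Assumption: an entry matches a route whose range lies inside it.
        by_net = any(s <= lo and hi <= e for s, e in self.nets)
        # A zone entry matches the whole network, even if it has other zones.
        return by_net or bool(self.zones & route.zones)

    def passes(self, route):
        return self.lists(route) != (self.action == "deny")

def advertise(table, flt):
    """Outgoing filter: routes sent to neighbors on the filtered interface."""
    return [r.net for r in table if flt.passes(r)]

def accept(direct, advertised, flt):
    """Incoming filter: resulting routing table. Directly connected
    networks are always present; only learned routes are filtered."""
    if flt.zones:
        raise ValueError("incoming route filters are network number-based only")
    learned = [r for r in advertised if r not in direct and flt.passes(r)]
    return [r.net for r in direct + learned]

# Constructed sample internetwork (network numbers and zones are made up).
ENG = Route((10, 10), frozenset({"Engineering"}))
MKT = Route((20, 25), frozenset({"Marketing"}))
MIX = Route((30, 30), frozenset({"Marketing", "Sales"}))
FIN = Route((40, 45), frozenset({"Finance"}))
TABLE = [ENG, MKT, MIX, FIN]

if __name__ == "__main__":
    print(advertise(TABLE, RouteFilter("deny", zones=frozenset({"Marketing"}))))
    print(advertise(TABLE, RouteFilter("permit", nets=((10, 10),))))
    print(accept([MKT], TABLE, RouteFilter("deny", nets=((20, 25), (40, 45)))))
```

Denying the Marketing zone also hides network 30 and with it the Sales zone, which is the side effect the zone-based filter NOTE warns about; the incoming deny entry for the directly connected network 20-25 has no effect.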


