Novell Documentation: NetWare 6 - Configuring AppleTalk Filters

Configuring AppleTalk Filters

AppleTalk supports the following types of filters:

Device hiding filters

Outgoing route filters (routes advertised)

Incoming route filters (routes accepted)
NOTE: When you configure a filter for a primary WAN call, an equivalent filter is automatically generated for the backup call. If the primary call should fail, the backup call is automatically connected. You can only view primary filters using FILTCFG. Backup filters do not appear in FILTCFG.

Refer to Understanding for more information.

This section contains the following topics:

How to Configure AppleTalk Device Hiding Filtering

Example AppleTalk Device Hiding Filter

How to Configure AppleTalk Route Filtering

AppleTalk Outgoing Routing Information Filter Example

How to Configure AppleTalk Device Hiding Filtering

Before you begin, make sure that filtering support is enabled for AppleTalk in NIASCFG. Otherwise, filtering will not work.

To configure AppleTalk device hiding filtering, complete the following steps:

Load FILTCFG, then select the following parameter path:

Select Configure AppleTalk Filters > Device Hiding Filters

Select Action and toggle the choice to show or hide the devices listed in the filter list.

This specifies the action taken when an NBP reply packet matches a filter in the filter list. If you specify to show the devices, the AppleTalk router forwards only the NBP replies that match a filter in the filter list. If you specify to hide the devices, the AppleTalk router discards all NBP replies that match a filter in the filter list.

Select Filters .

This displays a list of filters that hide or show devices, depending on the setting of the Action parameter. The name, type, device location, and user location are listed for each device filter.

Modify the filter list.

Select a filter from the list and press Enter to modify the filter or Del to remove it. Press Ins to add a new filter.

If you are modifying an existing filter or adding a filter, specify the following parameters in the Define Filter menu:

Device Name ---Enter an NBP name of up to 32 characters.

Keep the default (=) to select all NBP names. An AppleTalk device advertises itself on the network according to the Device Name and Device Type values.

Device Type ---Press Enter and select from a list of defined AppleTalk NBP device types, or press Ins to add a new NBP type with the following information:
Device Type ---Enter a text string of up to 32 characters.

Comment ---Enter an optional short description.

Device Location Type ---Specify where the filtered device is located from the following choices: <Any> (the default), Interface , Interface Group , Non-extended Network , Multiple/Extended Network, Zone , or AURP Tunnel .
Select <Any> to select all device locations to show or hide all devices to the user location.

Device Location ---Specify the following parameters, based on what you selected for Device Location Type :
<Any > or AURP Tunnel ---This field cannot be edited.

Interface ---Press Enter , then select a specific interface on which you want to filter the service. You can select a LAN interface, a WAN interface, the internal network, or all interfaces. The default is All Interfaces .

Interface Group ---Press Enter , then select a network interface group from the list.

Non-extended Network ---Press Enter , then type a network number to identify the nonextended network in which the filtered device is located.

Multiple/Extended Networks ---Press Enter , then type the start and end network numbers for the extended network in which the filtered device is located. The start number must be greater than zero, and the end number must be greater than or equal to the start value.

You can enter a specific extended network, or a range of extended and nonextended networks. For example, for networks 1-9, 10, 11-20, 21-30, specifying an extended range of 1-30 will filter all devices in the 1-9, 10, 11-20, and 21-30 extended networks.

Zone ---Press Enter , then type the name of the AppleTalk zone in which the filtered device is located.

Device Circuit ---If you selected a WAN circuit, press Enter to modify the following optional circuit information:
Local Frame Relay DLCI # (for frame relay)---The DLCI circuit number used for calls.

Remote System ID (for PPP, X.25, ISDN, or ATM)---The name of the remote system server or remote peer associated with this circuit.

Circuit Parameter Type (for X.25 or ATM)---The type of virtual circuit used to establish a connection.

Remote DTE Address (for X.25)---The X.121 DTE address assigned to the specific remote DTE.

Remote ATM Address (for ATM)---The address assigned to the specific remote ATM.

User Location Type ---Select a location type from one of the following choices: <Any> (the default), Interface , Interface Group , Non-extended Network , Multiple/Extended Network , Zone , or AURP Tunnel . Select <Any> if you do not know the location of the device or if the network location does not matter.

User Location ---Specify the locations of the users whose access to the devices must be controlled. Specify one of the following, based on what you selected for User Location Type :
<Any > or AURP Tunnel ---This field cannot be edited.

Interface ---Press Enter , then select a specific interface on which you want to filter the service. You can select a LAN interface, a WAN interface, the internal network, or all interfaces. The default is All Interfaces .

Interface Group ---Press Enter , then select a network interface group from the list.

Non-extended Network ---Press Enter , then type a network number to identify the nonextended network in which the filtered device is located.

Multiple/Extended Networks ---Press Enter , then type the start and end network numbers for the extended network in which the filtered device is located. The start number must be greater than zero, and the end number must be greater than or equal to the start value.

You can enter a specific extended network, or a range of extended and nonextended networks. For example, for networks 1-9, 10, 11-20, 21-30, specifying an extended range of 1-30 will filter all devices in the 1-9, 10, 11-20, and 21-30 extended networks.

Zone ---Press Enter , then type the name of the AppleTalk zone in which the filtered device is located.

User Circuit ---If you selected a WAN interface, press Enter to modify the following optional circuit information:
Local Frame Relay DLCI # (for frame relay)---The DLCI circuit number used for calls.

Remote System ID (for PPP, X.25, ISDN, or ATM)---The name of the remote system server or remote peer associated with this circuit.

Circuit Parameter Type (for X.25 or ATM)---The type of virtual circuit used to establish a connection.

Remote DTE Address (for X.25)---The X.121 DTE address assigned to the specific remote DTE.

Remote ATM Address (for ATM)---The address assigned to the specific remote ATM.

Comment ---Enter an optional short description.

Press Esc and save the filter information.

Select Exceptions .

This lists the exceptions to the device filter list. Depending on the Action parameter setting, devices that match a filter on this list are always or are never permitted or denied, even if another filter is configured to do the opposite.

Modify the exceptions list.

Select a filter from the list and press Enter to modify the filter or Del to remove it. Press Ins to add a new filter. Refer to Step 4 and Step 5 to modify or add a filter to the exceptions list.

Select Status and toggle the choice to read Enabled or Disabled .

All configured filters immediately become active (enabled) or inactive (disabled).

Press Esc to save the information and return to the Configure AppleTalk Filters menu.

Example AppleTalk Device Hiding Filter

FigureFigure 7 shows the internetwork topology for an organization with an FDDI backbone connecting several departments within the organization and a link to external networks. Routers A and C connect the departmental networks to the backbone. In general, users can communicate freely across the internetwork. However, access to printers within the Accounting department is restricted.

Figure 7
AppleTalk Device Hiding Filter Example

All networks within the Accounting department are in Zone Accounting. A device hiding filter on Router C stops access from specific areas to the LaserWriter* printers within the Accounting zone.

When configuring this example, set the parameters as shown in Table 7.

Table 7. Parameters for AppleTalk Device Hiding Filter Example

Parameter	Value
Action	Deny
Device Name	= (for all NBP names)
Device Type	LaserWriter
Device Location Type	Zone
Device Location	Accounting
User Location Type	Interface
User Location	FDDI Backbone-Interface connecting to FDDI
User Circuit	All Circuits

How to Configure AppleTalk Route Filtering

Before you begin, make sure that filtering support is enabled for AppleTalk in NIASCFG. Otherwise, filtering will not work.

To configure AppleTalk routing information filtering for incoming (or outgoing) route filters, complete the following steps:

Load FILTCFG, then select the following parameter path:

Select Configure AppleTalk Filters > Incoming Route Filters (or Outgoing Route Filters )

Select Action and toggle the choice to permit or deny the routes listed in the filter list.

This specifies the action taken with a route that appears in the filter list. If you select to permit routes, the AppleTalk router accepts (or advertises) only the routes from (or to) the networks in the filter list. If you select to deny routes, the AppleTalk router does not accept (or advertise) specific routes from (or to) specific networks in the filter list, but does accept (or advertise) all other entries in the routing table.

Select Filters .

This lists the filters that are permitted or denied, according to the Action parameter setting.

Modify the filter list.

Select a filter from the list and press Enter to modify the filter or Del to remove it. Press Ins to add a new filter.

If you are modifying an existing filter or adding a filter, specify the following parameters in the Define Filter menu:

Route to Network (or Route to Network or Zone )---Select All Routes , Non-extended Network , Multiple/Extended Network , or Zone as the type of route or network to be filtered.

Network Number/Range ---Enter a network number or a network range, depending on whether you selected a nonextended or an extended network. If you select an extended network, you can enter a single extended network or a range of extended and nonextended networks.

Zone Name (Outgoing only)---Enter the zone name of the AppleTalk zone to be filtered.

Source (or Destination ) Type ---Press Enter and select Interface , Interface Group , or AURP Tunnel .

Source (or Destination )---Press Enter and select the interface or interface group from the list. This option does not apply for an AURP tunnel.
If you specified Interface as the Source Type , select a specific interface on which you want to filter the service. You can select a LAN interface, a WAN interface, the internal network, or all interfaces. The default is All Interfaces .

Source (or Destination ) Circuit ---If you selected a WAN circuit, press Enter to modify the following optional circuit information:
Local Frame Relay DLCI # (for frame relay)---The DLCI circuit number used for calls.

Remote System ID (for PPP, X.25, ISDN, or ATM)---The name of the remote system server or remote peer associated with this circuit.

Circuit Parameter Type (for X.25 or ATM)---The type of virtual circuit used to establish a connection.

Remote DTE Address (for X.25)---The X.121 DTE address assigned to the specific remote DTE.

Remote ATM Address (for ATM)---The address assigned to the specific remote ATM.

Comment ---Enter an optional short description.

Press Esc and save the filter information.

Select Exceptions .

This lists the exceptions to the filter list. Depending on the Action parameter setting, routes that match a filter on this list are always or are never permitted or denied, even if another filter is configured to do the opposite.

Modify the exceptions list.

Select a filter from the list and press Enter to modify the filter or Del to remove it. Press Ins to add a new filter. Refer to Step 4 and Step 5 to modify or add a filter.

Select Status and toggle the choice to read Enabled or Disabled .

Any configured filters immediately become active (enabled) or inactive (disabled).

Press Esc to save the information and return to the Configure AppleTalk Filters menu.

AppleTalk Outgoing Routing Information Filter Example

In the following example, the Accounting department is connected to the FDDI backbone by Router C. One of the AppleTalk networks within Accounting is 165-170. Because access to this network from outside the Accounting department is not required, the administrator has chosen not to propagate a route to this network outside the Accounting department. Figure 8 shows the internetwork topology.

NOTE: When you configure a filter for a primary WAN call, an equivalent filter is automatically generated for the backup call. If the primary call should fail, the backup call is automatically connected.

Figure 8
AppleTalk Routing Information Filter Example

Extended network 165-170 can be hidden from the rest of the organization if an outgoing route filter is configured on Router C.

The route being hidden from the rest of the network is extended network 165-170. Router C's connection to the departments outside Accounting is through the FDDI backbone. The destination from which to hide the Accounting network is most easily defined as the interface to the backbone. Note that no node or server in the internetwork can see the Accounting network 165-170. However, nodes in Accounting can see the internetwork routes, but cannot see any devices on the internetwork.

When configuring this example, set the parameters as shown in Table 8.

Table 8. Parameters for AppleTalk Routing Information Filter Example

Parameter	Value
Action	Deny
Filtered Route: Route to Network or Zone	. Multiple/Extended Network
Network Number/Range	165-170
Destination Type Destination	Interface FDDI