AppleTalk Access List Enhancements

Description

This feature adds functionality and improved performance when using AppleTalk access lists and filters.

The specific AppleTalk access list enhancements include the following:

• Access list fast switching

• Access lists for inbound interfaces

In previous releases of the Cisco IOS software, AppleTalk access lists, with the exception of NBP access lists, could be applied to outbound interfaces only. With this release, access lists can be applied to inbound and outbound interfaces.

• NBP access lists for outbound interfaces

In previous releases of Cisco IOS software, NBP access lists could be applied to inbound interfaces only. With this release, NBP access lists can be applied to inbound and outbound interfaces.

• NBP filter based on NBP packet type:

  • Broadcast Request

  • Forward Request

  • Lookup

  • Lookup Reply

Benefits

AppleTalk access list enhancements offer the following benefits:

• Access list fast switching improves the performance of AppleTalk traffic when access lists are defined on an interface.

• Access lists for inbound interfaces provide greater flexibility in isolating network traffic. For example, using inbound access lists makes it very easy to implement firewalls by filtering all traffic coming in to the network from remote nodes.

• NBP access lists for outbound interfaces provide greater flexibility in creating access lists and designing a routed network.

• NBP filtering based on packet type broadens the choices in creating access lists for AppleTalk networks using NBP.

Platforms

This feature is supported on these platforms:

• Cisco 1003, Cisco 1004

• Cisco 2500 series

• Cisco 4000-M, Cisco 4500-M, Cisco 4700-M

• Cisco 5200 series

• Cisco 7000 series

• Cisco 7200 series

• Cisco 7500 series

Configuration Tasks

This section describes configuration tasks associated with AppleTalk access list enhancements.

Access List Fast Switching

There are no configuration tasks associated with access list fast switching. This feature is automatically installed with the Cisco IOS software.

Apply Access Lists to Inbound Interfaces

To apply an access list to an interface, perform the following task in interface configuration mode:

Task	Command
Apply the data packet filter to the interface.	appletalk access-group access-list-number [in | out]

Apply NBP Access Lists to Outbound Interfaces

Prior to Cisco IOS Release 11.2 F, you could configure only inbound interfaces for NBP access lists. With this release, NBP access lists can be applied to inbound or outbound interfaces. To apply an access list to an interface, perform the following task in interface configuration mode:

Task	Command
Apply the data packet filter to the interface.	appletalk access-group access-list-number [in | out]

---

Note Prior to Cisco IOS Release 11.2 F, all NBP access lists were applied to inbound interfaces by default. Using Cisco IOS 11.2 F, the default interface direction for all access lists, including NBP access lists, is outbound. In order to retain the inbound direction of access lists created with previous Cisco IOS software releases, you must specify an inbound interface for all NBP access lists using the appletalk access-group command.

---

Create NBP Packet Filters

To create an NBP packet filter, perform the following tasks:

Step 1 Create an NBP access list.

Step 2 Apply an NBP filter to an interface.

To create an NBP access list that defines access conditions for NBP packets based on the NBP packet type, from particular NBP named entities, from classes of NBP named entities, or from NBP named entities within particular zones, perform one or both of the following tasks in global configuration mode:

Task	Command
Define access for an NBP packet type, named entity, type of named entity, or named entities within a specific zone.	access-list access-list-number {deny | permit} nbp sequence-number {BrRq | FwdRq | Lookup | LkReply | object string | type string | zone string}
Define the default action to take for access checks that apply to NBP packets.	access-list access-list-number {deny | permit} other-nbps

Refer to the Cisco IOS Release 11.2 Network Protocols Configuration Guide, Part 2, "Configuring AppleTalk" chapter for information on applying an NBP filter to an interface.

Configuration Examples

This section provides sample configurations for applying an access list to an inbound interface and for creating an access list based on NBP packet type.

Inbound Filter Access List Example

The following example defines an inbound filter access list for Ethernet interface 0:

interface ethernet 0
appletalk access-group 600 in

NBP Packet Filter Examples

The following example creates an access list to filter on NBP Lookup Reply packets for all named entities:

access-list 600 deny nbp 1 LkReply
access-list 600 permit other-nbps

The following example creates an access list that denies forwarding of the following:

• All NBP Lookup Reply packets

• NBP packets from the server named Bob's Server

• Packets from all AppleTalk file servers of type AFPServer

• All NBP Lookup Reply packets which contain the specified named entities belonging to the zone twilight

access-list 600 deny nbp 1 LkReply
access-list 600 deny nbp 1 object Bob's Server
access-list 600 deny nbp 1 type AFPServer
access-list 600 deny nbp 1 zone twilight
access-list 600 permit other-nbps

Command Reference

This section documents modified commands. All other commands used with this feature are documented in the Cisco IOS Release 11.2 command references. The following commands have been modified as a result of feature enhancements:

• access-list nbp

• appletalk access-group

access-list nbp

To define an AppleTalk access list entry for a particular Name Binding Protocol (NBP) named entity, class of NBP named entities, NBP packet type, or NBP named entities belonging to a specific area, use the access-list nbp global configuration command. To remove an NBP access list entry from the access list, use the no form of this command.

access-list access-list-number {deny | permit} nbp sequence-number {BrRq | FwdRq |
Lookup | LkReply | object string | type string | zone string}
no access-list access-list-number

Syntax Description

access-list-number	Number of the access list. This is a decimal number from 600 to 699.
deny	Denies access if conditions are matched.
permit	Permits access if conditions are matched.
sequence-number	A number used to tie together two or three portions of an NBP name tuple and to keep track of the number of access-list nbp entries in an access list. Each command entry must have a sequence number.
BrRq	Broadcast Request packet type.
FwdRq	Forward Request packet type.
Lookup	Lookup packet type.
LkReply	Lookup Reply packet type.
object	Characterizes string as the portion of an NBP name that identifies a particular object or named entity.
type	Characterizes string as the portion of an NBP name that identifies a category or type of named entity.
zone	Characterizes string as the portion of an NBP name that identifies an AppleTalk zone.
string	A portion of an NBP name identifying the object, type, or zone of a named entity. The name string can be up to 32 characters long, and it can include special characters from the Apple Macintosh character set. To include a special character, type a colon followed by two hexadecimal characters. For an NBP name with a leading space, enter the first character as the special sequence :20.

Default

No particular access list entry for an NBP named entity is defined, and the default filtering specified by the access-list other-nbps command takes effect.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.0.

The access-list nbp command defines the action to take for filtering NBP packets from a particular object (particular named entity), type (class of named entities), or zone (AppleTalk zone in which named entities reside), or for a particular NBP packet type, superseding the default action for NBP packets from all named entities specified by the access-list other-nbps command. For each command that you enter, you must specify a sequence number.

The sequence number serves two purposes:

• Its principal purpose is to allow you to associate two or three portions of an NBP three-part name, referred to as an NBP tuple. To do this, you enter two or three commands having the same sequence number but each specifying a different keyword and NBP name portion: object, type, or zone. The same sequence number binds them together. This provides you with the ability to restrict forwarding of NBP packets at any level, down to a single named entity.

• Its second purpose is to allow you to keep track of the number of access-list nbp entries you have made. You must enter a sequence number even if you do not use it to associate portions of an NBP name.

Examples

The following example adds entries to access list number 607 to allow forwarding of NBP packets from specific sources and deny forwarding of NBP packets from all other sources. The first command adds an entry that allows NBP packets from all printers of type LaserWriter. The second command adds an entry that allows NBP packets from all AppleTalk file servers of type AFPServer. The third command adds an entry that allows NBP packets from all applications called HotShotPaint. For example, there might be an application with a zone name of Accounting and an application with a zone name of engineering, both having the object name of HotShotPaint. NBP packets forwarded from both applications will be allowed.

The access-list other-nbps command denies forwarding of NBP packets from all other sources.

access-list 607 permit nbp 1 type LaserWriter
access-list 607 permit nbp 2 type AFPServer
access-list 607 permit nbp 3 object HotShotPaint
access-list 607 deny other-nbps
access-list 607 permit other-access

The following example adds entries to access list number 608 to deny forwarding of NBP packets from two specific servers whose fully qualified NBP names are specified. It permits forwarding of NBP packets from all other sources.

access-list 608 deny nbp 1 object ServerA
access-list 608 deny nbp 1 type AFPServer
access-list 608 deny nbp 1 zone Bld3
access-list 608 deny nbp 2 object ServerB
access-list 608 deny nbp 2 type AFPServer
access-list 608 deny nbp 2 zone Bld3
access-list 608 permit other-nbps
access-list 608 permit other-access

The following example denies forwarding of NBP Lookup Reply packets for all named entities. It permits forwarding of other NBP packet types from all other sources.

access-list 600 deny nbp 1 LkReply
access-list 600 permit other-nbps
access-list 600 permit other-access

The following example creates an access list that denies forwarding of the following packets:

• All NBP Lookup Reply packets

• NBP packets from the server named Bob's Server

• Packets from all AppleTalk file servers of type AFPServer

• All NBP Lookup Reply packets that contain the specified named entities belonging to the zone twilight

access-list 600 deny nbp 1 LkReply
access-list 600 deny nbp 1 object Bob's Server
access-list 600 deny nbp 1 type AFPServer
access-list 600 deny nbp 1 zone twilight
access-list 600 permit other-nbps
access-list 600 permit other-access

Related Commands

access-list additional-zones
access-list cable-range
access-list includes
access-list network
access-list other-access
access-list other-nbps
access-list within
access-list zone
appletalk access-group
appletalk distribute-list in
appletalk distribute-list out
appletalk getzonelist-filter
priority-list protocol

appletalk access-group

To assign an access list to an interface, use the appletalk access-group interface configuration command. To remove the access list, use the no form of this command.

appletalk access-group access-list-number [in | out]
no appletalk access-group access-list-number

Syntax Description

access-list-number	Number of the access list. This is a decimal number from 600 to 699.
in	(Optional) Filters on incoming packets.
out	(Optional) Filters on outgoing packets. This is the default direction.

Default

No access lists are predefined. The default interface direction is out.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

The appletalk access-group command applies data-packets filter to an inbound or outbound interface. These filters check data packets being received on or sent out an interface. If the source network of the packets has access denied, these packets are not processed but rather are discarded.

When you apply a data-packet filter to an interface, you should ensure that all networks or cable ranges within a zone are governed by the same filters.

Example

The following example applies access list 601 to outbound Ethernet interface 0:

access-list 601 deny cable-range 1-10
access-list 601 permit other-access
interface ethernet 0
appletalk access-group 601

The following example applies access list 600 to inbound Ethernet interface 0:

interface ethernet 0
appletalk access-group 600 in

Related Commands

access-list cable-range
access-list includes
access-list network
access-list other-access
access-list within
appletalk access-group
appletalk distribute-list in
appletalk distribute-list out

What to Do Next

For more information on creating AppleTalk access lists, see the Cisco IOS Release 11.2 Network Protocols Configuration Guide, Part 2.