Configuring an AppleTalk Remote
Access Server

This chapter describes how to configure your communication server to act as an AppleTalk Remote Access server. It does not describe how to configure or use the client Macintosh. Refer to Apple Computer's AppleTalk Remote Access User's Guide for information about how to use AppleTalk Remote Access software on your Macintosh.

Cisco's Implementation

Cisco's implementation of AppleTalk Remote Access connectivity gives Macintosh users direct access to information and resources at a remote location. Macintosh users can connect to another Macintosh computer or AppleTalk network over standard telephone lines: For example, if you have a PowerBook at home and need to get a file from your Macintosh at the office, AppleTalk Remote Access software can make the connection between your home and office computers.

You can configure your communication server to act as an AppleTalk Remote Access server by enabling AppleTalk and AppleTalk Remote Access Protocol (ARAP). Configuring your communication server to act as an AppleTalk Remote Access server allows remote Macintosh users to dial in, become a network node, and connect to devices on other networks. ARAP support on the communication server is transparent to the Macintosh end user.

The following Macintosh and communication server software support is required for AppleTalk Remote Access connectivity:

• A Macintosh running AppleTalk Remote Access software and a connection control language (CCL) script.

• A communication server configured as an AppleTalk Remote Access server.

Figure 1-1 shows how your communication server can act as an AppleTalk Remote Access server between remote Macintosh computers (in Figure 1-1, a Macintosh SE and a PowerBook) and devices on another network.

AppleTalk Remote Access Protocol (ARAP)

Enabling ARAP on your communication server allows it to support ARAP on the Macintosh and, therefore, to act as an AppleTalk Remote Access server.

AppleTalk

AppleTalk is a client-server, or distributed, protocol. AppleTalk users share network resources, such as files and printers, with other users. Interactions with different servers are transparent to users, because the computer determines the location of the requested material and accesses it without requesting information from the user.

AppleTalk identifies several network entities, starting with a node. A node is any device connected to an AppleTalk network. The most common nodes are Macintosh computers and laser printers, but many other types of computers are also capable of AppleTalk communication, including IBM PCs, Digital VAX/VMS systems, and a variety of workstations. A Cisco communication server, which provides only one network interface, is considered a node on the network. In the section, the term router refers to any device that routes AppleTalk packets.

The next entity defined by AppleTalk is a network. An AppleTalk network is a single logical cable. Finally, an AppleTalk zone is a logical group of one or more (possibly noncontiguous) networks.

Apple Computer has produced a variety of internetworking products with which to connect AppleTalk local-area networks.Apple supports Ethernet, Token Ring, Fiber Distributed Data Interface (FDDI), and its own proprietary twisted-pair media access system (called LocalTalk).

Figure 1-2 compares the AppleTalk protocols with the standard seven-layer OSI model and illustrates how AppleTalk works with a variety of physical and link access mechanisms.

The Cisco AppleTalk implementation provides the following standard services, in addition to the ability to transmit any AppleTalk packet:

• AppleTalk Address Resolution Protocol (AARP)

• Datagram Delivery Protocol (DDP)

• Name Binding Protocol (NBP)

• AppleTalk Echo Protocol (AEP)

• AppleTalk Transaction Protocol (ATP)

• Zone Information Protocol (ZIP)

The DDP and AARP protocols provide end-to-end connectivity between internetworked nodes. NBP maps network names to AppleTalk internet addresses. NBP relies on ZIP to help determine which networks belong to which zones. File and print access is provided through AFP and PAP, respectively, which work with applications such as AppleShare and print servers.

The Cisco AppleTalk implementation also includes the following enhancements:

• Support for EtherTalk 1.2 and EtherTalk 2.0

• Support for serial protocols, including SMDS, Frame Relay, X.25, and HDLC

• Configurable protocol constants

• No software limits on the number of zones

• MacTCP support via the MacIP server

• NBP proxy service providing compatibility between AppleTalk Phase 1 and AppleTalk Phase 2

• Access control support to allow filtering of zones, routing data, and packets

• Integrated node name support to simplify AppleTalk management

• Interactive access to AEP and NBP provided via the ping command

• Support for both configured (called seed) and discovered configuration

• Responder support used by Inter·Poll and other network monitoring packages

AppleTalk, like many network protocols, makes no provision for network security. The AppleTalk protocol architecture requires that security measures be executed at higher application levels. The communication server software supports AppleTalk network access lists, providing filters at the packet level.

Extended (Phase 2) versus Nonextended (Phase 1) AppleTalk

AppleTalk was designed for local work groups. With the installation of over 1.5 million Macintosh computers in the first five years of the product's life, Apple found that some large corporations were exceeding the design limits of AppleTalk. Apple's solution was to create extended AppleTalk. The extended AppleTalk architecture increases the number of nodes per AppleTalk internetwork to over 16 million and an unlimited number of zones per cable.

The introduction of the extended AppleTalk architecture also introduced the concept of nonextended and extended networks. Nonextended AppleTalk networks are sometimes called "Phase 1," and extended networks are called "Phase 2." Nonextended networks refer to the nonextended AppleTalk Ethernet 1.0 networks (no longer supported by Apple but still supported by Cisco), and to the nonextended serial line-based networks, including those configured using X.25 and LocalTalk.

Extended networks refer to the extended AppleTalk-compliant networks configured on Ethernet (EtherTalk 2.0) and Token Ring media. Examples of nonextended and extended AppleTalk network configurations can be found in the section "Configuration Examples" later in this chapter.

The AppleTalk extended-network architecture provides extensions compatible with nonextended AppleTalk internetworks. The AppleTalk extended architecture was designed to remove the previous limits of 254 concurrently active AppleTalk nodes per cable, as well as the previous limit of one AppleTalk zone per cable. Extended AppleTalk contains better algorithms for choosing the best routers for traffic and is designed to minimize the amount of broadcast traffic generated for routing updates.

Another important feature in extended AppleTalk is the ability of a single AppleTalk cable to be assigned more than one network number. The size of the range of network numbers assigned to a cable determines the maximum number of concurrently active AppleTalk devices that can be supported on that cable, which is 254 devices per network number.

Nonextended AppleTalk Addressing

AppleTalk addresses are 24 bits long. They consist of two components: a 16-bit network number and an 8-bit node number. The Cisco AppleTalk software parses and displays these addresses as a sequence of two decimal numbers, first the network number, then the node number, separated by a period. For example, node 45 on network 3 is written as 3.45. A node is any AppleTalk-compatible device attached to the network. Each enabled AppleTalk interface on a router is a node on its connected network.

AppleTalk Zones

When a router is used to join two or more AppleTalk networks into an internetwork, the component physical networks remain independent of each other. A network manager may assign nodes on each physical network to a conceptual grouping known as a zone.

There are two main reasons to create zones in an AppleTalk internetwork: to simplify the process of locating and selecting network devices, and to allow for the creation of departmental work groups that may exist on several different and possibly geographically separated networks.

For example, consider a large AppleTalk internetwork that contains hundreds or thousands of shared resources and devices. Without a method of dividing this large number of resources and devices into smaller groups of devices, a user might have to scroll through hundreds or thousands of node names in the Chooser to select the one node to be used. By creating small conceptual groups of nodes, users can choose the resources they need much more quickly and easily than if they were sorting through a very long list of names.

A zone can include many networks that need not be located together physically. A zone is not limited by geographical area. The partitioning afforded by zone names is conceptual, not physical.

The network manager defines zones when he or she configures a router. For nonextended networks, each AppleTalk-configured interface must be associated with exactly one zone name, and for extended networks, each AppleTalk-configured interface can be associated with one or more zone names. Until a zone name has been assigned, AppleTalk capability is disabled for that interface. The section "Configure AppleTalk" later in this chapter describes the subcommands to use in the zone-naming process.

Name Binding Protocol (NBP)

The Name Binding Protocol (NBP) maps network entity names to internetwork addresses. It allows users to specify descriptive or symbolic names; software processes refer to numerical addresses for the same entities. With NBP, almost all user-level programs respond to names instead of numbers. When users select an AppleTalk device, they are using the NBP protocol to translate the device's entity name to the entity's network address. Numerical addresses dynamically assigned to nodes are primarily used by the router software and by network managers in the ping process.

NBP provides four basic services for binding names to nodes and zones:

• Name registration

• Name deletion

• Name lookup

• Name confirmation

The nature of the AppleTalk addressing scheme is inherently volatile, and node addresses change frequently. Therefore, NBP associates numerical addresses with aliases that continue to reference the correct address if the address changes.

Zone Information Protocol (ZIP)

NBP uses the Zone Information Protocol (ZIP) to determine which networks belong to which zones. A router uses ZIP to maintain the network-number-to-zone-name mapping of the AppleTalk internet.

Each communication server or router maintains a data structure known as the zone information table (ZIT). The table provides a listing of network numbers for each network in every zone. Each entry is a tuple (an inseparable network number-hop number set) that matches a network number with a zone name as supplied by the network manager.

Dynamic Configuration (Discovery Mode)

AppleTalk supports dynamic configuration. Not all fields of an AppleTalk address need to be specified to configure an AppleTalk router. If there is another AppleTalk communication server or router on the network, it might be able to supply the network number and zone name. A preconfigured router on an AppleTalk network acts as a seed router or communication server, responding to configuration queries from other nodes on its network.

Seed routers come up and verify the configuration with an operational router. If the configuration is valid, they start functioning. Seed routers come up even if no other routers are on the network. On the other hand, a nonseed router must first communicate with a seed router before it can begin operation. A nonseed router must obtain and verify the configuration with another functioning router. The configuration of the nonseed router must match exactly with the configuration of the seed router for the nonseed router to function.

An end node always behaves in a manner similar to discovery mode. It uses any previous configuration as a starting point for initialization.

Unspecified parts of the AppleTalk address are entered as zero. Table 1-1 illustrates AppleTalk addresses that feature unspecified addressing.

As long as one fully configured communication server or router exists on a physical network segment (or cable), other routers directly attached to that cable can use discovery mode to determine their configuration; they can take their information from an operational communication server or router. However, once the configuration process has stabilized for a particular AppleTalk internet, all communication servers and routers thereafter should be configured as seed routers. Note that synchronous X.25 network interfaces must be explicitly configured on each communication server or router to be used as AppleTalk transports.

Node address information is maintained by tables appropriate to the media (usually AARP tables).

Extended AppleTalk Addressing

AppleTalk addresses, as explained in the section "Nonextended AppleTalk Addressing" earlier in this chapter, are composed of a 16-bit network and an 8-bit node number. In nonextended AppleTalk, nodes within a single cable can communicate using only their
8-bit node numbers.

A node in extended AppleTalk is always identified by its network and node number. Dynamic address resolution when a communication server or router is not present includes the assignment of a random network number within a small range, as well as a node number. When a communication server or router is present in the network, a node starts up using its newly acquired address for a short period of time. It then immediately requests the range of valid network numbers from an operational router. The node then uses this to determine its actual AppleTalk address by selecting an unassigned address.

A new concept of cable ranges is introduced with the extended AppleTalk. Ranges of network numbers and multiple zones that can exist on cables, so a node can access any device that is in any of the zones that are on the same cable as the node itself. But the node can exist in only one zone and on only one network.

In an extended AppleTalk network, the mapping of a physical cable to a zone name is no longer valid. End nodes are expected to know the zone to which they belong or to choose from the list of available zones provided by a router. The router maintains a default zone that new nodes will use automatically if they have not chosen a zone previously.

AppleTalk Name Registration

Cisco communication servers and routers with active AppleTalk interfaces register each interface separately. A unique interface name is generated by appending the interface type name and unit number to the communication server or router name. For example, if a communication server is named mycommserver and has AppleTalk enabled on Ethernet 0 in zone Engineering, the NBP registered name will be as follows:

mycommserver.Ethernet0:ciscoRouter@Engineering

The NBP name is deregistered in the event that AppleTalk is disabled on an interface by configuration or due to interface errors.

Registering each interface on the communication server provides the AppleTalk site administrator with a positive indication that the communication server and router is properly configured and operating.

One name is registered per interface; other service types are registered once for every zone name on the communication server. The following display output from the show apple nbp command shows that each interface is uniquely identified, but that only one SNMP Agent is generated per zone.

  Net Adr Skt Name                    Type            Zone
 4042   8 254 brown.Ethernet0         ciscoRouter				  Engineering
 4028   8 254 brown.Async1          	  ciscoRouter  Engineering

AppleTalk Responder Support

The communication server answers AppleTalk responder requests. The listener is installed on the AppleTalk interface name registration socket.

The response packet generated supplies the bootstrap firmware version string, followed by the router operating software version string. These are displayed in the position of the Macintosh system version and the Macintosh printer driver version, respectively, in such applications as Apple's Inter·Poll.

The response packet contains strings similar to those displayed by the show version EXEC command.

The information returned is as follows:

• The system bootstrap version (ROM version).

• The currently running software version.

• The AppleTalk version--This always indicates 56, which is the first Apple Macintosh version that contained AppleTalk Phase 2 support.

• The AppleTalk responder version--This always displays 100, which indicates support of Version 1.0 responder packets.

• Finally, the communication server reports that AppleShare is not installed.

Figure 1-3 illustrates a typical output display for Inter·Poll that lists this information.

Task Overview

To set up your communication server as an ARAP server, complete the following tasks:

• Connect cables (page 1-10)

• Configure the line and the modem (page 1-12)

• Configure AppleTalk (page 1-13)

The following tasks are optional:

• Customize ARAP (page 1-16)

• Customize the AppleTalk configuration (page 1-19)

• Configure system security (page 1-24)

• Monitor and debug an AppleTalk Remote Access server (page 1-27)

Connect Cables

Figure 1-4 shows how to connect a Macintosh directly to the communication server and how to connect a Macintosh by means of internal and external modems. The directly connected Macintosh can be used as a terminal from which you can configure the communication server.

Figure 1-5 shows the pins of a Mini 8 connector, the pins of a DB-25 connector, and how they are connected.

Table 1-2 explains the pin functions.

Configure the Line and the Modem

Configure the line on the communication server as follows:

• Specify line speed--38400 bps on high-speed modems is recommended

• Set hardware flow control--use the flowcontrol hardware command to enable hardware flow control

• Specify your dial-in type--use the modem inout command to configure the line for both incoming and outgoing calls, or use the modem ri-is-cd command to configure the line for incoming calls only

Configure the modem as follows:

• Set hardware flow control

• Disable software flow control (XON/XOFF)

• Disable echo

• Set quiet mode (that is, prevent the modem from responding to commands)

• Set auto-answer to answer on 1 ring (2 rings are required in Germany)

• Set modem so that DSR follows CD

• Reset to nonvolatile random-access memory (NVRAM) when DTR drops

If your modem does not support this configuration, see the Communication Server Configuration and Reference for information about configuring a line to support your modem.

Configure AppleTalk

To configure ARAP on your communication server, you need to enable AppleTalk, configure an AppleTalk interface, and enable ARAP. This section describes each task.

Enable AppleTalk Service

To perform the following task in global configuration mode:

Configure an AppleTalk Interface

You can manually configure an interface for AppleTalk or, if an interface is connected to a network that has at least one other communication server or router configured for AppleTalk, you can dynamically configure the interface using discovery mode.

If the internet already exists, the zone and cable range must match the existing configuration. To identify existing cable ranges and zone names, configure the communication server for discovery mode.

You can also configure an AppleTalk interface on a segment for which there are no AppleTalk routers.

Manual Interface Configuration

To manually configure an interface for extended AppleTalk, perform the following tasks:

If you assign more than one zone name, the first name you assign is the default zone.

You can define up to 255 unique zone names.

After you assign the address and zone name(s), the interface will attempt to verify them with another operational communication servers or routers on the connected network. If there are any discrepancies, the interface will not become operational. If there are no neighboring operational communication servers or routers, the communication server will assume the configuration is correct, and the interface will become operational.

Dynamic Interface Configuration

If an AppleTalk interface is connected to a network that has at least one other operational AppleTalk router or communication server, you can dynamically configure the interface using discovery mode. In discovery mode, an interface acquires information about the attached network from an operational communication server or router and then uses this information to configure itself. Once the interface has been configured, you can stabilize the interface by setting the dynamically acquired information.

Using discovery mode to configure interfaces saves time if the network numbers, cable ranges, or zone names change. You need to make the changes on only one operational communication server or router.

Discovery mode is useful when you are changing a network configuration or when you are adding a communication server to an existing network.

If there is no operational communication server or router on the attached network, you must manually configure the interface as described in the previous sections. Also, if a discovery-mode interface is restarted, another operational communication server or router must be present before the interface will become operational.

An interface that is not configured for discovery mode starts up as follows. The communication server acquires its configuration from memory. If the interface is not configured with the appletalk address or appletalk cable-range command and the appletalk zone command, the interface will not start up. If the interface is configured, the interface will attempt to verify the stored configuration with another communication server or router on the attached network. If there is any discrepancy, the interface will not start up. If there are no neighboring operational communication servers or routers, the communication server will assume the stored configuration is correct, and the interface will become operational.

Using discovery mode does not affect an interface's ability to respond to configuration queries from other communication servers on the connected network once the interface becomes operational.

When activating discovery mode, you do not need to assign a zone name. The interface will acquire the zone name from another interface.

Caution Do not enable discovery mode on all of the communication servers and routers on a network. If you do and all communication servers restart simultaneously (for instance, after a power failure), the network will be inaccessible until you manually configure at least one communication server.

You can activate discovery mode on an extended interface in one of two ways, depending on whether you know the cable range of the attached network.

In the first method, you immediately put the interface into discovery mode by specifying a cable range of 0-0. Use this method when you do not know the network number of the attached network. To do configure an interface for discovery mode using the first method, perform the following tasks:

In the second method, you first assign cable ranges and then explicitly enable discovery mode. Use this method when you know the cable range of the attached network. To configure an interface for discovery mode using the second method, perform the following tasks:

Configuring a Segment That Has No Routers

You can also configure an AppleTalk interface on a LAN segment that does not have any AppleTalk routers by performing the following tasks:

Note that you cannot use discovery mode for this configuration.

Enable ARAP

To enable ARAP on a line, perform the following tasks:

Customize ARAP

The commands in this section can be used to customize ARAP support. Some of the described in this section are required for certain configurations. Possible functions include the following:

• Configure automatic protocol startup (page 1-17)

• Set a dedicated ARAP line (page 1-17)

• Set the session time limit (page 1-17)

• Set the disconnect warning time (page 1-18)

• Disallow guests (page 1-18)

• Control access (page 1-18)

Configure Automatic Protocol Startup

To configure the communication server to automatically start an ARAP session, perform the following tasks in global configuration mode:

The autoselect command allows the communication server to automatically start an appropriate process when a starting character is received. The communication server detects either a Return character, which is the start character for an EXEC session, or the start character for ARAP.

This command is required for all ARAP-enabled lines that are not configured as dedicated ARAP lines and that are not configured for TACACS logins.

Set a Dedicated ARAP Line

To set a line to function only as an AppleTalk Remote Access connection, perform the following task in line configuration mode:

Alternatives are to set the line for autoselect or TACACS logins.

Set the Session Time Limit

To set the maximum length of an ARAP session for a line, perform the following task in line configuration mode:

The default is to have unlimited length connections. This task is optional.

Set the Disconnect Warning Time

To configure when to display a disconnect warning, perform the following task in line configuration mode:

This command is only valid if a session time limit is set.

Disallow Guests

A guest is a person who connects to the network without having to give a name or a password. To prohibit Macintosh guests from logging on through the communication server, perform the following task in line configuration mode:

Caution Do not enter the arap noguest command if TACACS is enabled.

Control Access

You can control Macintosh access to zones and networks by using arap commands to reference access control lists configured using AppleTalk access-list commands.

To control what zones the Macintosh user will see, perform the following task in line configuration mode:

To control traffic from the Macintosh to networks, perform the following task in line configuration mode:

Customize the AppleTalk Configuration

To customize the AppleTalk configuration, complete the following tasks:

• Disable checksum generation and verification (page 1-19)

• Configure MacIP (page 1-19)

• Control Access to AppleTalk Networks (page 1-22)

This section describes how to perform these configuration tasks.

Figure 1-6 shows a configuration in which a communication server acting as an AppleTalk Remote Access server is serving a local network that is not connected to an internet.

Disable Checksum Generation and Verification

By default, the communication server generates checksums for all ARAP traffic that requests them. You might want to disable checksum generation and verification is if you have an older LaserWriter printer or other device that cannot receive packets with checksums.

To disable checksum generation and verification, perform the following global configuration task:

Configure MacIP

The communication server implements MacIP, a protocol that routes IP datagrams to IP clients using AppleTalk Datagram Delivery Protocol (DDP) low-level encapsulation. MacIP allows the communication server to assign an ID number to a Macintosh computer that dials in. The ID number allows the Macintosh computer to run MacTCP applications.

Cisco communication servers implement the MacIP address management and routing services described in the draft Internet RFC, A Standard for the Transmission of Internet Packets over AppleTalk Networks. This implementation of MacIP conforms to the September 1991 draft RFC with the following exceptions:

• Communication servers do not fragment IP datagrams that exceed the DDP MTU and that are bound for DDP clients of MacIP.

• Communication servers do not route to DDP clients outside of configured MacIP client ranges.

MacIP is required to provide access to IP network servers for those users. It is also required for environments in which Macintosh users use AppleTalk Remote Access or are connected to the network using LocalTalk or PhoneNet cabling systems.

MacIP services also can be useful when you are managing IP address allocations for a large, dynamic Macintosh population. There are several advantages to using MacIP in this situation:

• Macintosh TCP/IP drivers can be configured in a completely standard way, regardless of the location of the Macintosh. Essentially, the dynamic properties of AppleTalk address management become available for IP address allocation.

• You can modify all global parameters, such as IP subnet mask, DNS services, and default routers. Macintosh IP users receive the updates by restarting their local TCP/IP drivers.

• The network administrator can monitor MacIP address allocations and packet statistics remotely by using the Telnet application to attach to the communication server console. This allows central administration of IP allocations in remote locations. For Internet sites, it allows remote technical assistance.

However, there is an important disadvantage in implementing MacIP on a communication server: Memory usage in the communication server increases in direct proportion to the total number of active MacIP clients (about 80 bytes per client).

To configure MacIP on the Cisco communication server, AppleTalk must be configured on the communication server as follows:

• AppleTalk must be enabled.

• IP must be enabled.

• The MacIP zone name you configure must be associated with a configured or seeded zone name.

• If you are using MacIP to allow Macintosh computers to communicate with IP hosts on the same LAN segment (that is, the Macintosh computers are on the Cisco interface on which MacIP is configured) and the IP hosts have extended IP access lists, these access lists should include entries to permit IP traffic destined for these IP hosts (from the MacIP addresses). If these entries are not present, packets destined for IP hosts on the local segment will be blocked (that is, they will not be forwarded).

When setting up MacIP routing, keep the following address-range issues in mind:

• Static and dynamic resource statements are cumulative, and you can specify as many as necessary. However, if possible, you should specify a single all-inclusive range rather than several adjacent ranges. For example, specifying the range 131.108.121.1 to 131.108.121.10 is preferable to specifying the ranges 131.108.121.1 to 131.108.121.5 and 131.108.121.6 to 131.108.121.10.

• Overlapping resource ranges (for example, 131.108.121.1 to 131.108.121.5 and 131.108.121.5 to 131.108.121.10) are not allowed. If it is necessary to change a range in a running server, use the no form of the resource address assignment command (such as the no appletalk macip dynamic zone server-zone command) to delete the original range, followed by the corrected range statement.

• You can add IP address allocations to a running server at any time as long as the new address range does not overlap with one of the current ranges.

To configure MacIP, perform the following tasks:

Step 1: Establish a MacIP server for a specific zone.

Step 2: Allocate IP addresses for Macintosh users by specifying at least one dynamic or static resource address assignment command for each MacIP server.

To establish a MacIP server for a specific zone, perform the following global configuration task:

A MacIP server is not registered using NBP until at least one MacIP resource is configured.

Dynamic clients are those that accept any IP address assignment within the dynamic range specified. Dynamic addresses are for users who do not require a fixed address, but can be assigned addresses from a pool.

To allocate IP addresses for Macintosh users if you are using dynamic addresses, perform the following global configuration task:

For an example of configuring MacIP with dynamic addresses, see the section "Configuring MacIP."

Static addresses are for users who require fixed addresses for IP DNS services and for administrators who do not want addresses to change so they always know the IP addresses of the devices on their network.

To allocate IP addresses for Macintosh users if you are using static addresses, perform the following global configuration task:

For an example of configuring MacIP with static addresses, see the section
"Configuring MacIP."

In general, you should not use fragmented address ranges in configuring ranges for MacIP. However, if this is unavoidable, use the appletalk macip dynamic command to specify as many addresses or ranges as required, and use the appletalk macip static command to assign a specific address or address range.

Control Access to AppleTalk Networks

An access list is a list of AppleTalk network numbers or zones that is maintained by the communication server and used to control access to or from specific zones or networks.

The communication server supports two general types of AppleTalk access lists:

• AppleTalk-style access lists, which are based on AppleTalk zones

• IP-style access lists, which are based on network numbers

AppleTalk-style access lists use zone names to regulate access to the internetwork. Zone names are good control points, because they are the only network-level abstraction that users can access. You can express zones names either explicitly or by using generalized argument keywords.Thus, using AppleTalk access lists simplifies network management and allows for greater flexibility when adding segments because reconfiguration requirements are minimal.

The main advantage of AppleTalk-style access lists is that they allow you to define access regardless of the existing network topology or any changes in future topologies--because they are based on zones. A zone access list is effectively a dynamic list of network numbers. The user specifies a zone name but the effect is as if the user had specified all the network numbers belonging to that zone.

IP-style access lists control network access based on network numbers. This feature is useful for defining access lists that control the disposition of networks that overlap, are contained by, or exactly match a specific network number range.

You can combine zone and network entries in a single access list. Network filtering is performed first, then zone filtering is applied to the result. However, for optimal performance, access lists should not include both zones and numeric network entries.

There are two types of filters you can use on AppleTalk networks:

• Data packet filters

• GetZoneList (GZL) filters

AppleTalk network access control differs from that of other protocols in that the order of the entries in an access list is unimportant. However, there are still some constraints you need to keep in mind when defining access lists:

• You must design and type access list entries properly to ensure that entries do not overlap each other. An example of an overlap is if you were to enter a "permit network xxx" command and then enter a "deny network xxx" command. If you do enter entries that overlap, the last one you entered overwrites and removes the previous one from the access list. In the example earlier in this paragraph, this means that the "permit network" statement would be removed from the access list when you typed the "deny network" statement.

• Each access list always has a method for handling packets that do not satisfy any of the access control statements in the access list.

To explicitly specify how you want these packets to be handled, use the access-list other-access command when defining access conditions for networks and cable ranges, and use the access-list additional-zones command when defining access conditions for zones. If you use one of these commands, it does not matter where in the list you put it: The router software automatically puts the access-list other-access or access-list additional-zones command at the end of the access list. (With other protocols, you must type the equivalent commands last.)

If you do not explicitly specify how to handle packets that do not satisfy any of the access control statements in the access list, the packets are automatically denied access and, in the case of data packets, are discarded.

You perform the following tasks to control access to AppleTalk networks. These tasks are described in the sections that follow.

• Create access lists.

• Create filters.

Create Access Lists

An access list defines the conditions used to filter packets sent out of the interface. (These conditions are sometimes also used to filter incoming packets.) Each access list is identified by a number. All access-list commands that specify the same access list number create a single access list.

A single access list can contain any number and any combination of access-list commands. You can include network and cable range access-list commands and zone access-list commands in the same access list. However, you can only specify one each of the commands that specify default actions to take if none of the access conditions are matched (that is, a single access list can include only one access-list other-access command to handle networks and cable ranges that do not match the access conditions and only one access-list additional-zones command to handle zones that do not match the access conditions).

To create access lists that define access conditions for networks and cable ranges, perform one or more of the following tasks in global configuration mode:

The access list number can be a decimal value from 600 to 699.

To create access lists that define access conditions for zones, perform one or more of the following tasks in global configuration mode:

The access list number can be a decimal value from 600 to 699.

Configure System Security

Two types of security can be used on your communication server when it is acting as an AppleTalk Remote Access server:

• Internal user authentication, with username and password information stored on the communication server

• TACACS user authentication, with username and password information stored on a TACACS server

Configure Internal Username Authentication

To configure your communication server for internal username authentication, perform the following task in global configuration mode:

Enter this information for each supported user.

Configure TACACS Security

You can use TACACS security if you have configured a TACACS server and have a CCL script that allows you to use TACACS security. This section tells you how modify your CCL script so that you can use TACACS security and how to configure a line to use a TACACS server for user authentication.

Modifying Scripts to Support TACACS

To use AppleTalk Remote Access with TACACS, you must modify your CCL scripts. For a number of popular modems, Cisco provides CCL files that you can use to modify your CCL scripts to support TACACS security. This section explains how to use the CCL files provided by Cisco to modify AppleTalk Remote Access CCL scripts to work with TACACS security.

Cisco recommends using the Appletalk Remote Access Modem Toolkit provided through the AppleTalk Programmers and Developers Association (APDA); it provides both syntax checking and a script player.

Appletalk Remote Access CCL scripts are primarily used to work with modems to make connections to remote machines. When the connection has been established, the script ends and the Appletalk Remote Access Protocol is activated. TACACS authentication occurs after the connection is established but before the protocol becomes active.

Insert TACACS logic just before the end of a script. The CCL TACACS logic performs the following user authentication tasks:

• When the "Username:" prompt is transmitted from the communications server, the user's name is obtained from the Macintosh and sent to the TACACS server.

• When the "Password:" prompt is transmitted, the user's password is obtained from the Macintosh and sent to the TACACS server.

• After a successful login, indicated by an EXEC prompt at communication server, the EXEC arap command is sent.

The script ends and the Appletalk Remote Access Protocol begins.

CCL scripts control logical flow by jumping to labels. The labels are the numbers 1 through 128, and will not necessarily be in sequential order in the script file. The TACACS logic in CCL files provided by Cisco have label numbers from 100 through 127. In most environments, copy the complete TACACS logic from an existing file.

The steps for creating a new TACACS CCL file are as follows:

Step 1: Copy the TACACS logic from the CCL file provided by Cisco into the file being modified.

Step 2: Locate the logical end of the script and insert the command jump 100.

Copying the TACACS Logic

In most cases, you can simply insert the TACACS logic at the appropriate place in your CCL script. The one case that requires extra attention is when the original CCL script has labels that conflict with the Cisco logic. The labels must be resolved on a case-by-case basis, usually by changing the label numbers used by the original script. This is a fairly simple programming job, but you should read and understand the manual that comes with the Modem Toolkit before beginning.

Locating the Logical End of the Script

You can locate the logical end of the script by following its flow. Most scripts have the following basic structure:

• Initialize the modem

• Dial the number

• After connection, display what the connection speed is

• Exit

The characteristic logical end of the script is as follows:

@label N
! N is any integer between 1 and 128
if ANSWER N+1
! If we're answering the phone, jump directly
! to the label N+1
pause 30
! We're not answering the phone, therefore we
! must be calling. Wait three seconds for the
! modems to sync up.
@label N+1
exit 0
! quit and start up ARAP

It is common in this case to replace "pause 30" with "jump 100." In fact, this is usually the only change made to the logic of the original script.

Configuring TACACS Server User Authentication

To configure a line to use a TACACS server for user authentication, perform the following tasks:

Figure 1-7 shows the TACACS login screen on the Macintosh.

Figure 1-8 shows the TACACS password screen on the Macintosh.

Monitor and Debug an AppleTalk Remote Access Server

To display information about a running ARAP connection, perform the following task in privileged EXEC mode (reached by entering the enable command and a password):

The show arap command with no arguments displays a summary of ARAP traffic since the communication server was last booted. The show arap command with a specified line number displays information about the connection on that line.

Monitor the AppleTalk Network

The communication server software provides several commands you can use to monitor an AppleTalk network. In addition, you can use Apple Computer's Inter·Poll, which is a tool to verify that a communication server is configured and operating properly. Use the commands described in this section to monitor an AppleTalk network using both communication server commands and Inter·Poll.

To monitor the AppleTalk network, perform one or more of the following tasks:

Debug the AppleTalk Remote Access Server

To debug ARAP connections, perform the following tasks in privileged EXEC mode:

Configuration Examples

This section contains examples of ARAP configuration on the communication server.

Configuring an Extended AppleTalk Network

The following example configures the interface for an extended AppleTalk network. It defines the zones Orange and Brown. The cable range of one allows compatibility with nonextended AppleTalk networks.

appletalk service
interface ethernet 0
appletalk cable-range 69-69 69.128
appletalk zone Orange
appletalk zone Brown

Configuring an Extended Network in Discovery Mode

The following example configures an extended network in discovery mode.
In Figure 1-9, communication server A provides the zone and network number information to the interface when it starts.

appletalk service
interface ethernet 0
appletalk cable-range 0-0 0.0

Configuring ARAP

The following example configures the communication server for ARAP support, as described in the comments (lines beginning with an exclamation point (!)).

! Enable AppleTalk on the communication server
appletalk service	
!
interface Ethernet 0
ip address 128.66.1.1 255.255.255.0
!
! On interface Ethernet 0, assign network number 103 to the physical cable and
! assign zone name "Marketing Lab" to the interface. Assign a zone name if 
! you are creating a new AppleTalk internet. If the internet already exists,
! the zone and cable range must match exactly, or you can leave the cable
! range at 0 to enter discovery mode. The suggested AppleTalk
! address for the interface in this example is 103.1
interface Ethernet 0
appletalk cable-range 103-103 103.1
appletalk zone Marketing Lab
! Configure a username and password for the communication server. 
username jake password sesame
! On lines 4 through 8, InOut modems are specified, the lines are configured
! to automatically start an EXEC session or enable AppleTalk, AppleTalk Remote ! Access Protocol is enabled, the modem speed is specified as 38400 bps, and ! hardware flow control is enabled.
line 4 8
modem InOut
autoselect
arap enabled
speed 38400
flowcontrol hardware

Note that must set your terminal emulator to match the speed that you set for the line.

Expanding the Cable Range

In the following example, the cable range is changed and the zone name is reentered.

The initial configuration is as follows:

appletalk cable-range 100-103
appletalk zone Twilight Zone

The cable range is expanded as follows:

appletalk cable-range 100-109

At this point, you must reenter the zone name as follows:

appletalk zone Twilight Zone

Configuring MacIP

The following example illustrates MacIP support for dynamically addressed MacIP clients with dynamically allocated IP addresses in the range 131.108.8.2 to 131.108.8.10:

! Specify server address and zone
appletalk macip server 131.108.8.1 zone Snark
! Specify dynamically addressed clients
appletalk macip dynamic 131.108.8.2 131.108.8.10 zone Snark
!
! Assign the address and subnet mask for Ethernet interface 0
interface ethernet 0
ip address 131.108.8.1 255.255.255.0
!
! Enable AppleTalk service
appletalk service
!
interface ethernet 0
appletalk cable range 69-69 69.128
appletalk zone Snark
!
! Specify server address and zone
appletalk macip server 131.108.8.1 zone Snark
!
! Specify dynamically addressed clients
appletalk macip dynamic 131.108.8.2 131.108.8.10 zone Snark

The following example illustrates MacIP support for MacIP clients with statically allocated IP addresses:

! Assign the address and subnet mask for Ethernet interface 0
interface ethernet 0
ip address 131.108.8.1 255.255.255.0
!
! Enable AppleTalk 
appletalk service
!
interface ethernet 0
appletalk cable range 69-69 69.128
appletalk zone Snark
! Specify the server address and zone
appletalk macip server 131.108.8.1 zone Snark
!
Specify statically addressed clients
appletalk macip static 131.108.8.11 131.108.8.20 zone Snark
appletalk macip static 131.108.8.31 zone Snark
appletalk macip static 131.108.8.41 zone Snark
appletalk macip static 131.108.8.49 zone Snark

Configuring TACACS Username Authentication

In the following example, line 1 is configured for ARAP and username authentication will be performed on a TACACS server.

line 1
login tacacs
arap enable

Caution Do not use the autoselect command if TACACS is enabled.

Configuring a Dedicated ARAP Line

In the following example, line 2 is configured as a dedicated ARAP line, user authentication information is configured on the AppleTalk Remote Access server, and guests are disallowed from making ARAP sessions.

username jsmith password woof
line 2
arap dedicated
arap noguest

Configuring a Multiuse Line

In the following configuration, ARAP is enabled on lines 2 through 16, username authentication is configured on the AppleTalk Remote Access server, and the lines are configured to automatically start an ARAP session when an AppleTalk Remote Access user on a Macintosh attempts a connection.

username jsmith password woof
line 2 16
autoselect 
arap enabled
arap noguest

Configuring an AppleTalk Remote Access Server

The following example shows the steps required to set up ARAP functionality on a communication server.

Log into the communication server, use the enable command to enter your password if one is set, use the configure command to enter configuration mode, and add the following commands to your configuration:

appletalk service
interface ethernet 0
appletalk cable-range 0-0 0.0
! sets 500-CS into discovery mode
line 5 6
modem inout
speed 38400
arap enabled
autoselect

If you already know the cable-range and the zone names you need, include the information in the configuration file. If you do not know this information, let the communication server learn about the AppleTalk network in discovery mode. The communication server will monitor to the line for a few minutes. Then log in and enable configuration mode. Show the configuration again (using the show config command), and note the
appletalk cable-range and appletalk zone variables. Manually add the information in those two entries, add any user accounts, and save the configuration.

appletalk cable-range 105-105 105.222
appletalk zone Marketing Lab
! Do not use quotation marks in this entry
username arauser password arapasswd
! Add as many users as you need

Finally, show the configuration again (using the show config command) to make sure the configuration is correct.

Setting up a Telebit T-3000 Modem

The following example describes how to set up a Telebit T-3000 modem that you are attaching to a 500-CS communication server, which supports hardware flow control. The Macintosh will use a CCL script to configure the attached modem.

Start with the modem at factory defaults. (AT&F9 is the preferred configuration for hardware flow control. Use the direct command if you have a terminal attached to the modem, or use the T/D Reset sequence described in Chapter 3 of the Telebit T-3000 manual to reset the modem to the &F9 defaults.)

Attach a hardware flow control-capable cable between the modem and the device with which you are configuring the modem. (At this point, the modem is in hardware flow control mode, with auto-baudrate-recognition, and can detect your speed between 300 and 38,400 bps at 8-N-1. However, the modem must receive the flow control signals from the device to which you have the modem attached.)

Send the modem the following commands:

ATS51=6 E0 Q1 S0=2 &D3 &R3 S58=2 &W

This sequence tells the modem to perform the following tasks:

• Lock your DTE interface speed to 38,400 bps.

• Turn "command echo" off.

• Do not send any result codes.

• Auto-answer on the second ring (Germany requires this, but elsewhere you can set it to answer on the first ring with "s0=1".)

• When DTR is toggled, reset to the settings in NVRAM.

• CTS is always enabled if hardware flow control is disabled.

• Use full-duplex RTS/CTS flow control.

• Write these settings to NVRAM.

At this point, if you press the carriage return or type characters, you will not see any characters on your screen because the result codes are turned off.You can determine that the modem is functioning by obtaining a list of its configuration registers by entering the following command:

AT&V

After the modem is configured, connect it to the communication server with a
modem-to-RJ45 adapter (Cisco Part Number: CAB-5MODCM) and an RJ-45 cable to the lines(s) that you plan to use.

The following commands are compatible with the Telebit 3000 settings described in this section:

arap enable
autoselect
no escape-character
flowcontol hardware
modem ri-is-cd
speed 38400

If you are attaching a Telebit T-3000 modem to an ASM-CS communication server, use an RJ-11 adapter and a straight cable. See the ASM-CS Hardware Installation and Maintenance publication.

Command Reference

This section provides a full description of the commands presented in this chapter, including command syntax and usage guidelines. Commands are presented in alphabetical order.

access-list additional-zones

To define the default action for access checks that apply to zones, use the access-list additional-zones global configuration command.

Syntax Description

Default

To deny other access

Command Mode

Global configuration

Usage Guidelines

The access-list additional-zones command defines the action to take for access checks not explicitly defined with the access-list zone command. If you do not specify this command, the default action is to deny other access.

Example

The following example creates an access list based on AppleTalk zones:

access-list 610 deny zone Twilight
access-list 610 permit additional-zones

Related Commands

access-list cable-range
access-list includes
access-list network
access-list other-access
access-list within
access-list zones

access-list cable-range

To define an AppleTalk access list for a cable range (for extended networks only), use the access-list cable-range global configuration command. To remove an access list, use the no form of this command.

Syntax Description

Default

None

Command Mode

Global configuration

Usage Guidelines

The access-list cable-range command affects matching on extended networks only. The conditions defined by this access list are used only when the packet's cable range exactly matches the cable range specified in the access-list network command. The conditions are never used to match a network number (for a nonextended network) even if the cable range has the same starting and ending number as the nonextended network number.

To delete an access list, specify the minimum number of keywords and arguments needed to delete the proper access list. For example, to delete the entire access list, use the following command:

To delete the access list for a specific network, use the following command:

Example

The access list created by the following commands allows all packets to be forwarded except those destined to cable range 10 to 20:

access-list 600 deny cable-range 10-20
access-list 600 permit other-access

Related Commands

access-list additional-zones
access-list network
access-list includes
access-list other-access
access-list within
access-list zone

access-list includes

To define an AppleTalk access list that overlaps any part of a range of network numbers or cable ranges (for both extended and nonextended networks), use the access-list includes global configuration command. To remove an access list, use the no form of this command.

Syntax Description

Default

None

Command Mode

Global configuration

Usage Guidelines

The access-list includes command affects matching on extended and nonextended AppleTalk networks. The conditions defined by this access list are used when the packet's cable range or network number overlaps, either partially or completely, one (or more) of those specified in the access-list network command.

To delete an access list, specify the minimum number of keywords and arguments needed to delete the proper access list. For example, to delete the entire access list, use the following command:

To delete the access list for a specific network, use the following command:

Example

The following example defines an access list that permits access to packets destined to any nonextended or extended network whose network number or cable range overlaps any part of the range 10 to 20. This means, for example, that packets whose cable ranges are 13 to 16 and 17 to 25 will be forwarded. This access list also allows all other packets to be forwarded.

access-list 600 permit includes 10-20
access-list 600 permit other-access

Related Commands

access-list additional-zones
access-list cable-range
access-list network
access-list other-access
access-list within
access-list zone

access-list network

To define an AppleTalk access list for a single network number (that is, for a nonextended network), use the access-list network global configuration command. To remove an access list, use the no form of this command.

Syntax Description

Default

None

Command Mode

Global configuration

Usage Guidelines

The access-list network command affects matching on nonextended networks only. The conditions defined by this access list are used only when the packet's network number matches a network number specified in one of the access-list network commands. The conditions are never used to match a cable range (for an extended network) even if the cable range has the same starting and ending number.

Use the no access-list command with the access-list number only to remove an entire access list from the configuration. Specify the optional arguments to remove a particular network.

To delete an access list, specify the minimum number of keywords and arguments needed to delete the desired access list. For example, to delete an entire access list, use the following command:

To delete the access list for a specific network, use the following command:

Example

The following example defines an access list that forwards all packets except those destined for networks 1 and 2:

access-list 650 deny network 1
access-list 650 deny network 2
access-list 650 permit other-access

Related Commands

access-list additional-zones
access-list cable-range
access-list includes
access-list other-access
access-list within
access-list zone

access-list other-access

To define the default action to take for access checks that apply to networks or cable ranges, use the access-list other-access global configuration command.

Syntax Description

Default

To deny other access

Command Mode

Global configuration

Usage Guidelines

The access-list other-access command defines the action to take for access checks not explicitly defined with an access-list network, access-list cable-range, access-list includes, or access-list within command. If you do not specify this command, the default action is to deny other access.

Example

The following example defines an access list that forwards all packets except those destined for networks 1 and 2:

access-list 650 deny network 1
access-list 650 deny network 2
access-list 650 permit other-access

Related Commands

access-list additional-zones
access-list cable-range
access-list includes
access-list network
access-list within
access-list zone

access-list within

To define an AppleTalk access list for an extended or a nonextended network whose network number or cable range is included entirely within the specified cable range, use the access-list within global configuration command. To remove this access list, use the no form of this command.

Syntax Description

Default

None

Command Mode

Global configuration

Usage Guidelines

The access-list within command affects matching on extended and nonextended AppleTalk networks. The conditions defined by this access list are used when the packet's cable range or network number is completely included in one (or more) of those specified in the access-list network command.

To delete an access list, specify the minimum number of keywords and arguments needed to delete the desired access list. For example, to delete the entire access list, use the following command:

To delete the access list for a specific network, use the following command:

Example

The following example defines an access list that permits access to packets destined to any nonextended or extended network whose network number or cable range is completely included in the range 10 to 20. This means, for example, that packets whose cable range is 13 to 16 will be forwarded, but those whose cable range is 17 to 25 will not be forwarded. The second line of the example causes all other packets to be forwarded.

access-list 600 permit within 10-20
access-list 600 permit other-access

Related Commands

access-list additional-zones
access-list cable-range
access-list includes
access-list network
access-list other-access
access-list zone

access-list zone

To define an AppleTalk access list that applies to a zone, use the access-list zone global configuration command. To remove an access list, use the no form of this command.

Syntax Description

Default

None

Command Mode

Global configuration

Usage Guidelines

To delete an access list, specify the minimum number of keywords and arguments needed to delete the proper access list. For example, to delete the entire access list, use the following command:

To delete the access list for a specific network, use the following command:

Use the access-list additional-zones command to define the action to take for access checks not explicitly defined with the access-list zone command.

Example

The following example creates an access list based on AppleTalk zones:

access-list 610 deny zone Twilight
access-list 610 permit additional-zones

Related Commands

access-list additional-zones
access-list cable-range
access-list includes
access-list network
access-list other-access
access-list within

appletalk address

To enable nonextended AppleTalk on an interface, use the appletalk address interface configuration command. To disable nonextended AppleTalk, use the no form of this command.

Syntax Description

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

You must enable AppleTalk on the interface before assigning zone names.

Specifying an address of 0.0, 0.node, or network.0 puts the interface into discovery mode. When in this mode, the communication server attempts to determine network address information from another communication server or router on the network. You also can enable discovery mode with the appletalk discovery command. Note that discovery mode does not run over synchronous serial lines.

Example

The following example enables nonextended AppleTalk on Ethernet interface 0:

appletalk service
interface ether 0 
appletalk address 1.129

Related Commands

appletalk cable-range
appletalk discovery
appletalk zone

appletalk cable-range

To assign a range of networks to a cable, use the appletalk cable-range interface subcommand. Use the no form of this command to disable a cable-range setting.

Syntax Description

Default

Disabled (no appletalk cable-range)

Type

Interface subcommand

Usage Guidelines

The communication server needs both a valid cable range and a zone list to use AppleTalk. This command must be entered before the appletalk zone command.

Whenever you change the cable range, the communication server clears the internal zone list and you must enter a new zone list.

Configure the communication server for discovery mode if you want to find out what the current cable range is. To configure the communication server for discovery mode, use the appletalk cable-range 0-0 0.0 command. This causes the communication server to learn about the AppleTalk network. After saving the command in your configuration file, log back in and enable configuration mode. When you display the configuration, will see the AppleTalk cable range and the AppleTalk zone variables. Then, add those two entries to the configuration and save the configuration file.

Example

The following example shows how to use discovery mode:

appletalk service
interface ether 0
appletalk cable-range 0-0 0.0
line 5 6
modem inout
speed 38400
arap enabled
autoselect

After you learn the cable range values, add them to the configuration file. For example:

appletalk cable-range 105-105 105.222
appletalk zone Marketing
username arauser password arapasswd

This example assigns a cable range of 2-2 to the interface:

interface async 1
appletalk cable-range 2-2

Related Command

appletalk zone

appletalk checksum

To enable the generation and verification of checksums for all AppleTalk packets, use the appletalk checksum global configuration command. To disable checksum generation and verification, use the no form of this command.

Syntax Description

This command has no arguments or keywords.

Default

Enabled

Command Mode

Global

Usage Guidelines

When the appletalk checksum command is enabled, the communication server discards incoming DDP packets when the checksum is nonzero and is incorrect and when the communication server is the final destination for the packet.

You might want to disable checksum generation and verification if you have older LaserWriter printers or other devices that cannot receive packets that contain checksums.

Example

The following example disables the generation and verification of checksums:

no appletalk checksum

Related Command

show appletalk global

appletalk discovery

To put an interface into discovery mode, use the appletalk discovery interface configuration command. To disable discovery mode, use the no form of this command.

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

If an interface is connected to a network that has at least one other operational AppleTalk communication server or router, you can dynamically configure the interface using discovery mode. In discovery mode, an interface acquires network address information about the attached network from an operational communication server or router and then uses this information to configure itself.

If you enable discovery mode on an interface, that interface must configure itself by acquiring information from another operational communication server or router on the attached network when the communication server is starting up that interface. If no operational communication server or router is present on the connected network, the interface will not start up.

If you do not enable discovery mode, the interface must acquire its configuration from memory when the communication server is starting up. If the stored configuration is not complete, the interface will not start up. If there is another operational communication server on the connected network, the communication server will verify the stored interface configuration with that communication server. If there is any discrepancy, the interface will not start up. If there are no neighboring operational communication servers, the communication server will assume the stored interface configuration is correct and will start up.

Once an interface is operational, it can seed the configurations of other communication servers on the connected network regardless of whether you have enabled discovery mode on any of the communication servers.

If you enable appletalk discovery and the interface is restarted, you must have another operational communication server or router on the directly connected network or the interface will not start up.

It is not advisable to have all communication servers and routers on a network configured with discovery mode enabled. If all communication servers were to restart simultaneously (for instance, after a power failure), the network would become inaccessible until at least one communication server or router were restarted with discovery mode disabled.

You also can enable discovery mode by specifying an address of 0.0. in the appletalk address command or a cable range of 0-0 in the appletalk cable-range command.

Discovery mode is useful when you are changing a network configuration or when you are adding a communication server to an existing network.

Discovery mode does not run over synchronous serial lines.

Use the no appletalk discovery command to disable discovery mode and allow the interface to be a seed port. If the interface is not operational when you issue this command, you must configure the zone name before the interface will be operational. If you are reconfiguring an operational interface by issuing the no appletalk discovery command, the command will have no effect because the network configuration is already established.

Example

The following example enables discovery mode on Ethernet interface 0:

interface ethernet 0
appletalk cable-range 0-0
appletalk discovery

Related Commands

appletalk address
appletalk cable-range
appletalk zone
show appletalk interface

appletalk macip dynamic

To allocate IP addresses to dynamic MacIP clients, use the appletalk macip dynamic global configuration command. To delete a MacIP dynamic address assignment, use the no form of this command.

Syntax Description

Default

None

Command Mode

Global

Usage Guidelines

Use the appletalk macip dynamic command when configuring MacIP.

Dynamic clients are those that accept any IP address assignment within the dynamic range specified.

In general, it is recommended that you do not use fragmented address ranges in configuring ranges for MacIP. However, if this is unavoidable, use the appletalk macip dynamic command to specify as many addresses or ranges as required and use the appletalk macip static command to assign a specific address or address range.

To shut down all running MacIP services, use the following command:

To delete a particular dynamic address assignment from the configuration, use the following command:

Example

The following example illustrates MacIP support for dynamically addressed MacIP clients with IP addresses in the range 131.108.1.28 to 131.108.1.44.

! This global statement specifies the MacIP server address and zone:
appletalk macip server 131.108.1.27 zone Engineering
!
! This global statement identifies the dynamically addressed clients:
appletalk macip dynamic 131.108.1.28 131.108.1.44 zone Engineering
!
! These statements assign the IP address and subnet mask for Ethernet
! interface 0:
interface ether 0
ip address 131.108.1.27 255.255.255.0
!
! This global statement enables AppleTalk on the communication server.
appletalk service
!
! These statements enable AppleTalk on the interface and 
! set the zone name for the interface 
interface ether 0
appletalk cable-range 69-69 69.128
appletalk zone Engineering

Related Commands

appletalk macip server
appletalk macip static
ip address (See the Communication Server Configuration and Reference publication.)
show appletalk macip-servers

appletalk macip server

To establish a MacIP server for a zone, use the appletalk macip server global configuration command. To shut down a MACIP server, use the no form of this command.

Syntax Description

Default

None

Command Mode

Global

Usage Guidelines

Use the appletalk macip server command when configuring MacIP.

You can configure multiple MacIP servers for a communication server, but you can assign only one MacIP server to a particular zone and only one IP interface to each MacIP server. In general, you must be able to establish an alias between the IP address you assign with the appletalk macip server command and an existing IP interface. For implementation simplicity, it is suggested that the address specified in this command match an existing IP interface address.

A MacIP server is not registered using NBP until at least one MacIP resource is configured.

To shut down all active MacIP servers, use the following command:

To delete a specific MacIP server from the MacIP configuration, use the following command:

Example

The following example establishes a MacIP server on Ethernet interface 0 in AppleTalk zone Engineering. It then assigns an IP address to the Ethernet interface and enables AppleTalk on the communication server and the Ethernet interface.

appletalk macip server 131.108.1.27 zone Engineering
ip address 131.108.1.27 255.255.255.0
appletalk service
interface ether 0
appletalk cable-range 69-69 69.128
appletalk zone Engineering

Related Commands

appletalk macip dynamic
appletalk macip static
ip address (See the Communication Server Configuration and Reference publication.)
show appletalk macip-servers

appletalk macip static

To allocate an IP address to be used by a MacIP client that has reserved a static IP address, use the appletalk macip static global configuration command. To delete a MacIP static address assignment, use the no form of this command.

Syntax Description

Default

None

Command Mode

Global

Usage Guidelines

Use the appletalk macip static command when configuring MacIP.

Static addresses are for users who require fixed addresses for IP name domain name service and for administrators who do want addresses to change so they can always know who has what IP address.

In general, it is recommended that you do not use fragmented address ranges in configuring ranges for MacIP. However, if this is unavoidable, use the appletalk macip dynamic command to specify as many addresses or ranges as required, and then use the appletalk macip static command to assign a specific address or address range.

To shut down all running MacIP services, use the following command:

To delete a particular static address assignment from the configuration, use the following command:

Example

The following example illustrates MacIP support for MacIP clients with statically allocated IP addresses. The IP addresses range is from 131.108.1.50 to 131.108.1.66. The three nodes that have the specific addresses are 131.108.1.81, 131.108.1.92, and 131.108.1.101.

! This global statement specifies the MacIP server address and zone:
appletalk macip server 131.108.1.27 zone Engineering
!
! These global statements identify the statically addressed clients:
appletalk macip static 131.108.1.50 131.108.1.66 zone Engineering
appletalk macip static 131.108.1.81 zone Engineering
appletalk macip static 131.108.1.92 zone Engineering
appletalk macip static 131.108.1.101 zone Engineering
!
! These statements assign the IP address and subnet mask for Ethernet
! interface 0:
interface ether 0 
ip address 131.108.1.27 255.255.255.0
!
! This global statement enables AppleTalk on the communication server.
appletalk service
!
! These statements enable AppleTalk on the interface and 
! set the zone name for the interface 
interface ethernet 0
appletalk cable-range 69-69 69.128
appletalk zone Engineering

Related Commands

appletalk macip dynamic
appletalk macip server
ip address (See the Communication Server Configuration and Reference publication.)
show appletalk macip-servers

appletalk service

To enable AppleTalk connections, use the appletalk service global configuration command. To disable AppleTalk, use the no form of this command.

Syntax Description

This command has no arguments or keywords.

Default

Disabled (no appletalk service)

Type

Global

Example

The following example enables AppleTalk protocol processing on the communication server:

appletalk service

Related Commands

appletalk cable-range
appletalk zone

appletalk zone

To set the zone name for the connected AppleTalk network, use the appletalk zone interface subcommand. To delete a zone, use the no form of this command.

Syntax Description

Default

None

Type

Interface subcommand

Usage Guidelines

The communication server needs both a valid cable range and zone list to use AppleTalk.

The appletalk zone command accepts spaces in zone names. Do not use quotation marks in the command entry. When you have completed the entry, use the show config command to display the configuration file.

The appletalk cable-range command must be entered before the appletalk zone command.

The first zone specified in the list is the default zone.

The no form of the command deletes a zone name from a zone list or, if you do not specify a zone name, it deletes the entire zone list. Before configuring a new zone list, delete any existing zone-name list using the no appletalk zone interface subcommand.

The internal zone list is cleared automatically when you issue an appletalk cable-range command. The list also is cleared if you issue the appletalk zone command on an existing network.

Changing the Zone List

AppleTalk communication servers maintain a complete list of zone names and associated network numbers. AppleTalk network protocols assume that the list of zones is stable as long as the associated networks remain reachable. The only way to make an old zone name disappear throughout your network is to cause the associated routes to disappear. If you change a zone name and keep the network numbers the same, you might need to wait for the next general power failure for parts of your network to acquire new zone lists and flush the old entry.

Examples

The following example assigns the zone name Twilight to an interface:

interface ether 0
appletalk cable-range 10-20
appletalk zone Twilight

The following example uses a colon and two hexadecimal numbers to specify a Macintosh special character in the zone name Cisco·Zone.

appletalk zone Cisco:A5Zone

Related Commands

appletalk cable-range
show appletalk zone

arap dedicated

To configure a line to be used only as an ARAP connection, use the arap dedicated line. Use the no form of the command to return the line to interactive mode.

Syntax Description

This command has no arguments or keywords.

Default

Disabled (no arap dedicated)

Type

Line subcommand

Example

The following example configures line 3 to be used only for ARAP connections:

line 3 
arap dedicated

arap enable

To enable ARAP for a line, use the arap enable command. Use the no form of this command to disable ARAP.

Syntax Description

This command has no arguments or keywords.

Default

Disabled (no arap enable)

Type

Line subcommand

Example

The following example enables ARAP on a line:

line 3 
arap enable

Related Command

autoselect

arap logging

To enable logging of user names and addresses each time a new AppleTalk Remote Access Protocol session starts, use the arap logging command.

Syntax Description

This command has no arguments or keywords.

Default

Disabled (no arap logging)

Type

Global

Example

The following example enables AppleTalk Remote Access Protocol logging: 

arap logging

Related Command

logging (See the Communication Server Configuration and Reference publication.)

arap net-access-list

To control Macintosh control access to networks, use the arap net-access-list command. Use the no form of this command to return to the default setting.

Syntax Description

Default

Disabled. The Macintosh has access to all networks.

Usage Guidelines

You can use the arap net-access-list command to apply access lists defined by the access-list cable-range, access-list includes, access-list network, access-list within, and access-list other-access commands.

You cannot use the arap net-access list command to apply access lists defined by the access-list zone and access-list additional-zones commands.

Example

In the following example, ARAP is enabled on line 3 and the Macintosh will have access to the AppleTalk access list numbered 650.

line 3
arap enable
arap net-access-list 650

Related Commands

arap zonelist zone-access-list-number
access-list list {permit | deny} network
access-list list {permit | deny} cable-range
access-list list {permit | deny} includes
access-list list {permit | deny} within
access-list list {permit | deny} other-access

arap noguest

To prevent Macintosh guests from logging on to the communication server, use the arap noguest command. Use the no form of this command to remove this restriction.

Syntax Description

This command has no arguments or keywords.

Default

Disabled (no arap noguest)

Type

Line subcommand

Usage Guidelines

A guest is a person who connects to the network without having to give a name or a password.

Caution Do not use the arap noguest command if TACACS is enabled.

Example

The following example prohibits guests from logging in to the communication server:

line 3
arap enable
arap noguest

arap timelimit

To set the maximum length of an ARAP session for a line, use the arap timelimit command. Use the no form of the command to return to the default of unlimited session length.

Syntax Description

Default

Unlimited session length

Type

Line subcommand

Usage Guidelines

After the specified length of time, the session will be terminated.

Example

The following example specifies a maximum length of 20 minutes for ARAP sessions:

line 3
arap enable
arap timelimit 20 

Related Command

arap warningtime

arap warningtime

To set when a disconnect warning message is displayed, use the arap warningtime command. Use the no form of the command to return to disable this function.

Syntax Description

Default

Disabled

Type

Line subcommand

Usage Guidelines

This command can only be used if a session time limit has been configured on the line.

Example

The following example shows a line configured for twenty-minute ARAP sessions, with a warning seventeen minutes after the session is started:

line 3
arap enable
arap dedicated
arap timelimit 20
arap warningtime 3 

Related Command

arap timelimit

arap zonelist

To control what zones the Macintosh client will see, use the arap zonelist command. Use the no form of this command to return to the default setting.

Syntax Description

Default

Disabled. The Macintosh will see all defined zones.

Usage Guidelines

You can use the arap zonelist command to apply access lists defined by the access-list zone and access-list additional-zones command.

You cannot use the arap zonelist command to apply access lists defined by the access-list network command.

Example

In the following example, ARAP is enabled on line 3 and the Macintosh will see only zones permitted by access list 650.

line 3
arap enable
arap zonelist 650

Related Commands

access-list list {permit | deny} zone
access-list list {permit | deny} additional-zones
arap net-access-list net-access-list-number

autoselect

To configure a line to automatically start either an ARAP session or an EXEC session, use the autoselect command. Use the no form of this command to disable this function on a line.

Syntax Description

This command has no arguments or keywords.

Default

Disabled. The default behavior for a line is to ignore any character other than 13, which starts an EXEC session.

Type

Line subcommand

Usage Guidelines

This command eliminates the need for Macintosh users to enter an EXEC command to start an ARAP session. The autoselect command configures the communication server to identify the type of connection being requested. In other words, when a user on a Macintosh running AppleTalk Remote Access presses the "Connect" button, the communication server automatically starts an ARAP session. If, on the other hand, the user is running SLIP or PPP, the communication server starts an EXEC session that requires the user to enter the slip or ppp command to start a session. This command is used on lines used for making different types of connections.

The autoselect command is required on all lines configured with arap enabled, except for lines configured for arap dedicated or lines configured for TACACS logins. The autoselect command should not be used with TACACS. A line that does not have autoselect configured will see an attempt to open an ARAP connection as noise and the communication server will not respond and the user client will time out.

Caution Do not use the autoselect command if TACACS is enabled.

Example

The following example enables ARAP on a line:

line 3
arap enable
autoselect

debug arap

To debug ARAP sessions, use the debug arap command. Use the no form of the command to turn off the debugging function.

Syntax Description

Default

Disabled

Type

Privileged EXEC

Example

The following example activates debugging internal ARAP packets on line 3:

CS# debug arap internal

login tacacs

To configure your communication server to use TACACS user authentication, use the login tacacs command. The no form of the command disables TACACS user authentication for a line.

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Type

Line subcommand

Usage Guidelines

You can use TACACS security if you have configured a TACACS server and you have a CCL script that allows you to use TACACS security. See the "Configure TACACS Security" section for information about using files provided by Cisco to modify CCL scripts to support TACACS user authentication.

Example

In the following example, lines 1 through 16 are configured for TACACS user authentication:

line 1 16
login tacacs

show appletalk arp

To display the entries in the AppleTalk ARP (AARP) cache, use the show appletalk arp EXEC command.

Syntax Description

This command has no arguments or keywords.

Command Mode

EXEC

Usage Guidelines

ARP establishes associates between network addresses and hardware (MAC) addresses. This information is maintained in the communication server's ARP cache.

Sample Display

The following is sample output from the show appletalk arp command:

CS# show appletalk arp
Address      Age (min)  Type      Hardware Addr   Encap     Interface
2000.1               -  Hardware  0000.0c04.1111  SNAP      Ethernet1

Table 1-3 describes the fields shown in the display.

show appletalk interface

To display the status of the AppleTalk interfaces and the parameters configured on each interface, use the show appletalk interface EXEC command.

Syntax Description

Type

EXEC

Usage Guidelines

The show appletalk interface is particularly useful for discovering the status of the interface when you first enable AppleTalk.

Sample Displays

The following is a sample display of the show appletalk interface command output for an AppleTalk network:

CS> show appletalk interface
Ethernet0 is up, line protocol is up
  AppleTalk cable range is 111-111
  AppleTalk address is 111.188, Valid
  AppleTalk zone is Cisco Interop Demo
  AppleTalk port configuration verified by 111.59
  AppleTalk route cache is not supported by hardware

Table 1-4 describes the fields shown in the display as well as some fields not shown but that might also be displayed.

CS# show appletalk interface e0
Ethernet0 is up, line protocol is up
  AppleTalk address is 666.128, Valid
  AppleTalk zone is Underworld

Table 1-5 describes the fields shown in the display.

CS# show appletalk interface brief
Interface   Address     Config        Status/Line Protocol   Atalk Protocol
Ethernet0   10.82       Extended      up                     up
Async 0     unassigned  not config'd  administratively down  n/a

Table 1-6 describes the fields shown in the display.

show appletalk macip-clients

To display status information about all known MacIP clients, use the show appletalk macip-clients EXEC command.

Syntax Description

This command has no arguments or keywords.

Command Mode

EXEC

Sample Display

The following is sample output from the show appletalk macip-clients command:

CS# show appletalk macip-clients
   131.108.199.1@[27001n,69a,72s] 45 secs    'S/W Test Lab'

Table 1-7 describes the fields shown in the display.

Related Command

show appletalk traffic

show appletalk macip-servers

To display status information about a communication server's servers, use the show appletalk macip-servers EXEC command.

Syntax Description

This command has no arguments or keywords.

Command Mode

EXEC

Usage Guidelines

The information in the show appletalk macip-servers display can help you quickly determine the status of your MacIP configuration. In particular, the STATE field can help identify problems in your AppleTalk environment.

Sample Display

The following is sample output from the show appletalk macip-servers command:

CS# show appletalk macip-servers
MACIP SERVER 1, IP 131.108.199.221,  ZONE 'S/W Test Lab' STATE is server_up
Resource #1 DYNAMIC 131.108.199.1-131.108.199.10, 1/10 IP in use
Resource #2 STATIC 131.108.199.11-131.108.199.20, 0/10 IP in use

Table 1-8 describes the fields shown in the display.

The STATE field of the show appletalk macip-servers command indicates the current state of each configured MacIP server. Each server operates according to the finite-state machine table described in Table 1-9. Table 1-10 describes the state functions listed in
Table 1-9. These are the states that are displayed by the show appletalk macip-servers command.

Related Commands

appletalk macip dynamic
appletalk macip server
appletalk macip static
show appletalk interface
show appletalk traffic

show appletalk macip-traffic

To display statistics about MacIP traffic through the communication server, use the show appletalk macip-traffic EXEC command.

Syntax Description

This command has no arguments or keywords.

Command Mode

EXEC

Usage Guidelines

Use the show appletalk macip-traffic command to obtain a detailed breakdown of MacIP traffic that is sent through a communication server from an AppleTalk to an IP network. The output from this command differs from that of the show appletalk traffic command, which shows normal AppleTalk traffic generated, received, or routed by the communication server.

Sample Display

The following is sample output from the show appletalk macip-traffic command:

CS# show appletalk macip-traffic
 -- MACIP Statistics
                  MACIP_DDP_IN:    11062
              MACIP_DDP_IP_OUT:    10984
   MACIP_DDP_NO_CLIENT_SERVICE:       78
                   MACIP_IP_IN:     7619
              MACIP_IP_DDP_OUT:     7619
               MACIP_SERVER_IN:       62
              MACIP_SERVER_OUT:       52
          MACIP_SERVER_BAD_ATP:       10
        MACIP_SERVER_ASSIGN_IN:       26
       MACIP_SERVER_ASSIGN_OUT:       26
          MACIP_SERVER_INFO_IN:       26
         MACIP_SERVER_INFO_OUT:       26

Table 1-11 describes the fields shown in the display.

Related Command

show appletalk traffic

show appletalk traffic

To display statistics about AppleTalk traffic, including MacIP traffic, use the show appletalk traffic EXEC command.

Syntax Description

This command has no arguments or keywords.

Command Mode

EXEC

Usage Guidelines

For MacIP traffic, an IP alias is established for each MacIP client and for the IP address of the MacIP server if it does not match an existing IP interface address. To display the client aliases, use the show ip aliases command.

Sample Display

The following is sample output from the show appletalk traffic command:

CS# show appletalk traffic
AppleTalk statistics:
  Rcvd:  357471 total, 0 checksum errors, 264 bad hop count
         321006 local destination, 0 access denied
         0 for MacIP, 0 bad MacIP, 0 no client
         13510 port disabled, 2437 no listener
         0 ignored, 0 martians
  Bcast: 191881 received, 270406 sent
  Sent:  550293 generated, 66495 forwarded, 1840 fast forwarded
         0 forwarded from MacIP, 0 MacIP failures
         436 encapsulation failed, 0 no route, 0 no source
  DDP:   387265 long, 0 short, 0 macip, 0 bad size
  NBP:   302779 received, 0 invalid, 0 proxies
         57875 replies sent, 59947 forwards, 418674 lookups, 432 failures
  RTMP:  108454 received, 0 requests, 0 invalid, 40189 ignored
         90170 sent, 0 replies
  ATP:   0 received
  ZIP:   13619 received, 33633 sent, 32 netinfo
  Echo:  0 received, 0 discarded, 0 illegal
         0 generated, 0 replies sent
  Responder:  0 received, 0 illegal, 0 unknown
         0 replies sent, 0 failures
  AARP:  85 requests, 149 replies, 100 probes
         84 martians, 0 bad encapsulation, 0 unknown
         278 sent, 0 failures, 29 delays, 315 drops
  Lost:  0 no buffers
  Unknown: 0 packets
  Discarded: 130475 wrong encapsulation, 0 bad SNAP discriminator

Table 1-12 describes the fields shown in the display.

Related Commands

show appletalk macip-traffic
show ip aliases (See the Communication Server Configuration and Reference publication.)

show appletalk zone

To display the entries in the zone information table, use the show appletalk zone EXEC command.

Syntax Description

Command Mode

EXEC

Usage Guidelines

You can use this command on extended and nonextended networks.

A zone name can be associated with multiple network addresses or cable ranges, or both. This means that a zone name will effectively replace multiple network addresses in zone filtering. This is reflected in the output of the show appletalk zone command. For example, the zone named Mt. View 1 in the sample display below is associated with two network numbers and four cable ranges.

Sample Display

The following is sample output from the show appletalk zone command:

CS# show appletalk zone
Name                   Network(s)
Gates of Hell          666-666
Engineering            3 29-29 4042-4042
customer eng           19-19
CISCO IP               4140-4140
Dave's House           3876 3924 5007
Narrow Beam            4013-4013 4023-4023 4037-4037 4038-4038
Low End SW Lab         6160 4172-4172 9555-9555 4160-4160
Tir'n na'Og            199-199
Mt. View 1             7010-7010 7122 7142 7020-7020 7040-7040 7060-7060
Mt. View 2             7152 7050-7050
UDP                    1112-12
Empty Guf              69-69
Light                  80
europe                 2010 3010 3034 5004
Bldg-13                4032 5026 61669 3012 3025 3032 5025 5027
Bldg-17                3004 3024 5002 5006

Table 1-13 describes the fields shown in the display.

CS# show appletalk zone CISCO IP
AppleTalk Zone Information for CISCO IP:
  Valid for nets: 4140-4140
  Not associated with any interface.
  Not associated with any access list.

Table 1-14 describes the fields shown in the display.

Related Command

appletalk zone

show arap

To display information about a running ARAP connection, use the show arap command.

Syntax Description

Default

Disabled

Type

User-level EXEC

Usage Guidelines

Use the show arap command with no arguments to display a summary of the ARAP traffic since the communication server was last booted.

Example

The following example will result in a display of information about ARAP activity on line 3:

CS> enable
Password:
CS# show arap 3