AIS V3.3 Protocol Config Ref Vol 2

Using AppleTalk Phase 2

This chapter describes the AppleTalk Phase 2 (AP2) configuration commands and includes the following sections:

"Basic Configuration Procedures"
"AppleTalk 2 Zone Filters"
"Sample Configuration Procedures"

Basic Configuration Procedures

This section outlines the initial steps required to get the AppleTalk Phase 2 protocol up and running. Information on how to make further configuration changes will be covered in the command sections of this chapter. For the new configuration changes to take effect, the router must be restarted.

Enabling Router Parameters

When you configure a router to forward AppleTalk Phase 2 packets, you must enable certain parameters regardless of the number or type of interfaces in the router. If you have multiple routers transferring AppleTalk Phase 2 packets, specify these parameters for each router.

Globally Enable AppleTalk Phase 2 - To begin, you must globally enable the AppleTalk Phase 2 software using the AppleTalk Phase 2 configuration enable ap2 command. If the router displays an error in this step, there is no AppleTalk Phase 2 software present in your load. If this is the case, contact your customer service representative.
Enable Specific Interfaces - You must then enable the specific interfaces over which AppleTalk Phase 2 is to send the packets. Use the enable interface interface number command to do this.
Enable Checksumming - You can then determine whether the router will compute DDP checksums of packets it originates. Checksum software does not work correctly in some AppleTalk Phase 2 implementations, so you may not want to originate packets with checksums for compatibility with these implementations. Normally, however, you will want to enable the generation of checksums. Any packet forwarded with a checksum will have its checksum verified.

Setting Network Parameters

You must also specify certain parameters for each network and interface that sends and receives AppleTalk Phase 2 packets. After you have specified the parameters, use the AppleTalk Phase 2 list configuration command to view the results of the configuration.

Set the Network Range for Seed Routers - Coordinating network ranges and zone lists for all routers on a network is simplified by having specific routers designated as seed routers. Seed routers are configured with the network range and zone list while all other routers are given null values. Null values indicate that the router should query the network for values from the seed routers. For every network (segment) of your interconnected AppleTalk internet, at least one router interface must be configured as the seed router for that network. There are usually several seed routers on a network in case one of them fails. Also, a router can be a seed router for some or all of its network interfaces. Use the set net-range command to assign the network range in seed routers.
Set the Starting Node Number - Use the set node command to assign the starting node number for the router. The router will AARP for this node, but if it is already in use, a new node will be chosen.
Add a Zone Name - You can add one or more zone names for each network in the internetwork. You can add a zone name for a given network in any router connected to that network; however, only the seed router needs to contain the zone name information for a connected network. Attached routers dynamically acquire the zone name from adjacent routers using the ZIP protocol. Apple recommends that, for a given network, you choose the same seed router for the network number and the zone name. The zone name cannot be configured for a network unless the network number is also configured. To add a zone name for each network number, use the AppleTalk Phase 2 configuration add zone name command.

AppleTalk over PPP

There are two modes for AppleTalk over PPP, full-router and half-router. In full-router mode, the point-to-point network is visible to other AppleTalk routers. In half-router mode, the point-to-point network is invisible to other routers, but it still transmits AppleTalk routing information and data packets.

To set up your network for full-router mode, give each router on the PPP link a common network number, a common zone name, and a unique node number. If you configure one end of the PPP link with a non-zero network number, you must also configure that end to have a non-zero node number and to have a zone name. In this case, the other end of the link must have either:

The same network number and zone name and a different node number.
Network and node numbers set to zero. The router will learn network and node numbers from the configured router.

To set up your network for half-router mode, configure both routers on the PPP link so that network and node numbers are set to zero and no zone name is used.

AppleTalk 2 Zone Filters

ZoneName filtering, although not required for AppleTalk, is a very desirable feature for the security and administration of large AppleTalk Internetworks. There are also provisions for restricting access to networks by net numbers.

General Information

AppleTalk is structured so that every network is identified in two ways. The first is a network number or range of consecutive network numbers that must be unique throughout the internet. The network number combined with the node number uniquely identifies any end station in the internet.

The second identifier for the network is one or more ZoneNames. These ZoneName strings are not unique throughout the internet. The end station is uniquely identified by a combined object:type:ZoneName-string.

A router first learns about a network when the new net range appears in the RTMP routing update from a neighboring router. The router then queries the neighbor for the ZoneNames of the new network. Note that the net range is repeated in every new RTMP update but that the ZoneNames are requested only once.

The end stations obtain the network numbers from the broadcasted RTMP (routing information) packets and then choose a node number. This net/node pair is then AARP'd for (AARP Probe) to see if any other end station has already claimed its use. If another station responds, another net/node pair is chosen by the end station and the process repeated until no responses are received.

Why ZoneName Filters?

When the typical AppleTalk end station wants to use a service (printer, file server) on the Apple Internet, it first looks at all available Zones and selects one. It then chooses a service type and requests a list of all names advertising the type in the chosen Zone. Several problems arise from this mechanism.

A large internet may have many Zones. Presenting the user with a long list to choose from obscures the needed ones (thereby inhibiting usability of the list).
The server may not want to make itself available throughout the internet (for security reasons). If the Zone that the service is in is not visible to the client, security is enhanced.
Restricting the Zones that are visible from a department to the rest of the internet will allow the internet administration to let the department control (or not) its own domain while not increasing the overhead for the rest of the internet (reducing administration).

The filtering of network numbers further enhances the security and administration of the internet. Network access is only indirectly controlled by Zone filtering. An unregulated department could add networks with the same Zone names but new net numbers that conflict with other departments. Network number filtering can be used to prevent these random additions of zone names and net numbers from impacting the rest of the network.

How Do You Add Filters?

The router is configured with an exclusive (meaning block the specified zones) or inclusive (meaning allow only these zones) list of Zones for each direction on each interface. The specified interface will not readvertise filtered Zone information in the defined direction. If all Zones in a network's Zonelist are filtered, network information will also be filtered across the interface.

Use configuration commands add and delete, to create the filter list for an interface.
Use configuration commands enable and disable to specify how the filter list is applied.
Use similar commands to create network number filters.

Other Commands:

You can use the AP2 CONFIG> list command to display all filter information for the interfaces. In addition, the list command accepts an interface# as an argument so that you can list information for only an interface.

Sample Configuration Procedures

This section covers the steps required to get AP2 up and running. For information on how to make further configuration changes, see "AppleTalk Phase 2 Configuration Commands". For the configuration changes to take effect, you must restart the router.

To access the AP2 configuration environment, enter protocol ap2 at the Config> prompt.

Enabling AP2

When you configure a router to forward AP2 packets, you must enable certain parameters. If you have multiple routers transferring AP2 packets, specify these parameters for each router. To enable AP2:

Use the enable ap2 command to globally enable AP2 on the router. For example:
```
  AP2 config>enable ap2
```
Enable the specific interfaces over which AP2 is to send packets. For example:
```
  AP2 config>enable interface 1
```

Setting Network Parameters

To set up your router as a seed router, you must set the network range, a starting node number, and at least one zone name. You can configure some interfaces on a router as seed routers and leave other interfaces as non-seed routers. You must have at least one seed router for each AppleTalk network, and you should configure several seed routers on a network in case one of them fails.
Note: Do not set a network range or a node number for half routers.

Use the set net-range command to set the Network Range. For example:

  AP2 config>set net-range
  Interface #  [0]? 1
  First Network range number (1-65279, or 0 to delete) []? 1
  Last Network range number (1-165279) []? 5

Enter the same first and last values for a single-numbered network.

Use the set node-number command to set the Starting Node Number for the interface. The router will AARP for this node. If the number is already in use, the router will choose a new number. For example:
```
  AP2 config>set node-number
  Interface #  [0]? 1
  Node number (1-253, or 0 to delete) []? 1
```
Use the add zone command to add one or more zone names for the network attached to the interface. If you define a network range for an interface, you should also define the zone names for the interface. If you did not define a network number, do not define zone names. For example:
```
  AP2 config>add zone
  Interface # [0]? 1
  Zone name []? Finance
```

After you have specified the parameters, you can use the list command at the AP2 config> prompt to view your configuration.

Setting Up Zone Filters

Zone filtering lets you filter zones in each direction on each interface. To filter incoming packets, set up an input filter. To filter outgoing packets, set up an output filter. The interface will not readvertise filtered zone information in the direction that you define. Follow these steps to set up a zone filter:

Add zone filters to an interface. Use the add zfilter in command to add an input zone filter to an interface. Use the add zfilter out command to add an output zone filter to an interface. For example:
```
  AP2 config>add zfilter in
  Interface # [0]? 1
  Zone name []? Admin
```
Enable the zone filters that you added. This turns on the filter and controls whether the filter is inclusive or exclusive. Inclusive filters forward only the zone information in that filter. Exclusive filters block only the zone information in that filter. For example:
```
  AP2 config>enable zfilter in exc
  Interface # [0]? 1
```

The following are some examples that explain how to set up zone filters in the internet shown in Figure 12.

Figure 12. Example of Zone Filtering

Example 1

The following is an example of how to filter the Manufacturing zone from all other networks. To do this, you would set up an input filter on Interface 1 of Router A to exclude the Manufacturing zone.

On Router A, add an input zone filter to Interface 1.

  AP2 config>add zfilter in
  Interface # [0]? 1
  Zone name []? Manufacturing

Enable the input zone filter and make the filter exclusive.
```
  AP2 config>enable zfilter in exc
  Interface # [0]? 1
```
This excludes Manufacturing zone information from entering Router A, thereby filtering the zone from the rest of the internet.

Example 2

The following example shows how to filter the Manufacturing zone from Network 11-15, but still allow the Manufacturing zone to be visible on Network 1-5. To do this, you would set up an output filter on Interface 3 of Router A to exclude Manufacturing zone information from being forwarded out of Interface 3. The interface will continue to advertise Manufacturing zone information over interfaces 1 and 2 on Router A, making it visible on Network 1-5.

Add an output zone filter to Interface 3.

  AP2 config>add zfilter out
  Interface # [0]? 3
  Zone name []? Manufacturing

Enable the output zone filter and make the filter exclusive.
```
  AP2 config>enable zfilter out exc
  Interface # [0]? 3
```
This filter excludes Manufacturing zone information from the output of Interface 3.

Example 3

The next example shows how to set up a filter so that the Admin zone is visible on all networks, but the Finance zone is not visible to the rest of the internet.

Add an input zone filter to Interface 2 on Router A.

  AP2 config>add zfilter in
  Interface # [0]? 2
  Zone name []? Admin

Enable the input zone filter and make it inclusive.
```
  AP2 config>enable zfilter in inc
  Interface # [0]? 2
```
By setting up this input filter as inclusive, only Admin zone information is forwarded through Interface 2 to the rest of the internet.

Setting Up Network Filters

Network filters are similar to zone filters, except they let you filter an entire network. To set up a network filter:

Add a network filter. Use the add nfilter in command to add an input network filter to an interface. Use the add nfilter out command to add an output network filter to an interface. For example:
```
  AP2 config>add nfilter out
  Interface # [0]? 2
  First Network range number (decimal) [0]? 11
  Last Network range number (decimal) [0]? 15
```
The network range you enter here must match the range that you assigned to that network.
Enable the network filter that you added and make it either inclusive or exclusive. Inclusive filters forward only network information in that filter. Exclusive filters block only network information in a filter, and they allow all other network information to be forwarded.
```
  AP2 config>enable nfilter in exc
  Interface # [0]? 2
```

Following are some examples that explain how to set up network filters in the internet, as shown in Figure 13.

Figure 13. Example of Network Filtering

The following steps show how to filter Network 6-10 so that it is not visible to Network 16-20 as shown in Figure 13.

Add an output network filter for Network 6-10 to Interface 2 on Router B.

  AP2 config>add nfilter out
  Interface # [0]? 2
  First Network range number (decimal) [0]? 6
  Last Network range number (decimal) [0]? 10

Enable the output network filter as exclusive.
```
  AP2 config>enable nfilter out exc
  Interface # [0]? 2
```
This filter excludes all information on Network 6-10 from being forwarded through Interface 2 to Network 16-20.

[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]