© Synergon Informatika Rt., 1999. Chapter 5: Managing AppleTalk Traffic
TRANSCRIPT
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
Identify potential sources of congestion in an AppleTalk network
Configure zone filters
Configure RTMP filters
Configure NBP filters
AppleTalk Traffic Management Overview
[Figure: a Macintosh asks "I am looking for servers in Campus Zone" and a server answers "I am a server in Campus Zone"; the exchange crosses the Campus Zone access router]
• Device location traffic is one source of overhead
• RTMP broadcasts the routing table every 10 seconds
• Cisco IOS filters can reduce traffic or control access
AppleTalk Protocol Stack
[Figure: OSI Reference Model (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical) beside the AppleTalk Architecture, top down: AppleTalk higher layers; ZIP, RTMP and NBP; DDP at the network layer; Ethernet, Token Ring, FDDI or other media at the data link and physical layers]
Nonextended/Extended Networks
Extended
• 253 hosts/servers per network
• Range of network numbers per wire (e.g. Network 100-105)
Nonextended
• 127 hosts, 127 servers per network
• Single network number per wire (e.g. Network 100)
Extended AppleTalk Internetwork
[Figure: three cable ranges (120-129, 110-110 and 101-101) shared among Zone A and Zone B]
• Multiple zones per cable range
• Multiple cable ranges per zone
AppleTalk Zones
• Zones divide a network into manageable “communities of interest”
• Widespread zones experience more traffic
[Figure: zones A, B and C spread across the network as it grows (Network Growth)]
AppleTalk Filtering Options
• GetZoneList - Local router to Macintosh
• ZIP reply - Hides zones between routers
• Distribute list - Hides cable ranges, controls broadcasts
• NBP - Hides services, controls broadcasts
[Figure: where each filter acts: the GetZoneList reply is filtered between the local router and the Macintosh; ZIP replies and RTMP updates are filtered between routers]
Filtering Configuration Tasks
Two fundamental configuration tasks are common to all filters:
Step 1 Create an access list
Step 2 Apply the access list to an interface

access-list 601 deny cable-range 100-100
access-list 601 permit other-access

interface Ethernet 2
 appletalk access-group 601

[Figure: router with interfaces E1 and E2; access list 601 is applied on E2]
How Services and Zones Are Learned
[Figure: zones Bldg-17, Users and "Bldg D 1st floor"; a Macintosh learns the zone list with a GetZoneList (GZL) request to its local router, then locates services in a zone with an NBP broadcast]
GZL Filter Hides Zones from User
• Requirement: Operation zone cannot access Accounting
• Solution: Use GZL filter
• Effect: Router does not include Accounting in GZL reply
[Figure: one router with interfaces E0, E1 and E2 serving Zone Executive (cable-range 101-200), Zone Accounting (cable-range 201-300) and Zone Operation (cable-range 501-1000)]
GetZoneList Filter Commands
Router (config) #
access-list access-list-number { permit | deny } zone zone-name
  Creates the access list and permits or denies a named zone
Router (config) #
access-list access-list-number { permit | deny } additional-zones
  Defines the default action for zones not specified in the list
Router (config-if) #
appletalk getzonelist-filter access-list-number
  Applies the GZL filter to an interface
GetZoneList Filtering Example
[Figure: the same router; the filter is applied on E1, the Operation interface (Zone Executive, cable-range 101-200; Zone Accounting, cable-range 201-300; Zone Operation, cable-range 501-1000)]

access-list 601 deny zone Accounting
access-list 601 permit additional-zones

interface Ethernet 1
 appletalk cable-range 501-1000
 appletalk zone Operation
 appletalk getzonelist-filter 601
How Routers Learn Zones
[Figure: R1 serves Zone Headquarters (cable-range 101-200) and Zone WAN (cable-ranges 700-700 and 800-800); R2 serves Zone London (cable-range 201-250)]
R1 Zone Information Table
  Headquarters 101-200
  WAN 700-700, 800-800
• 1 R1 sends an RTMP update with network numbers
• 2 R2 sends a ZIP request asking for the associated zones
• 3 R1 replies with its Zone Information Table (ZIT) entries
ZIP Reply Filters Hide Zones
• Requirement: Do not want the R2 router to know about the Paris_Acct zone
• Solution: Use a ZIP reply filter on R1
[Figure: R1 (E0 Zone Headquarters; S0 and S1 Zone WAN) connects over S0 to R2 (E0 Zone London) and over S1 to R3 (E0 default zone Paris, additional zone Paris_Acct)]
ZIP Reply Filter Commands
Router (config) #
access-list access-list-number { permit | deny } zone zone-name
  Creates the access list and defines zone access
Router (config) #
access-list access-list-number { permit | deny } additional-zones
  Defines the default action to take for zones not specified in the list
Router (config-if) #
appletalk zip-reply-filter access-list-number
  Applies the ZIP reply filter to an interface
ZIP Reply Filtering Example
[Figure: R1 (E0 Zone Headquarters, cable-range 101-200; S0 Zone WAN, cable-range 700-700; S1 Zone WAN, cable-range 800-800) connects to R2 (E0 Zone London, cable-range 201-250) and R3 (E0 default zone Paris, additional zone Paris_Acct, cable-range 251-300)]

R1
access-list 602 deny zone Paris_Acct
access-list 602 permit additional-zones

interface Serial 0
 appletalk cable-range 700-700
 appletalk zone WAN
 appletalk zip-reply-filter 602
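The GetZoneList example and the ZIP reply example both rely on the same zone access-list semantics, so one worked model serves both. It is added here as an illustration; it is not course material and not Cisco code. The access-list lines and zone names are the slides' own. Assumed, and stated in the code: the first zone entry whose name matches decides; additional-zones is the default for zones not named; a list with no additional-zones entry denies those zones (the implicit deny at the end of a Cisco access list); and zone names compare case-insensitively, as AppleTalk defines them.

```python
"""Model of an AppleTalk zone access list as applied by a GetZoneList filter
or a ZIP reply filter: which zone names survive in the reply.

Added example, not from the course material. Assumptions: the first zone
entry whose name matches decides; 'additional-zones' is the default for
zones not named; with no such entry those zones are denied (implicit deny);
zone names compare case-insensitively, as AppleTalk defines them.
"""


def parse_zone_acl(lines):
    """Parse 'access-list N {permit|deny} zone NAME' and
    'access-list N {permit|deny} additional-zones' lines.
    Returns {list_number: {"zones": [(name, action), ...], "default": action|None}}."""
    acls = {}
    for line in lines:
        fields = line.split(None, 3)          # access-list, number, action, rest
        if len(fields) != 4 or fields[0] != "access-list":
            raise ValueError(f"not an access-list entry: {line!r}")
        _, number, action, rest = fields
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        acl = acls.setdefault(int(number), {"zones": [], "default": None})
        if rest == "additional-zones":
            acl["default"] = action
        elif rest.startswith("zone "):
            # zone names may contain spaces ("Users Zone"), so keep the rest whole
            acl["zones"].append((rest[5:].strip().lower(), action))
        else:
            raise ValueError(f"not a zone entry: {line!r}")
    return acls


def zone_permitted(acl, zone):
    """True if the reply may carry this zone name."""
    for name, action in acl["zones"]:
        if name == zone.lower():
            return action == "permit"
    return acl["default"] == "permit"      # None (no additional-zones entry) means deny


def filter_reply(acl, zones):
    """Zones the router puts in its GZL or ZIP reply, in the original order."""
    return [z for z in zones if zone_permitted(acl, z)]


# Access lists from the two slides.
GZL_ACL = (
    "access-list 601 deny zone Accounting",
    "access-list 601 permit additional-zones",
)
ZIP_ACL = (
    "access-list 602 deny zone Paris_Acct",
    "access-list 602 permit additional-zones",
)

# Zones the router knows (GZL slide) and zones bound to cable range 251-300
# (ZIP reply slide).
ROUTER_ZONES = ("Executive", "Accounting", "Operation")
PARIS_ZONES = ("Paris", "Paris_Acct")


def gzl_reply_to_operation():
    """GetZoneList reply sent on Ethernet 1 with filter 601 applied."""
    return filter_reply(parse_zone_acl(GZL_ACL)[601], ROUTER_ZONES)


def zip_reply_to_r2():
    """ZIP reply R1 sends on Serial 0 for network 251-300 with filter 602 applied."""
    return filter_reply(parse_zone_acl(ZIP_ACL)[602], PARIS_ZONES)


def reply_without_default():
    """Same deny entry as list 601 but without 'permit additional-zones': the
    implicit deny then hides every zone not explicitly permitted, i.e. all of them."""
    acl = parse_zone_acl(("access-list 604 deny zone Accounting",))[604]
    return filter_reply(acl, ROUTER_ZONES)


if __name__ == "__main__":
    print("GZL reply:", gzl_reply_to_operation())      # ['Executive', 'Operation']
    print("ZIP reply:", zip_reply_to_r2())              # ['Paris']
    print("No default:", reply_without_default())       # []
```

The third function is the check worth running before applying any zone filter: forgetting the additional-zones entry does not "leave the other zones alone", it empties the reply.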
Verifying Zone Filters
Tokyo# show appletalk zone
Name          Network(s)
Ozone         12810-12819
Azone         3210-3219 3230-3230 3220-3220
Fzone         11250-11259
Total of 3 zones
• Shows all zones known to the router
How Routers Learn Networks
[Figure: R1 (E0 cable-range 101-200, S0 cable-range 700-700, S1 cable-range 800-800) connects to R2 (E0 cable-range 201-250) and R3 (E0 cable-range 251-300)]
R1 routing table
  Network   Distance
  101-200   0
  800-800   0
  700-700   0
  251-300   1
  201-250   1
• RTMP broadcasts the full routing table every 10 seconds
How Routers Learn Networks
[Figure: the same internetwork: R1 (Zone Headquarters, cable-range 101-200; Zone WAN, cable-ranges 700-700 and 800-800), R2 (Zone London, cable-range 201-250), R3 (default zone Paris, additional zone Paris_Acct, cable-range 251-300)]
R1 routing table
  Network   Distance
  101-200   0
  800-800   0
  700-700   0
  251-300   1
  201-250   1
• Requirement: Do not want cable range 251-300 advertised to R2
• Solution: Use a distribute-list filter so that R1 does not advertise cable range 251-300
RTMP Filter Commands
Router (config) #
access-list access-list-number { permit | deny } network network
  Defines access for a single network number
Router (config) #
access-list access-list-number { permit | deny } cable-range cable-range
  Defines access for a single cable range
Router (config) #
access-list access-list-number { permit | deny } other-access
  Defines the default action to take for a network number or cable range not specified in the list
RTMP Filter Commands (cont.)
Router (config-if) #
appletalk distribute-list access-list-number in
  Controls which routes are accepted into the routing table
Router (config-if) #
appletalk distribute-list access-list-number out
  Controls which routes are advertised
RTMP Filtering Example
[Figure: the same internetwork; the filter is applied outbound on R1 Serial 0, the link to R2]

R1
access-list 603 deny cable-range 251-300
access-list 603 permit other-access
access-list 603 permit additional-zones

interface Serial 0
 appletalk cable-range 700-700
 appletalk zone WAN
 appletalk distribute-list 603 out
RTMP Filtering Considerations
[Figure: R1 (E0 Zone Accounting, cable-range 101-101) and R2; Zone Operation spans cable-ranges 301-301 and 201-201]

R1
access-list 603 deny cable-range 301-301
access-list 603 permit other-access
access-list 603 permit additional-zones

appletalk permit-partial-zones

interface Ethernet 0
 appletalk cable-range 101-101
 appletalk zone Accounting
 appletalk distribute-list 603 in

If access to any network in a zone is denied, access to that zone is also denied by default. Use appletalk permit-partial-zones (a global configuration command) to allow access to the other networks in that zone.
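The distribute-list example and the partial-zones consideration above are easy to get wrong in the same way: a deny on one cable range silently removes every other route in that zone. The following model, added here as an illustration (not course material and not Cisco code), runs the slides' own routes and access lists through that rule with and without permit-partial-zones. Assumed, and stated in the code: a cable-range entry matches a route with exactly that range, a network entry is treated as the range N-N, other-access is the default for unlisted networks and a list without it denies them, and the zone entries on the slides (permit additional-zones) are accepted but do not affect routes in this model.

```python
"""Model of an AppleTalk distribute list: which RTMP routes a router advertises
(distribute-list out) or accepts (distribute-list in), including the slide's
rule that a zone with any denied network is denied as a whole unless
appletalk permit-partial-zones is configured.

Added example, not from the course material. The routes and zones are the
slides' own. Assumptions: 'cable-range A-B' matches a route with exactly that
range; 'network N' is treated as the range N-N; 'other-access' is the default
for unlisted networks and a list with no such entry denies them; zone entries
in the list (permit additional-zones) are accepted but do not affect routes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    cable_range: str   # "low-high" as carried in the RTMP tuple
    zones: tuple       # zone names bound to this cable range


def parse_rtmp_acl(lines):
    """Turn access-list lines into (kind, value, action) rules."""
    rules = []
    for line in lines:
        _, _number, action, kind, *rest = line.split()
        value = " ".join(rest) or None
        if kind == "network":            # single network number, assumed == cable-range N-N
            kind, value = "cable-range", f"{value}-{value}"
        rules.append((kind, value, action))
    return rules


def network_permitted(rules, cable_range):
    """Exact-match check of one cable range against the network entries."""
    default = False                      # implicit deny if there is no other-access entry
    for kind, value, action in rules:
        if kind == "cable-range" and value == cable_range:
            return action == "permit"
        if kind == "other-access":
            default = action == "permit"
    return default


def filtered(rules, routes, permit_partial_zones=False):
    """Routes that pass the distribute list."""
    allowed = {r.cable_range: network_permitted(rules, r.cable_range) for r in routes}
    if permit_partial_zones:
        return [r for r in routes if allowed[r.cable_range]]
    # Default behaviour from the slide: denying any network in a zone denies
    # the zone, which also drops the zone's other routes.
    denied_zones = {z for r in routes if not allowed[r.cable_range] for z in r.zones}
    return [r for r in routes
            if allowed[r.cable_range] and not (set(r.zones) & denied_zones)]


# R1's routing table ("How Routers Learn Networks") with the zones the slides
# bind to each cable range.
R1_ROUTES = (
    Route("101-200", ("Headquarters",)),
    Route("800-800", ("WAN",)),
    Route("700-700", ("WAN",)),
    Route("251-300", ("Paris", "Paris_Acct")),
    Route("201-250", ("London",)),
)
RTMP_EXAMPLE_ACL = (
    "access-list 603 deny cable-range 251-300",
    "access-list 603 permit other-access",
    "access-list 603 permit additional-zones",
)
# "RTMP Filtering Considerations": Zone Operation spans 301-301 and 201-201.
OPERATION_ROUTES = (
    Route("301-301", ("Operation",)),
    Route("201-201", ("Operation",)),
)
CONSIDERATIONS_ACL = (
    "access-list 603 deny cable-range 301-301",
    "access-list 603 permit other-access",
    "access-list 603 permit additional-zones",
)


def advertised_to_r2():
    """Cable ranges R1 sends out Serial 0 with 'appletalk distribute-list 603 out'."""
    return [r.cable_range for r in filtered(parse_rtmp_acl(RTMP_EXAMPLE_ACL), R1_ROUTES)]


def accepted_on_e0(permit_partial_zones):
    """Cable ranges R1 installs from the Operation routes with 'distribute-list 603 in'."""
    rules = parse_rtmp_acl(CONSIDERATIONS_ACL)
    return [r.cable_range for r in filtered(rules, OPERATION_ROUTES, permit_partial_zones)]


if __name__ == "__main__":
    print(advertised_to_r2())        # ['101-200', '800-800', '700-700', '201-250']
    print(accepted_on_e0(False))     # []  the whole Operation zone is denied
    print(accepted_on_e0(True))      # ['201-201']
```

In the first case the denied range is the only one in its zones, so the partial-zone rule changes nothing; in the second the same kind of deny removes a route the administrator meant to keep until permit-partial-zones is configured.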
Verifying RTMP Filters
Tokyo# show appletalk route
Codes: R - RTMP derived, E - EIGRP derived, C - connected, A - AURP, S - static, P - proxy
5 routes in internet
The first zone listed for each entry is its default (primary) zone.
C Net 3210-3219 directly connected, Ethernet0, zone Azone
C Net 3220-3220 directly connected, Serial0, zone Azone
C Net 3230-3230 directly connected, Serial1, zone Azone
R Net 11250-11259 [1/G] via 3211.4, 7 sec, Ethernet0, zone Fzone
C Net 12810-12819 directly connected, Ethernet1, zone Ozone
• Displays routing table entries
How Names Are Learned
[Figure: a Macintosh in Campus Zone asks "I am looking for file server in Campus Zone"; a file server answers "I am a file server in Campus Zone"; the four NBP messages are numbered 1-4]
NBP Messages
• 1 Broadcast request: unicast to the local router
• 2 Forward request: unicast to the other routers serving the zone
• 3 Lookup: multicast on each cable in the zone
• 4 Reply: unicast back to the originator
NBP Filters Hide Services
[Figure: R1 and R2 connect cable ranges 100-100, 200-200 and 300-300; Fred’s Mac is in Users Zone and Main Server in Campus Zone]
• NBP filters can deny access to a single device or to all devices within a zone
• NBP filters are based on entity names
Entity Names
• A network-visible entity (NVE) is any entity that is accessible over an AppleTalk network
• Entity names are character strings of the form object:type@zone
[Figure: Fred’s Mac is Fred’s Mac:Workstation@Users Zone; Main Server is Main Server:AFPServer@Campus Zone]
NBP Filter Commands
Router (config) #
access-list access-list-number { permit | deny } nbp seq { type | object | zone } string
  Creates the access list; entries that share the same seq number describe one entity
Router (config) #
access-list access-list-number { permit | deny } other-nbps
  Defines the default action for all other NBP entities
Router (config-if) #
appletalk access-group access-list-number
  Applies the NBP filter to the interface
NBP Filtering Example 1
Denying a Single Device
[Figure: the same internetwork (cable ranges 100-100, 200-200, 300-300; Users Zone and Campus Zone); the printer Color Laser is in Campus Zone]

R1
access-list 603 deny nbp 1 object Color Laser
access-list 603 deny nbp 1 type LaserWriter
access-list 603 deny nbp 1 zone Campus Zone
access-list 603 permit other-nbps
access-list 603 permit other-access

interface Serial 0
 appletalk cable-range 300-300
 appletalk zone Users Zone
 appletalk access-group 603
NBP Filtering Example 2
Denying All Services within a Zone
[Figure: the same internetwork; Color Laser and Main Server are in Campus Zone]

R1
access-list 603 deny nbp 1 zone Campus Zone
access-list 603 permit other-nbps
access-list 603 permit other-access

interface Serial 0
 appletalk cable-range 300-300
 appletalk zone Users Zone
 appletalk access-group 603
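The two NBP examples differ only in how many entity parts are listed under sequence number 1, which is the whole point of the seq field. The model below, added here as an illustration (not course material and not Cisco code), runs the slides' entity names through both lists and through a constructed third list that puts the same three parts under different sequence numbers. Assumed, and stated in the code: entries sharing a seq number form one entity specification whose object, type and zone parts must all match (what makes Example 1 deny a single device); a part left out of a specification matches anything; other-nbps is the default and a list without it denies unlisted entities; names compare case-insensitively as NBP defines them; the non-nbp entries (other-access) belong to the same access-group but do not select entities. The fourth entity name and the split-sequence list are constructed for the contrast.

```python
"""Model of an AppleTalk NBP access list: which entity names (object:type@zone)
the filter lets through.

Added example, not from the course material. The entries and entity names are
the slides' own unless marked constructed. Assumptions: entries that share a
seq number form one entity specification whose object, type and zone parts must
all match; a part left out of a specification matches anything; 'other-nbps'
is the default and a list without it denies unlisted entities; names compare
case-insensitively, as NBP defines them; entries that are not nbp entries
(other-access) belong to the same access-group but do not select entities.
"""


def split_entity(name):
    """'object:type@zone' -> {'object': ..., 'type': ..., 'zone': ...}, lower-cased."""
    obj, rest = name.split(":", 1)
    typ, zone = rest.split("@", 1)
    return {"object": obj.lower(), "type": typ.lower(), "zone": zone.lower()}


def parse_nbp_acl(lines):
    """Group 'nbp seq {object|type|zone} string' entries by seq; return (specs, default)."""
    specs = {}          # seq -> {"action": str, "parts": {kind: string}}
    default = None
    for line in lines:
        fields = line.split(None, 6)   # access-list N action nbp seq kind string
        action = fields[2]
        if fields[3] == "other-nbps":
            default = action
        elif fields[3] == "nbp":
            seq, kind, string = int(fields[4]), fields[5], fields[6]
            spec = specs.setdefault(seq, {"action": action, "parts": {}})
            if spec["action"] != action:
                raise ValueError(f"seq {seq} mixes permit and deny")
            spec["parts"][kind] = string.strip().lower()
        # other kinds (e.g. other-access) are network entries of the same list
    return specs, default


def nbp_permitted(acl, entity_name):
    """True if an NBP tuple naming this entity passes the filter."""
    specs, default = acl
    entity = split_entity(entity_name)
    for spec in specs.values():
        if all(entity[kind] == value for kind, value in spec["parts"].items()):
            return spec["action"] == "permit"
    return default == "permit"


# Example 1: deny a single device.
SINGLE_DEVICE_ACL = (
    "access-list 603 deny nbp 1 object Color Laser",
    "access-list 603 deny nbp 1 type LaserWriter",
    "access-list 603 deny nbp 1 zone Campus Zone",
    "access-list 603 permit other-nbps",
    "access-list 603 permit other-access",
)
# Example 2: deny every service in a zone.
WHOLE_ZONE_ACL = (
    "access-list 603 deny nbp 1 zone Campus Zone",
    "access-list 603 permit other-nbps",
    "access-list 603 permit other-access",
)
# Constructed variant, not on the slides: the same three parts under different
# seq numbers are three independent specifications, so every LaserWriter and
# everything in Campus Zone is denied, not just the one printer.
SPLIT_SEQ_ACL = (
    "access-list 605 deny nbp 1 object Color Laser",
    "access-list 605 deny nbp 2 type LaserWriter",
    "access-list 605 deny nbp 3 zone Campus Zone",
    "access-list 605 permit other-nbps",
)

ENTITIES = (
    "Color Laser:LaserWriter@Campus Zone",
    "Main Server:AFPServer@Campus Zone",
    "Fred's Mac:Workstation@Users Zone",
    "Lobby Printer:LaserWriter@Users Zone",   # constructed for the contrast
)


def passing(acl_lines):
    """Entity names from ENTITIES that the given list lets through."""
    acl = parse_nbp_acl(acl_lines)
    return [e for e in ENTITIES if nbp_permitted(acl, e)]


if __name__ == "__main__":
    for label, acl in (("single device", SINGLE_DEVICE_ACL),
                       ("whole zone", WHOLE_ZONE_ACL),
                       ("split seq", SPLIT_SEQ_ACL)):
        print(f"{label}: {passing(acl)}")
```

The split-sequence list is the misconfiguration to watch for: it reads like Example 1 but hides the Users Zone printer too, and the only visible symptom is that services disappear from the Chooser.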
Verifying NBP Filters
Tokyo# show appletalk nbp
  Net   Adr  Skt  Name             Type         Zone
 3220     1  254  Tokyo.Serial0    ciscoRouter  Azone
 3230     1  254  Tokyo.Serial1    ciscoRouter  Azone
 3213    84  254  Tokyo.Ethernet0  ciscoRouter  Azone
12813   205  254  Tokyo.Ethernet1  ciscoRouter  Ozone
• Displays the contents of the name registration table
Summary
Locating services and routing updates cause overhead in an AppleTalk network
Understanding communities of interest is key to controlling service location traffic
Filtering strategies must ensure that the routing information needed for service location remains available to routers
Cisco’s IOS software provides many features for reducing the volume of service location and routing traffic, and for controlling access