
List:       firewalls-gc
Subject:    Re: Atalk filtering/Cisco (very
From:       Marc Mosko <marc () tear ! com>
Date:       1996-09-24 9:31:29

Really, what you want is a variant of solution 4.  You can just as
easily filter on the serial lines.  Just have each site distribute only
its -2 zone OUT the serial lines.  This will flood your internetwork
with all the -2's.  Since there are no Ethernet restrictions, all
ethernet ports will see all the local ethernets plus all the -2's.

Note that for simplicity I would use the same access-list on each
router.  True, some sites could use a "slim-down" access list.  You can
also do both in-bound and out-bound restrictions.  This makes sure that
each site only sends what it should and only accepts what it should (in
case another site gets screwed up).

Life would be much easier if all the sites connected to, say, Office C. 
You could then do a "Free-Trade Zone" variant.  It would also mean that
you only had to run access-lists on site C.  As it is now, you really
only need access lists on A,B,C, since D and E would only take what C
gave them.

Office A:
	access-list 601 permit zone A-2
	access-list 601 permit zone B-2
	access-list 601 permit zone C-2
	access-list 601 permit zone D-2
	access-list 601 permit zone E-2
	access-list 601 deny additional-zones

	int s0
	description Frame Relay to office B
	apple zone WAN-A-B
	apple distribute-list 601 out
	apple distribute-list 601 in

Office B:
	access-list 601 permit zone A-2
	access-list 601 permit zone B-2
	access-list 601 permit zone C-2
	access-list 601 permit zone D-2
	access-list 601 permit zone E-2
	access-list 601 deny additional-zones

	int s0
	description Frame Relay to office A
	apple zone WAN-A-B
	apple distribute-list 601 out
	apple distribute-list 601 in

	int s1
	description Frame Relay to office C
	apple zone WAN-B-C
	apple distribute-list 601 out
	apple distribute-list 601 in


David Glosser wrote:
> 
> SETUP: APPLETALK Network, Cisco routers in each office. Running APPLETALK
> 
> 
> 
>    OFFICE B                        OFFICE C                     OFFICE E
>       ||                              ||                           ||
>   Zone B-1---|                     Zone C-1                     Zone E-1
>   Zone B-2*--|----Frame Relay------Zone C-2*---Frame Relay------Zone E-2*
>   Zone B-3---|                     Zone C-3                     Zone E-3
>        |                              |
>        |                              |
>   Frame Relay                    Frame Relay
>        |                              |
>        |                              |
>    Zone A-1                         Zone D-1
>    Zone A-2*                        Zone D-2*
>    Zone A-3                         Zone D-3
>       ||                              ||
>    OFFICE A                         OFFICE D
> 
> The zones are on separate interfaces on the cisco, with separate cable
> ranges.
> 
> We wish to have all users in every zone have access to their local zones and
> only Zone #2 in each office. For example, a user in the "B" office should see
> Apple Zones B-1, B-2, B-3, A-2, C-2, D-2, and E-2. Users in the "D" office
> should see appletalk zones D-1, D-2, D-3, A-2, B-2, C-2, and E-2, etc.

[snip]

> 
> However, scenario 4 indicates that we will be filtering on the USER
> (ethernet) interfaces.  This means that we will have to send
> *all zones* to the other offices and then rely on them to filter
> at *their* user interface for us.
> 
> What I really need is a way for each *user zone* to have full
> access to their own local zones and the "shared" zones.
> For example,  a user in the "B" office should see all of
> the Apple "B" Zones B-1, B-2, B-3,and the number "2" appletalk
> zones from the other offices. But I don't want to send all the "B"
> zones to everyone unfiltered.
> 
> Right now I have a "distribute-list out" filter on the outbound
> FRAME RELAY connection consisting of all of the "2" zones.
> This allows the "2" zones to see each  other (allowing for e-mail,
> since that's where the quickmail servers live).
> 
> However, since the "2" zones do not have access to the other
> "1" and "3" zones (except their local ones),  information from
> the "2" zones doesn't make it back to the "1" and "3" zones.
> For example,  users in the "A1" and "A3" zones cannot access
> anything in the "B2" or "C2" zones because  the "B2" and "C2" zones
> do not have any access to the "A1" and  "A3" zones.
> 
> So, in summary, I still have no solution to my problem. I hate the
> idea opening up all of our zones to outside offices but I may not
> have any choice.  If anyone has any suggestions or wishes to
> continue this conversation, please contact me directly. Sorry for the
> length of this message. (If I would have included the responses from
> the Cisco reps, it would have been twice as long---and their responses
> were confusing, contradictory, and just plain wrong!)
> 
> Thanks to all (too numerous to mention)
> 
> David Glosser
> glosser@bbdo.com

-- 
   Marc Mosko                   Email: marc@tear.com
                                Web:   http://www.tear.com/

   "If anyone knocks out another's eye, he shall pay him
   sixty-six shillings, six pence, and a third of a penny."
   -- Leges Henrici Primi (13th century)

           PGP Key available via Public Servers and
               http://www.tear.com/pgp-key.html
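To check the claim in the reply above, that the same "-2 only" zone list applied in and out on every serial line leaves each office with exactly its three local zones plus the five -2 zones (and that D and E need no list of their own), here is an added example, not part of either post, that simulates zone propagation across David's topology. The propagation model (a router re-advertises every zone it has learned to its other neighbours, subject to the filters on both ends of the link) is a simplification of RTMP/ZIP behaviour and is an assumption of this example.

```python
# Added example (not from the original posts): simulate how AppleTalk zone
# names spread across the five-office Frame Relay internetwork from the
# thread under a per-router zone filter, and compare each office's view
# with David's requirement. The propagation model below is an assumption
# of this example, not Cisco's implementation.

OFFICES = ["A", "B", "C", "D", "E"]
# Frame Relay links from David's diagram: A-B, B-C, C-D, C-E (C is the hub)
LINKS = [("A", "B"), ("B", "C"), ("C", "D"), ("C", "E")]
# Each office router has three local zones: X-1, X-2, X-3
LOCAL = {o: {f"{o}-{n}" for n in (1, 2, 3)} for o in OFFICES}


def shared_only(zone):
    """Models access-list 601: permit zone X-2 for each office, deny additional-zones."""
    return zone.endswith("-2")


def no_filter(zone):
    """Models a serial interface with no apple distribute-list at all."""
    return True


def propagate(filters):
    """filters[office] is the predicate that office applies both in and out on
    its serial lines (one access-list per router, as Marc suggests).
    Returns the set of zones each office knows once routing has converged."""
    known = {o: set(LOCAL[o]) for o in OFFICES}
    changed = True
    while changed:
        changed = False
        for a, b in LINKS:
            for src, dst in ((a, b), (b, a)):
                # outbound list on src's serial, then inbound list on dst's serial
                advertised = {z for z in known[src]
                              if filters[src](z) and filters[dst](z)}
                new = advertised - known[dst]
                if new:
                    known[dst] |= new
                    changed = True
    return known


def expected(office):
    """David's requirement: all local zones plus every office's -2 zone."""
    return LOCAL[office] | {f"{o}-2" for o in OFFICES}


if __name__ == "__main__":
    view = propagate({o: shared_only for o in OFFICES})
    for o in OFFICES:
        print(o, sorted(view[o]), "OK" if view[o] == expected(o) else "MISMATCH")
```

Swapping `shared_only` for `no_filter` on D and E reproduces the point that only A, B and C need the list, since C's own filter already limits what D and E send and receive.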
