Cisco IOS AppleTalk Commands
AppleTalk is a LAN system designed and developed by Apple Computer, Inc. It runs over Ethernet, Token Ring, and FDDI networks, in addition to LocalTalk, Apple's proprietary twisted-pair media access system. AppleTalk specifies a protocol stack comprising several protocols that direct the flow of traffic over the network.
Apple Computer uses the name AppleTalk to refer to the Apple networking architecture. Apple refers to the actual transmission media used in an AppleTalk network as LocalTalk (Apple's proprietary twisted-pair transmission medium for AppleTalk), TokenTalk (AppleTalk over Token Ring), EtherTalk (AppleTalk over Ethernet), and FDDITalk (AppleTalk over FDDI).
Use the commands in this book to configure and monitor AppleTalk networks. For AppleTalk configuration information and examples, see the Cisco IOS AppleTalk and Novell IPX Configuration Guide, Release 12.2.
access-list additional-zones
To define the default action to take for access checks that apply to zones, use the access-list additional-zones command in global configuration mode. To remove an access list, use the no form of this command.
access-list access-list-number {deny | permit} additional-zones
no access-list access-list-number additional-zones
Syntax Description
access-list-number | Number of the access list. This is a decimal number from 600 to 699.
deny | Denies access if the conditions are matched.
permit | Permits access if the conditions are matched.
Defaults
No access lists are predefined.
Command Modes
Global configuration
Command History
Release | Modification
10.0 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
The access-list additional-zones command defines the action to take for access checks not explicitly defined with the access-list zone command. If you do not specify this command, the default action is to deny other access.
You apply access lists defined with the access-list additional-zones command to outgoing routing updates and GetZoneList (GZL) filters (using the appletalk distribute-list out and appletalk getzonelist-filter commands). You cannot apply them to data-packet filters (using the appletalk access-group command) or to incoming routing update filters (using the appletalk distribute-list in command).
Examples
The following example creates an access list based on AppleTalk zones:
access-list 610 deny zone Twilight
access-list 610 permit additional-zones
Related Commands
Command | Description
access-list cable-range | Defines an AppleTalk access list for a cable range (for extended networks only).
access-list includes | Defines an AppleTalk access list that overlaps any part of a range of network numbers or cable ranges (for both extended and nonextended networks).
access-list nbp | Defines an AppleTalk access list entry for a particular NBP named entity, class of NBP named entities, NBP packet type, or NBP named entities belonging to a specific zone.
access-list network | Defines an AppleTalk access list for a single network number (that is, for a nonextended network).
access-list other-access | Defines the default action to take for subsequent access checks that apply to networks or cable ranges.
access-list other-nbps | Defines the default action to take for access checks that apply to NBP packets from named entities not otherwise explicitly denied or permitted.
access-list within | Defines an AppleTalk access list for an extended or a nonextended network whose network number or cable range is included entirely within the specified cable range.
access-list zone | Defines an AppleTalk access list that applies to a zone.
appletalk access-group | Assigns an access list to an interface.
appletalk distribute-list in | Filters routing updates received from other routers over a specified interface.
appletalk distribute-list out | Filters routing updates sent to other routers.
appletalk getzonelist-filter | Filters GZL replies.
appletalk permit-partial-zones | Permits access to the other networks in a zone when access to one of those networks is denied.
access-list cable-range
To define an AppleTalk access list for a cable range (for extended networks only), use the access-list cable-range command in global configuration mode. To remove an access list, use the no form of this command.
access-list access-list-number {deny | permit} cable-range cable-range [broadcast-deny | broadcast-permit]
no access-list access-list-number [{deny | permit} cable-range cable-range [broadcast-deny | broadcast-permit]]
Syntax Description
access-list-number | Number of the access list. This is a decimal number from 600 to 699.
deny | Denies access if the conditions are matched.
permit | Permits access if the conditions are matched.
cable-range | Cable range value. The argument specifies the start and end of the cable range, separated by a hyphen. These values are decimal numbers from 1 to 65279. The starting network number must be less than or equal to the ending network number.
broadcast-deny | (Optional) Denies access to broadcast packets if the conditions are matched.
broadcast-permit | (Optional) Permits access to broadcast packets if the conditions are met.
Defaults
No access lists are predefined.
Command Modes
Global configuration
Command History
Release | Modification
10.0 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
When used as a routing update filter, the access-list cable-range command affects matching on extended networks only. The conditions defined by this access list are used only when a cable range in a routing update exactly matches that specified in the access-list cable-range command. The conditions are never used to match a network number (for a nonextended network).
When used as a data-packet filter, the access-list cable-range command affects matching on any type of network number. The conditions defined by this access list are used only when the packet's source network lies in the range defined by the access list.
You apply access lists defined with the access-list cable-range command to data-packet and routing-update filters (using the appletalk access-group, appletalk distribute-list in, and appletalk distribute-list out commands). You cannot apply them to GZL filters (using the appletalk getzonelist-filter command).
To delete an access list, specify the minimum number of keywords and arguments needed to delete the proper access list. For example, to delete the entire access list, use the following command:
no access-list access-list-number
To delete the access list for a specific network, use the following command:
no access-list access-list-number {deny | permit} cable-range cable-range
Priority queuing for AppleTalk operates on the destination network number, not the source network number.
Examples
The following access list forwards all packets except those from cable range 10 to 20:
access-list 600 deny cable-range 10-20
access-list 600 permit other-access
Related Commands
Command | Description
access-list additional-zones | Defines the default action to take for access checks that apply to zones.
access-list includes | Defines an AppleTalk access list that overlaps any part of a range of network numbers or cable ranges (for both extended and nonextended networks).
access-list nbp | Defines an AppleTalk access list entry for a particular NBP named entity, class of NBP named entities, NBP packet type, or NBP named entities belonging to a specific zone.
access-list network | Defines an AppleTalk access list for a single network number (that is, for a nonextended network).
access-list other-access | Defines the default action to take for subsequent access checks that apply to networks or cable ranges.
access-list other-nbps | Defines the default action to take for access checks that apply to NBP packets from named entities not otherwise explicitly denied or permitted.
access-list within | Defines an AppleTalk access list for an extended or a nonextended network whose network number or cable range is included entirely within the specified cable range.
access-list zone | Defines an AppleTalk access list that applies to a zone.
appletalk access-group | Assigns an access list to an interface.
appletalk distribute-list in | Filters routing updates received from other routers over a specified interface.
appletalk distribute-list out | Filters routing updates sent to other routers.
appletalk getzonelist-filter | Filters GZL replies.
priority-list protocol | Establishes queueing priorities based on the protocol type.
access-list includes
To define an AppleTalk access list that overlaps any part of a range of network numbers or cable ranges (for both extended and nonextended networks), use the access-list includes command in global configuration mode. To remove an access list, use the no form of this command.
access-list access-list-number {deny | permit} includes cable-range [broadcast-deny | broadcast-permit]
no access-list access-list-number [{deny | permit} includes cable-range [broadcast-deny | broadcast-permit]]
Syntax Description
access-list-number | Number of the access list. This is a decimal number from 600 to 699.
deny | Denies access if the conditions are matched.
permit | Permits access if the conditions are matched.
cable-range | Cable range or network number. The argument specifies the start and end of the cable range, separated by a hyphen. These values are decimal numbers from 1 to 65279. The starting network number must be less than or equal to the ending network number. To specify a network number, set the starting and ending network numbers to the same value.
broadcast-deny | (Optional) Denies access to broadcast packets if the conditions are matched.
broadcast-permit | (Optional) Permits access to broadcast packets if the conditions are met.
Defaults
No access lists are predefined.
Command Modes
Global configuration
Command History
Release | Modification
10.0 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
When used as a routing update filter, the access-list includes command affects matching on extended and nonextended AppleTalk networks. The conditions defined by this access list are used when a cable range or network number overlaps, either partially or completely, one (or more) of those specified in the access-list includes command.
When used as a data-packet filter, the conditions defined by this access list are used when the packet's source network lies in the range defined in the access-list includes command.
You apply access lists defined with the access-list includes command to data-packet and routing-update filters (using the appletalk access-group, appletalk distribute-list in, and appletalk distribute-list out commands). You cannot apply them to GZL filters (using the appletalk getzonelist-filter command).
To delete an access list, specify the minimum number of keywords and arguments needed to delete the proper access list. For example, to delete the entire access list, use the following command:
no access-list access-list-number
To delete the access list for a specific network, use the following command:
no access-list access-list-number {deny | permit} includes cable-range
Priority queuing for AppleTalk operates on the destination network number, not the source network number.
Examples
The following example defines an access list that permits access to any network or cable range that overlaps any part of the range 10 to 20. This means, for example, that cable ranges 13 to 16 and 17 to 25 will be permitted. This access list also permits all other ranges.
access-list 600 permit includes 10-20
access-list 600 permit other-access
Related Commands
Command | Description
access-list additional-zones | Defines the default action to take for access checks that apply to zones.
access-list cable-range | Defines an AppleTalk access list for a cable range (for extended networks only).
access-list nbp | Defines an AppleTalk access list entry for a particular NBP named entity, class of NBP named entities, NBP packet type, or NBP named entities belonging to a specific zone.
access-list network | Defines an AppleTalk access list for a single network number (that is, for a nonextended network).
access-list other-access | Defines the default action to take for subsequent access checks that apply to networks or cable ranges.
access-list other-nbps | Defines the default action to take for access checks that apply to NBP packets from named entities not otherwise explicitly denied or permitted.
access-list within | Defines an AppleTalk access list for an extended or a nonextended network whose network number or cable range is included entirely within the specified cable range.
access-list zone | Defines an AppleTalk access list that applies to a zone.
appletalk access-group | Assigns an access list to an interface.
appletalk distribute-list in | Filters routing updates received from other routers over a specified interface.
appletalk distribute-list out | Filters routing updates sent to other routers.
appletalk getzonelist-filter | Filters GZL replies.
priority-list protocol | Establishes queueing priorities based on the protocol type.
access-list nbp
To define an AppleTalk access list entry for a particular Name Binding Protocol (NBP) named entity, class of NBP named entities, NBP packet type, or NBP named entities that belong to a specific zone, use the access-list nbp command in global configuration mode. To remove an NBP access list entry from the access list, use the no form of this command.
access-list access-list-number {deny | permit} nbp sequence-number {BrRq | FwdRq | Lookup | LkReply | object string | type string | zone string}
no access-list access-list-number {deny | permit} nbp sequence-number {BrRq | FwdRq | Lookup | LkReply | object string | type string | zone string}
Syntax Description
access-list-number | Number of the access list. This is a decimal number from 600 to 699.
deny | Denies access if conditions are matched.
permit | Permits access if conditions are matched.
sequence-number | Number used to tie together two or three portions of an NBP name tuple and to keep track of the number of access-list nbp entries in an access list. Each command entry must have a sequence number.
BrRq | Broadcast Request packet type.
FwdRq | Forward Request packet type.
Lookup | Lookup packet type.
LkReply | Lookup Reply packet type.
object | Characterizes string as the portion of an NBP name that identifies a particular object or named entity.
string | Portion of an NBP name identifying the object, type, or zone of a named entity. The name string can be up to 32 characters long, and it can include special characters from the Apple Macintosh character set. To include a special character, type a colon followed by two hexadecimal characters. For an NBP name with a leading space, enter the first character as the special sequence :20.
type | Characterizes string as the portion of an NBP name that identifies a category or type of named entity.
zone | Characterizes string as the portion of an NBP name that identifies an AppleTalk zone.
Defaults
No particular access list entry for an NBP named entity is defined, and the default filtering specified by the access-list other-nbps command takes effect.
Command Modes
Global configuration
Command History
Release | Modification
11.0 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
The access-list nbp command defines the action to take for filtering NBP packets from a particular object (particular named entity), type (class of named entities), or zone (AppleTalk zone in which named entities reside), or for a particular NBP packet type, superseding the default action for NBP packets from all named entities specified by the access-list other-nbps command. For each command that you enter, you must specify a sequence number.
The sequence number serves two purposes:
• Its principal purpose is to allow you to associate two or three portions of an NBP three-part name, referred to as an NBP tuple. To do this, you enter two or three commands having the same sequence number but each specifying a different keyword and NBP name portion: object, type, or zone. The same sequence number binds them together. This provides you with the ability to restrict forwarding of NBP packets at any level, down to a single named entity.
• Its second purpose is to allow you to keep track of the number of access-list nbp entries you have made. You must enter a sequence number even if you do not use it to associate portions of an NBP name.
Examples
The following example adds entries to access list number 607 to allow forwarding of NBP packets from specific sources and deny forwarding of NBP packets from all other sources. The first command adds an entry that allows NBP packets from all printers of type LaserWriter. The second command adds an entry that allows NBP packets from all AppleTalk file servers of type AFPServer. The third command adds an entry that allows NBP packets from all applications called HotShotPaint. For example, there might be an application with a zone name of Accounting and an application with a zone name of engineering, both having the object name of HotShotPaint. NBP packets forwarded from both applications will be allowed.
The access-list other-nbps command denies forwarding of NBP packets from all other sources.
access-list 607 permit nbp 1 type LaserWriter
access-list 607 permit nbp 2 type AFPServer
access-list 607 permit nbp 3 object HotShotPaint
access-list 607 deny other-nbps
access-list 607 permit other-access
The following example adds entries to access list number 608 to deny forwarding of NBP packets from two specific servers whose fully qualified NBP names are specified. It permits forwarding of NBP packets from all other sources.
access-list 608 deny nbp 1 object ServerA
access-list 608 deny nbp 1 type AFPServer
access-list 608 deny nbp 1 zone Bld3
access-list 608 deny nbp 2 object ServerB
access-list 608 deny nbp 2 type AFPServer
access-list 608 deny nbp 2 zone Bld3
access-list 608 permit other-nbps
access-list 608 permit other-access
The following example denies forwarding of NBP Lookup Reply packets for all named entities. It permits forwarding of other NBP packet types from all other sources.
access-list 600 deny nbp 1 LkReply
access-list 600 permit other-nbps
access-list 600 permit other-access
The following example creates an access list that denies forwarding of these packets:
• All NBP Lookup Reply packets
• NBP packets from the server named Bob's Server
• Packets from all AppleTalk file servers of type AFPServer
• All NBP Lookup Reply packets that contain the specified named entities belonging to the zone twilight
access-list 600 deny nbp 1 LkReply
access-list 600 deny nbp 1 object Bob's Server
access-list 600 deny nbp 1 type AFPServer
access-list 600 deny nbp 1 zone twilight
access-list 600 permit other-nbps
access-list 600 permit other-access
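How the sequence number binds object, type and zone into one tuple, and how access-list other-nbps supplies the default, can be checked with a small model. This is an added example, not Cisco code: the function names and list 609 are constructed here, and it assumes NBP names compare case-insensitively, that entries sharing a sequence number share one action, and that tuples are tried in sequence-number order. Packet-type entries (BrRq, FwdRq, Lookup, LkReply) are outside the model.

```python
import re

NBP_ENTRY = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>deny|permit)\s+nbp\s+"
    r"(?P<seq>\d+)\s+(?P<part>object|type|zone)\s+(?P<value>.+?)\s*$")
NBP_DEFAULT = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>deny|permit)\s+other-nbps\s*$")

# Copied from the examples on this page.
PAGE_607 = """\
access-list 607 permit nbp 1 type LaserWriter
access-list 607 permit nbp 2 type AFPServer
access-list 607 permit nbp 3 object HotShotPaint
access-list 607 deny other-nbps
access-list 607 permit other-access
"""
PAGE_608 = """\
access-list 608 deny nbp 1 object ServerA
access-list 608 deny nbp 1 type AFPServer
access-list 608 deny nbp 1 zone Bld3
access-list 608 deny nbp 2 object ServerB
access-list 608 deny nbp 2 type AFPServer
access-list 608 deny nbp 2 zone Bld3
access-list 608 permit other-nbps
access-list 608 permit other-access
"""
# Constructed for this example: a name with a leading space, entered as :20.
CONSTRUCTED_609 = """\
access-list 609 deny nbp 1 object :20Lobby Printer
access-list 609 permit other-nbps
"""


def decode_nbp_string(text):
    """Expand ':XX' escapes (colon plus two hex digits) as Mac Roman bytes."""
    return re.sub(
        r":([0-9A-Fa-f]{2})",
        lambda m: bytes([int(m.group(1), 16)]).decode("mac_roman"),
        text)


def load_nbp_list(config_text, list_number):
    """Return ({sequence: {"action", "parts"}}, default_action) for one list."""
    tuples, default = {}, "deny"   # no other-nbps line means deny
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NBP_DEFAULT.match(line)
        if m and int(m["num"]) == list_number:
            default = m["action"]   # position in the list is irrelevant
            continue
        m = NBP_ENTRY.match(line)
        if not m or int(m["num"]) != list_number:
            continue                # packet-type and non-NBP entries are skipped
        entry = tuples.setdefault(int(m["seq"]),
                                  {"action": m["action"], "parts": {}})
        if entry["action"] != m["action"]:
            raise ValueError(f"sequence {m['seq']} mixes deny and permit")
        if m["part"] in entry["parts"]:
            raise ValueError(f"sequence {m['seq']} repeats {m['part']}")
        entry["parts"][m["part"]] = decode_nbp_string(m["value"]).casefold()
    return tuples, default


def nbp_action(config_text, list_number, obj, typ, zone):
    """Return 'permit' or 'deny' for NBP packets from obj:typ@zone."""
    tuples, default = load_nbp_list(config_text, list_number)
    entity = {"object": obj.casefold(), "type": typ.casefold(),
              "zone": zone.casefold()}
    for seq in sorted(tuples):
        parts = tuples[seq]["parts"]
        # Every portion bound to this sequence number must match.
        if all(entity[name] == value for name, value in parts.items()):
            return tuples[seq]["action"]
    return default


if __name__ == "__main__":
    for entity in [("ServerA", "AFPServer", "Bld3"),
                   ("ServerA", "AFPServer", "Bld4"),
                   ("ServerC", "AFPServer", "Bld3")]:
        print(entity, nbp_action(PAGE_608, 608, *entity))
```

In list 608 only the two fully qualified names are denied: the same server name in another zone falls through to other-nbps, which is why a deny entry meant to cover a whole class of entities should bind only the portions it needs.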
Related Commands
Command | Description
access-list additional-zones | Defines the default action to take for access checks that apply to zones.
access-list cable-range | Defines an AppleTalk access list for a cable range (for extended networks only).
access-list includes | Defines an AppleTalk access list that overlaps any part of a range of network numbers or cable ranges (for both extended and nonextended networks).
access-list network | Defines an AppleTalk access list for a single network number (that is, for a nonextended network).
access-list other-access | Defines the default action to take for subsequent access checks that apply to networks or cable ranges.
access-list other-nbps | Defines the default action to take for access checks that apply to NBP packets from named entities not otherwise explicitly denied or permitted.
access-list within | Defines an AppleTalk access list for an extended or a nonextended network whose network number or cable range is included entirely within the specified cable range.
access-list zone | Defines an AppleTalk access list that applies to a zone.
appletalk access-group | Assigns an access list to an interface.
appletalk distribute-list in | Filters routing updates received from other routers over a specified interface.
appletalk distribute-list out | Filters routing updates sent to other routers.
appletalk getzonelist-filter | Filters GZL replies.
priority-list protocol | Establishes queueing priorities based on the protocol type.
access-list network
To define an AppleTalk access list for a single network number (that is, for a nonextended network), use the access-list network command in global configuration mode. To remove an access list, use the no form of this command.
access-list access-list-number {deny | permit} network network [broadcast-deny | broadcast-permit]
no access-list access-list-number [{deny | permit} network network [broadcast-deny | broadcast-permit]]
Syntax Description
access-list-number | Number of the access list. This is a decimal number from 600 to 699.
deny | Denies access if the conditions are matched.
permit | Permits access if the conditions are matched.
network | AppleTalk network number.
broadcast-deny | (Optional) Denies access to broadcast packets if the conditions are matched.
broadcast-permit | (Optional) Permits access to broadcast packets if the conditions are met.
Defaults
No access lists are predefined.
Command Modes
Global configuration
Command History
Release | Modification
10.0 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
When used as a routing-update filter, the access-list network command affects matching on nonextended networks only. The conditions defined by this access list are used only when the nonextended number in a routing update matches a network number specified in one of the access-list network commands. The conditions are never used to match a cable range (for an extended network) even if the cable range has the same starting and ending number.
When used as a data-packet filter, the conditions defined by this access list are used only when the packet's source network matches the network number specified in the access-list network command.
You apply access lists defined with the access-list network command to data-packet and routing-update filters (using the appletalk access-group, appletalk distribute-list in, and appletalk distribute-list out commands). You cannot apply access lists to GZL filters (using the appletalk getzonelist-filter command).
In software releases before 9.0, the syntax of this command was access-list access-list-number {deny | permit} network. The current version of the software is still able to interpret commands in this format if it finds them in a configuration or boot file. However, it is recommended that you update the commands in your configuration or boot files to match the current syntax.
Use the no access-list command with the access-list-number argument only to remove an entire access list from the configuration. Specify the optional arguments to remove a particular clause.
To delete an access list, specify the minimum number of keywords and arguments needed to delete the proper access list. For example, to delete the entire access list, use the following command:
no access-list access-list-number
To delete the access list for a specific network, use the following command:
no access-list access-list-number {deny | permit} network network
Priority queuing for AppleTalk operates on the destination network number, not the source network number.
Examples
The following example defines an access list that forwards all packets except those destined for networks 1 and 2:
access-list 650 deny network 1
access-list 650 deny network 2
access-list 650 permit other-access
Related Commands
Command | Description
access-list additional-zones | Defines the default action to take for access checks that apply to zones.
access-list cable-range | Defines an AppleTalk access list for a cable range (for extended networks only).
access-list includes | Defines an AppleTalk access list that overlaps any part of a range of network numbers or cable ranges (for both extended and nonextended networks).
access-list nbp | Defines an AppleTalk access list entry for a particular NBP named entity, class of NBP named entities, NBP packet type, or NBP named entities belonging to a specific zone.
access-list other-access | Defines the default action to take for subsequent access checks that apply to networks or cable ranges.
access-list other-nbps | Defines the default action to take for access checks that apply to NBP packets from named entities not otherwise explicitly denied or permitted.
access-list within | Defines an AppleTalk access list for an extended or a nonextended network whose network number or cable range is included entirely within the specified cable range.
access-list zone | Defines an AppleTalk access list that applies to a zone.
appletalk access-group | Assigns an access list to an interface.
appletalk distribute-list in | Filters routing updates received from other routers over a specified interface.
appletalk distribute-list out | Filters routing updates sent to other routers.
appletalk getzonelist-filter | Filters GZL replies.
priority-list protocol | Establishes queueing priorities based on the protocol type.
access-list other-access
To define the default action to take for subsequent access checks that apply to networks or cable ranges, use the access-list other-access command in global configuration mode. To remove an access list, use the no form of this command.
access-list access-list-number {deny | permit} other-access
no access-list access-list-number other-access
Syntax Description
access-list-number | Number of the access list. This is a decimal number from 600 to 699.
deny | Denies access if the conditions are matched.
permit | Permits access if the conditions are matched.
Defaults
No access lists are predefined.
Command Modes
Global configuration
Command History
Release | Modification
11.0 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
The access-list other-access command defines the action to take for access checks not explicitly defined with an access-list network, access-list cable-range, access-list includes, or access-list within command. If you do not specify this command, the default action is to deny other access.
You apply access lists defined with the access-list other-access command to data-packet and routing-update filters (using the appletalk access-group, appletalk distribute-list in, and appletalk distribute-list out commands). You cannot apply them to GZL filters (using the appletalk getzonelist-filter command).
In software releases before 9.0, the syntax of this command was access-list access-list-number {deny | permit} -1. The current version of the software is still able to interpret commands in this format if it finds them in a configuration or boot file. However, it is recommended that you update the commands in your configuration or boot files to match the current syntax.
Priority queuing for AppleTalk operates on the destination network number, not the source network number.
Examples
The following example defines an access list that forwards all packets except those destined for networks 1 and 2:
access-list 650 deny network 1
access-list 650 deny network 2
access-list 650 permit other-access
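The usage guidelines for access-list cable-range, access-list includes, access-list network and access-list other-access give each keyword a different matching rule when the list filters routing updates; the model below applies those rules so a list can be checked before it is deployed. This is an added example, not Cisco code: the function names and lists 601 and 602 are constructed here, and it assumes the entries of a list do not overlap, so the first matching entry decides.

```python
import re

# Network-type entries only; zone and nbp entries are ignored by this model.
ENTRY = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>deny|permit)\s+"
    r"(?:(?P<kind>cable-range|includes|within)\s+(?P<lo>\d+)-(?P<hi>\d+)"
    r"|network\s+(?P<net>\d+)"
    r"|(?P<default>other-access))(?:\s|$)")

# Copied from the examples on this page.
PAGE_600 = """\
access-list 600 deny cable-range 10-20
access-list 600 permit other-access
"""
PAGE_650 = """\
access-list 650 deny network 1
access-list 650 deny network 2
access-list 650 permit other-access
"""
# Constructed for comparison (not from the page).
CONSTRUCTED_601 = """\
access-list 601 deny includes 10-20
access-list 601 permit other-access
"""
CONSTRUCTED_602 = """\
access-list 602 permit within 100-200
"""


def load_list(config_text, list_number):
    """Return ([(action, kind, lo, hi)], default_action) for one list."""
    entries, default = [], "deny"   # no other-access line means deny
    for raw in config_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m or int(m["num"]) != list_number:
            continue
        if m["default"]:
            default = m["action"]
        elif m["net"]:
            net = int(m["net"])
            entries.append((m["action"], "network", net, net))
        else:
            lo, hi = int(m["lo"]), int(m["hi"])
            if not 1 <= lo <= hi <= 65279:
                raise ValueError(f"bad cable range in: {raw.strip()}")
            entries.append((m["action"], m["kind"], lo, hi))
    return entries, default


def entry_matches(kind, lo, hi, start, end, extended):
    """Apply one keyword's routing-update matching rule to a route."""
    if kind == "cable-range":   # extended networks only, exact range
        return extended and (start, end) == (lo, hi)
    if kind == "network":       # nonextended only, never a range like 1-1
        return not extended and start == lo
    if kind == "includes":      # any partial or complete overlap
        return start <= hi and lo <= end
    if kind == "within":        # route lies entirely inside the range
        return lo <= start and end <= hi
    return False


def route_update_action(config_text, list_number, start, end=None):
    """Decide a routing-update entry. Pass end for an extended network
    (cable range start-end); omit it for a nonextended network number."""
    extended = end is not None
    if not extended:
        end = start
    entries, default = load_list(config_text, list_number)
    for action, kind, lo, hi in entries:
        if entry_matches(kind, lo, hi, start, end, extended):
            return action
    return default


if __name__ == "__main__":
    for route in [(10, 20), (10, 15), (12, None)]:
        print("600", route, route_update_action(PAGE_600, 600, *route))
        print("601", route, route_update_action(CONSTRUCTED_601, 601, *route))
```

With list 600, an update for cable range 10-15 or for nonextended network 12 is not an exact match and falls through to permit other-access, while the includes form in list 601 denies both.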
Related Commands
Command | Description
access-list additional-zones | Defines the default action to take for access checks that apply to zones.
access-list cable-range | Defines an AppleTalk access list for a cable range (for extended networks only).
access-list includes | Defines an AppleTalk access list that overlaps any part of a range of network numbers or cable ranges (for both extended and nonextended networks).
access-list nbp | Defines an AppleTalk access list entry for a particular NBP named entity, class of NBP named entities, NBP packet type, or NBP named entities belonging to a specific zone.
access-list network | Defines an AppleTalk access list for a single network number (that is, for a nonextended network).
access-list other-nbps | Defines the default action to take for access checks that apply to NBP packets from named entities not otherwise explicitly denied or permitted.
access-list within | Defines an AppleTalk access list for an extended or a nonextended network whose network number or cable range is included entirely within the specified cable range.
access-list zone | Defines an AppleTalk access list that applies to a zone.
appletalk access-group | Assigns an access list to an interface.
appletalk distribute-list in | Filters routing updates received from other routers over a specified interface.
appletalk distribute-list out | Filters routing updates sent to other routers.
priority-list protocol | Establishes queueing priorities based on the protocol type.
access-list other-nbps
To define the default action to take for access checks that apply to Name Binding Protocol (NBP) packets from named entities not otherwise explicitly denied or permitted, use the access-list other-nbps command in global configuration mode. To remove an access list, use the no form of this command.
access-list access-list-number {deny | permit} other-nbps
no access-list access-list-number {deny | permit} other-nbps
Syntax Description
access-list-number | Number of the access list for AppleTalk. This is a decimal number from 600 to 699.
deny | Denies access if conditions are matched.
permit | Permits access if conditions are matched.
Defaults
Access is denied.
Command Modes
Global configuration
Command History
Release | Modification
11.0 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
The access-list other-nbps command defines the action to take for filtering of NBP packets from named entities not explicitly defined by an access-list nbp command. It allows you to implement the default AppleTalk network security state at the named entity level. Any access-list nbp commands you enter affect a particular named entity object, class of named entities, or all named entities within a zone. This command sets the security state for all other NBP named entities. If you do not specify this command, the default action is to deny access.
You can use this command to create an entry in an access list before or after you issue access-list nbp commands. The order of the command in the access list is irrelevant.
Examples
The following example permits forwarding of all NBP packets from all sources except AppleTalk file servers of type AFPServer:
access-list 607 deny nbp 2 type AFPServer
access-list 607 permit other-nbps
Related Commands
Command | Description
access-list additional-zones | Defines the default action to take for access checks that apply to zones.
access-list cable-range | Defines an AppleTalk access list for a cable range (for extended networks only).
access-list includes | Defines an AppleTalk access list that overlaps any part of a range of network numbers or cable ranges (for both extended and nonextended networks).
access-list nbp | Defines an AppleTalk access list entry for a particular NBP named entity, class of NBP named entities, NBP packet type, or NBP named entities belonging to a specific zone.
access-list network | Defines an AppleTalk access list for a single network number (that is, for a nonextended network).
access-list other-access | Defines the default action to take for subsequent access checks that apply to networks or cable ranges.
access-list within | Defines an AppleTalk access list for an extended or a nonextended network whose network number or cable range is included entirely within the specified cable range.
access-list zone | Defines an AppleTalk access list that applies to a zone.
appletalk access-group | Assigns an access list to an interface.
appletalk distribute-list in | Filters routing updates received from other routers over a specified interface.
appletalk distribute-list out | Filters routing updates sent to other routers.
appletalk getzonelist-filter | Filters GZL replies.
priority-list protocol | Establishes queueing priorities based on the protocol type.
access-list within
To define an AppleTalk access list for an extended or a nonextended network whose network number or cable range is included entirely within the specified cable range, use the access-list within command in global configuration mode. To remove this access list, use the no form of this command.
access-list access-list-number {deny | permit} within cable-range
no access-list access-list-number [{deny | permit} within cable-range]
Syntax Description
access-list-number | Number of the access list. This is a decimal number from 600 to 699.
deny | Denies access if the conditions are matched.
permit | Permits access if the conditions are matched.
cable-range | Cable range or network number. The argument specifies the start and end of the cable range, separated by a hyphen. These values are decimal numbers from 1 to 65279. The starting network number must be less than or equal to the ending network number. To specify a network number, set the starting and ending network numbers to the same value.
Defaults
No access lists are predefined.
Command Modes
Global configuration
Command History
Release | Modification
10.0 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
When used as a routing update filter, the access-list within command affects matching on extended and nonextended AppleTalk networks. The conditions defined by this access list are used when a cable range or network number overlaps, either partially or completely, one (or more) of those specified in the access-list within command.
When used as a data-packet filter, the conditions defined by this access list are used when the packet's source network lies in the range defined in the access-list within command.
You apply access lists defined with the access-list within command to data-packet and routing-update filters (using the appletalk access-group, appletalk distribute-list in, and appletalk distribute-list out commands). You cannot apply them to GZL filters (using the appletalk getzonelist-filter command).
To delete an access list, specify the minimum number of keywords and arguments needed to delete the proper access list. For example, to delete the entire access list, use the following command:
no access-list access-list-number
To delete the access list for a specific network, use the following command:
no access-list access-list-number {deny | permit} within cable-range
Priority queuing for AppleTalk operates on the destination network number, not the source network number.
Examples
The following example defines an access list that permits access to any network or cable range that is completely included in the range 10 to 20. This means, for example, that cable range 13 to 16 will be permitted, but cable range 17 to 25 will not be. The second line of the access list permits all other packets.
access-list 600 permit within 10-20
access-list 600 permit other-access
Related Commands
Command | Description
access-list additional-zones | Defines the default action to take for access checks that apply to zones.
access-list cable-range | Defines an AppleTalk access list for a cable range (for extended networks only).
access-list includes | Defines an AppleTalk access list that overlaps any part of a range of network numbers or cable ranges (for both extended and nonextended networks).
access-list nbp | Defines an AppleTalk access list entry for a particular NBP named entity, class of NBP named entities, NBP packet type, or NBP named entities belonging to a specific zone.
access-list network | Defines an AppleTalk access list for a single network number (that is, for a nonextended network).
access-list other-access | Defines the default action to take for subsequent access checks that apply to networks or cable ranges.
access-list other-nbps | Defines the default action to take for access checks that apply to NBP packets from named entities not otherwise explicitly denied or permitted.
access-list zone | Defines an AppleTalk access list that applies to a zone.
appletalk access-group | Assigns an access list to an interface.
appletalk distribute-list in | Filters routing updates received from other routers over a specified interface.
appletalk distribute-list out | Filters routing updates sent to other routers.
appletalk getzonelist-filter | Filters GZL replies.
priority-list protocol | Establishes queueing priorities based on the protocol type.
access-list zone
To define an AppleTalk access list that applies to a zone, use the access-list zone command in global configuration mode. To remove an access list, use the no form of this command.
access-list access-list-number {deny | permit} zone zone-name
no access-list access-list-number [{deny | permit} zone zone-name]
Syntax Description
access-list-number | Number of the access list. This is a decimal number from 600 to 699.
deny | Denies access if the conditions are matched.
permit | Permits access if the conditions are matched.
zone-name | Name of the zone. The name can include special characters from the Apple Macintosh character set. To include a special character, type a colon followed by two hexadecimal characters. For zone names with a leading space character, enter the first character as the special sequence :20.
Defaults
No access lists are predefined.
Command Modes
Global configuration
Command History
Release | Modification
10.0 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
You apply access lists defined with the access-list zone command to outgoing routing update and GZL filters (using the appletalk distribute-list out and appletalk getzonelist-filter commands). You cannot apply them to data-packet filters (using the appletalk access-group command) or to incoming routing update filters (using the appletalk distribute-list in command).
To delete an access list, specify the minimum number of keywords and arguments needed to delete the proper access list. For example, to delete the entire access list, use the following command:
no access-list access-list-number
To delete the access list for a specific network, use the following command:
no access-list access-list-number {deny | permit} zone zone-name
Use the access-list additional-zones command to define the action to take for access checks not explicitly defined with the access-list zone command.
Note
AppleTalk zone access lists on an Enhanced Interior Gateway Routing Protocol (Enhanced IGRP) interface will not filter the distribution of Enhanced IGRP routes. When the appletalk distribute-list out command is applied to an Enhanced IGRP interface, any access-list zone commands in the specified access list will be ignored.
Examples
The following example creates an access list based on AppleTalk zones:
access-list 610 deny zone Twilight
access-list 610 permit additional-zones
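The usage guidelines for access-list other-access, access-list within, and access-list zone each restrict which filter commands a list may be applied with, and access-list other-nbps defaults to deny when omitted. The following Python audit of a configuration file is an added example, not part of the Cisco documentation; the sample configuration is constructed, and the position of the list number in the appletalk access-group, appletalk distribute-list, and appletalk getzonelist-filter lines is an assumption.

```python
import re

# Filters each entry kind may be applied with, per the usage guidelines above.
NET_FILTERS = {"access-group", "distribute-list in", "distribute-list out"}
ALLOWED = {"other-access": NET_FILTERS, "within": NET_FILTERS,
           "zone": {"distribute-list out", "getzonelist-filter"}}

# Constructed sample configuration (not from a real device).
SAMPLE = """\
access-list 600 permit within 10-20
access-list 600 permit other-access
access-list 607 deny nbp 2 type AFPServer
access-list 610 deny zone Twilight
access-list 610 permit additional-zones
access-list 620 deny within 30-25
interface Ethernet0
 appletalk access-group 610
 appletalk distribute-list 610 out
 appletalk getzonelist-filter 600
"""

def audit(config):
    """Return findings for the AppleTalk access lists in an IOS configuration."""
    findings, kinds, uses = [], {}, []
    for line in (raw.strip() for raw in config.splitlines()):
        w = line.split()
        if len(w) >= 4 and w[0] == "access-list" and w[1].isdecimal():
            num, kind = int(w[1]), w[3]
            if not 600 <= num <= 699:
                continue  # only 600-699 are AppleTalk lists; skip everything else
            if kind == "within":
                m = re.fullmatch(r"(\d+)-(\d+)", w[4] if len(w) > 4 else "")
                if not m or not 1 <= int(m[1]) <= int(m[2]) <= 65279:
                    findings.append(f"{line}: bad cable range (1-65279, start <= end)")
            kinds.setdefault(num, set()).add(kind)
        # Assumed argument order: the list number follows the filter keyword.
        elif len(w) >= 3 and w[0] == "appletalk" and w[2].isdecimal():
            if w[1] in ("access-group", "getzonelist-filter"):
                uses.append((int(w[2]), w[1], line))
            elif w[1] == "distribute-list" and len(w) >= 4:
                uses.append((int(w[2]), f"distribute-list {w[3]}", line))
    for num, flt, line in uses:
        for kind in sorted(kinds.get(num, ())):
            if kind in ALLOWED and flt not in ALLOWED[kind]:
                findings.append(f"{line}: '{kind}' entries cannot be applied with {flt}")
    for num, entry_kinds in sorted(kinds.items()):
        if "nbp" in entry_kinds and "other-nbps" not in entry_kinds:
            findings.append(f"list {num}: no other-nbps entry, so all other NBP entities are denied")
    return findings
```

Run against SAMPLE, audit reports the reversed range in list 620, the zone list bound with appletalk access-group, both network entries of list 600 bound as a GZL filter, and list 607 falling back to the other-nbps default.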
Related Commands
Command | Description
access-list additional-zones | Defines the default action to take for access checks that apply to zones.
access-list cable-range | Defines an AppleTalk access list for a cable range (for extended networks only).
access-list includes | Defines an AppleTalk access list that overlaps any part of a range of network numbers or cable ranges (for both extended and nonextended networks).
access-list nbp | Defines an AppleTalk access list entry for a particular NBP named entity, class of NBP named entities, NBP packet type, or NBP named entities belonging to a specific zone.
access-list network | Defines an AppleTalk access list for a single network number (that is, for a nonextended network).
access-list other-access | Defines the default action to take for subsequent access checks that apply to networks or cable ranges.
access-list other-nbps
|
Defines the default a |