I apologize if this question is inappropriate for this list, but I'm at my
wit's end. I've posted this to the comp.sys.cisco newsgroup and I've spoken
to 3 techs at Cisco. I've received many different answers, even from the
same person at Cisco.
Detail:
SETUP: APPLETALK Network, Cisco routers in each office. Running APPLETALK
OFFICE B OFFICE C OFFICE E
|| || ||
Zone B-1---| Zone C-1 Zone E-1
Zone B-2*--|----Frame Relay------Zone C-2*---Frame Relay------Zone E-2*
Zone B-3---| Zone C-3 Zone E-3
| |
| |
Frame Relay Frame Relay
| |
| |
Zone A-1 Zone D-1
Zone A-2* Zone D-2*
Zone A-3 Zone D-3
|| ||
OFFICE A OFFICE D
We wish to have all users in every zone have access to their local zones and
only Zone #2 in each office. For example, a user in the "B" office should see
Apple Zones B-1, B-2, B-3, A-2, C-2, D-2, and E-2. Users in the "D" office
should see appletalk zones D-1, D-2, D-3, A-2, B-2, C-2, and E-2, etc.
What is the best way to implement filters for the above configuration? Some
of the answers I've received: 1) Use outbound appletalk zip-reply filters; 2)
use outbound appletalk distribute-list filters; 3) use the "apple
free-trade-zone" command (although no one knows quite how); and 4) Have each
office send ALL appletalk zone information to all of the other offices and
have each office filter INBOUND traffic.
The consensus at Cisco is that solution #4 is best because the other ways
will cause "zipreply storms" and other problems: While everyone can see the
#2 zones, the #2 zones cannot see back into the other zones. Therefore, those
packets will have problems getting back to those machines in the #2 zones.
However, we don't want the other offices to have control over *our* security.
If there are any Appletalk Cisco gurus or gods out there, or if you know of
any (commercial consultants included), please e-mail me privately, since I
know the resulting discussion may well be inappropriate to the rest of the list.
I'll post a summary of the responses.
Thanks in advance,
David Glosser
Glosser @ bbdo . com