IBM SC30-3865-04 Network Router User Manual
Area routing filters allow you to configure a router to control the information about
DECnet areas that is sent or accepted in level 2 routing messages. You may
configure separate incoming and outgoing filters for each interface. Each filter
specifies the areas for which routing information will be passed on or accepted.

When the router sends a level 2 routing update and an outgoing routing filter is
configured, the entry (RTGINFO) for any area not in the filter is given a cost of 1023
and a hop count of 63. Any area in the filter has its correct cost and hop count
placed in the entry.

When the router receives a level 2 routing message and an incoming routing filter is
configured, any entry for an area not in the filter is treated as if its cost were 1023
and its hop count 63 (unreachable). Any routing entry in the packet for an area that
is in the filter is processed normally.
Routing filters affect the processing of level 2 routing messages only; there are
no filters for level 1 routing messages. Routing filters have no effect on router hello
processing and do not prevent area routers from forming adjacencies. They do,
however, affect the area routing database. If the filters prevent an area router from
learning about another area, they prevent the router from becoming attached, and
an unattached router cannot advertise itself as an area router.
Security by Area Filtering
Like access controls, routing filters provide security. However, routing filters have
some disadvantages compared to access controls:
- Area filtering is less flexible than access controls because it requires the
  assignment of areas to correspond to the desired security architecture.
- Area filtering is more difficult to understand and configure.
- The level of security is lower because a host that ignores the lack of routing
  information can send the packets to the correct router anyway.
However, area filtering is more efficient because there is no need to check every
packet. In the following example, area filtering is applied in an area that contains
workstations and that is part of a large network containing machines with
confidential information. There might be one machine outside the area that the
confidential machines need to reach for information.
In Figure 18 on page 258, area 13 contains workstations that need to be able to
reach area 7. Node 13.1 is the router, and the other nodes are the workstations.
Node 13.1 has a filter to accept only routes to area 7. Therefore, if node 13.1
receives a packet from any node in area 13 not destined for area 7, node 13.1
cannot forward the packet and sends the sending node an error message.
To configure router 13.1 in Figure 18 on page 258, enter the following NCP
commands and parameters:
NCP> def mod routing-filter circ eth/1 incoming area 7
NCP> def mod routing-filter circ eth/1 incoming state on
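The following is an added model of the filter behaviour described above (the RTGINFO rewrite to cost 1023 / 63 hops, and the forwarding consequence for node 13.1); it is not code from the IBM manual or from the router. The entry layout, area numbers and costs are constructed sample values.

```python
# Added example: a model of how a DECnet level 2 area routing filter
# rewrites RTGINFO entries, following the rules given in the manual.
# The dictionary layout and all sample values are constructed here.

UNREACHABLE_COST = 1023   # cost the manual gives for an area outside the filter
UNREACHABLE_HOPS = 63     # hop count the manual gives for an area outside the filter


def filter_rtginfo(rtginfo, allowed_areas):
    """Apply an area routing filter to a level 2 routing message.

    rtginfo: {area: (cost, hops)} as carried in the message.
    allowed_areas: the areas configured in the filter.

    The same rewrite models both directions: on output, entries for
    areas not in the filter are advertised as (1023, 63); on input,
    such entries are treated as (1023, 63) before the area routing
    database is updated. Allowed areas keep their real values.
    """
    filtered = {}
    for area, (cost, hops) in rtginfo.items():
        if area in allowed_areas:
            filtered[area] = (cost, hops)
        else:
            filtered[area] = (UNREACHABLE_COST, UNREACHABLE_HOPS)
    return filtered


def is_reachable(entry):
    """An entry at the manual's unreachable marker (1023 cost, 63 hops)
    offers no route; anything below both limits does."""
    cost, hops = entry
    return cost < UNREACHABLE_COST and hops < UNREACHABLE_HOPS


def can_forward(area_database, dest_area):
    """Node 13.1 in the manual's example: a packet is forwarded only if its
    destination area is reachable in the (filtered) database. Otherwise the
    router cannot forward it and returns an error to the sending node."""
    entry = area_database.get(dest_area)
    return entry is not None and is_reachable(entry)


if __name__ == "__main__":
    # Constructed level 2 message heard on eth/1, listing three areas.
    received = {7: (12, 3), 12: (5, 1), 25: (40, 6)}
    database = filter_rtginfo(received, {7})     # incoming filter: area 7 only
    print(database)                              # 12 and 25 now show (1023, 63)
    print(can_forward(database, 7), can_forward(database, 12))
```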
Using DNA IV
Chapter 7. Using DNA IV 257