Title: DECbrouter90 V9.14/V10.x example of DECnet Phase IV access-lists on FR

Product: DECbrouter90 V9.14/V10.x

Question: How can I limit DECnet phase IV access to specific nodes?

Solution: This is an example configuration which creates DECnet Phase IV
access lists so that access is only granted to particular nodes across a
Frame-Relay LAN-style (V9.14-style) interface.

                 ------------------
                 |                |
                 |  Frame-Relay   |
                 |     cloud      |
                 |  -----------   |
                 |  |         |   |
                 |  |         |   |
                 ------------------
              DCE   |         |   DCE
        DLCI #101   |         |   DLCI #100
                    |         |
                   / \       / \
                  /   \ DTE /   \ DTE
           ---------               ---------
           |  S0   |---------------|  S0   |
           | BRUTK |               | BRUTL |
           |  E0   |               |  E0   |
           ---------               ---------
               |                       |
        3.1022 |                       | 3.1023
   -------------------------       ---------
        |             |
   ----------    ----------
   | DNAIV  |    | DNAIV  |
   | HOST   |    | Host   |
   | 3.60   |    | 3.1    |
   ----------    ----------

********************************************************************************
EXAMPLE DBR90 BRUTL CONFIGURATION
********************************************************************************

BRUTL#show config
!
version 10.0
!
! This is the version of the DECbrouter 90 code I used.
!
decnet routing 3.1023
!
! This enables the DECnet routing protocol.
!
decnet node-type routing-iv
!
! This makes the router a DECnet level-1 router.
!
interface Ethernet0
!
decnet cost 1
!
! This command enables DECnet routing on this interface.
!
interface Serial0
!
encapsulation frame-relay
!
! This command enables Frame Relay encapsulation running CHDLC
!
keepalive 15
!
! This is needed for LMI heart beat signals.
!
decnet cost 2
!
! This command enables DECnet routing on this interface.
!
decnet in-routing-filter 301
!
! This command implements the access list 301 to permit filtering. You need to
! use in-routing-filter here because this will block all routes from DECnet
! nodes it receives on its serial interface that are not permitted via the
! access-list 301 filter. You must allow packets to come from the BRUTK on the
! remote end or you will not receive any routing updates.
!
frame-relay lmi-type ansi
!
! This command sets up the LMI type whether it be CISCO, ANSI or CCITT. You
! need to ask your frame relay service provider what this should be configured
! for.
!
frame-relay map decnet 3.1022 100 broadcast
!
! This is required to allow for routing updates to be exchanged between the
! two routers. The 3.1022 is the remote router and the 100 is the DLCI assigned
! to get to that router.
!
access-list 301 permit 3.1022 0.0
!
! This decnet access list along with the decnet in-routing-filter command on
! serial 0 permits this router to receive routing updates from the remote
! BRUTK router 3.1022. The 0.0 is a binary mask and in this case we want to
! match on the entire 3.1022 address.
!
access-list 301 permit 3.60 0.0
!
! This decnet access list along with the decnet in-routing-filter command on
! serial 0 permits this router to place node 3.60 in its routing table, thus
! allowing access to it. All other nodes which you don't want customers to
! access from the DECbrouter 90 remote sites should not be put into an access
! list. The 0.0 is a binary mask and in this case we want to match on the
! entire 3.60 address.
!
end

BRUTL#ping decnet 3.1022
Type escape sequence to abort.
Sending 5, DECnet echos to 3.1022, timeout is 5 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

BRUTL#ping decnet 3.60
Type escape sequence to abort.
Sending 5, DECnet echos to 3.60, timeout is 5 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

BRUTL#ping decnet 3.1
Type escape sequence to abort.
Sending 5, DECnet echos to 3.1, timeout is 5 seconds:
Host unreachable+ Host unreachable+ Host unreachable+ Host unreachable+ Host unreachable+
Success rate is 0 percent (0/5)

BRUTL#show decnet route
  Node       Cost  Hops    Next Hop to Node       Expires  Prio
*3.60           3     2    Serial0 -> 3.1022
*3.1022         2     1    Serial0 -> 3.1022         38     64   V+
*3.1023         0     0    (Local) -> 3.1023
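
The following is an added example, not part of the original article or the DECbrouter software: a simplified Python model of how access list 301 selects nodes from a received routing update, useful for checking what a filter admits before deploying it. It assumes first-match-wins with an implicit deny at the end and that bits set in the mask are "don't care" bits; the function names and the advertised node list are constructed for illustration.

```python
# Added example: simplified model of how a DECnet Phase IV access list
# (address + mask, mask bits set = "don't care") selects node addresses.
import re

def encode(addr):
    """'area.node' -> 16-bit value: 6-bit area, 10-bit node."""
    area, node = (int(p) for p in addr.split("."))
    if not (0 <= area <= 63 and 0 <= node <= 1023):
        raise ValueError(f"not a DECnet Phase IV address or mask: {addr}")
    return (area << 10) | node

def parse_acl(config, number):
    """Return [(action, address, mask), ...] for one access list, in order."""
    pat = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s*$")
    rules = []
    for line in config.splitlines():
        m = pat.match(line)
        if m and int(m.group(1)) == number:
            rules.append((m.group(2), encode(m.group(3)), encode(m.group(4))))
    return rules

def permitted(rules, node):
    """First matching entry wins; no match means the implicit deny applies."""
    value = encode(node)
    for action, addr, mask in rules:
        if (value & ~mask & 0xFFFF) == (addr & ~mask & 0xFFFF):
            return action == "permit"
    return False

def filter_routes(rules, advertised):
    """Nodes from a received routing update that would be accepted."""
    return [n for n in advertised if permitted(rules, n)]

# The two entries from the BRUTL configuration above.
BRUTL_ACL = """
access-list 301 permit 3.1022 0.0
access-list 301 permit 3.60 0.0
"""
# Constructed routing update as BRUTK might advertise it (sample data).
ADVERTISED = ["3.1", "3.60", "3.1022"]

if __name__ == "__main__":
    rules = parse_acl(BRUTL_ACL, 301)
    for node in ADVERTISED:
        print(node, "accepted" if permitted(rules, node) else "filtered")
```

With the 0.0 masks from the article only the two listed nodes pass, which matches the `show decnet route` output; a mask such as 0.1023 would instead admit every node in the area, so audit masks as carefully as addresses.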