[comp.dcom.sys.cisco] Questions about DECnet security on a CISCO router

MCM_Dorenbos@pttrnl.nl (M.C.M. Dorenbos, +31 70 332 5127, PTT Research, NL) (06/12/90)

Our laboratory considers the use of a CISCO router to make a WAN
connection. We have tested a CISCO router (model MGS) with software version
8.0 (10). The CISCO router should be the entrance of our network, so the
security should be arranged on the router. Basically, we want the users on
our LAN to be able to do whatever they like (within certain limits, of
course); the users who are not on our LAN should have limited access to
our network (e.g. MAIL). On page 5-21,22 in the 'Gateway System Manual'
(April 1990) is an example of how to accomplish this for a TCP/IP network.

However, it is not clear to me how to accomplish this with DECnet. Consider
the following network:

          +-----+   
  --+-----|CISCO|-----+--
    |     +-----+     |
  DECnet            DECnet
  station           station
  1.4               1.20

Suppose I want to restrict the communication from 1.20 to 1.4, but I do not
want to restrict 1.4 in any way. The following access-list should
accomplish this:

     access-list 301 deny   1.20   0.0     1.4   0.0
     access-list 301 permit 0.0   63.1023  0.0  63.1023

So, node 1.4 can do anything he wants to...
Suppose node 1.4 wants to make a DECnet connection to 1.20 (CTERM, NCP tell
1.20, etc.). A part of the communication is that node 1.20 sends DECnet
messages to 1.4. The first line in the access-list forbids this, so a nasty
side effect of the above access-list is that node 1.4 cannot communicate
with node 1.20!
So the diode function which you can create with TCP/IP does not seem
possible with DECnet. I hope that somebody can tell me how to configure the
CISCO in such a way that the diode function with DECnet is accomplished.

Marcel Dorenbos, PTT Research Neher Laboratory, The Netherlands.

EARN/BITnet     : DORENBOS@HLSDNL5
INTERnet        : DORENBOS%HLSDNL5@CUNYVM.CUNY.EDU
eMail           : MCM_Dorenbos@PTTRNL.NL
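The side effect described in the post can be reproduced by evaluating the two access-list lines the way a stateless packet filter does, one packet at a time and with no memory of which node opened the session. The script below is an added example written for this page; it is not code from the original post or from Cisco. It assumes the Cisco DECnet extended access-list form `access-list <n> <permit|deny> <src> <src-mask> <dst> <dst-mask>`, that a DECnet Phase IV address is 6 area bits plus 10 node bits, that mask bits set to 1 are "don't care" (so `0.0` is an exact match and `63.1023` matches any node), that the first matching entry wins, and that an unmatched packet falls to an implicit deny. The `session_verdict` helper and the constructed third node 1.7 are the example's own additions.

```python
"""Stateless evaluation of Cisco-style DECnet extended access lists.

Added example, not from the original post or from Cisco. Assumptions:
- entry syntax: access-list <n> <permit|deny> <src> <src-mask> <dst> <dst-mask>
- DECnet Phase IV address "area.node": 6-bit area, 10-bit node (16 bits total)
- mask bits set to 1 are "don't care" (0.0 = exact match, 63.1023 = any)
- first matching entry wins; an unmatched packet hits an implicit deny
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ADDR_BITS = 0xFFFF  # 6 area bits + 10 node bits


def parse_addr(text: str) -> int:
    """Convert 'area.node' into the 16-bit DECnet address (area in the high bits)."""
    area_s, node_s = text.split(".")
    area, node = int(area_s), int(node_s)
    if not (0 <= area <= 63 and 0 <= node <= 1023):
        raise ValueError(f"bad DECnet address {text!r}")
    return (area << 10) | node


def fmt_addr(addr: int) -> str:
    """Inverse of parse_addr, for readable output."""
    return f"{addr >> 10}.{addr & 0x3FF}"


@dataclass(frozen=True)
class Entry:
    action: str      # "permit" or "deny"
    src: int
    src_mask: int    # assumed wildcard semantics: 1 bits are ignored when matching
    dst: int
    dst_mask: int


def parse_entry(line: str) -> Entry:
    """Parse one access-list line into an Entry."""
    f = line.split()
    if len(f) != 7 or f[0] != "access-list" or f[2] not in ("permit", "deny"):
        raise ValueError(f"unrecognised access-list line: {line!r}")
    return Entry(f[2], parse_addr(f[3]), parse_addr(f[4]),
                 parse_addr(f[5]), parse_addr(f[6]))


def matches(e: Entry, src: int, dst: int) -> bool:
    """True if the packet's source and destination both fall inside the entry."""
    care_s = ~e.src_mask & ADDR_BITS
    care_d = ~e.dst_mask & ADDR_BITS
    return (src & care_s) == (e.src & care_s) and (dst & care_d) == (e.dst & care_d)


def evaluate(acl: List[Entry], src: int, dst: int) -> Tuple[str, str]:
    """Return (action, reason) for a single packet: first match wins, else implicit deny."""
    for n, e in enumerate(acl, start=1):
        if matches(e, src, dst):
            return e.action, f"entry {n}"
    return "deny", "implicit deny"


def session_verdict(acl: List[Entry], initiator: str, responder: str) -> Dict[str, object]:
    """A DECnet session (CTERM, NCP TELL, ...) needs packets to pass in both
    directions, but each packet is judged on its own; the filter does not know
    who opened the session. The session only works if both directions permit."""
    i, r = parse_addr(initiator), parse_addr(responder)
    fwd, fwd_why = evaluate(acl, i, r)
    rev, rev_why = evaluate(acl, r, i)
    return {
        "forward": fwd, "forward_by": fwd_why,
        "reverse": rev, "reverse_by": rev_why,
        "session_works": fwd == "permit" and rev == "permit",
    }


# The two lines quoted in the post (copied here as constructed input).
POST_ACL = [parse_entry(line) for line in (
    "access-list 301 deny   1.20   0.0     1.4   0.0",
    "access-list 301 permit 0.0   63.1023  0.0  63.1023",
)]

if __name__ == "__main__":
    # 1.7 is a constructed third node to show an unrestricted pair for contrast.
    for a, b in (("1.4", "1.20"), ("1.20", "1.4"), ("1.4", "1.7")):
        v = session_verdict(POST_ACL, a, b)
        print(f"{a} -> {b}: forward={v['forward']} ({v['forward_by']}), "
              f"reverse={v['reverse']} ({v['reverse_by']}), "
              f"session works: {v['session_works']}")
```

Running it shows that 1.4 opening a session to 1.20 is permitted by entry 2 in the forward direction but the replies from 1.20 are denied by entry 1, so the session fails exactly as the post describes. The underlying point is that a per-packet filter with no connection state cannot distinguish "1.20 replying to 1.4" from "1.20 initiating to 1.4"; the TCP/IP "diode" works only because TCP carries a flag that marks the session-opening packet, and DECnet routing-layer filtering has no equivalent to key on.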