Local session termination allows routers to act as proxies for remote systems that represent session endpoints. (A proxy is a device that acts on behalf of another device.) Figure 2-12 illustrates an example of local session termination in an IBM environment.

Figure 2-12 Local session termination over multiprotocol backbone.
[Figure: Token Ring, Router, multiprotocol backbone, Router, Token Ring, with a 3745 at one end and a 3x74 controller at the other. Each Token Ring side carries an LLC2 session with its own T1 timer and local acknowledgments; a TCP/IP session across the backbone provides reliable transport, TCP flow control, and error recovery.]

In Figure 2-12, the routers locally terminate Logical Link Control type 2 (LLC2) data-link control sessions. Instead of end-to-end sessions, during which all session control information is passed over the multiprotocol backbone, the routers take responsibility for acknowledging packets that come from hosts on directly attached LANs. Local acknowledgment saves WAN bandwidth (and, therefore, WAN utilization costs), solves session timeout problems, and provides faster response to users.

Area and Service Filtering

Traffic filters based on area or service type are the primary distribution service tools used to provide policy-based access control into backbone services. Both area and service filtering are implemented using access lists. An access list is a sequence of statements, each of which either permits or denies certain conditions or addresses. Access lists can be used to permit or deny messages from particular network nodes and messages sent using particular protocols and services.

Area or network access filters are used to enforce the selective transmission of traffic based on network address. You can apply these on incoming or outgoing ports. Service filters use access lists applied to protocols (such as IP's UDP), applications such as the Simple Mail Transfer Protocol (SMTP), and specific protocols.

Suppose you have a network connected to the Internet, and you want any host on an Ethernet to be able to form TCP connections to any host on the Internet. However, you do not want Internet hosts to be able to form TCP connections to hosts on the Ethernet except to the SMTP port of a dedicated mail host.

Internetworking Design Basics 2-17 Identifying and Selecting Internetworking Capabilities

SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same two port numbers are used throughout the life of the connection. Mail packets coming in from the Internet will have a destination port of 25. Outbound packets will have the port numbers reversed. The fact that the secure system behind the router always accepts mail connections on port 25 is what makes it possible to separately control incoming and outgoing services. The access list can be configured on either the outbound or inbound interface.

In the following example, the Ethernet network is a Class B network with the address 128.88.0.0, and the mail host's address is 128.88.1.2. The keyword established is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.

    access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
    access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
    interface ethernet 0
    ip access-group 102

Policy-Based Distribution

Policy-based distribution is based on the premise that different departments within a common organization might have different policies regarding traffic dispersion through the organization-wide internetwork. Policy-based distribution aims to meet the differing requirements without compromising performance and information integrity.

A policy within this internetworking context is a rule or set of rules that governs end-to-end distribution of traffic to (and subsequently through) a backbone network. One department might send traffic representing three different protocols to the backbone, but might want to expedite one particular protocol's transit through the backbone because it carries mission-critical application information. To minimize already excessive internal traffic, another department might want to exclude all backbone traffic except electronic mail and one key custom application from entering its network segment.

These examples reflect policies specific to a single department. However, policies can reflect overall organizational goals. For example, an organization might want to regulate backbone traffic to a maximum of 10 percent average bandwidth during the work day and 1-minute peaks of 30 percent utilization. Another corporate policy might be to ensure that communication between two remote departments can freely occur, despite differences in technology.

Different policies frequently require different workgroup and department technologies. Therefore, support for policy-based distribution implies support for the wide range of technologies currently used to implement these policies. This in turn allows you to implement solutions that support a wide range of policies, which helps to increase organizational flexibility and application availability.

In addition to support for internetworking technologies, there must be a means both to keep separate and integrate these technologies, as appropriate. The different technologies should be able to coexist or combine intelligently, as the situation warrants.

Consider the situation depicted in Figure 2-13. Assume that a corporate policy limits unnecessary backbone traffic. One way to do this is to restrict the transmission of Service Advertisement Protocol (SAP) messages. SAP messages allow NetWare servers to advertise services to clients. The organization might have another policy stating that all NetWare services should be provided locally. If this is the case, there should be no reason for services to be advertised remotely
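To make the behaviour of access list 102 from the SMTP example above concrete, here is an added Python model (not Cisco's code) of how that list is evaluated: wildcard-mask matching, the established keyword as an ACK-or-RST flag test, first match wins, and the implicit deny at the end. The sample packets and the Internet source address 203.0.113.5 are constructed for the demonstration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

# access-list 102 from the page, one tuple per statement:
# (src, src_wildcard, dst, dst_wildcard, dst_port or None, established)
ACL_102 = [
    ("0.0.0.0", "255.255.255.255", "128.88.0.0", "0.0.255.255", None, True),
    ("0.0.0.0", "255.255.255.255", "128.88.1.2", "0.0.0.0", 25, False),
]

def evaluate(acl, pkt):
    """Walk the list top to bottom; the first matching statement decides.
    pkt: dict with src, dst, dport and flags (a set of TCP flag names)."""
    for src, src_wc, dst, dst_wc, dport, established in acl:
        if not wildcard_match(pkt["src"], src, src_wc):
            continue
        if not wildcard_match(pkt["dst"], dst, dst_wc):
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        # 'established' matches only when ACK or RST is set. It inspects
        # header flags, not connection state, so it is not a stateful check.
        if established and not (pkt["flags"] & {"ACK", "RST"}):
            continue
        return "permit"
    return "deny"  # implicit deny at the end of every access list

# Constructed inbound packets from an Internet host (TEST-NET-3 address).
SAMPLES = {
    "mail_to_mailhost":   {"src": "203.0.113.5", "dst": "128.88.1.2", "dport": 25,   "flags": {"SYN"}},
    "mail_to_other_host": {"src": "203.0.113.5", "dst": "128.88.4.7", "dport": 25,   "flags": {"SYN"}},
    "reply_to_outbound":  {"src": "203.0.113.5", "dst": "128.88.4.7", "dport": 3456, "flags": {"ACK"}},
    "new_conn_to_host":   {"src": "203.0.113.5", "dst": "128.88.4.7", "dport": 23,   "flags": {"SYN"}},
}

def classify_samples():
    """Return the verdict for every constructed sample packet."""
    return {name: evaluate(ACL_102, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:20s} {verdict}")
```

Only the SMTP connection to the dedicated mail host and replies to connections opened from inside are permitted; the model also makes visible that established is a flag test rather than connection tracking, which is why stateful inspection later replaced it for this job.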
