IBM SC30-3865-04 Managing Traffic Using Access Control

vRouter NCP does not include the clear or purge commands, nor do the set

commands have an all argument. The permanent database is always copied to

the volatile database when the router starts, restarts, or boots.

vA router NCP command can have only one argument.

vNCP does not have the concept of lines. Tosee the data that a DECnet-VAX

NCP show line command displays, use the GWCON interface and network

commands.

vRouter NCP does not support cross-network commands:

– Router NCP does not include the tell command, which requests NCP

commands on other nodes.

– Similarly, router NCPdoes not support protocol requests from other DNA

routers to execute NCP commands at the router on their behalf.

Important

Before conﬁguring DNA IV,you need to be aware of the optional security

features discussed in:

v“Managing TrafficUsing Access Control”

– Provides additional security by limiting access within routers in the

network.

v“Managing TrafficUsing Area Routing Filters” on page 256

– Limits access to group of areas from other areas

– Allows blending of two DECnet address spaces

If you already are familiar with these topics, skip these two sections and begin

reading at “Conﬁguring DNA IV”on page 261.

Managing Traffic Using Access Control

Access control protects one group of nodes from other nodes on the network.

Routers make all nodes on a network accessible to each other. Usually,the main

forms of security are passwords and conservative use of DNA IV proxy access at

the host level.

However, due to differences in the security level of machines, you might need to

provide additional security by limiting access within the routers in the network. The

DNA forwarder enables you to do this using access controls.

Generally, access controls are not recommended due to the following liabilities:

vAccess controls affect performance of the router because every packet is tested.

The more complicated the access control conﬁguration, the greater the

performance impact.

vAccess controls are difficult to conﬁgure and errors in conﬁguration are difficult to

diagnose.

vAccess controls cannot hide a node from the routing protocols. The node

remains visible from all routers in its area.

Note: Access controls do not guarantee security; they only make intrusion more

difficult. The DNAIV routing protocols used on Ethernet and other

broadcast media do not have built-in security features.

Using DNA IV

Chapter7. Using DNA IV 253