
IPX Access Lists

 

IPX access lists are configured the same way as any other list. You use the access-list command to create your access list of packet tests and then apply the list to an interface with the access-group command. I will discuss the following IPX access lists:

 

IPX standard These access lists filter on IPX source and destination host or network number. They use the access-list numbers 800–899. IPX standard access lists are similar to IP standard access lists, except that IP standards only filter on source IP addresses, whereas IPX standards filter on source and destination IPX addresses.

 

IPX extended These access lists filter on IPX source and destination host or network number, IPX protocol field in the Network layer header, and socket number in the Transport layer header. They use the access list numbers 900–999.

 

IPX SAP filter These filters are used to control SAP traffic on LANs and WANs. IPX SAP filters use the access list numbers 1000–1099. Network administrators can set up IPX access lists to control the amount of IPX traffic, including IPX SAPs, crossing low-speed WAN links.

 

Standard IPX Access Lists

Standard IPX access lists use the source or destination IPX host or network address to filter the network. This is configured much the same way IP standard access lists are. The syntax for an IPX standard access list entry is:

access-list {800-899} {permit/deny} {source_address} {destination_address}

Wildcards can be used for the source and destination IPX addresses; however, the IPX wildcard is –1, which matches any host and any network.

 

 

In the picture Interface Ethernet 0 is on Network 40; interface Ethernet 1 is on Network 10; interface Ethernet 2 is on Network 20; interface Ethernet 3 is on Network 30.

 

The access list is configured and applied as shown. This IPX access list permits packets generated from IPX Network 20 out interface Ethernet 0 to Network 40.

Router(config)#access-list 810 permit 20 40

Router(config)#int e0

Router(config-if)#ipx access-group 810 out

 

Think about what this configuration accomplishes. First and most obvious, any IPX devices on IPX Network 20 off interface Ethernet 2 can communicate with the server on Network 40, which is connected to interface Ethernet 0. However, notice what else this configuration accomplishes with only one line (remember that there is an implicit deny all at the end of the list):

_ Hosts on Network 10 cannot communicate to the server on Network 40.

_ Hosts on Network 40 can get to Network 10, but the packets cannot get back.

_ Hosts on Network 30 can communicate to Network 10, and Network 10 can communicate to Network 30.

_ Hosts on Network 30 cannot communicate to the server on Network 40.

_ Hosts on Network 40 can get to hosts on Network 30, but the packets can’t come back from Network 30 in response.

_ Hosts on Network 20 can communicate to all devices in the internetwork.

 

Extended IPX Access Lists

 

Extended IPX access lists can filter based on any of the following:

_ Source network/node

_ Destination network/node

_ IPX protocol (SAP, SPX, etc.)

_ IPX socket

These are access lists in the range of 900–999 and are configured just like standard access lists, with the addition of protocol and socket information.

 

Let’s take a look at a template for building lines in an IPX extended access list.

access-list {number} {permit/deny} {protocol} {source} {socket} {destination} {socket}

Again, when you move from standard to extended access lists, you’re simply adding the ability to filter based on protocol and socket (the IPX equivalent of a port in IP).
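To make the standard-list behaviour listed above and the extra matching an extended list adds concrete, here is an added example (not code from the original page or from Cisco IOS). It models the four-interface topology from the Standard IPX Access Lists section (e0 = Network 40, e1 = Network 10, e2 = Network 20, e3 = Network 30) with list 810 applied outbound on e0, evaluates the list top-down with the implicit deny, and then reuses the same matcher for a hypothetical extended list 910 that also tests protocol and socket. Network numbers, interface names and list 810 come from the page; the class and function names, list 910, and the socket and protocol values in the sample packets are this example's own assumptions.

```python
"""Evaluator for standard (800-899) and extended (900-999) IPX access lists.

Added example, not from the original page or from IOS. Interface/network
assignments and list 810 follow the text above; everything else is assumed.
"""

ANY = -1  # the IPX wildcard; IOS stores and displays it as FFFFFFFF


def field_matches(acl_value, packet_value):
    """-1 (or FFFFFFFF) matches anything; otherwise the values must be equal."""
    return acl_value in (ANY, 0xFFFFFFFF) or acl_value == packet_value


def entry_matches(entry, pkt):
    """A standard entry only carries src/dst networks; an extended entry also
    carries protocol and sockets. Fields absent from the entry are not tested."""
    for key in ("protocol", "src", "src_socket", "dst", "dst_socket"):
        if entry.get(key) is not None and not field_matches(entry[key], pkt[key]):
            return False
    return True


def evaluate(acl, pkt):
    """Top-down, first match wins; no match at all is the implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry["action"] == "permit"
    return False


def packet(src, dst, protocol=0, src_socket=0, dst_socket=0):
    """Constructed packet header with just the fields the lists look at."""
    return {"src": src, "dst": dst, "protocol": protocol,
            "src_socket": src_socket, "dst_socket": dst_socket}


class IpxRouter:
    """Just enough of a router to show where an outbound list is consulted."""

    def __init__(self, net_by_interface):
        self.interface_for_net = {n: i for i, n in net_by_interface.items()}
        self.out_lists = {}  # interface -> list, i.e. "ipx access-group N out"

    def apply_out(self, interface, acl):
        self.out_lists[interface] = acl

    def forwards(self, pkt):
        """Outbound lists are checked on the egress interface only."""
        egress = self.interface_for_net[pkt["dst"]]
        acl = self.out_lists.get(egress)
        return True if acl is None else evaluate(acl, pkt)

    def can_talk(self, a, b):
        """A conversation needs both directions to pass."""
        return self.forwards(packet(a, b)) and self.forwards(packet(b, a))


# access-list 810 permit 20 40  (standard: source net 20, destination net 40)
ACL_810 = [{"action": "permit", "src": 20, "dst": 40}]


def build_router():
    """The topology from the text, with list 810 applied outbound on e0."""
    r = IpxRouter({"e0": 40, "e1": 10, "e2": 20, "e3": 30})
    r.apply_out("e0", ACL_810)  # Router(config-if)#ipx access-group 810 out
    return r


# Hypothetical extended list (900-999 range) in this example's own dictionary
# form: permit any protocol from net 20 to net 40 only when the destination
# socket is 0x451 (NCP); everything else falls through to the implicit deny.
ACL_910 = [{"action": "permit", "protocol": ANY, "src": 20, "src_socket": ANY,
            "dst": 40, "dst_socket": 0x451}]


if __name__ == "__main__":
    r = build_router()
    for a in (10, 20, 30, 40):
        for b in (10, 20, 30, 40):
            if a != b:
                print(f"net {a} -> net {b}: {'pass' if r.forwards(packet(a, b)) else 'dropped'}")
```

Running the block prints the one-way reachability table; note that 40 to 10 passes (no list on e1) while 10 to 40 is dropped by the implicit deny on e0, which is exactly the "can get there but packets cannot get back" effect the bullets describe.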

 

IPX SAP Filters

 

IPX SAP filters are implemented using the same tools we’ve been discussing all along in this chapter. They have an important place in controlling IPX SAP traffic. Why is this important? Because if you can control the SAPs, you can control the access to IPX devices. IPX SAP filters use access lists in the 1000–1099 range. IPX SAP filters should be placed as close as possible to the source of the SAP broadcasts; this stops unwanted SAP traffic from crossing a network only to be discarded at the far end.

 

Two types of access list filters control SAP traffic:

 

IPX input SAP filter This is used to stop certain SAP entries from entering a router and updating the SAP table.

IPX output SAP filter This stops certain SAP updates from being sent in the regular 60-second SAP updates.

 

Here’s the template for each line of an IPX SAP filter:

access-list {number}{permit/deny}{source}{service type}

Here is an example of an IPX SAP filter that allows service type 4 (file services) from a NetWare service named Sales.

Router(config)#access-list 1010 permit ?

-1 Any IPX net

<0-FFFFFFFF>Source net

N.H.H.H Source net.host address

Router(config)#access-list 1010 permit -1 ?

<0-FFFF>Service type-code (0 matches all services)

N.H.H.H Source net.host mask

<cr>

Router(config)#access-list 1010 permit -1 4 ?

WORD A SAP server name

<cr>

Router(config)#access-list 1010 permit -1 4 Sales

The –1 in the access list is a wildcard that says any node, any network. After the list is created, apply it to an interface with either of the two following commands:

RouterA(config-if)#ipx input-sap-filter 1010

RouterA(config-if)#ipx output-sap-filter 1010

The input-sap-filter is used to stop SAP entries from being added to the SAP table on the router, and the output-sap-filter is used to stop SAP entries from being propagated out of the router.
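The following is an added example (not from the original page or from IOS) of how an input SAP filter decides which entries may enter the SAP table. It implements the matching rules the CLI help above spells out (source net –1 matches any network, service type code 0 matches all services, the server name is optional) with the implicit deny, runs list 1010 `permit -1 4 Sales` over a small constructed SAP update, and renders an entry the way `show ipx access-list` displays it, with the –1 shown as FFFFFFFF. The SAP update contents and the function names are this example's own assumptions.

```python
"""Input SAP filter evaluation for an IPX SAP access list (1000-1099).

Added example, not from the original page or from IOS. List 1010 matches the
text above; the SAP update is constructed for the example.
"""

ANY_NET = -1  # IPX wildcard; displayed by IOS as FFFFFFFF
ALL_SERVICES = 0  # service type code 0 matches all services (per the CLI help)


def sap_entry_matches(spec, sap):
    """spec = (source_net, service_type, server_name_or_None)."""
    net, type_code, name = spec
    if net not in (ANY_NET, 0xFFFFFFFF) and net != sap["net"]:
        return False
    if type_code != ALL_SERVICES and type_code != sap["type"]:
        return False
    if name is not None and name != sap["name"]:
        return False
    return True


def filter_sap_update(acl, sap_update):
    """Return the entries an input SAP filter lets into the SAP table.
    Entries are tested top-down; no match means the implicit deny."""
    accepted = []
    for sap in sap_update:
        verdict = False
        for action, *spec in acl:
            if sap_entry_matches(spec, sap):
                verdict = action == "permit"
                break
        if verdict:
            accepted.append(sap)
    return accepted


def render_entry(entry):
    """Render an entry as show ipx access-list prints it (-1 -> FFFFFFFF)."""
    action, net, type_code, name = entry
    net_text = "FFFFFFFF" if net == ANY_NET else format(net, "X")
    parts = [action, net_text, str(type_code)]
    if name is not None:
        parts.append(name)
    return " ".join(parts)


# access-list 1010 permit -1 4 Sales
ACL_1010 = [("permit", ANY_NET, 4, "Sales")]

# Constructed SAP update; not captured from a real network.
SAMPLE_SAP_UPDATE = [
    {"net": 0x20, "type": 4, "name": "Sales"},       # file server, matches
    {"net": 0x20, "type": 4, "name": "Accounting"},  # wrong name, implicit deny
    {"net": 0x30, "type": 7, "name": "Sales"},       # right name, wrong type
    {"net": 0x40, "type": 4, "name": "Sales"},       # other net, -1 still matches
]


def accepted_services(acl=ACL_1010, update=SAMPLE_SAP_UPDATE):
    """(net, type, name) tuples that survive the filter."""
    return [(s["net"], s["type"], s["name"]) for s in filter_sap_update(acl, update)]


if __name__ == "__main__":
    print("IPX SAP access list 1010")
    for entry in ACL_1010:
        print(" ", render_entry(entry))
    print("accepted:", accepted_services())
```

The same function serves as the output filter if you run it over the router's SAP table instead of over an arriving update: the list syntax and the matching are identical, only the point at which it is consulted differs.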

 

Verifying IPX Access Lists

 

To verify the IPX access lists and their placement on a router, use the commands show ipx interface and show ipx access-list. Notice in the output of the show ipx interface command that the IPX address is shown, the outgoing access list is set with list 810, and the SAP input filter is 1010.

Router#sh ipx int

Ethernet0 is up,line protocol is up

IPX address is 10.0060.7015.63d6,NOVELL-ETHER [up ]

Delay of this IPX network,in ticks is 1 throughput 0 link delay 0

IPXWAN processing not enabled on this interface.

IPX SAP update interval is 1 minute(s)

IPX type 20 propagation packet forwarding is disabled

Incoming access list is not set

Outgoing access list is 810

IPX helper access list is not set

SAP GNS processing enabled,delay 0 ms,output filter list is not set

SAP Input filter list is 1010

SAP Output filter list is not set

SAP Router filter list is not set

Input filter list is not set

Output filter list is not set

Router filter list is not set

Netbios Input host access list is not set

Netbios Input bytes access list is not set

Netbios Output host access list is not set

Netbios Output bytes access list is not set

Updates each 60 seconds,aging multiples RIP:3 SAP:3

SAP interpacket delay is 55 ms,maximum size is 480 bytes

RIP interpacket delay is 55 ms,maximum size is 432 bytes

 

--More--

The show ipx access-list shows the two IPX lists set on the router.

Router#sh ipx access-list

IPX access list 810

permit FFFFFFFF 30

IPX SAP access list 1010

permit FFFFFFFF 4 Sales

Router#

The Fs are hexadecimal and are the same as all 1s, or permit any. Since you used the –1 in the IPX commands, the running-config shows them as all Fs.

