14-3 IPX Access Lists


  • Standard IPX access lists match against the source and destination networks and node numbers.

  • Extended IPX access lists match against protocols, source and destination networks, node numbers, and sockets. A time range can also be given to match during a specific date and time period.

  • IPX SAP filters match against the network, node, service type, and server names contained within service advertisements.

  • NLSP route aggregation access lists can be used to match against NLSP summary routes.

  • NetBIOS access lists can be used to match against NetBIOS names or data patterns (up to 16 bytes) contained within NetBIOS FindName packets.

Configuration

  1. Define a standard IPX access list.

    1. Numbered access list:

       (global)  access-list access-list-number {deny | permit} source-network[.source-node [source-node-mask]] [destination-network[.destination-node [destination-node-mask]]]

      -OR-

    2. Named access list:

       (global)  ipx access-list standard name (access-list) {deny | permit} source-network[.source-node [source-node-mask]] [destination-network[.destination-node [destination-node-mask]]]

      IPX traffic can be filtered based on the source and destination networks and node addresses. The access-list-number (800 to 899) can permit or deny the specified packets. Addresses are defined by source-network and destination-network (an eight-digit hex number, 1 to FFFFFFFE; -1 denotes all networks), source-node and destination-node (48-bit MAC addresses in dotted-triplet format), and source-node-mask and destination-node-mask (48-bit masks in dotted-triplet format; a 1 bit ignores the corresponding address bit, that is, acts as a wildcard).

  2. Define an extended IPX access list.

    1. Numbered access list:

       (global)  access-list access-list-number {deny | permit} protocol [source-network][[[.source-node] source-node-mask] | [.source-node source-network-mask.source-node-mask]] [source-socket] [destination-network][[[.destination-node] destination-node-mask] | [.destination-node destination-network-mask.destination-node-mask]] [destination-socket] [log] [time-range time-range-name]

      -OR-

    2. Named access list:

       (global)  ipx access-list extended name (access-list) {permit | deny} protocol [source-network][[[.source-node] source-node-mask] | [.source-node source-network-mask.source-node-mask]] [source-socket] [destination-network][[[.destination-node] destination-node-mask] | [.destination-node destination-network-mask.destination-node-mask]] [destination-socket] [log] [time-range time-range-name]

      IPX traffic can be filtered based on IPX protocol, source and destination networks, node, socket, and time range. The access list number (900 to 999) can permit or deny the specified packets. The protocol (name or number) can be one of -1 (any; matches any protocol), 1 (rip), 4 (sap), 5 (spx), 17 (ncp), and 20 (netbios).

      Addresses are defined by source-network and destination-network (an eight-digit hex number, 1 to FFFFFFFE; 1 denotes all networks), source-node and destination-node (48-bit MAC addresses in dotted-triplet format), and source-node-mask and destination-node-mask (48-bit masks in dotted-triplet format; a 1 bit ignores or acts like a wildcard). The source-socket and destination-socket fields define the IPX socket (name or number) being used. Common socket values are (any; matches all sockets), 2 (cping, Cisco IPX ping), 451 (ncp), 452 (sap), 453 (rip), 455 (netbios), 456 (diagnostic), 457 (Novell serialization), 4000 to 7fff (dynamic assignments), 8000 to ffff (Novell assignments), 85be (eigrp), 9001 (nlsp), and 9086 (nping, Novell IPX ping).

      A permit or deny statement in an extended IPX access list can be applied during a time range using the time-range keyword. A time range must first be defined with a time-range-name using the following commands. The time-range-name must also be applied to the extended access list.

       (global)  time-range time-range-name
       (time-range)  periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm
       (time-range)  absolute [start time date] [end time date]

      Time ranges can be specified as one or more periodic definitions. The days-of-the-week field can be daily (Monday through Sunday), weekdays (Monday through Friday), weekend (Saturday and Sunday), Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, or Sunday. The time hh:mm is given in 24-hour format. Because the match depends on the router's idea of the current time, the router should be configured with NTP or have its clock and calendar set accurately.

      Time ranges can also be specified as one absolute definition, with optional start and end times. The time is specified in hh:mm 24-hour format. The date fields must be formatted as day month year, as in 1 April 1963.

  3. Define a SAP filter.

    1. Numbered SAP filter:

       (global)  access-list access-list-number {deny | permit} network[.node] [network-mask.node-mask] [service-type [server-name]]

      -OR-

    2. Named SAP filter:

       (global)  ipx access-list sap name (access-list) {permit | deny} network[.node] [network-mask.node-mask] [service-type [server-name]]

      Service Advertising Protocol (SAP) messages can be filtered based on the network, node, IPX service type, and server name. The access list number (1000 to 1099) can permit or deny the specified advertisements. The network (1 to FFFFFFFE; 1 matches any network) refers to the network where the server is connected. The node refers to the server's node address (a 48-bit MAC address in dotted-triplet format). The network-mask.node-mask (the same format as network.node, with 1 bits that ignore or act as wildcards) can be used to specify a range of matching values.

      NOTE

      For Novell NetWare 3.11 or later, the network and node must be the internal network and node numbers used by the server (not the physical IPX network and network adapter MAC address). These numbers can be obtained from the show ipx server command.

      The service-type (a hex number; 0 matches all services) and an optional server-name (a character string; use double quotes to enclose embedded spaces and use an asterisk to wildcard part of the name) identify the specific advertisement from the server. Acceptable service-type values are listed in Appendix J, "Well-Known IPX SAP Type Codes."

  4. Define an NLSP route aggregation access list.

    1. Numbered access list:

       (global)  access-list access-list-number {deny | permit} network network-mask [ticks ticks] [area-count area-count]

      -OR-

    2. Named access list:

       (global)  ipx access-list summary name (access-list) {permit | deny} network network-mask [ticks ticks] [area-count area-count]

      NLSP area summary routes can be filtered based on the network number, the number of ticks, and the number of NLSP areas. The access list number (1200 to 1299) can permit or deny the redistribution of specified routes. The network (1 to FFFFFFFE; 1 matches all networks) specifies a network number to summarize. The network-mask (use Fs and 0s, where an F matches a network number digit and a 0 matches anything) is used to show the portion of the network address that is common to all networks in the summary route.

      The metric for the summarized route is given as ticks (the default is 1). The summary route can be advertised to a maximum of area-count (the default is six areas) NLSP areas.

  5. Define a NetBIOS access list.

    1. Filter by node name:

       (global)  netbios access-list host name {deny | permit} string

      NetBIOS names can be filtered with a NetBIOS host access list named name (a text string). The access list will permit or deny NetBIOS names matching the string (up to 14 characters; use ? to match any single character and * to match the rest of the string). NetBIOS names are case-sensitive, and the filter applies only to IPX NetBIOS FindName packets.

    2. Filter by byte pattern:

       (global)  netbios access-list bytes name {deny | permit} offset byte-pattern

      Byte patterns within an IPX NetBIOS FindName packet can be filtered with a NetBIOS byte access list named name (text string). The access list will permit or deny NetBIOS packets that have a matching byte-pattern (a hex string up to 32 hex digits or 16 bytes; use ** to match any contents of one byte) located at offset (the number of bytes into the packet; 0 is the beginning of the NetBIOS packet header).

Examples

Standard IPX access list 830 keeps traffic from any address from reaching the destination network 55ad. In addition, all traffic from MAC address 0101.0202.0303 on IPX network 55ad is denied to the IPX network 6001. Finally, all other traffic from any network to any network is permitted.

  access-list 830 deny -1 55ad
  access-list 830 deny 55ad.0101.0202.0303 6001
  access-list 830 permit -1 -1
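As an added illustration (not code from the Cisco Field Manual), this Python evaluator applies the standard IPX access list semantics from step 1 to access list 830 above: the -1 network wildcard, dotted-triplet node addresses, node masks whose 1 bits are ignored, first-match ordering, and the implicit deny when no entry matches. Field names follow the syntax; telling a node mask (two dots) from a network.node token (three dots) by dot count is an assumption of this parser, not something the book states.

```python
import re
TRIPLET = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")

def parse_network(tok):
    """Network number: up to eight hex digits, or -1 meaning all networks."""
    return -1 if tok == "-1" else int(tok, 16)

def parse_node(tok):
    """48-bit node address or node mask in dotted-triplet format -> int."""
    if not TRIPLET.match(tok):
        raise ValueError("bad dotted-triplet value: " + tok)
    return int(tok.replace(".", ""), 16)

def parse_address(rest):
    """Consume 'network[.node [node-mask]]' from the token list -> (net, node, mask)."""
    tok = rest.pop(0)
    if tok.count(".") == 3:  # assumption: three dots = network.node, two dots = mask
        net, node = tok.split(".", 1)
        mask = parse_node(rest.pop(0)) if rest and rest[0].count(".") == 2 else 0
        return parse_network(net), parse_node(node), mask
    return parse_network(tok), None, 0

def parse_entry(line):
    """access-list <800-899> {deny|permit} source-address [destination-address]"""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or not 800 <= int(tok[1]) <= 899 or tok[2] not in ("deny", "permit"):
        raise ValueError("not a standard IPX access list entry: " + line)
    rest = tok[3:]
    src = parse_address(rest)
    dst = parse_address(rest) if rest else (-1, None, 0)  # omitted destination = any
    return int(tok[1]), tok[2], src, dst

def address_matches(spec, network, node):
    """Network -1 matches any network; a 1 bit in the node mask ignores that bit."""
    net, spec_node, mask = spec
    if net != -1 and net != network:
        return False
    return spec_node is None or (spec_node | mask) == (node | mask)

def evaluate(acl, src_net, src_node, dst_net, dst_node):
    """Entries are tested in order; first match wins, no match is the implicit deny."""
    for _, action, src, dst in acl:
        if address_matches(src, src_net, src_node) and address_matches(dst, dst_net, dst_node):
            return action
    return "deny"

# Access list 830 from the Examples section of this page, parsed entry by entry.
ACL_830 = [parse_entry(l) for l in (
    "access-list 830 deny -1 55ad", "access-list 830 deny 55ad.0101.0202.0303 6001",
    "access-list 830 permit -1 -1")]
```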

Extended IPX access list 901 denies all SAP traffic from network 55ad to anywhere else. All other SAP traffic is then permitted. Finally, SPX traffic from network 55ad to network 6001 is permitted.

  access-list 901 deny -1 55ad sap -1
  access-list 901 permit -1 -1 sap -1
  access-list 901 permit spx 55ad 6001

IPX SAP filter access list 1001 permits only a file-server service type (4) to be advertised from servers named RADIOLOGY* on the IPX network 4550410A. Because these servers run Novell NetWare 4.1, network 4550410A is the internal network number.

  access-list 1001 permit 4550410A 4 RADIOLOGY*

The IPX NetBIOS host filter named DenyStrange is used to filter out odd or unregistered server names. The NetBIOS name HowdyDoody is denied, along with all names beginning with Bogus. All other names are permitted.

  netbios access-list host DenyStrange deny HowdyDoody
  netbios access-list host DenyStrange deny Bogus*
  netbios access-list host DenyStrange permit *
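As an added example (not from the book), this Python model covers both NetBIOS filter types from step 5: the host-name matcher with the ? and * wildcards, run over the DenyStrange list above, and the byte-pattern check with ** wildcards at an offset into a constructed packet. The implicit deny at the end of the list and the constructed packet bytes are assumptions of the example.

```python
def netbios_name_matches(pattern, name):
    """'?' matches any single character; '*' matches the rest of the name.
    Names are compared case-sensitively, as the host filter on the page does."""
    if len(name) > 14:
        raise ValueError("NetBIOS name longer than 14 characters: " + name)
    i = 0
    for p in pattern:
        if p == "*":
            return True
        if i >= len(name) or (p != "?" and p != name[i]):
            return False
        i += 1
    return i == len(name)  # pattern without '*' must consume the whole name

def parse_host_entry(line):
    """netbios access-list host <name> {deny|permit} <string> -> (name, action, pattern)"""
    tok = line.split()
    if tok[:3] != ["netbios", "access-list", "host"] or len(tok) != 6 or tok[4] not in ("deny", "permit"):
        raise ValueError("not a NetBIOS host access list entry: " + line)
    return tok[3], tok[4], tok[5]

def evaluate_host_list(entries, name):
    """First matching entry wins; no match is treated as the implicit deny (assumed)."""
    for _, action, pattern in entries:
        if netbios_name_matches(pattern, name):
            return action
    return "deny"

def bytes_pattern_matches(offset, hex_pattern, packet):
    """Byte filter: up to 16 bytes (32 hex digits) compared at 'offset' into the
    NetBIOS packet; '**' matches any contents of one byte."""
    if len(hex_pattern) % 2 or len(hex_pattern) > 32:
        raise ValueError("pattern must be an even number of hex digits, at most 32")
    pairs = [hex_pattern[i:i + 2] for i in range(0, len(hex_pattern), 2)]
    if offset + len(pairs) > len(packet):
        return False  # pattern would run past the end of the packet
    return all(p == "**" or int(p, 16) == packet[offset + k] for k, p in enumerate(pairs))

# The DenyStrange host filter from the Examples section of this page.
DENY_STRANGE = [parse_host_entry(l) for l in (
    "netbios access-list host DenyStrange deny HowdyDoody",
    "netbios access-list host DenyStrange deny Bogus*",
    "netbios access-list host DenyStrange permit *")]

# Constructed sample packet (not a real capture) for the byte-pattern check.
SAMPLE_PACKET = bytes([0x00, 0x00, 0xAB, 0x77, 0xCD, 0x00])
```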


Cisco Field Manual[c] Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185
