SAP Filters


The Cisco IOS permits a network administrator to filter which SAP services a device advertises from, and accepts into, its SAP table. SAP filters are commonly used on an internetwork to limit the amount of SAP traffic sent and received by a router.

Many IPX networks use SAP filters to reduce the number of SAP messages sent over WAN interfaces, thereby reducing traffic load. Filtering received SAP advertisements can reduce the number of IPX services a router holds in RAM and can provide limited network security: the IOS device does not provide SAP table entries for services that are meant to remain somewhat hidden on the IPX network. For more information on filtering IPX packets, see the section "Configuring IPX Filtering via Access Lists" later in this chapter.

You can use the global configuration command access-list to build SAP filters based on IPX addresses or the SAP service type. SAP filters use access-list numbers 1000 through 1099. Like IP and AppleTalk access lists, these access lists allow the use of wildcard (don't-care) masks. This capability enables a single IOS global configuration access-list command to represent multiple IPX addresses.

In the following example on ZIP's San-Jose router, we make a SAP filter to permit only SAP services advertised by the single NetWare server 10.0000.0000.a0b0:

    San-Jose# configure
    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line.  End with CTRL+Z.
    San-Jose(config)# access-list 1000 permit 10.0000.0000.a0b0
    San-Jose(config)# access-list 1000 deny -1
    San-Jose(config)# ^Z

Note

When building SAP filters (and IPX access lists for packet filters, as discussed later in this chapter), the IPX network number -1 denotes all IPX networks. Thus, in the preceding example, the second line of access list 1000 denies all SAPs. Like access lists in IP, a final deny line is implicit in IPX access lists. The explicit configuration is shown here only to illustrate the use of the -1 IPX network number.


After configuring a SAP filter, you must apply it to a given interface on the IOS device. You can filter on SAP messages received or sent by the device on an interface basis using the ipx input-sap-filter and ipx output-sap-filter interface configuration subcommands. We apply a SAP filter using access list 1000 to all output SAP advertisements on interface Serial 0 of the San-Jose router:

    San-Jose# configure
    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line.  End with CTRL+Z.
    San-Jose(config)# interface serial 0
    San-Jose(config-if)# ipx output-sap-filter 1000
    San-Jose(config-if)# ^Z

As another example, you may want to build a SAP filter that permits, from all servers, only file and print services to be advertised over a WAN interface. In the following example, we build a SAP filter to allow only file service (SAP type 4) and print service (SAP type 7) from all servers. We apply this filter to the SAP output advertisements on interface Serial 0 of the San-Jose router on the ZIP network:

    San-Jose# configure
    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line.  End with CTRL+Z.
    San-Jose(config)# access-list 1005 permit -1 4
    San-Jose(config)# access-list 1005 permit -1 7
    San-Jose(config)# interface serial 0
    San-Jose(config-if)# ipx output-sap-filter 1005
    San-Jose(config-if)# ^Z
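To make the matching rules in the Note and in the two examples above concrete, here is an added Python model (not from the book or from Cisco) of how an IPX SAP access list in the 1000-1099 range is evaluated against SAP advertisements: the first matching line decides, network -1 matches every network, a trailing service type restricts the line to that SAP type, and no match means the implicit deny. The sample SAP entries and the mask-free syntax are assumptions of this model; IOS also accepts network/node masks and server names, which are deliberately left out.

```python
# Added example: a model of Cisco IOS IPX SAP access-list evaluation
# (access-list 1000-1099). Not the IOS implementation; masks omitted.
import re

LINE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\d+))?\s*$")

def parse_access_list(config_text):
    """Return {list_number: [(action, network, node_or_None, type_or_None)]}."""
    lists = {}
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # skip blank / non access-list lines
        number, action, address, svc_type = m.groups()
        number = int(number)
        if not 1000 <= number <= 1099:
            raise ValueError(f"{number} is not a SAP filter list (1000-1099)")
        network, _, node = address.partition(".")   # "10.0000.0000.a0b0" or "-1"
        lists.setdefault(number, []).append(
            (action, network.lower(), node.lower() or None,
             int(svc_type) if svc_type else None))
    return lists

def sap_permitted(entries, network, node, svc_type):
    """First matching line wins; falling off the end is the implicit deny."""
    for action, ln_net, ln_node, ln_type in entries:
        if ln_net != "-1" and ln_net != network.lower():
            continue                      # -1 denotes all IPX networks
        if ln_node is not None and ln_node != node.lower():
            continue
        # An omitted service type (IOS also uses 0) matches every SAP type.
        if ln_type not in (None, 0) and ln_type != svc_type:
            continue
        return action == "permit"
    return False

def filter_saps(config_text, list_number, saps):
    """Apply one SAP filter to (network, node, type, name) tuples."""
    entries = parse_access_list(config_text).get(list_number, [])
    return [s for s in saps if sap_permitted(entries, s[0], s[1], s[2])]

# Constructed sample: the two access lists shown above, plus made-up SAPs.
CONFIG = """
access-list 1000 permit 10.0000.0000.a0b0
access-list 1000 deny -1
access-list 1005 permit -1 4
access-list 1005 permit -1 7
"""
SAPS = [("10", "0000.0000.a0b0", 4, "FS1"),   # file service, permitted server
        ("10", "0000.0000.a0b0", 7, "PS1"),   # print service, permitted server
        ("20", "0000.0000.c0d0", 4, "FS2"),   # file service, another server
        ("20", "0000.0000.c0d0", 278, "DS2")] # constructed non-file/print type
```

Running filter_saps(CONFIG, 1000, SAPS) keeps only the two SAPs from server 10.0000.0000.a0b0, while list 1005 keeps every type 4 and type 7 advertisement regardless of server.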

Another type of SAP filter permits or denies NetWare services based on the IPX address of a router. One application of this type of SAP filter is to hide all services originating from a given router. The IOS interface configuration command ipx router-sap-filter applies a router SAP filter to a given interface. In the following example, we apply a router SAP filter to interface FDDI 0/0 of the ZIP network's SF-Core-1 router to hide all NetWare services from an engineering server:

    SF-Core-1# configure
    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line.  End with CTRL+Z.
    SF-Core-1(config)# access-list 1001 permit aa.0207.0104.0874
    SF-Core-1(config)# interface fddi 0/0
    SF-Core-1(config-if)# ipx router-sap-filter 1001
    SF-Core-1(config-if)# ^Z

The Cisco IOS enables you to filter, on a per-interface basis, which SAP table services are eligible as responses to GNS queries sent by NetWare clients. Using a GNS filter on the output of an interface is useful for preventing clients from ever identifying specific servers as the nearest server, or for forcing all GNS queries to be handled by a specific server. In the following example on the SF-Core-1 router, we specify an IPX access list that permits a single NetWare server to be used as an answer to GNS queries. We apply this access list as an output GNS filter to the FDDI 0/0 interface of the SF-Core-1 router using the IOS interface configuration subcommand ipx output-gns-filter:

    SF-Core-1# configure
    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line.  End with CTRL+Z.
    SF-Core-1(config)# access-list 1010 permit aa.0207.0104.0874
    SF-Core-1(config)# interface fddi 0/0
    SF-Core-1(config-if)# ipx output-gns-filter 1010
    SF-Core-1(config-if)# ^Z


Cisco Router Configuration (2nd Edition)
ISBN: 1578702410
Year: 1999
Pages: 116
