The IPX packet filtering facilities of the Cisco IOS software enable a network administrator to restrict access to certain systems, network segments, ranges of addresses, and services based on a variety of criteria. Like SAP filtering, IPX filtering is accomplished with access lists. SAP filters apply access lists to SAP messages sent or received. IPX packet filtering uses access lists to permit or deny routed IPX traffic on an interface basis.
Defining Access Lists
Standard IPX access lists, numbered 800 through 899, restrict packet flow based on source and destination IPX addresses (network and, optionally, node). A range of addresses can be specified with wildcard (don't-care) masks, and the network value -1 matches any network.
Extended IPX access lists, numbered 900 through 999, provide the same address filtering as standard IPX access lists. In addition, they can filter on the NetWare protocol (packet type), such as RIP, SAP, and SPX, and on IPX socket numbers. IPX sockets identify upper-layer NetWare application services, so an extended list can single out one service on a server rather than the whole server. You can log access list activity with the keyword log. We explore logging in more detail in Chapter 7, "Basic Administrative and Management Issues."
In the following example on the ZIP SF-2 router, we configure a standard IPX access list that permits packets from source IPX network 10 to reach destination IPX network 200. As with IP access lists, every IPX access list ends with an implicit deny, so once this list is applied to an interface, any packet that does not match the single permit entry is dropped:
SF-2# configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CTRL+Z.
SF-2(config)# access-list 800 permit 10 200
SF-2(config)# ^Z
Just as with IP access lists, you can assign names to IPX access lists. IOS support for named IPX access lists means that you can identify an access list by an arbitrary string of characters rather than by a number. The command for creating a named IPX access list is the IOS global configuration command ipx access-list, which takes the list type (standard, extended, or sap) followed by the name and then places you in a subconfiguration mode where you enter the permit and deny entries. In the following example, we recreate the preceding numbered IPX access list under the name pass-marketing on the ZIP network's SF-2 router:
SF-2# configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CTRL+Z.
SF-2(config)# ipx access-list standard pass-marketing
SF-2(config-ipx-std-nacl)# permit 10 200
SF-2(config-ipx-std-nacl)# ^Z
Applying Access Lists
After the filtering criteria of an IPX access list are defined, you must apply the list to one or more interfaces so that packets are actually filtered; a list that is defined but not applied has no effect. The access list can be applied in either the inbound or the outbound direction on an interface. In the inbound direction, packets are checked as they come into the router from the interface, before they are routed. In the outbound direction, packets are checked as they leave the router onto the interface. The access list is applied with the IOS interface configuration subcommand ipx access-group. The command takes the keyword in or out as a parameter; if no keyword is supplied, the default is out. The following example applies the standard access list 800, defined in the previous section, in the outbound direction on the FDDI 0 interface of the ZIP SF-1 router:
SF-1# configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CTRL+Z.
SF-1(config)# interface fddi 0
SF-1(config-if)# ipx access-group 800 out
SF-1(config-if)# ^Z
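The following session is an added example, not part of the ZIP configuration in this chapter. It ties together the extended-list fields described under "Defining Access Lists" (protocol, source and destination socket, and the log keyword) with the inbound application described above. The list number 910, the policy it enforces, and the choice of the FDDI 0 interface are assumptions for illustration. Socket numbers in IOS IPX access lists are given in hexadecimal, so 451 below is the NetWare NCP (file service) socket; -1 matches any protocol or any network, and a socket of 0 matches all sockets.

```cisco
SF-1# configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CTRL+Z.
! Entry 1: any protocol from network 10 may reach the NCP socket (451, hex)
!          on network 200.
! Entry 2: any other packet from network 10 to any socket on network 200 is
!          dropped and logged, so attempts to reach other services show up.
! Entry 3: everything else is permitted explicitly; without it the implicit
!          deny at the end of the list would drop all remaining IPX traffic,
!          including packets that have nothing to do with network 200.
SF-1(config)# access-list 910 permit -1 10 0 200 451
SF-1(config)# access-list 910 deny -1 10 0 200 0 log
SF-1(config)# access-list 910 permit -1 -1 0 -1 0
SF-1(config)# interface fddi 0
! Apply inbound: packets arriving from the FDDI segment are checked before
! the router forwards them, so the filtering happens as close to the source
! as this router can get.
SF-1(config-if)# ipx access-group 910 in
SF-1(config-if)# ^Z
```

Because entries are evaluated in order and the first match wins, the permit for socket 451 must precede the deny for all sockets on network 200; reversing them would block the file service as well. After applying the list, show ipx interface fddi 0 should report it as the incoming access list, and show ipx access-lists 910 shows the entries in the order they are evaluated.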
You can view the behavior of access lists and verify that they have been configured properly by using the IOS EXEC commands show access-lists and show ipx access-lists . The former command shows all access lists defined on the router, while the latter shows only IPX access lists defined on the router. Each command can take as a parameter an access list number and display only the contents of that list. If no parameter is supplied, all lists are displayed. Following is the output of the show ipx access-lists command on the ZIP SF-1 router for the previous access list examples:
SF-1# show ipx access-lists
IPX standard access list 800
    permit 10 200
IPX standard access list pass-marketing
    permit 10 200
The IOS EXEC command show ipx interface shows whether IPX access lists are set on an interface. In the eighth line of the following output on the SF-1 router, you can see IPX standard access list 800 applied to outgoing IPX packets:
SF-1# show ipx interface fddi 0
Fddi0 is up, line protocol is up
  IPX address is 10.0000.0c0c.11bb, SNAP [up]
  Delay of this IPX network, in ticks is 1 throughput 0 link delay 0
  IPXWAN processing not enabled on this interface.
  IPX SAP update interval is 60 seconds
  IPX type 20 propagation packet forwarding is disabled
  Incoming access list is not set
  Outgoing access list is 800
  IPX helper access list is not set
  SAP GNS processing enabled, delay 0 ms, output filter list is not set
  SAP Input filter list is not set
  SAP Output filter list is not set
  SAP Router filter list is not set
  Input filter list is not set
  Output filter list is not set
  Router filter list is not set
  Netbios Input host access list is not set
  Netbios Input bytes access list is not set
  Netbios Output host access list is not set
  Netbios Output bytes access list is not set
  Updates each 60 seconds, aging multiples RIP: 3 SAP: 3
  SAP interpacket delay is 55 ms, maximum size is 480 bytes
  RIP interpacket delay is 55 ms, maximum size is 432 bytes
  IPX accounting is disabled
  IPX fast switching is configured (enabled)
  RIP packets received 54353, RIP packets sent 214343
  SAP packets received 94554422, SAP packets sent 93492324