Configuring IPX Filtering via Access Lists

The IPX packet filtering facilities of the Cisco IOS software enable a network administrator to restrict access to certain systems, network segments, ranges of addresses, and services based on a variety of criteria. Like SAP filtering, IPX filtering is accomplished with access lists. SAP filters apply access lists to SAP messages sent or received. IPX packet filtering uses access lists to permit or deny routed IPX traffic on an interface basis.

Defining Access Lists

Standard IPX access lists, which are numbered 800 through 899, allow for restricting packet flow based on source IPX addresses and destination IPX addresses. A range of addresses can be specified using wildcards or don't care masks.

Extended IPX access lists, numbered 900 to 999, provide the same filtering capabilities as standard IPX access lists. In addition, they allow filtering on the basis of NetWare protocols (such as RIP, SAP, and SPX) and IPX socket numbers. IPX sockets identify upper-layer NetWare application services. You can log access list activity with the keyword log. We explore logging in more detail in Chapter 7, "Basic Administrative and Management Issues."

In the following example on the ZIP SF-2 router, we configure a standard IPX access list to permit packets from source IPX network 10 to reach destination IPX network 200:

    SF-2# configure
    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line.  End with CTRL+Z.
    SF-2(config)# access-list 800 permit 10 200
    SF-2(config)# ^Z

Just as with IP access lists, you can assign names to IPX access lists. IOS support for named IPX access lists means that you can identify an access list by an arbitrary string of characters rather than by a number. A named IPX access list is created with the IOS global configuration command ipx access-list, and you can create standard, extended, or SAP filters this way. In the following example, we re-create the preceding numbered access list as a named list called pass-marketing on the ZIP network's SF-2 router:

    SF-2# configure
    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line.  End with CTRL+Z.
    SF-2(config)# ipx access-list standard pass-marketing
    SF-2(config-ipx-std-nacl)# permit 10 200
    SF-2(config-ipx-std-nacl)# ^Z

Applying Access Lists

After the filtering criteria of an IPX access list are defined, you must apply the list to one or more interfaces so that packets are actually filtered. The access list can be applied in either the inbound or the outbound direction on an interface. In the inbound direction, packets are arriving at the router from the interface; in the outbound direction, packets are leaving the router through the interface. The access list is applied with the IOS interface configuration subcommand ipx access-group. The command takes the keyword in or out as a parameter; if no keyword is supplied, the default is out. The following example applies standard access list 800, defined in the previous section, to the FDDI 0 interface of the ZIP SF-1 router:

    SF-1# configure
    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line.  End with CTRL+Z.
    SF-1(config)# interface fddi 0
    SF-1(config-if)# ipx access-group 800 out
    SF-1(config-if)# ^Z
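To make the matching rules concrete, the following Python model (added here; it is not Cisco code and not from the book) evaluates a standard IPX access list the way the text describes: the first matching entry decides, a packet that matches no entry is dropped by the implicit deny at the end of the list, and a node mask is treated as a don't-care wildcard where a 1 bit means "ignore this bit" (an assumption about the mask convention, noted in the code). The list built at the bottom is the page's access-list 800.

```python
"""Model of how IOS evaluates a standard IPX access list (numbers 800-899)."""
from dataclasses import dataclass

ANY_NET = -1  # IOS writes -1 for "any IPX network"

def parse_ipx_addr(text):
    """'10' -> (0x10, None); '10.0000.0c0c.11bb' -> (0x10, 0x00000c0c11bb)."""
    net, _, node = text.partition(".")
    return int(net, 16), (int(node.replace(".", ""), 16) if node else None)

@dataclass
class Entry:
    action: str        # "permit" or "deny"
    src_net: int       # ANY_NET matches every network
    src_node: object   # None means any node on the network
    src_mask: int      # node wildcard; a 1 bit is "don't care" (assumed, as for IP wildcard masks)
    dst_net: int
    dst_node: object
    dst_mask: int

def parse_entry(line):
    """Parse one IOS-style entry: 'permit|deny source [node-mask] [destination [node-mask]]'."""
    action, *toks = line.split()
    fields, i = [], 0
    while i < len(toks):
        net, node = parse_ipx_addr(toks[i]); i += 1
        mask = 0
        # a 48-bit node mask is a dotted triplet (two dots); a bare network number has no dots
        if node is not None and i < len(toks) and toks[i].count(".") == 2:
            mask = int(toks[i].replace(".", ""), 16); i += 1
        fields.append((net, node, mask))
    while len(fields) < 2:            # an omitted destination means any address
        fields.append((ANY_NET, None, 0))
    (sn, snode, sm), (dn, dnode, dm) = fields
    return Entry(action, sn, snode, sm, dn, dnode, dm)

def _match(rule_net, rule_node, mask, pkt):
    net_ok = rule_net == ANY_NET or rule_net == pkt[0]
    node_ok = rule_node is None or (rule_node | mask) == ((pkt[1] or 0) | mask)
    return net_ok and node_ok

def evaluate(acl, src, dst):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for e in acl:
        if _match(e.src_net, e.src_node, e.src_mask, src) and \
           _match(e.dst_net, e.dst_node, e.dst_mask, dst):
            return e.action
    return "deny"

ACL_800 = [parse_entry("permit 10 200")]  # the page's access-list 800
```

Applied with ipx access-group 800 out, only packets for which evaluate returns "permit" leave the interface; note that the reverse direction (200 to 10) is not permitted by this list and would need its own entry or a list on the other interface.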

You can view the behavior of access lists and verify that they have been configured properly by using the IOS EXEC commands show access-lists and show ipx access-lists. The former shows all access lists defined on the router, while the latter shows only the IPX access lists. Each command can take an access list number as a parameter and display only the contents of that list; if no parameter is supplied, all lists are displayed. Following is the output of the show ipx access-lists command on the ZIP SF-1 router for the previous access list examples:

    SF-1# show ipx access-lists
    IPX standard access list 800
        permit 10 200
    IPX standard access list pass-marketing
        permit 10 200

The IOS EXEC command show ipx interface shows whether IPX access lists are set on an interface. In the eighth line of the following output on the SF-1 router, you can see IPX standard access list 800 applied to outgoing IPX packets:

    SF-2# show ipx interface fddi 0
    Fddi0 is up, line protocol is up
      IPX address is 10.0000.0c0c.11bb, SNAP [up]
      Delay of this IPX network, in ticks is 1 throughput 0 link delay 0
      IPXWAN processing not enabled on this interface.
      IPX SAP update interval is 60 seconds
      IPX type 20 propagation packet forwarding is disabled
      Incoming access list is not set
      Outgoing access list is 800
      IPX helper access list is not set
      SAP GNS processing enabled, delay 0 ms, output filter list is not set
      SAP Input filter list is not set
      SAP Output filter list is not set
      SAP Router filter list is not set
      Input filter list is not set
      Output filter list is not set
      Router filter list is not set
      Netbios Input host access list is not set
      Netbios Input bytes access list is not set
      Netbios Output host access list is not set
      Netbios Output bytes access list is not set
      Updates each 60 seconds, aging multiples RIP: 3 SAP: 3
      SAP interpacket delay is 55 ms, maximum size is 480 bytes
      RIP interpacket delay is 55 ms, maximum size is 432 bytes
      IPX accounting is disabled
      IPX fast switching is configured (enabled)
      RIP packets received 54353, RIP packets sent 214343
      SAP packets received 94554422, SAP packets sent 93492324


Cisco Router Configuration (2nd Edition)
ISBN: 1578702410
Year: 1999
Pages: 116
