Cisco routers use access lists to enable security and to control the types of traffic passed between interfaces. One of the options of access lists is the ability to control SAP advertisements coming into or leaving the router's interfaces. In addition to managing SAP advertisement traffic, an administrator can use access lists to filter certain IPX packets for network security.

IPX access lists are similar to IP access lists: both protocols use standard and extended access lists in their configurations. Standard IPX access lists are numbered from 800 to 899, and extended access lists are numbered from 900 to 999. To apply a completed access list to an interface, you use the ipx access-group command followed by the access list number and the keyword in or out, which indicates whether the access list should filter data going into or out of the interface.

The following sample shows the access-list command and the syntax available for a standard access list:

access-list access-list-number {deny | permit} source-network[.source-node [source-node-mask]] [destination-network[.destination-node [destination-node-mask]]]

With IPX standard access lists, a packet can be filtered based only on the source and destination address information contained in the packet header. To filter IPX traffic based on socket numbers, protocol, or other IPX identifiers, an extended access list must be used. The following is the syntax of the access-list command for an extended access list:

access-list access-list-number {deny | permit} protocol [source-network][[[.source-node] source-node-mask] | [.source-node source-network-mask.source-node-mask]] [source-socket] [destination-network][[[.destination-node] destination-node-mask] | [.destination-node destination-network-mask.destination-node-mask]] [destination-socket]

The output above shows the syntax required for the access-list command.
In the next few sections, you will see examples of this command and the syntax required for each type of access list.
An example can help explain the access-list command syntax. The following output shows a simple extended access list. First, here are the command and the fields it requires:

access-list [number] {permit | deny} [protocol] [source] [socket] [destination] [socket number]

Now let's look at the command with each field configured and the list applied to the Ethernet 0 interface:

DCS2514(config)# access-list 900 deny -1 100 0 200 0
DCS2514(config)# interface ethernet0
DCS2514(config-if)# ipx access-group 900 in
DCS2514(config-if)# exit
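To make the field order concrete, here is a small parser for the two access-list forms and the ipx access-group binding described above. It is an added illustration, not Cisco code: it accepts the positional syntax shown on this page (with every field of the extended form written out, as in the session above), classifies a list as standard or extended by its number, and refuses an access-group line that refers to a list that was never defined. The sample configuration, the prompt-stripping regex and the plain-English descriptions are constructed for this example; the readings of -1 as "any protocol" and socket 0 as "any socket" are the IOS meanings of those values, which the page uses but does not spell out.

```python
"""Parser for IPX access-list / ipx access-group lines (illustrative, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import Optional

PROMPT_RE = re.compile(r"^\S+\(config(?:-if)?\)#\s*")                     # strips "DCS2514(config-if)# "
NODE_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")  # 48-bit node or node mask


@dataclass
class IpxAddress:
    network: str                      # network number; "-1" matches any network
    node: Optional[str] = None        # optional 48-bit node written xxxx.xxxx.xxxx
    node_mask: Optional[str] = None   # optional mask applied to the node part


@dataclass
class IpxAcl:
    number: int
    kind: str                         # "standard" (800-899) or "extended" (900-999)
    action: str                       # "permit" or "deny"
    source: IpxAddress
    destination: Optional[IpxAddress] = None
    protocol: Optional[str] = None    # extended only; "-1" matches any protocol
    source_socket: Optional[str] = None        # extended only; "0" matches any socket
    destination_socket: Optional[str] = None


def acl_kind(number: int) -> str:
    """Classify an access-list number by the IPX ranges given in the text."""
    if 800 <= number <= 899:
        return "standard"
    if 900 <= number <= 999:
        return "extended"
    raise ValueError(f"{number} is outside the IPX ranges 800-899 and 900-999")


def _next(tokens, i, what):
    if i >= len(tokens):
        raise ValueError(f"missing {what}")
    return tokens[i], i + 1


def _take_address(tokens, i, what):
    """Consume network[.node [node-mask]]; the first '.' separates network from node."""
    token, i = _next(tokens, i, what)
    network, _, node = token.partition(".")
    addr = IpxAddress(network, node or None)
    if node and i < len(tokens) and NODE_RE.match(tokens[i]):
        addr.node_mask, i = tokens[i], i + 1
    return addr, i


def parse_access_list(line: str) -> IpxAcl:
    tokens = PROMPT_RE.sub("", line).split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list command: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    kind = acl_kind(number)
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit or deny, got {action!r}")
    i = 3
    if kind == "standard":
        source, i = _take_address(tokens, i, "source network")
        acl = IpxAcl(number, kind, action, source)
        if i < len(tokens):                                   # destination is optional
            acl.destination, i = _take_address(tokens, i, "destination network")
    else:                                                     # full positional extended form
        protocol, i = _next(tokens, i, "protocol")
        source, i = _take_address(tokens, i, "source network")
        src_socket, i = _next(tokens, i, "source socket")
        dest, i = _take_address(tokens, i, "destination network")
        dst_socket, i = _next(tokens, i, "destination socket")
        acl = IpxAcl(number, kind, action, source, dest, protocol, src_socket, dst_socket)
    if i != len(tokens):
        raise ValueError(f"unexpected trailing tokens: {tokens[i:]}")
    return acl


def describe(acl: IpxAcl) -> str:
    """Plain-English reading of one entry, expanding the -1 and 0 wildcards."""
    def side(addr, socket):
        where = "any network" if addr.network == "-1" else f"network {addr.network}"
        if addr.node:
            where += f" node {addr.node}" + (f" mask {addr.node_mask}" if addr.node_mask else "")
        if socket is not None:
            where += ", any socket" if socket == "0" else f", socket {socket}"
        return where
    text = f"{acl.kind} list {acl.number}: {acl.action} "
    if acl.kind == "extended":
        text += ("any protocol" if acl.protocol == "-1" else f"protocol {acl.protocol}") + " "
    text += "from " + side(acl.source, acl.source_socket)
    if acl.destination:
        text += " to " + side(acl.destination, acl.destination_socket)
    return text


def parse_config(lines):
    """Return (lists by number, {interface: (number, direction)}); an access-group that
    names an undefined list, a bad direction, or no current interface is rejected."""
    acls, bindings, current_if = {}, {}, None
    for raw in lines:
        tokens = PROMPT_RE.sub("", raw).split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            acl = parse_access_list(raw)
            acls[acl.number] = acl
        elif tokens[0] == "interface":
            current_if = "".join(tokens[1:]).lower()          # "interface ethernet0" -> "ethernet0"
        elif tokens[:2] == ["ipx", "access-group"]:
            number, direction = int(tokens[2]), tokens[3]
            if current_if is None or direction not in ("in", "out") or number not in acls:
                raise ValueError(f"bad access-group line: {raw!r}")
            bindings[current_if] = (number, direction)
    return acls, bindings


# Constructed sample in the form of the session above, plus a standard list with a node and mask.
SAMPLE_CONFIG = [
    "DCS2514(config)# access-list 900 deny -1 100 0 200 0",
    "DCS2514(config)# access-list 800 permit 100.0000.0c00.1234 0000.0000.0000 200",
    "DCS2514(config)# interface ethernet0",
    "DCS2514(config-if)# ipx access-group 900 in",
    "DCS2514(config-if)# exit",
]

if __name__ == "__main__":
    acls, bindings = parse_config(SAMPLE_CONFIG)
    for acl in acls.values():
        print(describe(acl))
    print(bindings)
```

Running the block prints one line per list and the binding {'ethernet0': (900, 'in')}; the session's list 900 reads as "deny any protocol from network 100, any socket to network 200, any socket", which makes clear why that single entry blocks everything from network 100 to network 200 on the inbound side of Ethernet 0.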