IPX Access Lists


Cisco routers use access lists to enable security and to control the types of traffic passed between interfaces. One of the options of access lists is the ability to control SAP advertisements coming into or leaving the router's interfaces. In addition to management of SAP advertisement traffic, an administrator may use access lists to filter certain IPX packets for network security.

IPX access lists are similar to IP access lists. Both protocols use standard and extended access lists in their configurations. Standard IPX access lists are numbered from 800 to 899, and extended access lists are numbered from 900 to 999 (SAP filters, which control SAP advertisements, use the separate range 1000 to 1099).

To apply a completed access list to an interface, you use the ipx access-group command followed by the access list number and the keyword in or out, which indicates whether the list filters traffic entering or leaving the interface. The following shows the access-list command and its syntax for a standard IPX access list:

  access-list access-list-number {deny | permit} source-network[.source-node [source-node-mask]] [destination-network[.destination-node [destination-node-mask]]]

With IPX standard access lists, a packet can be filtered based only on the source and destination address information contained in the packet header. To filter IPX traffic based on socket numbers, protocol type, or other IPX identifiers, an extended access list must be used. The following is the syntax of the access-list command for an extended access list:

  access-list access-list-number {deny | permit} protocol [source-network][[[.source-node] source-node-mask] | [.source-node source-network-mask.source-node-mask]] [source-socket] [destination-network][[[.destination-node] destination-node-mask] | [.destination-node destination-network-mask.destination-node-mask]] [destination-socket]

The syntax above shows the fields the access-list command accepts. In the next few sections, you will see examples of this command and the fields required for each type of access list.

Note:

At the end of every access list is an implied "deny all." It does not appear when you display a configured access list. This means that any traffic you want to pass must be explicitly permitted by an entry in the list; a list that contains only deny entries blocks all traffic on the interface it is applied to.


An example can help explain the access-list command syntax. The following shows a simple extended access list, first as a template of its fields and then as it is actually configured. Here is the field template:

  access-list [number] {permit | deny} [protocol] [source-network] [source-socket] [destination-network] [destination-socket]

Now let's look at an example of the command with each syntax configured and applied to the Ethernet 0 interface:

  DCS2514(config)# access-list 900 deny -1 100 0 200 0
  DCS2514(config)# interface ethernet0
  DCS2514(config-if)# ipx access-group 900 in
  DCS2514(config-if)# exit
Note:

You can substitute the keyword any for -1, the wildcard meaning "all" (if your IOS supports that keyword). Extended access list 900 is configured to deny all IPX protocols (-1) from network 100 that are sent to network 200, and it is applied inbound on the Ethernet0 interface, so it drops such packets as they arrive on that interface. The two 0 values are the source and destination socket fields; a socket of 0 matches all sockets. Because list 900 contains only a deny entry, the implied "deny all" at its end also drops every other IPX packet arriving on Ethernet0; a permit entry (for example, access-list 900 permit -1 any 0 any 0 placed after the deny) is needed if any other traffic should pass.
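The following is an added example, not code from the book or from Cisco IOS: a small Python evaluator that applies the matching rules described above (first matching entry wins, socket 0 matches all sockets, -1 or any matches any protocol or network, implied deny at the end) to constructed IPX packets. It parses the positional form of the extended access-list line used on this page and then shows that list 900 as configured drops not only traffic from network 100 to network 200 but, through the implied deny, all other inbound traffic as well, until a permit entry is added. The packet values, the node-mask convention (1-bits ignored, as with IOS wildcard masks) and the requirement that both socket fields be written are assumptions of this example.

```python
"""Evaluator for Cisco-style IPX extended access lists (numbers 900-999).

Added example, not IOS code: it models the matching rules the page states
(first matching entry wins; socket 0 = all sockets; -1 or "any" = any
protocol/network; implicit deny after the last entry). Networks, nodes
and sockets are hexadecimal as on IOS; the protocol number is decimal
(e.g. 1 RIP, 4 SAP, 17 NCP)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = -1  # IOS writes -1; newer IOS also accepts the keyword "any"


@dataclass
class IpxPacket:
    protocol: int
    src_net: int
    src_node: int
    src_socket: int
    dst_net: int
    dst_node: int
    dst_socket: int


@dataclass
class Entry:
    permit: bool
    protocol: int = ANY
    src_net: int = ANY
    src_socket: int = 0               # 0 matches all sockets
    dst_net: int = ANY
    dst_socket: int = 0
    src_node: Optional[int] = None    # None = any node on the network
    src_node_mask: int = 0            # assumed wildcard style: 1-bits are ignored
    dst_node: Optional[int] = None
    dst_node_mask: int = 0

    @staticmethod
    def _node_ok(want: Optional[int], mask: int, have: int) -> bool:
        return want is None or (want | mask) == (have | mask)

    def matches(self, p: IpxPacket) -> bool:
        return (self.protocol in (ANY, p.protocol)
                and self.src_net in (ANY, p.src_net)
                and self.src_socket in (0, p.src_socket)
                and self.dst_net in (ANY, p.dst_net)
                and self.dst_socket in (0, p.dst_socket)
                and self._node_ok(self.src_node, self.src_node_mask, p.src_node)
                and self._node_ok(self.dst_node, self.dst_node_mask, p.dst_node))


def _net_node(token: str) -> Tuple[int, Optional[int]]:
    """'100' -> (0x100, None); '100.0000.0c12.3456' -> (0x100, 0x00000c123456)."""
    if token in ("-1", "any"):
        return ANY, None
    net, _, node = token.partition(".")
    return int(net, 16), (int(node.replace(".", ""), 16) if node else None)


def parse_extended(line: str) -> Entry:
    """Parse the positional form used on the page:
       access-list N {permit|deny} protocol src-net[.node] src-socket dst-net[.node] dst-socket
    Assumption of this example: both socket fields are written (IOS lets you omit
    them) and node masks are not given in text; set Entry.*_node_mask directly."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or not 900 <= int(tok[1]) <= 999:
        raise ValueError("expected an extended (900-999) IPX access-list line: " + line)
    if tok[2] not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: " + line)
    proto = ANY if tok[3] in ("-1", "any") else int(tok[3])
    src_net, src_node = _net_node(tok[4])
    dst_net, dst_node = _net_node(tok[6])
    return Entry(permit=(tok[2] == "permit"), protocol=proto,
                 src_net=src_net, src_node=src_node, src_socket=int(tok[5], 16),
                 dst_net=dst_net, dst_node=dst_node, dst_socket=int(tok[7], 16))


def evaluate(acl: List[Entry], p: IpxPacket) -> bool:
    """Top-down, first match decides; falling off the end is the implicit deny."""
    for e in acl:
        if e.matches(p):
            return e.permit
    return False


# Constructed demo (not from the page): the page's list 900, then the same
# list with an explicit permit-all added after the deny.
PAGE_ACL = [parse_extended("access-list 900 deny -1 100 0 200 0")]
FIXED_ACL = PAGE_ACL + [parse_extended("access-list 900 permit -1 any 0 any 0")]

# NCP (protocol 17) from a client on net 100 to server socket 451 on net 200 / net 300
NCP_100_TO_200 = IpxPacket(17, 0x100, 0x0000_0c12_3456, 0x4003, 0x200, 0x1, 0x451)
NCP_100_TO_300 = IpxPacket(17, 0x100, 0x0000_0c12_3456, 0x4003, 0x300, 0x1, 0x451)


def demo() -> dict:
    return {
        "page_acl_100_to_200": evaluate(PAGE_ACL, NCP_100_TO_200),    # False: explicit deny
        "page_acl_100_to_300": evaluate(PAGE_ACL, NCP_100_TO_300),    # False: implicit deny
        "fixed_acl_100_to_200": evaluate(FIXED_ACL, NCP_100_TO_200),  # False: deny still first
        "fixed_acl_100_to_300": evaluate(FIXED_ACL, NCP_100_TO_300),  # True: explicit permit
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'permit' if allowed else 'deny'}")
```

Running the block prints the four decisions; the second line (network 100 to network 300 denied by a list that never mentions network 300) is the effect of the implied "deny all" that the note above describes, and the order of entries matters because the first match wins.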




CCNP CIT Exam Cram 2 (642-831)
ISBN: 0789730219
Year: 2003
Pages: 213
Authors: Sean Odom
