Controlling SAP Advertisements with Access Lists

The service advertisements generated by SAP can send a significant amount of traffic in medium-scale networks. In larger networks, SAP can cause high processor utilization and overall degradation of the network because of the amount of bandwidth being used from the large number of sent advertisements.

Standard and extended IPX access lists are used to control traffic between IPX network interfaces. You use SAP access lists to control SAP traffic between network interfaces on a router using access list numbers in the range of 1000 to 1099. The following lists the syntaxes used to configure IPX SAP access lists:

  access-list  [number] [permit/deny] [source] [service type] 

This type of access list is relatively simple to use. The following output lists an example of denying SAP traffic from any server from network 100 on Ethernet0:

 DCS2514#  config terminal  Enter configuration commands, one per line. End with CNTL/Z. DCS2514(config)#  access-list 1000 deny 100.0000.0000.0001 0  DCS2514(config)#  interface ethernet0  DCS2514(config-if)#  ipx input-sap-filter 1000  DCS2514(config-if)#  exit  

In the output above, the service type 0 represents all service types. You can use service type 4 to identify file servers, and type 7 to identify only print servers. Instead of using the access- group command to apply this to an interface, you must use the ipx input-sap-filter command on an inbound interface, or the ipx output-sap-filter command to filter on an out-bound interface. The command must be followed by the configured access list number.

To disable IPX access lists for troubleshooting purposes, use the following commands:

 DCS2514(config-if)#  no ipx access-group access-group   number  DCS2514(config-if)#  no ipx input-sap-filter access-list   number  DCS2514(config-if)#  no ipx output-sap-filter access-list   number