Cisco Knowledge Suite Cisco SystemsCisco Press

Cutting Edge
Core Reference
Guided Learning
Networking Architecture
Internet Protocols (IP)
Network Protocols
Transport and Application Protocols
Desktop Protocols
Security and Troubleshooting
Network Resources and Management
Integrated Services

Configuring IPX Filtering via Access Lists


< Back Contents Next >

IPX Basics



IPX Addressing and Address Structure



Configuring IPX Addresses



IPX Routing Configuration



Configuring IPX Routing Protocols



Configuring IPX Filtering via Access Lists



Configuring Basic IPX Dialup Services



Verifying IPX Connectivity and Troubleshooting



Configuring IPX Type 20 Packet Forwarding







Save to MyCKS

Cisco Router Configuration

From: Cisco Router Configuration
Author: Bruce Pinsky; Allan Leinwand; Mark Culpepper
Publisher: Cisco Press (53)
More Information

Configuring IPX Filtering via Access Lists

The IPX packet filtering facilities of the Cisco IOS software enable a network administrator to restrict access to certain systems, network segments, ranges of addresses, and services based on a variety of criteria. Like SAP filtering, IPX filtering is accomplished with access lists. SAP filters apply access lists to SAP messages sent or received. IPX packet filtering uses access lists to permit or deny routed IPX traffic on an interface basis.

Defining Access Lists

Standard IPX access lists, which are numbered 800 through 899, allow for restricting packet flow based on source IPX addresses and destination IPX addresses. A range of addresses can be specified using wild cards or “don't care” masks.

Extended IPX access lists, numbered 900 to 999, enable the same filtering capabilities as standard IPX access lists. Furthermore, they allow for filtering on the basis of NetWare protocols (such as RIP, SAP, and SPX) and IPX socket numbers. IPX sockets are used to identify upper layer NetWare application services. You can log access list activity with the parameter keyword log. We explore logging in more detail in Chapter 7, “Basic Administrative and Management Issues.”

In the following example on the ZIP SF-2 router, we configure a standard IPX access list to permit packets from source IPX network 10 to reach destination IPX network 200:

Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
SF-2(config)#access-list 800 permit 10 200

Just as with IP access lists, you can assign names to IPX access lists. The protocol's provision for named IPX access lists means that you can specify an arbitrary string of characters rather than a number to identify the access list. The command for creating a named IPX access list is the IOS global configuration command ipx access-list. You can create standard, extended, or SAP filters using IPX named access lists. In the following example, we name the preceding IPX numbered access list pass-marketing on the ZIP network's SF-2 router:

Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
SF-2(config)#ipx access-list standard pass-marketing
SF-2(config-ipx-std-nacl)#permit 10 200

Applying Access Lists

After the filtering criteria of an IPX access list is defined, you must apply it to one or more interfaces so that packets can be filtered. The access list can be applied in either an inbound or outbound direction on the interface. For the inbound direction, packets are coming into the router from the interface. For the outbound direction, packets are traveling from the router onto the interface. The access list is applied via the IOS interface configuration subcommand ipx access-group. The command takes as a parameter the keyword in or out, with the default being out if no keyword is supplied. The following example applies the standard access list 800, defined in the previous section, on the FDDI 0 interface of the ZIP SF-1 router:

Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
SF-1(config)#interface fddi 0
SF-1(config-if)#ipx access-group 800 out

You can view the behavior of access lists and verify that they have been configured properly by using the IOS EXEC commands show access-lists and show ipx access-lists. The former command shows all access lists defined on the router, while the latter shows only IPX access lists defined on the router. Each command can take as a parameter an access list number and display only the contents of that list. If no parameter is supplied, all lists are displayed. Following is the output of the show ipx access-lists command on the ZIP SF-1 router for the previous access list examples:

SF-1#show ipx access-lists
IPX standard access list 800
    permit 10 200
IPX standard access list pass-marketing
    permit 10 200

The IOS EXEC command show ipx interface shows whether IPX access lists are set on an interface. In the eighth line of the following output on the SF-1 router, you can see IPX standard access list 800 applied to outgoing IPX packets:

SF-2#show ipx interface fddi 0
Fddi0 is up, line protocol is up
  IPX address is 10.0000.0c0c.11bb, SNAP [up]
  Delay of this IPX network, in ticks is 1 throughput 0 link delay 0
  IPXWAN processing not enabled on this interface.
  IPX SAP update interval is 60 seconds
  IPX type 20 propagation packet forwarding is disabled
  Incoming access list is not set
  Outgoing access list is 800
  IPX helper access list is not set
  SAP GNS processing enabled, delay 0 ms, output filter list is not set
  SAP Input filter list is not set
  SAP Output filter list is not set
  SAP Router filter list is not set
  Input filter list is not set
  Output filter list is not set
  Router filter list is not set
  Netbios Input host access list is not set
  Netbios Input bytes access list is not set
  Netbios Output host access list is not set
  Netbios Output bytes access list is not set
  Updates each 60 seconds, aging multiples RIP: 3 SAP: 3
  SAP interpacket delay is 55 ms, maximum size is 480 bytes
  RIP interpacket delay is 55 ms, maximum size is 432 bytes
  IPX accounting is disabled
  IPX fast switching is configured (enabled)
  RIP packets received 54353, RIP packets sent 214343
  SAP packets received 94554422, SAP packets sent 93492324

< Back Contents Next >

Save to MyCKS


Breaking News

One of the primary architects of OpenCable, Michael Adams, explains the key concepts of this initiative in his book OpenCable Architecture.

Expert Advice

Ralph Droms, Ph.D., author of The DHCP Handbook and chair of the IETF Dynamic Host Configuration Working Group, guides you to his top picks for reliable DHCP-related information.

Just Published

Residential Broadband, Second Edition
by George Abe

Introduces the topics surrounding high-speed networks to the home. It is written for anyone seeking a broad-based familiarity with the issues of residential broadband (RBB) including product developers, engineers, network designers, business people, professionals in legal and regulatory positions, and industry analysts.


From the Brains at InformIT


Contact Us


Copyright, Terms & Conditions


Privacy Policy


© Copyright 2000 InformIT. All rights reserved.