482 Chapter 7: Understanding Access List Security
The following criteria will be used in this IPX standard access list example established in Figure
7-7 and Example 7-11:
1. Packets from network 101 are not allowed onto network 200.
2. Packets from network 102 are allowed onto network 200.
3. Packets from network 301 are not allowed onto network 200, 101, or 102.
4. Packets from network 302 are allowed to go anywhere.
The example shows one way to accomplish the goals, but other alternatives exist. Access list
810 implements the first two criteria for the example by filtering packets exiting Ethernet 0 on
R1. Access list 820 implements the last two criteria for the example by filtering packets entering
serial1 on R1.
First, consider the logic in access-list 810, which is used to meet the first two criteria. The list
denies access from source network 101 and permits all other source network numbers via the
explicitly defined "permit all else" as the second statement in the list. If the list had been used
as an inbound access-list on serial0 of R1, then packets from network 101 would not be capable
of entering R1 for forwarding on to R3. By placing the filter on Ethernet0 as an outbound filter,
R1 could forward packets from 101 and 102 on to R3, but only packets from network 102 would
make it to network 200.
Next consider the logic in access-list 820. This permits only source network 302 and denies all
other source networks due to the implied "deny all else" at the end of the list. By applying the
list as an inbound list on R1's serial 1, criterion 3 will be met by the default "deny all," and
criterion 4 will be met by the explicit "permit" of source network 302.
Several nuances of access list operation are seen (or implied, by omission) in the syntax shown
in Example 7-11. access-list 810 uses the keyword -1, which means any and all network
numbers. No destination networks were checked with either access list, which is allowed with
IPX standard access lists. Also, the optional node mask was not used and is not useful very
often. For example, imagine that a requirement was added so that packets from Clients 5 and 6
are not allowed to be sent to network 302. If the IPX addresses for Clients 5 and 6 were
200.0200.1234.0000 and 200.0200.1234.0001, and if no other client's IPX addresses began
with 200.0200.1234, then the following access-list command could match packets from these
two clients:
access-list 830 deny 200.0200.1234.0000 0000.0000.ffff
The wildcard mask works like the wildcard mask used in IP access lists; the only difference is
that it is configured as a hexadecimal number. The final four f digits mean that the final four hex
digits in the node part of the address are automatically considered to match, but that the first
eight digits do need to be checked. However, because almost everyone who uses IPX uses the
burned-in MAC address for the node part of the IPX address, the IPX addresses on these clients
will almost never have a convenient number to allow packets from both to be matched in the
same access list statement. Even if the numbers were convenient for using a wildcard mask, the
IPX address would change if the LAN adapter ever was replaced, giving undesired results from
ch07.fm Page 482 Monday, March 20, 2000 5:14 PM
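The matching rules described above (first match wins, -1 for any network, the implied "deny all else", and the hexadecimal node wildcard mask from access-list 830) can be exercised with a small evaluator. This is an added example, not code from the book or from Cisco IOS; the configuration it parses is constructed from the text's description, since Example 7-11 itself is not reproduced here, and network numbers are assumed to be hexadecimal as IPX defines them.

```python
import re

# Constructed configuration following the text's description (Example 7-11
# itself is not reproduced here); the 830 entries are the page's node-mask case.
CONFIG = """
access-list 810 deny 101
access-list 810 permit -1
access-list 820 permit 302
access-list 830 deny 200.0200.1234.0000 0000.0000.ffff
access-list 830 permit -1
"""

def parse_ipx_addr(text):
    """Split 'net' or 'net.node' (hexadecimal) into (network, node); -1 means any network."""
    m = re.fullmatch(r'(-1|[0-9A-Fa-f]+)(?:\.([0-9A-Fa-f.]+))?', text)
    if not m:
        raise ValueError(f"bad IPX address: {text}")
    net = -1 if m.group(1) == '-1' else int(m.group(1), 16)
    node = int(m.group(2).replace('.', ''), 16) if m.group(2) else None
    return net, node

def parse_acl_line(line):
    """Parse 'access-list <n> permit|deny <source>[ <node-wildcard-mask>]'."""
    parts = line.split()
    net, node = parse_ipx_addr(parts[3])
    mask = int(parts[4].replace('.', ''), 16) if len(parts) > 4 else 0
    return {'number': int(parts[1]), 'permit': parts[2] == 'permit',
            'net': net, 'node': node, 'mask': mask}

def build_acls(config):
    """Group statements by list number, keeping their configured order."""
    acls = {}
    for line in config.strip().splitlines():
        entry = parse_acl_line(line.strip())
        acls.setdefault(entry['number'], []).append(entry)
    return acls

def acl_decides(entries, src_net, src_node=None):
    """First matching statement wins; no match means the implied 'deny all else'."""
    for e in entries:
        if e['net'] != -1 and e['net'] != src_net:
            continue
        if e['node'] is not None:
            # Wildcard mask as in IP lists: a 1 bit means 'do not check this bit'.
            if src_node is None or (src_node ^ e['node']) & ~e['mask']:
                continue
        return e['permit']
    return False

ACLS = build_acls(CONFIG)
```

Evaluating list 810 for networks 101 and 102, list 820 for 301 and 302, and list 830 for the two client node addresses reproduces the four criteria and the node-mask match the text walks through.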