488 Chapter 7: Understanding Access List Security
SAP filtering provides two functions: filtering the services listed in outgoing SAP updates, and
filtering services listed in received SAP updates. The first function reduces the information sent
to the router's neighboring IPX servers and routers. The second function limits what a router
adds to its SAP table when an update is received. Unlike packet filters, SAP filters examine the
data inside the packet as well. Figure 7-11 outlines the process.
Figure 7-11 SAP Filter Flow Diagram
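The two paths in Figure 7-11 can be modeled in a few lines of Python. This is an added illustration, not code from the book and not IOS syntax; the Service and Router classes, the rule tuples, and the sample services are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str      # server name as advertised in SAP
    sap_type: int  # 4 = file server, 7 = print server
    network: int   # IPX network the server lives on

def permitted(svc, rules):
    """First matching rule wins; no match is an implicit deny."""
    for action, network, sap_type in rules:  # None acts as a wildcard
        if network in (None, svc.network) and sap_type in (None, svc.sap_type):
            return action == "permit"
    return False

class Router:
    def __init__(self, input_filter=None, output_filter=None):
        self.input_filter = input_filter
        self.output_filter = output_filter
        self.sap_table = {}

    def receive_update(self, services):
        """Input path: a denied entry is never added to the SAP table."""
        for svc in services:
            if self.input_filter is None or permitted(svc, self.input_filter):
                self.sap_table[svc.name] = svc

    def build_update(self):
        """Output path: a denied entry stays in the table but is left out of the packet."""
        return [s.name for s in self.sap_table.values()
                if self.output_filter is None or permitted(s, self.output_filter)]

# Constructed sample data: two file servers and one print server.
UPDATE = [Service("S1", 4, 0x10), Service("S2", 4, 0x20), Service("P1", 7, 0x20)]
# Hide file services on network 0x20, allow everything else.
RULES = [("deny", 0x20, 4), ("permit", None, None)]

def compare():
    """Apply the same rules as an input filter and as an output filter."""
    inbound, outbound = Router(input_filter=RULES), Router(output_filter=RULES)
    for r in (inbound, outbound):
        r.receive_update(UPDATE)
    return {"input": (sorted(inbound.sap_table), inbound.build_update()),
            "output": (sorted(outbound.sap_table), outbound.build_update())}

if __name__ == "__main__":
    print(compare())
```

With the rules applied on input, the router never learns S2 at all; applied on output, S2 remains in the SAP table and only the advertisement is trimmed.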
Two main reasons exist for using SAP filters. First, SAP updates can consume a large amount
of bandwidth, particularly in nonbroadcast multiaccess (NBMA) networks. If clients in one
division never need services from servers in another division, there is no need to waste
bandwidth advertising the services. The second reason for SAP filters is that they can
accomplish the same task as most IPX packet filters, but with less overhead. (This second
reason will be outlined in the SAP filtering sample in Example 7-14.) SAP filters will be used
[Figure 7-11 labels. Input path: SAP Update, Check SAP Info, Permit: Update SAP Table, Deny: Do Not Add to Table. Output path: SAP Timer Expires, Check SAP Table, Permit: Build SAP Packets, Deny: Do Not Put Entry in Packet, Send.]
ch07.fm Page 488 Monday, March 20, 2000 5:14 PM