IPX Access Lists
The following configuration is used with Figure 9.2. Interface Ethernet 0 is
on Network 40; interface Ethernet 1 is on Network 10; interface Ethernet 2
is on Network 20; interface Ethernet 3 is on Network 30.
The access list is configured and applied as shown. This IPX access list
permits packets generated from IPX Network 20 out interface Ethernet 0 to
Network 40.
Router(config)#access-list 810 permit 20 40
Router(config)#int e0
Router(config-if)#ipx access-group 810 out
Think about what this configuration accomplishes. First and most obvious,
any IPX devices on IPX Network 20 off interface Ethernet 2 can communicate
to the server on Network 40, which is connected to interface Ethernet 0.
However, notice what else this configuration accomplishes with only one
line (remember that there is an implicit deny all at the end of the list):
Hosts on Network 10 cannot communicate to the server on Network 40.
Hosts on Network 40 can get to Network 10, but the packets cannot get back.
Hosts on Network 30 can communicate to Network 10, and Network 10 can communicate to Network 30.
Hosts on Network 30 cannot communicate to the server on Network 40.
Hosts on Network 40 can get to hosts on Network 30, but the packets can't come back from Network 30 in response.
Hosts on Network 20 can communicate to all devices in the internetwork.
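The reachability results listed above can be derived mechanically. The following Python model is an added example, not part of the original text and not Cisco IOS code; it assumes exact network-number matching and covers only packets forwarded through the router. The function and variable names are illustrative.

```python
# Added illustration: a model of the router in Figure 9.2, not Cisco IOS code.
# The interface-to-network mapping and the ACL come from the configuration above.
INTERFACES = {"e0": 40, "e1": 10, "e2": 20, "e3": 30}  # interface -> IPX network
ACL_810 = [("permit", 20, 40)]      # access-list 810 permit 20 40
OUTBOUND = {"e0": ACL_810}          # ipx access-group 810 out, applied on e0 only


def acl_permits(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, acl_src, acl_dst in acl:
        if (acl_src, acl_dst) == (src, dst):
            return action == "permit"
    return False  # implicit deny all at the end of every access list


def forwarded(src, dst):
    """True if the router forwards a packet from network src to network dst."""
    egress = next(i for i, net in INTERFACES.items() if net == dst)
    acl = OUTBOUND.get(egress)
    # An interface with no outbound list applied filters nothing.
    return True if acl is None else acl_permits(acl, src, dst)


def conversation(a, b):
    """Classify traffic started by a host on network a toward network b."""
    if not forwarded(a, b):
        return "blocked"
    # The reply is a separate packet and is checked on its own egress interface.
    return "two-way" if forwarded(b, a) else "one-way (no reply)"


def matrix():
    """Outcome for every ordered pair of distinct networks."""
    nets = sorted(INTERFACES.values())
    return {(a, b): conversation(a, b) for a in nets for b in nets if a != b}


if __name__ == "__main__":
    for (a, b), result in matrix().items():
        print(f"Network {a} -> Network {b}: {result}")
```

The model shows why a single outbound list has side effects: every packet leaving Ethernet 0 is tested, so replies headed to Network 40 are dropped unless they originate on Network 20.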
Extended IPX Access Lists
An extended IPX access list can filter based on any of the following:
Source network/node
Destination network/node
IPX protocol (SAP, SPX, etc.)
IPX socket
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com