Chapter 9
Managing Traffic with Access Lists
These are access lists in the range of 900–999 and are configured just like standard access lists, with the addition of protocol and socket information. Let's take a look at a template for building lines in an IPX extended access list.
access-list {number} {permit|deny} {protocol} {source} {socket} {destination} {socket}
Again, when you move from standard to extended access lists, you're simply adding the ability to filter based on protocol and socket (port for IP).
IPX SAP Filters
IPX SAP filters are implemented using the same tools we've been discussing all along in this chapter. They have an important place in controlling IPX SAP traffic. Why is this important? Because if you can control the SAPs, you can control the access to IPX devices. IPX SAP filters use access lists in the 1000–1099 range. IPX SAP filters should be placed as close as possible to the source of the SAP broadcasts; this stops unwanted SAP traffic from crossing a network only to be discarded.
Two types of access list filters control SAP traffic:
IPX input SAP filter: This is used to stop certain SAP entries from entering a router and updating the SAP table.
IPX output SAP filter: This stops certain SAP updates from being sent in the regular 60-second SAP updates.
Here's the template for each line of an IPX SAP filter:
access-list {number} {permit|deny} {source} {service type}
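How lines built from this template decide which SAP entries get through, as an added Python sketch that is not from the book or from IOS. It assumes first-match-wins evaluation with an implicit deny at the end of the list, -1 as the any-network source, service type 0 (or an omitted type) as match-all, and an optional trailing server name as in the Sales example; the list contents and SAP entries are constructed sample data.

```python
from typing import NamedTuple, Optional

class SapEntry(NamedTuple):
    network: int          # IPX network number advertising the service
    service_type: int     # SAP service type code (4 = file services)
    server_name: str

class Rule(NamedTuple):
    permit: bool
    network: Optional[int]      # None stands for -1 (any IPX net)
    service_type: int           # 0 matches all services
    server_name: Optional[str]  # None matches any server name

def parse_line(line):
    """Parse 'access-list {number} {permit|deny} {source} [{service type} [name]]'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a SAP filter line: {line!r}")
    number = int(tok[1])
    if not 1000 <= number <= 1099:
        raise ValueError(f"list {number} is outside the SAP filter range 1000-1099")
    # Only the network form of {source} is handled here, not net.host.
    network = None if tok[3] == "-1" else int(tok[3], 16)
    service = int(tok[4], 16) if len(tok) > 4 else 0   # assumed: omitted = all
    name = tok[5] if len(tok) > 5 else None
    return number, Rule(tok[2] == "permit", network, service, name)

def load_lists(config):
    """Group parsed rules by access list number, preserving line order."""
    lists = {}
    for line in filter(None, map(str.strip, config.splitlines())):
        number, rule = parse_line(line)
        lists.setdefault(number, []).append(rule)
    return lists

def filter_sap(rules, sap_table):
    """Return the SAP entries that survive the filter (first match wins)."""
    def allowed(e):
        for r in rules:
            if (r.network in (None, e.network) and r.service_type in (0, e.service_type)
                    and r.server_name in (None, e.server_name)):
                return r.permit
        return False      # implicit deny at the end of every access list
    return [e for e in sap_table if allowed(e)]

# Constructed sample data, not taken from the book.
CONFIG = """
access-list 1010 permit -1 4 Sales
access-list 1011 deny 20 4
access-list 1011 permit -1 0
"""
SAP_TABLE = [SapEntry(0x10, 4, "Sales"), SapEntry(0x10, 7, "Sales"), SapEntry(0x20, 4, "Acct")]
LISTS = load_lists(CONFIG)
```

List 1010 leaves only the Sales file service visible, while list 1011 hides the file service on network 20 and passes everything else, which shows why the order of the lines matters.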
Here is an example of an IPX SAP filter that allows service type 4 (file
services) from a NetWare service named Sales.
Router(config)#access-list 1010 permit ?
-1 Any IPX net
<0-FFFFFFFF> Source net
N.H.H.H Source net.host address
Router(config)#access-list 1010 permit -1 ?
<0-FFFF> Service type-code (0 matches all services)
N.H.H.H Source net.host mask
<cr>
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com