Common Novell Troubleshooting Issues
In many large networks, this solution is quite appropriate, even considering the negatives. Users in Chicago rarely need to print files in San Francisco, and users in London may not need files in Tokyo. By reviewing the business needs of the users, a balance between filter restrictions and service can be obtained. In addition to traffic management, an administrator may also use the filtering of certain IPX packets for network security.

An IPX access list is not dissimilar to an IP access list. Both standard and extended access lists are available. Standard IPX access lists are numbered from 800 to 899, and extended lists are numbered from 900 to 999. As with IP, more options are available with extended access lists, and a list is applied with the access-group command on the interface.
Standard IPX Access Lists
The syntax of the standard IPX access list is presented for review:
access-list access-list-number [deny | permit] source-network[.source-node [source-node-mask]] [destination-network[.destination-node [destination-node-mask]]]
There are few parameters that can be used in standard access lists. Packets can be filtered based on the source and destination address information only. To filter on socket numbers, extended access lists must be used. It is recommended that standard lists be used only when configuring small networks; most administrators find that eventually they need the flexibility of extended access lists.
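The following is an added example, not taken from the book: a small Python evaluator that parses standard IPX access-list lines in the syntax above and decides what happens to a packet. It assumes the usual IOS conventions that -1 means any network, that mask bits set to 1 are ignored, and that the first matching line wins with an implicit deny at the end; the network numbers AA and BB are constructed.

```python
"""Evaluate standard IPX access-list lines (800-899) against a packet."""

ANY_NET = -1                 # IOS writes -1 for "any network" (assumed convention)
NODE_BITS = (1 << 48) - 1    # IPX node addresses are 48 bits wide

def _node(text):
    # 48-bit node address written as xxxx.xxxx.xxxx
    return int(text.replace(".", ""), 16)

def _addr(tokens):
    # Consume network[.node [node-mask]] from the front of the token list.
    net, _, node = tokens.pop(0).partition(".")
    if not node:
        return int(net, 16), None, 0
    # A node mask has exactly two dots; a following destination has none or three.
    mask = _node(tokens.pop(0)) if tokens and tokens[0].count(".") == 2 else 0
    return int(net, 16), _node(node), mask

def parse_line(line):
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not a standard IPX access-list line: " + line)
    if not 800 <= int(t[1]) <= 899:
        raise ValueError("standard IPX lists are numbered 800 to 899")
    rest = t[3:]
    src = _addr(rest)
    dst = _addr(rest) if rest else (ANY_NET, None, 0)  # destination is optional
    return t[2], src, dst

def _hit(rule, net, node):
    r_net, r_node, mask = rule
    if r_net != ANY_NET and r_net != net:
        return False
    # Mask bits set to 1 are "don't care" positions in the node comparison.
    return r_node is None or ((r_node ^ node) & ~mask & NODE_BITS) == 0

def evaluate(acl, src, dst):
    """src and dst are 'network.node' strings; returns 'permit' or 'deny'."""
    s_net, s_node, _ = _addr([src])
    d_net, d_node, _ = _addr([dst])
    for line in acl:
        action, r_src, r_dst = parse_line(line)
        if _hit(r_src, s_net, s_node) and _hit(r_dst, d_net, d_node):
            return action    # first matching line decides
    return "deny"            # implicit deny when nothing matches

# Constructed sample: AA = Chicago, BB = San Francisco (network numbers assumed).
ACL = [
    "access-list 800 permit AA.0000.0c00.0000 0000.00ff.ffff BB",
    "access-list 800 deny AA BB",
    "access-list 800 permit -1",
]
```

Walking a packet through the list before deploying it shows which line decides its fate, which is the usual way to catch a broad deny placed ahead of a narrower permit.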
Extended IPX Access Lists
An extended IPX access list filters on source and destination address information as standard lists do. Extended lists may also be used to filter on:
Source network/node
Destination network/node
IPX protocol (SAP, SPX, etc.)
IPX socket
The syntax of the command provides a number of options, including the use of masks for both the network and node sections of the packet:
Copyright ©2000 SYBEX, Inc., Alameda, CA
www.sybex.com