IPX Access Lists


IPX access lists are configured the same way as any other list. You use the access-list command to create your access list of packet tests and then apply the list to an interface with the access-group command.

I will discuss the following IPX access lists:

IPX standard: These access lists filter on IPX source and destination host or network number. They use the access-list numbers 800–899. IPX standard access lists are similar to IP standard access lists, except that IP standards only filter on source IP addresses, whereas IPX standards filter on source and destination IPX addresses.

IPX extended: These access lists filter on IPX source and destination host or network number, the IPX protocol field in the Network layer header, and the socket number in the Transport layer header. They use the access-list numbers 900–999.

IPX SAP filter: These filters are used to control SAP traffic on LANs and WANs. IPX SAP filters use the access-list numbers 1000–1099. Network administrators can set up IPX access lists to control the amount of IPX traffic, including IPX SAPs, across slow WAN links.

Standard IPX Access Lists
Standard IPX access lists use the source or destination IPX host or network address to filter the network. This is configured much the same way IP standard access lists are. The syntax to configure an IPX standard access list is

access-list 800-899 deny or permit source_address destination_address

Wildcards can be used for the source and destination IPX addresses; however, the wildcard is -1, which means it is equal to any host and network.

The figure below (Figure 9.2) shows an example of an IPX network and how IPX standard access lists can be configured.

The following configuration is used with Figure 9.2. Interface Ethernet 0 is on Network 40; interface Ethernet 1 is on Network 10; interface Ethernet 2 is on Network 20; interface Ethernet 3 is on Network 30.

The access list is configured and applied as shown. This IPX access list permits packets generated from IPX Network 20 out interface Ethernet 0 to Network 40.

Router(config)#access-list 810 permit 20 40
Router(config)#int e0
Router(config-if)#ipx access-group 810 out

Think about what this configuration accomplishes. First and most obvious, any IPX devices on IPX Network 20 off interface Ethernet 2 can communicate to the server on Network 40, which is connected to interface Ethernet 0. However, notice what else this configuration accomplishes with only one line (remember that there is an implicit deny all at the end of the list):


Hosts on Network 10 cannot communicate to the server on Network 40.
Hosts on Network 40 can get to Network 10, but the packets cannot get back.
Hosts on Network 30 can communicate to Network 10, and Network 10 can communicate to Network 30.
Hosts on Network 30 cannot communicate to the server on Network 40.
Hosts on Network 40 can get to hosts on Network 30, but the packets can’t come back from Network 30 in response.
Hosts on Network 20 can communicate to all devices in the internetwork.
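
The six statements above can be checked mechanically with the following small simulator, an added example that is not part of the original text. It models the Figure 9.2 interfaces, access-list 810 and the implicit deny all; the packet walk it assumes (route by destination network, apply only the exit interface's outbound list) is an assumption, and the -1 wildcard is shown with a second, constructed list.

```python
# Added example: simulate IPX standard access-list evaluation on the
# Figure 9.2 topology. Interface/network numbers and access-list 810 come
# from the text; the packet-walk model itself is an assumption.

ANY = "-1"  # the IPX wildcard: matches any network (and any host)

# interface -> attached IPX network, as given in the text
INTERFACES = {"e0": "40", "e1": "10", "e2": "20", "e3": "30"}

# access-list 810 permit 20 40   (entries are: action, source, destination)
ACLS = {810: [("permit", "20", "40")]}

# ipx access-group 810 out  on Ethernet 0; no list on any other interface
OUTBOUND = {"e0": 810}


def acl_permits(entries, src_net, dst_net):
    """Top-to-bottom walk; the first matching entry decides.
    Falling off the end of the list is the implicit deny all."""
    for action, src, dst in entries:
        if src in (ANY, src_net) and dst in (ANY, dst_net):
            return action == "permit"
    return False


def exit_interface(dst_net):
    """All networks are directly connected: pick the interface on dst_net."""
    for name, net in INTERFACES.items():
        if net == dst_net:
            return name
    raise ValueError(f"no interface on IPX network {dst_net}")


def forwarded(src_net, dst_net):
    """Does one packet from src_net to dst_net leave the router?"""
    out_if = exit_interface(dst_net)
    if out_if not in OUTBOUND:
        return True  # no list applied on the exit interface: packet passes
    return acl_permits(ACLS[OUTBOUND[out_if]], src_net, dst_net)


def conversation(a, b):
    """(a->b gets through, b->a gets through); both are needed to talk."""
    return forwarded(a, b), forwarded(b, a)


if __name__ == "__main__":
    for a, b in [("20", "40"), ("10", "40"), ("40", "10"), ("30", "10")]:
        print(f"{a} -> {b}: {conversation(a, b)}")
```

Each tuple printed by the usage block is (request gets through, reply gets through), which is exactly the distinction the list above draws between "can get to" and "can communicate".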

Extended IPX Access Lists
Extended IPX access lists can filter based on any of the following:
Source network/node
Destination network/node
IPX protocol (SAP, SPX, etc.)
IPX socket

These are access lists in the range of 900–999 and are configured just like standard access lists, with the addition of protocol and socket information.

Let’s take a look at a template for building lines in an IPX extended access list.
access-list {number} {permit/deny} {protocol} {source} {socket} {destination} {socket}

Again, when you move from standard to extended access lists, you’re simply adding the ability to filter based on protocol and socket (port for IP).