IPX SAP filters are implemented using the same tools we’ve been discussing all along in this chapter. They have an important place in controlling IPX SAP traffic. Why is this important? Because if you can control the SAPs, you can control the access to IPX devices. IPX SAP filters use access lists in the 1000–1099 range.
IPX SAP filters should be placed as close as possible to the source of the SAP broadcasts. This stops unwanted SAP traffic from crossing a network only to be discarded.
Two types of access list filters control SAP traffic:
IPX input SAP filter: This is used to stop certain SAP entries from entering a router and updating the SAP table.
IPX output SAP filter: This stops certain SAP updates from being sent in the regular 60-second SAP updates.
Here’s the template for each line of an IPX SAP filter:
access-list {number} {permit/deny} {source} {service type}
Here is an example of an IPX SAP filter that allows service type 4 (file services) from a NetWare service named Sales.
Router(config)#access-list 1010 permit ?
-1 Any IPX net
<0-ffffffff> Source net
N.H.H.H Source net.host address
Router(config)#access-list 1010 permit -1 ?
<0-ffff> Service type-code (0 matches all services)
N.H.H.H Source net.host mask
Router(config)#access-list 1010 permit -1 4 ?
WORD A SAP server name
Router(config)#access-list 1010 permit -1 4 Sales
The -1 in the access list is a wildcard that says any node, any network.
After the list is created, apply it to an interface with either of the two following commands:
RouterA(config-if)#ipx input-sap-filter {number}
RouterA(config-if)#ipx output-sap-filter {number}
The input-sap-filter is used to stop SAP entries from being added to the SAP table on the router, and the output-sap-filter is used to stop SAP entries from being propagated out of the router.
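The following Python model is an added example, not part of the original text and not Cisco code. It evaluates the access-list 1010 line shown above against a constructed SAP update. It assumes standard Cisco access-list behavior (first matching line wins, anything unmatched is denied), a network-only source, and exact server-name matching; the names SapEntry, Rule, parse_rule and sap_filter are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SapEntry:                 # one service carried in a SAP update
    net: int                    # IPX network number of the server
    svc_type: int               # SAP service type (4 = file services)
    name: str                   # advertised server name

@dataclass(frozen=True)
class Rule:                     # one line of a 1000-1099 SAP access list
    permit: bool
    net: int                    # -1 = any IPX net (displayed as FFFFFFFF)
    svc_type: int = 0           # 0 matches all services
    name: Optional[str] = None  # None = any server name

    def matches(self, e: SapEntry) -> bool:
        return ((self.net in (-1, 0xFFFFFFFF) or self.net == e.net)
                and (self.svc_type == 0 or self.svc_type == e.svc_type)
                # Assumption: exact, case-sensitive name comparison.
                and (self.name is None or self.name == e.name))

def parse_rule(line: str) -> Rule:
    """Parse 'access-list N permit|deny SRC [TYPE [NAME]]' (network-only source)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list line: {line!r}")
    if not 1000 <= int(tok[1]) <= 1099:
        raise ValueError(f"list {tok[1]} is outside the SAP range 1000-1099")
    net = -1 if tok[3] == "-1" else int(tok[3], 16)   # nets are hexadecimal
    svc = int(tok[4], 16) if len(tok) > 4 else 0      # so are type codes
    return Rule(tok[2] == "permit", net, svc, tok[5] if len(tok) > 5 else None)

def sap_filter(rules, entries):
    """Entries that survive the list: first match wins, no match means deny."""
    return [e for e in entries
            if next((r.permit for r in rules if r.matches(e)), False)]

# Constructed SAP update, not captured from a real network.
UPDATE = [SapEntry(0x10, 4, "Sales"),
          SapEntry(0x10, 7, "Sales"),         # print server with the same name
          SapEntry(0x20, 4, "Engineering")]
ACL_1010 = [parse_rule("access-list 1010 permit -1 4 Sales")]

if __name__ == "__main__":
    for e in sap_filter(ACL_1010, UPDATE):
        print(f"accepted: net {e.net:X} type {e.svc_type} {e.name}")
```

Only the type 4 entry named Sales survives. Applied as an input filter, the other two services never reach the SAP table; applied as an output filter, they are never advertised onward.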
Verifying IPX Access Lists
To verify the IPX access lists and their placement on a router, use the commands show ipx interface and show ipx access-list.
Notice in the output of the show ipx interface command that the IPX address is shown, the outgoing access list is set with list 810, and the SAP input filter is 1010.
Router#sh ipx int
Ethernet0 is up, line protocol is up
IPX address is 10.0060.7015.63d6, NOVELL-ETHER [up]
Delay of this IPX network, in ticks is 1 throughput 0 link delay 0
IPXWAN processing not enabled on this interface.
IPX SAP update interval is 1 minute(s)
IPX type 20 propagation packet forwarding is disabled
Incoming access list is not set
Outgoing access list is 810
IPX helper access list is not set
SAP GNS processing enabled, delay 0 ms, output filter list is not set
SAP Input filter list is 1010
SAP Output filter list is not set
SAP Router filter list is not set
Input filter list is not set
Output filter list is not set
Router filter list is not set
Netbios Input host access list is not set
Netbios Input bytes access list is not set
Netbios Output host access list is not set
Netbios Output bytes access list is not set
Updates each 60 seconds, aging multiples RIP: 3 SAP: 3
SAP interpacket delay is 55 ms, maximum size is 480 bytes
RIP interpacket delay is 55 ms, maximum size is 432 bytes
The show ipx access-list command shows the two IPX lists set on the router.
Router#sh ipx access-list
IPX access list 810
permit FFFFFFFF 30
IPX SAP access list 1010
permit FFFFFFFF 4 Sales
Router#
The Fs are hexadecimal and are the same as all 1s or permit any. Since you used the -1 in the IPX commands, the running-config shows them as all Fs.