The IPX Named Access Lists feature allows you to identify IPX access lists with an alphanumeric string (a name) rather than a number. This feature allows you to configure an unlimited number of the following types of access lists: standard, extended, SAP filtering, and NLSP route aggregation (summary) access lists.
If you identify your access list with a name rather than a number, the mode and command syntax are slightly different.
Consider the following before configuring IPX named access lists: this feature allows you to maintain security by using a separate, easily identifiable access list for each user or interface. It also removes the limit of 100 lists per filter type.
This feature is supported on these platforms:
This section describes the following configuration tasks associated with IPX named access lists: creating a named standard access list, creating a named extended access list, creating a named SAP filtering access list, and creating a named NLSP route aggregation access list.

To create a named standard access list, perform the following tasks beginning in global configuration mode:
Step 1: Define a standard IPX access list by name: ipx access-list standard name
Step 2: In access-list configuration mode, add one or more entries: deny source-network[.source-node [source-node-mask]] [destination-network[.destination-node [destination-node-mask]]] or the corresponding permit entry.

To create a named extended access list, perform the following steps beginning in global configuration mode:
Step 1: Define an extended IPX access list by name: ipx access-list extended name
Step 2: In access-list configuration mode, add one or more entries: deny protocol [source-network[.source-node ...]] [source-socket] [destination-network[.destination-node ...]] [destination-socket] [log], or the corresponding permit entry.

To create a named access list for filtering SAP requests, perform the following tasks beginning in global configuration mode:
Step 1: Define a SAP access list by name: ipx access-list sap name
Step 2: In access-list configuration mode, add one or more entries: deny network[.node] [network-mask.node-mask] [service-type [server-name]], or the corresponding permit entry.

NLSP route aggregation access lists perform one of the following functions: a deny entry prevents the explicit routes it covers from being redistributed and generates a single aggregated (summary) route in their place; a permit entry allows the routes it covers to be redistributed explicitly.

To create a named access list for NLSP route aggregation, perform the following tasks beginning in global configuration mode:
Step 1: Define a summary access list by name: ipx access-list summary name
Step 2: In access-list configuration mode, add one or more entries: deny network network-mask [ticks ticks] [area-count area-count], or permit network [network-mask] [ticks ticks] [area-count area-count].
After you initially create an access list, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add access list command lines to the middle of a specific access list. However, you can use the no permit and no deny commands to remove entries from a named access list.
After creating an access list, you must apply it to a line or interface using the appropriate command. For more information on applying an access list, refer to the "Configuring Novell IPX" chapter in the Cisco IOS Release 11.2 Network Protocols Configuration Guide, Part 2.
This section provides sample configurations for creating named access lists.
The following example creates a standard access list named accounting. It permits communication with only IPX network number 3333.
ipx access-list standard accounting
 permit 3333 any
 deny any
The following example creates an extended access list named sales that denies all SPX packets and permits all others:
ipx access-list extended sales
 deny spx any all any all log
 permit any
The following example creates a SAP access list named AccountingServer that denies AccountingServer to be sent in SAP advertisements:
ipx access-list sap AccountingServer
 deny 1234 4 AccountingServer
The following example creates a SAP access list named PublicServer that allows only PublicServer to be sent in SAP advertisements:
ipx access-list sap PublicServer
 permit 1234 4 PublicServer
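The standard, extended and SAP examples above, and the deny and permit command descriptions later on this page, all rely on the same matching rules: entries are tested in order, the first match decides, anything that matches no entry is denied, -1 and any match every network, all matches every socket, and mask bits set to 1 are ignored. The following Python evaluator is an added example, not Cisco code. It parses entries written in the page's syntax and applies them to constructed packets and SAP services, so you can check what a list will do before applying it with ipx access-group or a SAP filter. It assumes (my simplification, not the page's) that extended entries spell out both sockets, as the page's own examples do, and the packet-type names it knows are the ones the page uses.

```python
"""Offline evaluator for IPX named access lists (standard, extended, sap).
Rules as the page states them: entries are tried in order and the first
match decides; anything matching no entry is denied; -1/any match every
network and all every socket; mask bits set to 1 are ignored when network
and node fields are compared.  Assumption (not the page's): extended entries
spell out both sockets, as the page's own examples do.
"""
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

NODE_RE = re.compile(r"^[0-9a-f]{4}(\.[0-9a-f]{4}){2}$", re.I)
FULL_MASK_RE = re.compile(r"^[0-9a-f]{1,8}(\.[0-9a-f]{4}){3}$", re.I)
PROTOCOLS = {"any": None, "rip": 1, "sap": 4, "spx": 5, "ncp": 17, "netbios": 20}
Packet = namedtuple("Packet", "protocol src_net src_node src_socket dst_net dst_node dst_socket")
_node = lambda s: int(s.replace(".", ""), 16)   # dotted triplet -> 48-bit int

@dataclass(frozen=True)
class Addr:
    net: Optional[int]          # None matches any network (any or -1)
    node: Optional[int] = None  # None matches any node
    net_mask: int = 0           # wildcard masks: 1 bits are ignored
    node_mask: int = 0

    def matches(self, net: int, node: int) -> bool:
        if self.net is not None and (self.net | self.net_mask) != (net | self.net_mask):
            return False
        return self.node is None or (self.node | self.node_mask) == (node | self.node_mask)

@dataclass
class Entry:
    action: str
    protocol: Optional[int] = None      # None = any packet type
    src: Addr = Addr(None)
    src_socket: Optional[int] = None    # None = all sockets
    dst: Addr = Addr(None)
    dst_socket: Optional[int] = None
    log: bool = False
    service_type: Optional[int] = None  # sap: 0 or omitted = all services
    server_name: Optional[str] = None   # sap: trailing * = one or more characters

    def matches_packet(self, p: Packet) -> bool:
        return (self.protocol in (None, p.protocol)
                and self.src.matches(p.src_net, p.src_node)
                and self.src_socket in (None, p.src_socket)
                and self.dst.matches(p.dst_net, p.dst_node)
                and self.dst_socket in (None, p.dst_socket))

    def matches_service(self, net: int, node: int, stype: int, name: str) -> bool:
        if not self.src.matches(net, node) or (self.service_type and self.service_type != stype):
            return False
        if self.server_name and self.server_name.endswith("*"):
            prefix = self.server_name[:-1]
            return len(name) > len(prefix) and name.startswith(prefix)
        return self.server_name in (None, name)

def parse_addr(tokens: List[str]) -> Addr:
    """Consume any | net[.node], then an optional node-mask or net-mask.node-mask."""
    if not tokens:
        return Addr(None)                   # omitted address means any
    parts = tokens.pop(0).split(".")
    if parts[0].lower() == "any":
        return Addr(None)
    net = int(parts[0], 16)
    node = _node(".".join(parts[1:])) if len(parts) == 4 else None
    net_mask = node_mask = 0
    if tokens and NODE_RE.match(tokens[0]):
        node_mask = _node(tokens.pop(0))
    elif tokens and FULL_MASK_RE.match(tokens[0]):
        m = tokens.pop(0).split(".")
        net_mask, node_mask = int(m[0], 16), _node(".".join(m[1:]))
    return Addr(None if net == -1 else net, node, net_mask, node_mask)

def parse_socket(tokens: List[str]) -> Optional[int]:
    if not tokens or tokens[0].lower() == "log":
        return None
    return None if (tok := tokens.pop(0)).lower() == "all" else int(tok, 16)

def parse_entry(kind: str, line: str) -> Entry:
    tokens = line.split()
    action = tokens.pop(0).lower()
    if kind == "extended":
        proto = tokens.pop(0).lower()
        protocol = PROTOCOLS[proto] if proto in PROTOCOLS else int(proto)
        src, src_sock = parse_addr(tokens), parse_socket(tokens)
        dst, dst_sock = parse_addr(tokens), parse_socket(tokens)
        return Entry(action, protocol, src, src_sock, dst, dst_sock, log=bool(tokens))
    if kind == "standard":
        return Entry(action, src=parse_addr(tokens), dst=parse_addr(tokens))
    src = parse_addr(tokens)                # sap: network[.node] [mask] [type [name]]
    stype = int(tokens.pop(0), 16) if tokens else None
    return Entry(action, src=src, service_type=stype, server_name=tokens[0] if tokens else None)

def evaluate(kind: str, lines: List[str], subject) -> Tuple[str, bool]:
    """(action, logged) from the first matching entry; implicit deny after the last."""
    for entry in (parse_entry(kind, l) for l in lines):
        if (entry.matches_service(*subject) if kind == "sap" else entry.matches_packet(subject)):
            return entry.action, entry.log
    return "deny", False
```

Feed it the sales list and an SPX packet (packet type 5) and it returns the logged deny; feed it a list whose only entry is permit ncp and the same packet falls off the end into the implicit deny, which is why the page's examples close with an explicit permit any or deny any. For SAP lists the subject is a (network, node, service-type, server-name) tuple, and a service type of 0 in an entry matches every service, as the deny (SAP filtering) table states.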
The following example allows networks 12345600 and 12345601 to be redistributed explicitly. Other routes in the range 12345600 to 123456FF are summarized into a single aggregated route. All other routes will be redistributed as explicit routes.
ipx access-list summary finance
 permit 12345600
 permit 12345601
 deny 12345600 ffffff00
 permit -1
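The finance example above, and the deny (NLSP route aggregation summarization) command reference further down, use the network-mask in the opposite sense from the packet filters: here the 1 bits mark the address bits that are common to every route in the summary, so a route falls under an entry when (route AND mask) equals (network AND mask). The following Python classifier is an added example, not Cisco code. It checks that a mask is contiguous as the command requires, and reports, for each constructed route, whether it is redistributed explicitly or folded into an aggregated route. A route matching no entry is reported as unmatched; that is my choice rather than documented IOS behaviour, which is one reason the page's list closes with permit -1.

```python
"""Classifier for an IPX NLSP route-aggregation (summary) access list.
Entries are the page's 'permit network [network-mask]' and 'deny network
network-mask' lines with optional ticks / area-count keywords.  Mask sense:
1 bits mark the address bits COMMON to every route in the summary (the
reverse of the wildcard masks used by packet filters).  Assumption (not
the page's): a route matching no entry is reported as 'unmatched' instead
of guessing what IOS does when the list has no closing permit -1.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ALL_ONES = 0xFFFFFFFF
Summary = Tuple[int, int, int]   # (summary network, network-mask, ticks)

def contiguous_mask(mask: int) -> bool:
    """True when mask is high-order 1s followed by low-order 0s, as IOS requires."""
    low = ~mask & ALL_ONES
    return low & (low + 1) == 0

@dataclass(frozen=True)
class SummaryEntry:
    action: str
    network: Optional[int]   # None stands for -1, every network
    mask: int
    ticks: int = 1           # defaults stated on the page
    area_count: int = 6

    def covers(self, route: int) -> bool:
        return self.network is None or (route & self.mask) == (self.network & self.mask)

def parse_summary_entry(line: str) -> SummaryEntry:
    tokens = line.split()
    action = tokens.pop(0).lower()
    network = int(tokens.pop(0), 16)
    mask, has_mask = ALL_ONES, False
    if tokens and tokens[0].lower() not in ("ticks", "area-count"):
        mask, has_mask = int(tokens.pop(0), 16), True
        if not contiguous_mask(mask):
            raise ValueError(f"network-mask {mask:08x} is not contiguous: {line!r}")
    if action == "deny" and (network == -1 or not has_mask):
        raise ValueError(f"deny needs a network and a network-mask: {line!r}")
    opts = {"ticks": 1, "area-count": 6}
    while tokens:
        key, value = tokens.pop(0).lower(), int(tokens.pop(0))
        if key not in opts:
            raise ValueError(f"unknown keyword {key!r}: {line!r}")
        opts[key] = value
    return SummaryEntry(action, None if network == -1 else network, mask,
                        opts["ticks"], opts["area-count"])

def classify_route(entries: List[SummaryEntry], route: int) -> Tuple[str, Optional[Summary]]:
    """First covering entry decides: permit -> explicit route, deny -> folded into a summary."""
    for e in entries:
        if e.covers(route):
            if e.action == "permit":
                return "explicit", None
            return "summary", (e.network & e.mask, e.mask, e.ticks)
    return "unmatched", None

def redistribute(lines: List[str], routes: List[int]) -> Tuple[List[int], Set[Summary]]:
    """Explicit routes that survive, plus the aggregated routes generated for the rest."""
    entries = [parse_summary_entry(l) for l in lines]
    explicit, summaries = [], set()
    for route in sorted(routes):
        kind, summary = classify_route(entries, route)
        if kind == "explicit":
            explicit.append(route)
        elif kind == "summary":
            summaries.add(summary)
    return explicit, summaries

# Constructed input: the page's finance list and a handful of sample routes.
FINANCE = ["permit 12345600", "permit 12345601", "deny 12345600 ffffff00", "permit -1"]
SAMPLE_ROUTES = [0x12345600, 0x12345601, 0x12345602, 0x123456FF, 0x7777]
```

Running redistribute(FINANCE, SAMPLE_ROUTES) keeps 7777, 12345600 and 12345601 as explicit routes and produces the single summary 12345600 ffffff00 for the other two, which is what the page says the finance list does. A mask such as ff00ff00 is rejected at parse time, matching the rule in the network-mask description that an arbitrary mix of 1s and 0s is not permitted.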
This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 11.2 command references.
To set conditions for a named IPX extended access list, use the deny access-list configuration command. To remove a deny condition from an access list, use the no form of this command.
deny protocol [source-network][[[.source-node] source-node-mask] | [.source-node source-network-mask.source-node-mask]] [source-socket] [destination-network][[[.destination-node] destination-node-mask] | [.destination-node destination-network-mask.destination-node-mask]] [destination-socket] [log]

| protocol | Name or number (decimal) of an IPX protocol type, sometimes referred to as the packet type. You can also use the word any to match all protocol types. |
| source-network | (Optional) Number of the network from which the packet is being sent. This is an eight-digit hexadecimal number that uniquely identifies a network cable segment, in the range 1 to FFFFFFFE. A network number of 0 matches the local network. A network number of -1, or the word any, matches all networks. You do not need to specify leading zeros; for the network number 000000AA, you can enter AA. |
| .source-node | (Optional) Node on source-network from which the packet is being sent. This is a 48-bit value represented by a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). |
| source-network-mask. | (Optional) Mask to be applied to source-network. This is an eight-digit hexadecimal mask. Place ones in the bit positions you want to mask; masked bits are ignored in the comparison. The mask must immediately be followed by a period, which must in turn immediately be followed by source-node-mask. |
| source-node-mask | (Optional) Mask to be applied to source-node. This is a 48-bit value represented as a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions you want to mask. |
| source-socket | (Optional) Socket name or number (hexadecimal) from which the packet is being sent. You can also use the word all to match all sockets. |
| destination-network | (Optional) Number of the network to which the packet is being sent. Same format and special values (0, -1, any, optional leading zeros) as source-network. |
| .destination-node | (Optional) Node on destination-network to which the packet is being sent. This is a 48-bit value represented by a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). |
| destination-network-mask. | (Optional) Mask to be applied to destination-network. Same format as source-network-mask. The mask must immediately be followed by a period, which must in turn immediately be followed by destination-node-mask. |
| destination-node-mask | (Optional) Mask to be applied to destination-node. Same format as source-node-mask. Place ones in the bit positions you want to mask. |
| destination-socket | (Optional) Socket name or number (hexadecimal) to which the packet is being sent. You can also use the word all to match all sockets. |
| log | (Optional) Logs IPX access control list violations whenever a packet matches this access list entry. The information logged includes source address, destination address, source socket, destination socket, protocol type, and the action taken (permit or deny). |
Default: No access lists are defined.
Command mode: Access-list configuration
Command history: This command first appeared in Cisco IOS Release 11.2 F.
Use this command following the ipx access-list command to specify conditions under which a packet cannot pass the named access list.
For additional information on IPX protocol names and numbers, and IPX socket names and numbers, see the access-list (extended) command in the Cisco IOS Release 11.2 Network Protocols Command Reference, Part 2.
The following example creates an extended access list named sal that denies all SPX packets, logs each denied packet, and permits all other packets:
ipx access-list extended sal
 deny spx any all any all log
 permit any
Related commands:
access-list (extended)
ipx access-group
ipx access-list
permit (extended)
show ipx access-list
To filter explicit routes and generate an aggregated route for a named NLSP route aggregation access list, use the deny access-list configuration command. To remove a deny condition from an access list, use the no form of this command.
deny network network-mask [ticks ticks] [area-count area-count]

| network | Network number to summarize. An IPX network number is an eight-digit hexadecimal number that uniquely identifies a network cable segment, in the range 1 to FFFFFFFE. A network number of 0 matches the local network. A network number of -1 matches all networks. You do not need to specify leading zeros; for the network number 000000AA, you can enter AA. |
| network-mask | Specifies the portion of the network address that is common to all addresses in the route summary, expressed as an eight-digit hexadecimal number. The high-order bits of network-mask must be contiguous 1s, while the low-order bits must be contiguous 0s. An arbitrary mix of 1s and 0s is not permitted. |
| ticks ticks | (Optional) Metric assigned to the route summary. The default is 1 tick. |
| area-count area-count | (Optional) Maximum number of NLSP areas to which the route summary can be redistributed. The default is 6 areas. |
Default: No access lists are defined.
Command mode: Access-list configuration
Command history: This command first appeared in Cisco IOS Release 11.2 F.
Use this command following the ipx access-list command to prevent the redistribution of explicit networks that are denied by the access list entry and, instead, generate an appropriate aggregated (summary) route.
For additional information on creating access lists that deny or permit area addresses that summarize routes, see the access-list (NLSP route aggregation filtering) command in the Cisco IOS Release 11.2 Network Protocols Command Reference, Part 2.
The following example from a configuration file defines the named access list finance for NLSP route aggregation. This access list prevents redistribution of explicit routes in the range 12345600 to 123456FF and, instead, summarizes these routes into a single aggregated route. The access list allows explicit route redistribution of all other routes.
ipx access-list summary finance
 deny 12345600 ffffff00
 permit -1
Related commands:
access-list (NLSP route aggregation filtering)
ipx access-group
ipx access-list
permit (NLSP route aggregation summarization)
show ipx access-list
To set conditions for a named IPX SAP filtering access list, use the deny access-list configuration command. To remove a deny condition from an access list, use the no form of this command.
deny network[.node] [network-mask.node-mask] [service-type [server-name]]

| network | Network number. This is an eight-digit hexadecimal number that uniquely identifies a network cable segment, in the range 1 to FFFFFFFE. A network number of 0 matches the local network. A network number of -1 matches all networks. You do not need to specify leading zeros; for the network number 000000AA, you can enter AA. |
| .node | (Optional) Node on network. This is a 48-bit value represented by a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). |
| network-mask.node-mask | (Optional) Mask to be applied to network and node. Place ones in the bit positions to be masked; masked bits are ignored in the comparison. |
| service-type | (Optional) Service type on which to filter. This is a hexadecimal number. A value of 0 means all services. |
| server-name | (Optional) Name of the server providing the specified service type. This can be any contiguous string of printable ASCII characters. Use double quotation marks (" ") to enclose strings containing embedded spaces. You can use an asterisk (*) at the end of the name as a wildcard to match one or more trailing characters. |
Default: No access lists are defined.
Command mode: Access-list configuration
Command history: This command first appeared in Cisco IOS Release 11.2 F.
Use this command following the ipx access-list command to specify conditions under which a packet cannot pass the named access list.
For additional information on IPX SAP service types, see the access-list (SAP filtering) command in the Cisco IOS Release 11.2 Network Protocols Command Reference, Part 2.
The following example creates a SAP access list named MyServer that prevents the file server MyServer (service type 4) on network 1234 from being sent in SAP advertisements:
ipx access-list sap MyServer
 deny 1234 4 MyServer
Related commands:
access-list (SAP filtering)
ipx access-group
ipx access-list
permit (SAP filtering)
show ipx access-list
To set conditions for a named IPX standard access list, use the deny access-list configuration command. To remove a deny condition from an access list, use the no form of this command.
deny source-network[.source-node [source-node-mask]] [destination-network[.destination-node [destination-node-mask]]]

| source-network | Number of the network from which the packet is being sent. This is an eight-digit hexadecimal number that uniquely identifies a network cable segment, in the range 1 to FFFFFFFE. A network number of 0 matches the local network. A network number of -1 matches all networks. You do not need to specify leading zeros; for the network number 000000AA, you can enter AA. |
| .source-node | (Optional) Node on source-network from which the packet is being sent. This is a 48-bit value represented by a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). |
| source-node-mask | (Optional) Mask to be applied to source-node. This is a 48-bit value represented as a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions you want to mask. |
| destination-network | (Optional) Number of the network to which the packet is being sent. Same format and special values (0, -1, optional leading zeros) as source-network. |
| .destination-node | (Optional) Node on destination-network to which the packet is being sent. This is a 48-bit value represented by a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). |
| destination-node-mask | (Optional) Mask to be applied to destination-node. This is a 48-bit value represented as a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions you want to mask. |
Default: No access lists are defined.
Command mode: Access-list configuration
Command history: This command first appeared in Cisco IOS Release 11.2 F.
Use this command following the ipx access-list command to specify conditions under which a packet cannot pass the named access list.
For additional information on creating IPX access lists, see the access-list (standard) command in the Cisco IOS Release 11.2 Network Protocols Command Reference, Part 2.
The following example creates a standard access list named fred. It denies communication with only IPX network number 5678.
ipx access-list standard fred
 deny 5678 any
 permit any
Related commands:
access-list (standard)
ipx access-group
ipx access-list
permit (standard)
show ipx access-list
To filter networks received in updates, use the distribute-list in router configuration command. To change or cancel the filter, use the no form of this command.
distribute-list {access-list-number | name} in [interface-name]

| access-list-number | Standard IPX access list number in the range 800 to 899 or NLSP access list number in the range 1200 to 1299. The list explicitly specifies which networks are to be received and which are to be suppressed. |
| name | Name of the access list. Names cannot contain a space or quotation mark and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
| in | Applies the access list to incoming routing updates. |
| interface-name | (Optional) Interface on which the access list should be applied to incoming updates. If no interface is specified, the access list is applied to all incoming updates. |
Default: Disabled
Command mode: Router configuration
Command history: This command first appeared in Cisco IOS Release 10.0.
The following example causes only two networks--network 2 and network 3--to be accepted by an Enhanced IGRP routing process:
access-list 800 permit 2
access-list 800 permit 3
access-list 800 deny -1
!
ipx router eigrp 100
 network 3
 distribute-list 800 in
Related commands:
access-list (NLSP route aggregation filtering)
access-list (standard)
deny (standard)
deny (NLSP route aggregation summarization)
distribute-list out
permit (standard)
permit (NLSP route aggregation summarization)
redistribute
To suppress networks from being advertised in updates, use the distribute-list out router configuration command. To cancel this function, use the no form of this command.
distribute-list {access-list-number | name} out [interface-name | routing-process]

| access-list-number | Standard IPX access list number in the range 800 to 899 or NLSP access list number in the range 1200 to 1299. The list explicitly specifies which networks are to be sent and which are to be suppressed in routing updates. |
| name | Name of the access list. Names cannot contain a space or quotation mark and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
| out | Applies the access list to outgoing routing updates. |
| interface-name | (Optional) Interface on which the access list should be applied to outgoing updates. If no interface is specified, the access list is applied to all outgoing updates. |
| routing-process | (Optional) Name of a particular routing process, one of: eigrp autonomous-system-number, rip, or nlsp [tag]. |
Default: Disabled
Command mode: Router configuration
Command history: This command first appeared in Cisco IOS Release 10.0.
When redistributing networks, a routing process name can be specified as an optional trailing argument to the distribute-list out command. This causes the access list to be applied to only those routes derived from the specified routing process. After the process-specific access list is applied, any access list specified by a distribute-list out command without a process name argument is applied. Addresses not specified in the distribute-list out command are not advertised in outgoing routing updates.
The following example causes only one network--network 3--to be advertised by an Enhanced IGRP routing process:
access-list 800 permit 3
access-list 800 deny -1
!
ipx router eigrp 100
 network 3
 distribute-list 800 out
Related commands:
access-list (NLSP route aggregation filtering)
access-list (standard)
deny (standard)
deny (NLSP route aggregation summarization)
distribute-list in
permit (standard)
permit (NLSP route aggregation summarization)
redistribute
To filter services received in SAP updates, use the distribute-sap-list in router configuration command. To change or cancel the filter, use the no form of this command.
distribute-sap-list {access-list-number | name} in [interface-name]

| access-list-number | SAP access list number in the range 1000 to 1099. The list explicitly specifies which services are to be received and which are to be suppressed. |
| name | Name of the access list. Names cannot contain a space or quotation mark and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
| in | Applies the access list to incoming SAP updates. |
| interface-name | (Optional) Interface on which the access list should be applied to incoming updates. If no interface is specified, the access list is applied to all incoming updates. |
Default: Disabled
Command mode: Router configuration
Command history: This command first appeared in Cisco IOS Release 11.1.
In the following example, the router redistributes Enhanced IGRP into NLSP area1. Only services for network 2 and 3 are accepted by the NLSP routing process.
access-list 1000 permit 2
access-list 1000 permit 3
access-list 1000 deny -1
!
ipx router nlsp area1
 redistribute eigrp
 distribute-sap-list 1000 in
Related commands:
access-list (SAP filtering)
deny (SAP filtering)
distribute-list out
permit (SAP filtering)
redistribute
To suppress services from being advertised in Service Advertising Protocol (SAP) updates, use the distribute-sap-list out router configuration command. To cancel this function, use the no form of this command.
distribute-sap-list {access-list-number | name} out [interface-name | routing-process]

| access-list-number | SAP access list number in the range 1000 to 1099. The list explicitly specifies which services are to be sent and which are to be suppressed in SAP updates. |
| name | Name of the access list. Names cannot contain a space or quotation mark and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
| out | Applies the access list to outgoing SAP updates. |
| interface-name | (Optional) Interface on which the access list should be applied to outgoing updates. If no interface is specified, the access list is applied to all outgoing updates. |
| routing-process | (Optional) Name of a particular routing process, one of: eigrp autonomous-system-number, rip, or nlsp [tag]. |
Default: Disabled
Command mode: Router configuration
Command history: This command first appeared in Cisco IOS Release 11.1.
When redistributing services, a routing process name can be specified as an optional trailing argument to the distribute-sap-list out command. This causes the access list to be applied only to those services derived from the specified routing process. After the process-specific access list is applied, any access list specified by a distribute-sap-list out command without a process name argument is applied. Services not permitted by the distribute-sap-list out command are not advertised in outgoing SAP updates.
The following example causes only services from network 3 to be advertised by an Enhanced IGRP routing process:
access-list 1010 permit 3
access-list 1010 deny -1
!
ipx router eigrp 100
 network 3
 distribute-sap-list 1010 out
Related commands:
access-list (SAP filtering)
deny (SAP filtering)
distribute-sap-list in
permit (SAP filtering)
redistribute
To apply generic input and output filters to an interface, use the ipx access-group interface configuration command. To remove filters, use the no form of this command.
ipx access-group {access-list-number | name} [in | out]

| access-list-number | Number of the access list. For standard access lists, access-list-number is a decimal number from 800 to 899. For extended access lists, access-list-number is a decimal number from 900 to 999. |
| name | Name of the access list. Names cannot contain a space or quotation mark and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
| in | (Optional) Filters inbound packets. All incoming packets defined with either standard or extended access lists are filtered by the entries in this access list. |
| out | (Optional) Filters outbound packets. All outgoing packets defined with either standard or extended access lists and forwarded through the interface are filtered by the entries in this access list. This is the default when you do not specify an input (in) or output (out) keyword in the command line. |
Default: No filters are predefined.
Command mode: Interface configuration
Command history: This command first appeared in Cisco IOS Release 10.0.
Generic filters control which data packets an interface receives or sends out based on the packet's source and destination addresses, IPX protocol type, and source and destination socket numbers. You use the standard access-list and extended access-list commands to specify the filtering conditions.
You can apply only one input filter and one output filter per interface or subinterface.
When you do not specify an input (in) or output (out) filter in the command line, the default is an output filter.
You cannot configure an output filter on an interface where autonomous switching is already configured. Similarly, you cannot configure autonomous switching on an interface where an output filter is already present.
You cannot configure an input filter on an interface if autonomous switching is already configured on any interface. Likewise, you cannot configure autonomous switching on any interface if an input filter is already present on any interface.
In the following example, access list 801 is applied to Ethernet interface 1. Because the command line does not specify an input filter or output filter with the keywords in or out, the software assumes that it is an output filter.
interface ethernet 1
 ipx access-group 801
In the following example, access list 901 is applied to Ethernet interface 0. The access list is an input filter access list as specified by the keyword in.
interface ethernet 0
 ipx access-group 901 in
To remove the input access list filter in the previous example, you must specify the in keyword when you use the no form of the command. The following example correctly removes the access list:
interface ethernet 0
 no ipx access-group 901 in
Related commands:
access-list (extended)
access-list (standard)
deny (extended)
deny (standard)
permit (extended)
permit (standard)
priority-list protocol
To define an IPX access list by name, use the ipx access-list global configuration command. To remove a named IPX access list, use the no form of this command.
ipx access-list {standard | extended | sap | summary} name

Caution: Named access lists are not recognized by any software release prior to Cisco IOS Release 11.2(4)F.

| standard | Specifies a standard IPX access list. |
| extended | Specifies an extended IPX access list. |
| sap | Specifies a SAP access list. |
| summary | Specifies area addresses that summarize routes using NLSP route aggregation filtering. |
| name | Name of the access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
Default: There is no default named IPX access list.
Command mode: Global configuration
Command history: This command first appeared in Cisco IOS Release 11.2 F.
Use this command to configure a named IPX access list as opposed to a numbered IPX access list. This command will take you into access-list configuration mode, where you must define the denied or permitted access conditions with the deny and permit commands.
Specifying standard, extended, sap, or summary with the ipx access-list command determines the prompt you get when you enter access-list configuration mode.
Named access lists are not compatible with Cisco IOS releases prior to Release 11.2(4)F.
The following example creates a standard access list named fred. It permits communication with only IPX network number 5678.
ipx access-list standard fred
 permit 5678 any
 deny any
The following example creates an extended access list named sal that denies all SPX packets:
ipx access-list extended sal
 deny spx any all any all log
 permit any
The following example creates a SAP access list named MyServer that allows only MyServer to be sent in SAP advertisements:
ipx access-list sap MyServer
 permit 1234 4 MyServer
The following example creates a summary access list named finance that allows the redistribution of all explicit routes, with a metric of 64 ticks:
ipx access-list summary finance
 permit -1 ticks 64
Related commands:
access-list (extended)
access-list (NLSP route aggregation filtering)
access-list (SAP filtering)
access-list (standard)
deny (extended)
deny (NLSP route aggregation summarization)
deny (SAP filtering)
deny (standard)
permit (extended)
permit (NLSP route aggregation summarization)
permit (SAP filtering)
permit (standard)
show ipx access-list
To assign an access list to an interface to control broadcast traffic (including type 20 propagation packets), use the ipx helper-list interface configuration command. To remove the access list from an interface, use the no form of this command.
ipx helper-list {access-list-number | name}

| access-list-number | Number of the access list. All outgoing packets defined with either standard or extended access lists are filtered by the entries in this access list. For standard access lists, access-list-number is a decimal number from 800 to 899. For extended access lists, it is a decimal number from 900 to 999. |
| name | Name of the access list. Names cannot contain a space or quotation mark and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
Default: No access list is preassigned.
Command mode: Interface configuration
Command history: This command first appeared in Cisco IOS Release 10.0.
The ipx helper-list command specifies an access list to use in forwarding broadcast packets. One use of this command is to prevent client nodes from discovering services they should not use.
Because the destination address of a broadcast packet is by definition the broadcast address, this command is useful only for filtering based on the source address of the broadcast packet.
The helper list, if present, is applied to both all-nets broadcast packets and type 20 propagation packets.
The helper list on the input interface is applied to packets before they are output via either the helper address or type 20 propagation packet mechanism.
The following example assigns access list 900 to Ethernet interface 0 to control broadcast traffic:
interface ethernet 0
 ipx helper-list 900
Related commands:
access-list (extended)
access-list (standard)
deny (extended)
deny (standard)
ipx helper-address
ipx type-20-propagation
permit (extended)
permit (standard)
To control which networks are added to the Cisco IOS software's routing table, use the ipx input-network-filter interface configuration command. To remove the filter from the interface, use the no form of this command.
ipx input-network-filter {access-list-number | name}

| access-list-number | Number of the access list. All incoming packets defined with either standard or extended access lists are filtered by the entries in this access list. For standard access lists, access-list-number is a decimal number from 800 to 899. For extended access lists, it is a decimal number from 900 to 999. |
| name | Name of the access list. Names cannot contain a space or quotation mark and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
Default: No filters are predefined.
Command mode: Interface configuration
Command history: This command first appeared in Cisco IOS Release 10.0.
The ipx input-network-filter command controls which networks are added to the routing table based on the networks learned in incoming IPX routing updates (RIP updates) on the interface.
You can issue only one ipx input-network-filter command on each interface.
In the following example, access list 876 controls which networks are added to the routing table when IPX routing updates are received on Ethernet interface 1. Routing updates for network 1b will be accepted. Routing updates for all other networks are implicitly denied and are not added to the routing table.
access-list 876 permit 1b
interface ethernet 1
 ipx input-network-filter 876
The following example is a variation of the preceding that explicitly denies network 1a and explicitly allows updates for all other networks:
access-list 876 deny 1a
access-list 876 permit -1
Related commands:
access-list (extended)
access-list (standard)
deny (extended)
deny (standard)
ipx output-network-filter
ipx router-filter
permit (extended)
permit (standard)
To control which services are added to the Cisco IOS software's SAP table, use the ipx input-sap-filter interface configuration command. To remove the filter, use the no form of this command.
ipx input-sap-filter {access-list-number | name}

| access-list-number | Number of the SAP access list. All incoming packets are filtered by the entries in this access list. The argument access-list-number is a decimal number from 1000 to 1099. |
| name | Name of the access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
Default: No filters are predefined.
Command mode: Interface configuration
Command history: This command first appeared in Cisco IOS Release 10.0.
The ipx input-sap-filter command filters all incoming service advertisements received by the router. This is done prior to accepting information about a service.
You can issue only one ipx input-sap-filter command on each interface.
When configuring SAP filters for NetWare 3.11 and later servers, use the server's internal network and node number (the node number is always 0000.0000.0001) as its address in the access-list (SAP filtering) command. Do not use the network.node address of the particular interface board.
The following example denies service advertisements about the server at address 3c.0800.89a1.1527, but accepts information about all other services on all other networks:
access-list 1000 deny 3c.0800.89a1.1527
access-list 1000 permit -1
interface ethernet 0
 ipx input-sap-filter 1000
access-list (SAP filtering)
deny (SAP filtering)
ipx output-sap-filter
ipx router-sap-filter
permit (SAP filtering)
To control which servers are included in the Get Nearest Server (GNS) responses sent by the Cisco IOS software, use the ipx output-gns-filter interface configuration command. To remove the filter from the interface, use the no form of this command.
ipx output-gns-filter {access-list-number | name}

| Argument | Description |
| --- | --- |
| access-list-number | Number of the SAP access list. All outgoing GNS packets are filtered by the entries in this access list. The argument access-list-number is a decimal number from 1000 to 1099. |
| name | Name of the access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
No filters are predefined.
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
You can issue only one ipx output-gns-filter command on each interface.
The following example excludes the server at address 3c.0800.89a1.1527 from GNS responses sent on Ethernet interface 0, but allows all other servers:
access-list 1000 deny 3c.0800.89a1.1527
access-list 1000 permit -1
ipx routing
interface ethernet 0
 ipx network 2B
 ipx output-gns-filter 1000
access-list (SAP filtering)
deny (SAP filtering)
ipx gns-round-robin
permit (SAP filtering)
To control the list of networks included in routing updates sent out an interface, use the ipx output-network-filter interface configuration command. To remove the filter from the interface, use the no form of this command.
ipx output-network-filter {access-list-number | name}

| Argument | Description |
| --- | --- |
| access-list-number | Number of the access list. All outgoing packets defined with either standard or extended access lists are filtered by the entries in this access list. For standard access lists, access-list-number is a decimal number from 800 to 899. For extended access lists, it is a decimal number from 900 to 999. |
| name | Name of the access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
No filters are predefined.
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
The ipx output-network-filter command controls which networks the Cisco IOS software advertises in its IPX routing updates (RIP updates).
You can issue only one ipx output-network-filter command on each interface.
In the following example, access list 896 controls which networks are specified in routing updates sent out the serial 1 interface. This configuration causes network 2b to be the only network advertised in Novell routing updates sent on the specified serial interface.
access-list 896 permit 2b
interface serial 1
 ipx output-network-filter 896
access-list (extended)
access-list (standard)
deny (extended)
deny (standard)
ipx input-network-filter
ipx router-filter
permit (extended)
permit (standard)
To control which services are included in SAP updates sent by the Cisco IOS software, use the ipx output-sap-filter interface configuration command. To remove the filter, use the no form of this command.
ipx output-sap-filter {access-list-number | name}

| Argument | Description |
| --- | --- |
| access-list-number | Number of the SAP access list. All outgoing service advertisements are filtered by the entries in this access list. The argument access-list-number is a decimal number from 1000 to 1099. |
| name | Name of the access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
No filters are predefined.
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
The Cisco IOS software applies output SAP filters prior to sending SAP packets.
You can issue only one ipx output-sap-filter command on each interface.
When configuring SAP filters for NetWare 3.11 and later servers, use the server's internal network and node number (the node number is always 0000.0000.0001) as its address in the SAP access-list command. Do not use the network.node address of the particular interface board.
The following example denies service advertisements about server 0000.0000.0001 on network aa from being sent on network 4d (via Ethernet interface 1). All other services are advertised via this network. All services, including those from server aa.0000.0000.0001, are advertised via networks 3c and 2b.
access-list 1000 deny aa.0000.0000.0001
access-list 1000 permit -1
interface ethernet 0
 ipx net 3c
interface ethernet 1
 ipx network 4d
 ipx output-sap-filter 1000
interface serial 0
 ipx network 2b
access-list (SAP filtering)
deny (SAP filtering)
ipx gns-round-robin
ipx input-sap-filter
ipx router-sap-filter
permit (SAP filtering)
To filter the routers from which packets are accepted, use the ipx router-filter interface configuration command. To remove the filter from the interface, use the no form of this command.
ipx router-filter {access-list-number | name}

| Argument | Description |
| --- | --- |
| access-list-number | Number of the access list. All incoming packets defined with either standard or extended access lists are filtered by the entries in this access list. For standard access lists, access-list-number is a decimal number from 800 to 899. For extended access lists, it is a decimal number from 900 to 999. |
| name | Name of the access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
No filters are predefined.
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
You can issue only one ipx router-filter command on each interface.
In the following example, access list 866 controls the routers from which packets are accepted. For Ethernet interface 0, only packets from the router at 3c.0000.00c0.047d are accepted. All other packets are implicitly denied.
access-list 866 permit 3c.0000.00c0.047d
interface ethernet 0
 ipx router-filter 866
access-list (extended)
access-list (standard)
deny (extended)
deny (standard)
ipx input-network-filter
ipx output-network-filter
permit (extended)
permit (standard)
To filter Service Advertising Protocol (SAP) messages received from a particular router, use the ipx router-sap-filter interface configuration command. To remove the filter, use the no form of this command.
ipx router-sap-filter {access-list-number | name}

| Argument | Description |
| --- | --- |
| access-list-number | Number of the access list. All incoming service advertisements are filtered by the entries in this access list. The argument access-list-number is a decimal number from 1000 to 1099. |
| name | Name of the access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
No filters are predefined.
Interface configuration
This command first appeared in Cisco IOS Release 10.0.
You can issue only one ipx router-sap-filter command on each interface.
In the following example, the Cisco IOS software will receive service advertisements only from router aa.0207.0104.0874:
access-list 1000 permit aa.0207.0104.0874
access-list 1000 deny -1
interface ethernet 0
 ipx router-sap-filter 1000
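The following is an added illustration, not Cisco IOS code: a small model of how a numbered SAP access list is evaluated by ipx input-sap-filter and ipx router-sap-filter, run against the two example lists above (deny one server then permit -1, and permit one router then deny -1). It shows the first-match rule, the implicit deny when no entry matches, and the optional network-mask.node-mask wildcard; the function and class names are the example's own.

```python
"""Added illustration, not Cisco IOS code: evaluation of a numbered SAP
access list (1000-1099).  Entries are tried in order, the first match
decides, and a list with no matching entry denies (the implicit deny).
Addresses are network[.node]; network -1 matches every network; in an
optional network-mask.node-mask, bits set to 1 are ignored when comparing."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_address(text: str) -> Tuple[Optional[int], Optional[int]]:
    """'3c.0800.89a1.1527' -> (0x3c, 0x080089a11527); '3c' -> (0x3c, None);
    '-1' -> (None, None).  None stands for 'any'."""
    if text == "-1":
        return None, None
    parts = text.split(".")
    network = int(parts[0], 16)
    if len(parts) == 1:
        return network, None
    if len(parts) != 4 or any(len(p) != 4 for p in parts[1:]):
        raise ValueError(f"node must be a dotted triplet xxxx.xxxx.xxxx: {text}")
    return network, int("".join(parts[1:]), 16)


@dataclass
class Entry:
    action: str                # "permit" or "deny"
    network: Optional[int]     # None models -1 (any network)
    node: Optional[int]        # None means no node given (any node)
    net_mask: int = 0          # 1 bits are ignored, per the command reference
    node_mask: int = 0

    def matches(self, network: int, node: int) -> bool:
        if self.network is None:
            return True
        if (network | self.net_mask) != (self.network | self.net_mask):
            return False
        if self.node is None:
            return True
        return (node | self.node_mask) == (self.node | self.node_mask)


def parse_entry(line: str) -> Entry:
    """Parse 'access-list 1000 deny 3c.0800.89a1.1527 [mask]'; the
    'access-list <number>' prefix is optional."""
    tokens = line.split()
    if tokens and tokens[0] == "access-list":
        tokens = tokens[2:]
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"expected '<permit|deny> <address> [mask]': {line}")
    network, node = parse_address(tokens[1])
    net_mask = node_mask = 0
    if len(tokens) > 2:                       # optional network-mask.node-mask
        m_net, m_node = parse_address(tokens[2])
        net_mask, node_mask = m_net or 0, m_node or 0
    return Entry(tokens[0], network, node, net_mask, node_mask)


def build(lines: List[str]) -> List[Entry]:
    return [parse_entry(line) for line in lines]


def evaluate(entries: List[Entry], address: str) -> str:
    """Decide 'permit' or 'deny' for a full network.node server address."""
    network, node = parse_address(address)
    if network is None or node is None:
        raise ValueError("evaluate needs a concrete network.node address")
    for entry in entries:
        if entry.matches(network, node):
            return entry.action                # first match wins
    return "deny"                              # implicit deny at end of list


if __name__ == "__main__":
    # The ipx input-sap-filter example from the command reference
    input_sap = build(["access-list 1000 deny 3c.0800.89a1.1527",
                       "access-list 1000 permit -1"])
    for addr in ("3c.0800.89a1.1527", "3c.0800.89a1.1528"):
        print(addr, "->", evaluate(input_sap, addr))
```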
access-list (SAP filtering)
deny (SAP filtering)
ipx input-sap-filter
ipx output-sap-filter
ipx sap
permit (SAP filtering)
show ipx access-list
To set conditions for a named IPX extended access list, use the permit access-list configuration command. To remove a permit condition from an access list, use the no form of this command.
permit protocol [source-network][[[.source-node] source-node-mask] | [.source-node

| Argument | Description |
| --- | --- |
| protocol | Name or number (decimal) of an IPX protocol type. This is sometimes referred to as the packet type. You can also use the word any to match all protocol types. |
| source-network | (Optional) Number of the network from which the packet is being sent. This is an eight-digit hexadecimal number that uniquely identifies a network cable segment. It can be a number in the range 1 to FFFFFFFE. A network number of 0 matches the local network. A network number of -1 matches all networks. You can also use the word any to match all networks. You do not need to specify leading zeros in the network number; for example, for the network number 000000AA, you can enter AA. |
| .source-node | (Optional) Node on source-network from which the packet is being sent. This is a 48-bit value represented by a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). |
| source-network-mask. | (Optional) Mask to be applied to source-network. This is an eight-digit hexadecimal mask. Place ones in the bit positions you want to mask. The mask must immediately be followed by a period, which must in turn immediately be followed by source-node-mask. |
| source-node-mask | (Optional) Mask to be applied to source-node. This is a 48-bit value represented as a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions you want to mask. |
| source-socket | Socket name or number (hexadecimal) from which the packet is being sent. You can also use the word all to match all sockets. |
| destination-network | (Optional) Number of the network to which the packet is being sent. This is an eight-digit hexadecimal number that uniquely identifies a network cable segment. It can be a number in the range 1 to FFFFFFFE. A network number of 0 matches the local network. A network number of -1 matches all networks. You can also use the word any to match all networks. You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA. |
| .destination-node | (Optional) Node on destination-network to which the packet is being sent. This is a 48-bit value represented by a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). |
| destination-network-mask. | (Optional) Mask to be applied to destination-network. This is an eight-digit hexadecimal mask. Place ones in the bit positions you want to mask. The mask must immediately be followed by a period, which must in turn immediately be followed by destination-node-mask. |
| destination-node-mask | (Optional) Mask to be applied to destination-node. This is a 48-bit value represented as a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions you want to mask. |
| destination-socket | (Optional) Socket name or number (hexadecimal) to which the packet is being sent. |
| log | (Optional) Logs IPX access control list violations whenever a packet matches a particular access list entry. The information logged includes source address, destination address, source socket, destination socket, protocol type, and action taken (permit/deny). |
There is no specific condition under which a packet passes the named access list.
Access-list configuration
This command first appeared in Cisco IOS Release 11.2 F.
Use this command following the ipx access-list command to specify conditions under which a packet passes the named access list.
For additional information on IPX protocol names and numbers, and IPX socket names and numbers, see the access-list (extended) command in the Cisco IOS Release 11.2 Network Protocols Command Reference, Part 2.
The following example creates an extended access list named sal that denies all SPX packets and permits all others:
ipx access-list extended sal
 deny spx any all any all log
 permit any
access-list (extended)
deny (extended)
ipx access-group
ipx access-list
show ipx access-list
To allow explicit route redistribution in a named NLSP route aggregation access list, use the permit access-list configuration command. To remove a permit condition, use the no form of this command.
permit network network-mask [ticks ticks] [area-count area-count]

| Argument | Description |
| --- | --- |
| network | Network number to summarize. An IPX network number is an eight-digit hexadecimal number that uniquely identifies a network cable segment. It can be a number in the range 1 to FFFFFFFE. A network number of 0 matches the local network. A network number of -1 matches all networks. You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA. |
| network-mask | Specifies the portion of the network address that is common to all addresses in the route summary, expressed as an 8-digit hexadecimal number. The high-order bits of network-mask must be contiguous 1s, while the low-order bits must be contiguous zeros (0). An arbitrary mix of 1s and 0s is not permitted. |
| ticks ticks | (Optional) Metric assigned to the route summary. The default is 1 tick. |
| area-count area-count | (Optional) Maximum number of NLSP areas to which the route summary can be redistributed. The default is 6 areas. |
No access lists are defined.
Access-list configuration
This command first appeared in Cisco IOS Release 11.2 F.
Use this command following the ipx access-list command to specify conditions under which networks that are permitted by the access list entry can be redistributed as explicit networks, without summarization.
For additional information on creating access lists that deny or permit area addresses that summarize routes, see the access-list (NLSP route aggregation filtering) command in the Cisco IOS Release 11.2 Network Protocols Command Reference, Part 2.
The following example allows networks 12345600 and 12345601 to be redistributed explicitly. Other routes in the range 12345600 to 123456FF are summarized into a single aggregated route. All other routes will be redistributed as explicit routes.
ipx access-list summary finance
 permit 12345600
 permit 12345601
 deny 12345600 ffffff00
 permit -1
access-list (NLSP route aggregation filtering)
deny (NLSP route aggregation summarization)
ipx access-group
ipx access-list
show ipx access-list
To set conditions for a named IPX SAP filtering access list, use the permit access-list configuration command. To remove a permit condition from an access list, use the no form of this command.
permit network[.node] [network-mask.node-mask] [service-type [server-name]]

| Argument | Description |
| --- | --- |
| network | Network number. This is an eight-digit hexadecimal number that uniquely identifies a network cable segment. It can be a number in the range 1 to FFFFFFFE. A network number of 0 matches the local network. A network number of -1 matches all networks. You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA. |
| .node | (Optional) Node on network. This is a 48-bit value represented by a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). |
| network-mask.node-mask | (Optional) Mask to be applied to network and node. Place ones in the bit positions to be masked. |
| service-type | (Optional) Service type on which to filter. This is a hexadecimal number. A value of 0 means all services. |
| server-name | (Optional) Name of the server providing the specified service type. This can be any contiguous string of printable ASCII characters. Use double quotation marks (" ") to enclose strings containing embedded spaces. You can use an asterisk (*) at the end of the name as a wildcard to match one or more trailing characters. |
No access lists are defined.
Access-list configuration
This command first appeared in Cisco IOS Release 11.2 F.
Use this command following the ipx access-list command to specify conditions under which a packet passes the named access list.
For additional information on IPX SAP service types, see the access-list (SAP filtering) command in the Cisco IOS Release 11.2 Network Protocols Command Reference, Part 2.
The following example creates a SAP access list named MyServer that allows only MyServer to be sent in SAP advertisements:
ipx access-list sap MyServer
 permit 1234 4 MyServer
access-list (SAP filtering)
deny (SAP filtering)
ipx access-group
ipx access-list
show ipx access-list
To set conditions for a named IPX access list, use the permit access-list configuration command. To remove a permit condition from an access list, use the no form of this command.
permit source-network[.source-node [source-node-mask]]

| Argument | Description |
| --- | --- |
| source-network | Number of the network from which the packet is being sent. This is an eight-digit hexadecimal number that uniquely identifies a network cable segment. It can be a number in the range 1 to FFFFFFFE. A network number of 0 matches the local network. A network number of -1 matches all networks. You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA. |
| .source-node | (Optional) Node on source-network from which the packet is being sent. This is a 48-bit value represented by a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). |
| source-node-mask | (Optional) Mask to be applied to source-node. This is a 48-bit value represented as a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions you want to mask. |
| destination-network | (Optional) Number of the network to which the packet is being sent. This is an eight-digit hexadecimal number that uniquely identifies a network cable segment. It can be a number in the range 1 to FFFFFFFE. A network number of 0 matches the local network. A network number of -1 matches all networks. You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA. |
| .destination-node | (Optional) Node on destination-network to which the packet is being sent. This is a 48-bit value represented by a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). |
| destination-node-mask | (Optional) Mask to be applied to destination-node. This is a 48-bit value represented as a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions you want to mask. |
No access lists are defined.
Access-list configuration
This command first appeared in Cisco IOS Release 11.2 F.
Use this command following the ipx access-list command to specify conditions under which a packet passes the named access list.
For additional information on creating IPX access lists, see the access-list (standard) command in the Cisco IOS Release 11.2 Network Protocols Command Reference, Part 2.
The following example creates a standard access list named fred. It permits communication with only IPX network number 5678.
ipx access-list standard fred
 permit 5678 any
 deny any
access-list (standard)
deny (standard)
ipx access-group
ipx access-list
show ipx access-list
To redistribute from one routing domain into another, and vice versa, use one of the following redistribute router configuration commands. To disable this feature, use the no form of the commands.
For Enhanced IGRP or RIP environments, use the following command to redistribute from one routing domain into another, and vice versa:
redistribute {connected | eigrp autonomous-system-number | floating-static | nlsp [tag] | rip
For NLSP environments, use the following command to redistribute from one routing domain into another, and vice versa:
redistribute {eigrp autonomous-system-number | nlsp [tag] | rip | static}

| Argument | Description |
| --- | --- |
| connected | Specifies connected routes. |
| eigrp autonomous-system-number | Specifies the Enhanced IGRP protocol and the Enhanced IGRP autonomous system number. It can be a decimal integer from 1 to 65535. |
| floating-static | Specifies a floating static route. This is a static route that can be overridden by a dynamically learned route. |
| nlsp [tag] | Specifies the NLSP protocol and, optionally, names the NLSP process (tag). The tag can be any combination of printable characters. |
| rip | Specifies the RIP protocol. You can configure only one RIP process on the router. Thus, you cannot redistribute RIP into RIP. |
| static | Specifies static routes. |
| access-list access-list-number | Specifies an NLSP route summary access list. The access-list-number is a decimal number from 1200 to 1299. |
| access-list name | Name of the access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
Redistribution is enabled between all routing domains except between separate Enhanced IGRP processes.
Redistribution of floating static routes is disabled.
Redistribution between NLSP and Enhanced IGRP is disabled.
Router configuration
This command first appeared in Cisco IOS Release 11.1.
Redistribution provides for routing information generated by one protocol to be advertised in another.
The only connected routes affected by this redistribute command are the routes not specified by the network command.
If you have enabled floating static routes by specifying the floating keyword in the ipx route global configuration command and you redistribute floating static routes into a dynamic IPX routing protocol, any nonhierarchical topology causes the floating static destination to be redistributed immediately via a dynamic protocol back to the originating router, causing a routing loop. This occurs because dynamic protocol information overrides floating static routes. For this reason, automatic redistribution of floating static routes is off by default. If you redistribute floating static routes, you should specify filters to eliminate routing loops.
For NLSP environments, you can use the NLSP redistribute command to configure IPX route aggregation with customized route summarization. Configure IPX route aggregation with customized route summarization in
An NLSP process is a router's databases working together to manage route information about an area. NLSP version 1.0 routers are always in the same area. Each router has its own adjacencies, link-state, and forwarding databases. These databases operate collectively as a single process to discover, select, and maintain route information about the area. NLSP version 1.1 routers that exist within a single area also use a single process.
NLSP version 1.1 routers that interconnect multiple areas use multiple processes to discover, select, and maintain route information about the areas they interconnect. These routers manage an adjacencies, link-state, and area address database for each area to which they attach. Collectively, these databases are still referred to as a process. The forwarding database is shared among processes within a router. The sharing of entries in the forwarding database is automatic when all processes interconnect NLSP version 1.1 areas.
In the following example, RIP routing information is not redistributed:
ipx router eigrp 222
 no redistribute rip
In the following example, Enhanced IGRP routes from autonomous system 100 are redistributed into Enhanced IGRP autonomous system 300:
ipx router eigrp 300
 redistribute eigrp 100
In the following example, Enhanced IGRP routes from autonomous system 300 are redistributed into the NLSP process area3:
ipx router nlsp area3
 redistribute eigrp 300
The following example enables route summarization and redistributes routes learned from one NLSP instance to another. Any routes learned via NLSP a1 that are subsumed by route summary aaaa0000 ffff0000 are not redistributed into NLSP a2. Instead, an aggregated route is generated. Likewise, any routes learned via NLSP a2 that are subsumed by route summary bbbb0000 ffff0000 are not redistributed into NLSP a1; an aggregated route is generated instead.
ipx routing
ipx internal-network 2000
!
interface ethernet 1
 ipx network 1001
 ipx nlsp a1 enable
!
interface ethernet 2
 ipx network 2001
 ipx nlsp a2 enable
!
access-list 1200 deny aaaa0000 ffff0000
access-list 1200 permit -1
access-list 1201 deny bbbb0000 ffff0000
access-list 1201 permit -1
!
ipx router nlsp a1
 area-address 1000 fffff000
 route-aggregation
 redistribute nlsp a2 access-list 1201
!
ipx router nlsp a2
 area-address 2000 fffff000
 route-aggregation
 redistribute nlsp a1 access-list 1200
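The following is an added illustration, not Cisco IOS code: a model of how an NLSP route aggregation access list (the named finance list under the permit command above, and the 1200/1201 lists in this redistribute example) sorts learned routes into explicit routes and aggregated summaries. It also checks the requirement that a summary mask be contiguous 1s followed by contiguous 0s; the function and class names are the example's own.

```python
"""Added illustration, not Cisco IOS code: a model of an NLSP route
aggregation access list as used by redistribute ... access-list.  A permit
entry lets the matching route through as an explicit route; a deny entry
with a summary mask folds matching routes into one aggregated route; network
-1 matches every route.  Here the mask marks the bits common to the summary,
so it must be contiguous 1s followed by contiguous 0s (for example ffffff00),
as the command reference requires."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NET_BITS = 0xFFFFFFFF


def valid_summary_mask(mask: int) -> bool:
    """True for masks such as ffffff00 or ffff0000; False for ff00ff00."""
    if not 0 <= mask <= NET_BITS:
        return False
    low_zeros = (~mask) & NET_BITS            # the trailing zero run as ones
    return low_zeros & (low_zeros + 1) == 0   # i.e. of the form 2**k - 1


@dataclass
class SummaryEntry:
    action: str             # "permit" = explicit, "deny" = summarize
    network: Optional[int]  # None models -1 (every network)
    mask: int = NET_BITS    # exact match unless a summary mask was given

    def covers(self, network: int) -> bool:
        if self.network is None:
            return True
        return (network & self.mask) == (self.network & self.mask)

    def summary_name(self) -> str:
        if self.network is None:
            return "summary any"
        return f"summary {self.network:08x}/{self.mask:08x}"


def parse_summary_entry(line: str) -> SummaryEntry:
    """Parse 'permit 12345600', 'deny 12345600 ffffff00' or 'permit -1'."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"expected '<permit|deny> <network> [mask]': {line}")
    network = None if tokens[1] == "-1" else int(tokens[1], 16)
    mask = NET_BITS
    if len(tokens) > 2:
        mask = int(tokens[2], 16)
        if not valid_summary_mask(mask):
            raise ValueError(f"summary mask is not contiguous 1s then 0s: {line}")
    return SummaryEntry(tokens[0], network, mask)


def build_summary(lines: List[str]) -> List[SummaryEntry]:
    return [parse_summary_entry(line) for line in lines]


def classify(entries: List[SummaryEntry], network: int) -> Optional[str]:
    """First matching entry decides: 'explicit', 'summary <net>/<mask>', or
    None when no entry covers the route (the lists shown end in permit -1)."""
    for entry in entries:
        if entry.covers(network):
            return "explicit" if entry.action == "permit" else entry.summary_name()
    return None


def redistribute(entries: List[SummaryEntry],
                 routes: List[int]) -> Tuple[List[int], Dict[str, List[int]]]:
    """Split learned routes into those redistributed explicitly and those
    collapsed into each aggregated route."""
    explicit: List[int] = []
    summaries: Dict[str, List[int]] = {}
    for net in routes:
        verdict = classify(entries, net)
        if verdict == "explicit":
            explicit.append(net)
        elif verdict is not None:
            summaries.setdefault(verdict, []).append(net)
    return explicit, summaries
```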
access-list (NLSP route aggregation filtering)
deny (NLSP route aggregation summarization)
ipx router
permit (NLSP route aggregation summarization)
To display the contents of all current IPX access lists, use the show ipx access-list EXEC command.
show ipx access-list [access-list-number | name]

| Argument | Description |
| --- | --- |
| access-list-number | (Optional) Number of the IPX access list to display. This is a decimal number from 800 to 899, 900 to 999, 1000 to 1099, or 1200 to 1299. |
| name | (Optional) Name of the IPX access list to display. |
Displays all standard, extended, SAP, and NLSP route aggregation summary IPX access lists.
EXEC
This command first appeared in Cisco IOS Release 11.2 F.
The show ipx access-list command provides output identical to the show access-lists command, except that it is IPX specific and allows you to specify a particular access list.
The following is sample output from the show ipx access-list command when all access lists are requested:
Router# show ipx access-list
IPX extended access list 900
deny any 1
IPX sap access list London
deny FFFFFFFF 107
deny FFFFFFFF 301C
permit FFFFFFFF 0
The following is sample output from the show ipx access-list command when the name of a specific access list is requested:
Router# show ipx access-list London
IPX sap access list London
deny FFFFFFFF 107
deny FFFFFFFF 301C
permit FFFFFFFF 0
For more information on IPX access lists and filters, see the Cisco IOS Release 11.2 Network Protocols Configuration Guide, Part 2.