In the same way that extended IP access lists give you a more granular level of control over IP traffic, extended IPX access lists allow you a finer level of control over IPX traffic. Extended IPX access lists not only allow you to filter traffic based on source and destination IPX addresses, but also IPX protocols and socket numbers. A variety of different IPX protocols and sockets exist, many of which were looked at in Chapter 4. The following example shows an extended IPX access list that denies all standard IPX ping traffic from moving from network 101A to network 101B. Recall that extended IPX access lists use the numerical range 900-999.
RouterA(config)#access-list 900 deny ?
<0-255> Protocol type number (DECIMAL)
any Any IPX protocol type
ncp NetWare Core Protocol
netbios IPX NetBIOS
rip IPX Routing Information Protocol
sap Service Advertising Protocol
spx Sequenced Packet Exchange
After the deny statement, an extended IPX access list expects an IPX protocol type to be entered. For the purpose of illustration, I have chosen the entry for any, which would be similar to choosing ip in an extended IP access list.
RouterA(config)#access-list 900 deny any ?
<0-FFFFFFFF> Source net
N.H.H.H Source net.host address
any Any IPX net
log Log matches against this entry
RouterA(config)#access-list 900 deny any 101A ?
<0-FFFFFFFF> Source Socket HEXIDECIMAL
all All sockets
cping Cisco ipx ping
diagnostic Diagnostic packet
eigrp IPX Enhanced Interior Gateway Routing Protocol
log Log matches against this entry
ncp NetWare Core Protocol
netbios IPX NetBIOS
nlsp NetWare Link State Protocol
nping Standard IPX ping
rip IPX Routing Information Protocol
sap Service Advertising Protocol
trace Trace Route packet
After the source address has been entered, the access list expects a source socket to be specified. An IPX socket is similar to a TCP or UDP port. In this case, I want to deny standard IPX pings from network 101A to network 101B, so I chose nping (which is socket number 9086, incidentally), as shown below.
RouterA(config)#access-list 900 deny any 101A nping ?
<0-FFFFFFFF> Destination net
N.H.H.H Destination net.host address
any Any IPX net
log Log matches against this entry
The destination network is specified next, followed by the destination socket number.
RouterA(config)#access-list 900 deny any 101A nping 101B ?
<0-FFFFFFFF> Destination Socket HEXIDECIMAL
all All sockets
cping Cisco ipx ping
diagnostic IPX Diagnostic packet
eigrp IPX Enhanced Interior Gateway Routing Protocol
log Log matches against this entry
ncp NetWare Core Protocol
netbios IPX NetBIOS
nlsp NetWare Link State Protocol
nping Standard IPX ping
rip IPX Routing Information Protocol
sap Service Advertising Protocol
trace IPX Trace Route packet
RouterA(config)#access-list 900 deny any 101A nping 101B nping
After the command has been entered, this access list consists of one deny statement. Recall that we’ll still need some type of permit statement to allow all other traffic to pass. The statement below will allow all other traffic to pass through the access list.
RouterA(config)#access-list 900 permit any any all any all
If you take a look at the previous example, the meaning of the statement above should become clearer. The first two any statements represent protocols and source networks. The first all statement represents all sockets. The final any all statement is equivalent to saying “any destination network, all sockets”. Don’t forget to apply the access list to an interface – in this case, we’ll apply it close to the source network (that’s how extended access lists are usually applied), as an inbound access list on interface E0.
RouterA(config-if)#ipx access-group 900 in
To view all of the ipx access lists defined on the router, use the show ipx access-list command.
RouterA#show ipx access-list
IPX standard access list 850
deny 101A 101B
permit FFFFFFFF FFFFFFFF
IPX extended access list 900
deny any 101A 9086 101B 9086
permit any any all any all
For the most part, you probably shouldn’t concentrate on memorizing the syntax of extended IPX access lists. However, you should be familiar with the ways in which they are capable of filtering traffic (source address, destination address, protocol, and socket numbers) and the numeric range (900-999) that they are identified by.
