IPX SAP Access Lists

You might recall from Chapter 8 that the ipx routing command also initiates the broadcasting of IPX SAP updates between routers. The information contained in SAP updates can be filtered using IPX SAP access lists, which use the numerical range 1000-1099. By properly implementing these access lists, you can control the extent to which certain SAP broadcasts are propagated through an IPX network. Much like standard access lists, IPX SAP access lists should usually be implemented close to the source of SAP updates, in order to reduce unnecessary network traffic.

IPX SAP access lists are implemented using the access-list command. They specify the source network from which the broadcasts originate, the type of SAP broadcast we want to filter, and optionally, the name of the server whose broadcasts we wish to filter. Let’s walk through an example step-by-step to see how these access lists are implemented. The figure below outlines a network that includes three IPX networks – 101A, 101B, and 101C. Our goal is to stop print server updates from ServerB from being added to the SAP table on RouterA.

Figure: An inbound IPX SAP access list will ultimately deny ServerB’s print services broadcasts from being added to the router’s SAP table.

RouterA(config)#access-list 1099 deny ?
-1 Any IPX net
<0-FFFFFFFF> Source net
N.H.H.H Source net.host address
RouterA(config)#access-list 1099 deny 101B ?
<0-FFFF> Service type-code (0 matches all services)
N.H.H.H Source net.host mask

The command above specifies that we wish to deny IPX SAP traffic from network 101B. If we had pressed enter here, all IPX SAP broadcast traffic from network 101B would be denied. Instead, we’ll carry on to specify the service type code that we wish to deny. Recall from previous chapters that the type code associated with print servers is 7.

RouterA(config)#access-list 1099 deny 101B 7 ?
WORD A SAP server name
RouterA(config)#access-list 1099 deny 101B 7 ServerB

By specifying ServerB, we only deny SAP updates announcing print services from that particular server, as opposed to all servers on network 101B. After the command is issued, remember that the access list still ends in an implicit “deny all” statement, and still needs to be applied to an interface.

We’ll add a permit statement that allows all other IPX SAP traffic. This statement is fairly simple, as shown below.

RouterA(config)#access-list 1099 permit -1

The -1 in the permit entry is the equivalent of saying “allow all IPX SAP traffic from any network”.

The syntax to apply an IPX SAP filter to an interface is different from the access-group command that we used previously. Two different statements can be used to apply an IPX SAP access list to an interface, each with different results.

  • ipx input-sap-filter. This command will apply an IPX SAP access list to an interface, and stops incoming SAP updates from being added to a router’s SAP table.
  • ipx output-sap-filter. This command also applies an IPX SAP access list to an interface, but stops filtered entries from being broadcast from that interface.

In this case, since we only have a single router and don’t want the information about ServerB’s print services added to the router’s SAP table, we’ll use an input filter on interface E1. If we had wanted the SAP broadcasts about print services on ServerB to be denied to only network 101A, an output filter on interface E0 would have been more appropriate.

RouterA(config-if)#ipx input-sap-filter 1099
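To make the matching rules of access list 1099 concrete, here is an added Python simulation (not IOS code, and not from the original guide) of how the two entries above are evaluated, top-down with first match wins and an implicit deny at the end, against a few constructed SAP updates arriving on E1. The update list, the extra server names, and the file-service entry (SAP type 4) are sample data for the example.

```python
from dataclasses import dataclass
from typing import List, Optional
@dataclass
class SapEntry:
    net: str       # IPX network the service is announced from, e.g. "101B"
    svc_type: int  # SAP service type code (7 = print server, as in the text)
    server: str    # name of the advertising server
@dataclass
class SapAclLine:
    action: str                   # "permit" or "deny"
    net: str                      # "-1" matches any IPX net
    svc_type: int = 0             # 0 matches all service types
    server: Optional[str] = None  # None matches any server name
    def matches(self, e: SapEntry) -> bool:
        return (self.net in ("-1", e.net.upper())
                and self.svc_type in (0, e.svc_type)
                and self.server in (None, e.server))
def parse_acl(lines: List[str]) -> List[SapAclLine]:
    """Parse 'access-list <1000-1099> {permit|deny} net [type [server]]' lines."""
    acl = []
    for text in lines:
        tok = text.split()
        if tok[0] != "access-list" or not 1000 <= int(tok[1]) <= 1099:
            raise ValueError(f"not an IPX SAP access list: {text}")
        svc = int(tok[4], 16) if len(tok) > 4 else 0  # IOS reads the type code as hex
        acl.append(SapAclLine(tok[2], tok[3].upper(), svc, tok[5] if len(tok) > 5 else None))
    return acl

def sap_filter(acl: List[SapAclLine], updates: List[SapEntry]) -> List[SapEntry]:
    """Evaluate top-down, first match wins; an update matching no line is implicitly denied."""
    kept = []
    for e in updates:
        for line in acl:
            if line.matches(e):
                if line.action == "permit":
                    kept.append(e)
                break
    return kept
# Constructed SAP updates arriving on E1 (sample data, not captured from a real router)
UPDATES = [
    SapEntry("101B", 7, "ServerB"),  # ServerB print service: the one the text denies
    SapEntry("101B", 4, "ServerB"),  # ServerB file service (type 4): still accepted
    SapEntry("101B", 7, "ServerC"),  # print service from another server on 101B
    SapEntry("101C", 7, "ServerD"),  # print service from a different network
]
ACL_1099 = parse_acl(["access-list 1099 deny 101B 7 ServerB",
                      "access-list 1099 permit -1"])
def accepted_servers() -> List[str]:
    return [e.server for e in sap_filter(ACL_1099, UPDATES)]
```

Dropping the permit -1 line from ACL_1099 makes sap_filter return nothing at all, which is the implicit “deny all” the text warns about.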

To view the IPX SAP access lists associated with an interface, use the show ipx interface command, as shown below. The output has been truncated to show only relevant information.

RouterA#sh ipx int e1
Ethernet0 is up, line protocol is up
IPX address is 101B.0060.5cc4.f41b, NOVELL-ETHER [up]
Delay of this IPX network, in ticks is 1 throughput 0 link delay 0
IPXWAN processing not enabled on this interface.
IPX SAP update interval is 60 seconds
IPX type 20 propagation packet forwarding is disabled
Incoming access list is 900
Outgoing access list is 850
IPX helper access list is not set
SAP GNS processing enabled, delay 0 ms, output filter list is not set
SAP Input filter list is 1099
SAP Output filter list is not set

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.