Standard IPX Access Lists

In the same way that access lists can be used to permit or deny IP-based traffic from passing through a router, IPX access lists control the flow of IPX traffic. A standard IPX access list is a little different that a standard IP access list. The standard IPX variety allows traffic to be filtered based on both source and destination addresses, rather than just source addresses alone.

To define a standard IPX access list, you can also use the access-list command from global configuration mode. Recall that the numeric range of standard IPX access lists is 800-899. While IPX access lists can also define individual hosts (or ranges of hosts with wildcard masks), they are more commonly implemented by specifying source and destination network numbers. Consider the figure below. The small network depicted consists of one router connecting three networks – 101A, 101B, and 101C. Our goal is to deny traffic originating from network 101A from reaching network 101B, while allowing all other traffic to pass. Our access list number for this example will be 850.

Figure: An outbound standard IPX access list applied to the router’s E1 interface denies traffic from network 101A from reaching network 101B.

RouterA(config)#access-list 850 deny 101A 101B

That was certainly simple enough. The statement above identifies the access list entry as belonging to standard IPX access list 850, which denies traffic from source network 101A from reaching the destination network (101B). Our next step involves permitting all other traffic, which is imperative since all access lists end with the implicit “deny all” statement. I have used the help function to demonstrate how the syntax of an IPX access list differs when you wish to specify that “any” traffic should be allowed to pass.

RouterA(config)#access-list 850 permit ?
-1 Any IPX net
<0-FFFFFFFF> Source net
N.H.H.H Source address
RouterA(config)#access-list 850 permit -1 -1

Notice that standard IPX access lists don’t use the any keyword to reference all hosts. Instead, their syntax differs in that –1 is used to represent any IPX network. The statement above would be the same as saying “permit any traffic from any network”. Again, this access list does nothing until applied to an interface using the access-group command. In this case, the syntax varies slightly, since it is an IPX access list that we’re dealing with.

RouterA(config)#int e1
RouterA(config-if)#ipx access-group 850 out

To view all IPX access lists defined on a router, use the show ipx access-list command. To view only a specific access list, follow the command with the access list number is question.

RouterA#sh ipx access-list
IPX standard access list 850
deny 101A 101B

The IPX access lists associated with a given interface can be viewed using both show run and show ipx int followed by the interface number. I’ve truncated the output below to show only the relevant information.

RouterA#show ipx int e1
Ethernet1 is up, line protocol is up
IPX address is 101B.0060.5cc4.f41b, NOVELL-ETHER [up]
Delay of this IPX network, in ticks is 1 throughput 0 link delay 0
IPXWAN processing not enabled on this interface.
IPX SAP update interval is 60 seconds
IPX type 20 propagation packet forwarding is disabled
Incoming access list is not set
Outgoing access list is 850

Remember that any given interface may have only one incoming and one outgoing access list assigned per protocol.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.