Configuring IPX

Configuring IPX SAP Access Control Lists (ACLs)

You can configure Access Control Lists (ACLs) for filtering Service Advertisement Protocol (SAP) replies sent on a routing switch’s IPX interfaces. You configure IPX SAP access lists on a global basis, then apply them to the IPX inbound or outbound filter group on specific interfaces. You can configure up to 32 access lists. The same access list can be applied to multiple interfaces.

When you configure more than one access list on an IPX interface, the software applies the access lists in numerical order. For example, if you configure access lists 1, 10, and 32 and apply them to an interface, the software applies access list 1 first, then access list 10, then access list 32. This is true regardless of the order in which you configure the access lists. At the first match, the software takes the action specified by the access list (deny or permit) and stops comparing the update against the access lists.

IPX SAP access lists apply to SAP updates sent or received by the routing switch. You can apply them to a port’s inbound or outbound IPX traffic.

NOTE: IPX access lists replace the IPX filter mechanism in software releases earlier than 06.x. The older commands are supported for backward compatibility but are not listed in the on-line help. If the device’s startup-config file contains IPX filter commands of the older format, they are replaced by equivalent IPX ACL commands when you save the device’s configuration while running 06.x or later.

Before you configure an access list on an IPX interface, all SAP updates are sent and received by default. However, once you configure an access filter, the default action changes from permit to deny. Thus, SAP updates that are not explicitly permitted are denied. To change the default action to permit, configure SAP access list 32 to permit all updates on all networks.

NOTE: Each IPX SAP access list is a single filter. This is different from the system-wide ACLs, which each can contain multiple individual filters. See “Using Access Control Lists (ACLs)” on page 3-1.

To configure IPX access lists, use the following CLI method.

USING THE CLI

To configure three IPX access lists and apply them to IPX interfaces on port 1/1, enter the following commands:

HP9300(config)# router ipx
HP9300(config)# ipx sap-access-list 1 deny abcd
HP9300(config)# ipx sap-access-list 10 deny efef.1234.1234.1234
HP9300(config)# ipx sap-access-list 32 permit -1 0
HP9300(config)# exit
HP9300(config)# int e 1/1
HP9300(config-if-1/1)# ipx sap-filter-group out 1 10 32
HP9300(config-if-1/1)# write memory

In this example, access list 1 denies all SAP updates containing IPX network abcd. Access list 10 denies SAP updates for print server “Prt1” from network efef, node 1234.1234.1234. Access list 32 ensures that all updates that are not denied by the preceding access lists are permitted.
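The evaluation rules described above (numerical order, first match, default deny once access lists are applied) can be modeled in Python; this is an added example, not code from the manual or from HP. It assumes matching on network and node only and that the default changes when a filter group is applied to the interface; parse_acl, evaluate and the sample updates are constructed for illustration.

```python
# Added illustration, not vendor code. Assumption: only <network>[.<node>] is
# matched; mask, service-type and server-name fields are ignored.

def parse_acl(line):
    """Parse 'ipx sap-access-list <num> deny|permit <network>[.<node>] ...'."""
    tok = line.split()
    if tok[:2] != ["ipx", "sap-access-list"] or len(tok) < 5:
        raise ValueError(f"not a SAP access list: {line!r}")
    num, action, target = int(tok[2]), tok[3], tok[4]
    if not 1 <= num <= 32 or action not in ("deny", "permit"):
        raise ValueError(f"bad list number or action: {line!r}")
    net, _, node = target.partition(".")
    # -1 means any network; leading zeros are optional, so compare as integers.
    network = None if net == "-1" else int(net, 16)
    return num, action, network, (node.lower() or None)

def evaluate(acls, group, network, node):
    """Return 'permit' or 'deny' for one SAP update against a filter group."""
    if not group:
        return "permit"            # nothing applied: all updates pass
    for num in sorted(group):      # numerical order, not the order entered
        _, action, acl_net, acl_node = acls[num]
        if acl_net is not None and acl_net != int(network, 16):
            continue
        if acl_node is not None and acl_node != node.lower():
            continue
        return action              # first match ends the comparison
    return "deny"                  # default once any list is applied

# Access lists from the CLI example above, deliberately entered out of order.
CONFIG = [
    "ipx sap-access-list 32 permit -1 0",
    "ipx sap-access-list 1 deny abcd",
    "ipx sap-access-list 10 deny efef.1234.1234.1234",
]
ACLS = {acl[0]: acl for acl in map(parse_acl, CONFIG)}

if __name__ == "__main__":
    # Constructed sample updates: (network, node of the advertised server).
    updates = [("0000abcd", "0000.0000.0001"), ("efef", "1234.1234.1234"),
               ("efef", "aaaa.bbbb.cccc")]
    for group in ([32, 10, 1], [1, 10]):
        for net, node in updates:
            print(group, net, node, evaluate(ACLS, group, net, node))
```

With the group reduced to 1 and 10, the update from network efef, node aaaa.bbbb.cccc matches neither list and falls to the default deny, which is why the example configuration ends with access list 32.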

Syntax: [no] ipx sap-access-list <num> deny | permit <network>[.<node>] [<network-mask>.<node-mask>] [<service-type> [<server-name>]]

Syntax: [no] ipx sap-filter-group in | out <num> [<num>…]

The <num> parameter specifies the access list number and can be from 1 – 32.

The deny | permit parameter specifies whether the routing switch allows the SAP update or denies it.

The <network>[.<node>] parameter specifies the IPX network. Optionally, you also can specify a specific node (host) on the network. The <network> parameter can be an eight-digit hexadecimal number from 1 – FFFFFFFE. To specify all networks (“any”), enter -1 as the network number. If the network number has leading zeros, you do not need to specify them. For example, you can specify network 0000abab as “abab”.

The node is a 48-bit value represented by three four-digit numbers joined by periods; for example, 1234.1234.1234.
