HP (Hewlett-Packard) 6308M-SX Switch User Manual


 
Configuring IPX
Configuring IPX SAP Access Control Lists (ACLs)
You can configure Access Control Lists (ACLs) for filtering Service Advertisement Protocol (SAP) replies sent on a
routing switch's IPX interfaces. You configure IPX SAP access lists on a global basis, then apply them to the IPX
inbound or outbound filter group on specific interfaces. You can configure up to 32 access lists. The same access
list can be applied to multiple interfaces.
When you configure more than one access list on an IPX interface, the software applies the access lists in
numerical order. For example, if you configure access lists 1, 10, and 32 and apply them to an interface, the
software applies access list 1 first, then access list 10, then access list 32. This is true regardless of the order in
which you configure the access lists. At the first match, the software takes the action specified by the access list
(deny or permit) and stops comparing the update against the access lists.
IPX SAP access lists apply to SAP updates sent or received by the routing switch. You can apply them to a port's
inbound or outbound IPX traffic.
NOTE: IPX access lists replace the IPX filter mechanism in software releases earlier than 06.x. The older
commands are supported for backward compatibility but are not listed in the on-line help. If the device's
startup-config file contains IPX filter commands of the older format, they are replaced by equivalent IPX ACL
commands when you save the device's configuration while running 06.x or later.
Before you configure an access list on an IPX interface, all SAP updates are sent and received by default.
However, once you configure an access filter, the default action changes from permit to deny. Thus, SAP updates
that are not explicitly permitted are denied. To change the default action to permit, configure SAP access list 32 to
permit all updates on all networks.
NOTE: Each IPX SAP access list is a single filter. This is different from the system-wide ACLs, which each can
contain multiple individual filters. See "Using Access Control Lists (ACLs)" on page 3-1.
To configure IPX access lists, use the following CLI method.
USING THE CLI
To configure three IPX access lists and apply them to IPX interfaces on port 1/1, enter the following commands:
HP9300(config)# router ipx
HP9300(config)# ipx sap-access-list 1 deny abcd
HP9300(config)# ipx sap-access-list 10 deny efef.1234.1234.1234
HP9300(config)# ipx sap-access-list 32 permit -1 0
HP9300(config)# exit
HP9300(config)# int e 1/1
HP9300(config-if-1/1)# ipx sap-filter-group out 1 10 32
HP9300(config-if-1/1)# write memory
In this example, access list 1 denies all SAP updates containing IPX network abcd. Access list 10 denies SAP
updates for print server Prt1 from network efef, node 1234.1234.1234. Access list 32 ensures that all updates
that are not denied by the preceding access lists are permitted.
Syntax: [no] ipx sap-access-list <num> deny | permit <network>[.<node>] [<network-mask>.<node-mask>]
[<service-type> [<server-name>]]
Syntax: [no] ipx sap-filter-group in | out <num> [<num>]
The <num> parameter specifies the access list number and can be from 1 - 32.
The deny | permit parameter specifies whether the routing switch allows the SAP update or denies it.
The <network>[.<node>] parameter specifies the IPX network. Optionally, you also can specify a specific node
(host) on the network. The <network> parameter can be an eight-digit hexadecimal number from 1 - FFFFFFFE.
To specify all networks (any), enter -1 as the network number. If the network number has leading zeros, you do
not need to specify them. For example, you can specify network 0000abab as abab.
The node is a 48-bit value represented by three four-digit numbers joined by periods; for example,
1234.1234.1234.
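The following Python model of the evaluation rules described above (numerical order, first match, deny by default once a filter group is applied) is an added example, not part of the HP manual or the switch software. It matches only on the network and node fields; masks, service type and server name are ignored, and the function names and sample SAP entries are constructed for illustration.

```python
# Added illustration: models only <network>[.<node>]; masks, service type
# and server name from the syntax are parsed past and ignored (assumption).
ANY = "-1"  # per the manual, -1 as the network number matches all networks

def parse_acl(line):
    """Parse 'ipx sap-access-list <num> deny|permit <network>[.<node>] ...'."""
    tok = line.split()
    if tok[:2] != ["ipx", "sap-access-list"] or len(tok) < 5:
        raise ValueError(f"not a SAP access list: {line!r}")
    num, action = int(tok[2]), tok[3]
    if not 1 <= num <= 32 or action not in ("deny", "permit"):
        raise ValueError(f"bad number or action: {line!r}")
    net, _, node = tok[4].partition(".")
    if net != ANY:
        net = f"{int(net, 16):08x}"   # leading zeros optional: abab == 0000abab
    return num, action, net, node.lower() or None

def evaluate(acls, group, network, node):
    """Return (action, list number) for one SAP entry; None = default action."""
    if not group:
        return "permit", None        # no filter applied: all updates pass
    net = f"{int(network, 16):08x}"
    for num in sorted(group):        # numerical order, not configuration order
        action, acl_net, acl_node = acls[num]
        if acl_net in (ANY, net) and acl_node in (None, node.lower()):
            return action, num       # first match wins, comparison stops
    return "deny", None              # filter present, nothing matched

# The manual's three lists, entered out of order on purpose.
CONFIG = [
    "ipx sap-access-list 32 permit -1 0",
    "ipx sap-access-list 10 deny efef.1234.1234.1234",
    "ipx sap-access-list 1 deny abcd",
]
ACLS = {n: (a, net, node) for n, a, net, node in map(parse_acl, CONFIG)}

if __name__ == "__main__":
    # Constructed SAP entries (network, node) for the walk-through.
    samples = [("0000ABCD", "0000.0000.0001"), ("efef", "1234.1234.1234"),
               ("efef", "aaaa.bbbb.cccc"), ("1000", "0000.0000.0002")]
    for label, group in (("out 1 10 32", [1, 10, 32]), ("out 1 10", [1, 10])):
        for net, node in samples:
            print(label, net, node, evaluate(ACLS, group, net, node))
```

With the filter group reduced to `1 10`, every update that neither list matches falls through to the default deny, which is the case access list 32 exists to prevent.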