
Using IPX Circuit Filters


This document describes how IPX filtering works and how to set up IPX filters. It includes the following sections:

How Filters Work

Displaying the IPX Filtering Prompts

Configuring Filters

IPX Filter Commands

Update Commands

How Filters Work

You can create one input filter and one output filter for each IPX circuit. Filter criteria are called items. You assemble items into a filter list and then attach the filter list to a filter. Because you can attach a filter list to more than one filter, you do not have to enter the same filter criteria more than once. You can also attach more than one filter list to a filter.

There are two types of IPX filters: global filters and circuit filters. Global filters apply to all IPX circuits on the router. Circuit filters apply only to the IPX circuits that you specify.

Figure 4 shows how to set up a circuit filter.

Figure 4 Creating a Circuit Filter

Before the circuit receives or transmits an IPX packet, the filter software compares the packet against any input or output filter on the circuit. To do so, the software checks the packet against each filter list in order and, within a filter list, it checks each filter item in order.

SAP Filters

SAP filters let you reduce SAP traffic on WANs by controlling the extent to which a circuit broadcasts information about services.

SAP filters act on the server entries of SAP response packets. They filter based on the maximum hop count for a service or group of services.

Setting up SAP filters to exclude server entries from a packet has the following effect:

RIP Router Filters

RIP Router filters let you group IPX networks into distinct IPX internets by controlling which routers can exchange routing information. They also provide network security by allowing only authorized routers to communicate routing information.

RIP Router filters act on the IPX header of RIP response packets that the circuit receives. They filter based on the source node field.

You cannot set up RIP Router output filters.

Setting up RIP Router input filters to exclude packets means the router does not enter matching packets into the RIP routing table. This filter setup prevents all networks from learning about the selected network, at least through this router.

RIP Filters

RIP filters let you control the extent to which the circuit broadcasts routing information about selected networks.

RIP filters act on the network entries of RIP response packets. They filter based on the network address.

Setting up RIP filters to exclude network entries from a packet has the following effect:

IPX Filters

IPX filters provide security by letting you control the extent to which selected servers and end stations can communicate with each other.

IPX filters act on the IPX header of IPX packets. They filter based on source and destination network, node, and socket, as well as protocol type and hop count.

Note: Because IPX filters act on each packet the router receives, you should use them only when you require a high degree of specificity, that is, when you cannot use the RIP Router, RIP, or SAP filters.

Setting up IPX filters to exclude packets has the following effect:

To save processing time, IPX filters use a cache. When the IPX filter matches a packet, it saves the packet information in this cache. When the IPX filter receives a packet, it checks the packet against the entries in this cache before it compares the packet to the filter criteria. Use the set-cache command at the appropriate IPX filtering configuration prompt to set the number of entries the cache holds.

Displaying the IPX Filtering Prompts

Each type of circuit filter has its own prompt. Once you access the prompt, the commands to configure and monitor the filters are the same.

Configuration Prompts

Access IPX filtering configuration prompts from the IPX config> prompt as follows:

Filter Type    How to Access the Configuration Prompt

IPX            IPX config>filter-lists ipx
               IPX IPX-List Config>

RIP Router     IPX config>filter-lists router
               IPX Router-List Config>

RIP            IPX config>filter-lists rip
               IPX RIP-List Config>

SAP            IPX config>filter-lists sap
               IPX SAP-List Config>

Monitoring Prompts

Access IPX filtering monitoring prompts from the IPX> prompt as follows:

Filter Type    How to Access the Monitoring Prompt

IPX            IPX>filter-lists ipx
               IPX IPX-Lists>

RIP Router     IPX>filter-lists router
               IPX Router-Lists>

RIP            IPX>filter-lists rip
               IPX RIP-Lists>

SAP            IPX>filter-lists sap
               IPX SAP-Lists>

Configuring Filters

Here is an overview of how to set up a filter using RIP filters as an example.

1. Display the appropriate configuration prompt.

IPX config>filter-lists rip
IPX RIP-List Config>

2. Create a filter list and give it a name.

IPX RIP-List Config>create list
Enter a filter list name []? rip01

3. Display the configuration prompt for the filter list you created.

IPX RIP-List Config>update
Enter a filter list name []? rip01
IPX RIP-List 'rip01' Config>

4. Add filter criteria to the filter list.

IPX RIP-List 'rip01' Config>add
Network range start (in hex) [1]?
Network range end (in hex) [FFFFFFFE]?

The filter criteria vary according to the type of filter you are creating.

5. Set the action for the filter list to include or exclude.

IPX RIP-List 'rip01' Config>set-action include

When the software finds a match to an item in the filter list, it takes this action. See Table 7 and Table 8 for the results of including or excluding a packet.

6. Return to the filter configuration prompt.

IPX RIP-List 'rip01' Config>exit
IPX RIP-List Config>

7. Create an input or output filter for the desired circuit.

IPX RIP-List Config>create filter input
Enter an interface to filter [0]? 1

The software attaches a number to each filter. You use the number to configure the filter. To see a list of filter numbers, enter list all.

8. Set the default action for the filter to include or exclude.

IPX RIP-List Config>default exclude
Enter a filter number [1]? 1

If a packet does not match any of the filter criteria, the software takes the default action on the packet. See Table 7 and Table 8 for the results of including or excluding a packet.

9. Attach the filter list to a filter.

IPX RIP-List Config>attach
Enter a filter list name []? rip01
Enter a filter number [1]? 1

You can attach a filter list to more than one filter.
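The evaluation order from the steps above, modelled as an added Python example (not code from the router software). The list names lab and corp, the network numbers, and all class and function names are assumptions made for illustration; the demo shows that when ranges in two attached lists overlap, the order set with move decides which action wins.

```python
from dataclasses import dataclass, field

INCLUDE, EXCLUDE = "include", "exclude"


@dataclass
class RipList:
    """A RIP filter list: ordered items (network ranges) sharing one action."""
    name: str
    action: str                                   # set-action include|exclude
    items: list = field(default_factory=list)     # (start, end), inclusive

    def matches(self, network):
        # Items are checked in order; the first hit ends the search.
        return any(lo <= network <= hi for lo, hi in self.items)


@dataclass
class RipFilter:
    """One input or output filter on a circuit."""
    default: str = INCLUDE                        # new filters default to include
    lists: list = field(default_factory=list)     # attach order = check order

    def decide(self, network):
        """Return (action, reason) for one RIP network entry."""
        for flist in self.lists:
            if flist.matches(network):
                return flist.action, flist.name
        return self.default, "default"

    def move(self, name, before):
        """Model of the move command: reorder attached filter lists."""
        moving = next(fl for fl in self.lists if fl.name == name)
        self.lists.remove(moving)
        idx = next(i for i, fl in enumerate(self.lists) if fl.name == before)
        self.lists.insert(idx, moving)


def surviving_entries(rip_filter, networks):
    """Network entries the filter leaves in a RIP response."""
    return [n for n in networks if rip_filter.decide(n)[0] == INCLUDE]


# Constructed sample data: network numbers and list names are made up.
LAB = RipList("lab", EXCLUDE, [(0x00A10010, 0x00A1001F)])
CORP = RipList("corp", INCLUDE, [(0x00A10000, 0x00A1FFFF)])
ENTRIES = [0x00A10001, 0x00A10015, 0x00B20001]


def demo():
    flt = RipFilter(default=EXCLUDE, lists=[LAB, CORP])
    narrow_first = surviving_entries(flt, ENTRIES)
    flt.move("corp", before="lab")       # broad include now shadows the exclude
    broad_first = surviving_entries(flt, ENTRIES)
    return narrow_first, broad_first


if __name__ == "__main__":
    for result in demo():
        print([f"{n:08X}" for n in result])
```

With the narrow exclude list first, only network 00A10001 is advertised; after the move, 00A10015 is advertised as well because the broad include list matches before the exclude list is reached.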

IPX Filter Commands

Table 6 lists and defines the IPX filter commands.

Enter Space after you type a command to display the available parameters for each command. Enter the help command for information about using the command line interface.

Enter these commands at the appropriate filtering prompt, shown in Displaying the IPX Filtering Prompts.

[C] means the command is available at the filtering configuration prompts.

[M] means the command is available at the filtering monitoring prompts.

Table 6 IPX Filter Commands

Command            Function
Attach [C]         Adds a filter list to a filter.
Cache [M]          Displays the entries in the IPX filter cache.
Clear [M]          Clears the statistics listed using the list filter command.
Create [C]         Creates a filter list or an input or output filter.
Default [C]        Sets the default action for a specified filter to include or exclude.
Delete [C]         Deletes a filter list or a filter.
Detach [C]         Deletes a filter list from a filter.
Disable [C] [M]    Globally disables this type of filtering or disables a specified filter.
Enable [C] [M]     Globally enables this type of filtering or enables a specified filter.
List [C] [M]       Lists a summary of statistics and settings for each filter currently running in the router.
Move [C]           Changes the order of filter lists within a specified filter.
Set-Cache [C]      Changes the cache size for IPX filters.
Update [C]         Displays the prompt that lets you configure a specific filter list.
Exit [C] [M]       Returns to the previous prompt.

Attach [C]

Adds a filter list to a filter. You must have used the create command to create a filter list and a filter.

Syntax: attach filter-list-name filter-number

Example: attach

Enter a filter list name []? atm_list
Enter a filter number [1]? 3

Cache [M]

Applies only to IPX filters. Displays the entries in the IPX filter cache. See the set-cache command.

Syntax: cache

filter

Example: cache filter

Enter a filter number [1]?
Hops Type Dst Net Address Sock Src Net Address Sock Action
---- ---- -------- ------------ ---- -------- ------------ ---- -------

Clear [M]

Clears the filter statistics listed using the list filter command.

Syntax: clear

all
filter

all

Clears all statistics listed using the list filter command for each filter and each filter list.

Example: clear all

filter filter-number

Clears the statistics displayed with the list filter command for this filter plus all the statistics listed for each filter list in this filter.

Example: clear filter

Enter a filter number [1]?6

Create [C]

Creates a filter list or a filter.

Syntax: create

list
filter

list

Creates a filter list. Give the list a unique name of up to 16 characters. Use this name to identify and configure the filter list.

Example: create list

Enter a filter list name []? newyork

filter input/output

Creates an input or output filter for a circuit. Give the filter a unique name of up to 16 characters. Use this name to attach filter lists to this filter name.

By default, a new filter has no attached filter lists, it has a default action of include, and it is enabled.

You cannot create output filters for RIP Router filters.

Example: create filter input

Enter an interface to filter [0]?2

Default [C]

Sets the default action for the filter to exclude or include.

Syntax: default

exclude
include

exclude

Sets the default action for the filter to exclude. If a packet does not match any items in this filter, the router excludes the packet. Table 7 shows the result of excluding a packet for each type of filter.

Table 7 Excluding a Packet
Filter Type         When it excludes a packet, the software . . .
Input RIP Router    Ignores the RIP entry and does not enter it into the RIP routing table.
Input RIP           Ignores the RIP entry and does not enter it into the RIP routing table.
Output RIP          Excludes RIP entries from packets that it transmits.
Input SAP           Ignores the SAP entry and does not enter it into the SAP table.
Output SAP          Excludes SAP entries from packets that it transmits.
Input IPX           Discards the packet.
Output IPX          Discards the packet.

Example: default exclude

Enter a filter number [1]? 3

include

Sets the default action for the filter to include. If a packet does not match any items in this filter, the router includes the packet. Table 8 shows the result of including a packet for each type of filter.

Table 8 Including a Packet
Filter Type         When it includes a packet, the software . . .
Input RIP Router    Receives the packet for processing.
Input RIP           Enters the network entries in the RIP routing table.
Output RIP          Includes network entries in packets that it transmits.
Input SAP           Enters the server entries in the SAP table.
Output SAP          Includes server entries in packets that it transmits.
Input IPX           Receives the packet for processing.
Output IPX          Forwards the packet.

Example: default include

Enter a filter number [1]? 2

Delete [C]

Deletes a filter list or a filter.

Syntax: delete

list
filter

list filter list

Deletes a filter list and all filter items in the list. If the filter list is attached to a filter, use the detach command before entering this command. Otherwise, this command displays an error message and does not delete anything.

Example: delete list

Enter a filter list name []? newyork

filter filter-number

Deletes a filter created using the create filter command.

Example: delete filter

Enter a filter number [1]?

Detach [C]

Detaches a filter list from a filter.

Note: If the filter that you delete is not the highest number, all other filter numbers that are higher change.

Syntax: detach

Example: detach

Enter a filter list name []? newyork
Enter a filter number [1]?

Disable [C] [M]

Globally disables this type of filtering or disables a specified filter.

Note: When you enter this command at the configuration prompt, the configuration is permanent and takes effect when you restart your router. When you enter this command at the monitoring prompt, the effect is immediate, but the configuration reverts to the configuration in SRAM when you restart your router.

Syntax: disable

all
filter

all

Globally disables this type of filtering.

Example: disable all

filter filter-number

Disables a specified filter. Enter list filters to see a list of filter numbers.

Example: disable filter

Enter a filter number [1]? 3

Enable [C] [M]

Globally enables this type of filtering or enables a specified filter.

Syntax: enable

all
filter

all

Globally enables this type of filtering, although specific filters can still be disabled.

Example: enable all

filter filter-number

Enables a specified filter. Enter list filters to see a list of filter numbers.

Example: enable filter

Enter a filter number [1]? 3

List [C] [M]

Lists all of the filter lists and filters that you have configured, or lists a specified filter.

Syntax: list

all
filter

all

Displays all filter lists and filters.

Example: list all

Filtering: DISABLED

Filter Lists:
Name Action
------------------------------ ----------
smkipxlist EXCLUDE

Filters:
Id Default State Direction Cache Circuit
---- ---------- ---------- ---------- ----- -------
1 INCLUDE ENABLED INPUT 10 1:hotstuff

filter filter-number

Displays the filter configuration and the filter lists that are attached to the filter. At the monitoring prompt, this command also shows a count of how many packets have matched each filter list.

Example: list filter

Enter a filter number (1-1) [1]?

Filters:
Id Default State Direction Cache Circuit
---- ---------- ---------- ---------- ----- -------
1 INCLUDE ENABLED INPUT 10 1:hotstuff

Filter Lists:
Name Action Count
------------------------------ ---------- ------------
smkipxlist EXCLUDE 0

Move [C]

Changes the order of filter lists within a specified filter.

Syntax: move

Example: move

Enter filter list name to move []? ipx03
Enter filter list name before which to move []? ipx01
Enter a filter number [1]? 3

Set-Cache [C]

Sets the size of the filter cache. Only IPX filters have a cache. When the IPX filter matches a packet, it saves the packet information in this cache. When the IPX filter receives a packet, it checks the packet against the entries in this cache before it compares it to the filter criteria. This saves processing time for IPX filters. Use the cache monitoring command to display entries in the cache. The range is 4 to 64. The default is 10.

Syntax: set-cache cache-size filter-number

Example: set-cache

Number of cache entries [10]?16
Enter a filter number [1]? 3

Update [C]

Displays a prompt that lets you configure a specific filter list. The actual prompt varies according to the type of filter list you are configuring. Update Commands describes the commands that are available at this prompt.

Syntax: update filter-list-name

Example: update

Enter a filter list name []? newyork
IPX SAP-List 'newyork' Config>

Exit [C] [M]

Returns to the previous prompt.

Syntax: exit

Example: exit

Update Commands

Table 9 lists the filtering update commands. Enter these commands at the filter list configuration prompt that you displayed using the update command.

[C] means the command is available at the configuration prompt.

Table 9 Update Commands

Command           Function
Add [C]           Adds filter items to a filter list.
Delete [C]        Deletes filter items from a filter list.
List [C]          Lists a summary of all the filter lists and filters. Also generates a list of attached filter lists for this filter.
Move [C]          Changes the order of filter items within the filter list.
Set-Action [C]    Sets a filter item to include or exclude.
Exit [C]          Returns to the previous prompt.

Add [C]

Adds filter items to a filter list. The software attaches numbers to the filter items in order as you add them.

The order in which you add filter items is important because the router applies the filter items in order. The router stops comparing the packet to a filter when it finds the first match. Entering the most common filter items first makes the filtering process more efficient because the software is more likely to find a match at the beginning of the list. Use the move command to change the order of filter items after you have added them.

The following are examples of how to add each type of filter.

Syntax: add

Example: IPX SAP-List 'saplist' Config>add

Hop count comparator [<=]?
Hop count [16]?
Service type (in hex) [4]?
Server Name []?

Hop count comparator

The comparator to use against the hop count. Enter <, <=, =, >=, >. This parameter does not apply to output filters.

Hop count

The number of hops to use with the comparator. If you do not want to filter based on hop count, enter <=16 for the comparator and hop count. The range is 0 to 16. This parameter does not apply to output filters.

Service type

Type of service to filter. Enter 0000 for all service types.

Server name

Name of the service to filter. Server name entries are case-sensitive. You must enter them in the case that the server expects. You can use the following wildcards in the name:

* - Represents any portion of the service name.

? - Any single character in the service name.
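An added Python model of how a SAP filter item could be matched against the server entries of a SAP response (not code from the router software). The server names, the sample response, and all class and function names are assumptions made for illustration; it shows the case-sensitive wildcard match, the 0000 service type, and the hop count test that applies to input filters only.

```python
import operator
import re
from dataclasses import dataclass

COMPARATORS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
               ">=": operator.ge, ">": operator.gt}


def name_regex(pattern):
    """Compile a server-name pattern: * is any run, ? is one character."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in pattern]
    return re.compile("".join(parts), re.DOTALL)   # no IGNORECASE: case matters


@dataclass(frozen=True)
class SapEntry:
    """One server entry carried in a SAP response packet."""
    hops: int
    service_type: int
    name: str


@dataclass(frozen=True)
class SapItem:
    name: str
    service_type: int = 0x0000     # 0000 matches every service type
    hop_cmp: str = "<="
    hops: int = 16                 # <= 16 means "do not filter on hops"

    def matches(self, entry, direction="input"):
        # The hop count parameters do not apply to output filters.
        if direction == "input":
            if not COMPARATORS[self.hop_cmp](entry.hops, self.hops):
                return False
        if self.service_type and entry.service_type != self.service_type:
            return False
        return name_regex(self.name).fullmatch(entry.name) is not None


def strip_entries(entries, items, direction="output"):
    """Entries left by one filter list whose action is exclude, when the
    filter's default action is include."""
    return [e for e in entries
            if not any(i.matches(e, direction) for i in items)]


# Constructed SAP response; server names are made up.
RESPONSE = [SapEntry(1, 0x0004, "ACCT-FS1"), SapEntry(1, 0x0004, "acct-fs2"),
            SapEntry(2, 0x0007, "ACCT-PS1"), SapEntry(5, 0x0004, "LAB-FS10")]

if __name__ == "__main__":
    kept = strip_entries(RESPONSE, [SapItem("ACCT*", 0x0004)])
    print([e.name for e in kept])
```

The lowercase entry acct-fs2 survives the ACCT* exclude item, which is the practical consequence of case-sensitive names: a pattern typed in the wrong case silently filters nothing.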

Example: IPX RIP-List 'riplist' Config>add

Network range start (in hex) [1]?
Network range end (in hex) [FFFFFFFE]?

Network range start

Network range end

The start and end of a range of destination IPX network numbers to filter. To filter a single network number, set the start and end range to that network number. To filter all network numbers, set the start to 00000001 and the end to FFFFFFFE.

Example: IPX Router-List 'routerlist' Config>add

Node number []? 0000000000f4
Node number mask [ffffffffffff]?

Node number

Node number mask

Along with the node number mask, a value to compare against the source node address of the router that sent the RIP response packet.

To filter a single address, set the mask to FFFFFFFFFFFF. To filter all addresses, set the mask to 000000000000.

Example: IPX IPX-List 'ipx' Config>add

Hop count comparator [<=]?
Hop count [16]?
Packet type (in hex) [0]?
Destination network range start (in hex) [1]?
Destination network range end (in hex) [FFFFFFFE]?
Destination node number []? 0000000000F4
Destination node number mask [ffffffffffff]?
Destination socket range start (in hex) [0]?
Destination socket range end (in hex) [FFFF]?
Source network range start (in hex) [1]?
Source network range end (in hex) [FFFFFFFE]?
Source node number []? 0000000000F1
Source node number mask [ffffffffffff]?
Source socket range start (in hex) [0]?
Source socket range end (in hex) [FFFF]?

Hop count comparator

The comparator to use against the hop count. Enter <, <=, =, >=, >. This parameter does not apply to output filters.

Hop count

Along with the comparator, sets the number of hops on which to filter. If you do not want to filter based on hop count, enter <=16 for the comparator and hop count. The range is 0 to 16. This parameter does not apply to output filters.

Packet type

Type of IPX packet to filter. Enter 00 to filter all packet types.

Destination network range start

Destination network range end

The start and end of a range of destination IPX network numbers to filter. To filter a single network number, set the start and end range to that network number. To filter all network numbers, set the start to 00000001 and the end to FFFFFFFE.

Destination node number

Along with the destination node mask, a value to compare against the destination node address.

Destination node number mask

To filter a single address, set the mask to FFFFFFFFFFFF. To filter all addresses, set the mask to 000000000000.

Destination socket range start

Destination socket range end

The start and end of a range of destination IPX sockets to filter. To filter a single socket, set the start and end range to that socket. To filter all sockets, set the start to 0000 and the end to FFFF.

Source network range start

Source network range end

The start and end of a range of source IPX networks to filter. To filter a single network, set the start and end range to that network number. To filter all source IPX networks, set the start to 00000001 and the end to FFFFFFFE.

Source node number

Along with the source node mask, a value to compare against the source node address.

Source node number mask

To filter a single address, set the mask to FFFFFFFFFFFF. To filter all addresses, set the mask to 000000000000.

Source socket range start

Source socket range end

The start and end of a range of source IPX sockets to filter. To filter a single socket, set the start and end range to that socket. To filter all sockets, set the start to 0000 and the end range to FFFF.
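An added Python model of matching one IPX filter item against a packet header (not code from the router software). The class names and the sample endpoints are assumptions, as is the rule that only bits set in the node mask are compared, which agrees with the two mask values the text defines; the same mask comparison is used here as a stand-in for RIP Router items.

```python
import operator
from dataclasses import dataclass

COMPARATORS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
               ">=": operator.ge, ">": operator.gt}


@dataclass(frozen=True)
class Endpoint:
    """Network, node and socket taken from one side of an IPX header."""
    net: int
    node: int
    sock: int


@dataclass(frozen=True)
class EndpointRule:
    """Source or destination half of an item; ranges default as at the prompt."""
    node: int
    node_mask: int = 0xFFFFFFFFFFFF       # all ones: exactly this node
    net_start: int = 0x00000001
    net_end: int = 0xFFFFFFFE
    sock_start: int = 0x0000
    sock_end: int = 0xFFFF

    def matches(self, ep):
        # Assumption: only bits set in the mask are compared.
        same_node = (ep.node & self.node_mask) == (self.node & self.node_mask)
        return (self.net_start <= ep.net <= self.net_end and same_node
                and self.sock_start <= ep.sock <= self.sock_end)


@dataclass(frozen=True)
class IpxItem:
    dst: EndpointRule
    src: EndpointRule
    hop_cmp: str = "<="
    hops: int = 16
    packet_type: int = 0x00               # 00 matches every packet type

    def matches(self, pkt_hops, pkt_type, dst, src, direction="input"):
        # The hop count test does not apply to output filters.
        if direction == "input":
            if not COMPARATORS[self.hop_cmp](pkt_hops, self.hops):
                return False
        if self.packet_type and pkt_type != self.packet_type:
            return False
        return self.dst.matches(dst) and self.src.matches(src)


# Constructed sample: the item from the add example (node F1 talking to F4).
ITEM = IpxItem(dst=EndpointRule(node=0xF4), src=EndpointRule(node=0xF1))
SERVER = Endpoint(net=0x20, node=0xF4, sock=0x0451)
CLIENT = Endpoint(net=0x10, node=0xF1, sock=0x4003)
OTHER = Endpoint(net=0x10, node=0xF2, sock=0x4003)

if __name__ == "__main__":
    print(ITEM.matches(3, 0x11, dst=SERVER, src=CLIENT))   # F1 -> F4
    print(ITEM.matches(3, 0x11, dst=SERVER, src=OTHER))    # F2 -> F4
```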

Delete [C]

Deletes a filter item from the filter list. To see a list of item numbers, enter list.

Syntax: delete item-number

Example: delete

Enter an item number [1]? 2

List [C]

Lists all the filter items and the default action for the filter list. The display varies depending on the type of filter you are updating. The following example shows an IPX filter list.

Syntax: list

Example: list

Action: EXCLUDE
Id Hops Type Net Range Address Mask Sock Range
--- ---- ---- ---------- ----------- ------------ -----------
1 <=16 0 1 - FFFFFFFE 0000000000F4 FFFFFFFFFFFF 0 - FFFF (Dest)
1 - FFFFFFFE 0000000000F1 FFFFFFFFFFFF 0 - FFFF (Sourc)

Move [C]

Changes the order of filter items within the filter list.

Syntax: move

Example: move

Item number to move [1]?2
Item number before which to insert item [1]?4

Set-Action [C]

Sets the action to take when the software finds a match to an item in the filter list. See Table 7 for the results of excluding a packet. See Table 8 for the results of including a packet.

Syntax: set-action include or exclude

Example: set-action exclude

Exit [C]

Returns to the previous prompt.

Syntax: exit

Example: exit




Copyright © 2001, Nx Networks, Inc. All rights reserved.