Cisco Commands Line




Cisco Commands Line


Index

Command:

access-list (IPX extended)


Mode:

Router(config)#


Syntax:

access-list access-list-number {deny | permit} {protocol} [source-network | source-net.node-address | source-net.node-address source-network.node-mask | source-net.node-address source-node-mask] [source-socket] [destination-network | destination-network.destination-node | destination-network.destination-node destination-node-mask | destination-network.destination-node destination-network-mask.destination-node-mask] 
[destination-socket] [log] [time-range time-range]

no access-list access-list-number {deny | permit} {protocol} [source-network | source-net.node-address | source-net node-address source-network.node-mask | source-net.node-address source-node-mask] [source-socket] [destination-network | destination-network.destination-node | destination-network.destination-node destination-node-mask | destination-network.destination-node destination-network-mask.destination-node-mask] [destination-socket] [log] [time-range time-range]


Syntax Description:

access-list-number

Number of the access list. This is a number from 900 to 999.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol

Name or number of an IPX protocol type. This is sometimes referred to as the packet type. The table in the "Usage Guidelines" section lists some IPX protocol names and numbers.

source-network

(Optional) Number of the network from which the packet is being sent. This is an eight-digit hexadecimal number that uniquely identifies a network cable segment. It can be a number in the range 1 to FFFFFFFE. A network number of 0 matches the local network. A network number of -1 matches all networks.

Leading zeros do not need to be specified in the network number. For example, for the network number 000000AA, simply enter AA.

source-node

(Optional) Node on source-network from which the packet is being sent. This is a 48-bit value represented by a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx).

source-node-mask

(Optional) Mask to be applied to source-node. This is a 48-bit value represented as a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions to be masked.

source-network-mask

(Optional) Mask to be applied to source-network. This is an eight-digit hexadecimal mask. Place ones in the bit positions to be masked.

The mask must immediately be followed by a period, which must in turn immediately be followed by source-node-mask.

source-socket

(Optional) Socket name or number (hexadecimal) from which the packet is being sent. Table in the "Usage Guidelines" section lists some IPX socket names and numbers.

destination-network

(Optional) Number of the network to which the packet is being sent. This is an eight-digit hexadecimal number that uniquely identifies a network cable segment. It can be a number in the range 1 to FFFFFFFE. A network number of 0 matches the local network. A network number of -1 matches all networks.

Leading zeros do not need to be specified in the network number. For example, for the network number 000000AA, simply enter AA.

destination-node

(Optional) Node on destination-network to which the packet is being sent. This is a 48-bit value represented by a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx).

destination-node-mask

(Optional) Mask to be applied to destination-node. This is a 48-bit value represented as a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions to be masked.

destination-network-mask.

(Optional) Mask to be applied to destination-network. This is an eight-digit hexadecimal mask. Place ones in the bit positions to be masked.

The mask must immediately be followed by a period, which must in turn immediately be followed by destination-node-mask.

destination-socket

(Optional) Socket name or number (hexadecimal) to which the packet is being sent. Table in the "Usage Guidelines" section lists some IPX socket names and numbers.

log

(Optional) Logs IPX access control list violations whenever a packet matches a particular access list entry. The information logged includes source address, destination address, source socket, destination socket, protocol type, and action taken (permit/deny).

 


Command Description:

To define an extended Novell IPX access list, use the extended version of the access-list global configuration command. To remove an extended access list, use the no form of this command.

Extended IPX access lists filter on protocol type. All other parameters are optional.

If a network mask is used, all other fields are required.

Use the ipx access-group command to assign an access list to an interface. Only one extended or one standard access list can be applied to an interface. The access list filters all outgoing packets on the interface.

 

Note   For some versions of NetWare, the protocol type field is not a reliable indicator of the type of packet encapsulated by the IPX header. In these cases, use the source and destination socket fields to make this determination. For additional information, contact Novell.

Table lists some IPX protocol names and numbers. Table lists some IPX socket names and numbers. For additional information about IPX protocol numbers and socket numbers, contact Novell.

 Table: Some IPX Protocol Names and Numbers

IPX Protocol Name IPX Protocol Number (Decimal) Protocol (Packet Type)

-1

any

Wildcard; matches any packet type in 900 lists

0

 

Undefined; refer to the socket number to determine the packet type

1

rip

Routing Information Protocol (RIP)

4

sap

Service Advertising Protocol (SAP)

5

spx

Sequenced Packet Exchange (SPX)

17

ncp

NetWare Core Protocol (NCP)

20

netbios

IPX NetBIOS

 

Table: Some IPX Socket Names and Numbers

IPX Socket Number (Hexadecimal) IPX Socket Name

Socket

 

0

all

All sockets, wildcard used to match all sockets

2

cping

Cisco IPX ping packet

451

ncp

NetWare Core Protocol (NCP) process

452

sap

Service Advertising Protocol (SAP) process

453

rip

Routing Information Protocol (RIP) process

455

netbios

Novell NetBIOS process

456

diagnostic

Novell diagnostic packet

457

 

Novell serialization socket

4000-7FFF

 

Dynamic sockets; used by workstations for interaction with file servers and other network servers

8000-FFFF

 

Sockets as assigned by Novell, Inc.

85BE

eigrp

IPX Enhanced Interior Gateway Routing Protocol (EIGRP)

9001

nlsp

NetWare Link Services Protocol

9086

nping

Novell standard ping packet

To delete an extended access list, specify the minimum number of keywords and arguments needed to delete the proper access list. For example, to delete the entire access list, use the following command:

  

Router(config)#no access-list access-list-number

To delete the access list for a specific protocol, use the following command:

     Router(config)#no access-list access-list-number {deny | permit} protocol


Examples:

The following example denies access to all RIP packets from the RIP process socket on source network 1 that are destined for the RIP process socket on network 2. It permits all other traffic. This example uses protocol and socket names rather than hexadecimal numbers.

Router(config)#access-list  900  deny  -1 1 rip 2 rip
 
Router(config)#access-list  900  permit  -1

The following example permits type 2 packets from any socket from host 10.0000.0C01.5234 to access any sockets on any node on networks 1000 through 100F. It denies all other traffic (with an implicit deny all):

 

Note   This type is chosen only as an example. The actual type to use depends on the specific application.

 

Router(config)#access-list 910 permit 2 10.0000.0C01.5234 0000.0000.0000 0 1000.0000.0000.0000 F.FFFF.FFFF.FFFF 0


Misconceptions:

 

None


Related Commands:

 

ipx access-group

 

ipx access-list

 

access-list (IPX standard)