This chapter describes how to use the IPX protocol on your 2212. It includes the following sections:
IBM's implementation of IPX allows the router to function as a Novell NetWare internetwork router. It has these characteristics:
The following sections describe IPX addressing.
An IPX network number specifies the location of a particular network in an internetwork. You can use multi-part addresses like the city-street-house address on a piece of mail. For example, IPX refers to network numbers (city), host numbers (street), and socket numbers (house). These addresses allow communication between two entities on different networks.
Each IPX circuit needs a 6-byte host (node) number.
Token-Ring and Ethernet circuits use their hardware MAC address as their host number, and you cannot change them.
Because serial lines have no hardware MAC addresses, you must specify a unique host number. IPXWAN uses the configured node id followed by x'0000'.
The IPX routing software models network interfaces as either a single IPX broadcast circuit, as one or more IPXWAN point-to-point circuits, or a combination of both types of circuits. The type of encapsulation, IPX addressing and routing protocols used on the circuit depend on the underlying DLC and whether the IPX circuit is configured as broadcast or IPXWAN point-to-point.
IPX broadcast circuits have the following characteristics:
IPXWAN point-to-point circuits have the following characteristics:
The following sections describe the modeling of each type of supported network interfaces.
The IPX routing software models a LAN interface as a single IPX broadcast circuit.
The circuit must be assigned a unique non-zero IPX network number.
The network interface's MAC address serves as the circuit's IPX node number.
The LAN all-stations address (x'FFFFFFFFFFFF') is used to receive and transmit broadcast packets, such as RIP and SAP updates.
The normal encapsulation types are supported for the appropriate type of LAN interface.
The IPX maximum packet size is derived from the MTU configured for the interface.
For token-ring interfaces, source-routing can be enabled on the interface to allow the IPX forwarder to reach end-stations (and other routers) across source-route bridges.
Any or all of the following routing types may be used on the circuit:
The IPX routing software models a PPP interface as either a single IPX broadcast circuit or a single IPXWAN point-to-point circuit.
The IPX maximum packet size is derived from the MTU negotiated by the underlying PPP DLC.
When configured as a broadcast circuit, the circuit must be assigned a unique non-zero network number.
Since there is no MAC address associated with a PPP interface, a configured host number is used as the circuit's IPX node number.
Any or all of the following routing types may be used on the circuit:
When configured as an IPXWAN point-to-point circuit, the circuit uses IPXWAN to negotiate routing parameters.
The IPXWAN numbered RIP routing type requires a unique non-zero network number to be assigned to the circuit. The other IPXWAN routing types (unnumbered RIP, static routing) do not require a network number (value 0).
Because there is no MAC address associated with the PPP interface, the IPXWAN node id followed by 0000 is used as the circuit's IPX node number.
The routing type to be negotiated on the circuit is configurable. If static routing is enabled, no other routing type will be negotiated. Any or all of the following remaining types can be enabled and will be negotiated down to a single routing type in descending order of preference:
The IPX routing software models a Frame Relay interface as:
The IPX maximum packet size is derived from the MTU configured for the interface.
The underlying Frame Relay DLC uses InARP to map destination IPX node addresses to the appropriate Frame Relay virtual circuit. Optionally, destination IPX node addresses can be statically configured for VCs connected to routers which do not support InARP.
All virtual circuits on the Frame Relay interface which are not configured as IPXWAN point-to-point circuits are grouped together and modeled as a single IPX broadcast circuit which must be assigned a unique non-zero network number. As such, the underlying virtual circuits defined by the user to interconnect routers on the Frame Relay network are transparent to the IPX routing software.
Because there is no MAC address associated with a Frame Relay interface, a configured host number is used as the circuit's IPX node number.
The LAN all-stations address (x'FFFFFFFFFFFF') serves as the IPX broadcast address on the circuit. Packets addressed to the broadcast address are transmitted on all VCs in the IPX broadcast circuit by the underlying Frame Relay DLC. This Frame Relay protocol-broadcast function is activated by enabling the following Frame Relay configuration options:
In order to support non-fully meshed Frame Relay topologies, split-horizon can be disabled on the IPX broadcast circuit. This allows RIP and SAP to propagate information to all virtual circuits in the IPX broadcast circuit so that intermediate routing between virtual circuits in the same IPX broadcast circuit can occur.
Fully-meshed Frame Relay topologies need not disable split-horizon.
Any or all of the following routing types may be used on the circuit:
IPX can be configured to operate as IPXWAN point-to-point circuits over individual Frame Relay PVCs and SVCs. IPXWAN is used to negotiate routing parameters.
The IPXWAN numbered RIP routing type requires a unique non-zero network number to be assigned to the circuit. The other IPXWAN routing types (unnumbered RIP, static routing) do not require a network number (value of 0).
Because there is no MAC address associated with the Frame Relay interface, the IPXWAN node id followed by 0000 is used as the circuit's IPX node number.
The routing type to be negotiated on the circuit is configurable. If static routing is enabled, no other routing type will be negotiated. Any or all of the following remaining types can be enabled and will be negotiated down to a single routing type in descending order of preference:
The IPX routing software models an X.25 interface as a single IPX broadcast circuit. As such, the underlying VCs defined by the user to interconnect routers on the X.25 network are transparent to the IPX routing software.
The circuit must be assigned a unique IPX non-zero network number.
Since there is no MAC address associated with an X.25 interface, a configured host number is used as the circuit's IPX node number.
The LAN all-stations address (x'FFFFFFFFFFFF') serves as the IPX broadcast address on the circuit. Packets addressed to the broadcast address are transmitted to all destination X.25 addresses in the IPX broadcast circuit by the underlying X.25 DLC.
The IPX maximum packet size is derived from the MTU configured for the interface.
In order to support non-fully meshed X.25 topologies, split-horizon can be disabled on the IPX broadcast circuit. This allows RIP and SAP to propagate information to all destination X.25 addresses in the IPX broadcast circuit so that intermediate routing between VCs in the same IPX broadcast circuit can occur.
Fully-meshed X.25 topologies need not disable split-horizon.
Any or all of the following routing types may be used on the circuit:
Destination IPX node addresses must be statically configured for all destination X.25 addresses, since the X.25 DLC does not support InARP.
This section describes how to initially configure IPX. The following sections describe optional parameters you can set.
* talk 6
Config> protocol ipx
IPX protocol user configuration
IPX config>
IPX config> enable ipx
IPX Config>add broadcast-circuit
Which interface [0]? 1
IPX circuit number[3]? 5
IPX network number in hex ('0' is only allowed on IPXWAN unnumbered circuits) [1]? 01

IPX Config>add ipxwan-circuit
Which interface [0]? 2
IPX circuit number[4]? 6
IPX network number in hex ('0' is only allowed on IPXWAN unnumbered circuits) [1]? 40
Use Frame Relay PVC ? no
Frame Relay SVC circuit name ? Indianapolis

Note: IPX network number 0 is valid only on IPXWAN unnumbered RIP or static routing circuits. IPX network number FFFFFFFF is not a valid IPX network number. IPX network number FFFFFFFE is reserved for the IPX Default Route and may not be used as an IPX network number.

IPX config>set host-number
Host number for serial lines (in hex) []? 2
The default encapsulation formats are:
Use the frame command as shown here:
IPX config> frame ethernet_8023
IPX circuit number [1]? 2

IPX config> set ipxwan
IPX circuit number [1]? 3
Routing type ('u'=Unnumbered, 'r'=RIP, 'b'=Both, 's'=Static) [u] r
Connection Timeout (in sec) [60]? 90
Retry timer (in sec) [60]? 45
Optional settings that you can adjust are described in the following sections.
The IPX RIP network table contains information about each IPX network. The default table size is 32. You can configure the table size from 1 to 2048; however, there may be memory limitations on the router that can prevent the maximum table size from being used.
IPX config>set maximum networks
New Network table size [32]? 32
IPX uses RIP to maintain routes in its routing tables. A route indicates the path a packet follows. The RIP update interval determines how often the router broadcasts its routing information tables to its circuits. It also determines how long a RIP entry remains before being aged-out.
Valid entries remain in the routing tables for a period of three multiples of the RIP update interval, and the router broadcasts its RIP tables once every update interval.
For example, the default interval is 1 minute, which allows a valid entry to remain in the table for 3 minutes. After this time, if an entry is not refreshed by a RIP update, the route is marked with a hop count of infinity (16) and then it is deleted. Every 60 seconds the router broadcasts its RIP tables to corresponding circuits.
You can configure the RIP interval from 1 to 1440 minutes (24 hours). Increasing the RIP interval reduces traffic on WAN lines and dial circuits. It also prevents dial-on-demand circuits from dialing out as often.
Note: While complete RIP advertisements are controlled by the interval, the router still propagates network topology changes as quickly as it learns them.
The RIP interval is not configurable on the Novell file server.
IPX config>set rip-update-interval
IPX circuit number [1]? 2
RIP timer value(minutes) [1]? 2
The IPX Service Advertising Protocol (SAP) services table is a distributed database used to find NetWare Services, such as file servers. Services are uniquely identified by a 2-byte numeric type and a 47-character name. Each service provider advertises its services, specifying service type, name, and address. The router accumulates this information in a table and sends it to other routers. The default table size is 32.
You can configure the table size from 1 to 2048; router memory constraints may prevent the maximum table size from being used.
IPX config>set maximum services
New Service table size [32]? 32
The IPX Service Advertising Protocol (SAP) interval lets you configure the time between IPX SAP updates on a per-circuit basis. All router circuits on the same network must use the same SAP interval. This interval determines both the age-out time for table information, and the interval between broadcasts to router circuits.
Valid entries remain in the SAP services table for a period of three multiples of the SAP update interval, and the router broadcasts its SAP services table information once every update interval.
You can configure the SAP interval from 1 to 1440 minutes (24 hours). Increasing the SAP interval reduces traffic on WAN lines and dial circuits. It also prevents dial-on-demand circuits from dialing out as often.
Note: While complete SAP advertisements are controlled by this interval, the router still propagates network topology changes as quickly as it learns them.
The SAP interval is not configurable on the Novell file server.
IPX config>set sap-update
IPX circuit number [1]? 2
SAP timer value(minutes) [1]? 4
You can configure IPX to prevent Keepalive and serialization packets from continually activating a dial-on-demand link or to minimize traffic over a dial-on-demand link.
In Figure 48, for example, if the Novell Client logs into the Novell Server and then remains idle, the server sends periodic Keepalive requests to the client and the client replies with Keepalive replies. Keepalive filtering causes the routers to enter the first Keepalive reply into their Keepalive tables and then forward the reply. After that, the routers do not forward Keepalive traffic for that client-server connection over the WAN link. Instead, Router A replies to Keepalive requests it receives from the server and Router B sends Keepalive requests to the Novell Client.
Keepalive filtering also prevents the routers from forwarding NetWare serialization packets over the WAN link.
Figure 48. Keepalive Filtering
To set up Keepalive filtering, enable it on the dial circuits.
IPX Config> enable keepalive-filtering
IPX circuit number [1]? 5
You can configure IPX so that it keeps more than one routing table entry for the same destination network. The benefit of this feature is that if a route goes down, the alternate route is used immediately. The router does not have to wait for a RIP broadcast, which could take from a few seconds to a minute, to learn a new route. The router stores only equal-cost paths in the routing table.
Use the following command to configure the maximum number of routes that will be stored in the routing table for each destination. The range is 1 to 64. The default is 1.
IPX config>set maximum routes-per-destination
New maximum number of routes per destination net [1]? 4
Use the following command to set the total number of entries kept in the routing table. The range is 1 to 4096. The default is 32. Set the number of entries to at least the same size as the RIP network table. (Configure the size of the RIP network table using the set maximum networks command explained in this chapter.)
IPX config> set maximum total-route-entries
New route table size [32]? 40
On an IPX circuit basis, you may configure the RIP circuit cost (in ticks). The circuit cost is considered when calculating the total route cost in route advertisements. If multiple routes to the same destination exist, you can influence route selection by assigning a higher route cost to one IPX circuit than to another. Use the following command to set the circuit cost for a specific directly connected route.
IPX config> set rip-ticks
IPX circuit number [1]? 2
RIP ticks value (in 55msec ticks [0]? 3
Static routes can be configured per destination network number. Each static route is associated with a circuit and is installed in the routing table when IPX is activated on the circuit. The static route is removed from the routing table when IPX is deactivated on the circuit, the circuit itself is taken down, or any dynamically-learned route to the destination network is learned. Dynamically-learned routes (via RIP) always override static routes. The static route will be reinstalled in the routing table when IPX is reactivated on the circuit, the circuit itself comes back up, or when all RIP routes to the destination network are lost.
Static routes are particularly useful over dial-on-demand circuits where RIP is disabled and routes to destination networks are statically configured on the dial-on-demand circuit.
Static routing may be used on a circuit by itself or in combination with RIP. The only exception to this is when static routing is enabled on an IPXWAN circuit. In this case, static routing is the only routing type negotiated by IPXWAN.
Static routes will be advertised by RIP, subject to split-horizon and applicable filters.
When multiple static routes per destination network are configured, the same rules used to choose RIP routes are used to determine which static routes are installed in the routing table. Multiple static routes to the same destination network will be installed in the routing table if they are of equal cost. Up to the configured routes per destination can be concurrently stored in the routing table.
The following example shows how to configure an IPX static route.
IPX Config> disable rip
IPX circuit number [1]? 2
IPX Config> enable route-static
IPX Config> add route-static
IPX net address: (1-fffffffe) [1]? 30
IPX circuit number [1]? 2
Next-hop address, in hex [] ? 400000003000
Ticks: (0-30000) [0]? 4
Hops: (0-14) [0]? 4
Static services can be configured per service type or name pair. Each static service is associated with a circuit and is installed in the SAP services table when IPX is activated on the circuit, and a route to the service's network is known (either by static route or RIP advertisement). The static service is removed from the SAP table when IPX is deactivated on the circuit, the circuit itself is taken down, the route to the server's network is lost, or the same service is learned dynamically. As long as a route to the server's network is known, the static service will be reinstalled in the service table when IPX is reactivated on the circuit, the circuit itself comes back up, or when the SAP-learned service is lost. Dynamically-learned services (using SAP) always override static services.
Static services are particularly useful over dial-on-demand circuits where SAP is disabled and services are statically configured on the dial-on-demand circuit.
Static services may be used on a circuit by itself or in combination with RIP/SAP. The only exception to this is when static routing is enabled on an IPXWAN circuit. In this case, static routing is the only routing type negotiated by IPXWAN.
Static services will be advertised by SAP, subject to split-horizon and applicable filters.
When multiple static services per name or type are configured, the same rules used to choose SAP services are used to determine which static service is installed in the routing table. Note that if there are equal-cost static services configured, the one defined on the same circuit as the current route to the server's network will be installed in the service table.
The following example shows how to configure an IPX static service.
IPX Config> disable sap
IPX circuit number [1]? 2
IPX Config> enable sap-static
IPX Config> add sap-static
Sap type: (0-ffff) [4]?
Sap name: []? FILE_SERVER01
IPX circuit number [1]? 2
IPX net address: (1-fffffffe) [1]? 30
IPX node address, in hex: []? 400000202000
IPX socket: (0-ffff) [451]?
Hops: (0-14) [0]? 4
The default route is a special case of a static route. It is used as a last resort as a next hop for unknown destination networks.
The default route is especially useful on dial-on-demand circuits when RIP is disabled. Configuring the default route on the dial-on-demand circuit allows clients to request routes and send packets to destination networks on the other side of the circuit without having to configure a static route for each destination.
For routers using RIP, the default route is designated by network number FFFFFFFE.
When advertising RIP routes, the default route (like any other static route) will be advertised, after being subjected to the RIP filters and split-horizon.
When responding to a RIP request for an unknown destination network, the router responds to the request only if it has a default route in the routing table.
When forwarding packets, if the route to the destination network is unknown, the forwarder will forward the packet to the next-hop router that is advertising the default route (or the next-hop router indicated by the local static default route definition in the case of static routing).
The following example shows how to configure a RIP default route.
IPX Config> enable route-static
IPX Config> add route-static
IPX net address: (1-fffffffe) [1]? fffffffe
IPX circuit number [1]? 2
Next-hop address, in hex: []? 400000003030
Ticks: (0-30000) [0]? 4
Hops: (0-14) [0]? 4
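The install and removal rules for static routes and the default-route lookup described above, modelled in Python as an added example (not the router's own code). The two static routes use the values from the sessions on this page; the RIP route, the second static route, and comparing cost by ticks and then hops are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

DEFAULT_ROUTE_NET = 0xFFFFFFFE  # network number reserved for the default route


@dataclass(frozen=True)
class Route:
    dest_net: int
    circuit: int
    next_hop: int
    ticks: int
    hops: int
    static: bool = False


def install(candidates: Iterable[Route], up_circuits: Set[int],
            max_per_dest: int = 1) -> Dict[int, List[Route]]:
    """Return the routing table that results from the candidate routes."""
    by_dest: Dict[int, List[Route]] = {}
    for r in candidates:
        # A route exists only while IPX is active on its circuit.
        if r.circuit in up_circuits:
            by_dest.setdefault(r.dest_net, []).append(r)

    table: Dict[int, List[Route]] = {}
    for dest, routes in by_dest.items():
        dynamic = [r for r in routes if not r.static]
        # Any dynamically learned route overrides every static route,
        # regardless of cost. Statics return when all RIP routes are lost.
        pool = dynamic or routes
        # Assumption: cost is compared by ticks, then hops.
        best = min((r.ticks, r.hops) for r in pool)
        equal_cost = [r for r in pool if (r.ticks, r.hops) == best]
        # Only equal-cost paths are kept, up to the configured maximum.
        table[dest] = equal_cost[:max_per_dest]
    return table


def next_hop_for(table: Dict[int, List[Route]], dest_net: int) -> Optional[Route]:
    """Forwarding lookup: exact network first, default route as last resort."""
    routes = table.get(dest_net) or table.get(DEFAULT_ROUTE_NET)
    return routes[0] if routes else None


# Static routes as configured in the sessions on this page (circuit 2).
STATIC_30 = Route(0x30, 2, 0x400000003000, ticks=4, hops=4, static=True)
STATIC_DEFAULT = Route(DEFAULT_ROUTE_NET, 2, 0x400000003030, 4, 4, static=True)
# Constructed routes for the scenarios below.
RIP_30 = Route(0x30, 1, 0x0000C9000001, ticks=9, hops=6)
STATIC_30_ALT = Route(0x30, 3, 0x400000003001, ticks=4, hops=4, static=True)

if __name__ == "__main__":
    t = install([STATIC_30, STATIC_DEFAULT, RIP_30], {1, 2})
    print("net 30 via", hex(next_hop_for(t, 0x30).next_hop))
    print("net 99 via", hex(next_hop_for(t, 0x99).next_hop))
```

The RIP route wins even though its cost is higher than the static route's, which is why RIP is disabled on the circuit before the static route is configured in the session above.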
Generally, SAP advertisements are accepted only if a route to the server's network is known. If the route to the server's network is not known, but a default route is known, the advertisement is also accepted (after being subjected to the SAP filters).
SAP advertisements that are accepted by virtue of the existence of the default route will be advertised on all IPX circuits other than the one from which the SAP advertisement was accepted (split-horizon). Of course, the advertisement will be subjected to the SAP filters before being advertised. The same rules apply to responses to SAP requests.
Global IPX filters are applied to all IPX circuits. They can be used to prevent the router from forwarding packets based on IPX addresses (network/host/socket). You can use global IPX filters to provide security or to stop the forwarding of packets from "noisy" applications beyond the area of interest.
Global IPX filters are based on the originating IPX source address and the ultimate destination IPX address. Intermediate hop addresses are not important.
An IPX address (source or destination) for a global filter consists of an IPX network number, an IPX host number, and a range of IPX socket numbers that are specified in hexadecimal. The network number and host number can be specified as 0, which is a wildcard that matches all network and host numbers, respectively. A range of 0 to FFFF is a wildcard for sockets.
The global filter list is an ordered list of entries. Each global filter entry can be configured as inclusive or exclusive. The router compares packets it receives against the global filter list.
When creating global filter lists, consider the following things about IPX:
Note: All services on a Novell file server (version 3.0 or higher) are on the server's internal network, usually at host 000000000001. Because that internal network number is unique over an entire IPX network, you can protect it by blocking all packets to the internal network socket range 0-FFFF. To block only the file server, use a socket range of 0451-0451.
Note: The global filters and circuit filters are mutually-exclusive. If global SAP filtering is enabled, circuit SAP filters cannot be enabled (and vice versa). If global IPX filtering is enabled (access-controls), circuit IPX filters cannot be enabled (and vice versa).
The router examines each IPX frame to see if it matches an entry in the global filter list. It applies the first match, therefore the order of global filters is critical. The router examines IPX packets for the following criteria:
The result of the following example would be to forward only those IPX packets from any client on IPX net 1871, destined for the NCP application, on the Novell File Server 0000 C93A 0912, on network 18730. All other traffic would be dropped.
IPX config>add access control
Enter type [E]? I
Destination network number (in hex) [ ]? 18730
Destination host number (in hex) [ ]? 0000C93A0912
Starting destination socket number (in hex) [ ]? 0451
Ending destination socket number (in hex) [ ]? 0451
Source network number (in hex) [ ]? 1871
Source host number (in hex) [ ]? 0
Starting source socket number (in hex) [ ]? 4000
Ending source socket number (in hex) [ ]? 7FFF
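The first-match evaluation of the global filter list, modelled in Python as an added example (not code from the router). The inclusive entry is the one configured in the session above; the exclusive entry and the client host numbers are constructed, and dropping packets that match no entry is an assumption taken from the statement that all other traffic would be dropped.

```python
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class IpxAddr:
    net: int    # 4-byte network number
    host: int   # 6-byte host (node) number
    sock: int   # 2-byte socket number


@dataclass(frozen=True)
class AddrPattern:
    net: int        # 0 matches every network
    host: int       # 0 matches every host
    sock_lo: int    # range 0x0000-0xFFFF matches every socket
    sock_hi: int

    def matches(self, a: IpxAddr) -> bool:
        return ((self.net == 0 or self.net == a.net)
                and (self.host == 0 or self.host == a.host)
                and self.sock_lo <= a.sock <= self.sock_hi)


@dataclass(frozen=True)
class AccessControl:
    inclusive: bool     # True = type I (forward), False = type E (drop)
    dst: AddrPattern    # ultimate destination address
    src: AddrPattern    # originating source address


def forwards(acl: Sequence[AccessControl], src: IpxAddr, dst: IpxAddr) -> bool:
    """Apply the first entry that matches; list order decides the outcome."""
    for entry in acl:
        if entry.dst.matches(dst) and entry.src.matches(src):
            return entry.inclusive
    return False  # assumption: a packet matching no entry is dropped


# Entry from the session above: clients on net 1871 to NCP on the file server.
NCP_ONLY = AccessControl(
    True,
    dst=AddrPattern(0x18730, 0x0000C93A0912, 0x0451, 0x0451),
    src=AddrPattern(0x1871, 0, 0x4000, 0x7FFF))

# Constructed exclusive entry: one host on net 1871, to any destination.
BLOCK_HOST = AccessControl(
    False,
    dst=AddrPattern(0, 0, 0x0000, 0xFFFF),
    src=AddrPattern(0x1871, 0x00AA00000002, 0x0000, 0xFFFF))

SERVER_NCP = IpxAddr(0x18730, 0x0000C93A0912, 0x0451)
CLIENT_A = IpxAddr(0x1871, 0x00AA00000001, 0x4003)   # constructed
CLIENT_B = IpxAddr(0x1871, 0x00AA00000002, 0x4003)   # constructed

if __name__ == "__main__":
    for name, acl in (("exclude first", [BLOCK_HOST, NCP_ONLY]),
                      ("include first", [NCP_ONLY, BLOCK_HOST])):
        print(name, "-> client B forwarded:",
              forwards(acl, CLIENT_B, SERVER_NCP))
```

With the inclusive entry listed first, the exclusive entry for the same host is never reached, so a narrower exclusion has to precede the broader inclusion it is meant to override.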
Global SAP filters apply to all circuits. They can be used to prevent service advertising information from being propagated through the router. There are four primary reasons to use global SAP filters:
Note: None of these reasons explicitly mentions security. Global SAP filters cannot protect a service. All that SAP does is provide a name-to-address translation for services. If a potential intruder knows the address of the service, blocking its advertisement via global SAP filters will not protect the service. Only access controls can provide security.
The global SAP filter is based on setting a maximum hop count for a particular service, or group of services. Any matching service advertisement received with the specified hop count (or less) is accepted into the SAP table. Others are ignored. Only those services in the SAP database are re-advertised or used to answer queries.
Note: The router allows you to enter service names in 7-bit ASCII only. Some service names use binary data, in violation of Novell SAP specifications. You will not be able to filter those services by name.
A global SAP filter can apply to all services of a type. Novell assigns 4-digit hexadecimal type numbers for each type of service. Alternately, a global SAP filter can apply to one particular service of a type. This is done by specifying the name of the service.
There can be several servers of the same service type, each with a unique service name. In this case, you can configure multiple global SAP filters with the same service type to filter unique service names, or you can configure a single SAP filter which filters the service type for all service names (wildcard filter).
To configure global SAP filters:
The following example shows the creation of a global SAP filter against a specific print server.
IPX config> add filter
Maximum number of hops allowed [1]? 2
Service type [4]? 0047
Optional service name [ ]? rem-ptr1
IPX config> set filter on
This global SAP filter causes the router to ignore SAP advertisements from any print server (service type 0047) named rem-ptr1 that is more than two hops away. The filter prevents the router from propagating advertisements that match these criteria.
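The hop-count check applied to incoming advertisements, modelled in Python as an added example (not the router's code). The named filter is the one configured above; the type-wide filter and the advertisements are constructed. Exact name comparison, first-match order between filters, and accepting services that match no filter are assumptions.

```python
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class SapFilter:
    max_hops: int
    svc_type: int
    name: str = ""   # empty = every service of this type (wildcard filter)

    def __post_init__(self):
        # Filter names can be entered in 7-bit ASCII only.
        self.name.encode("ascii")


@dataclass(frozen=True)
class SapAdvert:
    svc_type: int
    name: bytes      # as received; some services put binary data here
    hops: int


def name_matches(flt: SapFilter, adv: SapAdvert) -> bool:
    if flt.name == "":
        return True
    # A name containing binary data can never equal an ASCII filter name,
    # so such a service is reachable only through a type-wide filter.
    return adv.name == flt.name.encode("ascii")


def accepted(filters: Sequence[SapFilter], adv: SapAdvert) -> bool:
    """True if the advertisement is entered into the SAP table."""
    for flt in filters:
        if flt.svc_type == adv.svc_type and name_matches(flt, adv):
            return adv.hops <= flt.max_hops
    return True  # assumption: a service matching no filter is unaffected


def sap_table(filters: Sequence[SapFilter],
              adverts: Sequence[SapAdvert]) -> List[SapAdvert]:
    # Only services in the table are re-advertised or used to answer queries.
    return [a for a in adverts if accepted(filters, a)]


PAGE_FILTER = SapFilter(2, 0x0047, "rem-ptr1")   # from the session above
TYPE_FILTER = SapFilter(1, 0x0047)               # constructed wildcard filter

# Constructed advertisements.
NEAR_PTR = SapAdvert(0x0047, b"rem-ptr1", 2)
FAR_PTR = SapAdvert(0x0047, b"rem-ptr1", 3)
OTHER_PTR = SapAdvert(0x0047, b"lab-ptr2", 5)
FILE_SRV = SapAdvert(0x0004, b"FILE_SERVER01", 6)
BINARY_PTR = SapAdvert(0x0047, b"rem-ptr1\x80", 9)
ADVERTS = [NEAR_PTR, FAR_PTR, OTHER_PTR, FILE_SRV, BINARY_PTR]

if __name__ == "__main__":
    for adv in sap_table([PAGE_FILTER, TYPE_FILTER], ADVERTS):
        print(f"{adv.svc_type:04X} {adv.name!r} hops={adv.hops}")
```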
To determine the SAP type for a filter you want to establish, follow these steps:
At the IPX> prompt enter slist. Note the entry for the services you want to filter.
The IPX routing feature supports four types of circuit-based filters: ROUTER, RIP, SAP, and IPX. One input and one output filter can be defined per circuit. Filter criteria, referred to as items, are assembled into filter-lists and are then attached to the input and/or output filters. A filter-list can be attached to more than one filter. This prevents you from having to configure the same filter criteria on multiple circuits.
Note: The global filters and circuit filters are mutually-exclusive. If global SAP filtering is enabled, circuit SAP filters cannot be enabled (and vice versa). If global IPX filtering is enabled (access-controls), circuit IPX filters cannot be enabled (and vice versa).
To configure IPX circuit Filters:
There are also commands to delete a filter on an IPX circuit, disable a filter on an IPX circuit (or all IPX circuits), detach a filter-list from a filter, move the filter-lists within the filter (because the filter-lists are ordered), list a filter, and set the size of the filter cache (for IPX Filtering only).
The ROUTER Filter operates on the IPX header of all received RIP response packets. Output ROUTER filtering is not supported. ROUTER filtering can be used to group individual IPX networks into several distinct IPX internets by controlling which routers are allowed to exchange routing information.
RIP ROUTER Filters are kept in ordered lists of items by circuit. The items are applied in order to each received RIP response packet. If a match is found, the action specified in the matching filter-list is performed (Exclude = discard packet, Include = receive packet for processing). Because Excluded packets are discarded, the information contained in their network entries is not entered into the RIP routing tables. If no match is found, the specified default filter action is performed.
The RIP filter operates on the network entries of RIP response packets. It can be used to control the extent to which routing information about selected networks is disseminated. As an input filter, this filter can prevent the storing of routing information about selected networks. This prevents all other networks from learning about the selected networks (at least through this router).
RIP filters (input) are kept in ordered lists of items by circuit. The items are applied in order to each network entry in each received RIP response packet. If a match is found, the action specified in the matching filter-list is performed (Exclude = ignore network entry, Include = process network entry). Because Excluded network entries are ignored, they are not entered into the RIP routing tables. If no match is found, the specified default filter action is performed.
As an output filter, this filter can prevent the advertising (as opposed to the storing) of routing information about selected networks. It prevents some (as opposed to all) networks from learning about the selected networks (at least through this router).
RIP filters (output) are kept in ordered lists of items by circuit. The items are applied in order to each network entry to be transmitted in a RIP response packet. If a match is found, the action specified in the matching filter-list is performed (Exclude = exclude network entry from packet, Include = include network entry in packet). This filter has no effect on the contents of the RIP routing tables. If no match is found, the specified default filter action is performed.
The SAP filter operates on the server entries of all SAP response packets. It can be used to control the extent to which information about services is disseminated, and can reduce the amount of SAP traffic on lower speed WANs.
As an input filter, this filter can prevent the storing of service information about selected servers. This prevents all other networks from learning about the selected servers (at least through this router).
SAP filters (input) are kept in ordered lists of items by circuit. The items are applied in order to each server entry in each received SAP response packet. If a match is found, the action specified in the matching filter-list is performed (Exclude = ignore server entry, Include = process server entry). Because Excluded server entries are ignored, they are not entered into the SAP services table. If no match is found, the specified default filter action is performed.
As an output filter, this filter can prevent the advertising (as opposed to the storing) of service information about selected servers. This prevents some (as opposed to all) networks from learning about the selected servers (at least through this router).
SAP filters (output) are kept in ordered lists of items by circuit. The items are applied in order to each server entry in each SAP response packet to be transmitted. If a match is found, the action specified in the matching filter-list is performed (Exclude = exclude server entry, Include = include server entry in packet). This filter has no effect on the contents of the SAP services table. If no match is found, the specified default filter action is performed.
The IPX Filter operates on the IPX header of IPX packets. It can be used to control the extent to which selected servers and workstations are allowed to communicate with other selected servers and workstations, based on source and destination network, node, and socket fields, as well as protocol type and hop count.
As an input filter, a match that indicates that the packet should be discarded prevents the packet from being transmitted on all circuits.
IPX Filters (input) are kept in ordered lists of items by circuit. The items are applied in order to each received IPX packet. If a match is found, the action specified in the matching filter-list is performed (Exclude = discard packet, Include = receive packet for processing or forwarding). If no match is found, the specified default filter action is performed.
As an output filter, the decision whether to forward the packet is made based on the output circuit, and therefore might allow a received packet to be forwarded out on one circuit but not out on some other circuit.
IPX filters (output) are kept in ordered lists of items by circuit. The items are applied in order to each IPX packet to be transmitted. If a match is found, the action specified in the matching filter-list is performed (Exclude = discard packet, Include = transmit packet). If no match is found, the specified default filter action is performed.
Because IPX filters are invoked for each received packet, it is recommended that they be used only where a high degree of specificity is required (that is, where the ROUTER, RIP and SAP filters cannot be used). Generally, the RIP filters deal with internetworking between all stations on a particular set of networks; the SAP filters control which servers are reachable by workstations throughout the internetwork; the IPX filters deal with internetworking between individual workstations (or individual applications on individual workstations).
"IPX circuit Circuit-Filter Configuration Commands" describes in more detail the commands used to configure IPX circuit Filters.
The IPX router implements a dual path for packet forwarding, a fast path and a slow path, to route traffic more efficiently.
The fast path forwards only data packets, while a slower path handles administration packets, such as RIP and SAP packets. Fast path uses an address cache that enables the router to forward a packet quickly.
The slower routing table lookups are performed only during the creation of a cache entry. The cache has an aging mechanism that allows overflows to be dealt with intelligently. You can configure the cache size through the IPX configuration menu.
The IPX fast path cache includes two entries: local and remote. Each entry can handle the requirements of that type of addressing.
The cache commands are used to set a limit on the maximum number of entry types allowed in the cache.
The size of the local cache should equal the total number of clients on each router's local or client network plus a 10% buffer to prevent excessive purge requests. Using the example in Figure 49, router 5 (RTR R5) has 9 clients (C) plus the server (S) for a total of 10. Based on this total:
For example:
IPX config>set local-cache size
New IPX local node cache size [32]? 11
When all cache entries are in use, the least frequently used entries are purged.
The size of the remote cache should equal the total number of remote networks used by the router plus a 10% buffer to prevent excessive purge requests. In Figure 49, there are 10 IPX networks that RTR R5 can reach via IPX network 5. Therefore, RTR R5 has a total of 10 clients. Based on this total:
For example:
IPX config>set remote-cache size
New IPX remote network cache size [32]? 11
You can view the cache entries using the IPX monitoring sizes command.
IPX>sizes
Current IPX cache size:
Remote network cache size (max entries): 45
0 entries now in use
Local node cache size (max entries): 86
0 entries now in use
Split-horizon is a method of routing that avoids broadcasting RIP and SAP updates to the router from which they were learned.
Generally, split-horizon should be enabled on every circuit to prevent packets from counting to infinity and to avoid unnecessary RIP and SAP advertisements. However, there are some cases, such as partially-meshed frame-relay, and X.25 configurations, where it may be necessary to disable split-horizon.
A Partially-meshed RFC 1483-Supported IPX Routing configuration is another case where it may be necessary to disable split-horizon.
In a partially-meshed frame-relay network, as shown in Figure 50, the routers at the branches cannot communicate with each other unless the router at headquarters broadcasts all routing information to all other routers. In this case, split-horizon should be disabled on the frame-relay circuit at headquarters, and enabled at each of the branches to keep them from generating unnecessary traffic.
Figure 50. Partially Meshed Frame-Relay Network
If you do need to change the split-horizon setting, use the set split-horizon command as follows:
IPX Config>set split-horizon enabled
Which circuit [1]? 2
IPX Config>set split-horizon disabled
Which circuit [1]? 2
IPX Config>set split-horizon heuristic
Which circuit [1]? 2