02-24-2013 06:29 PM - edited 03-07-2019 11:54 AM
We have a lot of IPX traffic flowing through a switched network and we are being asked to filter it from a network standpoint. At one point they were using IPX in their network, but no longer need to, so they still have a lot of machines spewing out IPX traffic. We have removed the IPX routing commands from our distribution switches (Cisco 6500), but after running a short 10-minute Wireshark capture I'm still getting a good bit of IPX traffic from a lot of different devices.
What would be the best way to filter out this traffic?
02-25-2013 03:09 AM
Hello Aalbrecht27,
Once you have disabled IPX addresses and IPX routing on network devices, you have already done most of the job: no IPX routing is possible between different VLANs.
As you have noted, this does not mean that all IPX traffic has stopped, as some end devices may still communicate within each VLAN/broadcast domain using IPX.
This traffic is ignored at OSI Layer 3 and is just L2-switched within each VLAN.
Attempting to filter IPX traffic at each user port may be a waste of time and switch resources.
However, filtering on ethertype should be possible if desired, as explained in the link below:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008019f647.shtml
CAUTION: IPX used multiple encapsulations over Ethernet; I'm not sure these filters can block all types of IPX traffic over Ethernet. Not all of these IPX-over-Ethernet encapsulations have an ethertype to match.
Edit:
See also this thread with a nice approach at VACL level by Peter Paluch. This looks like the right tool for you:
https://supportforums.cisco.com/thread/2156242
Hope to help
Giuseppe
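
To see which IPX encapsulations are actually present in a capture before relying on an ethertype match, the frames can be classified offline. This is an added example, not part of the thread or the linked Cisco document; the function names and sample frames are constructed, and it covers the four IPX-over-Ethernet framings (Ethernet II, raw 802.3, 802.2 LLC, 802.2 SNAP).

```python
import struct
from collections import Counter
from typing import Optional

IPX_ETHERTYPE = 0x8137  # EtherType assigned to Novell IPX

def classify_ipx(frame: bytes) -> Optional[str]:
    """Name the IPX encapsulation of a raw Ethernet frame, or None if not IPX."""
    if len(frame) < 16:
        return None
    (type_or_len,) = struct.unpack_from("!H", frame, 12)
    payload = frame[14:]
    if type_or_len >= 0x0600:  # field is an EtherType (Ethernet II framing)
        return "Ethernet_II" if type_or_len == IPX_ETHERTYPE else None
    # Field is an 802.3 length, so there is no EtherType in bytes 12-13.
    if payload[:2] == b"\xff\xff":  # IPX header directly; checksum is 0xFFFF
        return "raw 802.3"
    if payload[:2] == b"\xe0\xe0":  # 802.2 LLC with the NetWare SAP 0xE0
        return "802.2 LLC"
    if payload[:2] == b"\xaa\xaa" and len(payload) >= 8:
        (pid,) = struct.unpack_from("!H", payload, 6)  # after control + OUI
        return "802.2 SNAP" if pid == IPX_ETHERTYPE else None
    return None

def encapsulation_counts(frames) -> Counter:
    """Count IPX frames per encapsulation; non-IPX frames are skipped."""
    return Counter(k for k in map(classify_ipx, frames) if k)

def without_ethertype(frames) -> list:
    """IPX frames whose bytes 12-13 are a length, not EtherType 0x8137."""
    return [f for f in frames if classify_ipx(f) not in (None, "Ethernet_II")]

# Constructed sample frames (broadcast destination, made-up source MAC).
_HDR = b"\xff" * 6 + bytes.fromhex("02000000aa01")
_IPX = b"\xff\xff\x00\x1e\x00\x04" + b"\x00" * 24  # minimal 30-byte IPX header
SAMPLES = [
    _HDR + b"\x81\x37" + _IPX,
    _HDR + struct.pack("!H", len(_IPX)) + _IPX,
    _HDR + struct.pack("!H", len(_IPX) + 3) + b"\xe0\xe0\x03" + _IPX,
    _HDR + struct.pack("!H", len(_IPX) + 8) + bytes.fromhex("aaaa030000008137") + _IPX,
    _HDR + b"\x08\x00" + b"\x45" + b"\x00" * 19,  # IPv4, not IPX
]

if __name__ == "__main__":
    print(dict(encapsulation_counts(SAMPLES)))
    print(len(without_ethertype(SAMPLES)), "IPX frames carry no EtherType in bytes 12-13")
```

Frames reported by `without_ethertype` are the ones a match on EtherType 0x8137 alone has nothing to key on, so the filter needs additional entries for them.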
03-18-2013 11:08 PM
Hi Giuseppe, I didn't see your response until now and you just gave me the answer I've been looking for! I was able to create a filter almost identical to the link you referred to, but I was missing the last 2 permit statements so only some of the IPX traffic was being filtered, but now all of it is being filtered out in my test equipment.
Now the only question is how this may affect the switch resources. We are running 6500s so I think they should be fine, but I did notice my little 3550 hesitate once applying the filter.
Thanks a ton for your help!