NetWare(R) IPX(TM) RIP/SAP Filtering Software

Introduction

The NetWare Internetwork Packet Exchange(TM) (IPX) RIP/SAP (Routing 
Information Protocol/Service Advertising Protocol) Filtering product must be 
used in conjunction with the NetWare MultiProtocol Router(TM) 2.1 or NetWare 
MultiProtocol Router Plus(TM) 2.1 software.

README File

Please read the NetWare IPX RIP/SAP Filtering README file that is included 
with the product. The information in the README file can assist you in 
configuring and troubleshooting the product.

Installing the Software

Before installing the NetWare IPX RIP/SAP Filtering product, you must first 
have the NetWare 3.11 or NetWare Runtime(TM) 3.11 software installed on your 
server or router. You must also have the NetWare MultiProtocol Router 
Plus 2.1 software installed. Refer to the NetWare documentation for 
installation instructions. If you are also installing any other Novell(R) 
products, do so before installing the NetWare IPX RIP/SAP Filtering product.

Use the following procedure to install the software on your machine:

  1.    Insert the first NetWare IPX RIP/SAP Filtering diskette (that you 
        made from the NetWire(R) electronic bulletin board) into the disk 
        drive.

  2.    At the server or router console prompt, type:

                LOAD INSTALL <Enter>

        The Installation Options menu appears.

  3.    Select System Options, then press <Enter>.

  4.    Select Edit STARTUP.NCF File, then press <Enter>.

        Warning: Be sure you select Edit, and not Create, because a 
        STARTUP.NCF file already exists. If you select Create, all 
        information in your existing file is lost.

        A new window displays the full path name of STARTUP.NCF.

  5.    Press <Enter> to view the contents of the file.

        Add the following line (with the appropriate value) to the end of 
        the file:

                SET MAXIMUM PHYSICAL RECEIVE PACKET SIZE=<value>

        The value of this parameter should be set to the largest value used 
        by your LAN media or the largest value used by your applications, 
        whichever is less. Typical minimum values for different media types 
        are shown in Table 1. To use a value greater than 4202, you must 
        apply the MPRPSFIX.EXE file to your SERVER.EXE file. See the README 
        file for more information. 

Table 1 
Minimum Values for the Maximum Physical Receive Packet Size
---------------------------------
Media Type              Value
Ethernet                1514
4 MB token ring         4530    
16 MB token ring        4530
FDDI                    4530
ARCnet*                 4202
LocalTalk*              600
---------------------------------

  6.    Press <Esc> and select Yes to save your changes.

  7.    Press <Esc> to return to the main menu.

  8.    Select Product Options and press <Enter>.

        A new window displays the currently installed products.

  9.    Press <Ins> to insert a new product.

        A new window displays a prompt with drive A: as the default.

  10.   If you are installing the software from drive A:, just press 
        <Enter>. If you are installing the software from drive B:, replace 
        "A:" with "B:," then press <Enter>.

        The Installed Product menu appears after a few moments.

  11.   Select Install on this Server and press <Enter>.

  12.   Insert the remaining diskettes into the drive as prompted; press 
        <Esc> after you insert each diskette.

        All product options contained on the diskettes are installed. The 
        screen displays each filename as it is copied to the hard disk.

  13.   When the installation is complete, select No to return to the 
        Product Options menu; or select Yes to view the INSTALL.LOG file.

        If you chose to view the INSTALL.LOG file, press <Esc> to continue.

  14.   Press <Esc> until you exit INSTALL.

        The software is installed.  
      
  15.   Configure your software as described in this document.

IPX RIP/SAP Filtering

The IPX RIP/SAP filter enables you to control IPX RIP, SAP, and NetBIOS 
Broadcast Packet Type 20 traffic on your WAN/LAN internetwork by controlling 
the following:

  o     Which network addresses and services advertised in RIP and SAP 
        packets are stored in the router's database.

  o     Which network addresses and services are advertised to the LANs and 
        WANs attached to the router (and can be seen by them).

  o     Whether NetBIOS broadcast packets are propagated by the router.

The IPX RIP/SAP filter operates on NetWare MultiProtocol Router 2.1 or 
NetWare MultiProtocol Router Plus 2.1, and is compatible with NetWare 3.1x. 
The IPX RIP/SAP filtering is provided by the SAHANDLE NetWare Loadable 
Module (NLM) file and includes the following global filters:

  o     Outbound RIP filtering, restricting the propagation of IPX topology 
        data over WAN connections.

  o     Outbound SAP filtering for all LANs and WANs connected to the router.

  o     Inbound RIP and SAP packet filtering, allowing the removal of routes 
        or service advertisements from the router database. Inbound route 
        filtering limits the topology and services known to the router and, 
        therefore, available to network users.

  o     NetBIOS broadcast packet filtering (Packet Type 20).

Note:   See the README file for more information about configuring global 
filters.

The IPX RIP/SAP filter is composed of four NLM files: SAHANDLE, LHANDLE, 
WHANDLE, and SAPCFG. The filter function is active whenever SAHANDLE is 
loaded. The SAHANDLE NLM automatically loads either LHANDLE.NLM or 
WHANDLE.NLM (depending on whether you are installing on top of the NetWare 
MultiProtocol Router 2.1 software or the NetWare MultiProtocol Router Plus 
2.1 software). These NLM files provide filtering of SAP packets by 
interaction with the bindery. Both RIP packet and Packet Type 20 filtering 
are provided by interception of inbound IPX packets and outbound IPX WAN 
packets.
 
The SAP filter links into the NetWare operating system at a registered entry 
point. All Service Names are passed by the operating system to the SAP 
filter. The SAP filter then uses the direction of the request and its SAP 
filter database to determine whether the Service Name and Service Type 
should be kept or discarded. The decision is returned to the operating 
system and the appropriate action is taken.

The RIP filter links into the NetWare operating system in two places. 
Outbound RIP packets are captured as they flow through IRWASM. The RIP 
filter must register with IRWASM to handle RIP route filtering. All inbound 
IPX packets are captured by the RIP filter. The RIP filter NLM examines the 
RIP packets and filters any routes that are to be removed from the RIP 
packets. In addition, the RIP filter scans the inbound packet stream for 
NetBIOS packets and removes them.

The SAPCFG NLM interacts with the SAHANDLE NLM. SAPCFG allows the creation 
and deletion of filter definitions for all the SAHANDLE filters. SAPCFG 
generates a configuration file called FILTER.BIN containing the filter 
specifications. It places this filter specification file in the SYS\ETC 
router directory. SAPCFG automatically loads SAHANDLE if SAHANDLE has not 
been loaded previously.

RIP

Routers use RIP to inform one another of which networks can be reached by 
creating and maintaining a dynamic database of internetwork routing 
information. This database is the router's view of the network topology. 
Only networks included in the router's database can be reached through the 
router.

As a router becomes aware of a change in the internetwork topology, it 
broadcasts this information to neighboring routers. Routers also send 
periodic RIP broadcast packets containing all routing information known to 
the router. These broadcasts keep all routers on the internetwork 
synchronized and provide a means of "aging" (removing after a certain 
timeout) those networks that might become inaccessible because of a router 
failure. Networks are typically aged from the routing database in three 
minutes.

The view of the network created from RIP broadcast packets can be configured 
by removing network address entries from RIP packets. This aids in 
controlling network access by limiting services that are reachable from 
different sections of the internetwork.

On a very large internetwork, the amount of traffic generated by RIP 
broadcasts can become quite noticeable, especially on slower WAN 
connections. Additionally, large amounts of unnecessary RIP information can 
pass to a router from remote portions of the network. The IPX RIP/SAP filter 
allows reduction of this RIP traffic.

SAP

Servers and routers use the SAP information to inform potential clients of 
the services present on the network. Each IPX server uses SAP to create and 
maintain a dynamic database of network services.

Servers/routers using SAP broadcast their names and types every 60 seconds. 
NetWare servers/routers rebroadcast SAP information over each of their 
directly connected networks to ensure that it is properly dispersed. These 
broadcasts provide distribution of service names throughout the network and 
provide a means of "aging" service names that might become inaccessible 
because of a system failure. Service names are typically aged in three 
minutes.

The primary clients of all this information are file servers, which store 
the data in the bindery for easy access. They create a bindery object using 
the advertised name and type for each advertising entity not residing on the 
server. The object created is dynamic, and is deleted when the file server 
is taken down. These are the bindery objects seen when a user runs a utility 
such as SYSCON, SLIST, or PCONSOLE to look at the list of known services.

The IPX RIP/SAP filter enables you to determine what services are visible at 
any given point in an internetwork, and reduce the amount of network traffic 
generated by the SAP broadcasts. Additionally, the filter removes services 
from the bindery that are unreachable because of route filtering. This 
facilitates restricting network access by preventing the dissemination of 
service names that are not reachable.

On a large internetwork, the amount of traffic generated by SAP broadcasts 
can become quite noticeable, especially on slower links. Additionally, large 
amounts of SAP information can pass to a file server from remote portions of 
the network that local users never (or rarely) access.

Using the SAP filter setting, routers and file servers can be placed into 
one of the following categories:

  o     Open: a standard NetWare server or router without a SAP filter NLM.

  o     Gate: allows all incoming, but no outgoing SAP information. This 
        allows for a controlled crossover point between two otherwise 
        independent networks.

  o     Exchange: does not allow SAP traffic in either direction. Because the 
        router continues to advertise itself, it is visible to two separate 
        networks, but provides no means of exchanging service information 
        from one to the other.

        The Exchange configuration is created by specifying inbound RIP 
        filtering for all networks. This eliminates all services from the 
        bindery except those on the attached network. Typical WAN 
        configurations are hybrid configurations with some routes removed 
        along with the corresponding services.

  o     Other: a hybrid of the three other categories, generally a Gate 
        configuration with some routers or servers allowed to be seen as if 
        they were an Open configuration.

NetBIOS Packets

For certain protocol implementations, such as NetBIOS, to function in the 
NetWare environment, routers must allow a broadcast packet to be propagated 
throughout an internetwork. The IPX Packet Type 20 is used specifically for 
this purpose.

The IPX RIP/SAP filter provides the capability of stopping the propagation 
of these internetwork broadcasts, which is particularly useful for 
preventing NetBIOS packets broadcasting over WANs from being used as LAN to 
LAN interconnections.

The Packet Type 20 filter applies only to NetBIOS packets sent using the IPX 
protocol; it does not affect packets that are bridged or routed using other 
protocols.

Enabling IPX RIP/SAP Filtering

Use the following command to load the IPX RIP/SAP filter along with the 
SAPCFG.NLM configuration utility:

        LOAD SAPCFG <Enter>

To load only the IPX RIP/SAP filter, without SAPCFG, use the following 
command:

        LOAD SAHANDLE <Enter>

The filter enable switch (which is accessible in INETCFG by successively 
selecting Protocol Parameters, IPX, and IPX WAN Support) enables loading of 
the IPX RIP/SAP filter NLM SAHANDLE. Use this switch to load the SAHANDLE 
IPX RIP/SAP filter NLM automatically whenever the NetWare MultiProtocol 
Router 2.1 or NetWare MultiProtocol Router Plus 2.1 software is started.

When using SAHANDLE with the NetWare MultiProtocol Router Plus 2.1 software, 
it is necessary to have at least one WAN network number defined using 
INETCFG. This is done by successively selecting Protocol Parameters, IPX, 
IPX WAN Support, and Network Numbers for WAN Links. Add at least one number 
to the WAN network list. This number allows the WAN support software to be 
used by SAHANDLE. If you do not define at least one network number, SAHANDLE 
fails to load properly.

A router using inbound RIP and SAP filters restricts users from accessing 
some or all network services that would be advertised to that router. It is 
usually desirable to prevent routers that are restricted (by IPX RIP/SAP 
filters) from responding to the "get nearest server request," so that 
clients that require access to many servers do not attach to them. Clients 
that require unrestricted access should also be configured with a "preferred 
server" command in their NET.CFG file (before the driver commands). This is 
particularly true for LAN segments that have a single point of entry that is 
restricted by filters. An example of the "preferred server" is shown next:

        PREFERRED SERVER=SERVERNAME <Enter>

The WHANDLE filter NLM relies on the WAN support NLM to allow outbound RIP 
filtering on WANs. When WHANDLE is loaded, the WAN support NLM IRWASM is 
loaded automatically. 

To automate the filter load sequence during the startup phase of the NetWare 
MultiProtocol Router 2.1 or NetWare MultiProtocol Router Plus 2.1 software, 
place the LOAD SAHANDLE command in the AUTOEXEC.NCF file or enable the 
filter parameter. Complete one of the following procedures to configure the 
remote server:

To place the LOAD SAHANDLE command in the AUTOEXEC.NCF file:

  1.    Load INETCFG at the server prompt.

  2.    Select General Node Information.

  3.    Select View Configuration Information.

  4.    Select AUTOEXEC.NCF file from the list that appears.

  5.    Add the following line at the end of the AUTOEXEC.NCF file:

                LOAD SAHANDLE

  6.    Press <Esc> and select Yes at the prompt to save changes.

  7.    Press <Esc> three times to exit INETCFG.

To enable the filter parameter:

  1.    Load INETCFG at the server prompt.

  2.    Select Protocol Parameters.

  3.    Select IPX.

  4.    Select Route and Service Filtering.

  5.    Select Enabled.

  6.    Press <Esc> and select Yes to save your changes.

  7.    Press <Esc> twice to exit INETCFG.

Disabling IPX RIP/SAP Filtering

To disable IPX RIP/SAP filtering, remove SAHANDLE from the system by 
entering the following command at the server prompt:

        UNLOAD SAHANDLE <Enter>

If SAPCFG is loaded when you want to disable the IPX RIP/SAP filter, it must 
be unloaded before you unload the filter. The command sequence for unloading 
both SAPCFG and the IPX RIP/SAP filter is as follows:

        UNLOAD SAPCFG <Enter>
        UNLOAD SAHANDLE <Enter>

Using the SAPCFG NLM

Use the SAPCFG NLM to configure the IPX RIP/SAP filters. If a SAP filter 
database has already been created, SAPCFG allows you to read and modify the 
existing SAP filters. Using SAPCFG, you can remove any RIP or NetBIOS 
filters from the filter database.

To configure RIP and SAP filters, load SAPCFG using the following command:

        LOAD SAPCFG <Enter>

The initial menu provides options for the following:

  o     Display Known NetWare Services

  o     Display No Pass Service List

  o     Display Pass Service List

  o     Save Filter Report To File

  o     Set NetBIOS Broadcast Filter

  o     Set RIP Filter Mode

  o     Set RIP Filters

  o     Set SAP Filter Mode

  o     Set SAP Filters

SAPCFG provides several function keys, as described in Table 2. The bottom 
two lines of each SAPCFG display show command keys and context-sensitive 
"fast help."

The RIP/SAP configuration options that can be set using SAPCFG are described 
in Table 3.

Table 2  
SAPCFG Function Keys
----------------------------------------------------------------------------
Key             Function
<Enter>         Views or modifies the selected option's configuration.
<Ins>           Adds a new configuration. Might bring up a list of items 
                from which to select.
<F3>            Expands the definition of a service name containing a 
                wildcard. The wildcard is represented by a "*" or "?" in the 
                service name. The wildcard can be defined to represent a 
                subset of all the possible services that fit the wildcard 
                description.
<Del>           Deletes or removes a configured option.
<F5>            Marks multiple entries for deletion.
<Esc>           Exits the current configuration window and returns to the 
                opening screen and the command options. Press <Esc> from the 
                main screen to exit the program and save configuration 
                changes.
<F1>            Displays full context-sensitive help while a menu or 
                parameter screen is displayed. It provides more 
                comprehensive help about the currently selected menu option 
                or parameter line than the fast help lines appearing at the 
                bottom of each SAPCFG display.
----------------------------------------------------------------------------

Table 3  
SAPCFG Configuration Options
----------------------------------------------------------------------------
Display Known NetWare Services

Displays the Service Name, Service Type, and Status (Pass/No Pass) of all 
known servers. Any service that has been filtered due to an inbound RIP 
filter setting is unknown to the router and is not displayed.

Display No Pass Service List

Shows the Service Name and Service Type of each service that is configured 
for removal from outbound SAP packets.

Display Pass Service List

Shows the Service Name and Service Type of each service that is allowed in 
outbound SAP packets.

Set NetBIOS Broadcast Filter

Specifies whether Packet Type 20 IPX packets (internetwork broadcasts) are 
filtered.

Set RIP Filters

Determines whether networks are allowed to pass through the filter. Any 
RIP filter also removes the associated services. The Set RIP Filter Mode 
setting determines whether entries that you configure specify networks to 
pass.

Enter a list of network filters, indicating whether the filter is to be 
applied to inbound packets, outbound packets, or both. 

Each filter specification comprises a network number and a network mask. 
The network mask specifies which bits of the network number are wild 
matches. For each one bit in the network mask, the corresponding bit of the 
advertised network number must exactly match the filter's network number 
bit. For each zero bit in the network mask, the corresponding bit of the 
advertised network number can take any value. 

In addition to network filters, you can also specify network filter 
exclusions, an exception to the specified filter rules. An exclusion can be 
used to allow one network number within a bank of network numbers that are 
being filtered out.

Set RIP Filter Mode

Determines whether the RIP filters specified in the Set RIP Filters list 
indicate network numbers that are allowed (Pass) or disallowed (No Pass) in 
RIP packets. In Pass mode, all networks not specified by a RIP filter are 
removed from RIP packets. In No Pass mode, only those networks specified by 
a RIP filter are removed from RIP packets.

If the RIP Filter Mode is Pass and no RIP filters are defined, then all 
networks are filtered. If you want to use the filter in Pass mode for 
limiting outbound traffic, define an inbound wildcard to allow all inbound 
networks. All networks filtered inbound are also removed outbound.

The Set RIP Filter Mode also affects operation of exclusions specified in 
the Set RIP Filters list. When the RIP filter is in Pass mode, filter 
exclusions are removed from RIP packets even though a RIP filter would allow 
the network to remain in RIP packets. When the RIP filter is in No Pass 
mode, filter exclusions are allowed in RIP packets even though a RIP filter 
would remove the network from RIP packets. The behavior of RIP exclusions 
is opposite to the behavior of RIP filters.

The default setting of the Set RIP Filter Mode is No Pass. In this 
configuration, the router allows all inbound and outbound networks in RIP 
packets. Configuration changes take effect immediately. 

Set SAP Filters

Determines which services are allowed to pass through the filter. The Set 
SAP Filter Mode determines whether the entries that you configure will pass 
services. Accordingly, entries made in the Set SAP Filters list are added to 
the Pass or No Pass lists.

Enter a list of services, indicating a service type for each. Wildcard 
characters "*" and "?" can be used to define Service Names. Wildcards in the 
Service Type field are converted by code into FFFF, which means all types. 

A wildcard definition can be modified to include only a limited list of 
services (instead of all services that match the wildcard name). When adding 
a new service to the list or modifying an existing filter, all available 
Service Names and Service Types are displayed.

Set SAP Filter Mode

Determines whether the SAP filters specified in the Set SAP Filters list 
indicate Service Names and Service Types that are allowed (Pass) or removed 
(No Pass) from SAP packets. The SAP Filter can only operate in Pass or in No 
Pass mode. 

In Pass mode, only services matching the filters specified in the Set SAP 
Filters list are transmitted in SAP packets by the router. All other 
services are filtered out. All Service Names and Service Types matching the 
SAP Filters Configuration list are displayed by the Display Pass Service 
List. All other Service Names and Service Types known to the router can be 
displayed by the Display No Pass Service List.

In No Pass mode, all services matching the filters specified in the Set SAP 
Filters list are removed from transmitted SAP packets.

The default configuration of the Set SAP Filter Mode is Pass. In this 
configuration, the router removes all outbound services from SAP packets. 
Configuration changes take effect immediately.

Save Filter Report To File

Saves the current IPX RIP/SAP filter configuration to an ASCII text file 
(RSFILTER.TXT) for printing, debugging, and historical reference purposes. 
The file can only be viewed by using an ASCII text editor, or a word 
processor capable of reading ASCII text.

SAPCFG creates the RSFILTER.TXT file from the information stored in the 
configuration file (FILTER.BIN). The FILTER.BIN file is a binary format file 
accessed by the SAHANDLE NLM to read the active filter specifications.

Both the RSFILTER.TXT and the FILTER.BIN files are located in the SYS\ETC 
directory of the router. They can be accessed from the network by attaching 
to the router and retrieving the files through the network.
----------------------------------------------------------------------------
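The decision rules from Set RIP Filters and Set RIP Filter Mode (network number plus mask, exclusions acting opposite to filters, Pass versus No Pass) and from Set SAP Filters and Set SAP Filter Mode (Service Name wildcards "*" and "?", Service Type FFFF meaning all types) are modelled below as an added example; this is constructed here, not Novell's code, and it does not read FILTER.BIN. Inbound/outbound direction and the removal of services whose routes were filtered inbound are not modelled, and all network numbers and service names in it are constructed samples.

```python
# Constructed model of the SAPCFG RIP/SAP filter decisions in Table 3.
# Not Novell code; it does not read FILTER.BIN.
from dataclasses import dataclass

PASS, NO_PASS = "Pass", "No Pass"
ALL_TYPES = 0xFFFF  # SAPCFG stores a wildcard Service Type as FFFF


@dataclass(frozen=True)
class RipFilter:
    """Network number plus mask: one bits must match, zero bits are wild."""
    network: int
    mask: int

    def matches(self, net: int) -> bool:
        return (net & self.mask) == (self.network & self.mask)


def rip_keeps(net, mode, filters, exclusions=()):
    """Keep `net` in a RIP packet under `mode`?  Exclusions act opposite
    to filters: in Pass mode they remove a network a filter would keep,
    in No Pass mode they keep one a filter would remove. With no filters,
    Pass drops every network and No Pass (the default) keeps every one.
    """
    hit = (any(f.matches(net) for f in filters)
           and not any(x.matches(net) for x in exclusions))
    return hit if mode == PASS else not hit


def filter_rip_packet(nets, mode, filters, exclusions=()):
    """Return the network entries that survive, in packet order."""
    return [n for n in nets if rip_keeps(n, mode, filters, exclusions)]


def name_matches(pattern, name):
    """Match a Service Name against a pattern using only '*' and '?'."""
    pattern, name = pattern.upper(), name.upper()
    if not pattern:
        return not name
    if pattern[0] == "*":  # '*' absorbs zero or more characters
        return any(name_matches(pattern[1:], name[i:])
                   for i in range(len(name) + 1))
    if name and pattern[0] in ("?", name[0]):
        return name_matches(pattern[1:], name[1:])
    return False


@dataclass(frozen=True)
class SapFilter:
    name: str          # may contain '*' and '?'
    service_type: int  # ALL_TYPES matches every type

    def matches(self, name, service_type):
        return (self.service_type in (ALL_TYPES, service_type)
                and name_matches(self.name, name))


def sap_keeps(name, service_type, mode, filters):
    """True if the service stays in outbound SAP packets under `mode`."""
    hit = any(f.matches(name, service_type) for f in filters)
    return hit if mode == PASS else not hit


def split_services(services, mode, filters):
    """Partition (name, type) pairs into (Pass list, No Pass list)."""
    kept = [s for s in services if sap_keeps(s[0], s[1], mode, filters)]
    return kept, [s for s in services if s not in kept]


if __name__ == "__main__":
    # Constructed sample: drop the 00A0xxxx bank of networks except 00A00007.
    rip_f = [RipFilter(0x00A00000, 0xFFFF0000)]
    rip_x = [RipFilter(0x00A00007, 0xFFFFFFFF)]
    nets = [0x00A00001, 0x00A00007, 0x00B00001]
    print([f"{n:08X}" for n in filter_rip_packet(nets, NO_PASS, rip_f, rip_x)])
    # Constructed sample: pass only file servers (type 4) whose names start FS3.
    known = [("FS1", 4), ("FS3", 4), ("FS3-PRINT", 7), ("FS4", 4)]
    print(split_services(known, PASS, [SapFilter("FS3*", 4)]))
```

The two sample runs reproduce the table's defaults as well: Pass with an empty filter list removes every network or service, and No Pass with an empty list keeps everything.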

Limiting Network Access

The IPX RIP/SAP filter can restrict inbound RIP and SAP traffic. Any network 
addresses and services removed inbound to the router are not placed in the 
network information database. Because it is not possible to send packets 
through a router to a destination that is not included in the router's 
network address database, removing inbound network addresses deters users 
from accessing the filtered networks.

The names of services located on the filtered networks are removed before 
entering the router's database. Therefore, configuring an inbound RIP filter 
automatically filters the associated inbound SAP packets.

Both RIP and SAP filtering rely on aging the database entries to remove old 
routes and service names from the internetwork. For that reason, setting a 
RIP filter requires about three minutes to take effect. Once a filter is set 
and the aging time has expired, the result of an inbound RIP filter can be 
observed on the router when you enter the display servers (SLIST) command. 
The router reports the new limited network view.

Attaching to a Remote Server with SAP Filtering

A common configuration for the IPX RIP/SAP filter is to block the 
transmission of SAP information from most (or all) of the servers or routers 
on the remote LAN, only passing information from the router directly 
attached to the other end of the WAN link. This configuration greatly 
reduces the problem caused by a high traffic load on the WAN. However, a new 
problem is created: you cannot see all the file server names on both sides 
of the WAN link. Therefore, workstations on the local LAN cannot attach to 
services on the remote LAN unless the following method is used. A 
prerequisite for using the following method is that at least one of the 
remote file servers is allowed to pass packets through both of the routers 
on the WAN link.

Use the following procedure to attach to a remote server:

  1.    Log in from your workstation (WS) to a file server (FS1 or FS2) on 
        your local LAN. 
        
  2.    Attach to a file server on the remote LAN (FS3 or FS4, whichever is 
        allowed to pass SAP information). 
        
  3.    Map a drive to the remote server, FS3 or FS4. 
  
  4.    Select that drive, and use the SLIST command to see the other file 
        servers (FS3 and FS4) on the remote LAN. You can also attach or map 
        drives to them.


Novell, NetWare, the N-Design, and the NetWare Logotype (teeth logo) are 
registered trademarks and Internetwork Packet Exchange, IPX, NetWare Loadable 
Module, NetWare MultiProtocol Router, NetWare MultiProtocol Router Plus, 
NetWare Runtime, and NLM are trademarks of Novell, Inc. LocalTalk is a 
registered trademark of Apple Computer, Inc. AST is a registered trademark 
of AST Research, Inc. ARCnet is a registered trademark of Datapoint 
Corporation. 

Published: October 1993. Copyright (C) 1993 Novell, Inc. All rights reserved.

Novell, Inc.
F6-91-2 
2180 Fortune Dr.        
San Jose, CA 95131      


