IPX SAP Filtering

Post on 30-Dec-2015

TRANSCRIPT

Page 1: IPX SAP Filtering

IPX SAP Filtering

Improving your network health

Ken Sallot

Page 2: IPX SAP Filtering

Objectives:

• Understand what a SAP is

• Why can SAPs be good?

• Why can SAPs be bad?

• Viewing your SAP table

• Determining what SAP types to filter

• Being a good neighbor

• Requesting SAP filters

Page 3: IPX SAP Filtering

SAP is:

• A “Service Advertising Protocol” for IPX/SPX networks

• Used to advertise devices or services such as network printers, power management systems, and file servers

• Broadcast by default every 60 seconds on an IPX network in the form of a SAP packet

Page 4: IPX SAP Filtering

SAP is:

• Each SAP contains information about the SAP, the type of service, the name of the service, and the IPX address for the service

• A SAP table consists of all devices that broadcast SAP on the network. Every router that routes IPX/SPX maintains a SAP table of all devices it sees.

Page 5: IPX SAP Filtering

SAP is:

• It takes 7 SAP entries to form one SAP packet

• A SAP packet is 512 bytes in size

• 208K of SAP data is broadcast every 60 seconds on ALL IPX/SPX Networks to support a SAP table with 2900 entries

• There are currently over 2900 SAPs broadcasting on the UF Network
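
To make the contents of a SAP broadcast concrete, here is an added example (not part of the original slides) that parses a SAP response payload into the fields listed above. The slides name the fields but not their sizes; the 64-byte entry layout and operation code 2 (general service response) are supplied here from the standard SAP format, and every name and address in the sample is invented.

```python
import struct

# One SAP service entry, big-endian, 64 bytes:
# service type, server name, network, node, socket, hop count.
ENTRY = struct.Struct(">H48s4s6sHH")
MAX_ENTRIES = 7  # from the slides: 7 SAP entries per packet

def parse_sap(payload):
    """Parse a SAP payload (the bytes after the IPX header)."""
    if len(payload) < 2:
        raise ValueError("truncated SAP payload")
    (operation,) = struct.unpack_from(">H", payload)
    body = payload[2:]
    if len(body) % ENTRY.size or len(body) // ENTRY.size > MAX_ENTRIES:
        raise ValueError("malformed SAP payload")
    services = []
    for typ, name, net, node, sock, hops in ENTRY.iter_unpack(body):
        services.append({
            "type": f"{typ:04X}",  # same 4-digit hex form used for SAP types
            "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
            "address": f"{net.hex().upper()}:{node.hex().upper()}:{sock:04X}",
            "hops": hops,
        })
    return operation, services

def build_entry(typ, name, net, node, sock, hops):
    """Pack one entry; used only to construct the sample below."""
    return ENTRY.pack(typ, name.encode(), bytes.fromhex(net),
                      bytes.fromhex(node), sock, hops)

# Constructed sample: one response carrying a file server (0004) and a
# JetDirect device (030C). All names and addresses are invented.
SAMPLE_PACKET = (struct.pack(">H", 2)
                 + build_entry(0x0004, "FS1", "0000A001", "000000000001", 0x0451, 1)
                 + build_entry(0x030C, "NPI123456", "0000B002", "0060B0123456", 0x400C, 3))

if __name__ == "__main__":
    op, services = parse_sap(SAMPLE_PACKET)
    for s in services:
        print(op, s["type"], s["name"], s["address"], s["hops"])
```
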

Page 6: IPX SAP Filtering

Why are SAPs good?

• Provide “Plug and Play” for IPX devices

• Allow clients to find services

• Can be useful in monitoring network health

Page 7: IPX SAP Filtering

Why are SAPs bad?

• Every router that routes IPX/SPX must maintain a SAP table

• Since every Netware 3.x/4.x server is also a router (even if it is just between the server’s “internal network” and the outside world), each and every Netware 3.x/4.x server must also maintain a SAP table

Page 8: IPX SAP Filtering

Why are SAPs bad?

• SAP broadcasts are chatty. They consume bandwidth on IPX/SPX networks for services that may only be used by one or two clients. Our current SAP table would consume the entire bandwidth of a 28.8K modem connection and more than 50% of the bandwidth of a 56K WAN link

Page 9: IPX SAP Filtering

Why are SAPs bad?

• As SAP tables get larger, Netware servers must have more horsepower

• Large SAP tables have been known to cause low-powered (less than Pentium 100) Netware servers to exhibit strange behavior

• Some routers have a limit on how many SAP entries they can hold in a table

Page 10: IPX SAP Filtering

Why are SAPs bad?

• If there are more SAP entries than a router can hold in its SAP table, some devices may get “clipped” and a situation where devices “appear and disappear” from the network might occur

• For many services there is no need for SAP broadcasts

Page 11: IPX SAP Filtering

Why are SAPs bad?

• Services such as Remote Console and HP Jetdirect Administration can be done directly just by knowing the device’s IPX network address; there is no need for these SAP types

• Quite often software developers fail to register their SAP types with Novell, making identification based on SAP type difficult

Page 12: IPX SAP Filtering

Viewing your SAP table

• You can use the utility IPXCON from a Netware 4.x (or 3.x with MPR) server

• From the console prompt type LOAD IPXCON

• Select “Services”

• Use PgUp/PgDn to scroll through the table

Page 13: IPX SAP Filtering

Viewing your SAP table

• You can use the utility LISTOBJ which comes with JRB Utilities

• The command line “LISTOBJ * /A/C/3/J/L=SAPS.TXT” will create a file (SAPS.TXT) with all of the SAP entries seen on your network

Page 14: IPX SAP Filtering

Determining SAP types to filter

• There are two methods of SAP filtering: the “Indiana” Approach and the “Biggest Culprits” Approach

• The Indiana Approach is based on the idea of filtering all SAP broadcasts except certain “allowed types”

• Indiana University has a shared IPX network over 8 locations

Page 15: IPX SAP Filtering

Indiana Approach

• They had over 300 file servers on their IPX network

• They reached a “critical mass” when their SAP tables exceeded 3000 entries

• Their central computing department established reasonable guidelines for determining whether a type of SAP should be filtered or not

Page 16: IPX SAP Filtering

Indiana Approach Guidelines

• Try to keep the rules the same everywhere; filtering is done based on SAP types rather than an individual SAP

• Likely SAP types to filter fell under the following criteria:
  – It is less than a year old
  – There were very few of them
  – Could not identify the SAP type

Page 17: IPX SAP Filtering

Indiana Approach Guidelines

• If there’s an acceptable workaround for the SAP type (for example, RCONSOLE allows for specifying the server IPX address)

• Indiana finally came up with a list of SAP types they would allow which eliminated over 70% of the SAP entries broadcast on their network

Page 18: IPX SAP Filtering

Indiana University

• Indiana allows the following SAP types:
  – 0004 File Server
  – 0047 Advertising Print Server
  – 01D8 Castelle Fax-Express
  – 0152 Irmalan Gateway
  – 026B Netware 4.x timesync server
  – 0278 Netware directory server

Page 19: IPX SAP Filtering

Indiana University

• Indiana also allows the following SAP types until they decide if they can live without them:
  – 023F TSA service for Novell Backup
  – 0355 Backup Exec
  – 07A9 Backup Exec Job Service
  – 044C Arcserve 5.01
  – 03C4 Arcserve 4.0

Page 20: IPX SAP Filtering

Indiana University

• They filter all other SAP types. They will periodically remove the filter on SAP type 030C (HP JetDirect devices) to allow administration of these products; however, with the new version of HP JetAdmin this is unnecessary.

Page 21: IPX SAP Filtering

Biggest Culprits Approach

• Takes the approach of using the fewest SAP filters that will have the biggest impact

• Determine the SAP types that make up the largest percentage of SAPs that you see and filter the ones that will not impact you

Page 22: IPX SAP Filtering

Biggest Culprits Approach

• At UF the top 5 SAP types are:
  – 030C HP JetDirect boards (35% of the SAPs we see)
  – 0004 Netware 3.x/4.x Servers (9%)
  – 0640 Windows NT IPX file sharing (7%)
  – 0107 Netware Remote Console (7%)
  – 8002 Intel Netport (7%)

Page 23: IPX SAP Filtering

Biggest Culprits Approach

• HP JetDirect boards:
  – With the latest version of HP JetAdmin software (version 3.0) you do not need to see the SAP broadcasts to administer them
  – Are good candidates for filtering

• Netware 3.x/4.x server:
  – If you can not see them you will not be able to use the service
  – Are poor candidates for filtering

Page 24: IPX SAP Filtering

Biggest Culprits Approach

• Windows NT IPX File Sharing:
  – With the use of NDS for NT this SAP type could be filtered
  – Filtering would not affect small workgroups that are using NT file sharing on the same IPX network
  – Without knowing how many people use NT IPX file sharing across campus, filtering this SAP type is not a good idea at this time

Page 25: IPX SAP Filtering

Biggest Culprits Approach

• Netware Remote Console
  – The Remote Console client allows you to specify the server’s IPX address, bypassing the need to see the SAP
  – The command line is RCONSOLE -A <address>
  – Is a great candidate for SAP filtering

Page 26: IPX SAP Filtering

Biggest Culprits Approach

• Intel Netport
  – The client must be able to see the SAP type to configure it
  – After the device has been configured the SAP could be filtered
  – Filtering would require Netport administrators to either be mobile, or disable filters periodically for administration

Page 27: IPX SAP Filtering

Biggest Culprits Approach

• With the campus-wide UF SAP table rapidly approaching 3000 SAP entries (I predict 3500 by October), installing only four filters (SAP types 030C, 0640, 0107, 8002) will cut down your SAP traffic by 56%!

• CIRCA has been filtering SAP types 030C, 0107 and 8002 since March with great success!
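
The Indiana allow list and the Biggest Culprits deny list, applied to the same SAP table and costed with the slides' own figures (7 entries per packet, 512-byte packets, 60-second interval). This is an added example, not part of the original presentation: the table is constructed so that its five largest types match the UF percentages, and the remaining counts and the F0xx type codes are invented filler.

```python
from collections import Counter
from math import ceil

ENTRIES_PER_PACKET = 7   # slides: 7 SAP entries form one SAP packet
PACKET_BYTES = 512       # slides: a SAP packet is 512 bytes
INTERVAL_S = 60          # slides: broadcast every 60 seconds by default
# Slides ("Requesting SAP filters"): never filter these types outbound.
PROTECTED = {"0004", "0278", "026B"}

def sap_bps(entries):
    """Average bit/s needed to broadcast a SAP table of `entries` entries."""
    return ceil(entries / ENTRIES_PER_PACKET) * PACKET_BYTES * 8 / INTERVAL_S

def biggest_culprits(counts, top=5):
    """Rank SAP types by share of the table: (type, count, percent)."""
    total = sum(counts.values())
    return [(t, n, round(100 * n / total)) for t, n in counts.most_common(top)]

def deny_filter(counts, denied):
    """Biggest Culprits: drop only the listed types, never a protected one."""
    clash = PROTECTED & set(denied)
    if clash:
        raise ValueError(f"protected SAP types in filter: {sorted(clash)}")
    return Counter({t: n for t, n in counts.items() if t not in denied})

def allow_filter(counts, allowed):
    """Indiana: drop every type that is not on the allow list."""
    return Counter({t: n for t, n in counts.items() if t in allowed})

# Constructed table of 2900 entries. The five largest counts reproduce the UF
# percentages on the slides; the remaining counts and the F0xx type codes are
# invented filler standing in for small or unidentified SAP types.
SAMPLE = Counter({"030C": 1015, "0004": 261, "0640": 203, "0107": 203,
                  "8002": 203, "0047": 150, "0278": 60, "026B": 60,
                  **{f"F{i:03X}": 5 for i in range(149)}})
UF_FILTERS = {"030C", "0640", "0107", "8002"}   # the four filters on slide 27
INDIANA_ALLOWED = {"0004", "0047", "01D8", "0152", "026B", "0278"}

def summarize(counts):
    """Return (entries, bit/s) for a table."""
    n = sum(counts.values())
    return n, round(sap_bps(n))

if __name__ == "__main__":
    print("top types:", biggest_culprits(SAMPLE))
    print("unfiltered:", summarize(SAMPLE))
    print("4 deny filters:", summarize(deny_filter(SAMPLE, UF_FILTERS)))
    print("allow list:", summarize(allow_filter(SAMPLE, INDIANA_ALLOWED)))
```

On this table the four deny filters remove 1624 of 2900 entries (56%), while the allow list keeps only the entries whose type Indiana permits.
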

Page 28: IPX SAP Filtering

Being a good neighbor

• Departments should consider filtering their outgoing SAP types to help reduce campus IPX SAP traffic

• If all of your users are on the same IPX network there is no reason for the majority of your IPX SAP broadcasts to be sent across the whole campus

Page 29: IPX SAP Filtering

Being a good neighbor

• Some “administrative” SAP types (such as 0107) should be filtered regardless of where your users reside

• Remember, you are responsible for the SAPs you broadcast

• If you are not actively filtering your outgoing SAP types you have no room to complain about large SAP tables

Page 30: IPX SAP Filtering

Requesting SAP filters

• If you share your IPX subnet with other departments make sure you clear it with them before you request incoming IPX SAP filters

• Take your time to plan your SAP filters correctly. Remember, once the filter is in place you will no longer be able to see the service

Page 31: IPX SAP Filtering

Requesting SAP filters

• When choosing the outbound SAP types to filter from your network, remember: do not filter the following SAP types:
  – 0004 Netware server
  – 0278 Novell Directory server
  – 026B Timesync server

• Remember, when your outbound filter is up, your service is unavailable to people outside of your IPX network

Page 32: IPX SAP Filtering

Requesting SAP filters

• Make sure that you also request outbound SAP filters from your IPX network. If everyone on the campus IPX network filtered their outbound SAPs there would be no need for inbound SAP filters

• Install only one or two SAP filters at a time to help diagnose anything that goes awry

Page 33: IPX SAP Filtering

Requesting SAP filters

• People on the UF Network requiring filters be installed by UF Networking should contact Dan or Bruce at 392-2061.

• People on the Healthnet Network requiring SAP filters be installed by Healthnet should contact Randy Martin at 395-7979. Note: Because much of Healthnet is shared within different groups, filters may be impractical there.

Page 34: IPX SAP Filtering

More information

• I wrote an essay titled “The Case for SAP Filtering” which can be read at:
  – http://peanut.nds.ufl.edu/sap

• On ftp.novell.com in the directory pub\netwire\ndevsup\14 there is DSAP1B.EXE. This self-extracting file contains SERVER.LST, which is a list of all public IPX/SAP server types