IPX SAP Filtering
Improving your network health
Ken Sallot
kens@ufl.edu
Objectives:
• Understand what a SAP is
• Why can SAPs be good?
• Why can SAPs be bad?
• Viewing your SAP table
• Determining what SAP types to filter
• Being a good neighbor
• Requesting SAP filters
SAP is:
• A “Service Advertising Protocol” for IPX/SPX networks
• Used to advertise devices or services such as network printers, power management systems, and file servers
• Broadcast by default every 60 seconds on an IPX network in the form of a SAP packet
SAP is:
• Each SAP contains information about the SAP: the type of service, the name of the service, and the IPX address of the service
• A SAP table consists of all devices that broadcast SAP on the network. Every router that routes IPX/SPX maintains a SAP table of all devices it sees.
SAP is:
• It takes 7 SAP entries to form one SAP packet
• A SAP packet is 512 bytes in size
• 208K of SAP data is broadcast every 60 seconds on ALL IPX/SPX networks to support a SAP table with 2900 entries
• There are currently over 2900 SAPs broadcasting on the UF Network
Why are SAPs good?
• Provide “Plug and Play” for IPX devices
• Allow clients to find services
• Can be useful in monitoring network health
Why are SAPs bad?
• Every router that routes IPX/SPX must maintain a SAP table
• Since every Netware 3.x/4.x server is also a router (even if it is just between the server's “internal network” and the outside world), each and every Netware 3.x/4.x server must also maintain a SAP table
Why are SAPs bad?
• SAP broadcasts are chatty. They consume bandwidth on IPX/SPX networks for services that may only be used by one or two clients. Our current SAP table would consume the entire bandwidth of a 28.8K modem connection and more than 50% of the bandwidth of a 56K WAN link
Why are SAPs bad?
• As SAP tables get larger, Netware servers must have more horsepower
• Large SAP tables have been known to cause low-powered (less than Pentium 100) Netware servers to exhibit strange behavior
• Some routers have a limit on how many SAP entries they can hold in a table
Why are SAPs bad?
• If there are more SAP entries than a router can hold in its SAP table, some devices may get “clipped”, and a situation where devices “appear and disappear” from the network might occur
• For many services there is no need for SAP broadcasts
Why are SAPs bad?
• Services such as Remote Console and HP JetDirect administration can be reached directly just by knowing the device's IPX network address; there is no need for these SAP types
• Quite often software developers fail to register their SAP types with Novell, making identification based on SAP type difficult
Viewing your SAP table
• You can use the utility IPXCON from a Netware 4.x (or 3.x with MPR) server
• From the console prompt type LOAD IPXCON
• Select “Services”
• Use PgUp/PgDn to scroll through the table
Viewing your SAP table
• You can use the utility LISTOBJ which comes with JRB Utilities
• The command line “LISTOBJ * /A/C/3/J/L=SAPS.TXT” will create a file (SAPS.TXT) with all of the SAP entries seen on your network
Determining SAP types to filter
• Two methods of SAP filtering: the “Indiana” approach and the “Biggest Culprits” approach
• The Indiana approach is based on the idea of filtering all SAP broadcasts except certain “allowed types”
• Indiana University has a shared IPX network over 8 locations
Indiana Approach
• They had over 300 file servers on their IPX network
• They reached a “critical mass” when their SAP tables exceeded 3000 entries
• Their central computing department established reasonable guidelines on how to determine whether a type of SAP should be filtered or not
Indiana Approach Guidelines
• Try to keep the rules the same everywhere; filtering is done based on SAP types rather than on an individual SAP
• Likely SAP types to filter fell under the following criteria:
– It is less than a year old
– There were very few of them
– The SAP type could not be identified
Indiana Approach Guidelines
– There is an acceptable workaround for the SAP type (for example, RCONSOLE allows specifying the server's IPX address)
• Indiana finally came up with a list of SAP types they would allow, which eliminated over 70% of the SAP entries broadcast on their network
Indiana University
• Indiana allows the following SAP types:
– 0004 File Server
– 0047 Advertising Print Server
– 01D8 Castelle Fax-Express
– 0152 Irmalan Gateway
– 026B Netware 4.x timesync server
– 0278 Netware directory server
Indiana University
• Indiana also allows the following SAP types until they decide if they can live without them:
– 023F TSA service for Novell Backup
– 0355 Backup Exec
– 07A9 Backup Exec Job Service
– 044C Arcserve 5.01
– 03C4 Arcserve 4.0
Indiana University
• They filter all other SAP types. They will periodically remove the filter on SAP type 030C (HP JetDirect devices) to allow administration of these products; however, with the new version of HP JetAdmin this is unnecessary.
Biggest Culprits Approach
• Takes the approach of using the smallest number of SAP filters that will provide the greatest impact
• Determine the SAP types that make up the largest percentage of the SAPs that you see, and filter the ones that will not impact you
Biggest Culprits Approach
• At UF the top 5 SAP types are:
– 030C HP JetDirect boards (35% of the SAPs we see)
– 0004 Netware 3.x/4.x servers (9%)
– 0640 Windows NT IPX file sharing (7%)
– 0107 Netware Remote Console (7%)
– 8002 Intel Netport (7%)
Biggest Culprits Approach
• HP JetDirect boards:
– With the latest version of the HP JetAdmin software (version 3.0) you do not need to see the SAP broadcasts to administer them
– Are good candidates for filtering
• Netware 3.x/4.x servers:
– If you cannot see them you will not be able to use the service
– Are poor candidates for filtering
Biggest Culprits Approach
• Windows NT IPX file sharing:
– With the use of NDS for NT this SAP type could be filtered
– Filtering would not affect small workgroups that are using NT file sharing on the same IPX network
– Without knowing how many people use NT IPX file sharing across campus, filtering this SAP type is not a good idea at this time
Biggest Culprits Approach
• Netware Remote Console:
– The Remote Console client allows you to specify the server's IPX address, bypassing the need to see the SAP
– The command line is RCONSOLE -A <address>
– Is a great candidate for SAP filtering
Biggest Culprits Approach
• Intel Netport:
– The client must be able to see the SAP type to configure it
– After the device has been configured the SAP could be filtered
– Filtering would require Netport administrators to either be mobile, or disable filters periodically for administration
Biggest Culprits Approach
• With the campus-wide UF SAP table rapidly approaching 3000 SAP entries (I predict 3500 by October), installing only four filters (SAP types 030C, 0640, 0107, 8002) will cut down your SAP traffic by 56%!
• CIRCA has been filtering SAP types 030C, 0107 and 8002 since March with great success!
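The packet arithmetic above (7 entries per 512-byte packet, rebroadcast every 60 seconds) and the two filtering approaches, worked through as an added Python example that is not part of the presentation. The SAP table it uses is constructed, not a real capture; its proportions follow the UF top-5 figures, the filler types 1234 to 1237 are hypothetical unregistered types, and the link figures (28.8K modem, 56K WAN) are the ones quoted on the slides.

```python
from collections import Counter

# Figures from the presentation: 7 SAP entries per 512-byte
# packet, rebroadcast every 60 seconds.
ENTRIES_PER_PACKET = 7
PACKET_BYTES = 512
INTERVAL_S = 60

# Constructed sample SAP table of (type, name) pairs, not a real
# capture; proportions follow the UF top-5 figures (35/9/7/7/7 percent).
# Types 1234-1237 are hypothetical unregistered SAP types.
SAMPLE_TABLE = (
    [("030C", f"JETDIRECT{i}") for i in range(35)]
    + [("0004", f"FS{i}") for i in range(9)]
    + [("0640", f"NTSHARE{i}") for i in range(7)]
    + [("0107", f"FS{i}") for i in range(7)]
    + [("8002", f"NETPORT{i}") for i in range(7)]
    + [("0047", f"PSERVER{i}") for i in range(5)]
    + [("023F", f"FS{i}") for i in range(4)] + [("0355", f"FS{i}") for i in range(4)]
    + [("0278", "NDS_TREE"), ("026B", "TIMESYNC")]
    + [(t, f"UNKNOWN{i}") for t in ("1234", "1235", "1236", "1237") for i in range(5)]
)

def broadcast_bytes_per_interval(n_entries):
    """Bytes of SAP broadcast every 60 s for a table of n_entries."""
    packets = -(-n_entries // ENTRIES_PER_PACKET)  # ceiling division
    return packets * PACKET_BYTES

def link_utilization_pct(n_entries, link_kbps):
    """Share of a link (kbit/s) consumed by steady-state SAP broadcasts."""
    bps = broadcast_bytes_per_interval(n_entries) * 8 / INTERVAL_S
    return round(100 * bps / (link_kbps * 1000), 1)

def type_histogram(table):
    """Rank SAP types by share of the table: the 'biggest culprits' view."""
    counts = Counter(t for t, _ in table)
    return [(t, c, round(100 * c / len(table), 1)) for t, c in counts.most_common()]

def apply_filter(table, allow=None, deny=()):
    """Indiana approach: pass an allow-list of types and drop everything else.
    Biggest-culprits approach: pass a deny-list of the top offenders."""
    if allow is not None:
        return [e for e in table if e[0] in allow]
    return [e for e in table if e[0] not in deny]

def reduction_pct(table, kept):
    """Percentage of SAP entries removed by a filter."""
    return round(100 * (1 - len(kept) / len(table)), 1)
```

With the four UF deny-list types, `reduction_pct(SAMPLE_TABLE, apply_filter(SAMPLE_TABLE, deny={"030C", "0640", "0107", "8002"}))` gives 56.0, the cut the slide claims, and `link_utilization_pct(2900, 28.8)` shows a 2900-entry table filling a 28.8K modem.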
Being a good neighbor
• Departments should consider filtering their outgoing SAP types to help reduce campus IPX SAP traffic
• If all of your users are on the same IPX network there is no reason for the majority of your IPX SAP broadcasts to be sent across the whole campus
Being a good neighbor
• Some “administrative” SAP types (such as 0107) should be filtered regardless of where your users reside
• Remember, you are responsible for the SAPs you broadcast
• If you are not actively filtering your outgoing SAP types you have no room to complain about large SAP tables
Requesting SAP filters
• If you share your IPX subnet with other departments, make sure you clear it with them before you request incoming IPX SAP filters
• Take your time to plan your SAP filters correctly. Remember, once the filter is in place you will no longer be able to see the service
Requesting SAP filters
• When choosing the outbound SAP types to filter from your network, remember not to filter the following SAP types:
– 0004 Netware server
– 0278 Novell Directory server
– 026B Timesync server
• Remember, when your outbound filter is up, your service is unavailable to people outside of your IPX network
Requesting SAP filters
• Make sure that you also request outbound SAP filters from your IPX network. If everyone on the campus IPX network filtered their outbound SAPs there would be no need for inbound SAP filters
• Install only one or two SAP filters at a time to help diagnose anything that goes awry
Requesting SAP filters
• People on the UF Network who require filters to be installed by UF Networking should contact Dan or Bruce at 392-2061.
• People on the Healthnet Network who require SAP filters to be installed by Healthnet should contact Randy Martin at 395-7979. Note: Because much of Healthnet is shared between different groups, filters may be impractical there.
More information
• I wrote an essay titled “The Case for SAP Filtering” which can be read at:
– http://peanut.nds.ufl.edu/sap
• On ftp.novell.com in the directory pub\netwire\ndevsup\14 there is DSAP1B.EXE. This self-extracting file contains SERVER.LST, which is a list of all public IPX/SAP server types