IGRP Access Lists - Internetworking

reekydizzy, Networking and Communications

Oct 28, 2013 (3 years and 10 months ago)


Interior Gateway Routing Protocol (IGRP) is a distance vector interior routing
protocol (IGP) invented by Cisco. It is used by routers to exchange routing data
within an autonomous system.

IGRP is a proprietary protocol. IGRP was created in part to overcome the
limitations of RIP (maximum hop count of only 15, and a single routing metric)
when used within large networks. IGRP supports multiple metrics for each route,
including bandwidth, delay, load, MTU, and reliability; to compare two routes
these metrics are combined into a single metric, using a formula which
can be adjusted through the use of pre-set constants. The maximum hop count
of IGRP-routed packets is 255 (default 100), and routing updates are broadcast
every 90 seconds (by default).

IGRP is considered a classful routing protocol. Because the protocol has no field
for a subnet mask, the router assumes that all interface addresses within the
same Class A, Class B, or Class C network have the same subnet mask as the
subnet mask configured for the interfaces in question. This contrasts with
classless routing protocols that can use variable length subnet masks.
Classful protocols have become less popular as they are wasteful of IP address space.

What is IGRP?

IGRP Network

IGRP is a protocol that allows gateways to build up their routing table by exchanging
information with other gateways. A gateway starts out with entries for all of the networks
that are directly connected to it. It gets information about other networks by exchanging
routing updates with adjacent gateways. In the simplest case, the gateway will find one
path that represents the best way to get to each network. A path is characterized by the
next gateway to which packets should be sent, the network interface that should be used,
and metric information. Metric information is a set of numbers that characterize how good
the path is. This allows the gateway to compare paths that it has heard from various
gateways and decide which one to use. There are often cases where it makes sense to split
traffic between two or more paths. IGRP will do this whenever two or more paths are
equally good. The user can also configure it to split traffic when paths are almost equally
good. In this case more traffic will be sent along the path with the better metric. The intent
is that traffic can be split between a 9600 bps line and a 19200 bps line, and the 19200 bps line
will get roughly twice as much traffic as the 9600 bps line.

The metrics used by IGRP include the following:

- Topological delay time
- Bandwidth of the narrowest bandwidth segment of the path
- Channel occupancy of the path
- Reliability of the path
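As an added example (not code from the original page), the following Python computes Cisco's IGRP composite metric with the default K constants and shows why the 19200 bps line above carries about twice the traffic of the 9600 bps line. The function names, the 20000 microsecond delay IOS assigns to a serial interface by default, and the simplified variance rule are assumptions of this example.

```python
# Added example, not from the page: the IGRP composite metric with the default
# K constants, applied to the two serial lines the text mentions.
# Assumed inputs: slowest link bandwidth in bps, summed path delay in microseconds,
# load and reliability on Cisco's 1..255 scale.

DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5; with these the metric is bandwidth + delay


def igrp_metric(min_bw_bps: int, total_delay_us: int, load: int = 1,
                reliability: int = 255, k=DEFAULT_K) -> int:
    """Composite IGRP metric for one path; lower is better."""
    k1, k2, k3, k4, k5 = k
    bw = 10**10 // min_bw_bps        # 10^7 / (bandwidth in kbps), as IOS scales it
    delay = total_delay_us // 10     # IGRP counts delay in units of 10 microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5:                           # the reliability term only applies when K5 != 0
        metric = metric * k5 // (reliability + k4)
    return metric


def usable_paths(metrics, variance: int = 1):
    """Unequal-cost load sharing (assumed simplification): a path is used when its
    metric is at most variance * best metric. IOS additionally requires the next
    hop to be closer to the destination than this router; that check is omitted."""
    best = min(metrics)
    return [m for m in metrics if m <= variance * best]


def share_ratio(metrics):
    """Traffic is shared inversely to the metric, so this is roughly how much
    more traffic the best path carries than the worst one."""
    return max(metrics) / min(metrics)


# Constructed sample: the page's 9600 bps and 19200 bps lines, both with the
# 20000 us delay a serial interface gets by default.
SLOW = igrp_metric(9600, 20000)    # 1041666 + 2000 = 1043666
FAST = igrp_metric(19200, 20000)   # 520833 + 2000 = 522833

if __name__ == "__main__":
    print("T1 metric:", igrp_metric(1544000, 20000))     # the classic 8476
    print("paths used with variance 1:", usable_paths([SLOW, FAST]))
    print("paths used with variance 2:", usable_paths([SLOW, FAST], 2))
    print("share ratio fast:slow = %.2f" % share_ratio([SLOW, FAST]))
```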

The Role of Metrics

As routing has evolved, many different routing protocols have been
developed, and the need for multi-protocol routing has been forced. One of
the earliest forms of routing, RIP, is still used, but it has the limitation
of 15 "hops". RIP needs to work with IGRP, but RIP cannot be changed, so
IGRP has algorithms for working with RIP. Many different routing protocols
have the tools to deal with other routing protocols.

Multi-protocol Routing

Access Lists are filters on a specific port of a router or smart switch. An access list decides if
a packet is to be routed or if it is to be dropped.

The access list is a group of statements. Each statement defines a pattern that would be
found in an IP packet. As each packet comes through an interface with an associated access
list, the list is scanned from top to bottom, in the exact order that it was entered, for a
pattern that matches the incoming packet. A permit or deny rule associated with the
pattern determines that packet's fate. You also can use a mask, which is like a wild card, to
determine how much of an IP source or destination address to apply to the pattern match.
The pattern statement also can include a TCP or UDP (User Datagram Protocol) port
number.

Access list statements are entered one line at a time, and the list is scanned for a match in
that same order. If you must make a change, you have to re-enter the entire list. Also, keep
in mind that once you associate the list with an interface, any packet not processed by the
list is dropped by default.

Once the access list is entered, you must associate it with the interface on the router where
you want to apply the filtering. You can apply the list to incoming packets (an "in" access
list) or outgoing packets (an "out" access list). In most cases, either list will work. For out
access lists, you need to set up the filter only on the one outgoing interface rather than on
the individual incoming interfaces. This improves performance because only the network
you are protecting will force a lookup on the access list.


Access Lists

Sample Access List Setup

Standard Access Lists

Access lists are generally broken into 2 major groups, standard and extended. Standard
access lists only operate on the Network layer of the OSI model. These are used to block
or permit networks from reaching other networks. For example, suppose I have a network
with a web server on it. I would like to have the router filter traffic going to that
webserver so that only a few home users and all users at work can access that machine. I
could use a standard access list to permit these allowed hosts and deny traffic from every
other host on the Internet.

To enable an access list such as this for IP, we need to configure an access list in the range
of 1 to 99. For example:

    access-list 1 permit 206.50.17.0 0.0.0.255

The first part shows "access-list", which is what all access lists start with, regardless of
what network technology is used. The next part is "1", which specifies the number of the access
list. To add additional rules to this list, you would start each line with "access-list 1".
Permit indicates to the router that this is a rule specifying what should be allowed. Next is
the network and subnet mask pair. Notice, however, that the subnet mask is inversed.
Normally, for a /24 you would use a netmask of 255.255.255.0, but in access-lists the
subnet masks are inversed so that 255.255.255.0 becomes 0.0.0.255. The 255 in this case
means ignore the last octet of the address when looking for a matching packet.

Standard ACLs

Extended access lists function on both layer 3 and 4 of the OSI model. That is, they allow you to filter not
only by network address but also by the type of traffic that is being sent or received. Extended access lists
are much more flexible and allow for much greater control of traffic into and out of your network than
standard access lists.

Let's go through an example to see how extended access-lists work.

    fred# config t
    fred(config)# access-list 100 permit udp any 172.50.10.0 0.0.0.255 eq 53
    fred(config)# access-list 100 permit tcp any 172.50.10.0 0.0.0.255 eq 25
    fred(config)# access-list 100 deny tcp 172.50.12.0 0.0.0.255 172.50.10.0 0.0.0.255
    fred(config)# access-list 100 permit tcp any any
    fred(config)# int s1
    fred(config-if)# ip access-group 100 in
    fred(config-if)# exit
    fred(config)# exit

The first line takes us into configuration mode so that we can set up our access list. The next line configures
access list 100 to permit any traffic from 172.50.10.0/24 to reach our network on port 53. I know that this is
for inbound traffic because of the line that says "ip access-group 100 in". When designing access lists, it is
important to know beforehand whether you are designing your access-list for inbound or outbound
traffic.

The third line specifies that SMTP traffic from 172.50.10.0/24 is to be allowed into our network. Next, traffic
from 172.50.12.0/24 is not allowed to go to the network 172.50.10.0/24. Finally, any TCP traffic that did not match
any of the above rules is allowed by the line that says "access-list 100 permit tcp any any".

Extended ACLs
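To make the scanning rules concrete (top-to-bottom first match, the inverted wildcard mask of the standard ACL section, and the implicit deny at the end of every list), here is an added Python evaluator that replays access list 100 from the example above against a few constructed packets. It is not code from the page or from Cisco; the Rule class, the function names and the sample addresses outside 172.50.0.0/16 are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the page): a minimal model of how IOS scans an IP ACL.

@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol), "tcp" or "udp"
    src: str                      # "network wildcard" pair, or "any"
    dst: str
    dport: Optional[int] = None   # destination "eq <port>", or None for any port


def wildcard_match(addr: str, pair: str) -> bool:
    """Cisco wildcard masks are inverted netmasks: a 1 bit means 'ignore this bit'."""
    if pair == "any":
        return True
    net, wild = pair.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF   # bits that must be equal
    return a & care == n & care


def evaluate(acl: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Scan top to bottom; the first matching statement decides the packet's fate."""
    for rule in acl:
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if not (wildcard_match(src, rule.src) and wildcard_match(dst, rule.dst)):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"   # implicit deny: anything the list does not process is dropped


# Access list 100 from the page, in the order it was entered.
ACL_100 = [
    Rule("permit", "udp", "any", "172.50.10.0 0.0.0.255", 53),
    Rule("permit", "tcp", "any", "172.50.10.0 0.0.0.255", 25),
    Rule("deny",   "tcp", "172.50.12.0 0.0.0.255", "172.50.10.0 0.0.0.255"),
    Rule("permit", "tcp", "any", "any"),
]

if __name__ == "__main__":
    # Order matters: SMTP from 172.50.12.0/24 hits line 2 before the deny on line 3.
    print(evaluate(ACL_100, "tcp", "172.50.12.7", "172.50.10.5", 25))    # permit
    print(evaluate(ACL_100, "tcp", "172.50.12.7", "172.50.10.5", 80))    # deny
    print(evaluate(ACL_100, "udp", "198.51.100.9", "172.50.10.5", 123))  # deny (implicit)
```

Note that no "permit udp any any" line exists, so UDP other than DNS to 172.50.10.0/24 is dropped by the implicit deny even though TCP is allowed through.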

Named ACLs are much the same as Standard or Extended ACLs except that they give ACLs names
instead of numbers. If your router is running IOS 11.2 or higher, you can create named access lists.
Instead of choosing a number between 1-99 for standard IP access lists, you can use a custom
name, allowing for more lists and more convenient management. The commands to create a
named access list are different for standard and extended access lists.

To create a named access list, use the following command in global configuration mode:

    router(config)# ip access-list {standard | extended} name

This command will take you into access-list configuration mode where you can define the deny
and permit rules. For example, to create a named access list with the name wwwfilter and permit
only access from the networks 192.168.132.0, 172.17.0.0 and 10.0.0.0, use the following
commands:

    router(config)# ip access-list standard wwwfilter
    router(config-std-nacl)# permit 192.168.132.0 0.0.0.255
    router(config-std-nacl)# permit 172.17.0.0 0.0.255.255
    router(config-std-nacl)# permit 10.0.0.0 0.255.255.255

Use the exit command to exit access-list configuration mode.

A named list is applied to an interface in the same way as with numbered lists:

    router(config-if)# ip access-group wwwfilter out

Named ACLs

Setting up Server 2003

We will be setting up Server 2003, beginning with the installation of Server 2003
and ending with the configuration of core Server 2003 roles.

1. Install Server 2003 as instructed.
2. Set up a static IP.
3. Set up Active Directory.
4. Set up DNS.
5. Set up DHCP.
6. Connect a Windows XP computer to the domain.

Practical