IGRP – Interior Gateway Routing Protocol Access Lists
What is IGRP?
• Interior Gateway Routing Protocol (IGRP) is a distance vector interior routing protocol (IGP) invented by Cisco. It is used by routers to exchange routing data within an autonomous system.
• IGRP is a proprietary protocol. IGRP was created in part to overcome the limitations of RIP (a maximum hop count of only 15, and a single routing metric) when used within large networks. IGRP supports multiple metrics for each route, including bandwidth, delay, load, MTU, and reliability; to compare two routes these metrics are combined into a single metric, using a formula which can be adjusted through the use of pre-set constants. The maximum hop count of IGRP-routed packets is 255 (default 100), and routing updates are broadcast every 90 seconds (by default).
• IGRP is considered a classful routing protocol. Because the protocol has no field for a subnet mask, the router assumes that all interface addresses within the same Class A, Class B, or Class C network have the same subnet mask as the subnet mask configured for the interfaces in question. This contrasts with classless routing protocols that can use variable length subnet masks. Classful protocols have become less popular as they are wasteful of IP address space.
The Role of Metrics
• IGRP is a protocol that allows gateways to build up their routing table by exchanging information with other gateways. A gateway starts out with entries for all of the networks that are directly connected to it. It gets information about other networks by exchanging routing updates with adjacent gateways. In the simplest case, the gateway will find one path that represents the best way to get to each network. A path is characterized by the next gateway to which packets should be sent, the network interface that should be used, and metric information. Metric information is a set of numbers that characterize how good the path is. This allows the gateway to compare paths that it has heard from various gateways and decide which one to use.
• There are often cases where it makes sense to split traffic between two or more paths. IGRP will do this whenever two or more paths are equally good. The user can also configure it to split traffic when paths are almost equally good. In this case more traffic will be sent along the path with the better metric. The intent is that traffic can be split between a 9600 bps line and a 19200 bps line, and the 19200 bps line will get roughly twice as much traffic as the 9600 bps line.
• The metrics used by IGRP include the following:
• Topological delay time
• Bandwidth of the narrowest bandwidth segment of the path
• Channel occupancy of the path
• Reliability of the path
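To make the metric comparison concrete, here is an added Python example (not from the original slides) that computes IGRP's composite metric as given in Cisco's IGRP documentation, metric = K1*BW + K2*BW/(256 - load) + K3*delay, multiplied by K5/(reliability + K4) only when K5 is non-zero, with the defaults K1 = K3 = 1 and K2 = K4 = K5 = 0, and then splits traffic across the 9600 bps and 19200 bps lines from the slide. The unit conventions (bandwidth term = 10^10 divided by the narrowest link in bps, delay in units of 10 microseconds) and the threshold used for "almost equally good" paths (the IOS variance multiplier) are assumptions matching IOS behaviour, not something the slide states.

```python
# Added example (not from the original slides): IGRP's composite metric with
# Cisco's default constants K1 = K3 = 1, K2 = K4 = K5 = 0, and the traffic
# split between the 9600 bps and 19200 bps lines described on the slide.
# Assumed unit conventions (as in IOS): bandwidth term = 10^10 / narrowest
# link in bps, delay in units of 10 microseconds, load and reliability 1..255.

def igrp_metric(bandwidth_bps, delay_10us, load=1, reliability=255,
                k1=1, k2=0, k3=1, k4=0, k5=0):
    """Composite metric for one path; a lower value is a better path."""
    bw = 10**10 // bandwidth_bps                 # inverse of the narrowest link
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay_10us
    if k5:                                       # reliability factor only when K5 != 0
        metric = metric * k5 // (reliability + k4)
    return metric

def usable_paths(paths, variance=1):
    """Keep paths whose metric is at most `variance` times the best metric.
    variance=1 keeps only equal-cost paths; a larger value admits paths that
    are 'almost equally good' (the IOS variance knob, assumed here)."""
    best = min(metric for _, metric in paths)
    return [(name, metric) for name, metric in paths if metric <= variance * best]

def traffic_share(paths):
    """Split traffic in inverse proportion to the metric: the better path gets more."""
    weights = {name: 1.0 / metric for name, metric in paths}
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}

if __name__ == "__main__":
    # Constructed sample: two serial links with equal delay (2000 x 10 us = 20 ms),
    # one at 9600 bps and one at 19200 bps.
    paths = [("slow", igrp_metric(9600, 2000)), ("fast", igrp_metric(19200, 2000))]
    print(paths)                                  # slow is about twice the metric of fast
    print(usable_paths(paths))                    # variance=1: only the fast line is used
    print(traffic_share(usable_paths(paths, 2)))  # about 1/3 on slow, 2/3 on fast
```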
Multi-protocol Routing
• As routing has evolved, many different routing protocols have been developed, which has forced the need for multi-protocol routing. One of the earliest routing protocols, RIP, is still used, but it has the limitation of 15 "hops". RIP needs to work with IGRP, but RIP cannot be changed, so IGRP has algorithms for working with RIP. Many different routing protocols have the tools to deal with other routing protocols.
Access Lists
• Access lists are filters on a specific port of a router or smart switch. An access list decides whether a packet is to be routed or dropped.
• The access list is a group of statements. Each statement defines a pattern that would be found in an IP packet. As each packet comes through an interface with an associated access list, the list is scanned from top to bottom, in the exact order that it was entered, for a pattern that matches the incoming packet. A permit or deny rule associated with the pattern determines that packet's fate. You can also use a mask, which is like a wild card, to determine how much of an IP source or destination address to apply to the pattern match. The pattern statement can also include a TCP or UDP (User Datagram Protocol) port number.
• Access list statements are entered one line at a time, and the list is scanned for a match in that same order. If you must make a change, you have to re-enter the entire list. Also, keep in mind that once you associate the list with an interface, any packet not processed by the list is dropped by default.
• Once the access list is entered, you must associate it with the interface on the router where you want to apply the filtering. You can apply the list to incoming packets (an "in" access list) or outgoing packets (an "out" access list). In most cases, either list will work. For out access lists, you need to set up the filter only on the one outgoing interface rather than on the individual incoming interfaces. This improves performance because only the network you are protecting will force a lookup on the access list.
Standard ACLs
• Access lists are generally broken into two major groups, standard and extended. Standard access lists only operate on the Network layer of the OSI model. These are used to block or permit networks from reaching other networks. For example, suppose I have a network with a web server on it. I would like to have the router filter traffic going to that web server so that only a few home users and all users at work can access that machine. I could use a standard access list to permit these allowed hosts and deny traffic from every other host on the Internet.
• To enable an access list such as this for IP, we need to configure an access list in the range of 1 to 99. For example:
• access-list 1 permit 206.50.17.0 0.0.0.255
• The first part, "access-list", is what all access lists start with, regardless of what network technology is used. The next part, "1", specifies the number of the access list. To add additional rules to this list, you would start each line with "access-list 1". "permit" indicates to the router that this is a rule specifying what should be allowed. Next is the network and subnet mask pair. Notice, however, that the subnet mask is inverted. Normally, for a /24 you would use a netmask of 255.255.255.0, but in access lists the subnet masks are inverted, so 255.255.255.0 becomes 0.0.0.255. The 255 in this case means ignore the last octet of the address when looking for a matching packet.
Extended ACLs
• Extended access lists function on both layer 3 and layer 4 of the OSI model. That is, they allow you to filter not only by network address but also by the type of traffic that is being sent or received. Extended access lists are much more flexible and allow for much greater control of traffic into and out of your network than standard access lists.
• Let's go through an example to see how extended access lists work.
• fred# config t
• fred(config)# access-list 100 permit udp any 172.50.10.0 0.0.0.255 eq 53
• fred(config)# access-list 100 permit tcp any 172.50.10.0 0.0.0.255 eq 25
• fred(config)# access-list 100 deny tcp 172.50.12.0 0.0.0.255 172.50.10.0 0.0.0.255
• fred(config)# access-list 100 permit tcp any any
• fred(config)# int s1
• fred(config-if)# ip access-group 100 in
• fred(config-if)# exit
• fred(config)# exit
• The first line takes us into configuration mode so that we can set up our access list. The next line configures access list 100 to permit any traffic from 172.50.10.0/24 to reach our network on port 53. I know that this is for inbound traffic because of the line that says "ip access-group 100 in". When designing access lists, it is important to know beforehand whether you are designing your access list for inbound or outbound traffic.
• The third line specifies that SMTP traffic from 172.50.10.0/24 is to be allowed into our network. Next, traffic from 172.50.12.0/24 is not allowed to go to the network 172.50.10.0/24. Finally, any traffic that did not match any of the above rules is allowed by the line that says "access-list 100 permit tcp any any".
Named ACLs
• Named ACLs are much the same as standard or extended ACLs except that they give ACLs names instead of numbers. If your router is running IOS 11.2 or higher, you can create named access lists. Instead of choosing a number between 1 and 99 for standard IP access lists, you can use a custom name, allowing for more lists and more convenient management. The commands to create a named access list are different for standard and extended access lists.
• To create a named access list, use the following command in global configuration mode:
• router(config)#ip access-list {standard | extended} name
• This command will take you into access-list configuration mode, where you can define the deny and permit rules. For example, to create a named access list with the name wwwfilter that permits only access from the networks 192.168.132.0, 172.17.0.0 and 10.0.0.0, use the following commands:
• router(config)#ip access-list standard wwwfilter
• router(config-std-nacl)#permit 192.168.132.0 0.0.0.255
• router(config-std-nacl)#permit 172.17.0.0 0.0.255.255
• router(config-std-nacl)#permit 10.0.0.0 0.255.255.255
• Use the exit command to leave access-list configuration mode.
• A named list is applied to an interface in the same way as a numbered list:
• router(config-if)#ip access-group wwwfilter out
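As an added example (not from the slides), here is a small Python model of the matching rules the Access Lists, Standard ACLs, Extended ACLs and Named ACLs slides describe: statements are scanned top to bottom, the first match decides, the wildcard mask marks the address bits to ignore, and a packet matching no statement is dropped by the implicit deny. The parser only understands the statement forms used on these slides (any, address plus wildcard, eq port); `evaluate` and its packet fields are this example's own helpers, not IOS commands, and the ACL 100 lines are copied from the Extended ACLs slide with the IOS keyword order corrected.

```python
import ipaddress

# Constructed from the extended ACL on the slide (IOS statement order corrected):
ACL_100 = [
    "access-list 100 permit udp any 172.50.10.0 0.0.0.255 eq 53",
    "access-list 100 permit tcp any 172.50.10.0 0.0.0.255 eq 25",
    "access-list 100 deny tcp 172.50.12.0 0.0.0.255 172.50.10.0 0.0.0.255",
    "access-list 100 permit tcp any any",
]

def wildcard_match(addr, network, wildcard):
    """A 1 bit in the wildcard means 'ignore this bit', so 0.0.0.255 matches a /24."""
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def _addr(tokens):
    """Consume 'any' or 'A.B.C.D wildcard' (a missing wildcard means an exact host)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    mask = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    return (tok, mask)

def parse_rule(line):
    """Parse a numbered ('access-list N ...') or named ('permit/deny ...') statement."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                       # drop the keyword and the list number
    rule = {"action": tokens.pop(0), "proto": "ip", "port": None, "dst": ("0.0.0.0", "255.255.255.255")}
    if tokens[0] in ("ip", "tcp", "udp"):         # extended: protocol, source, destination, port
        rule["proto"] = tokens.pop(0)
        rule["src"] = _addr(tokens)
        rule["dst"] = _addr(tokens)
        if tokens and tokens[0] == "eq":
            rule["port"] = int(tokens[1])
    else:                                         # standard: source address only
        rule["src"] = _addr(tokens)
    return rule

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Scan top to bottom; the first matching statement decides the packet's fate."""
    for rule in map(parse_rule, acl_lines):
        if (rule["proto"] in ("ip", proto) and rule["port"] in (None, dport)
                and wildcard_match(src, *rule["src"]) and wildcard_match(dst, *rule["dst"])):
            return rule["action"]
    return "deny"                                 # implicit deny at the end of every list
```

Running `evaluate(ACL_100, "tcp", "172.50.12.7", "172.50.10.5", 25)` returns "permit" even though the third statement denies that source, because the second statement matched first: order is what makes or breaks an access list.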
Practical
• Setting up Server 2003
• We will be setting up Server 2003, beginning with the installation of Server 2003 and ending with the configuration of core Server 2003 roles.
• Install Server 2003 as instructed.
• Set up a static IP.
• Set up Active Directory.
• Set up DNS.
• Set up DHCP.
• Connect the Windows XP computer to the domain.