Cisco : Standard Access Control List

A Cisco standard ACL is an access control list that filters network traffic based only on the source IP address.

Syntax

Creating a Standard ACL (numbered)

Router(config)# access-list [ACL_NUMBER] [permit | deny] [SOURCE_IP] [WILDCARD_MASK]

Example:

Router(config)# access-list 10 permit 192.168.1.100 0.0.0.0

Creating a Standard ACL (named)

Router(config)# ip access-list standard [ACL_NAME]
Router(config-std-nacl)# permit [source] [wildcard-mask]
Router(config-std-nacl)# deny [source] [wildcard-mask]

Example:

Router(config)# ip access-list standard BLOCK_LAN1
Router(config-std-nacl)# deny 192.168.1.0 0.0.0.255
Router(config-std-nacl)# permit any
Router(config-std-nacl)# exit

Applying the ACL to an interface

Router(config)# interface <interface_name>
Router(config-if)# ip access-group <acl_number | acl_name> {in | out}

Example:

Router(config)# interface FastEthernet0/0
Router(config-if)# ip access-group 10 in
Router(config)# interface GigabitEthernet 0/0
Router(config-if)# ip access-group BLOCK_LAN1 in

Troubleshooting

Router# show access-lists

Topology

Goals:

  1. LAN 1 is not allowed to reach Server-B
  2. LAN 2 is not allowed to reach Server-A

Preconfig

* R1 : Preconfig

hostname R1
!
ip dhcp excluded-address 192.168.1.1 
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool LAN1
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
!
ip dhcp pool LAN2
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.252
 no shutdown
!
router ospf 1
 network 172.16.1.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
!

* R2 : Preconfig

hostname R2
!
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 ip address 10.0.2.1 255.255.255.0
 no shutdown
!
interface FastEthernet1/0
 ip address 172.16.1.2 255.255.255.252
 no shutdown
!
router ospf 1
 network 10.0.1.0 0.0.0.255 area 0
 network 10.0.2.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.3 area 0

Configuration

Standard ACLs are generally (if not always) placed as close as possible to the destination, because they match only on source address and would otherwise block that source from reaching everything beyond the filtering point. Extended ACLs, which can match on destination too, are placed as close as possible to the source.

Blocking LAN1 from communicating with Server B

R2(config)#access-list 10 deny 192.168.1.0 0.0.0.255
R2(config)#access-list 10 permit any
R2(config)#interface f0/1
R2(config-if)#ip access-group 10 out
R2(config-if)#exit

Blocking LAN2 from communicating with Server A

R2(config)#access-list 20 deny 192.168.2.0 0.0.0.255
R2(config)#access-list 20 permit any
R2(config)#interface fa0/0
R2(config-if)#ip access-group 20 out
R2(config-if)#exit
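To make the matching rules behind the two ACLs above concrete, here is an added Python model (not part of the original page and not Cisco code) of how a standard ACL is evaluated: the wildcard mask marks the bits that must match (0) and the bits that are ignored (1), entries are tried top to bottom and the first match wins, and a packet matching no entry hits the implicit deny at the end. The R2 interface table, the subnet each interface serves and the outbound ACL assignments are taken from the configuration above; the function names and the packet samples are constructed for this example.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny SRC [WILDCARD]' lines into {N: [(action, base, wildcard)]}.
    Accepts the 'any' and 'host' shorthands; a missing wildcard means 0.0.0.0 (exact host)."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # not an ACL entry (blank line, comment, other config)
        number, action, src = parts[1], parts[2], parts[3]
        if src == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif src == "host":
            base, wc = parts[4], "0.0.0.0"
        else:
            base = src
            wc = parts[4] if len(parts) > 4 else "0.0.0.0"
        acls.setdefault(number, []).append((action, base, wc))
    return acls

def evaluate(acl, src_ip):
    """First matching entry decides; no match at all means the implicit 'deny any'."""
    for action, base, wc in acl:
        if wildcard_match(src_ip, base, wc):
            return action
    return "deny"

# The two numbered ACLs configured on R2 above.
R2_ACL_CONFIG = """
access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit any
access-list 20 deny 192.168.2.0 0.0.0.255
access-list 20 permit any
""".strip().splitlines()

# Outbound ACL per R2 interface and the subnet behind it (from the preconfig above).
R2_INTERFACES = {
    "FastEthernet0/0": {"network": "10.0.1.0/24", "out_acl": "20"},  # toward Server A
    "FastEthernet0/1": {"network": "10.0.2.0/24", "out_acl": "10"},  # toward Server B
}

def forward(src_ip, dst_ip, config=R2_ACL_CONFIG, interfaces=R2_INTERFACES):
    """Pick R2's egress interface by destination subnet and apply its outbound ACL.
    Returns 'permit', 'deny', or 'no-route' when no interface serves the destination."""
    acls = parse_standard_acl(config)
    dst = ipaddress.IPv4Address(dst_ip)
    for iface in interfaces.values():
        if dst in ipaddress.IPv4Network(iface["network"]):
            return evaluate(acls.get(iface["out_acl"], []), src_ip)
    return "no-route"

if __name__ == "__main__":
    # Constructed samples mirroring the test pings: PC-A1 (LAN1) and PC-B1 (LAN2) to both servers.
    for src, dst in [("192.168.1.2", "10.0.1.2"), ("192.168.1.2", "10.0.2.2"),
                     ("192.168.2.2", "10.0.1.2"), ("192.168.2.2", "10.0.2.2")]:
        print(f"{src} -> {dst}: {forward(src, dst)}")
    # Forgetting 'permit any' leaves only the implicit deny, so every other source is dropped too.
    only_deny = parse_standard_acl(["access-list 30 deny 192.168.1.0 0.0.0.255"])["30"]
    print("ACL 30 without 'permit any', source 10.0.9.9:", evaluate(only_deny, "10.0.9.9"))
```

Running the model reproduces the outcome of the ping tests: LAN1 reaches Server A but is denied on the way to Server B, and LAN2 the reverse. The last line shows the check worth making after every standard ACL: an ACL that ends in a deny with no explicit permit drops all traffic leaving that interface, which is the usual cause of "everything broke" after applying a filter.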

Testing

* Test ping from LAN1 to Server A & B

PC-A1> show ip
 
NAME        : PC-A1[1]
IP/MASK     : 192.168.1.2/24
GATEWAY     : 192.168.1.1
DNS         :
MAC         : 00:50:79:66:68:2c
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500
 
PC-A1> ping 10.0.1.2
 
84 bytes from 10.0.1.2 icmp_seq=1 ttl=62 time=95.125 ms
84 bytes from 10.0.1.2 icmp_seq=2 ttl=62 time=65.038 ms
84 bytes from 10.0.1.2 icmp_seq=3 ttl=62 time=60.712 ms
84 bytes from 10.0.1.2 icmp_seq=4 ttl=62 time=63.358 ms
84 bytes from 10.0.1.2 icmp_seq=5 ttl=62 time=50.142 ms
 
PC-A1> ping 10.0.2.2
 
*172.16.1.2 icmp_seq=1 ttl=254 time=45.899 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=2 ttl=254 time=32.774 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=3 ttl=254 time=45.168 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=4 ttl=254 time=34.268 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=5 ttl=254 time=42.260 ms (ICMP type:3, code:13, Communication administratively prohibited)

* Test ping from LAN2 to Server A & B

PC-B1> show ip
 
NAME        : PC-B1[1]
IP/MASK     : 192.168.2.2/24
GATEWAY     : 192.168.2.1
DNS         :
DHCP SERVER : 192.168.2.1
DHCP LEASE  : 67259, 86400/43200/75600
MAC         : 00:50:79:66:68:2d
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500
 
PC-B1> ping 10.0.1.2
 
*172.16.1.2 icmp_seq=1 ttl=254 time=46.086 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=2 ttl=254 time=47.608 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=3 ttl=254 time=47.629 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=4 ttl=254 time=46.073 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=5 ttl=254 time=46.126 ms (ICMP type:3, code:13, Communication administratively prohibited)
 
PC-B1> ping 10.0.2.2
 
84 bytes from 10.0.2.2 icmp_seq=1 ttl=62 time=83.063 ms
84 bytes from 10.0.2.2 icmp_seq=2 ttl=62 time=67.256 ms
84 bytes from 10.0.2.2 icmp_seq=3 ttl=62 time=61.611 ms
84 bytes from 10.0.2.2 icmp_seq=4 ttl=62 time=61.236 ms
84 bytes from 10.0.2.2 icmp_seq=5 ttl=62 time=62.238 ms