Differences

This shows you the differences between two versions of the page.

--- networking:cisco:std-acl [2026/02/04 22:38] – [Cisco : Standard Access Control List [U]] ilyasa
+++ networking:cisco:std-acl [2026/02/04 22:48] (current) – ilyasa
@@ Line 2: / Line 2: @@
 ====== Cisco : Standard Access Control List ======
 ACL Standard Cisco adalah sebuah daftar akses kontrol yang digunakan untuk menyaring lalu lintas jaringan berdasarkan Source IP Address.
 ===== Syntax =====
-==== Some acction ====
+==== Membuat Standard ACL (number) ====
-^ Command ^ Description ^
-| ''S1(config)#vlan [vlan-ID]'' | Membuat VLAN baru dan menetapkan nomor VLAN |
+<code js>
-| ''S1(config-vlan)#name [name]'' | Memberikan nama pada VLAN |
+Router(config)# access-list [ACL_NUMBER] [permit | deny] [SOURCE_IP] [WILDCARD_MASK]
+</code>
+  * ACL_NUMBER : 1-99 atau 1300-1999
+  * permit: Mengizinkan lalu lintas dari alamat IP yang ditentukan.
+  * deny: Menolak lalu lintas dari alamat IP yang ditentukan.
+  * SOURCE_IP: source ip address yang ingin di filter.
+  * WILDCARD_MASK: Menentukan range network source ip.
 Contoh:
-<code>
-vlan 10
+<code js>
- name VLAN-10
+Router(config)# access-list 10 permit  192.168.1.100 0.0.0.0
-vlan 20
+</code>
- name VLAN-20
-vlan 99
+==== Membuat Standard ACL (Named) ====
- name VLAN-Management
+<code js>
+Router(config)# ip access-list standard [ACL_NAME]
+Router(config-std-nacl)# permit [source] [wildcard-mask]
+Router(config-std-nacl)# deny [source] [wildcard-mask]
+</code>
+contoh:
+<code js>
+Router(config)# ip access-list standard BLOCK_LAN1
+Router(config-std-nacl)# deny 192.168.1.0 0.0.0.255
+Router(config-std-nacl)# permit any
+Router(config-std-nacl)# exit
+</code>
+==== Terapkan ACL ke interface ====
+<code js>
+Router(config)# interface <nama_interface>
+Router(config-if)# access-list <nomor_acl>/<named_acl> in/out
+</code>
+  * in: Menerapkan ACL pada paket yang kearah interface.
+  * out: Menerapkan ACL pada paket yang keluar dari interface.
+Contoh:
+<code js>
+Router(config)# interface FastEthernet0/0
+Router(config-if)# access-list 10 in
+</code>
+<code js>
+Router(config)# interface GigabitEthernet 0/0
+Router(config-if)# ip access-group BLOCK_LAN1 in
+</code>
+==== Troubleshot ====
+<code js>
+Router# show access-lists
 </code>
 ===== Topologi =====
-Gambar topology
+{{ :networking:cisco:cisco_standardacl.png?nolink |}}
-Goals Topology
+Tujuan:
+  - LAN 1 Dilarang mengakses Server-B
+  - LAN 2 Dilarang mengakses Server-C
+<hidden preconfig>
+* **R1 : Preconfig**
+<code js>
+hostname R1
+!
+ip dhcp excluded-address 192.168.1.1
+ip dhcp excluded-address 192.168.2.1
+!
+ip dhcp pool LAN1
+   network 192.168.1.0 255.255.255.0
+   default-router 192.168.1.1
+!
+ip dhcp pool LAN2
+   network 192.168.2.0 255.255.255.0
+   default-router 192.168.2.1
+interface FastEthernet0/0
+ ip address 192.168.1.1 255.255.255.0
+ no shutdown
+!
+interface FastEthernet0/1
+ ip address 192.168.2.1 255.255.255.0
+ no shutdown
+!
+interface FastEthernet1/0
+ ip address 172.16.1.1 255.255.255.25
+ no shutdown
+!
+router ospf 1
+ network 172.16.1.0 0.0.0.3 area 0
+ network 192.168.1.0 0.0.0.255 area 0
+ network 192.168.2.0 0.0.0.255 area 0
+!
+</code>
+* **R2 : Preconfig**
+<code js>
+hostname R2
+!
+interface FastEthernet0/0
+ ip address 10.0.1.1 255.255.255.0
+ no shutdown
+!
+interface FastEthernet0/1
+ ip address 10.0.2.1 255.255.255.0
+ no shutdown
+!
+interface FastEthernet1/0
+ ip address 172.16.1.2 255.255.255.252
+ no shutdown
+!
+router ospf 1
+ network 10.0.1.0 0.0.0.255 area 0
+ network 10.0.2.0 0.0.0.255 area 0
+ network 172.16.1.0 0.0.0.3 area 0
+</code>
+</hidden>
 ===== Konfigurasi =====
-  * **Step 1 : Pembuatan VLANs**
+<WRAP center round tip 90%>
-<code>
+Standar ACL umumnya - jika tidak selalu - ditempatkan paling dekat dengan tujuan. Sedangkan Extended ACL ditempatkan paling dekat dengan sumber.
-Switch(config)#vlan 10
+</WRAP>
-Switch(config-vlan)#name BIRU
-Switch(config-vlan)#exit
-Switch(config)#vlan 20
+==== Blocking LAN1 untuk berkomunikasi dengan Server B ====
-Switch(config-vlan)#name MAGENTA
-Switch(config-vlan)#exit
+  * Router terdekat dengan tujuan addlah R2, mari kita buat rulesnya
+<code js>
+R2(config)#access-list 10 deny 192.168.1.0 0.0.0.255
+R2(config)#access-list 10 permit any
 </code>
-  * **Step 2 : Assign VLANs ke Ports**
-<code>
-Switch(config)#interface f0/1
-Switch(config-if)#switchport mode access
-Switch(config-if)#switchport access vlan 10
-Switch(config-if)#exit
-Switch(config)#interface f0/2
+  * Terapkan pada interface menuju server B Fa0/1
-Switch(config-if)#switchport mode access
-Switch(config-if)#switchport access vlan 10
+<code js>
-Switch(config-if)#exit
+R2(config)#interface f0/1
+R2(config-if)#ip access-group 10 out
+R2(config-if)#exit
+</code>
+==== Blocking LAN2 untuk berkomunikasi dengan Server A ====
+<code js>
+R2(config)#access-list 20 deny 192.168.2.0 0.0.0.255
+R2(config)#access-list 20 permit any
+</code>
+  * Terapkan pada interface menuju server A Fa1/1
+<code js>
+R2(config)#interface fa0/0
+R2(config-if)#ip access-group 20 out
+R2(config-if)#exit
 </code>
 ===== Testing =====
+* **Tets ping LAN1 ke Server A & B**
+<code js>
+PC-A1> show ip
+NAME        : PC-A1[1]
+IP/MASK     : 192.168.1.2/24
+GATEWAY     : 192.168.1.1
+DNS         :
+MAC         : 00:50:79:66:68:2c
+LPORT       : 20000
+RHOST:PORT  : 127.0.0.1:30000
+MTU         : 1500
+PC-A1> ping 10.0.1.2
+bytes from 10.0.1.2 icmp_seq=1 ttl=62 time=95.125 ms
+bytes from 10.0.1.2 icmp_seq=2 ttl=62 time=65.038 ms
+bytes from 10.0.1.2 icmp_seq=3 ttl=62 time=60.712 ms
+bytes from 10.0.1.2 icmp_seq=4 ttl=62 time=63.358 ms
+bytes from 10.0.1.2 icmp_seq=5 ttl=62 time=50.142 ms
+PC-A1> ping 10.0.2.2
+*172.16.1.2 icmp_seq=1 ttl=254 time=45.899 ms (ICMP type:3, code:13, Communication administratively prohibited)
+*172.16.1.2 icmp_seq=2 ttl=254 time=32.774 ms (ICMP type:3, code:13, Communication administratively prohibited)
+*172.16.1.2 icmp_seq=3 ttl=254 time=45.168 ms (ICMP type:3, code:13, Communication administratively prohibited)
+*172.16.1.2 icmp_seq=4 ttl=254 time=34.268 ms (ICMP type:3, code:13, Communication administratively prohibited)
+*172.16.1.2 icmp_seq=5 ttl=254 time=42.260 ms (ICMP type:3, code:13, Communication administratively prohibited)
+</code>
+* **Tets ping LAN2 ke Server A & B**
+<code js>
+PC-B1> show ip
+NAME        : PC-B1[1]
+IP/MASK     : 192.168.2.2/24
+GATEWAY     : 192.168.2.1
+DNS         :
+DHCP SERVER : 192.168.2.1
+DHCP LEASE  : 67259, 86400/43200/75600
+MAC         : 00:50:79:66:68:2d
+LPORT       : 20000
+RHOST:PORT  : 127.0.0.1:30000
+MTU         : 1500
+PC-B1> ping 10.0.1.2
+*172.16.1.2 icmp_seq=1 ttl=254 time=46.086 ms (ICMP type:3, code:13, Communication administratively prohibited)
+*172.16.1.2 icmp_seq=2 ttl=254 time=47.608 ms (ICMP type:3, code:13, Communication administratively prohibited)
+*172.16.1.2 icmp_seq=3 ttl=254 time=47.629 ms (ICMP type:3, code:13, Communication administratively prohibited)
+*172.16.1.2 icmp_seq=4 ttl=254 time=46.073 ms (ICMP type:3, code:13, Communication administratively prohibited)
+*172.16.1.2 icmp_seq=5 ttl=254 time=46.126 ms (ICMP type:3, code:13, Communication administratively prohibited)
+PC-B1> ping 10.0.2.2
+bytes from 10.0.2.2 icmp_seq=1 ttl=62 time=83.063 ms
+bytes from 10.0.2.2 icmp_seq=2 ttl=62 time=67.256 ms
+bytes from 10.0.2.2 icmp_seq=3 ttl=62 time=61.611 ms
+bytes from 10.0.2.2 icmp_seq=4 ttl=62 time=61.236 ms
+bytes from 10.0.2.2 icmp_seq=5 ttl=62 time=62.238 ms
+</code>