{{indexmenu_n>060}}
====== Cisco : Standard Access Control List ======
A Cisco standard ACL is an access control list that filters network traffic based on the source IP address only.

===== Syntax =====
==== Creating a Standard ACL (numbered) ====
<code js>
Router(config)# access-list [ACL_NUMBER] [permit | deny] [SOURCE_IP] [WILDCARD_MASK]
</code>
  * ACL_NUMBER: 1-99 or 1300-1999
  * permit: allows traffic from the specified source IP address.
  * deny: blocks traffic from the specified source IP address.
  * SOURCE_IP: the source IP address to filter on.
  * WILDCARD_MASK: defines the range of source addresses to match (bits set to 1 in the wildcard are ignored).

Example:
<code js>
Router(config)# access-list 10 permit 192.168.1.100 0.0.0.0
</code>

==== Creating a Standard ACL (named) ====
<code js>
Router(config)# ip access-list standard [ACL_NAME]
Router(config-std-nacl)# permit [source] [wildcard-mask]
Router(config-std-nacl)# deny [source] [wildcard-mask]
</code>
Example:
<code js>
Router(config)# ip access-list standard BLOCK_LAN1
Router(config-std-nacl)# deny 192.168.1.0 0.0.0.255
Router(config-std-nacl)# permit any
Router(config-std-nacl)# exit
</code>

==== Applying the ACL to an interface ====
<code js>
Router(config)# interface <interface_name>
Router(config-if)# ip access-group <acl_number>|<acl_name> in|out
</code>
  * in: applies the ACL to packets entering the interface.
  * out: applies the ACL to packets leaving the interface.
Example:
<code js>
Router(config)# interface FastEthernet0/0
Router(config-if)# ip access-group 10 in
</code>
<code js>
Router(config)# interface GigabitEthernet 0/0
Router(config-if)# ip access-group BLOCK_LAN1 in
</code>

==== Troubleshooting ====
<code js>
Router# show access-lists
</code>

===== Topology =====
{{ :networking:cisco:cisco_standardacl.png?nolink |}}
Objectives:
  - LAN 1 must not be able to reach Server-B
  - LAN 2 must not be able to reach Server-A

<hidden preconfig>
  * **R1 : Preconfig**
<code js>
hostname R1
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool LAN1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
ip dhcp pool LAN2
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.252
 no shutdown
!
router ospf 1
 network 172.16.1.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
</code>
  * **R2 : Preconfig**
<code js>
hostname R2
!
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 ip address 10.0.2.1 255.255.255.0
 no shutdown
!
interface FastEthernet1/0
 ip address 172.16.1.2 255.255.255.252
 no shutdown
!
router ospf 1
 network 10.0.1.0 0.0.0.255 area 0
 network 10.0.2.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.3 area 0
</code>
</hidden>

===== Configuration =====
<WRAP center round tip 90%>
Standard ACLs are generally, if not always, placed as close as possible to the destination, because they match on the source address only. Extended ACLs are placed as close as possible to the source.
</WRAP>

==== Blocking LAN1 from communicating with Server B ====
  * The router closest to the destination is R2, so the rules are created there:
<code js>
R2(config)#access-list 10 deny 192.168.1.0 0.0.0.255
R2(config)#access-list 10 permit any
</code>
  * Apply it outbound on the interface toward Server B, Fa0/1:
<code js>
R2(config)#interface f0/1
R2(config-if)#ip access-group 10 out
R2(config-if)#exit
</code>

==== Blocking LAN2 from communicating with Server A ====
<code js>
R2(config)#access-list 20 deny 192.168.2.0 0.0.0.255
R2(config)#access-list 20 permit any
</code>
  * Apply it outbound on the interface toward Server A, Fa0/0:
<code js>
R2(config)#interface fa0/0
R2(config-if)#ip access-group 20 out
R2(config-if)#exit
</code>

===== Testing =====
  * **Ping test from LAN1 to Server A & B**
<code js>
PC-A1> show ip

NAME        : PC-A1[1]
IP/MASK     : 192.168.1.2/24
GATEWAY     : 192.168.1.1
DNS         :
MAC         : 00:50:79:66:68:2c
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

PC-A1> ping 10.0.1.2
84 bytes from 10.0.1.2 icmp_seq=1 ttl=62 time=95.125 ms
84 bytes from 10.0.1.2 icmp_seq=2 ttl=62 time=65.038 ms
84 bytes from 10.0.1.2 icmp_seq=3 ttl=62 time=60.712 ms
84 bytes from 10.0.1.2 icmp_seq=4 ttl=62 time=63.358 ms
84 bytes from 10.0.1.2 icmp_seq=5 ttl=62 time=50.142 ms

PC-A1> ping 10.0.2.2
*172.16.1.2 icmp_seq=1 ttl=254 time=45.899 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=2 ttl=254 time=32.774 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=3 ttl=254 time=45.168 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=4 ttl=254 time=34.268 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=5 ttl=254 time=42.260 ms (ICMP type:3, code:13, Communication administratively prohibited)
</code>
  * **Ping test from LAN2 to Server A & B**
<code js>
PC-B1> show ip

NAME        : PC-B1[1]
IP/MASK     : 192.168.2.2/24
GATEWAY     : 192.168.2.1
DNS         :
DHCP SERVER : 192.168.2.1
DHCP LEASE  : 67259, 86400/43200/75600
MAC         : 00:50:79:66:68:2d
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

PC-B1> ping 10.0.1.2
*172.16.1.2 icmp_seq=1 ttl=254 time=46.086 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=2 ttl=254 time=47.608 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=3 ttl=254 time=47.629 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=4 ttl=254 time=46.073 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=5 ttl=254 time=46.126 ms (ICMP type:3, code:13, Communication administratively prohibited)

PC-B1> ping 10.0.2.2
84 bytes from 10.0.2.2 icmp_seq=1 ttl=62 time=83.063 ms
84 bytes from 10.0.2.2 icmp_seq=2 ttl=62 time=67.256 ms
84 bytes from 10.0.2.2 icmp_seq=3 ttl=62 time=61.611 ms
84 bytes from 10.0.2.2 icmp_seq=4 ttl=62 time=61.236 ms
84 bytes from 10.0.2.2 icmp_seq=5 ttl=62 time=62.238 ms
</code>

networking/cisco/std-acl.txt Last modified: 2026/02/04 22:48 by ilyasa
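To check the intended effect of the two outbound ACLs on R2 before they are pushed to the router, the following Python model of IOS standard ACL evaluation (an added example, not code from this page or from Cisco) implements wildcard-mask matching, first-match-wins ordering and the implicit deny at the end of every ACL, then replays the four ping tests above. The interface-to-network mapping and the host addresses 10.0.1.2 (Server A) and 10.0.2.2 (Server B) are assumptions taken from the preconfig and the test output; `at_source` shows why the placement tip matters, since the same ACL applied inbound at R1 would cut LAN1 off from Server A as well.

```python
import ipaddress

# Constructed model of the two standard ACLs configured on R2 on this page
# (access-list 10 / 20: one deny line followed by "permit any").
ACLS = {
    10: [("deny", "192.168.1.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")],
    20: [("deny", "192.168.2.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")],
}
# "ip access-group N out" bindings on R2, keyed by egress interface; the network
# behind each interface is assumed from the R2 preconfig.
OUTBOUND = {"Fa0/0": ("10.0.1.0/24", 20), "Fa0/1": ("10.0.2.0/24", 10)}


def wildcard_match(src, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def evaluate_acl(entries, src):
    """Entries are checked top-down and the first match decides; no match is the implicit deny."""
    for action, network, wildcard in entries:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


def forward(src, dst):
    """Verdict for a packet leaving R2 toward dst, per the outbound ACL on its egress interface."""
    for _iface, (net, acl_number) in OUTBOUND.items():
        if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(net):
            return evaluate_acl(ACLS[acl_number], src)
    return "permit"  # no ACL bound on that interface


def at_source(acl_number, src, dsts):
    """The same ACL applied inbound on R1's LAN interface instead: the destination is never
    consulted, so every destination gets the same verdict (the point of the placement tip)."""
    return {dst: evaluate_acl(ACLS[acl_number], src) for dst in dsts}


if __name__ == "__main__":
    # PC-A1 (LAN1) and PC-B1 (LAN2) against Server A and Server B, as in the ping tests.
    for src in ("192.168.1.2", "192.168.2.2"):
        for dst in ("10.0.1.2", "10.0.2.2"):
            print(f"{src} -> {dst}: {forward(src, dst)}")
    print("ACL 10 inbound at R1:", at_source(10, "192.168.1.2", ["10.0.1.2", "10.0.2.2"]))
```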