¶ Overview
Pada halaman ini kita akan konfigurasi Access control list standard. ACL Standard Cisco adalah sebuah daftar akses kontrol yang digunakan untuk menyaring lalu lintas jaringan berdasarkan Source IP Address.
Langsung saja ke syntax dan topologi.
¶ Syntax
Berikut adallah syntax dalam menkongfigurasi standard ACL:
¶ Membuat Standard ACL (number)
Router(config)# access-list [ACL_NUMBER] [permit | deny] [SOURCE_IP] [WILDCARD_MASK]
- ACL_NUMBER : 1-99 atau 1300-1999
- permit: Mengizinkan lalu lintas dari alamat IP yang ditentukan.
- deny: Menolak lalu lintas dari alamat IP yang ditentukan.
- SOURCE_IP: source ip address yang ingin di filter.
- WILDCARD_MASK: Menentukan range network source ip.
Contoh:
Router(config)# access-list 10 permit 192.168.1.100 0.0.0.0
¶ Membuat Standard ACL (Named)
Router(config)# ip access-list standard [ACL_NAME]
Router(config-std-nacl)# permit [source] [wildcard-mask]
Router(config-std-nacl)# deny [source] [wildcard-mask]
contoh:
Router(config)# ip access-list standard BLOCK_LAN1
Router(config-std-nacl)# deny 192.168.1.0 0.0.0.255
Router(config-std-nacl)# permit any
Router(config-std-nacl)# exit
¶ Terapkan ACL ke interface
Router(config)# interface <nama_interface>
Router(config-if)# access-list <nomor_acl>/<named_acl> in/out
- in: Menerapkan ACL pada paket yang kearah interface.
- out: Menerapkan ACL pada paket yang keluar dari interface.
Contoh:
Router(config)# interface FastEthernet0/0
Router(config-if)# access-list 10 in
Router(config)# interface GigabitEthernet 0/0
Router(config-if)# ip access-group BLOCK_LAN1 in
¶ Troubleshot
Router# show access-lists
¶ Topologi
Tujuan:
- LAN 1 Dilarang mengakses Server-B
- LAN 2 Dilarang mengakses Server-C
¶ Konfigurasi
¶ Preconfiguration
hostname R1
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool LAN1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip dhcp pool LAN2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no shutdown
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
no shutdown
!
interface FastEthernet1/0
ip address 172.16.1.1 255.255.255.25
no shutdown
!
router ospf 1
network 172.16.1.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
!
hostname R2
!
interface FastEthernet0/0
ip address 10.0.1.1 255.255.255.0
no shutdown
!
interface FastEthernet0/1
ip address 10.0.2.1 255.255.255.0
no shutdown
!
interface FastEthernet1/0
ip address 172.16.1.2 255.255.255.252
no shutdown
!
router ospf 1
network 10.0.1.0 0.0.0.255 area 0
network 10.0.2.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.3 area 0
¶ Konfigurasi Standard ACL
Standar ACL umumnya - jika tidak selalu - ditempatkan paling dekat dengan tujuan. Sedangkan Extended ACL ditempatkan paling dekat dengan sumber.
¶ Blocking LAN1 untuk berkomunikasi dengan Server B
- Router terdekat dengan tujuan addlah R2, mari kita buat rulesnya
R2(config)#access-list 10 deny 192.168.1.0 0.0.0.255
R2(config)#access-list 10 permit any
- Terapkan pada interface menuju server B Fa0/1
R2(config)#interface f0/1
R2(config-if)#ip access-group 10 out
R2(config-if)#exit
¶ Blocking LAN2 untuk berkomunikasi dengan Server A
R2(config)#access-list 20 deny 192.168.2.0 0.0.0.255
R2(config)#access-list 20 permit any
- Terapkan pada interface menuju server A Fa1/1
R2(config)#interface fa0/0
R2(config-if)#ip access-group 20 out
R2(config-if)#exit
¶ Verify
¶ LAN1 To Server A dan Server B
PC-A1> show ip
NAME : PC-A1[1]
IP/MASK : 192.168.1.2/24
GATEWAY : 192.168.1.1
DNS :
MAC : 00:50:79:66:68:2c
LPORT : 20000
RHOST:PORT : 127.0.0.1:30000
MTU : 1500
PC-A1> ping 10.0.1.2
84 bytes from 10.0.1.2 icmp_seq=1 ttl=62 time=95.125 ms
84 bytes from 10.0.1.2 icmp_seq=2 ttl=62 time=65.038 ms
84 bytes from 10.0.1.2 icmp_seq=3 ttl=62 time=60.712 ms
84 bytes from 10.0.1.2 icmp_seq=4 ttl=62 time=63.358 ms
84 bytes from 10.0.1.2 icmp_seq=5 ttl=62 time=50.142 ms
PC-A1> ping 10.0.2.2
*172.16.1.2 icmp_seq=1 ttl=254 time=45.899 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=2 ttl=254 time=32.774 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=3 ttl=254 time=45.168 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=4 ttl=254 time=34.268 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=5 ttl=254 time=42.260 ms (ICMP type:3, code:13, Communication administratively prohibited)
¶ LAN2 To Server A dan Server B
PC-B1> show ip
NAME : PC-B1[1]
IP/MASK : 192.168.2.2/24
GATEWAY : 192.168.2.1
DNS :
DHCP SERVER : 192.168.2.1
DHCP LEASE : 67259, 86400/43200/75600
MAC : 00:50:79:66:68:2d
LPORT : 20000
RHOST:PORT : 127.0.0.1:30000
MTU : 1500
PC-B1> ping 10.0.1.2
*172.16.1.2 icmp_seq=1 ttl=254 time=46.086 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=2 ttl=254 time=47.608 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=3 ttl=254 time=47.629 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=4 ttl=254 time=46.073 ms (ICMP type:3, code:13, Communication administratively prohibited)
*172.16.1.2 icmp_seq=5 ttl=254 time=46.126 ms (ICMP type:3, code:13, Communication administratively prohibited)
PC-B1> ping 10.0.2.2
84 bytes from 10.0.2.2 icmp_seq=1 ttl=62 time=83.063 ms
84 bytes from 10.0.2.2 icmp_seq=2 ttl=62 time=67.256 ms
84 bytes from 10.0.2.2 icmp_seq=3 ttl=62 time=61.611 ms
84 bytes from 10.0.2.2 icmp_seq=4 ttl=62 time=61.236 ms
84 bytes from 10.0.2.2 icmp_seq=5 ttl=62 time=62.238 ms