How to Configure Standard Access Control List in a Packet Tracer
How to Configure Standard Access Control
List in a Packet Tracer and GNS 3
1 Access List, Standard 02:17
ACL-Access Control List (Named Access List and Number Access List).If we use numbers
to refer access list it is numbered access list.If we use Name to refer access list it is named
access list.
we are using access list to permit or deny ip packets based on our requirements.There are two
types,
1.Standard Access List
2.Extended Access List
Here we are going to see how to configure standard access list with a simple topology in a
packet tracer,
Step 1:Create a topology like this,
Step 2:Configure router with ip address that i have given in topolgy.Assign ip address to all
PC and server like in topology.
In Router,global configuration
Router(config)#interface fastethernet0/0
Router(config-if)#ip address 10.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastethernet1/0
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Step 3:Three steps to configure access list on router,
1) Creating Standard Access List
2) Choosing an Interface for Binding
3) Choosing In/Out
Step 4:Create an Standard Ip access list to deny a host 10.0.0.3 to server.
In standard access list, it filters based on source ip address.we can't deny of permit packets to
destination or particular ports for that we have use extended access list later we see this,Now
lets we create a standard access list based on above statement i have given.
Create Access List:
Router(config)#access-list 1 deny host 10.0.0.3 (or)
Router(config)#access-list 1 deny 10.0.0.3 0.0.0.0
Router(config)#access-list 1 permit any
where '1' is a number.It refers, this as a Standard accesss control list.It can be '1 to 99' and
'1300 to 1999'.
'Deny' Allows router to deny the packet that matches this statement.
'Host 10.0.0.3' when we configure like this it refers 'Only this host will be permitted or
denied' or we should configure with wild card mask '0.0.0.0' it means router checks for entire
four octets if matched then it will process based on access list.
'Implict deny' at bottom of all access list so we have to give permit any command at last
otherwise ip addres that doesn't match above statement will be denied.Access list always
proccesed from top to bottom so we should configure access list in order.we should not
configure 'permit any' statement first and then deny,If we configure permit any statement
first, access list will check first statement if matches it will forward the packet and it won't go
for next statement that 'deny'.Always we should configure 'deny' statement first.
Choose Interface for Binding whether In or Out:
Always we have to choose an interface near to the source as much as possible.Sometime
based on some access list statement we need to choose interface that packets go out of the
router.we should try to use router interface that receives a packet from PC in a LAN.
So,I am going to choose 'interface fastethernet0/0' .Before that i am going to check access list
status for this interface.
In Privileged Mode,
Router#show ip interface fastethernet0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 10.0.0.1/8
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
In global configuration,
Router(config)#interface fastethernet0/0
Router(config-if)#ip access-group 1 in
Router(config-if)#exit
where '1' refers access list 1 and packets that comes into the router will be filtered based on
access list.
Now,Check the access list status on this interface.
In Privileged Mode,
Router#show ip interface fastethernet0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 10.0.0.1/8
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Now , go to the host that configured with ip address 10.0.0.3 and try to ping 20.0.0.2.This is
the response i have got before and after configure access list.
This is the response for other host.
To deny whole network,
Router(config)#access-list 1 deny 10.0.0.0 0.255.255.255
Here we are permitting whole network that 1,67,77,216 ip address
To permit one host others should be denied,i am going to pemit 10.0.0.2
Router(config)#access-list 1 permit 10.0.0.2 0.0.0.0
(or)
Router(config)#access-list 1 permit host 10.0.0.2
Here,Implicit deny in all access list will deny other host.
To permit a series of ip address,i am going permit 10.0.0.0 to 10.0.0.3 other ip address others
should be blocked.
Router(config)#access-list 1 permit 10.0.0.0 0.0.0.3
'0.0.0.3' by this router knows that the next ip address from 10.0.0.0 should be pemitted others
blocked.Total ip address 4.
Some more example for subnetted Networks,
Router(config)#access-list 1 permit 10.0.0.0 0.0.0.255
Here, From 10.0.0.0-10.0.0.255 will be permitted,Total ip address 256
Network 10.0.0.0/24 Range of ip's 10.0.0.0 -10.0.0.255
Router(config)#access-list 1 permit 10.0.0.0 0.0.1.255
Network 10.0.0.0/23 Range of ip's 10.0.0.0 -10.0.1.255
Here,From 10.0.0.0-10.0.1.255 will be permitted,Total ip address 512
Router(config)#access-list 1 permit 10.0.32.0 0.0.15.255
Here , From 10.0.0.0 -10.0.15.255 will be permitted,Total ip address 4096.This is the network
subnetted from Class A network.
Network 10.0.32.0/20, Range of Ip's 10.0.32.0-10.0.47.255
So, from 10.0.32.0- 10.0.47.255 ip address are belongs to this network.Here we are
permitting whole subnetted network.Now, we see how to pemit or deny some of the network
ip address from this subnet.
Router(config)#access-list 1 deny 10.0.32.0 0.0.3.255
Router(config)#access-list 1 permit any
Here ,Ip from 10.0.32.0 - 10.0.35.255 will be denied other ip address will be permitted.i.e
from 10.0.36.0-10.0.47.255 will be permitted.
Trouble Shooting Commands,
Router#show ip access-lists 1
Standard IP access list 1
deny host 10.0.0.3
permit any
Router#show access-lists
, 'To see all access list'.
Router#show access-lists , ' name we use for access list'.
Simulasi ACL Standard di Cisco Packet Tracer
Hai Teman ?? Kali ini saya akan memberikan penjelasan tentang cara Konfggrasi
ACL Standard pada Cisco Packet Tracer.Pada kesempatan sebelgmnya saya jgga
telah melakgkan konfggrasi Port Secgrity pada Switch yang dapat dilihat disini.
Ngomong-omong apa sih ACL Standart itg? Ygk simak penjelasan lebih
lengkapnya pada artikel dibawah ini.
A. Pengertian
Access Control List (ACL) merupakan daftar kondisi yang dirancang sedemikian rupa
oleh administrator jaringan untuk mengontrol akses-akses ke dan dari interface-interface
router, mencegah trafik-trafik tertentu untuk masuk ke jaringan atau sebaliknya,
mencegah trafik-trafik untuk keluar dari jaringan. Access list dapat mengizinkan host-host
tertentu mengakses bagian tertentu dalam jaringan, dan mencegah host lainnya
mengakses area yang sama.
Atau lebih mudahnya ACL (Access Control List) adalah firewall pada Router/switch Cisco
untuk mem-filter (men-deny atau meng-allow) packet yang masuk ataupun keluar.
Karakterisik ACL secara umum
Menentgkan tipe trafc yang akan di control
Menentgkan karakteristrik trafc
Mengidentifkasi trafc dengan permit atag deny
Dapat men-deny trafc spesifk atag secara keselgrghan
Terdapat implisit deny any pada akhir baris access list secara defaglt
Masing-masing baris hanya gntgk satg protokol spesifk
masing protocol, satg incoming trafc dan satg ogtgoing trafcMasing-
masing interface rogter maksimal hanya pgnya dga access list gntgk
masing-
Ketika access list di assign gntgk interface, tentgkan apakah gntgk
incoming atag ogtgoing
Access list sifatnya global di rogter, tapi flter trafc hanya berlakg di
interface yang di assign access list
Masing-masing access list dapat di assign ke beberapa interface
Akan tetapi tiap interface hanya boleh satg incoming dan satg ogtgoing
Access list dapat diggnakan gntgk nge-log trafc yang match dengan
access list statement
Access list yang di applied ke inbognd trafc dilakgkan sebelgm rogting
decision
Access list yang di applied ke ogtbognd trafc dilakgkan setelah rogting
decision
Ketikkan rgle access list secara bergrgtan, dengan statement paling
restrictive berada di atas
ACL Standard
1. Nomor ACL : 1- 99
2. Diggnakan gntgk flter sogrce IP address
3. Permit / Deny semga protocol sgite TCP/IP
4. Tips : assign pada rogter yang terdekat dengan destination (close to the
destination Rogter)
Konfigurasi ACL
Untgk melakgkan setting ACL di rogter, pertama setting rgle ACL terlebih
dahglg di mode global rogter, kemgdian langkah kedga assign rgle ACL tersebgt
di interface.
Rogter(confg)# access-list 1 permit/deny sogrce hostname/ip/network
Rogter(confg)# access-list 1 permit/deny any
Rogter(confg)# interface fa///
Rogter(confg)# ip access-grogp 1 in/ogt
Untuk menyatakan match sebuah host bisa menggunakan 2 cara :
Dengan wildcard mask “/./././”, misal 192.168.1.1 /./././
Dengan keyword “host”, misal host 192.168.1.1
Untuk menyatakan match semua host bisa menggunakan 2 cara :
Dengan wildcard mask “255.255.255.255”, misal /./././ 255.255.255.255
Dengan keyword “any”, misal any sogrce atag destination
B. Latar Belakang
C. Alat dan Bahan
- Seperangkat PC / Laptop
- Cisco Packet Tracer
D. Maksud dan Tujuan
E. Tahap Pelaksanaan
1. Pertama - tama bgat dglg topologinya seperti dibawah ini
2. Selanjgtnya bgat Rgle/Atgran dari ACL Standard yang akan dibgat.Misal
seperti dibawah ini.
1. Deny host 192.168.1.1 berkomunikasi dengan network 192.168.2.0
2. Deny network 1.1.1.1 berkomunikasi dengan network 192.168.2.0
3. Permit semua trafk ainnya
3. Kemgdian atgr IP address dari kedga PC pada Topologi tsb.
PC /
PC 1
4. Selanjgtnya atgr jgga IP dari setiap interface pada setiap Rogter di Topologi
diatas.
Router 1
Rogter>en
Rogter#conf t
Rogter(confg)#int lo /
Rogter(confg-if)#ip add 1.1.1.1 255.255.255.255
Rogter(confg-if)#ex
Rogter(confg)#int fa///
Rogter(confg-if)#ip add 192.168.1.254 255.255.255./
Rogter(confg-if)#no sh
Rogter(confg-if)#ex
Rogter(confg)#int fa//1
Rogter(confg-if)#ip add 12.12.12.1 255.255.255./
Rogter(confg-if)#no sh
Rogter(confg-if)#ex
Rogter(confg)#
Router 2
Rogter>en
Rogter#conf t
Rogter(confg)#int lo /
Rogter(confg-if)#ip add 2.2.2.2 255.255.255.255
Rogter(confg-if)#ex
Rogter(confg)#int fa///
Rogter(confg-if)#ip add 192.168.2.254 255.255.255./
Rogter(confg-if)#no sh
Rogter(confg-if)#ex
Rogter(confg)#int fa//1
Rogter(confg-if)#ip add 12.12.12.2 255.255.255./
Rogter(confg-if)#no sh
Rogter(confg-if)#ex
Rogter(confg)#
5. Kemgdian lakgkan Rogting OSPF area / pada topologi diatas.berikgt
konfggrasinya :
Router 1
Rogter(confg)#rogter ospf 1/
Rogter(confg-rogter)#network 1.1.1.1 /./././ area /
Rogter(confg-rogter)#network 192.168.1./ /././.255 area /
Rogter(confg-rogter)#network 12.12.12./ /././.255 area /
Rogter(confg-rogter)#ex
Rogter(confg)#
Router 2
Rogter(confg)#rogter ospf 1/
Rogter(confg-rogter)#network 2.2.2.2 /./././ area /
Rogter(confg-rogter)#network 192.168.2./ /././.255 area /
Rogter(confg-rogter)#network 12.12.12./ /././.255 area /
Rogter(confg-rogter)#ex
Rogter(confg)#
6. Selanjgtnya coba tes koneksi dengan melakgkan ping dari PC / (192.168.1.1)
ke PC 1 (192.168.2.1)
7. Kemgdian kita coba setting ACL standartnya di Rogter 2, mengapa kok di
Rogter 2 ?? karena agar rgle yang kita bgat tadi bisa berjalan normal,maka kita
targh di rogter yang terdekat dgn tgjgan.Ingat ya prinsip ACL Standard yaitg
"assign pada router yang terdekat dengan destination"
Rogter(confg)#access-list 1 deny 192.168.1.1 /./././
Rogter(confg)#access-list 1 deny 1.1.1.1 /./././
Rogter(confg)#access-list 1 permit any
8. Selanjgtnya tempatkan ACL tersebgt di interface ogtgoing mengjg network
192.168.2./, agar ACL bisa bekerja efektif.
Apply ACL Interface di fa0/0 Router 2
Rogter(confg)#int fa///
Rogter(confg-if)#ip access-grogp 1 ogt
9. Lalg coba tampilkan Acces List Standard yang sgdah dibgat di Rogter 2
ketikkan "show access-list"
Pengujian
1/. Kemgdian coba test lagi, lakgkan ping lagi dari PC/ ke PC1.Dan hasilnya
tidak berhasil,hal ini menandakan konfggrasi ACL Standard pada Rgle nomor 1
sgdah berhasil.Host 192.168.1.1 tidak diperbolehkan gntgk berkomgnikasi
dengan network 192.168.2.1
12. Selanjgtnya kita akan coba test ping ke 192.168.2.1 mengggnakan IP selain
192.168.1.1.Ubah IP Address PC / menjadi 192.168.1.3
13. Coba lakgkan ping ke PC1 dan berhasil. Rgle ACL nomor 1 sgdah benar-benar
berhasil mem-flter host 192.168.1.1 saat mengakses network 192.168.2.1.
14. Test ping dari Loopback / (1.1.1.1) R1 ke PC1 (192.168.2.1)
Rogter>en
Rogter#ping
Protocol [ip]:enter
Target IP address: 192.168.2.1
Repeat cognt [5]: enter
Datagram size [1//]: enter
Timeogt in seconds [2]: enter
Extended commands [n]: y
Sogrce address or interface: loopback/
Type of service [/]: enter
Set DF bit in IP header? [no]: enter
Validate reply data? [no]: enter
Data pattern [/xABCD]: enter
Loose, Strict, Record, Timestamp, Verbose[none]: enter
Sweep range of sizes [n]: enter
Type escape seqgence to abort.
Sending 5, 1//-byte ICMP Echos to 192.168.2.1, timeogt is 2 seconds:
Packet sent with a sogrce address of 1.1.1.1
UUUUU
Success rate is 0 percent (0/5)
Rogter#
Tes Ping dari Loopback1 ke Laptop2 hasilnya / percent dan ditampilkan kode U
(gnreachable).Berarti rgle ACL baris ke-2 sgdah berhasil.
15. Untgk verifkasi rgle ACL baris ke-3 yaitg permit semga trafk lainnya, kita
akan mencoba menambahkan Host barg dengan IP selain 192.168.1.1 seperti
gambar dibawah
Beri IP Laptop : 192.168.1.2/24
16. Lalg coba test ping ke 192.168.2.1 dan hasilnya berhasil,Rgle nomor 3 sgdah
sgkses.
F. Referensi
Ebook CCNA Lab Ggide Nixtrain_1st Edition_Fgll Version.pdf
http://myconfggre.blogspot.co.id/2/14//3/konfggrasi-access-control-list-di.html
List in a Packet Tracer and GNS 3
1 Access List, Standard 02:17
ACL-Access Control List (Named Access List and Number Access List).If we use numbers
to refer access list it is numbered access list.If we use Name to refer access list it is named
access list.
we are using access list to permit or deny ip packets based on our requirements.There are two
types,
1.Standard Access List
2.Extended Access List
Here we are going to see how to configure standard access list with a simple topology in a
packet tracer,
Step 1:Create a topology like this,
Step 2:Configure router with ip address that i have given in topolgy.Assign ip address to all
PC and server like in topology.
In Router,global configuration
Router(config)#interface fastethernet0/0
Router(config-if)#ip address 10.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastethernet1/0
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Step 3:Three steps to configure access list on router,
1) Creating Standard Access List
2) Choosing an Interface for Binding
3) Choosing In/Out
Step 4:Create an Standard Ip access list to deny a host 10.0.0.3 to server.
In standard access list, it filters based on source ip address.we can't deny of permit packets to
destination or particular ports for that we have use extended access list later we see this,Now
lets we create a standard access list based on above statement i have given.
Create Access List:
Router(config)#access-list 1 deny host 10.0.0.3 (or)
Router(config)#access-list 1 deny 10.0.0.3 0.0.0.0
Router(config)#access-list 1 permit any
where '1' is a number.It refers, this as a Standard accesss control list.It can be '1 to 99' and
'1300 to 1999'.
'Deny' Allows router to deny the packet that matches this statement.
'Host 10.0.0.3' when we configure like this it refers 'Only this host will be permitted or
denied' or we should configure with wild card mask '0.0.0.0' it means router checks for entire
four octets if matched then it will process based on access list.
'Implict deny' at bottom of all access list so we have to give permit any command at last
otherwise ip addres that doesn't match above statement will be denied.Access list always
proccesed from top to bottom so we should configure access list in order.we should not
configure 'permit any' statement first and then deny,If we configure permit any statement
first, access list will check first statement if matches it will forward the packet and it won't go
for next statement that 'deny'.Always we should configure 'deny' statement first.
Choose Interface for Binding whether In or Out:
Always we have to choose an interface near to the source as much as possible.Sometime
based on some access list statement we need to choose interface that packets go out of the
router.we should try to use router interface that receives a packet from PC in a LAN.
So,I am going to choose 'interface fastethernet0/0' .Before that i am going to check access list
status for this interface.
In Privileged Mode,
Router#show ip interface fastethernet0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 10.0.0.1/8
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
In global configuration,
Router(config)#interface fastethernet0/0
Router(config-if)#ip access-group 1 in
Router(config-if)#exit
where '1' refers access list 1 and packets that comes into the router will be filtered based on
access list.
Now,Check the access list status on this interface.
In Privileged Mode,
Router#show ip interface fastethernet0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 10.0.0.1/8
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Now , go to the host that configured with ip address 10.0.0.3 and try to ping 20.0.0.2.This is
the response i have got before and after configure access list.
This is the response for other host.
To deny whole network,
Router(config)#access-list 1 deny 10.0.0.0 0.255.255.255
Here we are permitting whole network that 1,67,77,216 ip address
To permit one host others should be denied,i am going to pemit 10.0.0.2
Router(config)#access-list 1 permit 10.0.0.2 0.0.0.0
(or)
Router(config)#access-list 1 permit host 10.0.0.2
Here,Implicit deny in all access list will deny other host.
To permit a series of ip address,i am going permit 10.0.0.0 to 10.0.0.3 other ip address others
should be blocked.
Router(config)#access-list 1 permit 10.0.0.0 0.0.0.3
'0.0.0.3' by this router knows that the next ip address from 10.0.0.0 should be pemitted others
blocked.Total ip address 4.
Some more example for subnetted Networks,
Router(config)#access-list 1 permit 10.0.0.0 0.0.0.255
Here, From 10.0.0.0-10.0.0.255 will be permitted,Total ip address 256
Network 10.0.0.0/24 Range of ip's 10.0.0.0 -10.0.0.255
Router(config)#access-list 1 permit 10.0.0.0 0.0.1.255
Network 10.0.0.0/23 Range of ip's 10.0.0.0 -10.0.1.255
Here,From 10.0.0.0-10.0.1.255 will be permitted,Total ip address 512
Router(config)#access-list 1 permit 10.0.32.0 0.0.15.255
Here , From 10.0.0.0 -10.0.15.255 will be permitted,Total ip address 4096.This is the network
subnetted from Class A network.
Network 10.0.32.0/20, Range of Ip's 10.0.32.0-10.0.47.255
So, from 10.0.32.0- 10.0.47.255 ip address are belongs to this network.Here we are
permitting whole subnetted network.Now, we see how to pemit or deny some of the network
ip address from this subnet.
Router(config)#access-list 1 deny 10.0.32.0 0.0.3.255
Router(config)#access-list 1 permit any
Here ,Ip from 10.0.32.0 - 10.0.35.255 will be denied other ip address will be permitted.i.e
from 10.0.36.0-10.0.47.255 will be permitted.
Trouble Shooting Commands,
Router#show ip access-lists 1
Standard IP access list 1
deny host 10.0.0.3
permit any
Router#show access-lists
, 'To see all access list'.
Router#show access-lists , ' name we use for access list'.
Simulasi ACL Standard di Cisco Packet Tracer
Hai Teman ?? Kali ini saya akan memberikan penjelasan tentang cara Konfggrasi
ACL Standard pada Cisco Packet Tracer.Pada kesempatan sebelgmnya saya jgga
telah melakgkan konfggrasi Port Secgrity pada Switch yang dapat dilihat disini.
Ngomong-omong apa sih ACL Standart itg? Ygk simak penjelasan lebih
lengkapnya pada artikel dibawah ini.
A. Pengertian
Access Control List (ACL) merupakan daftar kondisi yang dirancang sedemikian rupa
oleh administrator jaringan untuk mengontrol akses-akses ke dan dari interface-interface
router, mencegah trafik-trafik tertentu untuk masuk ke jaringan atau sebaliknya,
mencegah trafik-trafik untuk keluar dari jaringan. Access list dapat mengizinkan host-host
tertentu mengakses bagian tertentu dalam jaringan, dan mencegah host lainnya
mengakses area yang sama.
Atau lebih mudahnya ACL (Access Control List) adalah firewall pada Router/switch Cisco
untuk mem-filter (men-deny atau meng-allow) packet yang masuk ataupun keluar.
Karakterisik ACL secara umum
Menentgkan tipe trafc yang akan di control
Menentgkan karakteristrik trafc
Mengidentifkasi trafc dengan permit atag deny
Dapat men-deny trafc spesifk atag secara keselgrghan
Terdapat implisit deny any pada akhir baris access list secara defaglt
Masing-masing baris hanya gntgk satg protokol spesifk
masing protocol, satg incoming trafc dan satg ogtgoing trafcMasing-
masing interface rogter maksimal hanya pgnya dga access list gntgk
masing-
Ketika access list di assign gntgk interface, tentgkan apakah gntgk
incoming atag ogtgoing
Access list sifatnya global di rogter, tapi flter trafc hanya berlakg di
interface yang di assign access list
Masing-masing access list dapat di assign ke beberapa interface
Akan tetapi tiap interface hanya boleh satg incoming dan satg ogtgoing
Access list dapat diggnakan gntgk nge-log trafc yang match dengan
access list statement
Access list yang di applied ke inbognd trafc dilakgkan sebelgm rogting
decision
Access list yang di applied ke ogtbognd trafc dilakgkan setelah rogting
decision
Ketikkan rgle access list secara bergrgtan, dengan statement paling
restrictive berada di atas
ACL Standard
1. Nomor ACL : 1- 99
2. Diggnakan gntgk flter sogrce IP address
3. Permit / Deny semga protocol sgite TCP/IP
4. Tips : assign pada rogter yang terdekat dengan destination (close to the
destination Rogter)
Konfigurasi ACL
Untgk melakgkan setting ACL di rogter, pertama setting rgle ACL terlebih
dahglg di mode global rogter, kemgdian langkah kedga assign rgle ACL tersebgt
di interface.
Rogter(confg)# access-list 1 permit/deny sogrce hostname/ip/network
Rogter(confg)# access-list 1 permit/deny any
Rogter(confg)# interface fa///
Rogter(confg)# ip access-grogp 1 in/ogt
Untuk menyatakan match sebuah host bisa menggunakan 2 cara :
Dengan wildcard mask “/./././”, misal 192.168.1.1 /./././
Dengan keyword “host”, misal host 192.168.1.1
Untuk menyatakan match semua host bisa menggunakan 2 cara :
Dengan wildcard mask “255.255.255.255”, misal /./././ 255.255.255.255
Dengan keyword “any”, misal any sogrce atag destination
B. Latar Belakang
C. Alat dan Bahan
- Seperangkat PC / Laptop
- Cisco Packet Tracer
D. Maksud dan Tujuan
E. Tahap Pelaksanaan
1. Pertama - tama bgat dglg topologinya seperti dibawah ini
2. Selanjgtnya bgat Rgle/Atgran dari ACL Standard yang akan dibgat.Misal
seperti dibawah ini.
1. Deny host 192.168.1.1 berkomunikasi dengan network 192.168.2.0
2. Deny network 1.1.1.1 berkomunikasi dengan network 192.168.2.0
3. Permit semua trafk ainnya
3. Kemgdian atgr IP address dari kedga PC pada Topologi tsb.
PC /
PC 1
4. Selanjgtnya atgr jgga IP dari setiap interface pada setiap Rogter di Topologi
diatas.
Router 1
Rogter>en
Rogter#conf t
Rogter(confg)#int lo /
Rogter(confg-if)#ip add 1.1.1.1 255.255.255.255
Rogter(confg-if)#ex
Rogter(confg)#int fa///
Rogter(confg-if)#ip add 192.168.1.254 255.255.255./
Rogter(confg-if)#no sh
Rogter(confg-if)#ex
Rogter(confg)#int fa//1
Rogter(confg-if)#ip add 12.12.12.1 255.255.255./
Rogter(confg-if)#no sh
Rogter(confg-if)#ex
Rogter(confg)#
Router 2
Rogter>en
Rogter#conf t
Rogter(confg)#int lo /
Rogter(confg-if)#ip add 2.2.2.2 255.255.255.255
Rogter(confg-if)#ex
Rogter(confg)#int fa///
Rogter(confg-if)#ip add 192.168.2.254 255.255.255./
Rogter(confg-if)#no sh
Rogter(confg-if)#ex
Rogter(confg)#int fa//1
Rogter(confg-if)#ip add 12.12.12.2 255.255.255./
Rogter(confg-if)#no sh
Rogter(confg-if)#ex
Rogter(confg)#
5. Kemgdian lakgkan Rogting OSPF area / pada topologi diatas.berikgt
konfggrasinya :
Router 1
Rogter(confg)#rogter ospf 1/
Rogter(confg-rogter)#network 1.1.1.1 /./././ area /
Rogter(confg-rogter)#network 192.168.1./ /././.255 area /
Rogter(confg-rogter)#network 12.12.12./ /././.255 area /
Rogter(confg-rogter)#ex
Rogter(confg)#
Router 2
Rogter(confg)#rogter ospf 1/
Rogter(confg-rogter)#network 2.2.2.2 /./././ area /
Rogter(confg-rogter)#network 192.168.2./ /././.255 area /
Rogter(confg-rogter)#network 12.12.12./ /././.255 area /
Rogter(confg-rogter)#ex
Rogter(confg)#
6. Selanjgtnya coba tes koneksi dengan melakgkan ping dari PC / (192.168.1.1)
ke PC 1 (192.168.2.1)
7. Kemgdian kita coba setting ACL standartnya di Rogter 2, mengapa kok di
Rogter 2 ?? karena agar rgle yang kita bgat tadi bisa berjalan normal,maka kita
targh di rogter yang terdekat dgn tgjgan.Ingat ya prinsip ACL Standard yaitg
"assign pada router yang terdekat dengan destination"
Rogter(confg)#access-list 1 deny 192.168.1.1 /./././
Rogter(confg)#access-list 1 deny 1.1.1.1 /./././
Rogter(confg)#access-list 1 permit any
8. Selanjgtnya tempatkan ACL tersebgt di interface ogtgoing mengjg network
192.168.2./, agar ACL bisa bekerja efektif.
Apply ACL Interface di fa0/0 Router 2
Rogter(confg)#int fa///
Rogter(confg-if)#ip access-grogp 1 ogt
9. Lalg coba tampilkan Acces List Standard yang sgdah dibgat di Rogter 2
ketikkan "show access-list"
Pengujian
1/. Kemgdian coba test lagi, lakgkan ping lagi dari PC/ ke PC1.Dan hasilnya
tidak berhasil,hal ini menandakan konfggrasi ACL Standard pada Rgle nomor 1
sgdah berhasil.Host 192.168.1.1 tidak diperbolehkan gntgk berkomgnikasi
dengan network 192.168.2.1
12. Selanjgtnya kita akan coba test ping ke 192.168.2.1 mengggnakan IP selain
192.168.1.1.Ubah IP Address PC / menjadi 192.168.1.3
13. Coba lakgkan ping ke PC1 dan berhasil. Rgle ACL nomor 1 sgdah benar-benar
berhasil mem-flter host 192.168.1.1 saat mengakses network 192.168.2.1.
14. Test ping dari Loopback / (1.1.1.1) R1 ke PC1 (192.168.2.1)
Rogter>en
Rogter#ping
Protocol [ip]:enter
Target IP address: 192.168.2.1
Repeat cognt [5]: enter
Datagram size [1//]: enter
Timeogt in seconds [2]: enter
Extended commands [n]: y
Sogrce address or interface: loopback/
Type of service [/]: enter
Set DF bit in IP header? [no]: enter
Validate reply data? [no]: enter
Data pattern [/xABCD]: enter
Loose, Strict, Record, Timestamp, Verbose[none]: enter
Sweep range of sizes [n]: enter
Type escape seqgence to abort.
Sending 5, 1//-byte ICMP Echos to 192.168.2.1, timeogt is 2 seconds:
Packet sent with a sogrce address of 1.1.1.1
UUUUU
Success rate is 0 percent (0/5)
Rogter#
Tes Ping dari Loopback1 ke Laptop2 hasilnya / percent dan ditampilkan kode U
(gnreachable).Berarti rgle ACL baris ke-2 sgdah berhasil.
15. Untgk verifkasi rgle ACL baris ke-3 yaitg permit semga trafk lainnya, kita
akan mencoba menambahkan Host barg dengan IP selain 192.168.1.1 seperti
gambar dibawah
Beri IP Laptop : 192.168.1.2/24
16. Lalg coba test ping ke 192.168.2.1 dan hasilnya berhasil,Rgle nomor 3 sgdah
sgkses.
F. Referensi
Ebook CCNA Lab Ggide Nixtrain_1st Edition_Fgll Version.pdf
http://myconfggre.blogspot.co.id/2/14//3/konfggrasi-access-control-list-di.html