GNS3 Lab ICND2: Access Control List

Scenario 1: Use a standard ACL to block the deddy host from reaching the slax host
Connectivity test before
Connectivity test from the deddy host (192.168.10.10) to the slax host (192.168.3.2)
root@deddy:~# ping 192.168.3.2
PING 192.168.3.2 (192.168.3.2) 56(84) bytes of data.
64 bytes from 192.168.3.2: icmp_seq=1 ttl=62 time=39.0 ms
64 bytes from 192.168.3.2: icmp_seq=2 ttl=62 time=38.1 ms
^C
--- 192.168.3.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 38.115/38.579/39.044/0.504 ms

root@deddy:~# traceroute -n 192.168.3.2
traceroute to 192.168.3.2 (192.168.3.2), 30 hops max, 38 byte packets
 1  192.168.10.1  36.388 ms  9.656 ms  11.367 ms
 2  192.168.2.2  142.018 ms  27.276 ms  14.211 ms
 3  192.168.3.2  49.256 ms  56.639 ms  15.629 ms

root@slax:~# ping 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
64 bytes from 192.168.10.10: icmp_seq=1 ttl=62 time=180 ms
64 bytes from 192.168.10.10: icmp_seq=2 ttl=62 time=18.2 ms
^C
--- 192.168.10.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1004ms
rtt min/avg/max/mdev = 18.277/99.335/180.394/81.059 ms

root@slax:~# traceroute -n 192.168.10.10
traceroute to 192.168.10.10 (192.168.10.10), 30 hops max, 38 byte packets
 1  192.168.3.1  46.144 ms  43.393 ms  10.337 ms
 2  192.168.2.1  121.780 ms  58.601 ms  14.315 ms
 3  192.168.10.10  20.425 ms  51.823 ms  14.468 ms
Access-list configuration
Now add the access-list on R3
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#access-list 10 deny 192.168.10.10 0.0.0.0
R3(config)#access-list 10 permit any
R3(config)#^Z
R3#
Now that the access-list exists, it has to be applied somewhere. Because a standard access-list matches on the source address only, the best place for it is as close as possible to the destination (the slax host); applied near the source it would block everything deddy sends, not just traffic to slax. We will therefore apply this access-list outbound on interface e1/0 of R3, the interface facing slax.
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#int e1/0
R3(config-if)#ip access-group 10 out
R3(config-if)#^Z
R3#
Connectivity test after
root@deddy:~# ping 192.168.3.2
PING 192.168.3.2 (192.168.3.2) 56(84) bytes of data.
From 192.168.2.2 icmp_seq=1 Packet filtered
From 192.168.2.2 icmp_seq=2 Packet filtered
From 192.168.2.2 icmp_seq=3 Packet filtered
From 192.168.2.2 icmp_seq=4 Packet filtered
^C
--- 192.168.3.2 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3022ms

root@deddy:~# traceroute -n 192.168.3.2
traceroute to 192.168.3.2 (192.168.3.2), 30 hops max, 38 byte packets
 1  192.168.10.1  65.459 ms  44.589 ms  8.775 ms
 2  192.168.2.2  55.425 ms  32.771 ms  28.148 ms
 3  192.168.2.2  16.987 ms !A  *  108.399 ms !A
We can see the packets stop at router R3 (192.168.2.2): the "Packet filtered" replies and the !A (administratively prohibited) marks in traceroute both come from R3. We can check the per-entry match counters on R3 with the following command
R3#show access-lists
Standard IP access list 10
    10 deny   192.168.10.10 (13 matches)
    20 permit any
We can see that R3 has filtered 13 packets that were about to leave via interface e1/0 toward the slax host (192.168.3.2).
Scenario 2: Use a standard ACL to prevent deddy from telnetting or SSHing to R1
Connectivity test before
root@deddy:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=254 time=123 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=254 time=26.0 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=254 time=17.8 ms
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2011ms
rtt min/avg/max/mdev = 17.802/55.835/123.697/48.102 ms

root@deddy:~# telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

User Access Verification

Password:
R1>exit
Access-list configuration
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access-list 70 remark THIS WILL PREVENT THE DEDDY HOST FROM TELNETTING TO R1
R1(config)#access-list 70 deny 192.168.10.10 0.0.0.0
R1(config)#access-list 10 permit any
R1(config)#^Z
R1#
We could apply the access-list above to interface e0/0 on R1, but then it would do more than stop the deddy host from telnetting to R1: every packet from deddy arriving at R1 would be filtered, so deddy would also lose its connection to the outside world (the internet). An access-list does not have to be applied under an interface; it can also be applied to the vty lines (telnet/SSH access), as follows
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access-list 70 deny 192.168.10.10 0.0.0.0
R1(config)#access-list 70 permit any
R1(config)#^Z
R1#
Connectivity test after
root@deddy:~# telnet 192.168.1.1
Trying 192.168.1.1...
telnet: connect to address 192.168.1.1: Connection refused
root@deddy:~#
As seen above, telnet from deddy is now refused by R1. Testing from another host, for example teddy, should show that it can still telnet to R1
root@teddy:~# telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

User Access Verification

Password:
R1>exit
Connection closed by foreign host.
Scenario 3: Use an extended ACL to prevent the Deddy host from reaching the WAN link of R2
Connectivity test before
root@deddy:~# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=101 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=47.0 ms
^C
--- 192.168.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1004ms
rtt min/avg/max/mdev = 47.012/74.194/101.376/27.182 ms

root@deddy:~# ping 192.168.2.2
PING 192.168.2.2 (192.168.2.2) 56(84) bytes of data.
64 bytes from 192.168.2.2: icmp_seq=1 ttl=254 time=69.2 ms
64 bytes from 192.168.2.2: icmp_seq=2 ttl=254 time=25.9 ms
^C
--- 192.168.2.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1008ms
rtt min/avg/max/mdev = 25.915/47.589/69.264/21.675 ms
Access-list configuration
The access-list can be built on R2 as follows: it denies IP traffic from the single host 192.168.10.10 to the whole WAN subnet 192.168.2.0/24 (wildcard 0.0.0.255) and then permits everything else
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 100 deny ip host 192.168.10.10 192.168.2.0 0.0.0.255
R2(config)#access-list 100 permit ip any any
R2(config)#^Z
R2#
The best place to apply an extended ACL is different from a standard ACL: because an extended ACL can match on destination and protocol as well as source, it can safely be placed as close to the source as possible, dropping the unwanted traffic before it crosses the network. We will therefore apply the access-list above inbound on sub-interface fa0/0.10 of R2
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int fa0/0.10
R2(config-subif)#ip access-group 100 in
R2(config-subif)#^Z
R2#
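To make the matching logic behind all three scenarios concrete, here is an added example (my own code, not part of the original lab post) that parses the numbered access-list lines used on R3, R1 and R2 above and evaluates packets against them the way IOS does: top-down, first match wins, and an implicit deny for anything that matches no entry. The teddy address 192.168.10.11 and the "deny-only" version of ACL 70 are constructed for the example; the evaluator deliberately shows what happens to other hosts when a standard ACL is typed without its "permit any" line.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit must match, a 1 bit is 'don't care'.

    So 0.0.0.0 means 'exactly this host' and 255.255.255.255 means 'any'.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches every protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"             # standard ACLs never look at the destination
    dst_wc: str = "255.255.255.255"
    matches: int = 0                 # what "show access-lists" reports as "(N matches)"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp", "udp", ...


def _addr_spec(tokens: list) -> tuple:
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def parse_acl(lines: list) -> dict:
    """Parse 'access-list N ...' lines into {N: [Entry, ...]} in the order typed.

    1-99 are standard (source only); 100-199 are extended (protocol, source,
    destination). Other numbered ranges are not handled by this example.
    """
    acls = {}
    for line in lines:
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2] == "remark":
            continue                                   # remarks carry no filtering logic
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99:
            src, src_wc = _addr_spec(rest)
            entry = Entry(action, src=src, src_wc=src_wc)
        elif 100 <= number <= 199:
            proto = rest.pop(0)
            src, src_wc = _addr_spec(rest)
            dst, dst_wc = _addr_spec(rest)
            entry = Entry(action, proto, src, src_wc, dst, dst_wc)
        else:
            raise ValueError(f"unsupported ACL number {number}")
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for e in acl:
        if (e.proto in ("ip", pkt.proto)
                and wildcard_match(pkt.src, e.src, e.src_wc)
                and wildcard_match(pkt.dst, e.dst, e.dst_wc)):
            e.matches += 1
            return e.action
    return "deny"                                      # implicit deny at the end of every ACL


# ACL lines as typed on the lab routers, plus a constructed R1 variant that
# has the deny entry but is missing "permit any".
R3_ACL = ["access-list 10 deny 192.168.10.10 0.0.0.0",
          "access-list 10 permit any"]
R1_ACL_DENY_ONLY = ["access-list 70 deny 192.168.10.10 0.0.0.0"]
R1_ACL = ["access-list 70 deny 192.168.10.10 0.0.0.0",
          "access-list 70 permit any"]
R2_ACL = ["access-list 100 deny ip host 192.168.10.10 192.168.2.0 0.0.0.255",
          "access-list 100 permit ip any any"]

DEDDY, SLAX = "192.168.10.10", "192.168.3.2"
TEDDY = "192.168.10.11"                                # constructed; the post gives no address for teddy

if __name__ == "__main__":
    r3 = parse_acl(R3_ACL)[10]
    print("scenario 1, deddy -> slax:", evaluate(r3, Packet(DEDDY, SLAX, "icmp")))
    print("scenario 1, teddy -> slax:", evaluate(r3, Packet(TEDDY, SLAX, "icmp")))
    bad = parse_acl(R1_ACL_DENY_ONLY)[70]
    print("scenario 2 without permit any, teddy -> R1:", evaluate(bad, Packet(TEDDY, "192.168.1.1", "tcp")))
    good = parse_acl(R1_ACL)[70]
    print("scenario 2 with permit any, teddy -> R1:", evaluate(good, Packet(TEDDY, "192.168.1.1", "tcp")))
    r2 = parse_acl(R2_ACL)[100]
    print("scenario 3, deddy -> R2 WAN:", evaluate(r2, Packet(DEDDY, "192.168.2.1", "icmp")))
    print("scenario 3, deddy -> slax:", evaluate(r2, Packet(DEDDY, SLAX, "icmp")))
    print("matches on R2 entry 10:", r2[0].matches)
```

The "deny-only" run is the check worth remembering: a standard ACL that ends without "permit any" falls through to the implicit deny, so every host except the one you meant to block is cut off as well. The extended ACL on R2 permits deddy to reach slax while denying only the 192.168.2.0/24 link, which is exactly why it can sit at the source.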
Connectivity test after
root@deddy:~# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=1 Packet filtered
From 192.168.10.1 icmp_seq=2 Packet filtered
^C
--- 192.168.2.1 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1007ms

root@deddy:~# ping 192.168.2.2
PING 192.168.2.2 (192.168.2.2) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=1 Packet filtered
From 192.168.10.1 icmp_seq=2 Packet filtered
^C
--- 192.168.2.2 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1005ms

Hehe. Still don't get it.
Can we exchange links?
airyz.worpdress.com
hehe, I don't really get it either
wow, a lesson I've never had from when I was small until now, so this means I need to improve
thank you Mas for the info and for sharing .....
could I have the GNF file, Mas. Thx
wow, it's been a long time since I wrote this post, the files are gone
Awesome.... permission to copy-paste, bro, more knowledge again...