An ACL works as a packet filter: it decides whether a packet is forwarded or dropped. A standard ACL can only filter on the source host IP or source network. Standard ACLs use ACL numbers 1-99. Place a standard ACL as close to the destination as possible. The in/out direction is chosen according to the direction the packet travels, from source toward destination.

Run the ping test again from router R1, this time using a source interface outside 10.10.10.0/24, with the default packet count of 5.
R1#ping
Protocol [ip]:
Target IP address: 20.20.20.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 1.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/10 ms

Then check on router R2: the 5 packets matched the permit any rule.

R2#sh ip access-lists
Standard IP access list 1
    deny 10.10.10.0 0.0.0.255 (4 match(es))
    permit any (5 match(es))

Run the test again from router R1, this time with a source IP in 10.10.10.0/24 and a packet count of 11.

R1#ping
Protocol [ip]:
Target IP address: 20.20.20.2
Repeat count [5]: 11
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 11, 100-byte ICMP Echos to 20.20.20.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
UUUUUUUUUUU
Success rate is 0 percent (0/11)

Check router R2 again: 11 more packets matched the deny 10.10.10.0/24 rule.

R2#sh access-lists
Standard IP access list 1
    deny 10.10.10.0 0.0.0.255 (15 match(es))
    permit any (5 match(es))

Next, filter a single host only. ACL configuration:

R2(config)#access-list 2 deny 10.10.10.2 0.0.0.0
R2(config)#access-list 2 permit any
R2(config)#int fa0/0
R2(config-if)#ip access-group 2 out

To test, ping the server IP from the user PC:

PC>ping 20.20.20.2

Check the ACL on router R2:

R2#sh access-lists
Standard IP access list 1
    deny 10.10.10.0 0.0.0.255 (15 match(es))
    permit any (5 match(es))
Standard IP access list 2
    deny host 10.10.10.2 (4 match(es))
    permit any

Change the user PC's IP to 10.10.10.3/24:

PC>ipconfig
IP Address......................: 10.10.10.3
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.10.10.1

Ping the server again and make sure every reply comes back:

PC>ping 20.20.20.2

Check the ACL again:

R2#sh access-lists
Standard IP access list 1
    deny 10.10.10.0 0.0.0.255 (15 match(es))
    permit any (5 match(es))
Standard IP access list 2
    deny host 10.10.10.2 (4 match(es))
    permit any (4 match(es))

Restore the user PC's IP to the original 10.10.10.2/24.
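The matching rules behind the counters above (wildcard masks, first match wins, the implicit deny at the end of every list) as an added example in Python; it is not part of the lab, and the ACL entries and ping sources are the ones from this page:

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

ANY = ("0.0.0.0", "255.255.255.255")   # what the keyword 'any' expands to

class StandardAcl:
    """Numbered standard ACL: source-only filtering, first match wins, and an
    implicit 'deny any' at the end that IOS neither displays nor counts."""
    def __init__(self, number, entries):
        self.number = number
        self.entries = [[act, net, wc, 0] for act, net, wc in entries]  # last field = hit counter

    def check(self, src_ip):
        for entry in self.entries:
            if wildcard_match(src_ip, entry[1], entry[2]):
                entry[3] += 1
                return entry[0]
        return "deny"  # implicit deny: packet dropped, no counter incremented

    def show(self):
        """Render in the style of 'show ip access-lists'."""
        lines = [f"Standard IP access list {self.number}"]
        for act, net, wc, hits in self.entries:
            target = f"host {net}" if wc == "0.0.0.0" else "any" if (net, wc) == ANY else f"{net} {wc}"
            lines.append(f"    {act} {target}" + (f" ({hits} match(es))" if hits else ""))
        return "\n".join(lines)

def run_lab():
    """Replay the page's tests; acl3 is a constructed list with no permit line at all."""
    acl1 = StandardAcl(1, [("deny", "10.10.10.0", "0.0.0.255"), ("permit", *ANY)])
    acl2 = StandardAcl(2, [("deny", "10.10.10.2", "0.0.0.0"), ("permit", *ANY)])
    acl3 = StandardAcl(3, [("deny", "10.10.10.0", "0.0.0.255")])
    results = {
        "acl1 from 1.1.1.1": [acl1.check("1.1.1.1") for _ in range(5)],
        "acl1 from 10.10.10.1": [acl1.check("10.10.10.1") for _ in range(11)],
        "acl2 from 10.10.10.2": [acl2.check("10.10.10.2") for _ in range(4)],
        "acl2 from 10.10.10.3": [acl2.check("10.10.10.3") for _ in range(4)],
        "acl3 from 1.1.1.1": acl3.check("1.1.1.1"),  # implicit deny hits every other source too
    }
    return acl1, acl2, acl3, results

if __name__ == "__main__":
    acl1, acl2, acl3, results = run_lab()
    for name, verdict in results.items():
        print(name, "->", verdict)
    print(acl1.show()); print(acl2.show()); print(acl3.show())
```

The acl3 case is the one worth remembering when a list "only denies one network" and suddenly blocks everything: without a trailing permit, the invisible implicit deny drops every other source.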
An extended ACL can filter not only on the source but also on the destination, the port and the protocol in use. Extended ACLs use ACL numbers 100-199. Choose an extended ACL when the requirement is application-specific, for example restricting telnet, or access to a web server, e-mail, FTP and so on. Place an extended ACL as close to the source as possible. The in/out direction is chosen according to the direction the packet travels, from source toward destination.
R1#sh ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, FastEthernet0/0
     12.0.0.0/24 is subnetted, 1 subnets
C       12.12.12.0 is directly connected, Serial2/0
S*   0.0.0.0/0 is directly connected, Serial2/0
NAT Overload translates many private IPs using only one or a few public IPs. It is useful when users with private IPs need to reach the internet. Another name for this NAT type is PAT (Port Address Translation). Besides Dynamic NAT with Overload there is also plain Dynamic NAT, but plain dynamic NAT needs as many public IPs as private IPs, so it is not an effective choice.
Pro  Inside global      Inside local       Outside local      Outside global
icmp 12.12.12.1:88     10.10.10.3:88      20.20.20.2:88      20.20.20.2:88
icmp 12.12.12.1:89     10.10.10.3:89      20.20.20.2:89      20.20.20.2:89
icmp 12.12.12.1:90     10.10.10.3:90      20.20.20.2:90      20.20.20.2:90
icmp 12.12.12.1:91     10.10.10.3:91      20.20.20.2:91      20.20.20.2:91

R1#sh ip nat statistics
Total translations: 4 (0 static, 4 dynamic, 4 extended)
Outside Interfaces: Serial2/0
Inside Interfaces: FastEthernet0/0
Hits: 16 Misses: 20
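How the translation table above is built and consulted, as an added Python example (not the lab's own code): the four ICMP echoes from the table, a constructed second inside host whose ICMP identifier collides with the first, and the reverse lookup a reply goes through. Inside global 12.12.12.1 and the 20.20.20.2 destination are taken from the page; the second host 10.10.10.2 and the port-collision handling are assumptions.

```python
INSIDE_GLOBAL = "12.12.12.1"   # R1's Serial2/0 address, shared by every inside host

class PatTable:
    """Port Address Translation: one public address shared by many private hosts,
    told apart by the layer-4 port (ICMP uses its identifier field as the 'port')."""
    def __init__(self, inside_global=INSIDE_GLOBAL):
        self.inside_global = inside_global
        self.entries = {}    # (proto, inside_local, local_port) -> (global_port, outside)
        self.in_use = set()  # (proto, global_port) already handed out
        self.hits = self.misses = 0

    def outbound(self, proto, inside_local, port, outside):
        """Inside -> outside packet: reuse an entry (hit) or create one (miss)."""
        key = (proto, inside_local, port)
        if key in self.entries:
            self.hits += 1
        else:
            self.misses += 1
            gport = port
            while (proto, gport) in self.in_use:   # two hosts picked the same port/id,
                gport += 1                          # so rewrite to the next free one
            self.in_use.add((proto, gport))
            self.entries[key] = (gport, outside)
        return f"{self.inside_global}:{self.entries[key][0]}"

    def inbound(self, proto, gport):
        """Outside -> inside packet: only a matching entry lets it through."""
        for (p, local, lport), (g, _) in self.entries.items():
            if p == proto and g == gport:
                return f"{local}:{lport}"
        return None   # unsolicited traffic from outside has no translation and is dropped

    def show(self):
        """Render roughly like 'show ip nat translations' plus the statistics line."""
        lines = ["Pro  Inside global    Inside local     Outside local    Outside global"]
        for (p, local, lport), (g, out) in self.entries.items():
            lines.append(f"{p:<4} {self.inside_global}:{g:<5}{local}:{lport:<5}{out}:{g:<5}{out}:{g}")
        lines.append(f"Total translations: {len(self.entries)}  Hits: {self.hits} Misses: {self.misses}")
        return "\n".join(lines)

def run_lab():
    """Constructed traffic: the 4 echoes from the page's table, then a second host
    that happens to use the same ICMP identifier as the first one."""
    nat = PatTable()
    for icmp_id in (88, 89, 90, 91):
        nat.outbound("icmp", "10.10.10.3", icmp_id, "20.20.20.2")
    shared = nat.outbound("icmp", "10.10.10.2", 88, "20.20.20.2")   # collides with 10.10.10.3:88
    reply = nat.inbound("icmp", 88)        # echo reply for id 88 goes back to 10.10.10.3
    stray = nat.inbound("icmp", 4000)      # nobody asked for this one: dropped
    return nat, shared, reply, stray

if __name__ == "__main__":
    nat, shared, reply, stray = run_lab()
    print(nat.show()); print(shared, reply, stray)
```

The "Misses" counter in the statistics output is not an error count: each miss is simply a packet that had to create a new translation.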
Lab 5. DHCP-Server
DHCP can be configured on a router, a Layer 3 switch, or a Windows/Linux PC. It allocates IP addresses to clients, and the leases are renewed periodically. If an address conflict occurs, that IP is removed from the pool and is not allocated again until the configured time has passed.

R1(config)# ip dhcp pool DUAPULUH
R1(dhcp-config)# default-router 20.20.20.20
R1(dhcp-config)# network 20.20.20.0 255.255.255.0
R1(dhcp-config)# dns-server 100.100.100.100

Change the IP address setting on every PC in VLAN 20 to "Obtain an IP Address automatically". Open a command prompt, type ipconfig and make sure the PC received an IP dynamically. Ping the other PCs. The addresses handed out start at 20.20.20.1 - 254. Suppose the IPs 0-100 are reserved for special purposes and users must not get them; then use excluded-address:

R1(config)# ip dhcp excluded-address 20.20.20.1 20.20.20.100
Lab 6. HDLC
A WAN protocol is used when we want to connect networks at distant locations, for example the Jakarta and Bandung offices. HDLC is a Cisco proprietary WAN protocol and is the default encapsulation on Cisco serial interfaces.

PPP is a WAN protocol alongside HDLC (the Cisco proprietary default) and Frame Relay. PPP is an open standard, so it is available on many platforms (Windows, Linux, 3G internet modems, Cisco routers and so on). It is a protocol for connecting two network devices. PPP supports PAP (unencrypted) and CHAP (encrypted) authentication, and offers compression, authentication and error detection.

1 00:05:08.763: Se0/0 CHAP: I SUCCESS id 9 len 4
1 00:05:08.767: Se0/0 LCP: Received AAA AUTHOR Response PASS
1 00:05:08.767: Se0/0 IPCP: Received AAA AUTHOR Response PASS
1 00:05:08.771: Se0/0 CHAP: O SUCCESS id 13 len 4
1 00:05:08.775: Se0/0 PPP: Sent CDPCP AUTHOR Request
1 00:05:08.783: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
1 00:05:08.803: Se0/0 PPP: Sent IPCP AUTHOR Request

R1#debug ppp authentication
PPP authentication debugging is on
R1#
*Mar 1 00:08:44.083: Se0/0 PPP: Authorization required
*Mar 1 00:08:44.095: Se0/0 CHAP: O CHALLENGE id 15 len 23 from "R1"
*Mar 1 00:08:44.095: Se0/0 CHAP: I CHALLENGE id 11 len 23 from "R2"
*Mar 1 00:08:44.103: Se0/0 CHAP: I RESPONSE id 15 len 23 from "R2"
*Mar 1 00:08:44.111: Se0/0 CHAP: Using hostname from unknown source
*Mar 1 00:08:44.111: Se0/0 CHAP: Using password from AAA
*Mar 1 00:08:44.111: Se0/0 CHAP: O RESPONSE id 11 len 23 from "R1"
*Mar 1 00:08:44.115: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar 1 00:08:44.119: Se0/0 PPP: Received LOGIN Response FAIL
*Mar 1 00:08:44.123: Se0/0 CHAP: O FAILURE id 15 len 25 msg is "Authentication failed"
*Mar 1 00:08:45.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
*Mar 1 00:08:46.163: Se0/0 PPP: Authorization required
*Mar 1 00:08:48.211: Se0/0 CHAP: O CHALLENGE id 16 len 23 from "R1"
*Mar 1 00:08:48.211: Se0/0 CHAP: I CHALLENGE id 12 len 23 from "R2"
*Mar 1 00:08:48.219: Se0/0 CHAP: Using hostname from unknown source
*Mar 1 00:08:48.223: Se0/0 CHAP: Using password from AAA
*Mar 1 00:08:48.223: Se0/0 CHAP: O RESPONSE id 12 len 23 from "R1"
*Mar 1 00:08:48.227: Se0/0 CHAP: I RESPONSE id 16 len 23 from "R2"
*Mar 1 00:08:48.231: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar 1 00:08:48.235: Se0/0 PPP: Received LOGIN Response FAIL
*Mar 1 00:08:48.239: Se0/0 CHAP: O FAILURE id 16 len 25 msg is "Authentication failed"
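The two-way CHAP exchange seen in the debug output (O CHALLENGE / I CHALLENGE, then O RESPONSE / I RESPONSE, then SUCCESS or FAILURE) as an added Python example, not code from the lab. It follows RFC 1994: the response is MD5(id || secret || challenge), so the secret never crosses the link and a mismatched secret on either router produces the "Authentication failed" outcome shown above. The hostnames R1 and R2 are from the page; the secrets "cisco" and "c1sco" are constructed.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge).
    Only this digest crosses the link; the secret itself never does."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Peer:
    """One end of the PPP link. 'secrets' maps the remote hostname to the shared
    secret, like 'username <remote> password <secret>' on a Cisco router."""
    def __init__(self, name, secrets):
        self.name, self.secrets, self.next_id = name, secrets, 0

    def challenge(self):
        """O CHALLENGE: a fresh random value and a new id for every attempt."""
        self.next_id = (self.next_id + 1) & 0xFF
        return {"id": self.next_id, "value": os.urandom(16), "name": self.name}

    def respond(self, chal):
        """O RESPONSE to the peer's challenge, using the secret stored for that peer."""
        secret = self.secrets.get(chal["name"], "").encode()
        return {"id": chal["id"], "name": self.name,
                "value": chap_response(chal["id"], secret, chal["value"])}

    def verify(self, chal, resp):
        """I RESPONSE check: recompute the digest with our own copy of the secret."""
        secret = self.secrets.get(resp["name"])
        if secret is None or resp["id"] != chal["id"]:
            return "FAILURE"          # unknown peer, or a reply to some other challenge
        expected = chap_response(chal["id"], secret.encode(), chal["value"])
        return "SUCCESS" if hmac.compare_digest(expected, resp["value"]) else "FAILURE"

def authenticate(a, b):
    """Two-way CHAP as in the debug output: each side challenges the other."""
    ca, cb = a.challenge(), b.challenge()
    ra, rb = a.respond(cb), b.respond(ca)
    return a.verify(ca, rb), b.verify(cb, ra)

def run_lab():
    """Constructed secrets: 'cisco' on both sides, then a typo in R2's copy."""
    good = authenticate(Peer("R1", {"R2": "cisco"}), Peer("R2", {"R1": "cisco"}))
    bad = authenticate(Peer("R1", {"R2": "cisco"}), Peer("R2", {"R1": "c1sco"}))
    # Replay: a captured response is useless against the next challenge (new id and value).
    r1, r2 = Peer("R1", {"R2": "cisco"}), Peer("R2", {"R1": "cisco"})
    old_resp = r2.respond(r1.challenge())
    replay = r1.verify(r1.challenge(), old_resp)
    return good, bad, replay
```

Note the asymmetry in the failing case: the FAIL arrives on the side whose stored secret differs, so checking the username/password pair on both routers is the first step when the line protocol bounces as in the log.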
Topology diagram for the Frame Relay lab (DLCIs on the switch): 102, 103, 201, 301
FR.SW(config-if)# frame-relay intf-type dce
FR.SW(config-if)# frame-relay route 102 interface Serial0/1 201
FR.SW(config-if)# frame-relay route 103 interface Serial0/2 301
FR.SW(config)#int s0/1
FR.SW(config-if)#description #### koneksi ke kantor Bandung (R2) ####
FR.SW(config-if)# encapsulation frame-relay
FR.SW(config-if)# clock rate 115200
FR.SW(config-if)# frame-relay lmi-type cisco
FR.SW(config-if)# frame-relay intf-type dce
FR.SW(config-if)# frame-relay route 201 interface Serial0/0 102
FR.SW(config)#int s0/2
FR.SW(config-if)#description #### koneksi ke kantor Surabaya (R3) ####
FR.SW(config-if)# encapsulation frame-relay
FR.SW(config-if)# clock rate 115200
FR.SW(config-if)# frame-relay lmi-type cisco
FR.SW(config-if)# frame-relay intf-type dce
FR.SW(config-if)# frame-relay route 301 interface Serial0/0 103

Stage 1 configuration, Frame Relay Multipoint

=================== R1#sh run ===================
hostname R1
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0.123 multipoint
 ip address 123.123.123.1 255.255.255.0
 frame-relay map ip 123.123.123.3 103 broadcast
 frame-relay map ip 123.123.123.2 102 broadcast
 no ip split-horizon
!
router rip
 network 1.0.0.0
 network 123.0.0.0

=================== R2#sh run ===================
hostname R2
!
interface Serial0/0
 ip address 123.123.123.2 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 123.123.123.1 201 broadcast
 frame-relay map ip 123.123.123.3 201
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
router rip
 network 2.0.0.0
 network 123.0.0.0

=================== R3#sh run ===================
hostname R3
!
interface Serial0/0
 ip address 123.123.123.3 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 123.123.123.1 301 broadcast
 frame-relay map ip 123.123.123.2 301
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
router rip
 network 3.0.0.0
 network 123.0.0.0

================================================================================
On the Frame Relay switch:
FR.SW#show frame-relay route
FR.SW#show frame-relay lmi
================================================================================
R1#sh frame-relay map
R1#sh ip route
R1#ping 123.123.123.2
R1#ping 123.123.123.3
R1#ping 2.2.2.2
R1#ping 3.3.3.3
================================================================================
R2#sh frame-relay map
R2#sh ip route rip
R2#ping 123.123.123.1
R2#ping 123.123.123.3
R2#ping 1.1.1.1
R2#ping 3.3.3.3
================================================================================
R3#sh frame-relay map
R3#sh ip route rip
R3#ping 123.123.123.1
R3#ping 123.123.123.2
R3#ping 1.1.1.1
R3#ping 2.2.2.2
================================================================================
R2.BDG(config)#int Lo0
R2.BDG(config-if)#ip address 2.2.2.2 255.255.255.255
R2.BDG(config)#router eigrp 10
R2.BDG(config-router)#network 2.2.2.2
R2.BDG(config-router)#network 10.10.10.2

R3.SBY(config)#int s0/0
R3.SBY(config-if)#en fr
R3.SBY(config-if)#frame-relay interface-dlci 301
R3.SBY(config-if)#ip add 20.20.20.2 255.255.255.252
R3.SBY(config-if)#no shut
R3.SBY(config)#int Lo0
R3.SBY(config-if)#ip add 3.3.3.3 255.255.255.255
R3.SBY(config)#router eigrp 10
R3.SBY(config-router)#network 3.3.3.3
R3.SBY(config-router)#network 20.20.20.2