Sunday, 15 November 2015

Guide to building access-lists (ACLs)

1. Deny first, then permit. Denying the network traffic from accessing another network comes before permitting all other traffic.
2. Always place a standard access-list close to the network/host that is to be denied.
3. Always order the entries from most specific to least specific.
4. If no port is mentioned, a standard access-list is the better choice.
5. If a port is mentioned, use an extended access-list.
6. Numbered or named is up to you; if you want something easier to edit, use named.
7. To view or examine an access-list, do not use show run; show access-list or show ip access-list is much more convenient.

Example:
• For the 192.168.10.0/24 network, block Telnet access to all locations and TFTP access to the corporate Web/TFTP server at 192.168.20.254. All other access is allowed.
• For the 192.168.11.0/24 network, allow TFTP access and web access to the corporate Web/TFTP server at 192.168.20.254. Block all other traffic from the 192.168.11.0/24 network to the 192.168.20.0/24 network. All other access is allowed.


Put more simply:
Network 192.168.10.0/24 can access everything except Telnet to any location and TFTP to the corporate Web/TFTP server.
Network 192.168.11.0/24

Breakdown:
For 192.168.10.0/24
Block:
  • Telnet access to all locations
  • TFTP access to the corporate Web/TFTP server 192.168.20.254
Permit:
  • All other access (Mail, Database, Ping/ICMP)
For 192.168.11.0/24
Block:
  • All other traffic from the 192.168.11.0/24 network to the 192.168.20.0/24 network
Permit:
  • TFTP access and web access to the corporate Web/TFTP server at 192.168.20.254

Access-list
R1(config)#access-list 100 
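The two policies written out as IOS extended ACLs, following the ordering rules above (deny before permit, most specific first). This is an added example, not the post's own configuration; the interface names and the inbound direction are assumptions, since the post does not give the topology.

```cisco
! Entered in global configuration mode on R1.
! Policy for 192.168.10.0/24: the denies come first, each as specific as
! possible, and the catch-all permit last (tips 1 and 3 above).
access-list 100 remark Block Telnet from 192.168.10.0/24 to any destination
access-list 100 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
access-list 100 remark Block TFTP from 192.168.10.0/24 to the Web/TFTP server
access-list 100 deny udp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq tftp
access-list 100 permit ip any any
!
! Policy for 192.168.11.0/24: the two permits to the single server host are
! more specific than the deny for the whole 192.168.20.0/24 network, so
! they are listed first; the deny would otherwise shadow them.
access-list 101 remark Allow TFTP and web to the Web/TFTP server only
access-list 101 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
access-list 101 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip any any
!
! Apply each list inbound on the interface facing its source network.
! Interface names are assumed; the post does not give the topology.
interface FastEthernet0/0
 ip access-group 100 in
interface FastEthernet0/1
 ip access-group 101 in
```

Check the result with show access-lists rather than show run (tip 7): the per-entry match counters show which line a test packet hit, which is how you catch a deny that shadows a later permit.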

Activity: Securing the network using ACLs

Activity 1

1. An Access Control List (ACL) is a router configuration script that controls whether a router will ____ or ___ packets based on criteria found in the packet header.

2. ACLs are often used in ___ routers that are positioned between your internal network and external network.

3. A router with three active interfaces and two network protocols (IP and IPX) can have as many as ___ active ACLs.

4. For inbound ACLs, incoming packets are processed ___ they are routed to an outbound interface.

5. For outbound ACLs, incoming packets are processed ___ they are routed to an outbound interface.

6. At the end of every access-list is an implied ___ all traffic criteria statement. Therefore, if a packet does not match any of your criteria statements, the packet will be ___

permit, six, before, blocked, allowed, while, deny, firewall, after, three, twelve.

Answer:
1. Permit, Deny
2. Firewall
3. Twelve
4. Before
5. After
6. Deny, Blocked

Activity 2
1. Can filter traffic based on source IP address: Standard and Extended
2. Can filter traffic based on destination IP address: Extended only
3. Can filter traffic based on protocol type: Extended only
4. Uses numbers 1 - 99: Standard
5. Uses numbers 100 - 199: Extended
6. Uses numbers 1300 - 1999: Standard
7. Can use a name instead of a number: Standard and Extended

Activity 3
Network policy #1: Use a standard ACL to stop the 192.168.1.0/24 network from accessing the Internet via ISP
Network policy #2: Use an extended ACL to stop the 192.168.30.0/24 network from accessing the Web/TFTP server.


Saturday, 14 November 2015


Some tips and tricks for Cisco switches and routers

1. The routing table can be used as a tool to summarize network numbers
1. Create 1 or 2 loopback interfaces
2. Assign the network numbers you want to summarize to the loopback interfaces you just created
3. Issue show ip route

2. Determining the reference-bandwidth cost of the OSPF feature on the network's routers
Interface cost = reference bandwidth / interface bandwidth


3. Access-lists as a way of determining


4. How to determine the root ID of the spanning-tree feature on the network's switches
1. Telnet to every switch
2. Issue the command show spanning-tree brief on every switch
3. Look for the VLAN you want to find/examine (the target VLAN)
4. Check whether all of its ports are forwarding.
5.

5. How to determine whether a switch forwards a host's packets or not



Thursday, 12 November 2015

Comparing 802.1d and 802.1w

Comparing the speed of spanning-tree and PVST

Spanning-tree 802.1d
Algorithm:
1. show spanning-tree on every switch
S1# show spanning-tree
S2# show spanning-tree
S3# show spanning-tree

2. From the output of the commands above, determine which switch is the root bridge.

3. From the output of S2#show spanning-tree vlan 99, determine which ports are blocking and which are forwarding.

4. Test ping from PC3 to the server PC

5. Unplug the fa0/1 and fa0/3 cables of switch 1. By the way, what is the status of port fa0/1 on switch 1 now, and what is the status of fa0/3 on switch 1?

6. Back in the PC3 window, how many timeouts occurred?

7. Reconnect the fa0/1 cable to the switch and fa0/3 to switch 1. Does another timeout occur?



Wednesday, 11 November 2015

Configuring RSTP

Task 8: Configure PVST Rapid Spanning Tree Protocol
Cisco has developed several features to address the slow convergence times associated with standard STP. PortFast, UplinkFast, and BackboneFast are features that, when properly configured, can dramatically reduce the time required to restore connectivity. Incorporating these features requires manual configuration, and care must be taken to do it correctly. The longer term solution is Rapid STP (RSTP), 802.1w, which incorporates these features among others. RSTP-PVST is configured as follows:
S1(config)#spanning-tree mode rapid-pvst
Configure all three switches in this manner.
S2(config)#spanning-tree mode rapid-pvst
S3(config)#spanning-tree mode rapid-pvst
Use the command show spanning-tree summary to verify that RSTP is enabled.


Tuesday, 10 November 2015

Switch brand new / fresh / out-of-the-box / not configured at all
No console cable available.

1. 1 laptop
2. 3 switches, series 890

Goal: set up your lab to match the network topology
configure each switch

Experiment steps:
1. Set the computer/laptop IP to 10.10.10.2 255.255.255.0
2. Power up the switch
3. Test ping from the laptop/computer to the switch at 10.10.10.1
4. Telnet to 10.10.10.1 (this is the switch's default IP)
5. Configure switch 1:

1. Power up the switch
2. Connect a LAN cable between switch port fa0/1 and the PC/laptop's LAN port
3. Telnet from the PC/laptop to 10.10.10.1 (this is the default IP of a new switch)

Basic settings
set switch 1 hostname: S1
set line console 0 password: cisco, login mode local.
set line vty 0 15 password: cisco, login mode local.
set enable secret: class

SVI
set interface vlan 99: 172.17.99.1 255.255.255.0

VTP
set switch 1 vtp mode: server
set switch 1 vtp domain name: Lab5
set switch 1 vtp password: cisco

Add VLANs
Add the following VLANs, with their names, to switch 1:
VLAN 10
VLAN 20
VLAN 30
VLAN 99

Trunking
Set switch 1 interfaces fa0/1 - fa0/4 mode: trunk, not access
Set the native VLAN for trunk interfaces fa0/1-fa0/4 on switch 1: vlan 99




switch 2: S2
set switch 2 hostname: S2
set line console 0 password: cisco, login mode local.
set line vty 0 15 password: cisco, login mode local.
set enable secret: class

SVI
set interface vlan 99: 172.17.99.1 255.255.255.0

Set trunking
Set switch 2 interfaces fa0/1 - fa0/4 mode: trunk
Set the native VLAN for trunk interfaces fa0/1 - fa0/4 on switch 2: vlan 99

Set access
Set access for the host PC
Set switch 2 interface fa0/6 mode: access

VTP
set switch 2 vtp mode: client
set switch 2 vtp domain name: Lab5
set switch 2 vtp password: cisco

switch 3: S3
set switch 3 hostname: S3
set line console 0 password: cisco, login mode local.
set line vty 0 15 password: cisco, login mode local.
set enable secret: class
set interface vlan 99: 172.17.99.1 255.255.255.0

Set trunking
Set switch 3 interfaces fa0/1 - fa0/4 mode: trunk
Set the native VLAN for trunk interfaces fa0/1-fa0/4 on switch 3: vlan 99

Set VTP
set switch 3 vtp mode: client
set switch 3 vtp domain name: Lab5
set switch 3 vtp password: cisco
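The S1 and S2 settings above as IOS configuration (an added example, not the post's own configuration). Assumptions are marked in comments: the local username behind "login local", the VLAN names, and a distinct SVI address for S2.

```cisco
! S1, the VTP server. Entered in global configuration mode after telnetting
! to the factory-default address 10.10.10.1.
hostname S1
enable secret class
! "login local" checks a local user account, which the post does not name;
! the account below is assumed. The line password is then not consulted.
username admin secret cisco
line console 0
 password cisco
 login local
line vty 0 15
 password cisco
 login local
! Management SVI; VLAN 99 is also the native VLAN of the trunks
interface vlan 99
 ip address 172.17.99.1 255.255.255.0
 no shutdown
! VTP server: the VLANs created below are propagated to the clients S2 and S3
vtp mode server
vtp domain Lab5
vtp password cisco
! VLAN names are assumed; the post asks for names but does not list them
vlan 10
 name VLAN10
vlan 20
 name VLAN20
vlan 30
 name VLAN30
vlan 99
 name Management
! Inter-switch links: trunk, not access, with native VLAN 99
interface range fastethernet 0/1 - 4
 switchport mode trunk
 switchport trunk native vlan 99
!
! S2: same basic settings and trunk configuration as S1; the differences are
! below. S3 matches S2 except for the hostname and the absence of fa0/6.
hostname S2
vtp mode client
vtp domain Lab5
vtp password cisco
interface vlan 99
 ! Assumed: the post lists 172.17.99.1 for every switch, but each SVI needs
 ! its own address, so S2 takes .2 here (and S3 .3).
 ip address 172.17.99.2 255.255.255.0
 no shutdown
! Access port for the host PC
interface fastethernet 0/6
 switchport mode access
```

Verify the VLANs reached the clients with show vtp status and show vlan brief on S2 and S3; the trunks must be up and in the same VTP domain before the client learns anything.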

Wipe/erase access-list 23 on the switches
S3(config)#no access-list 23

S2(config)#no access-list 23

S1(config)# no access-list 23


Cabling
S1 fa0/1 to S3 fa0/1
S1 fa0/2 to S3 fa0/2

S1 fa0/3 to S2 fa0/3
S1 fa0/4 to S2 fa0/4

S2 fa0/2 to S3 fa0/4
S2 fa0/1 to S3 fa0/3

Drawing the spanning-tree topology of each VLAN and marking which switch is root
Usually, if the priority of each switch is left unchanged, the root is the same for every VLAN's spanning-tree topology.

This means the path used by every VLAN is the same, so the redundant links sit idle / unused.

This can be seen with show spanning-tree brief
S1# show spanning-tree brief
S2# show spanning-tree brief
S3# show spanning-tree brief

If the root bridge ID is the same for every VLAN, then every VLAN's spanning-tree uses the same root switch.
Example:
spanning-tree for VLAN 1: the root switch is switch 1,
spanning-tree for VLAN 10: the root switch is also switch 1,
spanning-tree for VLAN 20: the root switch is also switch 1,
spanning-tree for VLAN 30: the root switch is also switch 1.
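Checking the root per VLAN and, going one step beyond the post, moving the root for two VLANs onto S2 so the idle redundant links carry traffic. This is an added example, not from the post; it assumes the three switches run PVST+ or rapid-PVST and that S2 is the switch you want as root for VLAN 20 and 30.

```cisco
! Which bridge is root for each VLAN (the post's command):
S1# show spanning-tree brief
! Per-VLAN detail: root ID, this switch's bridge ID, port roles and states
S1# show spanning-tree vlan 10
!
! If the root ID is the same for VLAN 1, 10, 20 and 30, all VLANs follow the
! same path. Lower S2's priority for VLAN 20 and 30 so it becomes root there
! (default 32768, lowest wins; "root primary" picks a value below the
! current root's priority for you):
S2(config)# spanning-tree vlan 20,30 root primary
! Explicit equivalent (priority must be a multiple of 4096):
S2(config)# spanning-tree vlan 20,30 priority 4096
! Pin S1 as root for VLAN 1 and 10 so those VLANs keep their current path:
S1(config)# spanning-tree vlan 1,10 root primary
!
! Verify: for VLAN 20 the root ID now carries S2's MAC address and on S1 the
! port toward S2 is the root port, while VLAN 10 still shows S1 as root.
S1# show spanning-tree vlan 20
S1# show spanning-tree vlan 10
```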

VLAN 1


VLAN 10


VLAN 20


VLAN 30