
Learning to Add Access-List Capability (Time Based)

17 May 2010
Today the boss is evaluating the performance of his staff. The statistics
show that performance drops during working hours, 08:00-17:00, most likely
because the staff habitually play on Facebook while they are supposed to be
working. The boss finally called a meeting to discuss this, and the outcome
was a new policy on internet use: the boss does not allow internet use during
working hours (weekdays) from 08:00-12:00 and 13:00-17:00, while internet use
outside those hours (overtime and weekends) is allowed.

Let's learn how to implement the boss's request.

This time we try it by adding the access-list capability.
The steps are:
-----------------------------------------------------
1. Create the time-range for the ACL; this time the time range is
named "iwing-based-time"
-----------------------------------------------------
cnc1(config)#time-range iwing-based-time
-----------------------------------------------------
cnc1(config-time-range)#?
Time range configuration commands:
 absolute  absolute time and date
 default   Set a command to its defaults
 exit      Exit from time-range configuration mode
 no        Negate a command or set its defaults
 periodic  periodic time and date

cnc1(config-time-range)#

cnc1(config-time-range)#periodic ?
 Friday     Friday
 Monday     Monday
 Saturday   Saturday
 Sunday     Sunday
 Thursday   Thursday
 Tuesday    Tuesday
 Wednesday  Wednesday
 daily      Every day of the week
 weekdays   Monday thru Friday
 weekend    Saturday and Sunday

cnc1(config-time-range)#periodic weekdays ?
 hh:mm  Starting time

cnc1(config-time-range)#periodic weekdays 08:00 ?
 to  ending day and time
-----------------------------------------------------
2. Add the rules to our time-range.
We want the time-range to apply during:
weekdays from 08:00 to 12:00 and from 13:00 to 17:00,
and on the weekend only for testing (since today is Sunday)
-----------------------------------------------------
cnc1(config-time-range)#periodic weekdays 08:00 to 12:00
cnc1(config-time-range)#periodic weekdays 13:00 to 17:00
cnc1(config-time-range)#periodic weekend 16:35 to 16:40 (for testing @_@)
-----------------------------------------------------
3. Create the ACL and add its rules. Our extended ACL is numbered 110,
and the applications being denied are icmp, http and ftp.
Be careful and don't forget about the "explicit deny".
-----------------------------------------------------
cnc1(config)#access-list 110 deny icmp any any time-range iwing-based-time log
cnc1(config)#access-list 110 deny tcp any any eq www time-range iwing-based-time log
cnc1(config)#access-list 110 deny tcp any any eq ftp time-range iwing-based-time log
cnc1(config)#access-list 110 permit ip any any log
-----------------------------------------------------
4. Apply the ACL on the interface we want; we apply our ACL on
interface fastEthernet 0/0 in the inbound direction.
-----------------------------------------------------
cnc1(config)#int fastEthernet 0/0
cnc1(config-if)#ip access-group 110 in
cnc1(config-if)#
-----------------------------------------------------
5. Check the configuration with "show time-range"
-----------------------------------------------------
cnc1#show time-range
time-range entry: iwing-based-time (active)
 periodic weekdays 8:00 to 12:00
 periodic weekdays 13:00 to 17:00
 periodic weekend 16:35 to 16:40
 used in: IP ACL entry
 used in: IP ACL entry
 used in: IP ACL entry
cnc1#

-----------------------------------------------------
6. Check the configuration with "sh ip access-lists 110"
-----------------------------------------------------

cnc1#show access-lists 110
Extended IP access list 110
 10 deny icmp any any time-range iwing-based-time (active) log (31 matches)
 20 deny tcp any any eq www time-range iwing-based-time (active) log
 30 deny tcp any any eq ftp time-range iwing-based-time (active) log
 40 permit ip any any log (47 matches)
cnc1#

-----------------------------------------------------
Testing:
[image: ACL based on time 16:35 to 16:40]
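As an added example that is not part of the original post: a small Python evaluator that parses the article's time-range and ACL 110 lines and walks the ACL the way IOS does (first match wins, implicit deny at the end), so you can predict what a packet would hit at a given time before touching the router. It assumes the end minute of a periodic entry is inclusive and does not handle cross-day periodic entries or absolute ranges.

```python
import re
from datetime import datetime, time

# Constructed sample: the ACL and time-range lines from the article's running config.
CONFIG = """\
access-list 110 deny icmp any any time-range iwing-based-time log
access-list 110 deny tcp any any eq www time-range iwing-based-time log
access-list 110 deny tcp any any eq ftp time-range iwing-based-time log
access-list 110 permit ip any any log
time-range iwing-based-time
 periodic weekdays 8:00 to 12:00
 periodic weekdays 13:00 to 17:00
 periodic weekend 16:35 to 16:40
"""

# datetime.weekday(): Monday=0 ... Sunday=6
DAYS = {"monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
        "friday": {4}, "saturday": {5}, "sunday": {6},
        "weekdays": set(range(5)), "weekend": {5, 6}, "daily": set(range(7))}
PORT_NAMES = {"www": 80, "ftp": 21}  # IOS port keywords used in the sample

def parse(cfg):
    """Return (time_ranges, acl_entries) from IOS config text."""
    ranges, acl, current = {}, [], None
    for line in cfg.splitlines():
        if m := re.match(r"time-range (\S+)", line):
            current = ranges.setdefault(m.group(1), [])
        elif m := re.match(r"\s+periodic (.+?) (\d{1,2}:\d{2}) to (\d{1,2}:\d{2})$", line):
            days = set().union(*(DAYS[d.lower()] for d in m.group(1).split()))
            start, end = (time(*map(int, t.split(":"))) for t in m.group(2, 3))
            current.append((days, start, end))
        elif m := re.match(r"access-list \d+ (permit|deny) (\S+) any any"
                           r"(?: eq (\S+))?(?: time-range (\S+))?", line):
            action, proto, port, tr = m.groups()
            acl.append((action, proto, int(PORT_NAMES.get(port, port)) if port else None, tr))
    return ranges, acl

def range_active(entries, when):
    """True if any periodic entry covers datetime `when` (end minute assumed inclusive)."""
    return any(when.weekday() in d and s <= when.time() <= e for d, s, e in entries)

def evaluate(cfg, proto, dst_port, when):
    """Walk the ACL top-down: first matching active entry wins, else implicit deny."""
    ranges, acl = parse(cfg)
    for action, p, port, tr in acl:
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dst_port:
            continue
        if tr and not range_active(ranges[tr], when):
            continue  # entry is inactive outside its time-range, so IOS skips it
        return action
    return "deny"  # the implicit deny at the end of every IOS ACL
```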


-----------------------------------------------------
Example: the full configuration
-----------------------------------------------------
cnc1#sh run
Building configuration...

Current configuration : 2686 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cnc1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging userinfo
logging buffered 16384
enable secret 5 $1$qOZ9$tqEugGP41UyyBzB8ClCvw/
!
aaa new-model
!
aaa authentication login default local
!
!
aaa session-id common
ip source-route
ip cef
!
no ipv6 cef
!
multilink bundle-name authenticated
!
voice dsp waitstate 0
!
memory-size iomem 0
username iwing privilege 15 password 7 xxxx
username datakom privilege 0 password 7 xxxx
archive
 log config
 hidekeys
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.60.1 255.255.255.0
 ip access-group 110 in
 duplex half
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.10.65 255.255.255.252
 ip access-group WORM in
 ip access-group WORM out
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.1 0.0.0.0 area 0
 network 192.168.10.64 0.0.0.3 area 0
 network 192.168.60.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip access-list extended WORM
 deny   tcp any any eq 135 log
 deny   udp any any eq 135 log
 deny   udp any any eq netbios-ns log
 deny   udp any any eq netbios-dgm log
 deny   tcp any any eq 139 log
 deny   udp any any eq netbios-ss log
 deny   tcp any any eq 445 log
 deny   tcp any any eq 593 log
 deny   tcp any any eq 4444 log
 deny   tcp any any eq 2048 log
 deny   udp any any eq 2048 log
 deny   tcp any any eq 1433 log
 deny   udp any any eq 1434 log
 permit icmp any any log
 permit tcp any any gt 0 log
 permit udp any any gt 0 log
 permit ip any any log
!
logging alarm informational
logging 192.168.60.2
access-list 110 deny icmp any any time-range iwing-based-time log
access-list 110 deny tcp any any eq www time-range iwing-based-time log
access-list 110 deny tcp any any eq ftp time-range iwing-based-time log
access-list 110 permit ip any any log
snmp-server community iwing RO
snmp-server location dayeuhkolot
snmp-server contact iwing
snmp-server host 192.168.60.2 iwing
!
control-plane
!
mgcp fax t38 ecm
!
gatekeeper
 shutdown
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 7 xxxx
!
time-range iwing-based-time
 periodic weekdays 8:00 to 12:00
 periodic weekdays 13:00 to 17:00
 periodic weekend 16:35 to 16:40
!
end

cnc1#

-----------------------------------------------------
That's all, hope it's useful, and "CMIIW"
