Advertisements
Home

Access List (ACL)

Leave a comment

Dahulu kala…(cieee dahulu kalaaaa)

Gw pernah posting artikel tentang standard access list dan extended nya…(link & link nya)

Hari ini gw mo lengkapin & gabungin PLUS dengan visualisasi2 dari CNAP (Cisco Network Academy Program)…biar lebih rapih juga

==============================================

Spoiler Alert (apa coba -_-;)…logika IP (subnetting/VLSM) mesti tau dulu nih untuk bisa belajar ACL

Wokeh let’s start…Apa sih itu ACL ???

ACL itu semacam filtering yang ditempatkan di Router untuk mem-filter paket yang datang atau keluar, sebenernya filtering ini bisa aja pake Firewall (software atau hardware….lebih mudah malah daripada ACL itu sendiri).

Network designers use firewalls to protect networks from unauthorized use. Firewalls are hardware or software solutions that enforce network security policies. Consider a lock on a door to a room inside a building. The lock only allows authorized users with a key or access card to pass through the door. Similarly, a firewall filters unauthorized or potentially dangerous packets from entering the network. On a Cisco router, you can configure a simple firewall that provides basic traffic filtering capabilities using ACL.

ACL agak sedikit susah dijelasin…make logika banget soalnya dan bisa sangat Rumit dan Komplek klo logika lo ga jalan (gw jg kadang2 ga jalan…hahahah)

ACL di implement di Router…which mean this is layer 3 application

Contoh: si boss punya statement sebagai berikut…

packet yang ke network A untuk akses web (berarti port 80), di persilahkan masuk…selain itu NO !!

dan packet untuk network B SELAIN dari akses web, dipersilakan masuk

Figure 1. Packet Filtering Diagram Example

==============================================

ACL Implementation Guideline

Contoh:

Ada 3 interface (1,2,3) dan 2 protocol (IP dan IPX)

Jadi…misal :

  • Bisa

    Di FastEthernet0/0 ada ACL untuk protocol IP (192.168.1.1) untuk Masuk

    Di FastEthernet0/0 ada ACL untuk protocol IP (192.168.5.1) untuk Keluar

    Beda direction walopun sama2 protocol IP

  • Bisa

    Di FastEthernet0/0 ada ACL untuk protocol IP (192.168.1.1) untuk Masuk

    Di FastEthernet0/0 ada ACL untuk protocol IPv6 (2001::6) untuk Masuk

    Beda Protocol walopun sama2 masuk

  • Ga Bisa

    Di FastEthernet0/0 ada ACL untuk protocol IP (192.168.1.1) untuk Masuk

    Di FastEthernet0/0 ada ACL untuk protocol IP (192.168.5.1) untuk Masuk

    Sama2 protocol IP dan sama2 Masuk

  1. Gunakan ACL di Router yang terhubung ke Internet (yang menghubungkan Internal dengan External)
  2. Gunakan ACL di Router untuk memfilter ke network2 yang didesain untuk tidak dimasuki, dimasuki oleh orang2 tertentu, atau hanya aplikasi2 tertentu (port)

Figure 2. Inbound ACL (memfilter packet2 yang mau masuk ke jaringan)

Figure 3. Outbound ACL (memfilter packet2 yang mau keluar dari jaringan)

Implicit Deny adalah rule yang tidak tertulis oleh ACL…

yaitu ketika semua list dari persyaratan (command2) ACL yang ada tidak terpenuhi (baik yang di allow/permit atau yang di blok/deny), maka akan di DROP (intinya…ujung2nya bakal di drop si packet klo ga match ama satupun command/persyaratan dari ACL itu)

Numbered ACL and Named ACL

Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are:

  • Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure.
  • Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

Figure 4. Standard ACL

Figure 5. Extended ACL (impact nya ga ngaru ke traffic yang lain jadinya)

Figure 6. ACL Best Practices

Contoh kakus (*ehem*…kasus maksudnya)

Jawabannya (klo lo jawabannya begini…berarti udah bener…congratulations !!!)

==============================================

Implementasi ACL

Gw pake gambar aja…uda merepresentasikan semuanya

Konfigurasi dibawah ini di global config mode…Router(config)#

0.0.0.255 itu adalah wildcard mask…gampangnya adalah….yang angka 0 harus sama persis dengan ip tujuan…sedang 255 bukan

Contoh….ip 192.168.30.0 dengan wildcard mask 0.0.0.255 (contoh yang diatas)

Jadi mo 192.168.10.15…192.168.10.200…192.168.10.75….boleh masuk

Tapi misal….ACL dengan ip 192.168.30.1 dengan wildcard mask 0.0.0.0…gimana nih jadinya ??

(Klo bisa…berarti udah nangkep)..HANYA IP 192.168.30.1 yang boleh masuk…sisanya ga boleh

Contoh lain :

Misal lo mau permit network access for the 14 users in the subnet 192.168.3.32 /28. The subnet mask for the IP subnet is 255.255.255.240, therefore take the 255.255.255.255 and subtract from the subnet mask 255.255.255.240. The solution this time produces the wildcard mask 0.0.0.15.

==============================================

Standard ACL Logic and Configuration

Figure 7. Contoh Skema Jaringan

Figure 8. contoh command ACL

Contoh command ACL diatas ada 2…dan 2-2 nya punya effect sama…yaitu sama2 membolehkan network 192.168.10.0 untuk mengakses network 192.168.30.0

Bedanya dimana ? bedanya adalah:

  • 101 = terdapat implicit deny…(inget…baca lagi diatas…implicit deny adalah peraturan tidak tertulis dari ACL…)
  • 102 = secara langsung disebutin…”deny ip any any”….ini sama aja effect nya kek implicit deny
  • JADIIII…klo logika lo jalan dan lagi encer2nya…*haha*…lo bisa hemat tulisan/ketikan buat ACL….tapi klo lagi mumet otak lo…mending pilih cara manual…bener2 diinput satu2..biar ga salah langkah/logika

Klo mau permit/blok 1 IP/host aja…kita bisa kasi keyword host

==============================================

Prosedur implementasi standard ACL di router

Figure 9. JANGAN LUPA NIH….kita sering banget (terutama gw)…udah capek2 setting ACL…koq ga jalan2 ???..taunya blum di applied ke interface nya pake access-group >_<

==============================================

===============================================================================

Extended ACL

Trus misalnya lo ga tau nih…ato lupa misalkan..port berapa yah…tinggal ketik aja “?

  • Extended ACL Command List





=============================================================

Complex ACL (apaan lagi inih?!?!)

  • Dynamic ACL

Dynamic ACLs have the following security benefits over standard and static extended ACLs:

  • Use of a challenge mechanism to authenticate individual users
  • Simplified management in large internetworks
  • In many cases, reduction of the amount of router processing that is required for ACLs
  • Reduction of the opportunity for network break-ins by network hackers
  • Creation of dynamic user access through a firewall, without compromising other configured security restrictions
  • DAN YANG PASTI LEBIH SUSAH DAN RIBETS…*HIKS*

Implementasinya (contohnya pake gambar diatas)

Figure 10. create username dan pass dulu di router 3

Figure 11. (update…harusnya access-list 101 permit TCP any host…) bikin ACL buat bisa telnet dan maksimum 15 menit (dalam menit defaultnya) untuk telnetan (mau ada aktifitas ato engga)

Figure 12. ACL yang dibuat dipasang di serial 0/0/1 (yang konek ke R2)..keyword “in” karena memfilter yang mau masuk kan!??!

Figure 13. ketika konek telnet sukses…PC1 bisa akses network 30.0…jika dalam rentang waktu 5 menit ga ada aktifitas…di close dari network dan balik ke telnet

  • Reflexive ACL

Inti dari ACL ini adalah… gw bisa konek ke elo dan saling tuker2an data…tapi klo elo yang mau konek keg w…GA BISA…jadi mesti gw dulu yg konek

Reflexive ACLs can be defined only with extended named IP ACLs. They cannot be defined with numbered or standard named ACLs or with other protocol ACLs. Reflexive ACLs can be used with other standard and static extended ACLs.

Benefits of Reflexive ACLs

  • Help secure your network against network hackers and can be included in a firewall defense.
  • Provide a level of security against spoofing and certain DoS attacks. Reflexive ACLs are much harder to spoof because more filter criteria must match before a packet is permitted through. For example, source and destination addresses and port numbers, not just ACK and RST bits, are checked.
  • Simple to use and, compared to basic ACLs, provide greater control over which packets enter your network.




  • TIME BASED ACL








==============================================================================

  • Naming ACL

  • Monitoring ACL Statements

  • Removing ACL


  • Remark (semacam description buat ACL )


======================================================================

Common ACL Error

(update..yang diatas itu harusnya Extended ACL…access-list 100..bukan 10…nol nya ilang atu ^_^V)

Liat apa masalahnya ?!?!

Jelas di statement pertama ada 10 deny tcp 192.168.10.0

Walaupun di statement kedua ada permit…tapi klo yang pertama UDAH MATCH…ROUTER GA AKAN LIAT STATEMENT2 BAWAHNYA

Masalahnya disini apa coba?!?!

TFTP itu pake UDP…distatement ACL ga disebutin UDP…statement pertama TIDAK MATCH, kedua?? TIDAK MATCH, ketiga ?? TIDAK MATCH…ada statement ke empat yang tidak tertulis….yaitu implicit deny…di drop de

Advertisements

Cisco Voice Solution (my notes when taking CCNA Voice)

2 Comments

Figure 1. Cisco Unified Communication Architecture

Cisco Smart Business Communication System (Cisco SBCS)

Apaan ni ?? ini jualannya Cisco…semacam program paket..yang isi nya macem2 (ya IP Phone, Cisco IOS nya, Server…digabung dinamakan Cisco blablabla itu)

Taken from CCNA Voice Quick Reference: “Smart Business Communications System is a group of specially designed, integrated devices that can provide high quality routing, firewall, intrusion prevention, Power over Ethernet, wireless, and many WAN and PSTN connectivity options.”

Cisco SBCS ini typically pake:

  1. Switch: 500-series switches (gambarnya dibawah…yang Cuma ada kira2 8 port….switch kecil)
  2. Software & Application: Call Agent Software (ditanem di router..jadi bisa di configure dari CLI Router ato dari Web-Based kek SDM) can support up to 48 phones dan Voice mail and Auto-Attendant functions are provided by the integrated Cisco Unity Express (CUE) application (di Router)

Cisco provides several options for call agents, matched to the size and requirements of the customer (paket yang ditawarin ada 4 nih):

Figure 2. Cisco Smart Business Comm. System

  • Cisco Smart Business Communications System: up to 48 users (untuk small office). The system runs on the Cisco Unified Communications 500 Series for Small Business devices (alatnya liat diatas tuh…ada gambarnya)
  • Cisco Unified Communications Manager Express: up to 240 users and runs on the ISR platforms (Integrated Services Router…Router yang IOS nya uda ada fitur2 Voice nya…nambah biaya lagi untuk beli pastinya…wkwkwk)
  • Cisco Unified Communications Manager Business Edition: up to 500 users and runs as a standalone installation on a 7800-series Media Convergence server (MCS). Isi MCS-nya aplikasi Cisco Unified CM dan Cisco Unity Connection (CUC itu ya isinya fitur mail, voice, messaging, dll…baik hardware maupun softwarenya…satu kesatuan)

Figure 3. Cisco MCS 7845I-3000

  • Cisco Unified Communications Manager(ga pake embel2): can handle 30,000 or more users and runs on clusters of 7800-series Media Convergence servers. (1 business edition = 1 cluster / 1 MCS…banyak cluster = Cisco Unified Communications Manager ^_^V)

———————————–

Apa aja sih aplikasi2 yang bisa kita pake di Cisco Unified Communication ??


Cisco Unified Communication Manager Express (Cisco Unified CM Express)

Apa ini Cisco Unified CM Express ?? ini adalah fitur dari software yang jalan di ISR-series router platforms (including the 800, 1800, 2800, 3800, and 7200-series platforms)

*jangan heran…di dunia jaringan penuh dengan 1001 singkatan…heheheh

Cisco Unified CM Express ini support untuk both H.323 and SIP protocols**, site-to-site connections are possible in a variety of environments. The Unified CM Express system can be set up either as a PBX or a Key switch system, providing customers with a familiar experience that suits their operating environment (jadi bisa di set/dibikin jadi PBX/telepon-analog atau IP Phone)

**H.323 adalah protocol untuk mengalirkan suara, video, dan data lewat jaringan computer…contoh Voice over IP (VoIP)…bagaimana technicalnya (call signaling, controlling, dll)…ga gw bahas disini…1 pembahasan sendiri kek SIP

**SIP (Session Initiation Protocol) adalah signaling protocol untuk mengontrol communication session seperti voice dan video over internet protocol (IP), The protocol can be used for creating, modifying and terminating two-party (unicast) or multiparty (multicast) sessions (ngomong dengan banyak orang)…SIP ini adanya di layer 7 (application layer) jadi mo pake UDP, TCP, SCTP*** dia ga perduli.

***SCTP (Stream Control Transmission Protocol) adalah kek semacam hybrid dari TCP & UDP…metode ngirim paket nya kek TCP (reliable) tapi ga sequential/in order kek UDP…jadi memungkinkan untuk memunculkan image dan text secara bersamaan ke web browser…yang dinamakan multi-streaming (capable of streaming packet in parallel way)

Cisco Unity Express (CUE)

Yaitu software yang ketanem di ISR-Router (bisa diupgrade jadi IVR Router-Interactive Voice Response IOS), bisa sampai 250 user, bisa dibikin jadi buat email, voice mail sampe 250-500 (tergantung beli module yang tipe apa).

Bisa ditanem di AIM Module (Advanced Integration Module) atau di NM (Network Module) module. AIM modules are connected to the main board (Router) as a daughter board addition and use flash memory for greetings and message storage. AIM modules therefore have less capacity for storage. NM modules are inserted into module bays in ISR routers, use a hard disk for greeting and message storage, and have greater capacity for storage than AIM modules.

CUE bisa support 4 sampai 16 sesi telepon2an dan sama kek CUCME…bisa d config lewat CLI atau web-browser. Unity Express can be deployed in conjunction with Unified CM or CM Express and can supplement a full Unity deployment.

Figure 4. AIM Module-CUE

Figure 5. NM Module-CUE

Cisco Unity Connection (CUC)

CUC ini bisa digabung dengan Cisco Unified CM Business Edition, klo digabung..support sampe 500 users, tapi klo jadi standalone…bisa support sampe 3000 users per server (tergantung hardware) bisa digabung dengan Cisco Unity yang lain sampe 10 stack (tipe unity nya apa aja)

Koq bisa ya…klo digabung mala jadi dikit ?!?! klo sendiri mungkin kerjanya ga terbebani dengan proses lain…klo digabung nanti bebatnya berat trus jebol (kaliiii…hahaha)

Cisco Unity

Ini biangnya…dedengkotnya…ini platform nya….support sampe 7500 users per server dan up to 250,000 users in multi-server networked environment (sangat jelas buat enterprise)

Cisco Unified IP IVR

Pertama gw jelasin auto-attendant…apa sih auto attendant itu ??

If you have ever heard: “For service in English, press 1. Pour service en Francais, appuyez sur le 2 . . . ,
“…ini dinamakan auto attendants

Tapi klo banyak yg akses…semuanya nunggu donk…

Typically Call centers that have a high call volume and many possible queues of callers waiting for different agent capabilities can effectively deploy Unified IP IVR to steer callers to the correct agent, prompt-and-collect (“Please enter your 10-digit account number, followed by the # sign”).

Cisco Unified Contact Server

Ada 3 macem:

  • Express = integrated “contact center in a box”…up to 300 agents (call agent)
  • Enterprise = Provides intelligent contact routing, call treatment, network-to-desktop computer telephony integration (CTI), and multichannel contact management. It combines multichannel automatic call distributor (ACD – is a device or system that distributes incoming calls to a specific group of terminals that agents use) functionality. Sophisticated monitoring allows customers to be routed to the most appropriate agent (based on real-time conditions such as agent skills, availability, and queue lengths) anywhere in the enterprise, regardless of the agent’s locationintinya ini super canggih…mungkin Telkom speedy butuh ini kek nya…kadang2 jengkel ama mereka…hahaha (curcol mode: on)
  • Hosted = intinya sama kek Enterprise…Cuma di “outsourcing”…hahaha, bedanya ama enterprise biasa adalah mereka gam au repot ngurus dan maintain itu Aplikasi Contact Server…ya itu..outsource…ke Contact Center Service Provider (ada lagi yaks beginian…ahhaahah)…bukan Internet Service Provider yah…

Cisco Unified Mobility Solutions

  • Cisco Unified Mobility = (a.k.a Single Number Reach) Allows multiple remote destinations (commonly a cell phone, a home office phone, or other work location) to be configured to ring at the same time as the worker’s enterprise desk phone. Thus, when a customer calls your work number while you are on your way to a meeting, your cell phone can ring and you can answer without the customer realizing you are away from your desk. Furthermore, if you return to your desk, you can simply pick up your desk phone and continue the call.

    WIIIH…CANGGIH BENERRR

  • Cisco Mobility Voice Access = inti dari teknologi ini adalah…lo telpon customer pake handphone…tapi pas lo call, lo call ke server dulu (enter number dan access code dulu biar ga disalah gunakan)…nanti server bakal forward call lo ke telepon di desk/meja lo..jadi seakan2 lo nelpon dari meja lo (This is useful not only for presenting the preferred Caller-ID number to the customer, but also potentially for long-distance toll savings)
  • Cisco Unified Personal Communicator = A desktop PC (or Mac) application that combines a software IP Phone, IM client, video, and online collaboration capabilities. Presence indications (“Busy,” “In a call,” “Away,” “Do Not Disturb,” and so on) can save time and enhance productivity because users can see the status of the person they want to contact before trying to reach them. Integration with an Outlook toolbar provides click-to-call or click-to-chat from a message or contact. (kombinasi IM dan Phone…kombinasi Yahoo Messenger dan Telepon)
  • Cisco Unified IP Communicator = A fully functioned software IP Phone, often characterized as a “7970 under glass.” Users can place and receive calls from their PCs from anywhere that connectivity to the call agent can be established. This is typically achieved through a VPN connection; it is perfectly possible to place a call from a airport boarding lounge or your local coffee shop. Unified IP Communicator can be enhanced with Unified Video Advantage, which integrates a PC webcam for video calls.
  • Cisco Unified Mobile Communicator = An application for smart mobile phones that provides access to enterprise directories, presence indicators, secure text/chat, voice-mail access, call history of any of the user’s phones displayed on the mobile handset, and collaboration and conferencing integration with Unified Meeting Place. (di BB ada juga koq..minta Cisco nya tapi…lo bisa liat status dari IP Phone nya dari HP lo…entah itu mail, voice mail, call history, dll)
  • Cisco Unified Presence =
    A server-based application that extends the on/off hook status monitoring capability of Unified CM 6.x to include IM-like status messages. Status indications can be displayed or integrated with Personal Communicator, Mobile Communicator, IP Phone Messenger, the Microsoft Office Connector, and IBM Sametime Communicator

Older Entries