Session 11: Extended ACL Implementation

Learning Progress 11/16
Learning Objectives

Students are able to control network traffic with Extended Access Control Lists (ACLs) based on source/destination IP, protocol and port number, and to implement advanced features such as time-based ACLs and logging.

Extended Access Control List Concepts

1. Differences between Standard and Extended ACLs

Feature           Standard ACL              Extended ACL
Number Range      1-99, 1300-1999           100-199, 2000-2699
Filter Criteria   Source IP only            Source/destination IP, protocol, port, etc.
Granularity       Low                       High
Placement         Close to destination      Close to source
Use Case          Basic traffic filtering   Advanced security policies
2. Extended ACL Syntax

An extended ACL has a more complex syntax, which is what allows granular control:

access-list [100-199] [permit|deny] [protocol] [source] [source-wildcard] [operator port] [destination] [destination-wildcard] [operator port] [options]
Protocol Options:
  • ip - All IP traffic
  • tcp - TCP protocol
  • udp - UDP protocol
  • icmp - ICMP protocol
  • gre - GRE tunneling
Operator Options:
  • eq - Equal to port
  • gt - Greater than port
  • lt - Less than port
  • neq - Not equal to port
  • range - Port range
3. Extended ACL Placement Strategy
Close to Source

Extended ACLs should be placed close to the source so that unwanted traffic does not consume bandwidth on the way to the destination

Filter Early

Block unwanted traffic before it crosses the network core

Granular Control

Control based on specific services/ports

4. Common Extended ACL Examples
Basic Examples
! Allow HTTP from any to web server
access-list 101 permit tcp any host 192.168.1.10 eq 80

! Deny FTP from specific network
access-list 102 deny tcp 192.168.10.0 0.0.0.255 any eq 21
access-list 102 permit ip any any

! Allow DNS queries
access-list 103 permit udp any any eq 53
Advanced Examples
! Block ping but allow other
access-list 104 deny icmp any any echo
access-list 104 permit ip any any

! Allow established connections
access-list 105 permit tcp any any established

! Time-based restriction
access-list 106 deny tcp any any eq 80 time-range WORK-HOURS

Practicum Job Sheet

Job Sheet Information

Duration: 170 minutes

Topic: Extended ACL Implementation

Weight: 7%

Objective: granular traffic control

Tools: Cisco Packet Tracer

Assessment: Practicum Report

Topology Diagram with Services (diagram not reproduced; its contents are summarised below)

Admin Department (192.168.10.0/24)
  • PC1: 192.168.10.10
  • WebSrv: 192.168.10.170:80
Router2 (Extended ACL: block FTP, allow HTTP, time-based)
Sales Department (192.168.20.0/24)
  • PC3: 192.168.20.10
  • PC4: 192.168.20.20
IT Department (192.168.30.0/24)
  • PC5: 192.168.30.10
  • FTPSrv: 192.168.30.170:21

Topology notes with services:
  • Admin Dept: web client (PC1) + web server (WebSrv:80)
  • Sales Dept: regular clients (PC3, PC4)
  • IT Dept: client (PC5) + FTP server (FTPSrv:21)
  • The extended ACL is implemented on Router2 for granular control
  • Policy is based on protocol (TCP/UDP/ICMP) and port numbers
Detailed Work Steps
Step 1: Service Preparation and Basic Connectivity

Set up the network services and verify connectivity before applying any ACL:

Service configuration:
! Web server at 192.168.10.170
! FTP server at 192.168.30.170
! Make sure the services are active and accessible
OSPF configuration for connectivity:
router ospf 1
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 10.0.12.0 0.0.0.3 area 0
network 10.0.23.0 0.0.0.3 area 0
exit
Testing the services before the ACL:
! From PC3, test all services
! Web access must succeed
http://192.168.10.170

! FTP access must succeed
ftp 192.168.30.170
Scenario 1: Block Specific Protocol - Deny FTP but Allow Web

Implement an ACL that blocks FTP traffic from the Sales department to the IT department but allows HTTP traffic:

Create the extended ACL on Router2:
! Block FTP from Sales to the IT FTP server
access-list 101 deny tcp 192.168.20.0 0.0.0.255 192.168.30.170 0.0.0.0 eq 21
access-list 101 deny tcp 192.168.20.0 0.0.0.255 192.168.30.170 0.0.0.0 eq 20

! Allow HTTP from Sales to the Admin web server
access-list 101 permit tcp 192.168.20.0 0.0.0.255 192.168.10.170 0.0.0.0 eq 80

! Permit other traffic
access-list 101 permit ip any any
Apply the ACL to the interface:
interface serial 0/0/1
ip access-group 101 out
exit
Testing:
  • From PC3 (Sales), FTP to FTPSrv: FAILS
  • From PC3 (Sales), HTTP to WebSrv: SUCCEEDS
  • From PC1 (Admin), FTP to FTPSrv: SUCCEEDS (not blocked)
FTP note:

FTP uses two ports: 21 (control) and 20 (data). Both must be blocked to shut FTP off completely.
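As an added example (not part of the job sheet or of Cisco IOS), the following Python script models how a router evaluates ACL 101 from this scenario: it parses the numbered extended ACL lines, applies the wildcard masks and `eq` port operator with first-match semantics, and falls through to the implicit deny. It goes slightly beyond Scenario 1 by also honouring the `established` keyword used in Scenario 4. The ACL text is copied from this job sheet; the packets checked are the three cases in the Testing list above.

```python
import ipaddress

# Constructed input: ACL 101 from Scenario 1 (Router2), copied from the job sheet.
ACL_101 = """
access-list 101 deny tcp 192.168.20.0 0.0.0.255 192.168.30.170 0.0.0.0 eq 21
access-list 101 deny tcp 192.168.20.0 0.0.0.255 192.168.30.170 0.0.0.0 eq 20
access-list 101 permit tcp 192.168.20.0 0.0.0.255 192.168.10.170 0.0.0.0 eq 80
access-list 101 permit ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume 'any' | 'host X' | 'X WILDCARD'; return (network, match mask)."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0                      # mask 0: every address matches
    if t == "host":
        return _ip(tok.pop(0)), 0xFFFFFFFF
    return _ip(t), ~_ip(tok.pop(0)) & 0xFFFFFFFF   # invert the wildcard

def _port(tok):
    if tok and tok[0] == "eq":           # only the 'eq' operator is modelled
        tok.pop(0)
        return int(tok.pop(0))
    return None                          # no operator: any port

def parse_acl(text):
    """Parse numbered extended ACL lines into rules, keeping their order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"): continue   # skip comments
        action, proto, tok = tok[2], tok[3], tok[4:]
        src, sport = _addr(tok), _port(tok)
        dst, dport = _addr(tok), _port(tok)
        rules.append((action, proto, src, sport, dst, dport, "established" in tok))
    return rules

def evaluate(rules, proto, src, dst, dport=None, sport=None, ack=False):
    """First match wins; no match means the implicit 'deny ip any any'."""
    s, d = _ip(src), _ip(dst)
    for action, rproto, (sn, sm), rsp, (dn, dm), rdp, est in rules:
        proto_ok = rproto == "ip" or rproto == proto
        addr_ok = (s & sm) == (sn & sm) and (d & dm) == (dn & dm)
        port_ok = rsp in (None, sport) and rdp in (None, dport)
        if proto_ok and addr_ok and port_ok and (ack or not est):
            return action                # 'established' needs ACK/RST set
    return "deny"
```

Reordering the lines of ACL_101 so that `permit ip any any` comes first makes every packet permitted, which is the "ACL statement order incorrect" mistake listed later in this sheet.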

Scenario 2: Block Ping (ICMP) but Allow Other Traffic

Implement an ACL that blocks ICMP echo requests (ping) but allows other traffic:

Create the extended ACL on Router1:
! Block ICMP echo from Admin to Sales
access-list 102 deny icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 echo

! Allow other IP traffic
access-list 102 permit ip any any
Apply the ACL to the interface:
interface serial 0/0/0
ip access-group 102 out
exit
Testing:
  • From PC1 (Admin), ping to PC3 (Sales): FAILS
  • From PC1 (Admin), telnet to PC3 (if active): SUCCEEDS
  • From PC2 (Admin), ping to PC3 (Sales): FAILS
ICMP types:

Use echo to block outgoing pings and echo-reply to block incoming ping replies.

Scenario 3: Time-Based ACL - Block Social Media During Work Hours

Implement a time-based ACL that blocks social media access (HTTP/HTTPS) during work hours:

Create a time-range for work hours:
time-range WORK-HOURS
periodic weekdays 08:00 to 17:00
exit
Create the extended ACL with the time-range:
! Block HTTP/HTTPS during work hours
access-list 103 deny tcp any any eq 80 time-range WORK-HOURS
access-list 103 deny tcp any any eq 443 time-range WORK-HOURS

! Allow other traffic
access-list 103 permit ip any any
Apply the ACL (be careful with placement):
interface serial 0/0/0
ip access-group 103 in
exit
Verify the time-range:
show time-range
show clock
show access-lists 103
Warning:

Be careful when applying an ACL inbound on an interface. Test thoroughly to make sure required traffic is not blocked.

Scenario 4: Established Connections - Allow Only Return Traffic

Implement an ACL that permits only established connections (return traffic) as a security measure:

Create the extended ACL for established connections:
! Allow only established/related connections
access-list 104 permit tcp any any established
access-list 104 permit icmp any any echo-reply
access-list 104 permit udp any any eq 53

! Deny all other traffic
access-list 104 deny ip any any
Apply the ACL for security:
interface serial 0/0/1
ip access-group 104 in
exit
Testing and consequences:
  • Outbound connections: can still be initiated
  • Inbound connections: blocked unless they are responses
  • DNS queries: allowed (port 53)
  • Ping replies: allowed
Security benefit:

This ACL prevents external hosts from initiating connections into the internal network, providing basic firewall protection.

Scenario 5: Complex Policy - Department Access Control

Implement a complex policy with multiple department restrictions:

Policy requirements:
  • Admin can access web on IT but cannot use FTP
  • Sales can access web on Admin but cannot access IT at all
  • IT can access all services on Admin
Implementation on Router2:
! Block Sales to IT completely
access-list 105 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255

! Allow Admin to web on IT but deny FTP
access-list 105 deny tcp 192.168.10.0 0.0.0.255 192.168.30.170 0.0.0.0 eq 21
access-list 105 deny tcp 192.168.10.0 0.0.0.255 192.168.30.170 0.0.0.0 eq 20
access-list 105 permit tcp 192.168.10.0 0.0.0.255 192.168.30.170 0.0.0.0 eq 80

! Allow IT to Admin completely
access-list 105 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255

! Allow Sales to Admin Web
access-list 105 permit tcp 192.168.20.0 0.0.0.255 192.168.10.170 0.0.0.0 eq 80

! Permit other necessary traffic
access-list 105 permit ip any any
Apply the ACL:
interface serial 0/0/1
ip access-group 105 out
exit
Step 6: Verification and Troubleshooting of Extended ACLs

Verify ACL functionality and troubleshoot advanced issues:

Extended ACL verification commands:
! Show all ACLs with details
show access-lists
show ip access-lists

! Show interfaces with an applied ACL
show ip interface serial 0/0/0
show ip interface serial 0/0/1

! Show time-range status
show time-range

! Monitor ACL statistics with hit counts
show access-lists 101
show access-lists 102
show access-lists 103

! Clear ACL counters for a fresh test
clear access-list counters 101
Testing with various protocols:
! Test ICMP
ping 192.168.20.10

! Test TCP services
telnet 192.168.20.10 23
ftp 192.168.30.170

! Test UDP services (if any)
! Test HTTP/HTTPS via web browser
http://192.168.10.170
Troubleshooting Common Extended ACL Issues:
! Check ACL order and syntax
show running-config | include access-list

! Check protocol and port specification
show access-lists 101

! Debug ACL hits
debug ip packet 101

! Check time-range functionality
show time-range
show clock

Advanced Extended ACL Features

Reflexive ACL

Dynamic filtering based on session state. Reflexive ACLs can only be defined inside named extended ACLs: the reflect keyword records outbound sessions in a temporary list, and evaluate in the inbound ACL admits only the matching return traffic:

! Global timeout for temporary reflexive entries (seconds)
ip reflexive-list timeout 120

! Outbound ACL: record every outgoing TCP session in MY-REFLEXIVE
ip access-list extended REFLEXIVE-OUT
permit tcp any any reflect MY-REFLEXIVE
permit ip any any
exit

! Inbound ACL: allow HTTP, then allow only the recorded return traffic
ip access-list extended REFLEXIVE-IN
permit tcp any any eq 80
evaluate MY-REFLEXIVE
exit

! Apply both named ACLs to the interface
interface serial 0/0/0
ip access-group REFLEXIVE-IN in
ip access-group REFLEXIVE-OUT out
exit
Named Extended ACL

An ACL with a name for better management:

! Create named extended ACL
ip access-list extended DEPARTMENT-POLICY
deny tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 21
permit tcp 192.168.20.0 0.0.0.255 192.168.10.170 0.0.0.0 eq 80
permit ip any any
exit

! Apply named ACL
interface serial 0/0/1
ip access-group DEPARTMENT-POLICY out
exit

Extended ACL Best Practices

Configuration Best Practices
  • Place extended ACLs close to the source
  • Use named ACLs for better management
  • Add a comment for every ACL statement
  • Test ACLs during a maintenance window
  • Use logging for monitoring and troubleshooting
Common Mistakes to Avoid
  • Wrong protocol specification (tcp/udp/icmp)
  • Incorrect port numbers or service names
  • Wrong wildcard mask for source/destination
  • Missing "eq" keyword for port specification
  • ACL statement order incorrect
  • Forgetting implicit deny at the end
  • Wrong interface direction (in/out)

Verification Checklist

Scenario     Test Case            Protocol/Port   Expected Result   Status
Scenario 1   PC3 → FTPSrv         FTP (21)        BLOCKED           Check
Scenario 1   PC3 → WebSrv         HTTP (80)       ALLOWED           Check
Scenario 2   PC1 → PC3            ICMP Echo       BLOCKED           Check
Scenario 3   Work Hours Web       HTTP (80)       BLOCKED           Check
Scenario 4   Inbound Initiation   Any TCP         BLOCKED           Check
Scenario 5   Admin → IT FTP       FTP (21)        BLOCKED           Check