Standard Access Control List (ACL)

Using a standard access list follows a set of rules. An example of a standard access list:

  Router_A(config)#access-list 1 deny 172.16.5.2 0.0.0.0
  Router_A(config)#access-list 1 deny 172.16.5.3 0.0.0.0
  Router_A(config)#access-list 1 permit any

The previous example is a standard IP access list that denies the hosts 172.16.5.2 and 172.16.5.3 while allowing all other traffic. The router checks each packet arriving at the interface where the list is applied against the statements sequentially, from the top down, and acts on the first statement the packet matches. It first checks whether the packet matches the deny 172.16.5.2 0.0.0.0 statement; if it does, the router discards the packet. If it does not, the router applies the second statement, deny 172.16.5.3 0.0.0.0, and discards the packet if that matches. If the packet matches neither of the first two lines, the router applies the final permit any statement and the packet is forwarded through the interface.

If you wish to remove an access list, use the no access-list [list number] command. For example, to remove the list above, enter global configuration mode and type no access-list 1. The syntax below shows how a numbered standard access list is created and applied to an interface.

From Global Configuration mode, type in:

 access-list [access-list-number] [deny/permit] [source address] [wildcard mask]

 interface [interface-type/number]
   ip access-group [access-list-number] in/out

Example:

 access-list 5 permit 11.0.3.0 0.0.0.255
 access-list 5 permit 10.0.5.0 0.0.0.255
 int fa0/0
   ip access-group 5 in

The above example permits traffic from two specific networks. Note that the access list must both be defined and be assigned to an interface. An access list by itself (not assigned to an interface) doesn't do anything at all.

"in" or "out" refers to the direction of the traffic relative to the router being configured: "in" filters traffic entering the router through that interface, "out" filters traffic leaving the router through it.

To create a named standard access list, from global configuration mode type:

 ip access-list standard [name]
   deny [source address] [wildcard mask, or the keyword any]
   OR
   permit [source address] [wildcard mask, or the keyword any]

Problems with Access Lists

I. One of the most common problems associated with access lists is a lack of planning. Before you even begin the process of creating access lists on your router, you must plan exactly what needs to be filtered and where it needs to be filtered.

II. Another troublesome area is the sequential nature in which you must enter the lists into the router. You cannot remove individual statements once they are entered. When making changes, you must remove the list, using the no access-list command, and then retype the commands.

On IOS releases that support named access-list configuration mode, you can remove a single entry from a numbered list by entering "ip access-list standard [number]" and negating the entry by its sequence number:

 gw(config)#access-list 77 permit 1.1.1.1
 gw(config)#access-list 77 permit 1.1.1.2
 gw(config)#do show access-list 77
 Standard IP access list 77
     10 permit 1.1.1.1
     20 permit 1.1.1.2
 gw(config)#ip access-list standard 77
 gw(config-std-nacl)#no 10 permit 1.1.1.1
 gw(config-std-nacl)#do show access-list 77
 Standard IP access list 77
     20 permit 1.1.1.2

III. Finally, many new network administrators find themselves in trouble when they Telnet into a router and begin applying an access list. An access list starts to work the second it is applied to an interface, so it is very possible for a new administrator to be inadvertently blocked from the very router on which the access list is being applied.
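As an added example (not part of the original post), the following Python script models the behaviour described in this post: top-down first-match evaluation of the statements using the wildcard mask, the implicit deny that ends every IOS access list, removal of an entry by its sequence number as in the "ip access-list standard 77" session above, and a pre-check for the Telnet lockout problem just described: before applying a list inbound on the interface your management session arrives through, confirm that your own address is still permitted. The access lists and addresses are the ones from the post; the class and function names, the management address 192.168.1.1 in the demo, and the assumption that IOS auto-numbers untyped entries 10, 20, 30 are this example's own.

```python
"""Model of Cisco IOS standard ACL evaluation (added example, not from the post).

Assumptions (not from the page): class/function names are this example's own;
entries typed without a sequence number get 10, 20, 30 ...; every ACL ends
with an implicit 'deny any'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass
class Entry:
    seq: int
    action: str      # "permit" or "deny"
    source: int      # source address as a 32-bit integer
    wildcard: int    # wildcard mask: a 0 bit must match, a 1 bit is ignored

    def matches(self, addr: int) -> bool:
        care = ~self.wildcard & ALL_ONES           # bits the entry cares about
        return addr & care == self.source & care

    def text(self) -> str:
        """Render like 'show access-list' output: '10 permit 1.1.1.1'."""
        if self.wildcard == ALL_ONES:
            src = "any"
        elif self.wildcard == 0:
            src = str(ipaddress.IPv4Address(self.source))
        else:
            src = f"{ipaddress.IPv4Address(self.source)} {ipaddress.IPv4Address(self.wildcard)}"
        return f"{self.seq} {self.action} {src}"


def parse_entry(line: str, seq: int) -> Entry:
    """Parse one statement in the forms the post uses:
    'access-list 1 deny 172.16.5.2 0.0.0.0', 'access-list 1 permit any',
    'permit 10.0.5.0 0.0.0.255', or 'permit 1.1.1.1' (no mask = one host)."""
    tokens = line.split()
    if tokens and tokens[0] == "access-list":
        tokens = tokens[2:]                        # drop keyword and list number
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL statement: {line!r}")
    action, src = tokens[0], tokens[1]
    if src == "any":
        return Entry(seq, action, 0, ALL_ONES)
    if src == "host":                              # 'host A.B.C.D' form
        return Entry(seq, action, int(ipaddress.IPv4Address(tokens[2])), 0)
    source = int(ipaddress.IPv4Address(src))
    wildcard = int(ipaddress.IPv4Address(tokens[2])) if len(tokens) > 2 else 0
    return Entry(seq, action, source, wildcard)


class StandardAcl:
    def __init__(self, number: int, statements):
        self.number = number
        # IOS numbers entries 10, 20, 30 ... when no sequence number is typed
        self.entries = [parse_entry(s, 10 * (i + 1)) for i, s in enumerate(statements)]

    def show(self):
        """Lines in the shape 'do show access-list <number>' prints in the post."""
        return [f"Standard IP access list {self.number}"] + [e.text() for e in self.entries]

    def remove(self, seq: int) -> None:
        """'no <seq> ...' inside 'ip access-list standard <number>'."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.seq != seq]
        if len(self.entries) == before:
            raise KeyError(f"no entry with sequence number {seq}")

    def evaluate(self, src_ip: str) -> Tuple[str, Optional[int]]:
        """First matching entry wins; otherwise fall through to the implicit deny."""
        addr = int(ipaddress.IPv4Address(src_ip))
        for e in self.entries:
            if e.matches(addr):
                return e.action, e.seq
        return "deny", None        # the implicit 'deny any' at the end of every ACL

    def would_lock_out(self, admin_ip: str) -> bool:
        """Pre-check before 'ip access-group <number> in' on the interface your
        management session arrives on: would your own address be dropped?"""
        return self.evaluate(admin_ip)[0] == "deny"


if __name__ == "__main__":
    acl1 = StandardAcl(1, ["access-list 1 deny 172.16.5.2 0.0.0.0",
                           "access-list 1 deny 172.16.5.3 0.0.0.0",
                           "access-list 1 permit any"])
    acl5 = StandardAcl(5, ["permit 11.0.3.0 0.0.0.255", "permit 10.0.5.0 0.0.0.255"])
    for ip in ("172.16.5.2", "172.16.5.9"):
        print("acl 1", ip, acl1.evaluate(ip))
    print("acl 5 192.168.1.1", acl5.evaluate("192.168.1.1"))   # hits the implicit deny
    # 192.168.1.1 is a constructed management address, not from the post
    print("lockout risk if acl 5 is applied inbound:", acl5.would_lock_out("192.168.1.1"))
```

The lockout check is the practical takeaway: a list that only permits two networks, like access-list 5 above, silently denies everything else, including the address you are managing the router from, the moment "ip access-group 5 in" is entered on that interface.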
