Posts Tagged Candra Setiawan

CONFIGURING VLANS, STATIC ROUTING, DHCP AND NAT ON A CISCO 3560 LAYER 3 SWITCH

A Layer 3 switch (multilayer switch) is a switch that works at Layer 2 and also at Layer 3, where it can route. Its routing capabilities include routing between VLANs (based on 802.1Q encapsulation), static routing, and dynamic routing protocols such as Border Gateway Protocol (BGP), Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF) and Routing Information Protocol (RIP). This example walks through configuring VLANs on a Catalyst 3560 together with inter-VLAN routing, static routing, DHCP and NAT.

Scenario

VLAN ID   VLAN name   Subnet
2         Guest       192.168.0.0/24
3         Student     192.168.1.0/24
4         Lecture     192.168.2.0/24

Interface                       IP address
interface vlan 2                192.168.0.1/24
interface vlan 3                192.168.1.1/24
interface vlan 4                192.168.2.1/24
interface gigabitEthernet 0/1   222.124.194.2/27

Topology (diagram: layer-3-switch)

Create the VLAN database on the switch. The "vlan database" mode used here is the legacy method; on current IOS releases VLANs are created from global configuration mode with "vlan <id>" followed by "name <name>", as the hotspot post on this page does.

Switch>enable

Switch#vlan database

Switch(vlan)#vlan 2 name guest

VLAN 2 added:

Name: guest

Switch(vlan)#vlan 3 name student

VLAN 3 added:

Name: student

Switch(vlan)#vlan 4 name lecture

VLAN 4 added:

Name: lecture

Switch(vlan)#exit

APPLY completed.

Exiting….

Switch#

Enter global configuration mode and assign the ports to their VLANs.

Switch#configure terminal

Switch(config)#interface fastEthernet 0/1

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 2

Switch(config-if)#exit

Switch(config)#interface fastEthernet 0/2

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 2

Switch(config-if)#exit

Switch(config)#interface fastEthernet 0/3

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 3

Switch(config-if)#exit

Switch(config)#interface fastEthernet 0/4

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 3

Switch(config-if)#exit

Switch(config)#interface fastEthernet 0/5

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 4

Switch(config-if)#exit

Switch(config)#interface fastEthernet 0/6

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 4

Switch(config-if)#exit

Create the VLAN interfaces (SVIs) that act as the gateway for each VLAN. The interface number must match the VLAN ID it serves: interface vlan 2 is the gateway for VLAN 2, and so on for the other VLANs.

Switch(config)#interface vlan 2

Switch(config-if)#ip address 192.168.0.1 255.255.255.0

Switch(config-if)#no shutdown

Switch(config-if)#exit

Switch(config)#interface vlan 3

Switch(config-if)#ip address 192.168.1.1 255.255.255.0

Switch(config-if)#no shutdown

Switch(config-if)#exit

Switch(config)#interface vlan 4

Switch(config-if)#ip address 192.168.2.1 255.255.255.0

Switch(config-if)#no shutdown

Switch(config-if)#exit

To simplify address assignment to the hosts in each VLAN, configure a DHCP server on the switch; in this example 222.124.194.11 is used as the DNS server. If some addresses in a subnet are reserved for static hosts, exclude them with "ip dhcp excluded-address" before defining the pool.

Switch(config)#ip dhcp pool vlan2

Switch(dhcp-config)#default-router 192.168.0.1

Switch(dhcp-config)#dns-server 222.124.194.11

Switch(dhcp-config)#network 192.168.0.0 255.255.255.0

Switch(dhcp-config)#exit

Switch(config)#ip dhcp pool vlan3

Switch(dhcp-config)#default-router 192.168.1.1

Switch(dhcp-config)#dns-server 222.124.194.11

Switch(dhcp-config)#network 192.168.1.0 255.255.255.0

Switch(dhcp-config)#exit

Switch(config)#ip dhcp pool vlan4

Switch(dhcp-config)#default-router 192.168.2.1

Switch(dhcp-config)#dns-server 222.124.194.11

Switch(dhcp-config)#network 192.168.2.0 255.255.255.0

Switch(dhcp-config)#exit

Switch(config)#

Assign an IP address to interface gigabitEthernet 0/1 (any other interface can be used instead). Note the "no switchport" command: it turns the port into a routed (Layer 3) interface that can carry an IP address, just like a router interface. Without it the port remains a Layer 2 switch port. The mask is /27 (255.255.255.224), matching the scenario table and the ISP subnet.

Switch(config)#interface gigabitEthernet 0/1

Switch(config-if)#no switchport

Switch(config-if)#ip address 222.124.194.2 255.255.255.224

Switch(config-if)#no shutdown

Switch(config-if)#exit

Create a default route, the "gateway of last resort", for packets whose destination is not in the routing table, so that they are forwarded upstream instead of being discarded.

Switch(config)#ip route 0.0.0.0 0.0.0.0 222.124.194.1

Configure NAT so that the private addresses in the VLANs are translated to the public address: on interface gigabitEthernet 0/1 set NAT outside, then on each VLAN interface created earlier set NAT inside. (NAT support depends on the switch's software image; confirm that the "ip nat" commands are accepted on your platform before relying on this step.)

Switch(config)#interface gigabitEthernet 0/1

Switch(config-if)#ip nat outside

Switch(config-if)#exit

Switch(config)#interface vlan 2

Switch(config-if)#ip nat inside

Switch(config-if)#exit

Switch(config)#interface vlan 3

Switch(config-if)#ip nat inside

Switch(config-if)#exit

Switch(config)#interface vlan 4

Switch(config-if)#ip nat inside

Switch(config-if)#exit

Switch(config)#

Then create the NAT rule together with the access list that selects which source addresses are translated. The number after "list" in the NAT statement refers to the access list, so the two must use the same number: a NAT rule with "list 1" goes with "access-list 1". Permit only the inside VLAN subnets rather than "any"; a "permit any" list translates every source that enters an inside interface, including spoofed addresses.

Switch(config)#ip nat inside source list 1 interface gigabitEthernet 0/1 overload

Switch(config)#access-list 1 permit 192.168.0.0 0.0.0.255

Switch(config)#access-list 1 permit 192.168.1.0 0.0.0.255

Switch(config)#access-list 1 permit 192.168.2.0 0.0.0.255

Switch(config)#

Return to privileged mode and save the configuration.

Switch(config)#exit

Switch#copy running-config startup-config

Switch#
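The addressing, DHCP and NAT statements above are easy to mistype in ways that still load without any error message: a mask that does not match the ISP subnet, a DHCP default-router that lies outside its pool, a NAT access list that is never defined or that permits everything. The following Python script is added here and is not part of the original post. It re-types the statements from the walkthrough into a constructed configuration string, parses just those statements with a minimal parser, and reports inconsistencies using the standard ipaddress module. The /27 plan value and the interface name come from the scenario table; parse_config, audit, recommended_nat_acl and fixed_config are names chosen for this example.

```python
"""Consistency audit for the Catalyst 3560 walkthrough (added example, not from
the original post; CONFIG is re-typed for this example, not the page's own text)."""
import ipaddress
import re

# Constructed running-config excerpt. The uplink is typed with /24 and the ACL
# with 'permit any' on purpose, so that the audit has something to report.
CONFIG = """
interface Vlan2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
interface Vlan3
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Vlan4
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 222.124.194.2 255.255.255.0
 ip nat outside
ip dhcp pool vlan2
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
ip dhcp pool vlan3
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
ip dhcp pool vlan4
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit any
"""

PLAN_UPLINK = ipaddress.ip_interface("222.124.194.2/27")  # from the scenario table
UPLINK_IF = "GigabitEthernet0/1"
NAT_RE = re.compile(r"ip nat inside source list (\S+) interface (\S+)")


def parse_config(text):
    """Minimal parser for the IOS statements used in the walkthrough."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "nat": None}
    block = None  # the interface or DHCP pool block currently open
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        words = line.split()
        if words[0] == "interface":
            block = cfg["interfaces"].setdefault(words[1], {"addr": None, "nat": None})
        elif line.startswith("ip dhcp pool"):
            block = cfg["pools"].setdefault(words[3], {"network": None, "router": None})
        elif m := NAT_RE.match(line):
            cfg["nat"] = {"list": m.group(1), "outside_if": m.group(2)}
        elif words[0] == "access-list":
            cfg["acls"].setdefault(words[1], []).append(" ".join(words[2:]))
        elif block is not None and line.startswith("ip address"):
            block["addr"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif block is not None and line.startswith("ip nat"):
            block["nat"] = words[2]  # 'inside' or 'outside'
        elif block is not None and words[0] == "network":
            block["network"] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif block is not None and words[0] == "default-router":
            block["router"] = ipaddress.ip_address(words[1])
    return cfg


def audit(cfg, plan_uplink=PLAN_UPLINK, uplink_if=UPLINK_IF):
    """Return human-readable findings; an empty list means the config is consistent."""
    out = []
    svi = {i["addr"].ip for i in cfg["interfaces"].values() if i["addr"] is not None}
    for name, p in cfg["pools"].items():
        if p["network"] is None or p["router"] is None:
            out.append(f"pool {name}: missing network or default-router")
        elif p["router"] not in p["network"] or p["router"] not in svi:
            out.append(f"pool {name}: default-router {p['router']} is not an SVI in {p['network']}")
    up = cfg["interfaces"].get(uplink_if, {}).get("addr")
    if up is None or up.network != plan_uplink.network:
        out.append(f"{uplink_if}: configured {up}, plan says {plan_uplink}")
    nat = cfg["nat"]
    if nat is None:
        out.append("no 'ip nat inside source' statement")
    else:
        if cfg["interfaces"].get(nat["outside_if"], {}).get("nat") != "outside":
            out.append(f"{nat['outside_if']}: used by NAT but not marked 'ip nat outside'")
        entries = cfg["acls"].get(nat["list"], [])
        if not entries:
            out.append(f"access-list {nat['list']} referenced by NAT is not defined")
        elif "permit any" in entries:
            out.append(f"access-list {nat['list']} permits any source; restrict it to the inside subnets")
    return out


def recommended_nat_acl(cfg):
    """IOS lines for an ACL that only translates the subnets behind 'ip nat inside' SVIs."""
    nets = [i["addr"].network for i in cfg["interfaces"].values()
            if i["nat"] == "inside" and i["addr"] is not None]
    return [f"access-list {cfg['nat']['list']} permit {n.network_address} {n.hostmask}"
            for n in sorted(nets, key=lambda n: int(n.network_address))]


def fixed_config(text):
    """The same configuration with the uplink mask and the NAT ACL corrected."""
    acl = "\n".join(recommended_nat_acl(parse_config(text)))
    return (text.replace("222.124.194.2 255.255.255.0", "222.124.194.2 255.255.255.224")
                .replace("access-list 1 permit any", acl))
```

The constructed config keeps the /24 uplink mask and the "permit any" list, so audit(parse_config(CONFIG)) reports exactly those two findings; fixed_config applies the /27 mask and the per-subnet ACL, after which audit returns an empty list. Because the router posts on this page use the same statements (interfaces, DHCP pools, "ip nat inside source list", numbered access lists), the same parser can be pointed at those configurations as well.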

Download PDF: konfigurasi-layer-3-switch-cisco-3560


Separating the hotspot gateway using VLANs

Suppose we subscribe to two ISPs: ISP1 for stationary users and ISP2 for users on the hotspot.

TOPOLOGY (diagram: memisahkan-gateway-hotspot-dengan-vlan1)

The equipment in this topology is Cisco switches and Cisco routers. A few points to keep in mind about the configuration that follows: the trunks use VLAN 1, which is also the management VLAN, as the untagged native VLAN, whereas a dedicated unused native VLAN with management on its own VLAN is the safer arrangement; VTP in server/client mode with a shared password lets any switch that joins the domain with the same password and a higher configuration revision replace the VLAN database on every other switch, so use VTP transparent mode wherever that propagation is not wanted; and the vty lines here accept Telnet with a plaintext password, while "service password-encryption" only obscures passwords reversibly (type 7), so in production restrict the lines to SSH ("transport input ssh") and rely on "enable secret".

No  VLAN name    Network            First host         Last host          Broadcast
1   Management   192.168.1.0/28     192.168.1.1/28     192.168.1.14/28    192.168.1.15/28
2   Lecture      192.168.1.16/28    192.168.1.17/28    192.168.1.30/28    192.168.1.31/28
3   Staff        192.168.1.32/28    192.168.1.33/28    192.168.1.46/28    192.168.1.47/28
4   Guest        192.168.1.48/28    192.168.1.49/28    192.168.1.62/28    192.168.1.63/28
5   Student      192.168.1.64/28    192.168.1.65/28    192.168.1.78/28    192.168.1.79/28
6   Hotspot      192.168.1.80/28    192.168.1.81/28    192.168.1.94/28    192.168.1.95/28

SWITCH 1

Switch>enable
Switch#conf t
Switch(config)#hostname vtp-server

vtp-server(config)#interface vlan 1
vtp-server(config-if)#ip address 192.168.1.3 255.255.255.240
vtp-server(config-if)#no shutdown
vtp-server(config-if)#exit

vtp-server(config)#ip default-gateway 192.168.1.1

vtp-server(config)#vtp mode server
vtp-server(config)#vtp domain unsri
vtp-server(config)#vtp password unsri

vtp-server(config)#vlan 2
vtp-server(config-vlan)#name lecture
vtp-server(config-vlan)#exit

vtp-server(config)#vlan 3
vtp-server(config-vlan)#name staff
vtp-server(config-vlan)#exit

vtp-server(config)#vlan 4
vtp-server(config-vlan)#name guest
vtp-server(config-vlan)#exit

vtp-server(config)#vlan 5
vtp-server(config-vlan)#name student
vtp-server(config-vlan)#exit

vtp-server(config)#vlan 6
vtp-server(config-vlan)#name hotspot
vtp-server(config-vlan)#exit

vtp-server(config)#interface fastEthernet 0/1
vtp-server(config-if)#switchport mode trunk
vtp-server(config-if)#switchport trunk native vlan 1
vtp-server(config-if)#exit

vtp-server(config)#interface fastEthernet 0/2
vtp-server(config-if)#switchport mode trunk
vtp-server(config-if)#switchport trunk native vlan 1
vtp-server(config-if)#exit

vtp-server(config)#interface fastEthernet 0/4
vtp-server(config-if)#switchport mode trunk
vtp-server(config-if)#switchport trunk native vlan 1
vtp-server(config-if)#exit

vtp-server(config)#interface fastEthernet 0/3
vtp-server(config-if)#switchport mode trunk
vtp-server(config-if)#switchport trunk native vlan 1
vtp-server(config-if)#exit

vtp-server(config)#line vty 0 4
vtp-server(config-line)#password candraganteng
vtp-server(config-line)#login
vtp-server(config-line)#exit
vtp-server(config)#enable secret candragantengtenan
vtp-server(config)#exit
vtp-server#copy running-config startup-config
vtp-server#

SWITCH 2
Switch>enable
Switch#conf t
Switch(config)#hostname vtp-client1
vtp-client1(config)#vtp mode client
vtp-client1(config)#interface vlan 1
vtp-client1(config-if)#ip address 192.168.1.4 255.255.255.240
vtp-client1(config-if)#no shutdown
vtp-client1(config-if)#exit
vtp-client1(config)#ip default-gateway 192.168.1.1

vtp-client1(config)#line vty 0 4
vtp-client1(config-line)#password candraganteng
vtp-client1(config-line)#login
vtp-client1(config-line)#exit
vtp-client1(config)#enable secret candragantengtenan

vtp-client1(config)#vtp domain unsri
vtp-client1(config)#vtp password unsri

vtp-client1(config)#interface fastEthernet 0/1
vtp-client1(config-if)#switchport mode trunk
vtp-client1(config-if)#switchport trunk native vlan 1
vtp-client1(config-if)#exit
vtp-client1(config)#exit

vtp-client1#show vtp status
VTP Version                     : 2
Configuration Revision          : 11
Maximum VLANs supported locally : 255
Number of existing VLANs        : 10
VTP Operating Mode              : Client
VTP Domain Name                 : unsri
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x71 0x4B 0x63 0x34 0x6A 0xC2 0xEB 0x11
Configuration last modified by 192.168.1.2 at 3-1-93 00:21:42
vtp-client1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
2    lecture                          active
3    staff                            active
4    guest                            active
5    student                          active
6    hotspot                          active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
4    enet  100004     1500  -      -      -        -    -        0      0
5    enet  100005     1500  -      -      -        -    -        0      0
6    enet  100006     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

vtp-client1#conf t
vtp-client1(config)#interface fastEthernet 0/2
vtp-client1(config-if)#switchport mode access
vtp-client1(config-if)#switchport access vlan 6
vtp-client1(config-if)#exit
vtp-client1(config)#interface fastEthernet 0/3
vtp-client1(config-if)#switchport mode access
vtp-client1(config-if)#switchport access vlan 2
vtp-client1(config-if)#exit
vtp-client1(config)#interface fastEthernet 0/4
vtp-client1(config-if)#switchport mode access
vtp-client1(config-if)#switchport access vlan 3
vtp-client1(config-if)#exit
vtp-client1(config)#interface fastEthernet 0/5
vtp-client1(config-if)#switchport mode access
vtp-client1(config-if)#switchport access vlan 4
vtp-client1(config-if)#exit
vtp-client1(config)#interface fastEthernet 0/6
vtp-client1(config-if)#switchport mode access
vtp-client1(config-if)#switchport access vlan 5
vtp-client1(config-if)#exit
vtp-client1(config)#exit
vtp-client1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24
2    lecture                          active    Fa0/3
3    staff                            active    Fa0/4
4    guest                            active    Fa0/5
5    student                          active    Fa0/6
6    hotspot                          active    Fa0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
4    enet  100004     1500  -      -      -        -    -        0      0
5    enet  100005     1500  -      -      -        -    -        0      0
6    enet  100006     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

vtp-client1#copy run startup-config
Destination filename [startup-config]?
Building configuration…
[OK]
vtp-client1#
vtp-client1#

SWITCH 3
Switch>enable
Switch#conf t
Switch(config)#hostname vtp-client2
vtp-client2(config)#vtp mode client
vtp-client2(config)#vtp domain unsri
vtp-client2(config)#vtp password unsri
vtp-client2(config)#interface fastEthernet 0/1
vtp-client2(config-if)#switchport mode trunk
vtp-client2(config-if)#switchport trunk native vlan 1
vtp-client2(config)#interface vlan 1
vtp-client2(config-if)#ip address 192.168.1.5 255.255.255.240
vtp-client2(config-if)#no shutdown
vtp-client2(config-if)#exit
vtp-client2(config)#ip default-gateway 192.168.1.1
vtp-client2(config)#line vty 0 4
vtp-client2(config-line)#password candraganteng
vtp-client2(config-line)#login
vtp-client2(config-line)#exit
vtp-client2(config)#enable secret candragantengtenan
vtp-client2(config)#exit

vtp-client2#show vtp status
VTP Version                     : 2
Configuration Revision          : 11
Maximum VLANs supported locally : 255
Number of existing VLANs        : 10
VTP Operating Mode              : Client
VTP Domain Name                 : unsri
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x71 0x4B 0x63 0x34 0x6A 0xC2 0xEB 0x11
Configuration last modified by 192.168.1.2 at 3-1-93 00:21:42

vtp-client2#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
2    lecture                          active
3    staff                            active
4    guest                            active
5    student                          active
6    hotspot                          active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
4    enet  100004     1500  -      -      -        -    -        0      0
5    enet  100005     1500  -      -      -        -    -        0      0
6    enet  100006     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

vtp-client2#conf t
vtp-client2(config)#interface fastEthernet 0/2
vtp-client2(config-if)#switchport mode access
vtp-client2(config-if)#switchport access vlan 6
vtp-client2(config-if)#exit
vtp-client2(config)#interface fastEthernet 0/3
vtp-client2(config-if)#switchport mode access
vtp-client2(config-if)#switchport access vlan 2
vtp-client2(config-if)#exit
vtp-client2(config)#interface fastEthernet 0/4
vtp-client2(config-if)#switchport mode access
vtp-client2(config-if)#switchport access vlan 3
vtp-client2(config-if)#exit
vtp-client2(config)#interface fastEthernet 0/5
vtp-client2(config-if)#switchport mode access
vtp-client2(config-if)#switchport access vlan 4
vtp-client2(config-if)#exit
vtp-client2(config)#interface fastEthernet 0/6
vtp-client2(config-if)#switchport mode access
vtp-client2(config-if)#switchport access vlan 5
vtp-client2(config-if)#exit
vtp-client2(config)#exit

vtp-client2#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24
2    lecture                          active    Fa0/3
3    staff                            active    Fa0/4
4    guest                            active    Fa0/5
5    student                          active    Fa0/6
6    hotspot                          active    Fa0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
4    enet  100004     1500  -      -      -        -    -        0      0
5    enet  100005     1500  -      -      -        -    -        0      0
6    enet  100006     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
vtp-client2#
vtp-client2#

ROUTER 1
Router>enable
Router#conf t
Router(config)#hostname R1

R1(config)#line vty 0 4
R1(config-line)#password candraganteng
R1(config-line)#login
R1(config-line)#exit

R1(config)#enable secret candragantengtenan
R1(config)#service password-encryption

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 222.124.194.23 255.255.255.224
R1(config-if)#ip nat outside
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#ip route 0.0.0.0 0.0.0.0 222.124.194.1

R1(config)#interface fastEthernet 0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.240
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fastEthernet 0/1.2
R1(config-subif)#encapsulation dot1Q 2
R1(config-subif)#ip address 192.168.1.17 255.255.255.240
R1(config-subif)#ip nat inside
R1(config-subif)#exit

R1(config)#interface fastEthernet 0/1.3
R1(config-subif)#encapsulation dot1Q 3
R1(config-subif)#ip address 192.168.1.33 255.255.255.240
R1(config-subif)#ip nat inside
R1(config-subif)#exit

R1(config)#interface fastEthernet 0/1.4
R1(config-subif)#encapsulation dot1Q 4
R1(config-subif)#ip address 192.168.1.49 255.255.255.240
R1(config-subif)#ip nat inside
R1(config-subif)#exit

R1(config)#interface fastEthernet 0/1.5
R1(config-subif)#encapsulation dot1Q 5
R1(config-subif)#ip address 192.168.1.65 255.255.255.240
R1(config-subif)#ip nat inside
R1(config-subif)#exit

R1(config)#ip nat inside source list 1 interface fastEthernet 0/0 overload
R1(config)#access-list 1 permit 192.168.1.16 0.0.0.15
R1(config)#access-list 1 permit 192.168.1.32 0.0.0.15
R1(config)#access-list 1 permit 192.168.1.48 0.0.0.15
R1(config)#access-list 1 permit 192.168.1.64 0.0.0.15

R1(config)#ip dhcp pool vlan2
R1(dhcp-config)#default-router 192.168.1.17
R1(dhcp-config)#network 192.168.1.16 255.255.255.240
R1(dhcp-config)#dns-server 222.124.194.11
R1(dhcp-config)#exit

R1(config)#ip dhcp pool vlan3
R1(dhcp-config)#default-router 192.168.1.33
R1(dhcp-config)#network 192.168.1.32 255.255.255.240
R1(dhcp-config)#dns-server 222.124.194.11
R1(dhcp-config)#exit

R1(config)#ip dhcp pool vlan4
R1(dhcp-config)#default-router 192.168.1.49
R1(dhcp-config)#network 192.168.1.48 255.255.255.240
R1(dhcp-config)#dns-server 222.124.194.11
R1(dhcp-config)#exit

R1(config)#ip dhcp pool vlan5
R1(dhcp-config)#default-router 192.168.1.65
R1(dhcp-config)#network 192.168.1.64 255.255.255.240
R1(dhcp-config)#dns-server 222.124.194.11
R1(dhcp-config)#exit

R1(config)#router ospf 1
R1(config-router)#network 192.168.1.0 0.0.0.15 area 0
R1(config-router)#network 192.168.1.16 0.0.0.15 area 0
R1(config-router)#network 192.168.1.32 0.0.0.15 area 0
R1(config-router)#network 192.168.1.48 0.0.0.15 area 0
R1(config-router)#network 192.168.1.64 0.0.0.15 area 0

R1(config-router)#end

R1#copy running-config startup-config
R1#

ROUTER 2
Router>enable
Router#conf t
Router(config)#hostname R2
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 202.134.248.6 255.255.255.240
R2(config-if)#no shutdown
R2(config-if)#ip nat outside

R2(config)#interface fastEthernet 0/1
R2(config-if)#ip address 192.168.1.2 255.255.255.240
R2(config-if)#no shutdown

R2(config)#interface fastEthernet 0/1.6
R2(config-subif)#encapsulation dot1Q 6
R2(config-subif)#ip address 192.168.1.81 255.255.255.240
R2(config-subif)#ip nat inside
R2(config-subif)#exit

R2(config)#ip nat inside source list 1 interface fastEthernet 0/0 overload
R2(config)#access-list 1 permit 192.168.1.80 0.0.0.15
R2(config)#ip route 0.0.0.0 0.0.0.0 202.134.248.1

R2(config)#ip dhcp pool vlan6
R2(dhcp-config)#default-router 192.168.1.81
R2(dhcp-config)#network 192.168.1.80 255.255.255.240
R2(dhcp-config)#dns-server 202.134.248.9
R2(dhcp-config)#exit

R2(config)#line vty 0 4
R2(config-line)#password candraganteng
R2(config-line)#login
R2(config-line)#exit
R2(config)#enable secret candragantengtenan
R2(config)#service password-encryption
R2(config)#

R2(config)#router ospf 1
R2(config-router)#network 192.168.1.0 0.0.0.15 area 0
R2(config-router)#network 192.168.1.80 0.0.0.15 area 0
R2(config-router)#^Z
R2#

ROUTER 1
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 222.124.194.1 to network 0.0.0.0

192.168.1.0/28 is subnetted, 6 subnets
C       192.168.1.0 is directly connected, FastEthernet0/1
C       192.168.1.16 is directly connected, FastEthernet0/1.2
C       192.168.1.32 is directly connected, FastEthernet0/1.3
C       192.168.1.48 is directly connected, FastEthernet0/1.4
C       192.168.1.64 is directly connected, FastEthernet0/1.5
O       192.168.1.80 [110/2] via 192.168.1.2, 00:00:27, FastEthernet0/1
222.124.194.0/27 is subnetted, 1 subnets
C       222.124.194.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 222.124.194.1
R1#

ROUTER 2
R2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 202.134.248.1 to network 0.0.0.0

192.168.1.0/28 is subnetted, 6 subnets
C       192.168.1.0 is directly connected, FastEthernet0/1
O       192.168.1.16 [110/2] via 192.168.1.1, 00:00:44, FastEthernet0/1
O       192.168.1.32 [110/2] via 192.168.1.1, 00:00:34, FastEthernet0/1
O       192.168.1.48 [110/2] via 192.168.1.1, 00:00:34, FastEthernet0/1
O       192.168.1.64 [110/2] via 192.168.1.1, 00:00:24, FastEthernet0/1
C       192.168.1.80 is directly connected, FastEthernet0/1.6
202.134.248.0/28 is subnetted, 1 subnets
C       202.134.248.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 202.134.248.1
R2#
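Two things are worth verifying against the routing tables above: that hotspot traffic really leaves through ISP2 while everything else leaves through ISP1, and what the OSPF adjacency over VLAN 1 implies for traffic between the hotspot and the other VLANs. The Python script below is an added example, not part of the original post. It parses the two "show ip route" listings (re-typed here as constructed strings), performs longest-prefix-match lookups, and follows next hops between R1 and R2 using the VLAN 1 addresses from their configurations. 203.0.113.10 is a documentation address standing in for any Internet host; parse_show_ip_route, lookup, trace, ROUTERS and OWNER are names chosen for this example.

```python
"""Route lookups over the R1 and R2 tables shown above (added example, not from
the original post; the tables are re-typed from the show ip route output)."""
import ipaddress
import re
from collections import namedtuple

R1_ROUTES = """
Gateway of last resort is 222.124.194.1 to network 0.0.0.0
     192.168.1.0/28 is subnetted, 6 subnets
C       192.168.1.0 is directly connected, FastEthernet0/1
C       192.168.1.16 is directly connected, FastEthernet0/1.2
C       192.168.1.32 is directly connected, FastEthernet0/1.3
C       192.168.1.48 is directly connected, FastEthernet0/1.4
C       192.168.1.64 is directly connected, FastEthernet0/1.5
O       192.168.1.80 [110/2] via 192.168.1.2, 00:00:27, FastEthernet0/1
     222.124.194.0/27 is subnetted, 1 subnets
C       222.124.194.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 222.124.194.1
"""
R2_ROUTES = """
Gateway of last resort is 202.134.248.1 to network 0.0.0.0
     192.168.1.0/28 is subnetted, 6 subnets
C       192.168.1.0 is directly connected, FastEthernet0/1
O       192.168.1.16 [110/2] via 192.168.1.1, 00:00:44, FastEthernet0/1
O       192.168.1.32 [110/2] via 192.168.1.1, 00:00:34, FastEthernet0/1
O       192.168.1.48 [110/2] via 192.168.1.1, 00:00:34, FastEthernet0/1
O       192.168.1.64 [110/2] via 192.168.1.1, 00:00:24, FastEthernet0/1
C       192.168.1.80 is directly connected, FastEthernet0/1.6
     202.134.248.0/28 is subnetted, 1 subnets
C       202.134.248.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 202.134.248.1
"""

Route = namedtuple("Route", "code prefix next_hop iface")
SUBNETTED = re.compile(r"^\S+/(\d+) is subnetted")
ENTRY = re.compile(r"^([A-Z])\*?\s+(\S+)(?:\s+\[\d+/\d+\])?\s+"
                   r"(?:is directly connected, (\S+)|via ([^,\s]+))")


def parse_show_ip_route(text):
    """Turn IOS 'show ip route' output into Route tuples with explicit prefix lengths."""
    routes, plen = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SUBNETTED.match(line):
            plen = m.group(1)  # mask that applies to the indented entries that follow
        elif m := ENTRY.match(line):
            code, dest, iface, nh = m.groups()
            prefix = dest if "/" in dest else f"{dest}/{plen}"
            routes.append(Route(code, ipaddress.ip_network(prefix), nh, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; the /0 default only wins when nothing else matches."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


ROUTERS = {"R1": parse_show_ip_route(R1_ROUTES), "R2": parse_show_ip_route(R2_ROUTES)}
OWNER = {"192.168.1.1": "R1", "192.168.1.2": "R2"}  # VLAN 1 addresses from the configs


def trace(start, dst, max_hops=8):
    """Follow next hops between R1 and R2; stop at a connected interface or an ISP hop."""
    path, router = [], start
    for _ in range(max_hops):
        r = lookup(ROUTERS[router], dst)
        if r is None:
            path.append((router, None, "no route"))
            break
        path.append((router, str(r.prefix), r.next_hop or r.iface))
        if r.next_hop not in OWNER:
            break  # delivered locally, or handed to an ISP next hop we do not model
        router = OWNER[r.next_hop]
    return path
```

A hotspot host, whose default gateway 192.168.1.81 is on R2, reaches the Internet via 202.134.248.1, while a host in the stationary VLANs (gateway on R1) leaves via 222.124.194.1: that is the separation the post sets out to achieve. The same OSPF routes, however, also carry hotspot traffic into the Staff VLAN through R1's FastEthernet0/1.3, and nothing in either router's configuration filters it; if the hotspot is meant to be isolated from the internal VLANs, an access list on the sub-interfaces (or on R2's FastEthernet0/1.6) is still needed.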

Download PDF: memisahkan-gateway-hotspot-dengan-vlan


Principles of routing protocol redistribution

Redistribution is the mechanism by which the routes learned by one routing protocol are injected into another. With redistribution, a complete routing table for a topology can be built even when different parts of it run different routing protocols. The principle is that the router joining two networks with different routing protocols runs both, matching each of its interfaces to the protocol of the network it connects to: if F0/0 connects to a network using RIP, the router runs RIP there, and if F0/1 connects to a network using OSPF, it runs OSPF on that side. To pass the routes RIP has learned into OSPF, "redistribute rip" is configured under the OSPF process (with the "subnets" keyword so that classless routes are carried); conversely, to pass OSPF routes into RIP, "redistribute ospf" is configured under the RIP process (with a metric, since RIP cannot derive one from the OSPF cost). Redistribute selectively, with a route map or distribute list, rather than everything: unfiltered two-way redistribution advertises routes back into the protocol they came from and can turn a mistake in one domain into an outage in both.

The example below shows mutual redistribution between RIP and OSPF (diagram: rd-rip-ospf).


Brief comparison of Cisco and Vyatta commands

Modes:

Cisco prompt      Mode name                   Vyatta prompt       Mode name
Router>           User mode                   vyatta@vyatta:~$    Operational mode
Router#           Privileged mode             vyatta@vyatta#      Configuration mode
Router(config)#   Global configuration mode

----- VYATTA OPERATIONAL MODE COMMANDS -----

Cisco IOS                        Vyatta (operational mode)
ping                             ping
traceroute                       traceroute
show arp                         show arp
show ip ospf neighbor            show ip ospf neighbor
show ip ospf database            show ip ospf database
show ip ospf neighbor detail     show ip ospf neighbor detail
show ip ospf border-routers      show ip ospf border-routers
show ip route                    show ip route
show ip route bgp                show ip route bgp
show ip route ospf               show ip route ospf
show ip route connected          show ip route connected
show ip route rip                show ip route rip
show ip route static             show ip route static
show ip interface                show interfaces
show clock                       show host date
show ip dhcp binding             show dhcp leases
show ip dhcp server statistics   show dhcp statistics
show vrrp all                    show vrrp
show ip nat translations         show nat translations
show ip nat statistics           show nat statistics

----- VYATTA CONFIGURATION MODE COMMANDS -----

SAVE
  Cisco:  copy run start
  Vyatta: save

SHOW
  Cisco:  show running-config
  Vyatta: show

HELP
  Cisco:  ?
  Vyatta: ?

SET SERVICE
  Cisco:  ip http server
  Vyatta: set service https

  Cisco:  line vty 0 4 / password
  Vyatta: set service telnet

  Cisco:  crypto key generate rsa (only on some IOS versions)
  Vyatta: set service ssh

DHCP
  Cisco:
    ip dhcp pool mydhcp
     network 192.168.0.0 255.255.255.0
     default-router 192.168.0.1
     dns-server 192.168.100.1
    ip dhcp excluded-address 192.168.0.1 192.168.0.10
  Vyatta:
    set service dhcp-server shared-network-name mydhcp
    set service dhcp-server shared-network-name mydhcp subnet 192.168.0.0/24
    set service dhcp-server shared-network-name mydhcp subnet 192.168.0.0/24 default-router 192.168.0.1
    set service dhcp-server shared-network-name mydhcp subnet 192.168.0.0/24 dns-server 192.168.100.1
    set service dhcp-server shared-network-name mydhcp subnet 192.168.0.0/24 exclude 192.168.0.1
    set service dhcp-server shared-network-name mydhcp subnet 192.168.0.0/24 exclude 192.168.0.10
  Note: the Cisco excluded-address command excludes the whole range .1 to .10, whereas Vyatta's exclude takes single addresses; the Vyatta pool range is normally bounded with the subnet's start and stop parameters instead.

SET SYSTEM
  Cisco                        Vyatta
  ip domain-name               set system domain-name
  hostname                     set system host-name
  username ... password ...    set system login
  ntp server                   set system ntp-server
  ip name-server               set system name-server
  terminal monitor             set system syslog console
  clock timezone               set system time-zone
  logging                      set system syslog host
  logging facility             set system syslog host ... facility
  logging trap                 set system syslog host ... facility ... level ...

SET PROTOCOLS ...

INTERFACES
  Cisco:
    interface fastEthernet 0/0
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
     description LAN
     no shutdown
  Vyatta:
    set interfaces ethernet eth0 address 192.168.1.1/24
    set interfaces ethernet eth0 duplex auto
    set interfaces ethernet eth0 speed auto
    set interfaces ethernet eth0 description LAN

OSPF
  Cisco:
    router ospf 1
     network 192.168.1.0 0.0.0.255 area 1
     log-adjacency-changes
     router-id 192.168.1.1
  Vyatta:
    set protocols ospf area 1 network 192.168.1.0/24
    set protocols ospf log-adjacency-changes
    set protocols ospf parameters router-id 192.168.1.1

STATIC
  Cisco:  ip route 0.0.0.0 0.0.0.0 192.168.0.1
  Vyatta: set protocols static route 0.0.0.0/0 next-hop 192.168.0.1

RIP
  Cisco:
    router rip
     network 192.168.1.0
  Vyatta:
    set protocols rip network 192.168.1.0/24

SNMP
  Cisco                                  Vyatta
  snmp-server community ... ro|rw        set service snmp community ... authorization ro|rw
  snmp-server community ... ACL          set service snmp community ... client
  snmp-server location                   set service snmp location
  snmp-server contact                    set service snmp contact


Inter-VLAN routing with Vyatta

VLANs are built with dot1q encapsulation as defined in IEEE 802.1Q: the switch inserts a tag carrying the VLAN ID into the Ethernet frame header, and from that tag it determines which ports belong to the same VLAN as the frame. A frame is forwarded only to ports configured with the same VLAN ID and never to ports with a different one. This is how the LAN is segmented per switch port: a broadcast generated by one host is delivered only to ports in the same VLAN, which makes more efficient use of bandwidth. The result is what looks like many logical LANs that in physical terms share a single LAN.
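To make the tagging described above concrete, here is a Python example, added here and not taken from the original post, that builds Ethernet frames with 802.1Q tags, parses them back, and models how a switch classifies a received frame and which ports may receive it. The port table is constructed in the style of the access and trunk configurations elsewhere on this page; build_frame, parse_frame, ingress_vlan and egress_ports are names chosen for this example, and the rule that an access port drops tagged frames is a simplification (real switches vary in how they treat them).

```python
"""802.1Q tagging on the wire (added example, not from the original post).

A trunk port inserts TPID 0x8100 and a 16-bit TCI (3-bit PCP, 1-bit DEI,
12-bit VID) between the source MAC and the EtherType. The parser walks every
stacked tag, so a double-tagged frame is reported with both IDs, and the two
switch-model functions show how port VLAN membership turns that tag into the
per-VLAN forwarding described in the text."""
import struct

TPID_8021Q = 0x8100    # customer VLAN tag
TPID_8021AD = 0x88A8   # provider (QinQ) outer tag
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, vids=(), ethertype=ETHERTYPE_IPV4, pcp=0, dei=0):
    """Untagged frame when vids is empty, else one tag per VID, outermost first."""
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits and DEI is 1 bit")
    header = mac(dst) + mac(src)
    for vid in vids:
        if not 1 <= vid <= 4094:  # 0 and 4095 are reserved by the standard
            raise ValueError(f"VID {vid} is reserved")
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vid, ...], ethertype, payload); an empty list means untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    offset, vids = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if offset + 6 > len(frame):  # need TCI plus the EtherType that follows it
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)
        offset += 4
    return frame[0:6], frame[6:12], vids, etype, frame[offset + 2:]


# Constructed port table in the style of the access/trunk configs on this page.
PORTS = {
    "Fa0/1": {"mode": "access", "vlan": 2},
    "Fa0/2": {"mode": "access", "vlan": 2},
    "Fa0/3": {"mode": "access", "vlan": 3},
    "Fa0/24": {"mode": "trunk", "native": 1, "allowed": {1, 2, 3}},
}


def ingress_vlan(frame, port):
    """VLAN a received frame is classified into, or None if the port drops it."""
    vids = parse_frame(frame)[2]
    if port["mode"] == "access":
        return port["vlan"] if not vids else None  # simplification: access ports drop tagged frames
    if not vids:
        return port["native"]                      # untagged on a trunk = native VLAN
    return vids[0] if vids[0] in port["allowed"] else None


def egress_ports(vid, ports, ingress):
    """Ports (other than the one the frame arrived on) that carry the given VLAN."""
    def members(p):
        return {p["vlan"]} if p["mode"] == "access" else p["allowed"]
    return sorted(name for name, p in ports.items() if name != ingress and vid in members(p))
```

The parser keeps walking while the EtherType is 0x8100 or 0x88A8, so a frame carrying two tags is reported as [outer, inner] rather than silently treated as a member of the outer VLAN; that is the detail to keep in mind wherever trunks carry an untagged native VLAN, as the hotspot post on this page does with VLAN 1.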

The LANs separated by VLANs must have different network addresses, as basic networking requires, and whenever two or more different networks want to communicate, routing has to take place. On Cisco equipment, routing between VLANs can be done by the switch itself, provided the switch has routing capability, that is, a Layer 3 switch; some switches support only Layer 2 and others support Layer 3. In practical terms a Layer 3 switch is more convenient, since the VLANs and the routing between them are handled in one device so that the different VLANs can communicate, but in terms of cost a Layer 3 switch is more expensive than a Layer 2 switch.

Conversely, if we build the VLANs on a layer 2 switch, then to let the different VLANs communicate, in other words to route between VLANs, we need an additional device, a router, which in terms of cost means an extra investment in equipment. That raises the question of how to build a network that is both reliable and cost-efficient; at first glance the two seem to pull in opposite directions (as people in Palembang say, "ado rego ado barang": there is a price, there are the goods, or you get what you pay for).

In fact the two are not contradictory, as long as we understand the underlying principles (back to fundamentals, back to philosophy) and understand what is really going on, so that we know what to do. There is plenty of open-source software that supports dot1Q encapsulation; one of them is Vyatta (http://vyatta.org, thanks to Vyatta). Vyatta can be downloaded free of charge and does not need high-end hardware: in our experience Vyatta runs on a Pentium III with 128 MB of RAM, bought second-hand for under one million rupiah, and performs quite well (although, when you think about it, nothing is really cheap, because the knowledge is what is expensive: years of searching for it, glass after glass of coffee, cappuccino no less, pack after pack of cigarettes, Dji Sam Soe no less, so the investment can no longer be counted). In this case study a Catalyst 2960-24TT is used to build the VLANs and Vyatta version 5.0.2 does the inter-VLAN routing. For more detail, let's look at the topology below.

Topology

vlan-webserver-dan-database-server1

In this case study we will create 5 VLANs

  1. VLAN 2 labnetwork
  2. VLAN 3 labrobotika
  3. VLAN 4 labelektronika
  4. VLAN 100 webserver
  5. VLAN 101 databaseserver

VLAN 1 is not created because it exists by default; it will be used as the management VLAN.

Addressing scheme

  1. 192.168.1.0/24 for the management VLAN (VLAN 1)
  2. 192.168.2.0/24 for VLAN labnetwork
  3. 192.168.3.0/24 for VLAN labrobotika
  4. 192.168.4.0/24 for VLAN labelektronika
  5. 192.168.100.0/24 for VLAN webserver
  6. 192.168.101.0/24 for VLAN databaseserver

On the Cisco switch

Switch>enable

Switch#configure terminal

Switch(config)#interface range fastEthernet 0/1 - 24

Switch(config-if-range)#shutdown

Switch(config-if-range)#exit

Switch(config)#interface range gigabitEthernet 1/1 - 2

Switch(config-if-range)#shutdown

Switch(config-if-range)#exit

Switch(config)#exit

Switch#vlan database

Switch(vlan)#vtp server

Device mode already VTP SERVER.

Switch(vlan)#vtp domain unsri

Switch(vlan)#vtp password kayarayaselamanyamatimasuksurga

Switch(vlan)#vlan 2 name labnetwork

Switch(vlan)#vlan 3 name labrobotika

Switch(vlan)#vlan 4 name labelektronika

Switch(vlan)#vlan 100 name webserver

Switch(vlan)#vlan 101 name databaseserver

Switch(vlan)#exit

Switch#configure terminal

Switch(config)#hostname VLAN-UNSRI

VLAN-UNSRI(config)#interface vlan 1

VLAN-UNSRI(config-if)#ip address 192.168.1.1 255.255.255.0

VLAN-UNSRI(config-if)#no shutdown

VLAN-UNSRI(config-if)#exit

VLAN-UNSRI(config)#interface fastEthernet 0/1

VLAN-UNSRI(config-if)#switchport access vlan 2

VLAN-UNSRI(config-if)#no shutdown

VLAN-UNSRI(config-if)#exit

VLAN-UNSRI(config)#interface fastEthernet 0/2

VLAN-UNSRI(config-if)#switchport access vlan 2

VLAN-UNSRI(config-if)#no shutdown

VLAN-UNSRI(config-if)#exit

VLAN-UNSRI(config)#interface fastEthernet 0/3

VLAN-UNSRI(config-if)#switchport access vlan 3

VLAN-UNSRI(config-if)#no shutdown

VLAN-UNSRI(config-if)#exit

VLAN-UNSRI(config)#interface fastEthernet 0/4

VLAN-UNSRI(config-if)#switchport access vlan 3

VLAN-UNSRI(config-if)#no shutdown

VLAN-UNSRI(config-if)#exit

VLAN-UNSRI(config)#interface fastEthernet 0/5

VLAN-UNSRI(config-if)#switchport access vlan 4

VLAN-UNSRI(config-if)#no shutdown

VLAN-UNSRI(config-if)#exit

VLAN-UNSRI(config)#interface fastEthernet 0/6

VLAN-UNSRI(config-if)#switchport access vlan 4

VLAN-UNSRI(config-if)#no shutdown

VLAN-UNSRI(config-if)#exit

VLAN-UNSRI(config)#interface fastEthernet 0/23

VLAN-UNSRI(config-if)#switchport access vlan 100

VLAN-UNSRI(config-if)#no shutdown

VLAN-UNSRI(config-if)#exit

VLAN-UNSRI(config)#interface fastEthernet 0/24

VLAN-UNSRI(config-if)#switchport access vlan 101

VLAN-UNSRI(config-if)#no shutdown

VLAN-UNSRI(config)#interface gigabitEthernet 1/1

VLAN-UNSRI(config-if)#switchport mode trunk

VLAN-UNSRI(config-if)#switchport trunk native vlan 1

VLAN-UNSRI(config-if)#no shutdown

VLAN-UNSRI(config-if)#exit

VLAN-UNSRI(config)#exit

VLAN-UNSRI#copy running-config startup-config

VLAN-UNSRI#

VYATTA routerVLAN

vyatta@routerVLAN:~$

Enter configure mode

vyatta@routerVLAN:~$ configure

Set the address of eth2 itself, which carries the untagged (native VLAN 1) traffic of the management VLAN. Note that the switch's interface vlan 1 above was also given 192.168.1.1; one of the two addresses must be changed (for example the switch to 192.168.1.2) or the router and the switch will conflict on the management VLAN.

vyatta@routerVLAN# set interfaces ethernet eth2 address 192.168.1.1/24

Create VLAN interface (vif) 2 on eth2

vyatta@routerVLAN# set interfaces ethernet eth2 vif 2 address 192.168.2.1/24

Create VLAN interface 3 on eth2

vyatta@routerVLAN# set interfaces ethernet eth2 vif 3 address 192.168.3.1/24

Create VLAN interface 4 on eth2

vyatta@routerVLAN# set interfaces ethernet eth2 vif 4 address 192.168.4.1/24

Create VLAN interface 100 on eth2

vyatta@routerVLAN# set interfaces ethernet eth2 vif 100 address 192.168.100.1/24

Create VLAN interface 101 on eth2

vyatta@routerVLAN# set interfaces ethernet eth2 vif 101 address 192.168.101.1/24

Set up a DHCP server for each VLAN so that every computer automatically receives an address from the subnet of its own VLAN

DHCP for VLAN2

vyatta@routerVLAN# set service dhcp-server shared-network-name VLAN2 subnet 192.168.2.0/24 default-router 192.168.2.1

vyatta@routerVLAN# set service dhcp-server shared-network-name VLAN2 subnet 192.168.2.0/24 start 192.168.2.2 stop 192.168.2.254

vyatta@routerVLAN# set service dhcp-server shared-network-name VLAN2 subnet 192.168.2.0/24 dns-server 192.168.100.2

DHCP for VLAN3

vyatta@routerVLAN# set service dhcp-server shared-network-name VLAN3 subnet 192.168.3.0/24 default-router 192.168.3.1

vyatta@routerVLAN# set service dhcp-server shared-network-name VLAN3 subnet 192.168.3.0/24 start 192.168.3.2 stop 192.168.3.254

vyatta@routerVLAN# set service dhcp-server shared-network-name VLAN3 subnet 192.168.3.0/24 dns-server 192.168.100.2

DHCP for VLAN4

vyatta@routerVLAN# set service dhcp-server shared-network-name VLAN4 subnet 192.168.4.0/24 default-router 192.168.4.1

vyatta@routerVLAN# set service dhcp-server shared-network-name VLAN4 subnet 192.168.4.0/24 start 192.168.4.2 stop 192.168.4.254

vyatta@routerVLAN# set service dhcp-server shared-network-name VLAN4 subnet 192.168.4.0/24 dns-server 192.168.100.2
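A check for the pool definitions above, added here as an example (not the post's own code). Long `set service dhcp-server` lines are typed by hand and the CLI accepts a start address that belongs to a different VLAN's subnet without complaint; the script restates the three pools as data and flags exactly that class of slip, plus ranges that include the network or broadcast address and a default-router that would itself be leased out. `BAD_POOL` is a constructed example of the wrong-subnet mistake.

```python
"""Sanity check for the per-VLAN DHCP pools above.  Added example, not part of the
original post.  The three pools are restated as data and each is checked for the
mistakes that are easy to make when typing them by hand: a start or stop address
outside the pool's own subnet, a range that includes the network or broadcast address,
start after stop, and a default-router that the pool would also lease out."""
import ipaddress

# (subnet, default-router, start, stop, dns-server) for each shared-network-name.
POOLS = {
    "VLAN2": ("192.168.2.0/24", "192.168.2.1", "192.168.2.2", "192.168.2.254", "192.168.100.2"),
    "VLAN3": ("192.168.3.0/24", "192.168.3.1", "192.168.3.2", "192.168.3.254", "192.168.100.2"),
    "VLAN4": ("192.168.4.0/24", "192.168.4.1", "192.168.4.2", "192.168.4.254", "192.168.100.2"),
}
# Constructed slip: the VLAN3 pool with its start address typed in the VLAN2 subnet.
BAD_POOL = ("192.168.3.0/24", "192.168.3.1", "192.168.2.2", "192.168.3.254", "192.168.100.2")


def check_pool(subnet, router, start, stop, dns=None):
    """Return the list of problems found (empty when the pool is consistent)."""
    net = ipaddress.ip_network(subnet)
    router, start, stop = (ipaddress.ip_address(a) for a in (router, start, stop))
    problems = []
    if router not in net:
        problems.append(f"default-router {router} is not inside {net}")
    for label, addr in (("start", start), ("stop", stop)):
        if addr not in net:
            problems.append(f"{label} {addr} is not inside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
    if start in net and stop in net:          # range checks only make sense inside the subnet
        if start > stop:
            problems.append(f"start {start} is after stop {stop}")
        elif start <= router <= stop:
            problems.append(f"default-router {router} lies inside the lease range")
    if dns is not None:
        ipaddress.ip_address(dns)             # raises ValueError on a malformed dns-server
    return problems


def check_all(pools=POOLS):
    """Map pool name -> problems, listing only the pools that have any."""
    report = {}
    for name, params in pools.items():
        issues = check_pool(*params)
        if issues:
            report[name] = issues
    return report


if __name__ == "__main__":
    print("configured pools:", check_all() or "ok")
    print("constructed slip:", check_pool(*BAD_POOL))
```

Run it on the configured pools after every edit: a start address in the wrong subnet does not stop `commit`, it simply produces a pool that never hands out a lease.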

Set a firewall so that the database server can only be reached from the web server, and only on port 3306, the MySQL server port: rule 1 accepts TCP from the web server (192.168.100.2) to the database server (192.168.101.2) on port 3306, and rule 2 drops everything else addressed to the database server. A named rule set filters nothing until it is attached to an interface, so it still has to be applied to vif 101 in the out direction (traffic leaving the router towards the database-server VLAN).

vyatta@routerVLAN# set firewall name dbsafe rule 1 description to-database-server

vyatta@routerVLAN# set firewall name dbsafe rule 1 destination address 192.168.101.2

vyatta@routerVLAN# set firewall name dbsafe rule 1 destination port 3306

vyatta@routerVLAN# set firewall name dbsafe rule 1 source address 192.168.100.2

vyatta@routerVLAN# set firewall name dbsafe rule 1 protocol tcp

vyatta@routerVLAN# set firewall name dbsafe rule 1 action accept

vyatta@routerVLAN# set firewall name dbsafe rule 2 description to-database-server

vyatta@routerVLAN# set firewall name dbsafe rule 2 destination address 192.168.101.2

vyatta@routerVLAN# set firewall name dbsafe rule 2 source address 0.0.0.0/0

vyatta@routerVLAN# set firewall name dbsafe rule 2 protocol all

vyatta@routerVLAN# set firewall name dbsafe rule 2 action drop

vyatta@routerVLAN# commit

vyatta@routerVLAN# save
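A model of the `dbsafe` rule set, added here as an example and not the post's own code. It reads `set firewall name ...` lines with the same overwrite semantics as the Vyatta CLI (setting a single-valued leaf such as `action` twice keeps the last value) and evaluates a packet the way the rule set does: rules in number order, first match wins, implicit default of drop. It then compares the intended rules with the same lines typed with the last two against rule 1 instead of rule 2, an easy slip that the CLI accepts silently and that turns the accept rule into a drop rule for the web server itself. The packets are constructed for the demonstration, and the rule-set semantics are this model's reading of the CLI, not code from Vyatta.

```python
"""Model of the named rule-set 'dbsafe' configured above.  Added example, not the
post's own code.  parse_ruleset() reads 'set firewall name ...' lines with the same
overwrite semantics as the Vyatta CLI (setting a single-valued leaf such as 'action'
twice keeps the last value); evaluate() walks the rules in number order, first match
wins, and falls back to the rule-set's implicit default of drop.  The packets are
constructed for the demonstration."""
import ipaddress

INTENDED = """
set firewall name dbsafe rule 1 description to-database-server
set firewall name dbsafe rule 1 destination address 192.168.101.2
set firewall name dbsafe rule 1 destination port 3306
set firewall name dbsafe rule 1 source address 192.168.100.2
set firewall name dbsafe rule 1 protocol tcp
set firewall name dbsafe rule 1 action accept
set firewall name dbsafe rule 2 description to-database-server
set firewall name dbsafe rule 2 destination address 192.168.101.2
set firewall name dbsafe rule 2 source address 0.0.0.0/0
set firewall name dbsafe rule 2 protocol all
set firewall name dbsafe rule 2 action drop
"""
# The same lines with the last two typed against rule 1 instead of rule 2: an easy slip,
# accepted silently because the CLI just overwrites rule 1's protocol and action.
SLIP = INTENDED.replace("rule 2 protocol all", "rule 1 protocol all") \
               .replace("rule 2 action drop", "rule 1 action drop")


def parse_ruleset(text, name="dbsafe"):
    """Return {rule_number: {('destination', 'address'): '192.168.101.2', ('action',): 'accept', ...}}."""
    rules = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 8 or tok[:5] != ["set", "firewall", "name", name, "rule"]:
            continue
        *path, value = tok[6:]
        rules.setdefault(int(tok[5]), {})[tuple(path)] = value   # later 'set' overwrites earlier
    return rules


def _addr_match(spec, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """pkt = {'src', 'dst', 'proto', 'dport'}; only criteria present in the rule are tested."""
    proto = rule.get(("protocol",), "all")
    if proto != "all" and proto != pkt["proto"]:
        return False
    if ("source", "address") in rule and not _addr_match(rule[("source", "address")], pkt["src"]):
        return False
    if ("destination", "address") in rule and not _addr_match(rule[("destination", "address")], pkt["dst"]):
        return False
    if ("destination", "port") in rule and int(rule[("destination", "port")]) != pkt["dport"]:
        return False
    return True


def evaluate(rules, pkt):
    """Action of the first matching rule; a rule without an action is skipped in this model;
    no match at all means the rule-set's implicit default action, drop."""
    for num in sorted(rules):
        if ("action",) in rules[num] and rule_matches(rules[num], pkt):
            return rules[num][("action",)]
    return "drop"


WEB_TO_DB = {"src": "192.168.100.2", "dst": "192.168.101.2", "proto": "tcp", "dport": 3306}
LAB_TO_DB = {"src": "192.168.2.57", "dst": "192.168.101.2", "proto": "tcp", "dport": 3306}
WEB_TO_DB_SSH = {"src": "192.168.100.2", "dst": "192.168.101.2", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    for label, text in (("intended", INTENDED), ("slip", SLIP)):
        rules = parse_ruleset(text)
        print(label, [evaluate(rules, p) for p in (WEB_TO_DB, LAB_TO_DB, WEB_TO_DB_SSH)])
```

Before relying on the rule set, also attach it to the VLAN interface; on Vyatta VC5 that is `set interfaces ethernet eth2 vif 101 firewall out name dbsafe` (stated here as the step the listing above leaves out), then `show firewall name dbsafe` after a test connection should show the accept counter rising only for rule 1.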

This design can be implemented in an office with many departments and many users.


IBGP-EBGP-RIP-OSPF-Default Routing-NAT using Vyatta

skema-bgp-rip-ospf-default-routing-static-routing1

Addressing Scheme

No. | Hosts needed | Subnet          | First host   | Last host    | Broadcast    | Usable hosts
----+--------------+-----------------+--------------+--------------+--------------+-------------
 1  | 254          | 172.16.0.0/24   | 172.16.0.1   | 172.16.0.254 | 172.16.0.255 | 254
 2  | 126          | 172.16.1.0/25   | 172.16.1.1   | 172.16.1.126 | 172.16.1.127 | 126
 3  | 60           | 172.16.1.128/26 | 172.16.1.129 | 172.16.1.190 | 172.16.1.191 | 62
 4  | 30           | 172.16.1.192/27 | 172.16.1.193 | 172.16.1.222 | 172.16.1.223 | 30
 5  | 2            | 172.16.1.224/30 | 172.16.1.225 | 172.16.1.226 | 172.16.1.227 | 2
 6  | 2            | 172.16.1.228/30 | 172.16.1.229 | 172.16.1.230 | 172.16.1.231 | 2
 7  | 2            | 172.16.1.232/30 | 172.16.1.233 | 172.16.1.234 | 172.16.1.235 | 2
 8  | 2            | 172.16.1.236/30 | 172.16.1.237 | 172.16.1.238 | 172.16.1.239 | 2
 9  | 2            | 172.16.1.240/30 | 172.16.1.241 | 172.16.1.242 | 172.16.1.243 | 2
10  | 2            | 172.16.1.244/30 | 172.16.1.245 | 172.16.1.246 | 172.16.1.247 | 2
11  | 2            | 172.16.1.248/30 | 172.16.1.249 | 172.16.1.250 | 172.16.1.251 | 2
12  | 2            | 172.16.1.252/30 | 172.16.1.253 | 172.16.1.254 | 172.16.1.255 | 2
13  | 2            | 172.16.2.0/30   | 172.16.2.1   | 172.16.2.2   | 172.16.2.3   | 2
14  | 2            | 172.16.2.4/30   | 172.16.2.5   | 172.16.2.6   | 172.16.2.7   | 2
15  | 2            | 172.16.2.8/30   | 172.16.2.9   | 172.16.2.10  | 172.16.2.11  | 2
16  | 2            | 172.16.2.12/30  | 172.16.2.13  | 172.16.2.14  | 172.16.2.15  | 2
17  | 2            | 172.16.2.16/30  | 172.16.2.17  | 172.16.2.18  | 172.16.2.19  | 2
18  | 2            | 172.16.2.20/30  | 172.16.2.21  | 172.16.2.22  | 172.16.2.23  | 2
19  | 2            | 172.16.2.24/30  | 172.16.2.25  | 172.16.2.26  | 172.16.2.27  | 2
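The addressing scheme above follows from the host counts alone, and the derivation is worth automating so that a scheme can be re-cut when a requirement changes. The following is an added example, not from the original post: it serves the requirements largest first (VLSM), gives each the smallest power-of-two block with at least need+2 addresses (network and broadcast), and lays the blocks out back to back from 172.16.0.0, which reproduces the 19 rows of the table.

```python
"""Derive the addressing scheme in the table above from the host counts.  Added
example, not from the original post.  Requirements are served largest first, each
gets the smallest power-of-two block with at least need+2 addresses (network and
broadcast), and blocks are laid out back to back from 172.16.0.0, which reproduces
the 19 rows above."""
import ipaddress

HOST_NEEDS = [254, 126, 60, 30] + [2] * 15      # rows 1-19 of the table
BASE = ipaddress.ip_address("172.16.0.0")


def prefix_for(hosts):
    """Prefix length of the smallest subnet with at least `hosts` usable addresses."""
    size = 4                                    # a /30 is the smallest block with 2 usable hosts
    while size - 2 < hosts:
        size *= 2
    return 32 - (size.bit_length() - 1)


def allocate(needs=HOST_NEEDS, base=BASE):
    """One row per requirement: (network, first host, last host, broadcast, usable hosts)."""
    rows = []
    cursor = int(base)
    for hosts in sorted(needs, reverse=True):  # biggest blocks first keeps every block aligned
        plen = prefix_for(hosts)
        size = 2 ** (32 - plen)
        cursor = (cursor + size - 1) // size * size     # round up to the block boundary
        net = ipaddress.IPv4Network((cursor, plen))
        rows.append((str(net), str(net.network_address + 1), str(net.broadcast_address - 1),
                     str(net.broadcast_address), net.num_addresses - 2))
        cursor += size
    return rows


def overlaps(rows):
    """Pairs of allocated networks that overlap (should be empty for a valid scheme)."""
    nets = [ipaddress.ip_network(r[0]) for r in rows]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    for n, row in enumerate(allocate(), 1):
        print(f"{n:2d}  {row[0]:16} {row[1]:13} {row[2]:13} {row[3]:13} {row[4]}")
    print("overlaps:", overlaps(allocate()))
```

Serving the requirements in descending order is what keeps every block aligned to its own size; allocating the /30 links first and the /24 afterwards would leave gaps or force a misaligned, invalid /24.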

On Cisco Router

Router>

Enter privileged mode

Router>enable

Enter global configuration mode

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Set the hostname

Router(config)#hostname NetworkLab-Unsri

Enter interface fastEthernet 0/1

NetworkLab-Unsri(config)#interface fastEthernet 0/1

Set the IP address on interface fastEthernet 0/1

NetworkLab-Unsri(config-if)#ip address 202.146.180.228 255.255.255.248

Mark interface fastEthernet 0/1 as NAT outside

NetworkLab-Unsri(config-if)#ip nat outside

Bring interface fastEthernet 0/1 up

NetworkLab-Unsri(config-if)#no shutdown

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

Leave fastEthernet 0/1

NetworkLab-Unsri(config-if)#exit

Enter interface fastEthernet 0/0

NetworkLab-Unsri(config)#interface fastEthernet 0/0

Set the IP address on interface fastEthernet 0/0

NetworkLab-Unsri(config-if)#ip address 192.168.5.1 255.255.255.0

Mark interface fastEthernet 0/0 as NAT inside

NetworkLab-Unsri(config-if)#ip nat inside

Bring interface fastEthernet 0/0 up

NetworkLab-Unsri(config-if)#no shutdown

Leave fastEthernet 0/0

NetworkLab-Unsri(config-if)#exit

Set NAT overload (PAT) so that every packet entering fastEthernet 0/0 and leaving fastEthernet 0/1 is translated to the public address 202.146.180.228

NetworkLab-Unsri(config)#ip nat inside source list 1 interface fastEthernet 0/1 overload

Set the access list that selects which source addresses are translated; here every source is permitted (in production the list should name only the internal networks)

NetworkLab-Unsri(config)#access-list 1 permit any

Set the default route. Pointing it at the Ethernet interface instead of a next-hop address relies on the upstream router answering proxy ARP for every destination; naming the ISP's next-hop address is the more robust form.

NetworkLab-Unsri(config)#ip route 0.0.0.0 0.0.0.0 fastEthernet 0/1

Set the RIP routing protocol

NetworkLab-Unsri(config)#router rip

NetworkLab-Unsri(config-router)#network 192.168.5.0

Make RIP advertise the default route created above, so that a packet addressed to a destination that is not in a router's routing table is not discarded but forwarded through fastEthernet 0/1 on the Cisco router

NetworkLab-Unsri(config-router)#default-information originate

Press Ctrl+Z to return directly to privileged mode

NetworkLab-Unsri(config-router)#^Z

%SYS-5-CONFIG_I: Configured from console by console

Save the configuration

NetworkLab-Unsri#copy run startup-config

Destination filename [startup-config]?

Building configuration…

[OK]

NetworkLab-Unsri#
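What `ip nat inside source list 1 interface fastEthernet 0/1 overload` builds at run time is a translation table keyed by inside address, port and protocol. The following model is an added example, not from the original post and not Cisco code: a packet entering on the inside interface whose source is permitted by access-list 1 is rewritten to the outside address with a fresh source port, the mapping is remembered, and a reply is rewritten back only if a mapping exists. The outside address and the permit-any list follow the listing; the packets and port numbers are constructed.

```python
"""Model of the 'NAT overload' (PAT) set up by the two commands above.  Added example,
not from the original post.  A packet that enters on the 'ip nat inside' interface and
whose source matches access-list 1 is rewritten to the 'ip nat outside' address with a
fresh source port, and the mapping is kept so that the reply can be rewritten back.
The addresses and the permit-any list follow the listing; packets are constructed."""
import ipaddress

OUTSIDE_ADDR = "202.146.180.228"     # address of fastEthernet 0/1, the overload address
ACL_1 = ["0.0.0.0/0"]                # 'access-list 1 permit any'


class PatTable:
    def __init__(self, outside_addr=OUTSIDE_ADDR, acl=ACL_1, first_port=1024):
        self.outside = outside_addr
        self.acl = [ipaddress.ip_network(a) for a in acl]
        self.next_port = first_port
        self.inside_to_out = {}      # (inside ip, inside port, proto) -> outside port
        self.out_to_inside = {}      # (outside port, proto) -> (inside ip, inside port)

    def permitted(self, src):
        """The access list decides which sources are translated at all."""
        return any(ipaddress.ip_address(src) in net for net in self.acl)

    def outbound(self, pkt):
        """Packet from inside to outside.  Returns the translated packet, or the packet
        unchanged when its source is not permitted by the list (it is then routed as-is,
        and the ISP will drop the private source address)."""
        if not self.permitted(pkt["src"]):
            return dict(pkt)
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        if key not in self.inside_to_out:
            port = self.next_port            # a distinct outside port per inside (ip, port)
            self.next_port += 1              # is what lets many hosts share one address
            self.inside_to_out[key] = port
            self.out_to_inside[(port, pkt["proto"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.outside, sport=self.inside_to_out[key])

    def inbound(self, pkt):
        """Reply arriving on the outside interface.  None when no mapping exists, which is
        what happens to unsolicited packets aimed at the public address."""
        entry = self.out_to_inside.get((pkt["dport"], pkt["proto"]))
        if entry is None or pkt["dst"] != self.outside:
            return None
        inside_ip, inside_port = entry
        return dict(pkt, dst=inside_ip, dport=inside_port)


if __name__ == "__main__":
    nat = PatTable()
    out = nat.outbound({"src": "192.168.5.13", "sport": 40000, "dst": "198.51.100.7",
                        "dport": 53, "proto": "udp"})
    print(out)
    print(nat.inbound({"src": "198.51.100.7", "sport": 53, "dst": OUTSIDE_ADDR,
                       "dport": out["sport"], "proto": "udp"}))
```

Because access-list 1 permits any source, every inside network is translated, including the 172.16.x.x and 10.0.0.0/24 ranges that arrive through RIP; a production list would enumerate those internal networks so that nothing unexpected is ever translated out of the public address.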

On R1 Vyatta

Enter configure mode

vyatta@R1:~$ configure

[edit]

Set the hostname

vyatta@R1# set system host-name R1

[edit]

Set the IP addresses on the interfaces

vyatta@R1# set interfaces ethernet eth0 address 192.168.5.13/24

[edit]

vyatta@R1# set interfaces ethernet eth1 address 172.16.2.22/30

[edit]

vyatta@R1# set interfaces loopback lo address 172.16.2.25/30

[edit]

Enable SSH so the router can be managed remotely (allowing root login over SSH, as here, is a lab shortcut; in production leave allow-root off and log in as an ordinary administrative user)

vyatta@R1# set service ssh allow-root true

[edit]

vyatta@R1# set service ssh port 22

[edit]

Set the RIP routing protocol

vyatta@R1# set protocols rip network 192.168.5.0/24

[edit]

vyatta@R1# set protocols rip network 172.16.2.20/30

[edit]

vyatta@R1# set protocols rip network 172.16.2.24/30

[edit]

Activate the configuration

vyatta@R1# commit

[edit]

Save the configuration

vyatta@R1# save

Saving configuration to ‘/opt/vyatta/etc/config/config.boot’…

Done

[edit]

vyatta@R1#

On R2 Vyatta

Enter configure mode

vyatta@R2:~$ configure

[edit]

Set the hostname on R2

vyatta@R2# set system host-name R2

[edit]

Set the IP addresses on the interfaces

vyatta@R2# set interfaces ethernet eth0 address 172.16.2.21/30

[edit]

vyatta@R2# set interfaces ethernet eth1 address 172.16.2.14/30

[edit]

vyatta@R2# set interfaces ethernet eth2 address 172.16.1.225/30

[edit]

vyatta@R2# set interfaces ethernet eth3 address 172.16.1.229/30

[edit]

vyatta@R2# set interfaces loopback lo address 172.16.2.17/30

[edit]

Set the RIP routing protocol

vyatta@R2# set protocols rip network 172.16.1.224/30

[edit]

vyatta@R2# set protocols rip network 172.16.1.228/30

[edit]

vyatta@R2# set protocols rip network 172.16.2.20/30

[edit]

Redistribute BGP into RIP

vyatta@R2# set protocols rip redistribute bgp

[edit]

vyatta@R2#

Set the BGP routing protocol as interior BGP (R5 is in the same AS 1)

vyatta@R2# set protocols bgp 1 network 172.16.2.12/30

[edit]

vyatta@R2# set protocols bgp 1 network 172.16.2.16/30

[edit]

vyatta@R2# set protocols bgp 1 neighbor 172.16.2.13 remote-as 1

[edit]

vyatta@R2# set protocols bgp 1 neighbor 172.16.2.13 nexthop-self

[edit]

Redistribute RIP into BGP. Two-way redistribution between RIP and BGP, as done here, is fine in a small lab; in a production network it should be filtered (route maps or prefix lists) so that routes are not fed back from one protocol into the other.

vyatta@R2# set protocols bgp 1 redistribute rip

[edit]

Activate the configuration

vyatta@R2# commit

[edit]

Save the configuration

vyatta@R2# save

Saving configuration to ‘/opt/vyatta/etc/config/config.boot’…

Done

[edit]

vyatta@R2#

On R3 Vyatta

Enter configure mode

vyatta@R3:~$ configure

[edit]

Set the hostname

vyatta@R3# set system host-name R3

[edit]

Set the IP addresses on the interfaces

vyatta@R3# set interfaces ethernet eth0 address 172.16.1.193/27

[edit]

vyatta@R3# set interfaces ethernet eth1 address 172.16.1.226/30

[edit]

Enable SSH

vyatta@R3# set service ssh allow-root true

[edit]

vyatta@R3# set service ssh port 22

[edit]

Set the RIP routing protocol

vyatta@R3# set protocols rip network 172.16.1.192/27

[edit]

vyatta@R3# set protocols rip network 172.16.1.224/30

[edit]

Set eth0 (the host LAN) as a passive interface, so no RIP updates are sent towards the hosts

vyatta@R3# set protocols rip passive-interface eth0

[edit]

Activate the configuration

vyatta@R3# commit

[edit]

Save the configuration

vyatta@R3# save

Saving configuration to ‘/opt/vyatta/etc/config/config.boot’…

Done

[edit]

vyatta@R3#

On R4 Vyatta

vyatta@R4:~$ configure

[edit]

vyatta@R4# set system host-name R4

[edit]

vyatta@R4# set interfaces ethernet eth0 address 172.16.1.129/26

[edit]

vyatta@R4# set interfaces ethernet eth1 address 172.16.1.230/30

[edit]

vyatta@R4# set service ssh allow-root true

[edit]

vyatta@R4# set service ssh port 22

[edit]

vyatta@R4# set protocols rip network 172.16.1.128/26

[edit]

vyatta@R4# set protocols rip network 172.16.1.228/30

[edit]

vyatta@R4# set protocols rip passive-interface eth0

[edit]

vyatta@R4# commit

[edit]

vyatta@R4# save

Saving configuration to ‘/opt/vyatta/etc/config/config.boot’…

Done

[edit]

vyatta@R4#

On R5 Vyatta

Enter configure mode

vyatta@R5:~$ configure

[edit]

Set the hostname

vyatta@R5# set system host-name R5

[edit]

Set the IP addresses on the interfaces

vyatta@R5# set interfaces ethernet eth0 address 172.16.2.13/30

[edit]

vyatta@R5# set interfaces ethernet eth1 address 172.16.2.5/30

[edit]

vyatta@R5# set interfaces loopback lo address 172.16.2.9/30

[edit]

Set the BGP routing protocol (AS 1) and the networks it announces

vyatta@R5# set protocols bgp 1 network 172.16.2.4/30

[edit]

vyatta@R5# set protocols bgp 1 network 172.16.2.8/30

[edit]

vyatta@R5# set protocols bgp 1 network 172.16.2.12/30

[edit]

vyatta@R5#

IBGP (R2, same AS 1)

vyatta@R5# set protocols bgp 1 neighbor 172.16.2.14 remote-as 1

[edit]

vyatta@R5# set protocols bgp 1 neighbor 172.16.2.14 nexthop-self

[edit]

EBGP (R6, AS 2)

vyatta@R5# set protocols bgp 1 neighbor 172.16.2.6 remote-as 2

[edit]

vyatta@R5# set protocols bgp 1 neighbor 172.16.2.6 nexthop-self

[edit]

Activate the configuration

vyatta@R5# commit

[edit]

Save the configuration

vyatta@R5# save

Saving configuration to ‘/opt/vyatta/etc/config/config.boot’…

Done

[edit]

vyatta@R5#

On R6 Vyatta

Enter configure mode

vyatta@R6:~$ configure

[edit]

Set the hostname

vyatta@R6# set system host-name R6

[edit]

Set the IP addresses on the interfaces

vyatta@R6# set interfaces ethernet eth0 address 172.16.2.6/30

[edit]

vyatta@R6# set interfaces ethernet eth1 address 172.16.1.253/30

[edit]

vyatta@R6# set interfaces loopback lo address 172.16.2.1/30

[edit]

Enable SSH

vyatta@R6# set service ssh allow-root true

[edit]

vyatta@R6# set service ssh port 22

[edit]

Set the BGP routing protocol (AS 2) and the networks it announces

vyatta@R6# set protocols bgp 2 network 172.16.1.252/30

[edit]

vyatta@R6# set protocols bgp 2 network 172.16.2.0/30

[edit]

vyatta@R6# set protocols bgp 2 network 172.16.2.4/30

[edit]

Set the interior BGP session (R7, same AS 2)

vyatta@R6# set protocols bgp 2 neighbor 172.16.1.254 remote-as 2

[edit]

vyatta@R6# set protocols bgp 2 neighbor 172.16.1.254 nexthop-self

[edit]

Set the exterior BGP session (R5, AS 1)

vyatta@R6# set protocols bgp 2 neighbor 172.16.2.5 remote-as 1

[edit]

vyatta@R6# set protocols bgp 2 neighbor 172.16.2.5 nexthop-self

[edit]

Activate the configuration

vyatta@R6# commit

[edit]

Save the configuration

vyatta@R6# save

Saving configuration to ‘/opt/vyatta/etc/config/config.boot’…

Done

[edit]

vyatta@R6#

On R7 Vyatta

Enter configure mode

vyatta@R7:~$ configure

[edit]

Set the hostname

vyatta@R7# set system host-name R7

[edit]

Enable SSH

vyatta@R7# set service ssh allow-root true

[edit]

vyatta@R7# set service ssh port 22

[edit]

Set the IP addresses on the interfaces

vyatta@R7# set interfaces ethernet eth0 address 172.16.1.254/30

[edit]

vyatta@R7# set interfaces ethernet eth1 address 172.16.1.245/30

[edit]

vyatta@R7# set interfaces ethernet eth2 address 172.16.1.233/30

[edit]

vyatta@R7# set interfaces ethernet eth3 address 172.16.1.237/30

[edit]

Set the OSPF routing protocol

vyatta@R7# set protocols ospf area 0 network 172.16.1.232/30

[edit]

vyatta@R7# set protocols ospf area 0 network 172.16.1.236/30

[edit]

vyatta@R7# set protocols ospf area 0 network 172.16.1.244/30

[edit]

Redistribute BGP into OSPF

vyatta@R7# set protocols ospf redistribute bgp

[edit]

Set BGP (AS 2) and the networks it announces

vyatta@R7# set protocols bgp 2 network 172.16.1.248/30

[edit]

vyatta@R7# set protocols bgp 2 network 172.16.1.252/30

[edit]

Set the interior BGP session (R6, same AS 2)

vyatta@R7# set protocols bgp 2 neighbor 172.16.1.253 remote-as 2

[edit]

vyatta@R7# set protocols bgp 2 neighbor 172.16.1.253 nexthop-self

[edit]

Redistribute OSPF into BGP (two-way redistribution like this should be filtered outside a lab, so that routes are not fed back between the two protocols)

vyatta@R7# set protocols bgp 2 redistribute ospf

[edit]

Redistribute connected networks into BGP

vyatta@R7# set protocols bgp 2 redistribute connected

[edit]

Activate the configuration

vyatta@R7# commit

[edit]

Save the configuration

vyatta@R7# save

Saving configuration to ‘/opt/vyatta/etc/config/config.boot’…

Done

[edit]

vyatta@R7#

On R8 Vyatta

Enter configure mode

vyatta@R8:~$ configure

[edit]

Set the hostname

vyatta@R8# set system host-name R8

[edit]

Set the IP addresses on the interfaces

vyatta@R8# set interfaces ethernet eth0 address 172.16.1.1/25

[edit]

vyatta@R8# set interfaces ethernet eth1 address 172.16.1.234/30

[edit]

Enable SSH

vyatta@R8# set service ssh allow-root true

[edit]

vyatta@R8# set service ssh port 22

[edit]

Set the OSPF routing protocol

vyatta@R8# set protocols ospf area 0 network 172.16.1.0/25

[edit]

vyatta@R8# set protocols ospf area 0 network 172.16.1.232/30

[edit]

Set eth0 as a passive interface

vyatta@R8# set protocols ospf passive-interface eth0

[edit]

Activate the configuration

vyatta@R8# commit

No configuration changes to commit

[edit]

Save the configuration

vyatta@R8# save

Saving configuration to ‘/opt/vyatta/etc/config/config.boot’…

Done

[edit]

vyatta@R8#

On R9 Vyatta

Enter configure mode

vyatta@vyatta:~$ configure

[edit]

Set the hostname

vyatta@R9# set system host-name R9

[edit]

Set the IP addresses on the interfaces

vyatta@R9# set interfaces ethernet eth0 address 172.16.0.1/24

[edit]

vyatta@R9# set interfaces ethernet eth1 address 172.16.1.238/30

[edit]

Enable SSH

vyatta@R9# set service ssh allow-root true

[edit]

vyatta@R9# set service ssh port 22

[edit]

Set the OSPF routing protocol

vyatta@R9# set protocols ospf area 0 network 172.16.0.0/24

[edit]

vyatta@R9# set protocols ospf area 0 network 172.16.1.236/30

[edit]

Set eth0 as a passive interface

vyatta@R9# set protocols ospf passive-interface eth0

[edit]

Activate the configuration

vyatta@R9# commit

[edit]

Save the configuration

vyatta@R9# save

Saving configuration to ‘/opt/vyatta/etc/config/config.boot’…

Done

[edit]

vyatta@R9#

On R10 Vyatta

Enter configure mode

vyatta@R10:~$ configure

[edit]

Set the hostname

vyatta@R10# set system host-name R10

[edit]

Set the IP addresses on the interfaces

vyatta@R10# set interfaces ethernet eth0 address 172.16.1.246/30

[edit]

vyatta@R10# set interfaces ethernet eth1 address 10.0.0.1/24

[edit]

vyatta@R10# set interfaces loopback lo address 172.16.1.241/30

[edit]

Enable SSH

vyatta@R10# set service ssh allow-root true

[edit]

vyatta@R10# set service ssh port 22

[edit]

Set the OSPF routing protocol

vyatta@R10# set protocols ospf area 0 network 172.16.1.240/30

[edit]

vyatta@R10# set protocols ospf area 0 network 172.16.1.244/30

[edit]

vyatta@R10# set protocols ospf area 0 network 10.0.0.0/24

[edit]

Set eth1 as a passive interface

vyatta@R10# set protocols ospf passive-interface eth1

[edit]

Activate the configuration

vyatta@R10# commit

[edit]

Save the configuration

vyatta@R10# save

Saving configuration to ‘/opt/vyatta/etc/config/config.boot’…

Done

[edit]

vyatta@R10#

Viewing the routing tables

Once every router has been configured we can view the routing table that has formed on each of them by running the command show ip route
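The tables that follow are Quagga output, and two details in them repay a closer look: the number before the slash in `[AD/metric]` is the administrative distance (connected 0, static 1, eBGP 20, OSPF 110, RIP 120, iBGP 200), which is what lets you tell an eBGP-learned route from an iBGP-learned one on R2, R5, R6 and R7; and R10's loopback shows up everywhere as 172.16.1.241/32 rather than /30 because OSPF advertises loopback interfaces as host routes. The following parser is an added example, not from the original post: it turns lines in this format into records, flags any route whose distance does not fit its protocol code, and lists prefixes from the addressing scheme that are missing from the FIB. `SAMPLE` is a constructed excerpt in the same format, with one deliberately inconsistent line at the end.

```python
"""Parser and consistency check for Quagga-style 'show ip route' output like the tables
below.  Added example, not from the original post.  Each line becomes a record; the
[AD/metric] field is checked against the protocol code in column one (Quagga defaults:
connected 0, static 1, eBGP 20, OSPF 110, RIP 120, iBGP 200), and prefixes from the
addressing scheme that are absent from the FIB are listed.  SAMPLE is a constructed
excerpt in the same format with one deliberately inconsistent line at the end."""
import re

ROUTE_RE = re.compile(
    r"^(?P<code>[KCSRIOB])(?P<selected>>?)(?P<fib>\*?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?\s+"
    r"(?:via (?P<nexthop>[\d.]+), (?P<iface>\w+)|is directly connected, (?P<diface>\w+))"
)
EXPECTED_AD = {"C": {0}, "S": {1}, "R": {120}, "O": {110}, "B": {20, 200}}


def parse_table(text):
    """List of route records; header lines and the prompt do not match and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        routes.append({
            "code": d["code"], "prefix": d["prefix"],
            "selected": d["selected"] == ">", "in_fib": d["fib"] == "*",
            "ad": int(d["ad"]) if d["ad"] else 0,
            "metric": int(d["metric"]) if d["metric"] else 0,
            "nexthop": d["nexthop"], "iface": d["iface"] or d["diface"],
        })
    return routes


def bgp_kind(route):
    """For a B route the distance tells the peer type: 20 learned via eBGP, 200 via iBGP."""
    if route["code"] != "B":
        return None
    return {20: "eBGP", 200: "iBGP"}.get(route["ad"])


def ad_anomalies(routes):
    """Routes whose administrative distance does not fit their protocol code."""
    return [r for r in routes if r["ad"] not in EXPECTED_AD.get(r["code"], {r["ad"]})]


def missing_prefixes(routes, expected):
    """Prefixes that should be reachable but have no FIB entry in this table."""
    present = {r["prefix"] for r in routes if r["in_fib"]}
    return sorted(set(expected) - present)


SAMPLE = """\
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route
B>* 10.0.0.0/24 [20/0] via 172.16.2.6, eth1, 01:23:21
C>* 127.0.0.0/8 is directly connected, lo
B>* 172.16.1.128/26 [200/2] via 172.16.2.14, eth0, 01:50:46
B>* 172.16.1.241/32 [20/0] via 172.16.2.6, eth1, 00:05:50
O 172.16.1.244/30 [110/10] is directly connected, eth1, 01:28:10
C>* 172.16.2.4/30 is directly connected, eth1
R>* 192.168.5.0/24 [110/2] via 172.16.2.14, eth0, 01:36:36
"""

if __name__ == "__main__":
    table = parse_table(SAMPLE)
    for r in table:
        print(r["code"], r["prefix"], r["ad"], bgp_kind(r) or "")
    print("anomalies:", [r["prefix"] for r in ad_anomalies(table)])
```

Feed it the full tables below (or `show ip route` captured from each router) together with the 19 subnets of the addressing scheme plus 192.168.5.0/24 and 10.0.0.0/24, and `missing_prefixes` gives a per-router reachability check without pinging anything.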

Routing table on R1 (Vyatta)

vyatta@R1:~$ show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,

I - ISIS, B - BGP, > - selected route, * - FIB route

R>* 10.0.0.0/24 [120/2] via 172.16.2.21, eth1, 01:25:14

C>* 127.0.0.0/8 is directly connected, lo

R>* 172.16.0.0/24 [120/2] via 172.16.2.21, eth1, 01:25:13

R>* 172.16.1.0/25 [120/2] via 172.16.2.21, eth1, 01:25:13

R>* 172.16.1.128/26 [120/3] via 172.16.2.21, eth1, 01:54:17

R>* 172.16.1.192/27 [120/3] via 172.16.2.21, eth1, 01:55:49

R>* 172.16.1.224/30 [120/2] via 172.16.2.21, eth1, 01:57:11

R>* 172.16.1.228/30 [120/2] via 172.16.2.21, eth1, 01:57:11

R>* 172.16.1.232/30 [120/2] via 172.16.2.21, eth1, 01:20:14

R>* 172.16.1.236/30 [120/2] via 172.16.2.21, eth1, 01:20:10

R>* 172.16.1.241/32 [120/2] via 172.16.2.21, eth1, 00:07:43

R>* 172.16.1.244/30 [120/2] via 172.16.2.21, eth1, 01:20:10

R>* 172.16.1.248/30 [120/2] via 172.16.2.21, eth1, 01:33:15

R>* 172.16.1.252/30 [120/2] via 172.16.2.21, eth1, 01:50:41

R>* 172.16.2.0/30 [120/2] via 172.16.2.21, eth1, 01:50:39

R>* 172.16.2.4/30 [120/2] via 172.16.2.21, eth1, 01:52:31

R>* 172.16.2.8/30 [120/2] via 172.16.2.21, eth1, 01:52:28

R>* 172.16.2.12/30 [120/2] via 172.16.2.21, eth1, 01:57:11

R>* 172.16.2.16/30 [120/2] via 172.16.2.21, eth1, 01:57:11

C>* 172.16.2.20/30 is directly connected, eth1

C>* 172.16.2.24/30 is directly connected, lo

C>* 192.168.5.0/24 is directly connected, eth0

vyatta@R1:~$

Routing table on R2 (Vyatta)

vyatta@R2:~$ show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,

I - ISIS, B - BGP, > - selected route, * - FIB route

B>* 10.0.0.0/24 [200/0] via 172.16.2.13, eth1, 01:24:56

C>* 127.0.0.0/8 is directly connected, lo

B>* 172.16.0.0/24 [200/0] via 172.16.2.13, eth1, 01:24:56

B>* 172.16.1.0/25 [200/0] via 172.16.2.13, eth1, 01:24:56

R>* 172.16.1.128/26 [120/2] via 172.16.1.230, eth3, 01:54:00

R>* 172.16.1.192/27 [120/2] via 172.16.1.226, eth2, 01:55:32

C>* 172.16.1.224/30 is directly connected, eth2

C>* 172.16.1.228/30 is directly connected, eth3

B>* 172.16.1.232/30 [200/0] via 172.16.2.13, eth1, 01:19:55

B>* 172.16.1.236/30 [200/0] via 172.16.2.13, eth1, 01:19:55

B>* 172.16.1.241/32 [200/0] via 172.16.2.13, eth1, 00:07:21

B>* 172.16.1.244/30 [200/0] via 172.16.2.13, eth1, 01:19:55

B>* 172.16.1.248/30 [200/0] via 172.16.2.13, eth1, 01:32:57

B>* 172.16.1.252/30 [200/1] via 172.16.2.13, eth1, 01:50:23

B>* 172.16.2.0/30 [200/1] via 172.16.2.13, eth1, 01:50:23

B>* 172.16.2.4/30 [200/1] via 172.16.2.13, eth1, 01:52:13

B>* 172.16.2.8/30 [200/1] via 172.16.2.13, eth1, 01:52:13

C>* 172.16.2.12/30 is directly connected, eth1

C>* 172.16.2.16/30 is directly connected, lo

C>* 172.16.2.20/30 is directly connected, eth0

R>* 172.16.2.24/30 [120/2] via 172.16.2.22, eth0, 01:56:55

R>* 192.168.5.0/24 [120/2] via 172.16.2.22, eth0, 01:38:16

vyatta@R2:~$

Routing table on R3 (Vyatta)

vyatta@R3:~$ show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,

I - ISIS, B - BGP, > - selected route, * - FIB route

R>* 10.0.0.0/24 [120/2] via 172.16.1.225, eth1, 01:24:20

C>* 127.0.0.0/8 is directly connected, lo

R>* 172.16.0.0/24 [120/2] via 172.16.1.225, eth1, 01:24:19

R>* 172.16.1.0/25 [120/2] via 172.16.1.225, eth1, 01:24:19

R>* 172.16.1.128/26 [120/3] via 172.16.1.225, eth1, 01:53:23

C>* 172.16.1.192/27 is directly connected, eth0

C>* 172.16.1.224/30 is directly connected, eth1

R>* 172.16.1.228/30 [120/2] via 172.16.1.225, eth1, 01:54:55

R>* 172.16.1.232/30 [120/2] via 172.16.1.225, eth1, 01:19:20

R>* 172.16.1.236/30 [120/2] via 172.16.1.225, eth1, 01:19:16

R>* 172.16.1.241/32 [120/2] via 172.16.1.225, eth1, 00:06:49

R>* 172.16.1.244/30 [120/2] via 172.16.1.225, eth1, 01:19:16

R>* 172.16.1.248/30 [120/2] via 172.16.1.225, eth1, 01:32:21

R>* 172.16.1.252/30 [120/2] via 172.16.1.225, eth1, 01:49:47

R>* 172.16.2.0/30 [120/2] via 172.16.1.225, eth1, 01:49:45

R>* 172.16.2.4/30 [120/2] via 172.16.1.225, eth1, 01:51:37

R>* 172.16.2.8/30 [120/2] via 172.16.1.225, eth1, 01:51:34

R>* 172.16.2.12/30 [120/2] via 172.16.1.225, eth1, 01:54:55

R>* 172.16.2.16/30 [120/2] via 172.16.1.225, eth1, 01:54:55

R>* 172.16.2.20/30 [120/2] via 172.16.1.225, eth1, 01:54:55

R>* 172.16.2.24/30 [120/3] via 172.16.1.225, eth1, 01:54:55

C>* 192.168.1.96/28 is directly connected, lo

R>* 192.168.5.0/24 [120/3] via 172.16.1.225, eth1, 01:37:40

vyatta@R3:~$

Routing table on R4 (Vyatta)

vyatta@R4:~$ show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,

I - ISIS, B - BGP, > - selected route, * - FIB route

R>* 10.0.0.0/24 [120/2] via 172.16.1.229, eth1, 01:23:51

C>* 127.0.0.0/8 is directly connected, lo

R>* 172.16.0.0/24 [120/2] via 172.16.1.229, eth1, 01:23:50

R>* 172.16.1.0/25 [120/2] via 172.16.1.229, eth1, 01:23:50

C>* 172.16.1.128/26 is directly connected, eth0

R>* 172.16.1.192/27 [120/3] via 172.16.1.229, eth1, 01:52:54

R>* 172.16.1.224/30 [120/2] via 172.16.1.229, eth1, 01:52:54

C>* 172.16.1.228/30 is directly connected, eth1

R>* 172.16.1.232/30 [120/2] via 172.16.1.229, eth1, 01:18:51

R>* 172.16.1.236/30 [120/2] via 172.16.1.229, eth1, 01:18:47

R>* 172.16.1.241/32 [120/2] via 172.16.1.229, eth1, 00:06:20

R>* 172.16.1.244/30 [120/2] via 172.16.1.229, eth1, 01:18:47

R>* 172.16.1.248/30 [120/2] via 172.16.1.229, eth1, 01:31:52

R>* 172.16.1.252/30 [120/2] via 172.16.1.229, eth1, 01:49:18

R>* 172.16.2.0/30 [120/2] via 172.16.1.229, eth1, 01:49:16

R>* 172.16.2.4/30 [120/2] via 172.16.1.229, eth1, 01:51:08

R>* 172.16.2.8/30 [120/2] via 172.16.1.229, eth1, 01:51:05

R>* 172.16.2.12/30 [120/2] via 172.16.1.229, eth1, 01:52:54

R>* 172.16.2.16/30 [120/2] via 172.16.1.229, eth1, 01:52:54

R>* 172.16.2.20/30 [120/2] via 172.16.1.229, eth1, 01:52:54

R>* 172.16.2.24/30 [120/3] via 172.16.1.229, eth1, 01:52:54

C>* 192.168.1.16/28 is directly connected, lo

R>* 192.168.5.0/24 [120/3] via 172.16.1.229, eth1, 01:37:11

vyatta@R4:~$

Routing table on R5 (Vyatta)

vyatta@R5:~$ show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,

I - ISIS, B - BGP, > - selected route, * - FIB route

B>* 10.0.0.0/24 [20/0] via 172.16.2.6, eth1, 01:23:21

C>* 127.0.0.0/8 is directly connected, lo

B>* 172.16.0.0/24 [20/0] via 172.16.2.6, eth1, 01:23:21

B>* 172.16.1.0/25 [20/0] via 172.16.2.6, eth1, 01:23:21

B>* 172.16.1.128/26 [200/2] via 172.16.2.14, eth0, 01:50:46

B>* 172.16.1.192/27 [200/2] via 172.16.2.14, eth0, 01:50:46

B>* 172.16.1.224/30 [200/1] via 172.16.2.14, eth0, 01:50:46

B>* 172.16.1.228/30 [200/1] via 172.16.2.14, eth0, 01:50:46

B>* 172.16.1.232/30 [20/0] via 172.16.2.6, eth1, 01:18:21

B>* 172.16.1.236/30 [20/0] via 172.16.2.6, eth1, 01:18:21

B>* 172.16.1.241/32 [20/0] via 172.16.2.6, eth1, 00:05:50

B>* 172.16.1.244/30 [20/0] via 172.16.2.6, eth1, 01:18:21

B>* 172.16.1.248/30 [20/0] via 172.16.2.6, eth1, 01:31:21

B>* 172.16.1.252/30 [20/1] via 172.16.2.6, eth1, 01:48:51

B>* 172.16.2.0/30 [20/1] via 172.16.2.6, eth1, 01:48:51

C>* 172.16.2.4/30 is directly connected, eth1

C>* 172.16.2.8/30 is directly connected, lo

C>* 172.16.2.12/30 is directly connected, eth0

B>* 172.16.2.16/30 [200/1] via 172.16.2.14, eth0, 01:50:46

B>* 172.16.2.20/30 [200/1] via 172.16.2.14, eth0, 01:50:46

B>* 172.16.2.24/30 [200/2] via 172.16.2.14, eth0, 01:50:46

B>* 192.168.5.0/24 [200/2] via 172.16.2.14, eth0, 01:36:36

vyatta@R5:~$

Routing table on R6 (Vyatta)

vyatta@R6:~$ show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,

I - ISIS, B - BGP, > - selected route, * - FIB route

B>* 10.0.0.0/24 [200/20] via 172.16.1.254, eth1, 01:23:05

C>* 127.0.0.0/8 is directly connected, lo

B>* 172.16.0.0/24 [200/20] via 172.16.1.254, eth1, 01:23:05

B>* 172.16.1.0/25 [200/20] via 172.16.1.254, eth1, 01:23:05

B>* 172.16.1.128/26 [20/0] via 172.16.2.5, eth0, 01:48:53

B>* 172.16.1.192/27 [20/0] via 172.16.2.5, eth0, 01:48:53

B>* 172.16.1.224/30 [20/0] via 172.16.2.5, eth0, 01:48:53

B>* 172.16.1.228/30 [20/0] via 172.16.2.5, eth0, 01:48:53

B>* 172.16.1.232/30 [200/1] via 172.16.1.254, eth1, 01:18:04

B>* 172.16.1.236/30 [200/1] via 172.16.1.254, eth1, 01:18:04

B>* 172.16.1.241/32 [200/20] via 172.16.1.254, eth1, 00:05:24

B>* 172.16.1.244/30 [200/1] via 172.16.1.254, eth1, 01:18:04

B>* 172.16.1.248/30 [200/1] via 172.16.1.254, eth1, 01:31:20

C>* 172.16.1.252/30 is directly connected, eth1

C>* 172.16.2.0/30 is directly connected, lo

C>* 172.16.2.4/30 is directly connected, eth0

B>* 172.16.2.8/30 [20/1] via 172.16.2.5, eth0, 01:48:53

B>* 172.16.2.12/30 [20/1] via 172.16.2.5, eth0, 01:48:53

B>* 172.16.2.16/30 [20/0] via 172.16.2.5, eth0, 01:48:53

B>* 172.16.2.20/30 [20/0] via 172.16.2.5, eth0, 01:48:53

B>* 172.16.2.24/30 [20/0] via 172.16.2.5, eth0, 01:48:53

B>* 192.168.5.0/24 [20/0] via 172.16.2.5, eth0, 01:35:53

vyatta@R6:~$

Routing table on R7 (Vyatta)

vyatta@R7:~$ show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,

I - ISIS, B - BGP, > - selected route, * - FIB route

O>* 10.0.0.0/24 [110/20] via 172.16.1.246, eth1, 01:27:59

C>* 127.0.0.0/8 is directly connected, lo

O>* 172.16.0.0/24 [110/20] via 172.16.1.238, eth3, 01:27:59

O>* 172.16.1.0/25 [110/20] via 172.16.1.234, eth2, 01:27:58

B>* 172.16.1.128/26 [200/0] via 172.16.1.253, eth0, 01:30:34

B>* 172.16.1.192/27 [200/0] via 172.16.1.253, eth0, 01:30:34

B>* 172.16.1.224/30 [200/0] via 172.16.1.253, eth0, 01:30:34

B>* 172.16.1.228/30 [200/0] via 172.16.1.253, eth0, 01:30:34

O 172.16.1.232/30 [110/10] is directly connected, eth2, 01:28:05

C>* 172.16.1.232/30 is directly connected, eth2

O 172.16.1.236/30 [110/10] is directly connected, eth3, 01:28:05

C>* 172.16.1.236/30 is directly connected, eth3

O>* 172.16.1.241/32 [110/20] via 172.16.1.246, eth1, 00:04:41

O 172.16.1.244/30 [110/10] is directly connected, eth1, 01:28:10

C>* 172.16.1.244/30 is directly connected, eth1

C>* 172.16.1.248/30 is directly connected, lo

C>* 172.16.1.252/30 is directly connected, eth0

B>* 172.16.2.0/30 [200/1] via 172.16.1.253, eth0, 01:30:34

B>* 172.16.2.4/30 [200/1] via 172.16.1.253, eth0, 01:30:34

B>* 172.16.2.8/30 [200/1] via 172.16.1.253, eth0, 01:30:34

B>* 172.16.2.12/30 [200/1] via 172.16.1.253, eth0, 01:30:34

B>* 172.16.2.16/30 [200/0] via 172.16.1.253, eth0, 01:30:34

B>* 172.16.2.20/30 [200/0] via 172.16.1.253, eth0, 01:30:34

B>* 172.16.2.24/30 [200/0] via 172.16.1.253, eth0, 01:30:34

B>* 192.168.5.0/24 [200/0] via 172.16.1.253, eth0, 01:30:34

vyatta@R7:~$

Routing table on R8 (Vyatta)

vyatta@R8:~$ show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,

I - ISIS, B - BGP, > - selected route, * - FIB route

O>* 10.0.0.0/24 [110/30] via 172.16.1.233, eth1, 01:27:31

C>* 127.0.0.0/8 is directly connected, lo

O>* 172.16.0.0/24 [110/30] via 172.16.1.233, eth1, 01:27:31

O 172.16.1.0/25 [110/10] is directly connected, eth0, 01:44:46

C>* 172.16.1.0/25 is directly connected, eth0

O>* 172.16.1.128/26 [110/20] via 172.16.1.233, eth1, 01:23:22

O>* 172.16.1.192/27 [110/20] via 172.16.1.233, eth1, 01:23:22

O>* 172.16.1.224/30 [110/20] via 172.16.1.233, eth1, 01:23:22

O>* 172.16.1.228/30 [110/20] via 172.16.1.233, eth1, 01:23:22

O 172.16.1.232/30 [110/10] is directly connected, eth1, 01:44:41

C>* 172.16.1.232/30 is directly connected, eth1

O>* 172.16.1.236/30 [110/20] via 172.16.1.233, eth1, 01:27:37

O>* 172.16.1.241/32 [110/30] via 172.16.1.233, eth1, 00:04:14

O>* 172.16.1.244/30 [110/20] via 172.16.1.233, eth1, 01:27:37

O>* 172.16.2.0/30 [110/20] via 172.16.1.233, eth1, 01:23:22

O>* 172.16.2.4/30 [110/20] via 172.16.1.233, eth1, 01:23:22

O>* 172.16.2.8/30 [110/20] via 172.16.1.233, eth1, 01:23:22

O>* 172.16.2.12/30 [110/20] via 172.16.1.233, eth1, 01:23:22

O>* 172.16.2.16/30 [110/20] via 172.16.1.233, eth1, 01:23:22

O>* 172.16.2.20/30 [110/20] via 172.16.1.233, eth1, 01:23:22

O>* 172.16.2.24/30 [110/20] via 172.16.1.233, eth1, 01:23:22

O>* 192.168.5.0/24 [110/20] via 172.16.1.233, eth1, 01:23:22

vyatta@R8:~$

Routing table on R9 (Vyatta)

vyatta@R9:~$ show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,

I - ISIS, B - BGP, > - selected route, * - FIB route

O>* 10.0.0.0/24 [110/30] via 172.16.1.237, eth1, 01:25:48

C>* 127.0.0.0/8 is directly connected, lo

O 172.16.0.0/24 [110/10] is directly connected, eth0, 01:40:57

C>* 172.16.0.0/24 is directly connected, eth0

O>* 172.16.1.0/25 [110/30] via 172.16.1.237, eth1, 01:25:47

O>* 172.16.1.128/26 [110/20] via 172.16.1.237, eth1, 01:21:40

O>* 172.16.1.192/27 [110/20] via 172.16.1.237, eth1, 01:21:40

O>* 172.16.1.224/30 [110/20] via 172.16.1.237, eth1, 01:21:40

O>* 172.16.1.228/30 [110/20] via 172.16.1.237, eth1, 01:21:40

O>* 172.16.1.232/30 [110/20] via 172.16.1.237, eth1, 01:25:54

O 172.16.1.236/30 [110/10] is directly connected, eth1, 01:40:52

C>* 172.16.1.236/30 is directly connected, eth1

O>* 172.16.1.241/32 [110/30] via 172.16.1.237, eth1, 00:02:31

O>* 172.16.1.244/30 [110/20] via 172.16.1.237, eth1, 01:25:54

O>* 172.16.2.0/30 [110/20] via 172.16.1.237, eth1, 01:21:40

O>* 172.16.2.4/30 [110/20] via 172.16.1.237, eth1, 01:21:40

O>* 172.16.2.8/30 [110/20] via 172.16.1.237, eth1, 01:21:40

O>* 172.16.2.12/30 [110/20] via 172.16.1.237, eth1, 01:21:40

O>* 172.16.2.16/30 [110/20] via 172.16.1.237, eth1, 01:21:40

O>* 172.16.2.20/30 [110/20] via 172.16.1.237, eth1, 01:21:40

O>* 172.16.2.24/30 [110/20] via 172.16.1.237, eth1, 01:21:40

O>* 192.168.5.0/24 [110/20] via 172.16.1.237, eth1, 01:21:40

vyatta@R9:~$

Routing table on R10 (Vyatta)

vyatta@R10:~$ show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,

I - ISIS, B - BGP, > - selected route, * - FIB route

O 10.0.0.0/24 [110/10] is directly connected, eth1, 01:34:39

C>* 10.0.0.0/24 is directly connected, eth1

C>* 127.0.0.0/8 is directly connected, lo

O>* 172.16.0.0/24 [110/30] via 172.16.1.245, eth0, 01:23:45

O>* 172.16.1.0/25 [110/30] via 172.16.1.245, eth0, 01:23:44

O>* 172.16.1.128/26 [110/20] via 172.16.1.245, eth0, 01:19:37

O>* 172.16.1.192/27 [110/20] via 172.16.1.245, eth0, 01:19:37

O>* 172.16.1.224/30 [110/20] via 172.16.1.245, eth0, 01:19:37

O>* 172.16.1.228/30 [110/20] via 172.16.1.245, eth0, 01:19:37

O>* 172.16.1.232/30 [110/20] via 172.16.1.245, eth0, 01:23:51

O>* 172.16.1.236/30 [110/20] via 172.16.1.245, eth0, 01:23:51

C>* 172.16.1.240/30 is directly connected, lo

O 172.16.1.244/30 [110/10] is directly connected, eth0, 01:34:44

C>* 172.16.1.244/30 is directly connected, eth0

O>* 172.16.2.0/30 [110/20] via 172.16.1.245, eth0, 01:19:37

O>* 172.16.2.4/30 [110/20] via 172.16.1.245, eth0, 01:19:37

O>* 172.16.2.8/30 [110/20] via 172.16.1.245, eth0, 01:19:37

O>* 172.16.2.12/30 [110/20] via 172.16.1.245, eth0, 01:19:37

O>* 172.16.2.16/30 [110/20] via 172.16.1.245, eth0, 01:19:37

O>* 172.16.2.20/30 [110/20] via 172.16.1.245, eth0, 01:19:37

O>* 172.16.2.24/30 [110/20] via 172.16.1.245, eth0, 01:19:37

O>* 192.168.5.0/24 [110/20] via 172.16.1.245, eth0, 01:19:37

vyatta@R10:~$


VPN Remote Access and Site-to-Site with Vyatta

VPN

A Virtual Private Network (VPN) is a private network built on top of a public network. In other words, it joins sites that are physically and geographically separate into what is logically a single network, a WAN. Packets flowing between sites, or from a user connecting by remote access, are encrypted and authenticated, which protects the confidentiality, integrity and authenticity of the data. VPNs come in two types, site-to-site and remote access. Protocols used include IPsec, PPTP and L2TP.

To understand this better and to configure a VPN in practice, let us work through the case study below.

[Topology diagram: modelling-for-vpn-site-to-site-and-remote-access-1]

FOR VPN SERVER R1

Enter configure mode

vyatta@vyatta:~$ configure

[edit]

Then set the IP addresses of the interfaces on R1

vyatta@vyatta# set interfaces ethernet eth0 address 192.168.1.1/24

[edit]

vyatta@vyatta# set interfaces ethernet eth1 address 222.124.194.2/27

[edit]

If you are building this VPN at laboratory scale following the topology above, a router is needed to connect the two (or more) public networks, and for that you must configure a routing protocol so that routing tables get built. This tutorial happens to use OSPF. Skip this step if your VPN server is connected directly to the internet

vyatta@vyatta# set protocols ospf area 1 network 222.124.194.0/27

[edit]

Make eth0 a passive interface so that OSPF hellos and routing updates are not sent into the local area network (and no OSPF neighbor can be formed from that side)

vyatta@vyatta# set protocols ospf passive-interface eth0

[edit]

vyatta@vyatta#

As noted above, if your VPN server is connected directly to the internet, configure a static default route instead, so that every packet leaving for the public network is forwarded to the upstream router

vyatta@vyatta# set protocols static route 0.0.0.0/0 next-hop 222.124.194.1

Set the host name of VPN server 1

vyatta@vyatta#set system host-name R1

Enable IPsec on the internet-facing interface, then define the IKE (phase 1) and ESP (phase 2) groups. Two things in the lab configuration below should be changed before it goes anywhere near production: the second ESP proposal (3DES/MD5) exists only as a fallback and, since both ends support AES-256/SHA-1, should be dropped so that the weakest suite the tunnel can negotiate is not a weak one; and the pre-shared secret test_key_1 is a placeholder, so use a long random secret on real peers.

vyatta@vyatta#set vpn ipsec ipsec-interfaces interface eth1

vyatta@vyatta#show vpn ipsec ipsec-interfaces

vyatta@vyatta#set vpn ipsec ike-group IKE-1R1 proposal 1

vyatta@vyatta#set vpn ipsec ike-group IKE-1R1 proposal 1 encryption aes256

vyatta@vyatta#set vpn ipsec ike-group IKE-1R1 proposal 1 hash sha1

vyatta@vyatta#set vpn ipsec ike-group IKE-1R1 proposal 2 encryption aes128

vyatta@vyatta#set vpn ipsec ike-group IKE-1R1 proposal 2 hash sha1

vyatta@vyatta#set vpn ipsec ike-group IKE-1R1 lifetime 3600

vyatta@vyatta#show -all vpn ipsec ike-group IKE-1R1

vyatta@vyatta#set vpn ipsec esp-group ESP-1R1 proposal 1

vyatta@vyatta#set vpn ipsec esp-group ESP-1R1 proposal 1 encryption aes256

vyatta@vyatta#set vpn ipsec esp-group ESP-1R1 proposal 1 hash sha1

vyatta@vyatta#set vpn ipsec esp-group ESP-1R1 proposal 2 encryption 3des

vyatta@vyatta#set vpn ipsec esp-group ESP-1R1 proposal 2 hash md5

vyatta@vyatta#set vpn ipsec esp-group ESP-1R1 lifetime 1800

vyatta@vyatta#show -all vpn ipsec esp-group ESP-1R1

vyatta@vyatta#set vpn ipsec site-to-site peer 202.146.180.228 authentication mode pre-shared-secret

vyatta@vyatta#edit vpn ipsec site-to-site peer 202.146.180.228

vyatta@vyatta#set authentication pre-shared-secret test_key_1

vyatta@vyatta#set ike-group IKE-1R1

vyatta@vyatta#set local-ip 222.124.194.2

vyatta@vyatta#set tunnel 1 local-subnet 192.168.1.0/24

vyatta@vyatta#set tunnel 1 remote-subnet 192.168.2.0/24

vyatta@vyatta#set tunnel 1 esp-group ESP-1R1

vyatta@vyatta#top

vyatta@vyatta#commit

vyatta@vyatta#show -all vpn ipsec site-to-site peer 202.146.180.228

vyatta@vyatta#exit

Generate RSA key

vyatta@R1>vpn rsa-key generate

A local RSA key file already exists and will be overwritten

<CTRL>C to exit: 8

Your new local RSA key has been generated

The public portion of the key is:

0sAQNZtj56JMxVNR7bhUazGNcNbaybFEi0zf8FZd7fQkSd8GT9HDBQ2QunL7P3LdArEoU9Vw7R0oJzew9zTq3J9mU4/OfG/n1NbNLfcT17QHP7EldgPpGcQ6TaXpfToIENsqN0nEPyT9AM7SBUa8B78wSsE7x9XFI4knSgUX5FmhV5452DWl2nYGrBqVEvL2rnHhbnR2Z0DGbYebWyO4Lbl3TWJkkVrXT6QgzN1GQw0/MkaknEBIFk6XuoAm8HbVE0zFL4Wr/Zs2t1k0amCsh/Dqhj+UZkdxV0LN69BELYn5EYiqigNPlgZFDnZ0jhz1EqxnQ2QT4Q+ErwIf1v0KkhlA+f8Lg2H5GdxkY9pnWcd+zSOQHf

(note: generating the RSA key can take quite a long time, so be patient)

Copy this public key: it is the value the peer, R3, will have to store for R1. Then go back into configure mode

vyatta@R1>configure

The `vpn rsa-keys` table on a router holds the public keys of its remote peers (the router's own private key lives in localhost.key), so what R1 stores here is the peer's public key, not its own. The peer in this topology is R3 (202.146.180.228); R2 is only the transit router and is not an IPsec peer. The key pasted below is therefore the public portion that R3 prints from `vpn rsa-key generate` further down, stored under a name that identifies that peer. Note also that the tunnel configured above authenticates with the pre-shared secret; this RSA key only comes into play if the peer's authentication mode is changed from pre-shared-secret to rsa and the peer entry references the key name.

vyatta@R1# set vpn rsa-keys rsa-key-name R3-key rsa-key 0sAQOaAFWK13JnatBgfiQR76ei0/yhxfdAzJ85AU2pu9udS8t3oKQU3EhZvuQVGA/YRkY9godKr7bz3Gw0hfDVXVumX/zwKmW8AcYoCCvj7xMAnyCHHRmtHaSaT/5AMXBHGEaQpkGyXfrvs55+drxtAaLFXgVQ0MDivYUYmASicNErUy9MPWLSABfvhH+i0QrTEHcIwmyzD/0AGlz0QvbcMlssEDe7OVmjLeOKwp+yb+uNr+48+1aMggIL0qfENfDH+JZh8jlNF3LriRrXJkTLkGdLjfVv3TUtdUoSa6eiCJ18XrbTr+vVaRNvOVWY9d9Bl3yZVmAaEihYGiqOynnWtyNsZHEaiHofS+DU5lzv/BI2MyVb

Save the configuration

vyatta@R1# commit

[edit]

vyatta@R1#save

FOR ROUTER R2

Skip this whole section if your VPN servers are connected directly to the internet; R2 only stands in for the internet in the lab topology. Otherwise follow the steps below

Set the host name

vyatta@vyatta# set system host-name R2

[edit]

Then set the IP addresses of the interfaces on R2. Note that 202.146.180.224 is the network address of the /29 and cannot be assigned to an interface; R2 gets 202.146.180.225, which is also the next hop that R3 uses for its default route below.

vyatta@vyatta# set interfaces ethernet eth0 address 222.124.194.1/27

[edit]

vyatta@vyatta# set interfaces ethernet eth1 address 202.146.180.225/29

[edit]

Set the routing protocol

vyatta@vyatta# set protocols ospf area 1 network 222.124.194.0/27

[edit]

vyatta@vyatta# set protocols ospf area 1 network 202.146.180.224/29

[edit]

Save the configuration

vyatta@vyatta#commit

vyatta@vyatta#save

FOR VPN SERVER R3

Enter configure mode

vyatta@vyatta:~$ configure

[edit]

vyatta@vyatta# set system host-name R3

[edit]

vyatta@vyatta# set interfaces ethernet eth0 address 202.146.180.228/29

[edit]

vyatta@vyatta# set interfaces ethernet eth1 address 192.168.2.1/24

[edit]

As explained above, if you build this VPN at laboratory scale following the topology, a routing protocol is needed so that routing tables get built. The 202.146.180.224/29 link must be placed in the same OSPF area that R2 uses for it (area 1); with mismatched areas the two routers never form an adjacency. Skip this step too if your VPN server is connected directly to the internet

vyatta@vyatta# set protocols ospf area 1 network 202.146.180.224/29

[edit]

vyatta@vyatta# set protocols ospf passive-interface eth1

[edit]

vyatta@vyatta#

And as already explained, if your VPN server is connected directly to the internet, configure a static default route for every packet leaving towards the public network

vyatta@vyatta# set protocols static route 0.0.0.0/0 next-hop 202.146.180.225

Enable IPsec on the internet-facing interface

vyatta@vyatta#set vpn ipsec ipsec-interfaces interface eth0

vyatta@vyatta#show vpn ipsec ipsec-interfaces

vyatta@vyatta#set vpn ipsec ike-group IKE-1R3 proposal 1

vyatta@vyatta#set vpn ipsec ike-group IKE-1R3 proposal 1 encryption aes256

vyatta@vyatta#set vpn ipsec ike-group IKE-1R3 proposal 1 hash sha1

vyatta@vyatta#set vpn ipsec ike-group IKE-1R3 proposal 2 encryption aes128

vyatta@vyatta#set vpn ipsec ike-group IKE-1R3 proposal 2 hash sha1

vyatta@vyatta#set vpn ipsec ike-group IKE-1R3 lifetime 3600

vyatta@vyatta#show -all vpn ipsec ike-group IKE-1R3

vyatta@vyatta#set vpn ipsec esp-group ESP-1R3 proposal 1

vyatta@vyatta#set vpn ipsec esp-group ESP-1R3 proposal 1 encryption aes256

vyatta@vyatta#set vpn ipsec esp-group ESP-1R3 proposal 1 hash sha1

vyatta@vyatta#set vpn ipsec esp-group ESP-1R3 proposal 2 encryption 3des

vyatta@vyatta#set vpn ipsec esp-group ESP-1R3 proposal 2 hash md5

vyatta@vyatta#set vpn ipsec esp-group ESP-1R3 lifetime 1800

vyatta@vyatta#show -all vpn ipsec esp-group ESP-1R3

vyatta@vyatta#set vpn ipsec site-to-site peer 222.124.194.2 authentication mode pre-shared-secret

vyatta@vyatta#edit vpn ipsec site-to-site peer 222.124.194.2

vyatta@vyatta#set authentication pre-shared-secret test_key_1

vyatta@vyatta#set ike-group IKE-1R3

vyatta@vyatta#set local-ip 202.146.180.228

vyatta@vyatta#set tunnel 1 local-subnet 192.168.2.0/24

vyatta@vyatta#set tunnel 1 remote-subnet 192.168.1.0/24

vyatta@vyatta#set tunnel 1 esp-group ESP-1R3

vyatta@vyatta#top

vyatta@vyatta#commit

vyatta@vyatta#show -all vpn ipsec site-to-site peer 222.124.194.2

vyatta@vyatta#exit

vyatta@R3>vpn rsa-key generate

A local RSA key file already exists and will be overwritten

<CTRL>C to exit: 8

Your new local RSA key has been generated

The public portion of the key is:

0sAQOaAFWK13JnatBgfiQR76ei0/yhxfdAzJ85AU2pu9udS8t3oKQU3EhZvuQVGA/YRkY9godKr7bz3Gw0hfDVXVumX/zwKmW8AcYoCCvj7xMAnyCHHRmtHaSaT/5AMXBHGEaQpkGyXfrvs55+drxtAaLFXgVQ0MDivYUYmASicNErUy9MPWLSABfvhH+i0QrTEHcIwmyzD/0AGlz0QvbcMlssEDe7OVmjLeOKwp+yb+uNr+48+1aMggIL0qfENfDH+JZh8jlNF3LriRrXJkTLkGdLjfVv3TUtdUoSa6eiCJ18XrbTr+vVaRNvOVWY9d9Bl3yZVmAaEihYGiqOynnWtyNsZHEaiHofS+DU5lzv/BI2MyVb

To view the RSA key that was generated

vyatta@R3> show vpn ike rsa-keys

Local public key (/opt/vyatta/etc/config/ipsec.d/rsa-keys/localhost.key):

0sAQOaAFWK13JnatBgfiQR76ei0/yhxfdAzJ85AU2pu9udS8t3oKQU3EhZvuQVGA/YRkY9godKr7bz3Gw0hfDVXVumX/zwKmW8AcYoCCvj7xMAnyCHHRmtHaSaT/5AMXBHGEaQpkGyXfrvs55+drxtAaLFXgVQ0MDivYUYmASicNErUy9MPWLSABfvhH+i0QrTEHcIwmyzD/0AGlz0QvbcMlssEDe7OVmjLeOKwp+yb+uNr+48+1aMggIL0qfENfDH+JZh8jlNF3LriRrXJkTLkGdLjfVv3TUtdUoSa6eiCJ18XrbTr+vVaRNvOVWY9d9Bl3yZVmAaEihYGiqOynnWtyNsZHEaiHofS+DU5lzv/BI2MyVb

Go back into configure mode and store the peer's public key under the name R1-key. As on R1, the `vpn rsa-keys` table holds the remote peer's public key, so what is pasted here is the public portion that R1 printed earlier (the key beginning 0sAQNZtj56), not R3's own key shown above. The tunnel still authenticates with the pre-shared secret until the peer's authentication mode is switched to rsa and references this key name.

vyatta@R3> configure

[edit]

vyatta@R3# set vpn rsa-keys rsa-key-name R1-key rsa-key 0sAQNZtj56JMxVNR7bhUazGNcNbaybFEi0zf8FZd7fQkSd8GT9HDBQ2QunL7P3LdArEoU9Vw7R0oJzew9zTq3J9mU4/OfG/n1NbNLfcT17QHP7EldgPpGcQ6TaXpfToIENsqN0nEPyT9AM7SBUa8B78wSsE7x9XFI4knSgUX5FmhV5452DWl2nYGrBqVEvL2rnHhbnR2Z0DGbYebWyO4Lbl3TWJkkVrXT6QgzN1GQw0/MkaknEBIFk6XuoAm8HbVE0zFL4Wr/Zs2t1k0amCsh/Dqhj+UZkdxV0LN69BELYn5EYiqigNPlgZFDnZ0jhz1EqxnQ2QT4Q+ErwIf1v0KkhlA+f8Lg2H5GdxkY9pnWcd+zSOQHf

[edit]

Save the configuration

vyatta@R3# commit

[edit]

vyatta@R3# save

Saving configuration to ‘/opt/vyatta/etc/config/config.boot’…

Done

[edit]

vyatta@R3#

At this point the site-to-site VPN is complete. For the clients on each site, assign IP addresses from that site's subnet and do not forget the gateway, which is the IP address of the router/VPN server's interface on the local area network.

For example, a client on the 192.168.1.0/24 network can be given

IP Address: 192.168.1.2

Subnet Mask: 255.255.255.0

Gateway: 192.168.1.1

Then ping between the two local area networks to verify that the VPN works as intended. On either router, `show vpn ipsec sa` shows whether the IKE and ESP security associations came up and which encryption and hash algorithms were actually selected.
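The two peer configurations have to mirror each other exactly, and the tunnel will only ever use a suite that appears in both proposal lists. The following Python script is an added example, not part of the original post and not Vyatta code: it parses the `set` lines typed on R1 and R3 above (R3's side is derived from R1's by mirroring, exactly as the post does), checks that peer addresses, pre-shared secret and tunnel subnets line up, and lists the IKE and ESP suites the two ends can actually negotiate. The WEAK_ALGORITHMS set and the 20-character minimum for the pre-shared secret are this example's own thresholds, not anything from the post.

```python
"""Cross-check the two ends of the Vyatta site-to-site tunnel configured above."""
from typing import Dict, List, Tuple

# Assumptions of this example: suites the tunnel must not be able to fall back to, and the
# shortest pre-shared secret accepted without a warning.
WEAK_ALGORITHMS = {"des", "3des", "md5", "null"}
MIN_PSK_LENGTH = 20

# The site-to-site `set` lines typed on R1 in the post.
R1_CONFIG = """
set vpn ipsec ike-group IKE-1R1 proposal 1 encryption aes256
set vpn ipsec ike-group IKE-1R1 proposal 1 hash sha1
set vpn ipsec ike-group IKE-1R1 proposal 2 encryption aes128
set vpn ipsec ike-group IKE-1R1 proposal 2 hash sha1
set vpn ipsec esp-group ESP-1R1 proposal 1 encryption aes256
set vpn ipsec esp-group ESP-1R1 proposal 1 hash sha1
set vpn ipsec esp-group ESP-1R1 proposal 2 encryption 3des
set vpn ipsec esp-group ESP-1R1 proposal 2 hash md5
set vpn ipsec site-to-site peer 202.146.180.228 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 202.146.180.228 authentication pre-shared-secret test_key_1
set vpn ipsec site-to-site peer 202.146.180.228 ike-group IKE-1R1
set vpn ipsec site-to-site peer 202.146.180.228 local-ip 222.124.194.2
set vpn ipsec site-to-site peer 202.146.180.228 tunnel 1 local-subnet 192.168.1.0/24
set vpn ipsec site-to-site peer 202.146.180.228 tunnel 1 remote-subnet 192.168.2.0/24
set vpn ipsec site-to-site peer 202.146.180.228 tunnel 1 esp-group ESP-1R1
"""
# R3's side mirrors R1's (same groups, same secret, peer/local-ip and subnets swapped).
R3_CONFIG = (R1_CONFIG.replace("IKE-1R1", "IKE-1R3").replace("ESP-1R1", "ESP-1R3")
             .replace("peer 202.146.180.228", "peer 222.124.194.2")
             .replace("local-ip 222.124.194.2", "local-ip 202.146.180.228")
             .replace("local-subnet 192.168.1.0/24", "local-subnet 192.168.2.0/24")
             .replace("remote-subnet 192.168.2.0/24", "remote-subnet 192.168.1.0/24"))

def parse_vyatta(text: str) -> Dict:
    """Turn `set a b ... key value` lines into a nested dict {a: {b: {... key: value}}}."""
    tree: Dict = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        node = tree
        for tok in tokens[1:-2]:
            child = node.get(tok)
            if not isinstance(child, dict):  # a bare `set ... proposal 1` becomes a node
                child = node[tok] = {}
            node = child
        node[tokens[-2]] = tokens[-1]
    return tree

def proposals(tree: Dict, kind: str, name: str) -> List[Tuple[str, str]]:
    """(encryption, hash) pairs of an ike-group or esp-group, in proposal order."""
    group = tree["vpn"]["ipsec"][kind][name]["proposal"]
    return [(p["encryption"], p["hash"]) for _, p in sorted(group.items(), key=lambda kv: int(kv[0]))]

def single_peer(tree: Dict) -> Tuple[str, Dict]:
    [(addr, cfg)] = tree["vpn"]["ipsec"]["site-to-site"]["peer"].items()
    return addr, cfg

def check_pair(side_a: str, side_b: str) -> Dict[str, List]:
    """Report mismatches between the two ends and what IKE/ESP could actually negotiate."""
    a, b = parse_vyatta(side_a), parse_vyatta(side_b)
    errors, warnings = [], []
    a_peer, a_cfg = single_peer(a)
    b_peer, b_cfg = single_peer(b)
    # Each end's peer address must be the other end's local-ip (the IKE identity it sends).
    if a_peer != b_cfg["local-ip"] or b_peer != a_cfg["local-ip"]:
        errors.append("peer / local-ip addresses are not mirrored")
    # The pre-shared secret must be identical on both ends, and long enough to resist guessing.
    psk_a, psk_b = (c["authentication"].get("pre-shared-secret") for c in (a_cfg, b_cfg))
    if psk_a != psk_b:
        errors.append("pre-shared secrets differ")
    elif psk_a is not None and len(psk_a) < MIN_PSK_LENGTH:
        warnings.append(f"pre-shared secret is only {len(psk_a)} characters long")
    # Traffic selectors: A's local-subnet must be B's remote-subnet and vice versa.
    ta, tb = a_cfg["tunnel"]["1"], b_cfg["tunnel"]["1"]
    if ta["local-subnet"] != tb["remote-subnet"] or ta["remote-subnet"] != tb["local-subnet"]:
        errors.append("tunnel 1 local/remote subnets are not mirrored")
    # Negotiation can only pick a suite present in both proposal lists.
    ike_common = sorted(set(proposals(a, "ike-group", a_cfg["ike-group"]))
                        & set(proposals(b, "ike-group", b_cfg["ike-group"])))
    esp_common = sorted(set(proposals(a, "esp-group", ta["esp-group"]))
                        & set(proposals(b, "esp-group", tb["esp-group"])))
    if not ike_common:
        errors.append("no IKE proposal in common")
    if not esp_common:
        errors.append("no ESP proposal in common")
    # Every suite in the intersection is one the tunnel may end up using; flag the weak ones.
    for kind, common in (("IKE", ike_common), ("ESP", esp_common)):
        for enc, hsh in common:
            if {enc, hsh} & WEAK_ALGORITHMS:
                warnings.append(f"{kind} can negotiate weak suite {enc}/{hsh}")
    return {"errors": errors, "warnings": warnings, "ike_common": ike_common, "esp_common": esp_common}

if __name__ == "__main__":
    print(check_pair(R1_CONFIG, R3_CONFIG))
```

Run against the post's configuration it reports no errors but two warnings: ESP can fall back to 3des/md5, and the pre-shared secret is only 10 characters long. Change one subnet or the secret on a single side and the corresponding error appears, which is the kind of mistake that otherwise only shows up as a tunnel that silently stays down.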

VPN REMOTE ACCESS

With the site-to-site VPN done, we can configure remote access, using R1 as the remote-access VPN server. PPTP is used here; bear in mind that PPTP authenticates with MS-CHAPv2, whose handshake can be cracked offline, so this is fine for a lab but a production remote-access VPN should use an IPsec-based protocol such as L2TP/IPsec.

Enter configure mode

vyatta@R1>configure

vyatta@R1#set vpn pptp remote-access outside-address 222.124.194.2

Set the IP pool, the range of addresses handed out automatically to users who connect to the VPN server. A connected client then has two IP addresses: the one it uses to reach the internet and the one obtained through the tunnel from the VPN server. The tunnel address is what makes the client appear to be on the same network as the one it is accessing

vyatta@R1#set vpn pptp remote-access client-ip-pool start 192.168.1.50

vyatta@R1#set vpn pptp remote-access client-ip-pool stop 192.168.1.60

vyatta@R1#set vpn pptp remote-access authentication mode local

Create a username and password so that the user can access the VPN server; repeat this step to add more users

vyatta@R1#set vpn pptp remote-access authentication local-users username candra password fasilkom

So that users connected to the VPN server can also reach the internet, configure source NAT on the VPN server. One caveat: Vyatta applies NAT before IPsec encapsulation, so rule 10 as written also rewrites the site-to-site traffic from 192.168.1.0/24 to 192.168.2.0/24. Once its source has become 222.124.194.2 that traffic no longer matches tunnel 1's selectors and simply follows the default route in the clear instead of entering the tunnel. Add a lower-numbered rule with `exclude` set for destination 192.168.2.0/24 ahead of rule 10.

vyatta@R1#set service nat rule 10 type source

vyatta@R1#set service nat rule 10 source address 192.168.1.0/24

vyatta@R1#set service nat rule 10 outbound-interface eth1

vyatta@R1#set service nat rule 10 outside-address address 222.124.194.2
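Rule 10 interacts with the site-to-site tunnel: because source NAT runs before IPsec, a packet from 192.168.1.2 to 192.168.2.10 is rewritten to 222.124.194.2 first and then no longer matches tunnel 1's local-subnet. The Python model below is an added example, not from the post and not Vyatta's own code. It evaluates source-NAT rules the way Vyatta does, in rule-number order with the first match winning, against constructed packets, once with the post's rule 10 alone and once with an assumed rule 5 that has `exclude` set and matches destination 192.168.2.0/24 (the fix this example proposes; in Vyatta syntax that is `set service nat rule 5 exclude`, `type source`, `source address 192.168.1.0/24`, `destination address 192.168.2.0/24`, `outbound-interface eth1`).

```python
"""Does R1's source-NAT rule rewrite traffic before it reaches the IPsec tunnel?"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Rule 10 exactly as configured on R1 in the post, expressed as a dict.
POST_RULES: List[Dict] = [
    {"rule": 10, "type": "source", "source": "192.168.1.0/24", "destination": None,
     "outbound-interface": "eth1", "outside-address": "222.124.194.2", "exclude": False},
]
# Assumption of this example: a lower-numbered exclusion rule for traffic that must enter the
# tunnel untranslated. Lower rule numbers are evaluated first.
FIXED_RULES: List[Dict] = [
    {"rule": 5, "type": "source", "source": "192.168.1.0/24", "destination": "192.168.2.0/24",
     "outbound-interface": "eth1", "outside-address": None, "exclude": True},
] + POST_RULES

# Constructed packets from a LAN host behind R1 (not taken from the post).
TO_REMOTE_SITE = {"src": "192.168.1.2", "dst": "192.168.2.10", "out": "eth1"}
TO_INTERNET = {"src": "192.168.1.2", "dst": "203.0.113.9", "out": "eth1"}
TUNNEL_1: Tuple[str, str] = ("192.168.1.0/24", "192.168.2.0/24")  # R1's local-subnet, remote-subnet

def rule_matches(rule: Dict, pkt: Dict) -> bool:
    """Source-NAT rule match: outbound interface, source prefix, optional destination prefix."""
    if rule["type"] != "source" or rule["outbound-interface"] != pkt["out"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(rule["source"]):
        return False
    return rule["destination"] is None or ip_address(pkt["dst"]) in ip_network(rule["destination"])

def translated_source(rules: List[Dict], pkt: Dict) -> str:
    """Source address the packet leaves with; first matching rule in rule-number order decides."""
    for rule in sorted(rules, key=lambda r: r["rule"]):
        if rule_matches(rule, pkt):
            return pkt["src"] if rule["exclude"] else rule["outside-address"]
    return pkt["src"]  # no rule matched: no translation

def enters_tunnel(rules: List[Dict], pkt: Dict, tunnel: Tuple[str, str] = TUNNEL_1) -> bool:
    """True if the packet, after NAT, still matches tunnel 1's traffic selector."""
    local_subnet, remote_subnet = tunnel
    src_after_nat = ip_address(translated_source(rules, pkt))
    return src_after_nat in ip_network(local_subnet) and ip_address(pkt["dst"]) in ip_network(remote_subnet)

if __name__ == "__main__":
    for label, rules in (("post's rule 10 only", POST_RULES), ("with exclusion rule 5", FIXED_RULES)):
        print(f"{label}: source after NAT = {translated_source(rules, TO_REMOTE_SITE)}, "
              f"enters tunnel = {enters_tunnel(rules, TO_REMOTE_SITE)}")
```

With rule 10 alone the packet to the remote site leaves as 222.124.194.2 and never enters the tunnel; with the exclusion in front of it the site-to-site traffic keeps its 192.168.1.2 source while internet-bound traffic (including the PPTP clients in the 192.168.1.50 to 192.168.1.60 pool) is still translated.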

And if you have a local DNS server, you can point the clients' queries at it

vyatta@R1#set vpn pptp remote-access dns-servers server-2 192.168.1.2

But if the DNS server is elsewhere, forward queries to it (here the upstream resolver 222.124.194.18). Listen for forwarding requests on the LAN interface only: listening on eth1, the internet-facing side, would turn R1 into an open resolver that anyone on the internet can use.

vyatta@R1# set service dns forwarding listen-on eth0

[edit]

vyatta@R1# set service dns forwarding name-server 222.124.194.18

[edit]

And if you also want R1 to act as a caching web proxy for the LAN

vyatta@R1#set service webproxy listen-address 192.168.1.1

Save the configuration

vyatta@R1#commit

vyatta@R1#save

vyatta@R1#show vpn pptp remote-access

Next, so that a user can connect to the VPN server, configure the Windows XP client as follows:

  1. Choose Start > Control Panel > Network Connections.
  2. Choose Create a new connection. Click Next.
  3. Choose Connect to the network at my workplace. Click Next.
  4. Choose Virtual Private Network connection. Click Next.
  5. Give the connection a name, for example "VPN-FASILKOM". Click Next.
  6. Choose Do not dial the initial connection. Click Next.
  7. Enter the address of the VPN server, 222.124.194.2 (the outside-address configured above). Click Next.
  8. Choose Do not use my smart card. Click Next.
  9. Tick Add a shortcut to this connection to my desktop.
  10. Click Finish.
  11. Double-click the shortcut that was created on the desktop.
  12. Enter the username and password of the user created on the server.
  13. Once authentication succeeds, the user is connected to the VPN server.
  14. To see the IP address obtained from the VPN server, click Start, type CMD and press Enter.
  15. Then type ipconfig /all; it shows the address obtained. Compare its network with that of the local area network being accessed.
  16. Ping one of the addresses on that local area network; a reply means the remote-access VPN server is working.

Good luck trying it out
