ACL CheatSheet – Kompakt
Standard und Extended Access Control Lists | CISCO Router
📋 Übersicht
| Merkmal |
Standard |
Extended |
| Nummernbereich |
1-99, 1300-1399 |
100-199, 2000-2699 |
| Filter |
Quell-IP |
Quelle, Ziel, Protokoll, Port |
| Position |
Entfernt oder Interface-nah |
Quelle-nah |
🔧 Standard ACL (Numbered)
Syntax
access-list <nummer> [permit | deny] <quell-ip> [wildcard-maske]
Beispiel
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
Interface-Anwendung
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip access-group 10 in
⚙️ Extended ACL (Numbered)
Syntax
access-list <nummer> [permit | deny] <protokoll> <quelle> <quelle-wc>
<ziel> <ziel-wc> [operatoren]
Beispiel
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 deny ip any any
Interface-Anwendung
Router(config)# interface Serial 0/0
Router(config-if)# ip access-group 100 out
📛 Standard Named ACL
Syntax
Router(config)# ip access-list standard <name>
Router(config-std-nacl)# [permit | deny] <quell-ip> [wildcard-maske]
Router(config-std-nacl)# exit
Beispiel
Router(config)# ip access-list standard ALLOW_ADMIN
Router(config-std-nacl)# permit host 192.168.1.1
Router(config-std-nacl)# deny any
Router(config-std-nacl)# exit
Router(config)# interface FastEthernet 0/1
Router(config-if)# ip access-group ALLOW_ADMIN in
⚙️ Extended Named ACL
Syntax
Router(config)# ip access-list extended <name>
Router(config-ext-nacl)# [permit | deny] <protokoll> <quelle> <quelle-wc>
<ziel> <ziel-wc> [operatoren]
Router(config-ext-nacl)# exit
Beispiel
Router(config)# ip access-list extended WEB_TRAFFIC
Router(config-ext-nacl)# permit tcp any 10.0.0.0 0.0.0.255 eq 80
Router(config-ext-nacl)# permit tcp any 10.0.0.0 0.0.0.255 eq 443
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# exit
🎯 Wildcard Masking
Grundprinzip: 0 = Bit vergleichen | 1 = Bit ignorieren
| Wildcard |
Bedeutung |
0.0.0.0 | Genau diese IP (host) |
0.0.0.255 | /24 Subnetz |
0.0.255.255 | /16 Subnetz |
255.255.255.255 | Alle (any) |
📊 Protokolle & Ports
Protokolle
ip – Alle IP-Protokolletcp – Transmission Control Protocoludp – User Datagram Protocolicmp – Internet Control Message Protocol
Häufige Ports
| Service |
Port |
Service |
Port |
| HTTP | 80 | DNS | 53 |
| HTTPS | 443 | DHCP | 67,68 |
| SSH | 22 | NTP | 123 |
| Telnet | 23 | SNMP | 161,162 |
| SMTP | 25 | | |
🔧 Operatoren & Schlüsselwörter
| Operator |
Bedeutung |
Beispiel |
eq | equal (gleich) | eq 80 |
neq | not equal | neq 22 |
gt | greater than | gt 1023 |
lt | less than | lt 1024 |
range | Bereich | range 1000 2000 |
established | Rückantworten | Stateful filtering |
host | Einzelne IP | host 192.168.1.1 |
any | Alle Adressen | Wildcard 255.255.255.255 |
🔍 Verwaltung & Debugging
ACLs anzeigen
Router# show access-lists
Router# show access-lists 100
Router# show ip access-lists
ACLs löschen
Router(config)# no access-list 100
Router(config)# ip access-list extended WEB_TRAFFIC
Router(config-ext-nacl)# no 5
Interface-Anwendung prüfen
Router# show ip interface <interface> | include access list
⚠️ Wichtige Regeln
- First-Match-Prinzip: Erste zutreffende Regel wird angewendet
- Implizites Deny: Ohne explizite Erlaubnis = verweigert
- Spezifisch vor Allgemein: Spezifische Regeln vorne positionieren
- Inbound vs. Outbound: Richtige Richtung beachten (in/out)
- Wildcard invers: Wildcard ≠ Subnetzmaske (invertiert!)