Problem
You want to add a human readable comment to an ACL to help other engineers understand what you have done.
Solution
You can add a comment to any standard or extended IP ACL by using the remark keyword:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#access-list 50 remark Authorizing thy trespass with compare Router1(config)#access-list 50 deny host 10.2.2.2 Router1(config)#access-list 50 permit 10.2.2.0 0.0.0.255 Router1(config)#access-list 50 permit any Router1(config)#end Router1#
In addition, you can add a comment to a named ACL, as well:
Router2#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router2(config)#ip access-list standard TESTACL Router2(config-std-nacl)#remark Authorizing thy trespass with compare Router2(config-std-nacl)#deny host 10.2.2.2 Router2(config-std-nacl)#permit 10.2.2.0 0.0.0.255 Router2(config-std-nacl)#permit any Router2(config-std-nacl)#end Router2#
Discussion
This command can be quite useful when you have to keep track of many different ACLs on a router, particularly when several of them look similar. The comment field can be up to 100 characters long. But if you require more space, you can simply add more remark lines to the ACL:
Router1(config)#access-list 50 remark Authorizing thy trespass with compare Router1(config)#access-list 50 remark My self corrupting salving thy amiss, Router1(config)#access-list 50 remark Excusing thy sins more than thy sins are Router1(config)#access-list 50 remark Shakespeare, Sonnet 35
When you display this ACL by using the show access-list command, it will not show the remark lines:
Router1#show access-list 50 Standard IP access list 50 deny 10.2.2.2 permit 10.2.2.0, wildcard bits 0.0.0.255 permit any Router1#
The only way to see these comments is to look at the router's configuration file:
Router1#show running-config | include access-list 50 access-list 50 remark Authorizing thy trespass with compare access-list 50 remark My self corrupting salving thy amiss, access-list 50 remark Excusing thy sins more than thy sins are access-list 50 remark Shakespeare, Sonnet 35 access-list 50 deny 10.2.2.2 access-list 50 permit 10.2.2.0 0.0.0.255 access-list 50 permit any access-list 50 remark Router1#
Note that the router does not re-order the remark lines in the ACL. So you can use this feature to explain line-by-line what each command does:
Router1(config)#access-list 50 remark loathsome canker Router1(config)#access-list 50 deny host 10.2.2.2 Router1(config)#access-list 50 remark sweetest bud Router1(config)#access-list 50 permit 10.2.2.0 0.0.0.255 Router1(config)#access-list 50 permit any
See Also
Complete Sonnets by William Shakespeare (Dover)
Router Configuration and File Management
Router Management
User Access and Privilege Levels
TACACS+
IP Routing
RIP
EIGRP
OSPF
BGP
Frame Relay
Handling Queuing and Congestion
Tunnels and VPNs
Dial Backup
NTP and Time
DLSw
Router Interfaces and Media
Simple Network Management Protocol
Logging
Access-Lists
DHCP
NAT
First Hop Redundancy Protocols
IP Multicast
IP Mobility
IPv6
MPLS
Security
Appendix 1. External Software Packages
Appendix 2. IP Precedence, TOS, and DSCP Classifications
Index