Adding a Comment to an ACL

Problem

You want to add a human readable comment to an ACL to help other engineers understand what you have done.

Solution

You can add a comment to any standard or extended IP ACL by using the remark keyword:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 50 remark Authorizing thy trespass with compare
Router1(config)#access-list 50 deny host 10.2.2.2
Router1(config)#access-list 50 permit 10.2.2.0 0.0.0.255
Router1(config)#access-list 50 permit any
Router1(config)#end
Router1#

You can add a comment to a named ACL as well, from within the ACL's configuration mode:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list standard TESTACL
Router2(config-std-nacl)#remark Authorizing thy trespass with compare
Router2(config-std-nacl)#deny host 10.2.2.2
Router2(config-std-nacl)#permit 10.2.2.0 0.0.0.255
Router2(config-std-nacl)#permit any
Router2(config-std-nacl)#end
Router2#


Discussion

This command can be quite useful when you have to keep track of many different ACLs on a router, particularly when several of them look similar. A remark is documentation only: it has no effect on how the ACL matches packets. The comment field can be up to 100 characters long, but if you need more space you can simply add more remark lines to the ACL:

Router1(config)#access-list 50 remark Authorizing thy trespass with compare
Router1(config)#access-list 50 remark My self corrupting salving thy amiss,
Router1(config)#access-list 50 remark Excusing thy sins more than thy sins are
Router1(config)#access-list 50 remark Shakespeare, Sonnet 35

When you display this ACL by using the show access-list command, the remark lines do not appear, so anyone reviewing the ACL from this output alone sees the entries but not the intent behind them:

Router1#show access-list 50
Standard IP access list 50
 deny 10.2.2.2
 permit 10.2.2.0, wildcard bits 0.0.0.255
 permit any
Router1#

The only way to see these comments is to look at the router's configuration. Keep in mind that the include filter matches a regular expression anywhere in the line, so the pattern access-list 50 would also pick up lines belonging to lists 500 through 599 if any were defined; when that is a possibility, read the whole access-list section of the configuration instead:

Router1#show running-config | include access-list 50
access-list 50 remark Authorizing thy trespass with compare
access-list 50 remark My self corrupting salving thy amiss,
access-list 50 remark Excusing thy sins more than thy sins are
access-list 50 remark Shakespeare, Sonnet 35
access-list 50 deny 10.2.2.2
access-list 50 permit 10.2.2.0 0.0.0.255
access-list 50 permit any
Router1#

Note that the router does not reorder the remark lines in the ACL: each new line, whether a remark or an entry, is added after the lines already present, so enter a remark immediately before the entry it describes. Bear in mind, too, that the remarks exist only in the configuration, so removing the list with no access-list 50 discards the comments along with the entries, which is a good reason to keep the intended ACL, remarks included, in a file under version control. Because remarks keep their position, you can use this feature to explain line by line what each command does:

Router1(config)#access-list 50 remark loathsome canker
Router1(config)#access-list 50 deny host 10.2.2.2
Router1(config)#access-list 50 remark sweetest bud
Router1(config)#access-list 50 permit 10.2.2.0 0.0.0.255
Router1(config)#access-list 50 permit any
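Because show access-list hides the remarks, a reviewer who wants to check intent against the actual entries has to work from the configuration text. The following Python script is an added example, not code from the Cisco IOS Cookbook or from Cisco: it takes running-config text like the listing above, reattaches each remark to the entry that follows it (relying on the fact that IOS keeps remarks in the position they were entered), selects the list by exact number rather than by substring so that list 500 is not confused with list 50, and flags entries that have no remark or remarks longer than the 100-character limit quoted in this recipe. The SAMPLE_CONFIG text is constructed for the example, and the function names are the example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: what "show running-config | include access-list 50" might
# return on a router configured as in this recipe, plus an unrelated list 500
# that the substring filter would also have matched. Not captured from a device.
SAMPLE_CONFIG = """\
access-list 50 remark loathsome canker
access-list 50 deny   10.2.2.2
access-list 50 remark sweetest bud
access-list 50 permit 10.2.2.0 0.0.0.255
access-list 50 permit any
access-list 500 permit any
"""

# One numbered-ACL configuration line: either a remark or a permit/deny entry.
ACL_LINE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+"
    r"(?:remark\s+(?P<remark>.*\S)|(?P<action>permit|deny)\s+(?P<match>.*\S))\s*$"
)

REMARK_MAX_LEN = 100  # IOS limit on remark text, as stated in this recipe

# (entry text or None, remarks that preceded it)
Entry = Tuple[Optional[str], List[str]]


def annotate_numbered_acl(config: str, acl_number: int) -> List[Entry]:
    """Pair every permit/deny entry of one numbered ACL with the remarks above it.

    IOS keeps remark lines where they were entered, so each remark is attached
    to the first entry that follows it. Remarks with no entry after them are
    returned with entry None so they are not silently lost. Lines belonging to
    other lists are skipped by comparing the number exactly, not as a substring.
    """
    result: List[Entry] = []
    pending: List[str] = []
    for raw in config.splitlines():
        m = ACL_LINE.match(raw.strip())
        if not m or int(m.group("num")) != acl_number:
            continue
        if m.group("remark") is not None:
            pending.append(m.group("remark"))
        else:
            # Collapse internal whitespace so "deny   10.2.2.2" compares cleanly.
            entry = f"{m.group('action')} {' '.join(m.group('match').split())}"
            result.append((entry, pending))
            pending = []
    if pending:
        result.append((None, pending))
    return result


def lint_acl(config: str, acl_number: int) -> List[str]:
    """Review findings: over-long remarks, remarks that describe no entry,
    and entries that carry no remark at all."""
    findings: List[str] = []
    for entry, remarks in annotate_numbered_acl(config, acl_number):
        for r in remarks:
            if len(r) > REMARK_MAX_LEN:
                findings.append(f"remark exceeds {REMARK_MAX_LEN} chars: {r[:20]}...")
        if entry is None:
            findings.append(f"trailing remark(s) describe no entry: {remarks}")
        elif not remarks:
            findings.append(f"undocumented entry: {entry}")
    return findings


def render(config: str, acl_number: int) -> str:
    """A show access-list style listing with the remarks restored as comments."""
    lines = [f"Standard IP access list {acl_number}"]
    for entry, remarks in annotate_numbered_acl(config, acl_number):
        lines.extend(f" ! {r}" for r in remarks)
        if entry is not None:
            lines.append(f" {entry}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_CONFIG, 50))
    for finding in lint_acl(SAMPLE_CONFIG, 50):
        print("FINDING:", finding)
```

Run against the sample, the script reports the final permit any as undocumented, which is exactly the kind of catch-all entry a reviewer wants explained. Feed it the saved configuration rather than live show output when auditing, since that is the only place the remarks survive.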


See Also

Complete Sonnets by William Shakespeare (Dover)




Cisco IOS Cookbook (O'Reilly Cookbooks)
ISBN: 0596527225
Year: 2004
Pages: 505
