Commented IP Access List Entries
Feature Overview
You can now include comments (remarks) about entries in any IP access list. The remarks make the
access list easier for the network administrator to understand. Each remark is limited to
100 characters.
Benefits
User-Friendly
Remarks about entries in an IP access list make the list easier to understand and scan. For example,
it is not immediately clear what the purpose of the following entry is:
access-list 1 permit 171.69.2.88
It is much easier to read a remark about the entry to understand its effect, as follows:
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
Related Documents
For complete information on how to configure IP access lists, refer to the following:
“Configuring IP Services” chapter in the Cisco IOS Release 12.0 Network Protocols Configuration Guide, Part 1.
“IP Services Commands” chapter in the Cisco IOS Release 12.0 Network Protocols Command Reference, Part 1.
“Access Control Lists: Overview and Guidelines” chapter in the Cisco IOS Release 12.0 Security Configuration Guide.
Supported Platforms
Cisco 800
Cisco 1000 series
Cisco 1400
Cisco 1600 series
Cisco 1720
Cisco 2500 series
Cisco 2600 series
Cisco 3600 series
Cisco 3810
Cisco 4000 series
Cisco 7100
Cisco 7200 series
Cisco 7500 series
AS5200
AS5300
AS5800
UBR900 series
Supported Standards, MIBs, and RFCs
None
Configuration Tasks
The remark can go before or after a permit or deny statement. You should be consistent about where
you put the remark so it is clear which remark describes which permit or deny statement. For
example, it would be confusing to have some remarks before the associated permit or deny
statements and some remarks after the associated statements.
Remember to apply the access list to an interface or terminal line after the access list is created. Refer
to the related documentation for information on how to apply the access list.
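One way to check a saved configuration against the guidance above (remarks of at most 100 characters, placed consistently before or after the entries they describe). This is an added example, not part of the Cisco document; the function names, the strict one-remark-per-entry pairing, and the constructed list 2 with its 192.0.2.x addresses are assumptions made for illustration.

```python
import re

MAX_REMARK = 100  # limit stated on this page; longer remarks are truncated
ENTRY = re.compile(r"^(?:access-list\s+(\S+)\s+)?(remark|permit|deny)\b\s*(.*)$")
NAMED = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)$")

def parse_acls(config):
    """Map each ACL name or number to its ordered (keyword, text) lines."""
    acls, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        named, entry = NAMED.match(line), ENTRY.match(line)
        if named:                        # enter named access-list sub-mode
            current = named.group(1)
        elif entry and entry.group(1):   # numbered form carries its list number
            current = None
            acls.setdefault(entry.group(1), []).append(entry.group(2, 3))
        elif entry and current:          # sub-command of the current named list
            acls.setdefault(current, []).append(entry.group(2, 3))
        elif line:                       # any other command leaves sub-mode
            current = None
    return acls

def placement(items):
    """'before' or 'after' if remarks pair one-to-one with entries, else 'mixed'."""
    pattern = "".join("R" if kind == "remark" else "E" for kind, _ in items)
    if re.fullmatch(r"(RE)+", pattern):
        return "before"
    return "after" if re.fullmatch(r"(ER)+", pattern) else "mixed"

def audit(config):
    """Yield (acl, problem) for over-long or inconsistently placed remarks."""
    for name, items in parse_acls(config).items():
        if any(kind == "remark" and len(text) > MAX_REMARK for kind, text in items):
            yield name, "remark longer than 100 characters"
        if placement(items) == "mixed":
            yield name, "remarks not paired consistently with entries"

SAMPLE = "\n".join([  # constructed: list 1 is from the page, the rest is made up
    "access-list 1 remark Permit only Jones workstation through",
    "access-list 1 permit 171.69.2.88",
    "access-list 2 permit 192.0.2.10",
    "access-list 2 remark Permit the backup server",
    "access-list 2 remark Block the lab host",
    "access-list 2 deny 192.0.2.20",
    "ip access-list standard prevention",
    " remark " + "x" * 101,
    " deny 171.69.0.0 0.0.255.255",
])
print(list(audit(SAMPLE)))
```

List 2 is flagged because its first remark follows its entry while its second precedes it, which is the mixed placement the paragraph above describes as confusing.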
To include remarks in an access list, perform one of the following tasks, depending on whether you
are using a named or numbered access list:
Write Comments in a Named Access List
Write Comments in a Numbered Access List
Write Comments in a Named Access List
To write a comment about an entry in a named IP access list, use the following commands in the
order shown. Step 1 is performed once; Step 2 can be performed multiple times in the access list,
before or after any permit or deny command.
Step  Command                                        Purpose
1     Router(config)# ip access-list standard name   Identifies the access list by name.
      or
      Router(config)# ip access-list extended name
2     Router(config-std-nacl)# remark remark         Indicates the purpose of the permit or deny statement.
      or
      Router(config-ext-nacl)# remark remark
Write Comments in a Numbered Access List
To write a comment about an entry in a numbered IP access list, use the following command before
or after any access-list permit or access-list deny command:
Command                                                       Purpose
Router(config)# access-list access-list-number remark remark  Indicates the purpose of the permit or deny statement.
Configuration Examples
In the following example of a numbered access list, the workstation belonging to Jones is allowed
access and the workstation belonging to Smith is not allowed access:
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
access-list 1 remark Do not allow Smith workstation through
access-list 1 deny 171.69.3.13
In the following example of a numbered access list, the Winter and Smith workstations are not
allowed to browse the web:
access-list 100 remark Do not allow Winter to browse the web
access-list 100 deny host 171.69.3.85 any eq http
access-list 100 remark Do not allow Smith to browse the web
access-list 100 deny host 171.69.3.13 any eq http
In the following example of a named access list, the Jones subnet is not allowed access:
ip access-list standard prevention
remark Do not allow Jones subnet through
deny 171.69.0.0 0.0.255.255
In the following example of a named access list, the Jones subnet is not allowed to use outbound
Telnet:
ip access-list extended telnetting
remark Do not allow Jones subnet to telnet out
deny tcp host 171.69.2.88 any eq telnet
Command Reference
This section documents new commands. All other commands used with this feature are documented
in the Cisco IOS Release 12.0 command references.
access-list remark
remark
access-list remark
To write a helpful comment (remark) for an entry in a numbered IP access list, use the
access-list remark global configuration command. To remove the remark, use the no form of this
command.
access-list access-list-number remark remark
no access-list access-list-number remark remark
Syntax Description
access-list-number   Number of an IP access list.
remark               Comment that describes the access list entry, up to 100 characters long.
Default
The access list entries have no remarks.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 12.0(2)T.
The remark can be up to 100 characters; anything longer is truncated.
If you want to write a comment about an entry in a named access list, use the remark command.
Examples
In the following example, the workstation belonging to Jones is allowed access and the workstation
belonging to Smith is not allowed access:
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
access-list 1 remark Do not allow Smith workstation through
access-list 1 deny 171.69.3.13
Related Commands
access-list (extended)
access-list (standard)
remark
remark
To write a helpful comment (remark) for an entry in a named IP access list, use the remark
access-list configuration command. To remove the remark, use the no form of this command.
remark remark
no remark remark
Syntax Description
remark   Comment that describes the access-list entry, up to 100 characters long.
Default
The access list entries have no remarks.
Command Mode
Access-list configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 12.0(2)T.
The remark can be up to 100 characters; anything longer is truncated.
If you want to write a comment about an entry in a numbered IP access list, use the
access-list remark command.
Examples
In the following example, the Jones subnet is not allowed to use outbound Telnet:
ip access-list extended telnetting
remark Do not allow Jones subnet to telnet out
deny tcp host 171.69.2.88 any eq telnet
Related Commands
access-list remark
deny
ip access-list
permit
Cisco IOS Release 12.0(2)T