
Commented IP Access List Entries

Feature Overview
You can now include comments (remarks) about entries in any IP access list. The remarks make the access list easier for the network administrator to understand. Each remark is limited to 100 characters.

Benefits
User-Friendly
Remarks about entries in an IP access list make the list easier to understand and scan. For example, it is not immediately clear what the purpose of the following entry is:
access-list 1 permit 171.69.2.88

It is much easier to read a remark about the entry to understand its effect, as follows:
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88

Related Documents
For complete information on how to configure IP access lists, refer to the following:

• “Configuring IP Services” chapter in the Cisco IOS Release 12.0 Network Protocols Configuration Guide, Part 1.
• “IP Services Commands” chapter in the Cisco IOS Release 12.0 Network Protocols Command Reference, Part 1.
• “Access Control Lists: Overview and Guidelines” chapter in the Cisco IOS Release 12.0 Security Configuration Guide.

Supported Platforms
• Cisco 800
• Cisco 1000 series
• Cisco 1400
• Cisco 1600 series
• Cisco 1720
• Cisco 2500 series
• Cisco 2600 series
• Cisco 3600 series
• Cisco 3810
• Cisco 4000 series
• Cisco 7100
• Cisco 7200 series
• Cisco 7500 series
• AS5200
• AS5300
• AS5800
• UBR900 series

Supported Standards, MIBs, and RFCs
None

Configuration Tasks
To include remarks in an access list, perform one of the following tasks, depending on whether you are using a named or numbered access list:

• Write Comments in a Named Access List
• Write Comments in a Numbered Access List

The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements.

Remember to apply the access list to an interface or terminal line after the access list is created. Refer to the related documentation for information on how to apply the access list.

Write Comments in a Named Access List
To write a comment about an entry in a named IP access list, use the following commands in the order shown. Step 1 is performed once. Step 2 can be performed multiple times in the access list, before or after any permit or deny command.

Step 1
Command: Router(config)# ip access-list standard name
or
Router(config)# ip access-list extended name
Purpose: Identifies the access list by name.

Step 2
Command: Router(config-std-nacl)# remark remark
or
Router(config-ext-nacl)# remark remark
Purpose: Indicates the purpose of the permit or deny statement.

Write Comments in a Numbered Access List
To write a comment about an entry in a numbered IP access list, use the following command before or after any access-list permit or access-list deny command:

Command: Router(config)# access-list access-list-number remark remark
Purpose: Indicates the purpose of the permit or deny statement.

Configuration Examples
In the following example of a numbered access list, the workstation belonging to Jones is allowed access and the workstation belonging to Smith is not allowed access:
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
access-list 1 remark Do not allow Smith workstation through
access-list 1 deny 171.69.3.13

In the following example of a numbered access list, the Winter and Smith workstations are not allowed to browse the web:
access-list 100 remark Do not allow Winter to browse the web
access-list 100 deny host 171.69.3.85 any eq http
access-list 100 remark Do not allow Smith to browse the web
access-list 100 deny host 171.69.3.13 any eq http

In the following example of a named access list, the Jones subnet is not allowed access:
ip access-list standard prevention
 remark Do not allow Jones subnet through
 deny 171.69.0.0 0.0.255.255

In the following example of a named access list, the Jones subnet is not allowed to use outbound Telnet:
ip access-list extended telnetting
 remark Do not allow Jones subnet to telnet out
 deny tcp host 171.69.2.88 any eq telnet

Command Reference
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command references.

• access-list remark
• remark

access-list remark
To write a helpful comment (remark) for an entry in a numbered IP access list, use the access-list remark global configuration command. To remove the remark, use the no form of this command.

access-list access-list-number remark remark
no access-list access-list-number remark remark

Syntax Description
access-list-number: Number of an IP access list.
remark: Comment that describes the access list entry, up to 100 characters long.

Default
The access list entries have no remarks.

Command Mode
Global configuration

Usage Guidelines
This command first appeared in Cisco IOS Release 12.0(2)T.
The remark can be up to 100 characters; anything longer is truncated.
If you want to write a comment about an entry in a named access list, use the remark command.

Examples
In the following example, the workstation belonging to Jones is allowed access and the workstation belonging to Smith is not allowed access:
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
access-list 1 remark Do not allow Smith workstation through
access-list 1 deny 171.69.3.13

Related Commands
access-list (extended)
access-list (standard)
remark

remark
To write a helpful comment (remark) for an entry in a named IP access list, use the remark access-list configuration command. To remove the remark, use the no form of this command.

remark remark
no remark remark

Syntax Description
remark: Comment that describes the access-list entry, up to 100 characters long.

Default
The access list entries have no remarks.

Command Mode
Access-list configuration

Usage Guidelines
This command first appeared in Cisco IOS Release 12.0(2)T.
The remark can be up to 100 characters; anything longer is truncated.
If you want to write a comment about an entry in a numbered IP access list, use the access-list remark command.

Examples
In the following example, the Jones subnet is not allowed to use outbound Telnet:
ip access-list extended telnetting
 remark Do not allow Jones subnet to telnet out
 deny tcp host 171.69.2.88 any eq telnet

Related Commands
access-list remark
deny
ip access-list
permit
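The two rules this document states for remarks (the 100-character limit with truncation, and consistent placement relative to the permit or deny statement) can be checked offline against a saved configuration. The following is an added example, not part of the Cisco documentation: the function names parse and audit, the remark_first switch, the one-remark-per-entry convention, and the sample configuration (built from this document's example entries) are all assumptions made for illustration.

```python
import re

MAX_REMARK = 100  # per the usage guidelines: anything longer is truncated

# Constructed sample configuration reusing this document's example entries.
SAMPLE = """\
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
access-list 1 deny 171.69.3.13
ip access-list extended telnetting
 remark Do not allow Jones subnet to telnet out
 deny tcp host 171.69.2.88 any eq telnet
"""

NUMBERED = re.compile(r"^access-list\s+(\S+)\s+(remark|permit|deny)\b\s*(.*)$")
NAMED = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)\s*$")
SUB = re.compile(r"^\s+(remark|permit|deny)\b\s*(.*)$")

def parse(config):
    """Return {acl: [(kind, text), ...]} for numbered and named IP access lists."""
    acls, current = {}, None
    for line in config.splitlines():
        if m := NUMBERED.match(line):
            current = None
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := NAMED.match(line):
            current = m.group(1)
            acls.setdefault(current, [])
        elif current and (m := SUB.match(line)):
            acls[current].append((m.group(1), m.group(2)))
        else:
            current = None  # any other line ends the named-list block
    return acls

def audit(config, remark_first=True):
    """Flag remarks over the limit and permit/deny entries with no remark
    in the position the chosen convention expects (assumed: one per entry)."""
    findings = []
    for name, entries in parse(config).items():
        for i, (kind, text) in enumerate(entries):
            if kind == "remark":
                if len(text) > MAX_REMARK:
                    # Report the first 100 characters, the part that fits.
                    findings.append((name, "truncated", text[:MAX_REMARK]))
                continue
            j = i - 1 if remark_first else i + 1
            if not (0 <= j < len(entries) and entries[j][0] == "remark"):
                findings.append((name, "uncommented", f"{kind} {text}"))
    return findings
```

Running audit(SAMPLE) reports the deny entry in list 1 that has no remark; running the same input with remark_first=False shows how a mixed or mismatched placement convention makes every entry look uncommented.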