Commented IP Access List Entries

Feature Overview
You can now include comments (remarks) about entries in any IP access list. The remarks make the access list easier for the network administrator to understand. Each remark is limited to 100 characters.

Benefits
User-Friendly
Remarks about entries in an IP access list make the list easier to understand and scan. For example, it is not immediately clear what the purpose of the following entry is:
access-list 1 permit 171.69.2.88

It is much easier to read a remark about the entry to understand its effect, as follows:
access-list 1 remark Permit only Jones workstation through access-list 1 permit 171.69.2.88

Related Documents
For complete information on how to configure IP access lists, refer to the following:

• • •

“Configuring IP Services” chapter in the Cisco IOS Release 12.0 Network Protocols Configuration Guide, Part 1. “IP Services Commands” chapter in the Cisco IOS Release 12.0 Network Protocols Command Reference, Part 1. “Access Control Lists: Overview and Guidelines” chapter in the Cisco IOS Release 12.0 Security Configuration Guide.

Supported Platforms
• • • •
Cisco 800 Cisco 1000 series Cisco 1400 Cisco 1600 series
Commented IP Access List Entries 1

perform one of the following tasks.0(2)T . or Router(config)# ip access-list extended name 2 Cisco IOS Release 12. Remember to apply the access list to an interface or terminal line after the access list is created. and RFCs None Configuration Tasks The remark can go before or after a permit or deny statement. before or after any permit or deny command. it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements. use the following commands in the order shown. For example. Refer to the related documentation for information on how to apply the access list. MIBs. Step 1 is performed once. Step 1 Command Router(config)# ip access-list standard name Purpose Identifies the access list by name.Write Comments in a Named Access List • • • • • • • • • • • • • Cisco 1720 Cisco 2500 series Cisco 2600 series Cisco 3600 series Cisco 3810 Cisco 4000 series Cisco 7100 Cisco 7200 series Cisco 7500 series AS5200 AS5300 AS5800 UBR900 series Supported Standards. Step 2 can be performed multiple times in the access list. You should be consistent about where you put the remark so it is clear which remark describes which permit or deny statement. depending on whether you are using a named or numbered access list: • • Write Comments in a Named Access List Write Comments in a Numbered Access List Write Comments in a Named Access List To write a comment about an entry in a named IP access list. To include remarks in an access list.

0.2.85 any eq http not allow Smith to browse the web 171. the workstation belonging to Jones is allowed access and the workstation belonging to Smith is not allowed access: access-list access-list access-list access-list 1 1 1 1 remark Permit only Jones workstation through permit 171.69.88 any eq telnet Command Reference This section documents new commands. the Winter and Smith workstations are not allowed to browse the web: access-list access-list access-list access-list 100 100 100 100 remark Do deny host remark Do deny host not allow Winter to browse the web 171. Configuration Examples In the following example of a numbered access list.88 remark Do not allow Smith workstation through deny 171. the Jones subnet is not allowed to use outbound Telnet: ip access-list extended telnetting remark Do not allow Jones subnet to telnet out deny tcp host 171.69.0.69.255.0 0.255 In the following example of a named access list. All other commands used with this feature are documented in the Cisco IOS Release 12.69.3. or Router(config-ext-nacl)# remark remark Write Comments in a Numbered Access List To write a comment about an entry in a numbered IP access list.69.Write Comments in a Numbered Access List Step 2 Command Router(config-std-nacl)# remark remark Purpose Indicates the purpose of the permit or deny statement.13 any eq http In the following example of a named access list.3.0 command references. • • access-list remark remark Commented IP Access List Entries 3 .13 In the following example of a numbered access list.69. the Jones subnet is not allowed access: ip access-list standard prevention remark Do not allow Jones subnet through deny 171.3. use the following command before or after any access-list permit or access-list deny command: Command Router(config)# access-list access-list-number remark remark Purpose Indicates the purpose of the permit or deny statement.2.

2. The remark can be up to 100 characters.69. Comment that describes the access list entry. use the no form of this command. anything longer is truncated.0(2)T.13 Related Commands access-list (extended) access-list (standard) remark 4 Cisco IOS Release 12. If you want to write a comment about an entry in a named access list. use the access-list remark global configuration command. To remove the remark. Examples In the following example.69.0(2)T . Command Mode Global configuration Usage Guidelines This command first appeared in Cisco IOS Release 12. the workstation belonging to Jones is allowed access and the workstation belonging to Smith is not allowed access: access-list access-list access-list access-list 1 1 1 1 remark Permit only Jones workstation through permit 171.access-list remark access-list remark To write a helpful comment (remark) for an entry in a numbered IP access list. use the remark command.88 remark Do not allow Smith workstation through deny 171. Default The access list entries have no remarks. access-list access-list-number remark remark no access-list access-list-number remark remark Syntax Description access-list-number remark Number of an IP access list.3. up to 100 characters long.

88 any eq telnet Related Commands access-list remark deny ip access-list permit Commented IP Access List Entries 5 . Command Mode Access-list configuration Usage Guidelines This command first appeared in Cisco IOS Release 12. up to 100 characters long. The remark can be up to 100 characters. anything longer is truncated.69.2.remark remark To write a helpful comment (remark) for an entry in a named IP access list. remark remark no remark remark Syntax Description remark Comment that describes the access-list entry. To remove the remark. use the remark access-list configuration command. If you want to write a comment about an entry in a numbered IP access list. use the access-list remark command. Examples In the following example.0(2)T. Default The access list entries have no remarks. the Jones subnet is not allowed to use outbound Telnet: ip access-list extended telnetting remark Do not allow Jones subnet to telnet out deny tcp host 171. use the no form of this command.

remark 6 Cisco IOS Release 12.0(2)T .