Tuesday, 24 March 2020

Adding Remarks to Entries in Active ACL

In this blog will show you have to add remarks to entries in an active ACL .

"Remarks" are logically associated with entries in ACL .


They are nothing but the comments given to the entries in an ACL which helps Network administrator to get some information regarding the particular entry in the ACL. 


Now let's check an existing ACL named "techstuff" configured in Router R1

R1#sh ip access-lists techstuff

Extended IP access list techstuff
    10 permit ip 10.0.0.0 0.0.0.255 any
    20 deny ip host 20.1.1.1 any
    30 permit ip 20.0.0.0 0.0.0.255 any
    40 permit ip 30.0.0.0 0.0.0.255 any
    50 permit ip 40.0.0.0 0.0.0.255 any


Alway remember Guys!!! sh ip access-list wont show you any remarks .


To view remarks you need to check the show run of the router 

R1#sh run | begin techstuff

ip access-list extended techstuff
 permit ip 10.0.0.0 0.0.0.255 any
 deny   ip host 20.1.1.1 any
 permit ip 20.0.0.0 0.0.0.255 any
 permit ip 30.0.0.0 0.0.0.255 any
 permit ip 40.0.0.0 0.0.0.255 any
!

Here you can check there is no remark yet configured for this ACL . 

Lets do for the entry with sequence no.20 which is denying the host 20.1.1.1 for any destination . 


R1(config)#ip access-list ex techstuff

R1(config-ext-nacl)#no 20
R1(config-ext-nacl)#remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
R1(config-ext-nacl)#20 deny ip host 20.1.1.1 any

R1#show run | begin techstuff

ip access-list extended techstuff
 permit ip 10.0.0.0 0.0.0.255 any
remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
 deny   ip host 20.1.1.1 any
 permit ip 20.0.0.0 0.0.0.255 any
 permit ip 30.0.0.0 0.0.0.255 any
 permit ip 40.0.0.0 0.0.0.255 any
!

Now let deny another host 40.1.1.1 along with remark

R1(config)#ip access-list ex techstuff
R1(config-ext-nacl)#remark ** DONT ALLOW 40.1.1.1 WHICH BELONGS TO 3RD FLOOR **
R1(config-ext-nacl)#45 deny ip host 40.1.1.1 any

R1#show run | begin techstuff
ip access-list extended techstuff
 permit ip 10.0.0.0 0.0.0.255 any
 remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
 deny   ip host 20.1.1.1 any
 permit ip 20.0.0.0 0.0.0.255 any
 permit ip 30.0.0.0 0.0.0.255 any
remark ** DONT ALLOW 40.1.1.1 WHICH BELONGS TO 3RD FLOOR **
deny   ip host 40.1.1.1 any
 permit ip 40.0.0.0 0.0.0.255 any
!

Lets also perform the resequence 

R1(config)#ip access-list resequence techstuff ?
  <1-2147483647>  Starting Sequence Number

R1(config)#ip access-list resequence techstuff 10 ?
  <1-2147483647>  Step to increment the sequence number

R1(config)#ip access-list resequence techstuff 10 10
R1(config)#^Z
R1#
R1#sh ip access-lists
Extended IP access list techstuff
    10 permit ip 10.0.0.0 0.0.0.255 any
    20 deny ip host 20.1.1.1 any
    30 permit ip 20.0.0.0 0.0.0.255 any
    40 permit ip 30.0.0.0 0.0.0.255 any
    50 deny ip host 40.1.1.1 any
    60 permit ip 40.0.0.0 0.0.0.255 any
R1#

Now if you delete an entry the remark associated with it will also get deleted

R1#show run | begin techstuff
ip access-list extended techstuff
 permit ip 10.0.0.0 0.0.0.255 any
 remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
 deny   ip host 20.1.1.1 any
 permit ip 20.0.0.0 0.0.0.255 any
 permit ip 30.0.0.0 0.0.0.255 any
 remark ** DONT ALLOW 40.1.1.1 WHICH BELONGS TO 3RD FLOOR **
 deny   ip host 40.1.1.1 any
 permit ip 40.0.0.0 0.0.0.255 any

R1(config)#ip access-list extended techstuff
R1(config-ext-nacl)#no 50
R1(config-ext-nacl)#^Z

R1#show run | begin techstuff
*Mar  1 00:44:54.479: %SYS-5-CONFIG_I: Configured from console by console
R1#show run | begin techstuff
ip access-list extended techstuff
 permit ip 10.0.0.0 0.0.0.255 any
 remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
 deny   ip host 20.1.1.1 any
 permit ip 20.0.0.0 0.0.0.255 any
 permit ip 30.0.0.0 0.0.0.255 any
 permit ip 40.0.0.0 0.0.0.255 any
!


Hope you all find this post informative and useful .

Thanks for reading

No comments:

Post a Comment