In this blog I will show you how to add remarks to entries in an active ACL.
"Remarks" are logically associated with entries in an ACL.
They are simply comments attached to the entries of an ACL, which help the network administrator understand the purpose of a particular entry.
Now let's check an existing ACL named "techstuff" configured on router R1:
R1#sh ip access-lists techstuff
Extended IP access list techstuff
10 permit ip 10.0.0.0 0.0.0.255 any
20 deny ip host 20.1.1.1 any
30 permit ip 20.0.0.0 0.0.0.255 any
40 permit ip 30.0.0.0 0.0.0.255 any
50 permit ip 40.0.0.0 0.0.0.255 any
Always remember, guys: sh ip access-lists won't show you any remarks.
To view remarks you need to check the show run of the router:
R1#sh run | begin techstuff
ip access-list extended techstuff
permit ip 10.0.0.0 0.0.0.255 any
deny ip host 20.1.1.1 any
permit ip 20.0.0.0 0.0.0.255 any
permit ip 30.0.0.0 0.0.0.255 any
permit ip 40.0.0.0 0.0.0.255 any
!
Let's do it for the entry with sequence number 20, which denies host 20.1.1.1 to any destination. Remove the entry, add the remark, then re-add the entry with the same sequence number:
R1(config)#ip access-list ex techstuff
R1(config-ext-nacl)#no 20
R1(config-ext-nacl)#remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
R1(config-ext-nacl)#20 deny ip host 20.1.1.1 any
R1#show run | begin techstuff
ip access-list extended techstuff
permit ip 10.0.0.0 0.0.0.255 any
remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
deny ip host 20.1.1.1 any
permit ip 20.0.0.0 0.0.0.255 any
permit ip 30.0.0.0 0.0.0.255 any
permit ip 40.0.0.0 0.0.0.255 any
!
Now let's deny another host, 40.1.1.1, along with a remark:
R1(config)#ip access-list ex techstuff
R1(config-ext-nacl)#remark ** DONT ALLOW 40.1.1.1 WHICH BELONGS TO 3RD FLOOR **
R1(config-ext-nacl)#45 deny ip host 40.1.1.1 any
R1#show run | begin techstuff
ip access-list extended techstuff
permit ip 10.0.0.0 0.0.0.255 any
remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
deny ip host 20.1.1.1 any
permit ip 20.0.0.0 0.0.0.255 any
permit ip 30.0.0.0 0.0.0.255 any
remark ** DONT ALLOW 40.1.1.1 WHICH BELONGS TO 3RD FLOOR **
deny ip host 40.1.1.1 any
permit ip 40.0.0.0 0.0.0.255 any
!
Let's also perform a resequence:
R1(config)#ip access-list resequence techstuff ?
<1-2147483647> Starting Sequence Number
R1(config)#ip access-list resequence techstuff 10 ?
<1-2147483647> Step to increment the sequence number
R1(config)#ip access-list resequence techstuff 10 10
R1(config)#^Z
R1#
R1#sh ip access-lists
Extended IP access list techstuff
10 permit ip 10.0.0.0 0.0.0.255 any
20 deny ip host 20.1.1.1 any
30 permit ip 20.0.0.0 0.0.0.255 any
40 permit ip 30.0.0.0 0.0.0.255 any
50 deny ip host 40.1.1.1 any
60 permit ip 40.0.0.0 0.0.0.255 any
R1#
Now, if you delete an entry, the remark associated with it will also get deleted:
R1#show run | begin techstuff
ip access-list extended techstuff
permit ip 10.0.0.0 0.0.0.255 any
remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
deny ip host 20.1.1.1 any
permit ip 20.0.0.0 0.0.0.255 any
permit ip 30.0.0.0 0.0.0.255 any
remark ** DONT ALLOW 40.1.1.1 WHICH BELONGS TO 3RD FLOOR **
deny ip host 40.1.1.1 any
permit ip 40.0.0.0 0.0.0.255 any
R1(config)#ip access-list extended techstuff
R1(config-ext-nacl)#no 50
R1(config-ext-nacl)#^Z
R1#show run | begin techstuff
*Mar 1 00:44:54.479: %SYS-5-CONFIG_I: Configured from console by console
R1#show run | begin techstuff
ip access-list extended techstuff
permit ip 10.0.0.0 0.0.0.255 any
remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
deny ip host 20.1.1.1 any
permit ip 20.0.0.0 0.0.0.255 any
permit ip 30.0.0.0 0.0.0.255 any
permit ip 40.0.0.0 0.0.0.255 any
!
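Because sh ip access-lists shows sequence numbers but no remarks, while show run shows remarks but no sequence numbers, auditing which deny entries are documented means joining the two outputs. The following Python script is an added example (not from the original post) that does exactly that for the R1 session above; the sample outputs are constructed from the post's own output, and the function names are my own.

```python
import re

SHOW_ACL = """\
Extended IP access list techstuff
    10 permit ip 10.0.0.0 0.0.0.255 any
    20 deny ip host 20.1.1.1 any
    30 permit ip 20.0.0.0 0.0.0.255 any
    40 permit ip 30.0.0.0 0.0.0.255 any
    50 deny ip host 40.1.1.1 any
    60 permit ip 40.0.0.0 0.0.0.255 any
"""
SHOW_RUN = """\
ip access-list extended techstuff
 permit ip 10.0.0.0 0.0.0.255 any
 remark ** DONT ALLOW 20.1.1.1 WHICH BELONGS TO 3RD FLOOR **
 deny ip host 20.1.1.1 any
 permit ip 20.0.0.0 0.0.0.255 any
 permit ip 30.0.0.0 0.0.0.255 any
 remark ** DONT ALLOW 40.1.1.1 WHICH BELONGS TO 3RD FLOOR **
 deny ip host 40.1.1.1 any
 permit ip 40.0.0.0 0.0.0.255 any
!
"""
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*\S)\s*$")

def parse_show_access_list(text):
    """Map sequence number -> ACE text ('show ip access-lists' carries no remarks)."""
    return {int(m.group(1)): f"{m.group(2)} {m.group(3)}"
            for m in map(ACE_RE.match, text.splitlines()) if m}

def parse_show_run(text, name):
    """Return (remark_or_None, ace_text) pairs in config order for one named ACL."""
    pairs, pending, inside = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("ip access-list "):
            inside = line.split()[-1] == name
        elif not inside or line == "!":
            inside = False
        elif line.startswith("remark "):
            pending = line[len("remark "):]      # a remark applies to the next ACE
        else:
            pairs.append((pending, line))
            pending = None
    return pairs

def merge(show_acl, show_run, name):
    """{seq: (remark, ace)} from both views, matched on ACE text since 'show run' has no seq numbers."""
    by_text = {ace: seq for seq, ace in parse_show_access_list(show_acl).items()}
    return {by_text[ace]: (remark, ace) for remark, ace in parse_show_run(show_run, name)}

def denies_without_remark(merged):
    """Audit: deny entries nobody documented (e.g. after a remark was lost with 'no <seq>')."""
    return sorted(s for s, (r, a) in merged.items() if a.startswith("deny") and r is None)
```

Running denies_without_remark(merge(SHOW_ACL, SHOW_RUN, "techstuff")) on the sample returns an empty list; remove one remark line from SHOW_RUN and the matching deny's sequence number is reported.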
Hope you all find this post informative and useful.
Thanks for reading.