Cisco – How to add ACL entry comments on a Cisco 3750

aclciscocisco-catalyst

I'm trying to find the best way to add comments into my access-lists. For the moment, the only manner I found is the following one:

switch#conf t
switch(config)#ip access-list extended VLAN-TEST3
switch(config-ext-nacl)#remark first remark
switch(config-ext-nacl)#10 permit ip any any
switch(config-ext-nacl)#remark second remark
switch(config-ext-nacl)#20 deny ip any any
switch(config-ext-nacl)#remark third remark

But by using this, I'm unable to see the comments with the command sh ip access-list VLAN-TEST3 they appear only when I do a sh run (which isn't the most practical to see an ACL). I also cannot specify a number of lines for the remark and I can't modify/delete them.

What is the best way to do that? I'm using a Cisco 3750

Best Answer

Cisco does not provide any other way see view access lists remarks besides viewing them from the running configuration.

The lines containing remark statements are not numbered so they are ignored when running show ip access-list

You can filter the running config output and display only the section regarding to access-lists like this:

show running-config | section ip access-list

Related Solutions

Cisco – Why does Cisco ios save and display access list entries out of order

From the Cisco documentation:

The major difference in a standard access list is that the Cisco IOS adds an entry by descending order of the IP address, not on a sequence number.

You can read more here.

HP Procurve 5406zl – ACL issue

According to the Access Security Guide for your device, the first address and mask of an ACE is source and the second address and mask is the destination. (Just in case, an ACE is an Access Control Entry; that is any line an access-list is made of)

ACE 20 of your ACL states source 192.168.50.0/24 and destination 192.168.101.0/24, then you apply the ACL at VLAN 101 input; however, your VLAN 101 is 192.168.101.0/24, so any input traffic at VLAN 101 would have source address in 192.168.101.0/24. So ACE 20 in your ACL is wrong, you need an ACE with action permit, source 192.168.101.0/24 and destination 192.168.50.0/24.

ip access-list extended "SecureContent"
    10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255

Regarding the way back for this traffic, it will cross VLAN 101 outbound, so ACL should not be applied to this traffic and it should be allowed.

If traffic back is not allowed then you need to add the way back in your ACL.

ip access-list extended "SecureContent"
    10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255
    20 permit ip 192.168.50.0 0.0.0.255 192.168.101.0 0.0.0.255

EDITED to change the line above to reflect proper ACL structure of numbered entries. (10, 20, etc).

Best Answer

Related Solutions

Cisco – Why does Cisco ios save and display access list entries out of order

HP Procurve 5406zl – ACL issue

Related Topic