- IP Access List Overview
- Creating an IP Access List and Applying It to an Interface
- Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports
- Configuring an FQDN ACL
- Refining an IP Access List
- IP Named Access Control Lists
- Commented IP Access List Entries
- Standard IP Access List Logging
- IP Access List Entry Sequence Numbering
- Configuring Lock-and-Key Security (Dynamic Access Lists)
- ACL IP Options Selective Drop
- Displaying and Clearing IP Access List Data Using ACL Manageability
- ACL Syslog Correlation
- IPv6 Access Control Lists
- IPv6 ACL Undetermined-Transport Support
- Configuring Template ACLs
- IPv6 Template ACL
- IPv4 ACL Chaining Support
- IPv6 ACL Chaining with a Common ACL
- IPv6 ACL Extensions for Hop by Hop Filtering
- Finding Feature Information
- Information About Commented IP Access List Entries
- How to Configure Commented IP Access List Entries
- Configuration Examples for Commented IP Access List Entries
- Additional References for Commented IP Access List Entries
- Feature Information for Commented IP Access List Entries
Commented IP Access List Entries
The Commented IP Access List Entries feature allows you to include comments or remarks about deny or permit conditions in any IP access list. These remarks make access lists easier for network administrators to understand. Each remark is limited to 100 characters in length.
This module provides information about the Commented IP Access List Entries feature.
- Finding Feature Information
- Information About Commented IP Access List Entries
- How to Configure Commented IP Access List Entries
- Configuration Examples for Commented IP Access List Entries
- Additional References for Commented IP Access List Entries
- Feature Information for Commented IP Access List Entries
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Commented IP Access List Entries
Benefits of IP Access Lists
Authenticate incoming rsh and rcp requests—Access lists can simplify the identification of local users, remote hosts, and remote users in an authentication database that is configured to control access to a device. The authentication database enables Cisco software to receive incoming remote shell (rsh) and remote copy (rcp) protocol requests.
-
Block unwanted traffic or users—Access lists can filter incoming or outgoing packets on an interface, thereby controlling access to a network based on source addresses, destination addresses, or user authentication. You can also use access lists to determine the types of traffic that are forwarded or blocked at device interfaces. For example, you can use access lists to permit e-mail traffic to be routed through a network and to block all Telnet traffic from entering the network.
-
Control access to vty—Access lists on an inbound vty (Telnet) can control who can access the lines to a device. Access lists on an outbound vty can control the destinations that the lines from a device can reach.
Identify or classify traffic for QoS features—Access lists provide congestion avoidance by setting the IP precedence for Weighted Random Early Detection (WRED) and committed access rate (CAR). Access lists also provide congestion management for class-based weighted fair queueing (CBWFQ), priority queueing, and custom queueing.
-
Limit debug command output—Access lists can limit debug output based on an IP address or a protocol.
-
Provide bandwidth control—Access lists on a slow link can prevent excess traffic on a network.
Provide NAT control—Access lists can control which addresses are translated by Network Address Translation (NAT).
-
Reduce the chance of DoS attacks—Access lists reduce the chance of denial-of-service (DoS) attacks. Specify IP source addresses to control traffic from hosts, networks, or users from accessing your network. Configure the TCP Intercept feature to can prevent servers from being flooded with requests for connection.
-
Restrict the content of routing updates—Access lists can control routing updates that are sent, received, or redistributed in networks.
-
Trigger dial-on-demand calls—Access lists can enforce dial and disconnect criteria.
Access List Remarks
You can include comments or remarks about entries in any IP access list. An access list remark is an optional remark before or after an access list entry that describes the entry so that you do not have to interpret the purpose of the entry. Each remark is limited to 100 characters in length.
The remark can go before or after a permit or deny statement. Be consistent about where you add remarks. Users may be confused if some remarks precede the associated permit or deny statements and some remarks follow the associated statements.
The following is an example of a remark that describes function of the subsequent deny statement:
ip access-list extended telnetting remark Do not allow host1 subnet to telnet out deny tcp host 172.16.2.88 any eq telnet
How to Configure Commented IP Access List Entries
Writing Remarks in a Named or Numbered Access List
You can use a named or numbered access list configuration. You must apply the access list to an interface or terminal line after the access list is created for the configuration to work.
1.
enable
2.
configure terminal
3.
ip
access-list
{standard
|
extended} {name |
number}
4.
remark
remark
5.
deny
protocol
host
host-address
any
eq
port
6.
end
DETAILED STEPS
Configuration Examples for Commented IP Access List Entries
Example: Writing Remarks in an IP Access List
Device# configure terminal Device(config)# ip access-list extended telnetting Device(config-ext-nacl)# remark Do not allow host1 subnet to telnet out Device(config-ext-nacl)# deny tcp host 172.16.2.88 any eq telnet Device(config-ext-nacl)# end
Additional References for Commented IP Access List Entries
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
|
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Commented IP Access List Entries
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
Commented IP Access List Entries |
Cisco IOS XE Release 2.1 |
The Commented IP Access List Entries feature allows you to include comments or remarks about deny or permit conditions in any IP access list. These remarks make access lists easier for network administrators to understand. Each remark is limited to 100 characters in length. The following command was introduced or modified: remark. |