Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

6130
Views
15
Helpful
9
Replies
Cisco Junky
Cisco Junky Beginner
Beginner
‎12-22-2015 05:54 AM
‎12-22-2015 05:54 AM

How to Add remarks to an existing ACL

Hi,

I am going to be editing an existing extended ACL adding 2 permit lines,(using ACL sequence numbers) but I also want to include remarks.

How do I do this with out having to re-write the entire list, and causing downtime?

You help is much appreciated

Labels:
0 Helpful
Reply
9 REPLIES 9
anoop.verma
anoop.verma Beginner
Beginner
‎12-22-2015 08:15 AM
‎12-22-2015 08:15 AM

Viewing Access Control Lists

Viewing Access Control Lists (ACLs) can be somewhat confusing because the ACLs will all run together. Adding remarks to your ACLs will make them easier to read. When you look at your running-config to view the ACLs without remarks, as shown here:

Switch1#show running-config | include access-list
access-list 50 deny   192.168.8.200
access-list 50 deny   192.168.8.201
access-list 50 permit 192.168.8.0 0.0.0.255
access-list 50 permit 192.168.9.0 0.0.0.255
access-list 60 permit 192.168.8.0 0.0.0.3
access-list 60 deny   192.168.8.0 0.0.0.255
access-list 60 deny   192.168.9.0 0.0.0.255

To make this easier to read, you should start each ACL with a remark line. This does not show up when using the show command; but is in yourrunning-config. This is what it would look like:

Switch1#show running-config | include access-list
access-list 50 deny   192.168.8.200
access-list 50 deny   192.168.8.201
access-list 50 permit 192.168.8.0 0.0.0.255
access-list 50 permit 192.168.9.0 0.0.0.255
access-list 60 remark This ACL is to control the outbound router traffic.
access-list 60 permit 192.168.8.0 0.0.0.3
access-list 60 deny   192.168.8.0 0.0.0.255
access-list 60 deny   192.168.9.0 0.0.0.255
0 Helpful
Reply
Cisco Junky
Cisco Junky Beginner
Beginner
‎12-22-2015 08:20 AM
‎12-22-2015 08:20 AM

Hi there,

Hi there,

I have an existing ACL

access-list 111 permit ip any host 1.1.1.1

access-list 111 permit ip any host 2.2.2.2

access-list 111 permit ip any host 3.3.3.3

access-list 111 deny ip any any

I want to add a new like to permit host 4.4.4.4 but before have a remark saying Test_4.4.4.4 I cant see syntax to complete this.

I will use the show access-list 111 and then use the spare sequence number between the host 3.3.3.3 and the deny any statement to add the new line, however I cannot add a remark this way.

Any solution?

0 Helpful
Reply
anoop.verma
anoop.verma Beginner
Beginner
‎12-22-2015 08:32 AM
‎12-22-2015 08:32 AM

On which device you are

On which device you are creating acl ?

0 Helpful
Reply
Highlighted
Cisco Junky
Cisco Junky Beginner
Beginner
‎12-22-2015 08:37 AM
‎12-22-2015 08:37 AM

6509.

6509.

I believe the only way is to remove the line "access-list 111 deny ip any any"

add the remark and the new permit statement

Re-enter the line "access-list 111 deny ip any any"

The implicit deny any any will cover this so the ACL will be fully operational at all time?

do you agree

0 Helpful
Reply
acampbell
acampbell Advocate
Advocate
‎12-22-2015 08:36 AM
‎12-22-2015 08:36 AM

Hi,

Hi,

Lets say the spare sequence number is 35

conf t

!

ip access-list extended 111

35 permit ip any host 4.4.4.4

remark *** TESTING 4.4.4.4 ***

end

However you will not see the remark in show access-list

You need to issue

show run | beg access-list

to see any remarks

Regards

Alex

Regards, Alex. Please rate useful posts.
0 Helpful
Reply
Cisco Junky
Cisco Junky Beginner
Beginner
‎12-22-2015 08:43 AM
‎12-22-2015 08:43 AM

Hi,

Hi,

This is not correct... the remark statement will then be placed underneath the "deny any any" statement.

0 Helpful
Reply
tdavis85
tdavis85 Beginner
Beginner
‎12-22-2017 12:32 PM
‎12-22-2017 12:32 PM

Re: Hi,

If you place your remark prior to the line with the sequence number, it will show up in the right order.  Your remark should come before the line that you are adding the remark for.  Example:

conf t

!

ip access-list extended 111

remark *** TESTING 4.4.4.4 ***

35 permit ip any host 4.4.4.4

end

 

If you do it that way it should show up in the correct order.

Reply
Michal Demjanovic
Michal Demjanovic Beginner
Beginner
‎06-19-2019 08:11 AM
‎06-19-2019 08:11 AM

Re: Hi,

I guess this is long time since your post but THANKS. Everywhere I looked it was always:

1)do new ACL and replace the old one

2)do the lines and then resequence

 

This needs more recognition!

0 Helpful
Reply
paul driver
VIP Mentor paul driver VIP Mentor
VIP Mentor
‎12-23-2017 04:55 AM
‎12-23-2017 04:55 AM

Re: Hi there,

Hello

 

example:

sh access-lists
(spare sequence number of 40)

ip access-list extended 111
40 permit ?????? etc..
exit

ip access-list resequence 111   10 5

res
Paul



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
0 Helpful
Reply
Latest Contents
OSPF "INIT/DROTHER" error
Created by MrMaregaTech on 01-22-2020 04:45 AM
4
0
4
0
Hi everyone.I have a problem in my Network.So i have 3 routers and a firewall in my topology. I have configured OSPF and all routers works expect R3 (see in the image below)When I watch my neignbor in R3 it says :192.168.7.7 1 INIT/DROTHER 00:00:37 10.0.2... view more
How to SDA Host Onboarding with ISE
Created by ldanny on 01-19-2020 04:48 AM
0
10
0
10
Introduction Host Onboarding is the term used when connecting an endpoint (hosts , IOT , Other devices) to the fabric , and can be accomplished in a couple of ways.One option is the "static" approach as oppose to the dynamic and secure approach using&nbs... view more
Cisco ASA failover status, Sensor for PRTG
Created by Oleg Volkov on 01-17-2020 10:10 AM
0
5
0
5
Hello!We update our ASA Failover sensor for PRTG.Improve usability.New manuals.You can read about it in attachment file.Download sensor from: http://www.powerc.ru/download/asafailover.zip
network issue
Created by abandoumo on 01-16-2020 09:08 AM
4
0
4
0
good morning I have this report from users, saying that they encounter connection issue only when they are wired , but the wireless I fine. both connection are using the same path to the internet ...please advised a troubleshooting plan.
16.12.3 Beta Release for Catalyst Switches
Created by okumar on 01-16-2020 08:30 AM
0
0
0
0
  Enterprise Switching Business Unit is glad to announce Beta release 16.12.3 for all Catalyst 9200/9300/9400/9500/9600. This release is made available to allow users to test, evaluate and share feedback before General Avail... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad