12-22-2015 05:54 AM - edited 03-08-2019 03:11 AM
Hi,
I am going to be editing an existing extended ACL, adding 2 permit lines (using ACL sequence numbers), but I also want to include remarks.
How do I do this without having to re-write the entire list and causing downtime?
Your help is much appreciated.
12-22-2015 08:15 AM
Viewing Access Control Lists (ACLs) can be somewhat confusing because the ACLs will all run together. Adding remarks to your ACLs will make them easier to read. When you look at your running-config to view the ACLs without remarks, as shown here:
Switch1#show running-config | include access-list
access-list 50 deny 192.168.8.200
access-list 50 deny 192.168.8.201
access-list 50 permit 192.168.8.0 0.0.0.255
access-list 50 permit 192.168.9.0 0.0.0.255
access-list 60 permit 192.168.8.0 0.0.0.3
access-list 60 deny 192.168.8.0 0.0.0.255
access-list 60 deny 192.168.9.0 0.0.0.255
To make this easier to read, you should start each ACL with a remark line. This does not show up when using the show command, but it is in your running-config. This is what it would look like:
Switch1#show running-config | include access-list
access-list 50 deny 192.168.8.200
access-list 50 deny 192.168.8.201
access-list 50 permit 192.168.8.0 0.0.0.255
access-list 50 permit 192.168.9.0 0.0.0.255
access-list 60 remark This ACL is to control the outbound router traffic.
access-list 60 permit 192.168.8.0 0.0.0.3
access-list 60 deny 192.168.8.0 0.0.0.255
access-list 60 deny 192.168.9.0 0.0.0.255
12-22-2015 08:20 AM
Hi there,
I have an existing ACL
access-list 111 permit ip any host 1.1.1.1
access-list 111 permit ip any host 2.2.2.2
access-list 111 permit ip any host 3.3.3.3
access-list 111 deny ip any any
I want to add a new line to permit host 4.4.4.4, but before it have a remark saying Test_4.4.4.4. I can't see syntax to complete this.
I will use show access-list 111 and then use the spare sequence number between the host 3.3.3.3 line and the deny any statement to add the new line; however, I cannot add a remark this way.
Any solution?
12-22-2015 08:32 AM
On which device are you creating the ACL?
12-22-2015 08:37 AM
6509.
I believe the only way is to remove the line "access-list 111 deny ip any any",
add the remark and the new permit statement,
and re-enter the line "access-list 111 deny ip any any".
The implicit deny any any will cover this, so the ACL will be fully operational at all times?
Do you agree?
12-22-2015 08:36 AM
Hi,
Let's say the spare sequence number is 35:
conf t
!
ip access-list extended 111
35 permit ip any host 4.4.4.4
remark *** TESTING 4.4.4.4 ***
end
However, you will not see the remark in show access-list.
You need to issue
show run | beg access-list
to see any remarks.
Regards
Alex
12-22-2015 08:43 AM
Hi,
This is not correct... the remark statement will then be placed underneath the "deny any any" statement.
12-22-2017 12:32 PM
If you place your remark prior to the line with the sequence number, it will show up in the right order. Your remark should come before the line that you are adding the remark for. Example:
conf t
!
ip access-list extended 111
remark *** TESTING 4.4.4.4 ***
35 permit ip any host 4.4.4.4
end
If you do it that way it should show up in the correct order.
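The steps in this thread (read the sequence numbers from show access-lists, pick a spare number between two existing entries, then enter the remark immediately before the numbered line) lend themselves to a small helper. The following Python script is an added example, not code from the thread or from Cisco: it parses constructed `show access-lists` output, picks a spare sequence number after a chosen entry, and emits the named-ACL snippet with the remark placed before the new line. It goes slightly beyond the thread by also handling the case where no spare number exists, in which case it simulates `ip access-list resequence` (as mentioned later in the thread) before choosing a number. The function names, the sample output and the ACL contents are all assumptions.

```python
"""Pick a spare IOS ACL sequence number and build an insert snippet
(remark first, numbered entry second). Added example, not from the thread."""
import re

# Constructed sample of `show access-lists 111` output (assumed format).
SAMPLE_SHOW_ACL = """\
Extended IP access list 111
    10 permit ip any host 1.1.1.1
    20 permit ip any host 2.2.2.2 (12 matches)
    30 permit ip any host 3.3.3.3
    40 deny ip any any
"""

# Constructed sample with no free number between 3.3.3.3 and the final deny.
SAMPLE_DENSE_ACL = """\
Extended IP access list 111
    10 permit ip any host 1.1.1.1
    11 permit ip any host 2.2.2.2
    12 permit ip any host 3.3.3.3
    13 deny ip any any
"""

# One ACL entry line: sequence number, action, rest; trailing hit counter dropped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s*\(\d+ matches?\))?$")


def parse_entries(show_output):
    """Return [(sequence, 'permit ...'), ...] in display order."""
    entries = []
    for line in show_output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), f"{m.group(2)} {m.group(3).strip()}"))
    return entries


def find_entry(entries, substring):
    """Sequence number of the first entry whose text contains substring."""
    for seq, text in entries:
        if substring in text:
            return seq
    raise ValueError(f"no ACL entry containing {substring!r}")


def spare_sequence(entries, after_seq):
    """Midpoint between after_seq and the next entry; None if no gap exists."""
    seqs = sorted(s for s, _ in entries)
    idx = seqs.index(after_seq)
    if idx == len(seqs) - 1:
        return after_seq + 10          # appending at the end: any higher number works
    nxt = seqs[idx + 1]
    if nxt - after_seq < 2:
        return None                    # adjacent numbers, nothing free in between
    return (after_seq + nxt) // 2


def resequence(entries, start=10, step=10):
    """Simulate `ip access-list resequence <acl> start step` on the parsed list."""
    return [(start + i * step, text) for i, (_, text) in enumerate(entries)]


def build_insert(acl_number, entries, after_text, remark, new_entry):
    """Config lines that add `remark` then `new_entry` right after the matching entry."""
    lines = []
    after_seq = find_entry(entries, after_text)
    seq = spare_sequence(entries, after_seq)
    if seq is None:
        # No room: renumber with a step of 10 first, then pick the midpoint.
        lines.append(f"ip access-list resequence {acl_number} 10 10")
        entries = resequence(entries, 10, 10)
        after_seq = find_entry(entries, after_text)
        seq = spare_sequence(entries, after_seq)
    lines += [
        f"ip access-list extended {acl_number}",
        f" remark {remark}",            # remark goes BEFORE the numbered line
        f" {seq} {new_entry}",
        "end",
    ]
    return lines


if __name__ == "__main__":
    for sample in (SAMPLE_SHOW_ACL, SAMPLE_DENSE_ACL):
        snippet = build_insert(111, parse_entries(sample), "host 3.3.3.3",
                               "*** TESTING 4.4.4.4 ***", "permit ip any host 4.4.4.4")
        print("\n".join(snippet), end="\n\n")
```

The remark is written before the numbered entry, so in `show running-config` it lands directly above the new permit line, which is the ordering the post above describes; `show access-lists` still will not display it.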
06-19-2019 08:11 AM
I guess this is a long time since your post, but THANKS. Everywhere I looked it was always:
1) do a new ACL and replace the old one
2) do the lines and then resequence
This needs more recognition!
12-23-2017 04:55 AM
Hello,
Example:
sh access-lists
(spare sequence number of 40)
ip access-list extended 111
40 permit ?????? etc..
exit
ip access-list resequence 111 10 5
res
Paul