Configuring Commented Access Lists

20 Mar

When you use named access lists, you can provide a short description of the access list within its name, as shown in Listing 7.15 and Listing 7.16. Sometimes, though, the name of an access list does not provide enough information about what the access list does or what function each line within it provides. In 12.0.2 code, Cisco released a feature known as commented access lists. In Listing 7.1 and Listing 7.15, Raul has an access list configured that permits the 192.168.20.0 network and denies all others. In Listing 7.15, a name was used to define the access list instead of a number; I attempted to give the access list a name that was relevant to the function it provided. In Listing 7.1, a standard numbered access list was used to define the same access list; however, no descriptive information about the access list could be added with the numbered access list. You can add a comment to standard and extended access lists as well as to numbered and named access lists. Follow these steps to configure comments within a name-based access list:

1. Use the following configuration command to define a named access list:

ip access-list {standard | extended} name

2. Use the remark command to define the comment on an access-list basis or on a per-filter-rule basis. The remark parameter is limited to 100 characters, including spaces.

3. Use this command to select the interface on which the access list will be applied:

interface <interface name> <interface number>

4. Use the following command to bind the access list to the interface and to apply the filter to packets entering or exiting the interface:

ip access-group name {in | out}

Follow these steps to configure comments within a numbered access list:

1. Use the following configuration command to define the numbered access list and to define the comment on an access-list basis:

access-list access-list-number remark remark

2. Use this command to select the interface on which the access list will be applied:

interface <interface name> <interface number>

3. Use this command to bind the access list to the interface and to apply the filter to packets entering or exiting the interface:

ip access-group access-list-number {in | out}

Figure 7.7 displays a router with two networks directly attached to it. The router, Router C, has a large access list configuration defined, and if remarks weren’t used, the access list would be fairly complicated to fully understand. To add clarity to the access list, remarks have been defined within the list. Router C will be configured with a name−based access list and the appropriate remarks will be added within the access list. Listing 7.18 displays the configuration of Router C.

Figure 7.7: Router C permitting and denying traffic.
Listing 7.18: Commented named access list on Router C.

hostname Router-C
!
interface FastEthernet0/0
ip address 172.16.15.1 255.255.255.0
no ip directed-broadcast
!
interface Serial1/0
ip address 10.10.10.1 255.255.255.0
ip access-group Commented in
no ip directed-broadcast
!
ip access-list extended Commented
remark Deny any inbound request unless initiated from inside
permit tcp any 172.16.0.0 0.0.255.255 established
remark Permit mail traffic to this host
permit tcp any host 172.16.15.83 eq smtp
remark Permit telnet from XYZ company to our company
permit tcp 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255 -
eq telnet
remark Permit FTP from XYZ company to our company
permit tcp 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255 eq ftp
remark Allow DNS traffic to the internal DNS server
permit udp any host 172.16.15.84 eq domain
remark Deny all other traffic
deny ip any any

Router C has been configured with an extended name-based access list. Within the access list, remarks provide clarity on the function of each filter rule statement. As mentioned earlier, comments can also be added to numbered access lists. Using the same requirements that were listed with Listing 7.18, Router C can now be configured with a numbered access list that contains a remark for each filter rule. An extended numbered access list is used to accomplish the same thing Listing 7.18 accomplishes. Listing 7.19 displays the configuration of Router C using a numbered access list.
Listing 7.19: Commented numbered access list on Router C.

hostname Router-C
!
interface FastEthernet0/0
ip address 172.16.15.1 255.255.255.0
no ip directed-broadcast
!
interface Serial1/0
ip address 10.10.10.1 255.255.255.0
ip access-group 121 in
no ip directed-broadcast
!
access-list 121 remark Deny any inbound request
access-list 121 permit tcp any 172.16.0.0 0.0.255.255 -
established
access-list 121 remark Permit mail traffic to this host
access-list 121 permit tcp any host 172.16.15.83 eq smtp
access-list 121 remark Permit telnet from XYZ company
access-list 121 permit tcp 10.10.10.0 0.0.0.255 -
172.16.0.0 0.0.255.255 eq telnet
access-list 121 remark Permit FTP from XYZ company to our -
company
access-list 121 permit tcp 10.10.10.0 0.0.0.255 -
172.16.0.0 0.0.255.255 eq ftp
access-list 121 remark Allow DNS traffic to the internal DNS server
access-list 121 permit udp any host 172.16.15.84 eq domain
access-list 121 remark Deny all other traffic
access-list 121 deny ip any any

Note: Because of the format limitations of this book, some lines of code listed above have been broken with a hyphen.
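As an added example (not part of the original book text), the following Python audit reads an IOS access list in either form shown above, pairs each permit/deny entry with the remark directly above it, and reports rules that have no remark, remarks over the 100-character limit, and entries that do not parse (such as a line where the remark keyword was dropped). The sample configuration is constructed from Listing 7.19, and the function name audit_acl is my own.

```python
import re

# Constructed sample adapted from Listing 7.19 on this page: the "Allow DNS"
# line lacks the remark keyword and the telnet rule has no remark above it.
SAMPLE_ACL = """\
access-list 121 remark Deny any inbound request
access-list 121 permit tcp any 172.16.0.0 0.0.255.255 established
access-list 121 remark Permit mail traffic to this host
access-list 121 permit tcp any host 172.16.15.83 eq smtp
access-list 121 permit tcp 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255 eq telnet
access-list 121 Allow DNS traffic to the internal DNS server
access-list 121 permit udp any host 172.16.15.84 eq domain
access-list 121 remark Deny all other traffic
access-list 121 deny ip any any
"""

# Matches numbered entries ("access-list 121 permit ...") and bare named-list entries.
ENTRY_RE = re.compile(r"^(?:access-list\s+(\d+)\s+)?(remark|permit|deny)\s+(.+)$")
NAMED_RE = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)$")
REMARK_MAX = 100  # limit stated for the remark parameter

def audit_acl(text):
    """Pair every permit/deny with the remark directly above it. Returns
    (rules, findings): rules are (list_id, action, body, remark) tuples,
    findings are (line_number, message) for unparsable or undocumented entries."""
    rules, findings = [], []
    list_id, pending = None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        named = NAMED_RE.match(line)
        if named:  # header of a named list: entries below carry no number
            list_id, pending = named.group(1), None
            continue
        m = ENTRY_RE.match(line)
        if not m:
            findings.append((lineno, "unparsable entry (missing 'remark' keyword?)"))
            continue
        number, kind, body = m.groups()
        if kind == "remark":
            if len(body) > REMARK_MAX:
                findings.append((lineno, "remark exceeds 100 characters"))
            pending = body  # the nearest remark above a rule documents it
        else:
            if pending is None:
                findings.append((lineno, f"{kind} rule has no remark above it"))
            rules.append((number or list_id, kind, body, pending))
            pending = None
    return rules, findings
```

Running audit_acl(SAMPLE_ACL) flags lines 5, 6 and 7 of the sample; a list where every filter rule is preceded by a remark produces no findings.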
