Adding Remarks To Access Control Lists - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01
Chapter 10, Controlling Network Access with Access Control Lists, page 10-25

You might want to manually commit ACLs if you have one of the following situations:
• You are running scripts and want to make sure the ACL was committed in its entirety. With auto-commit, you might commit partial ACLs if you run into memory limitations or other errors in the middle of the ACL entry.
• You want to modify an ACL, such as inserting lines, but do not want to disrupt traffic. For example, with auto-commit, you cannot insert a line into an ACL. You have to create a new ACL (with the inserted line), and then change the ACL name that is assigned to the interface, causing a brief disruption. With manual commit, you can remove the ACL (from the configuration only; the committed copy stays in effect and keeps filtering traffic until the next commit), enter a modified ACL with the same name, and then commit the ACL. Because the ACL name is the same, you do not need to change the interface assignment, and there is no disruption of traffic.
• You want to add several ACEs to a large ACL at the command line, and do not want the ACL to commit before you finish making your additions. For example, if you enter a line at the end of a 40,000-line ACL, and you do not enter each additional line within a second of the last line, then the ACL commits each time you enter a line. A large ACL can take several minutes to commit, and you do not want to wait for the ACL to commit before entering the next line.
To enable manual commit, or to return to auto-commit mode, enter the following command:
FWSM/contexta(config)# access-list mode {manual-commit | auto-commit}
Auto-commit is the default.
To commit ACL changes in manual commit mode, enter the following command:
FWSM/contexta(config)# access-list commit
To view which ACLs are committed and which are uncommitted, enter the following command:
FWSM/contexta(config)# show access-list
If you enable manual commit, then you must remember to manually commit any changes you make to ACLs or other rules, whether the change is an addition or a subtraction. Also, you must manually commit an ACL before you assign it to an interface (access-group command); until it is committed, the ACL does not yet exist as far as the FWSM is concerned, so the interface assignment fails.

Adding Remarks to Access Control Lists

You can include remarks about entries in any ACL, including extended, EtherType, and standard ACLs. The remarks make the ACL easier to understand.
To add a remark after the last access-list command you entered, enter the following command:
FWSM/contexta(config)# access-list acl_id remark text
If you enter the remark before any access-list statements, then the remark is the first line in the ACL.
If you delete an ACL using the no access-list acl_id command, then all the remarks are also removed.
The text can be up to 100 characters in length. You can enter leading spaces at the beginning of the text. Trailing spaces are ignored.
For example, you can add a remark before each ACE, and the remark appears in the ACL in that location. Entering a dash (-) at the beginning of the remark helps set it apart from ACEs.
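The two procedures above, inserting a line into a live ACL under manual commit and documenting each ACE with a dash-prefixed remark, shown together as an added example session that is not taken from the guide. The context name contexta is the guide's; the ACL name ACL_IN, the host addresses and the description of the policy are assumptions for illustration only.

```cisco
! Switch this context to manual commit. From here on, nothing entered below
! takes effect until "access-list commit", so the copy of ACL_IN that is
! currently committed keeps filtering traffic on its interface unchanged.
FWSM/contexta(config)# access-list mode manual-commit

! Remove the ACL from the configuration. In manual-commit mode this does not
! touch the committed copy, so the interface is never left without its ACL.
! The remarks are removed together with the ACEs and must be re-entered.
FWSM/contexta(config)# no access-list ACL_IN

! Re-enter the ACL under the same name, with the new ACE (the DNS line) in the
! middle, which auto-commit mode could not do in place. Each remark goes in
! immediately before the ACE it describes; the leading dash sets remarks
! apart from ACEs in "show access-list" output. (Addresses are assumed.)
FWSM/contexta(config)# access-list ACL_IN remark - Inbound policy, outside interface
FWSM/contexta(config)# access-list ACL_IN remark - Allow web traffic to the DMZ web server
FWSM/contexta(config)# access-list ACL_IN extended permit tcp any host 192.0.2.10 eq www
FWSM/contexta(config)# access-list ACL_IN remark - Inserted: allow DNS queries to the resolver
FWSM/contexta(config)# access-list ACL_IN extended permit udp any host 192.0.2.53 eq domain
FWSM/contexta(config)# access-list ACL_IN remark - Deny and log everything else
FWSM/contexta(config)# access-list ACL_IN extended deny ip any any log

! Commit the whole ACL as one unit. The name did not change, so the existing
! access-group binding on the interface needs no edit and traffic is not
! disrupted.
FWSM/contexta(config)# access-list commit

! Confirm ACL_IN now shows as committed and that nothing else is left
! uncommitted before leaving the session.
FWSM/contexta(config)# show access-list

! Return to the default mode once the change is done, so that later edits are
! not silently held back waiting for a commit.
FWSM/contexta(config)# access-list mode auto-commit
```

The step to watch is the window between no access-list ACL_IN and access-list commit: the configuration no longer contains the ACL while the committed ruleset still enforces it. Forgetting the commit leaves that divergence in place indefinitely, so check show access-list for uncommitted entries before returning the context to auto-commit or saving the configuration.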
