Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 10 Controlling Network Access with Access Control Lists
You might want to manually commit ACLs if you have one of the following situations:
• You are running scripts and want to make sure the ACL was committed in its entirety. With
auto-commit, you might commit partial ACLs if you run into memory limitations or other errors in
the middle of the ACL entry.
• You want to modify an ACL, such as inserting lines, but do not want to disrupt traffic. For example,
with auto-commit, you cannot insert a line into an ACL. You have to create a new ACL (with the
inserted line), and then change the ACL name that is assigned to the interface, causing a brief
disruption. With manual commit, you can remove the ACL (from the configuration; not from
running), enter a modified ACL with the same name, and then commit the ACL. Because the ACL
name is the same, you do not need to change the interface assignment, and there is no disruption of
traffic.
• You want to add several ACEs to a large ACL at the command line, and do not want the ACL to
commit before you finish making your additions. For example, if you enter a line at the end of a
40,000 line ACL, and you do not enter each additional line within a second of the last line, then the
ACL will commit each time you enter a line. A large ACL can take several minutes to commit, and
you do not want to wait for the ACL to commit before entering the next line.
If you enable manual commit, then you must remember to manually commit any changes you make to
ACLs or other rules, whether the change is an addition or a subtraction. Also, you must manually commit
an ACL before you assign it to an interface (access-group command); the FWSM cannot assign an ACL
to an interface if the ACL does not exist yet.
• To enable manual commit, or to return to auto-commit mode, enter the following command:
FWSM/contexta(config)# access-list mode {manual-commit | auto-commit}
Auto-commit is the default.
• To commit ACL changes in manual commit mode, enter the following command:
FWSM/contexta(config)# access-list commit
• To view which ACLs are committed and which are uncommitted, enter the following command:
FWSM/contexta(config)# show access-list
Adding Remarks to Access Control Lists
You can include remarks about entries in any ACL, including extended, EtherType, and standard ACLs.
The remarks make the ACL easier to understand.
To add a remark after the last access-list command you entered, enter the following command:
FWSM/contexta(config)# access-list acl_id remark text
If you enter the remark before any access-list statements, then the remark is the first line in the ACL.
If you delete an ACL using the no access-list acl_id command, then all the remarks are also removed.
The text can be up to 100 characters in length. You can enter leading spaces at the beginning of the text.
Trailing spaces are ignored.
For example, you can add remarks before each ACE, and the remark appears in the ACL in this location.
Entering a dash (-) at the beginning of the remark helps set it apart from ACEs.
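As an added example that is not part of the guide, the following session combines the non-disruptive edit described under manual commit with remarks placed before each ACE. The ACL name OUTSIDE_IN and the host addresses are constructed for illustration, and the extended ACE syntax (access-list acl_id extended permit|deny ...) is assumed from the FWSM access-list command rather than taken from this page.

```text
! Switch the context to manual-commit mode (auto-commit is the default)
FWSM/contexta(config)# access-list mode manual-commit

! Remove OUTSIDE_IN from the configuration only; the committed copy keeps
! filtering traffic on its interface until the replacement is committed
FWSM/contexta(config)# no access-list OUTSIDE_IN

! Re-enter the ACL under the same name with the new ACE inserted where it
! belongs; a dashed remark before each ACE sets it apart in show output
FWSM/contexta(config)# access-list OUTSIDE_IN remark - web server (constructed address)
FWSM/contexta(config)# access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 80
FWSM/contexta(config)# access-list OUTSIDE_IN remark - inserted line: mail relay (constructed address)
FWSM/contexta(config)# access-list OUTSIDE_IN extended permit tcp any host 192.0.2.25 eq 25
FWSM/contexta(config)# access-list OUTSIDE_IN remark - explicit deny of everything else
FWSM/contexta(config)# access-list OUTSIDE_IN extended deny ip any any

! None of the lines above is active yet; commit the whole ACL in one step
FWSM/contexta(config)# access-list commit

! Verify that nothing remains uncommitted; the access-group assignment is
! untouched because the ACL name did not change, so traffic is not disrupted
FWSM/contexta(config)# show access-list
```

Until access-list commit is entered, the interface continues to use the previously committed OUTSIDE_IN, which is what makes the edit non-disruptive.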