Commented IP Access List Entries

The Commented IP Access List Entries feature allows you to include comments or remarks about deny or permit conditions in any IP access list. These remarks make access lists easier for network administrators to understand. Each remark is limited to 100 characters in length.

This module provides information about the Commented IP Access List Entries feature.

Your software release may not support all the features that are documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. The Feature Information Table at the end of this document provides information about the documented features and lists the releases in which each feature is supported.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http://www.cisco.com/ is not required.

Contents

Hardware Compatibility Matrix for the Cisco cBR Series Routers


Note


The hardware components that are introduced in a given Cisco IOS-XE Release are supported in all subsequent releases unless otherwise specified.
Table 1. Hardware Compatibility Matrix for the Cisco cBR Series Routers

Cisco CMTS Platform

Processor Engine

Interface Cards

Cisco cBR-8 Converged Broadband Router

Cisco IOS-XE Release 16.5.1 and Later Releases

Cisco cBR-8 Supervisor:

  • PID—CBR-SUP-250G

  • PID—CBR-CCAP-SUP-160G

Cisco IOS-XE Release 16.5.1 and Later Releases

Cisco cBR-8 CCAP Line Cards:

  • PID—CBR-LC-8D30-16U30

  • PID—CBR-LC-8D31-16U30

  • PID—CBR-RF-PIC

  • PID—CBR-RF-PROT-PIC

  • PID—CBR-CCAP-LC-40G

  • PID—CBR-CCAP-LC-40G-R

  • PID—CBR-CCAP-LC-G2-R

  • PID—CBR-SUP-8X10G-PIC

  • PID—CBR-2X100G-PIC

Digital PICs:

  • PID—CBR-DPIC-8X10G

  • PID—CBR-DPIC-2X100G

Cisco cBR-8 Downstream PHY Module:

  • PID—CBR-D31-DS-MOD

Cisco cBR-8 Upstream PHY Modules:

  • PID—CBR-D31-US-MOD


Note


Do not use DPICs (8X10G and 2x100G) to forward IP traffic, as it may cause buffer exhaustion, leading to line card reload.

The only allowed traffic on a DPICs DEPI, UEPI, and GCP traffic from the Cisco cBR-8 router to Remote PHY devices. Other traffic such as DHCP, SSH, and UTSC should flow via another router, since DPICs cannot be used for normal routing.


Information About Commented IP Access List Entries

Benefits of IP Access Lists

Access control lists (ACLs) perform packet filtering to control the flow of packets through a network. Packet filtering can restrict the access of users and devices to a network, providing a measure of security. Access lists can save network resources by reducing traffic. The benefits of using access lists are as follows:
  • Authenticate incoming rsh and rcp requests—Access lists can simplify the identification of local users, remote hosts, and remote users in an authentication database that is configured to control access to a device. The authentication database enables Cisco software to receive incoming remote shell (rsh) and remote copy (rcp) protocol requests.

  • Block unwanted traffic or users—Access lists can filter incoming or outgoing packets on an interface, thereby controlling access to a network based on source addresses, destination addresses, or user authentication. You can also use access lists to determine the types of traffic that are forwarded or blocked at device interfaces. For example, you can use access lists to permit e-mail traffic to be routed through a network and to block all Telnet traffic from entering the network.

  • Control access to vty—Access lists on an inbound vty (Telnet) can control who can access the lines to a device. Access lists on an outbound vty can control the destinations that the lines from a device can reach.

  • Identify or classify traffic for QoS features—Access lists provide congestion avoidance by setting the IP precedence for Weighted Random Early Detection (WRED) and committed access rate (CAR). Access lists also provide congestion management for class-based weighted fair queueing (CBWFQ), priority queueing, and custom queueing.

  • Limit debug command output—Access lists can limit debug output based on an IP address or a protocol.

  • Provide bandwidth control—Access lists on a slow link can prevent excess traffic on a network.

  • Provide NAT control—Access lists can control which addresses are translated by Network Address Translation (NAT).

  • Reduce the chance of DoS attacks—Access lists reduce the chance of denial-of-service (DoS) attacks. Specify IP source addresses to control traffic from hosts, networks, or users from accessing your network. Configure the TCP Intercept feature to can prevent servers from being flooded with requests for connection.

  • Restrict the content of routing updates—Access lists can control routing updates that are sent, received, or redistributed in networks.

  • Trigger dial-on-demand calls—Access lists can enforce dial and disconnect criteria.

Access List Remarks

You can include comments or remarks about entries in any IP access list. An access list remark is an optional remark before or after an access list entry that describes the entry so that you do not have to interpret the purpose of the entry. Each remark is limited to 100 characters in length.

The remark can go before or after a permit or deny statement. Be consistent about where you add remarks. Users may be confused if some remarks precede the associated permit or deny statements and some remarks follow the associated statements.

The following is an example of a remark that describes function of the subsequent deny statement:


ip access-list extended telnetting
 remark Do not allow host1 subnet to telnet out
 deny tcp host 172.16.2.88 any eq telnet

How to Configure Commented IP Access List Entries

Writing Remarks in a Named or Numbered Access List

You can use a named or numbered access list configuration. You must apply the access list to an interface or terminal line after the access list is created for the configuration to work.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip access-list {standard | extended} {name | number}
  4. remark remark
  5. deny protocol host host-address any eq port
  6. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable
Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ip access-list {standard | extended} {name | number}

Example:

Device(config)# ip access-list extended telnetting

Identifies the access list by a name or number and enters extended named access list configuration mode.

Step 4

remark remark

Example:

Device(config-ext-nacl)# remark Do not allow host1 subnet to telnet out
Adds a remark for an entry in a named IP access list.
  • The remark indicates the purpose of the permit or deny statement.

Step 5

deny protocol host host-address any eq port

Example:

Device(config-ext-nacl)# deny tcp host 172.16.2.88 any eq telnet

Sets conditions in a named IP access list that denies packets.

Step 6

end

Example:

Device(config-ext-nacl)# end

Exits extended named access list configuration mode and enters privileged EXEC mode.

Additional References for Commented IP Access List Entries

Related Documents

Related Topic

Document Title

Security commands

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for Commented IP Access List Entries

Use Cisco Feature Navigator to find information about the platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to the https://cfnng.cisco.com/ link. An account on the Cisco.com page is not required.


Note


The following table lists the software release in which a given feature is introduced. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Table 2. Feature Information for Commented IP Access List Entries

Feature Name

Releases

Feature Information

IP Access Lists

Cisco IOS XE Fuji 16.7.1

This feature was integrated into Cisco IOS XE Fuji 16.7.1 on theCisco cBR Series Converged Broadband Routers.