Organizing and Managing ACE

It is common for a Cisco Security Appliance to carry several access lists, each with many
access-list elements (ACEs). Managing them can become arduous, especially in the following
situations:
■ Identifying the reason for each ACE in an access list, because software releases earlier
than version 6.3 do not support descriptions or comments on ACEs
■ Removing a single ACE from an access list at the command line on software earlier than
version 6.3, which is a several-step process
Configuring a remark, or comment, lets you and other administrators understand and
identify access-list entries. Cisco Security Appliances let you include comments about entries
in any access control list (ACL). A remark can be up to 100 characters long and can precede or
follow an access-list command. The following is the syntax for configuring an access-list
remark:
access-list acl-id remark text
The ACL remark can be placed before or after an access-list command statement, but it
should be placed in a consistent position so that it is clear which remark describes which
access-list command. For example, it would be confusing to have some remarks before the
associated access-list commands and some remarks after the associated access-list
commands. Example 7-3 shows a sample configuration that creates comments for ACEs.
In addition to remarks, version 6.3 and later number the elements of an access list. Each
ACE and remark has an associated line number, and those line numbers can be used to insert
or delete elements at any position in the access list. The numbers are maintained internally,
in increasing order starting from 1, with one line number per ACE, so the appliance renumbers
the remaining elements whenever an element is inserted or deleted.
Example 7-3 Configuring Comments for ACEs
Pixfw(config)#access-list 115 remark Allow network engineering group to telnet
Pixfw(config)#access-list 115 permit tcp 192.168.1.0 255.255.255.224 host 10.10.100.20 eq telnet
Pixfw(config)#access-list 115 remark Allow sales group to login
Pixfw(config)#access-list 115 permit tcp 192.168.3.0 255.255.255.224 host 10.10.100.12
NOTE All ACEs that result from a single access-list command referencing an object group
share a single line number. Consequently, you cannot insert an ACE in the middle of the
expanded object-group ACEs; you can only insert before or after the whole group.
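The following session is an added example, not part of Example 7-3 or the original text. It continues the access list built in Example 7-3 on a version 6.3 appliance and uses the line keyword (access-list acl-id line line-num ...) to insert a remark/ACE pair at a chosen position and then remove a single ACE by its line number. The helpdesk subnet 192.168.2.0/27, the ticketing server 10.10.100.30, and the show access-list output (reconstructed from the 6.3 format, including the hit counters) are assumptions; confirm the exact output and the accepted forms of the no access-list command against the command reference for your release.

```cisco
! Starting point: the two remark/ACE pairs from Example 7-3, as the
! appliance numbers them (output reconstructed; verify on your device).
Pixfw(config)#show access-list 115
access-list 115 line 1 remark Allow network engineering group to telnet
access-list 115 line 2 permit tcp 192.168.1.0 255.255.255.224 host 10.10.100.20 eq telnet (hitcnt=0)
access-list 115 line 3 remark Allow sales group to login
access-list 115 line 4 permit tcp 192.168.3.0 255.255.255.224 host 10.10.100.12 (hitcnt=0)

! Insert a new remark/ACE pair ahead of the sales entries. The remark goes
! in at line 3 and pushes the old line 3 and 4 down; the ACE then goes in
! at line 4, directly under its remark. (Assumed addresses.)
Pixfw(config)#access-list 115 line 3 remark Allow helpdesk to reach the ticketing server
Pixfw(config)#access-list 115 line 4 permit tcp 192.168.2.0 255.255.255.224 host 10.10.100.30 eq www

! The appliance renumbers everything below the insertion point.
Pixfw(config)#show access-list 115
access-list 115 line 1 remark Allow network engineering group to telnet
access-list 115 line 2 permit tcp 192.168.1.0 255.255.255.224 host 10.10.100.20 eq telnet (hitcnt=0)
access-list 115 line 3 remark Allow helpdesk to reach the ticketing server
access-list 115 line 4 permit tcp 192.168.2.0 255.255.255.224 host 10.10.100.30 eq www (hitcnt=0)
access-list 115 line 5 remark Allow sales group to login
access-list 115 line 6 permit tcp 192.168.3.0 255.255.255.224 host 10.10.100.12 (hitcnt=0)

! Remove one ACE by line number, repeating the ACE text so the command is
! unambiguous. The remark at line 5 stays and should be removed the same way.
Pixfw(config)#no access-list 115 line 6 permit tcp 192.168.3.0 255.255.255.224 host 10.10.100.12
Pixfw(config)#no access-list 115 line 5 remark Allow sales group to login

Pixfw(config)#show access-list 115
access-list 115 line 1 remark Allow network engineering group to telnet
access-list 115 line 2 permit tcp 192.168.1.0 255.255.255.224 host 10.10.100.20 eq telnet (hitcnt=0)
access-list 115 line 3 remark Allow helpdesk to reach the ticketing server
access-list 115 line 4 permit tcp 192.168.2.0 255.255.255.224 host 10.10.100.30 eq www (hitcnt=0)
```

Because the appliance evaluates an access list from the top and stops at the first matching ACE, the line at which you insert a permit or deny changes which traffic is allowed; always run show access-list after an insertion to confirm the resulting order before relying on it. Remember also that if line 2 above had referenced an object group, every ACE expanded from it would share line number 2, and a later insert at line 3 would land after the entire expanded group, not inside it.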