Here are a few ideas and tricks that will help you write access lists that are appropriate for your network.
You can add comments to access lists by using the remark keyword. Place any descriptive text you want after this keyword. Remarks work in named and numbered access lists:

    access-list 110 remark Block traffic to 192.168.1.0. They cause trouble
    access-list 110 deny ip 192.168.1.0 0.0.0.255 any
    access-list 110 remark Worker bob surfs the internet all day, so stop him
    access-list 110 deny tcp host 192.168.2.1 any eq www
Sometimes, we want to control traffic based on the time of day. For example, we might want to prevent staff members from browsing the Web during work hours. So far, we don't have a way to do that aside from reconfiguring access lists every day at 8 A.M. and 5 P.M. IOS provides an easy solution to this problem. We can use the time-range command to establish a time range; then we can apply the time range to access list rules, establishing times when the rule is active.

For example, let's build a time range that includes working hours on weekdays:

    ! This is a global command
    time-range block-http
     periodic weekdays 8:00 to 17:00
This time range has the name block-http and is periodic, which means that the time range repeats. (In contrast, a non-periodic time range has a single fixed starting and ending point.) Now, it is just a matter of adding the time range to a rule in an extended access list:
! Timed ...
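The following is a complete worked configuration added here as an illustration; it is not taken from the original text. It combines both tricks: the periodic time range defined above, an extended access list whose rules are documented with remarks, the time-range keyword attached to the rule that should only apply during working hours, and the list applied inbound on a LAN interface. The interface name, the 192.168.2.0/24 LAN address and the use of list number 110 are assumptions made for the example.

```cisco
! Constructed example, not from the original text.
! Recurring window during which web browsing from the LAN is denied.
time-range block-http
 periodic weekdays 8:00 to 17:00
!
! Extended list 110. A remark before each rule records why it exists.
access-list 110 remark Block traffic to 192.168.1.0. They cause trouble
access-list 110 deny ip 192.168.1.0 0.0.0.255 any
access-list 110 remark Deny HTTP from the LAN (assumed 192.168.2.0/24) during working hours only
access-list 110 deny tcp 192.168.2.0 0.0.0.255 any eq www time-range block-http
access-list 110 remark Allow everything else; without this the implicit deny drops all other traffic
access-list 110 permit ip any any
!
! Apply the list to traffic entering the router from the LAN (interface name assumed).
interface FastEthernet0/0
 ip access-group 110 in
```

Only the rule carrying the time-range keyword switches on and off; the other entries are in effect around the clock. Because IOS evaluates the time range against the router's own clock, the clock must be correct (set it, or better, synchronize it with ntp server) or the rule will activate at the wrong times. show time-range block-http reports whether the range is currently active, and show access-lists 110 shows the timed entry marked as active or inactive, which is the quickest way to confirm the behaviour you intended.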