O'Reilly logo

CISCO IOS in a Nutshell by James Boney

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Specific Topics

Here are a few ideas and tricks that will help you write access lists that are appropriate for your network.

Adding Comments to an Access List

You can add comments to access lists by using the remark keyword. Place any descriptive text you want after this keyword. Remarks work in named and numbered access lists.

access-list 110 remark Block traffic to 192.168.1.0. They cause trouble
access-list 110 deny ip 192.168.1.0 0.0.0.255 any
access-list 110 remark Worker bob surfs the internet all day, so stop him
access-list 110 deny tcp host 192.168.2.1 any eq www

Timed Access Lists

Sometimes, we want to control traffic based on the time of day. For example, we might want to prevent staff members from browsing the Web during work hours. So far, we don’t have a way to do that aside from reconfiguring access lists every day at 8 A.M. and 5 P.M. IOS provides an easy solution to this problem. We can use the time-range command to establish a time range; then we can apply the time range to access list rules, establishing times when the rule is active.

For example, let’s build a time range that includes working hours on weekdays:

! This is a global command
time-range block-http
  periodic weekdays 8:00 to 17:00

This time range has the name block-http and is periodic , which means that the time range repeats. (In contrast, an absolute time range has a single fixed starting and ending point.) Now, it is just a matter of adding the time range to a rule in an extended access list:

! Timed ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required