Configuring IP Services

Filtering IP Packets Using Access Lists

time-range command is described in the “Performing Basic System Management” chapter of the Cisco IOS Configuration Fundamentals Configuration Guide. See the “Time Range Applied to an IP Access List Example” section at the end of this chapter for a configuration example of IP time ranges.

Possible benefits of using time ranges include the following:

The network administrator has more control over permitting or denying a user access to resources. These resources could be an application (identified by an IP address/mask pair and a port number), policy routing, or an on-demand link (identified as interesting traffic to the dialer).

Network administrators can set time-based security policy, including the following:

Perimeter security using the Cisco IOS Firewall feature set or access lists

Data confidentiality with Cisco Encryption Technology or IP Security Protocol (IPSec)

Policy-based routing (PBR) and queueing functions are enhanced.

When provider access rates vary by time of day, it is possible to automatically reroute traffic cost effectively.

Service providers can dynamically change a committed access rate (CAR) configuration to support the quality of service (QoS) service level agreements (SLAs) that are negotiated for certain times of day.

Network administrators can control logging messages. Access list entries can log traffic at certain times of the day, but not constantly. Therefore, administrators can simply deny access without needing to analyze many logs generated during peak hours.

Including Comments About Entries in Access Lists

You can include comments (remarks) about entries in any named IP access list using the remark access-list configuration command. The remarks make the access list easier for the network administrator to understand and scan. Each remark line is limited to 100 characters.

The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements. The standard and extended access list task tables in the previous sections “Creating Standard and Extended Access Lists Using Numbers” and “Creating Standard and Extended Access Lists Using Names” include the remark command. See the “Commented IP Access List Entry Examples” section at the end of this chapter for examples of commented IP access list entries.

Remember to apply the access list to an interface or terminal line after the access list is created. See the following section “Applying Access Lists” for more information.

Applying Access Lists

After creating an access list, you must reference the access list to make it work. To use an access list, perform the tasks described in the following sections. The tasks in the first section are required; the tasks in the remaining sections are optional:

Controlling Access to a Line or Interface (Required)

Controlling Policy Routing and the Filtering of Routing Information (Optional)

Controlling Dialer Functions (Optional)
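The following configuration is an added example, not taken from this guide or from the “Time Range Applied to an IP Access List Example” section it refers to. It ties the three preceding topics together: a time range, a named extended access list whose entries use that time range and carry a remark before each permit or deny statement, and the access list applied to an interface so that it takes effect. The time-range names, access-list name, network 10.1.1.0/24 and interface FastEthernet0/0 are all made up for illustration.

```cisco
! Recurring window: weekdays 08:00-18:00 by the router's clock
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00
!
! Complement of the business window, built from several periodic lines
time-range AFTER-HOURS
 periodic weekdays 0:00 to 7:59
 periodic weekdays 18:01 to 23:59
 periodic weekend 0:00 to 23:59
!
ip access-list extended OUTBOUND-FILTER
 remark Permit web traffic from the LAN only during business hours
 permit tcp 10.1.1.0 0.0.0.255 any eq www time-range BUSINESS-HOURS
 remark Log denied telnet attempts only after hours to keep daytime log volume down
 deny tcp any any eq telnet log time-range AFTER-HOURS
 remark Telnet is denied at all other times as well, just without logging
 deny tcp any any eq telnet
 remark Everything else is denied at all times
 deny ip any any
!
! The list does nothing until it is referenced on an interface
interface FastEthernet0/0
 ip access-group OUTBOUND-FILTER in
```

Outside the BUSINESS-HOURS window the permit entry is inactive and is skipped, so LAN web traffic falls through to the final deny; during the window the telnet deny entry with log is inactive and the plain deny entry matches instead, so the denial itself is continuous and only the logging is time-limited. Whether an entry is currently active or inactive can be confirmed with show time-range and show ip access-lists. Because all of this is evaluated against the router's system clock, an inaccurate clock silently shifts the windows, so keep the clock synchronized (for example with NTP) before relying on time-based entries.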

Cisco IOS IP Configuration Guide

IPC-98
