ACL Object-groups now on Cisco IOS

A week of standby and late shift is not really permitting of time to blog.

Cisco IOS 12.4(20)T, have some neat new features. One in particular that I’m very excited about, is ACL Obect-groups. Object-groups were very popular and widely used on  PIX-OS.  It minimizes complex and large ACL configurations, in production environment tremendously.

Being able to group ACE entries into groups, you can easily, add/remove entries, while maintaining ordered and more readable ACL structure, while keeping the time spend on changes to a minimum. It provides a simple and intuitive mechanism for configuring and managing large ACLs, especially ones that frequently change.

You have two types of objects-groups: network object groups and service object groups.

Network objects allows you to group the following:

  • Hostnames
  • Host IP addresses
  • Subnets
  • Ranges of IP addresses
  • Other network object groups

Service objects allows the following to be specified:

  • Source and destination protocol ports (such as Telnet or SNMP)
  • ICMP types ( such as echo, echo-reply, or host-unreachable)
  • Top-level protocols (such as TCP, UDP, or ESP)
  • Other service object groups

Have a look at the following example how to configure 2 departments to access multiple servers.
Define network type objects to group IP hosts and networks

object-group network SALES

object-group network HR

Define network type objects for the servers

object-group network PROXY

object-group network MAIL

Define a service type objects to group your protocols and ports

object-group service WEB-PORTS
tcp www
tcp 8080

object-group service MAIL-PORTS
tcp smtp
tcp pop3

Apply Object Groups in any ACL configurations

ip access-list ext My-OBJECT-ACL
permit object-group WEB-PORTS object
-group SALES object-g PROXY
permit object-group MAIL-PORTS object
-group HR object-group MAIL
permit ip 0.0.255 any

Unfortunately with this implementation, ‘sh ip access-list’ does not show the dynamic entries of the ACL like on PIX, (which would be very handy, but hopefully this is in the pipeline) but your can confirm you configuration with:

sh object-group
sh ip access-list


One thought on “ACL Object-groups now on Cisco IOS

  1. If i have one ACL with object-group but that object-group is not present in configuration, what will be the impact.

Please leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.