ACL Object-groups now on Cisco IOS
October 29, 2008
A week of standby and late shifts does not really leave time to blog.
Cisco IOS 12.4(20)T has some neat new features. One in particular that I'm very excited about is ACL object-groups. Object-groups were very popular and widely used on PIX OS; they shrink complex and large ACL configurations in a production environment tremendously.
Being able to group ACE entries, you can easily add and remove entries while maintaining an ordered, more readable ACL structure and keeping the time spent on changes to a minimum. It provides a simple and intuitive mechanism for configuring and managing large ACLs, especially ones that change frequently.
You have two types of object-groups: network object groups and service object groups.
Network object groups allow you to group the following:
- Host IP addresses
- Ranges of IP addresses
- Other network object groups
Service object groups allow the following to be specified:
- Source and destination protocol ports (such as Telnet or SNMP)
- ICMP types (such as echo, echo-reply, or host-unreachable)
- Top-level protocols (such as TCP, UDP, or ESP)
- Other service object groups
Have a look at the following example of how to configure two departments' access to multiple servers.
Define network type objects to group IP hosts and networks:
    object-group network SALES
     range 10.50.1.23 10.50.1.45
    object-group network HR
Define network type objects for the servers:
    object-group network PROXY
    object-group network MAIL
Define service type objects to group your protocols and ports:
    object-group service WEB-PORTS
    object-group service MAIL-PORTS
Apply the object groups in any ACL configuration (the ACE order is service, source, destination):
    ip access-list extended My-OBJECT-ACL
     permit object-group WEB-PORTS object-group SALES object-group PROXY
     permit object-group MAIL-PORTS object-group HR object-group MAIL
     permit ip 10.1.1.0 0.0.0.255 any
Unfortunately, with this implementation 'sh ip access-list' does not show the dynamic entries of the ACL as the PIX does (which would be very handy, but hopefully it is in the pipeline), but you can confirm your configuration with:
    sh ip access-list
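Since IOS will not expand the groups for you, the following checker (added for this post, not Cisco code) parses object-group definitions from a running-config excerpt, follows nested group-object references, and lists the concrete entries each object-group ACE actually matches, so a change to a group can be reviewed before it hits the box. The members of HR, PROXY and WEB-PORTS in the sample are assumed; the post does not list them.

```python
import itertools
import re
# Constructed sample in the post's style; HR, PROXY and WEB-PORTS members are assumed.
SAMPLE_CONFIG = """object-group network SALES
 range 10.50.1.23 10.50.1.45
object-group network HR
 host 10.60.1.10
 group-object SALES
object-group network PROXY
 host 192.0.2.10
object-group service WEB-PORTS
 tcp eq 80
 tcp eq 443
ip access-list extended My-OBJECT-ACL
 permit object-group WEB-PORTS object-group HR object-group PROXY"""
GROUP = re.compile(r"object-group (?:network|service) (\S+)")
ACE = re.compile(r"(permit|deny) object-group (\S+) object-group (\S+) object-group (\S+)")

def parse_groups(config):
    # Map each object-group name to its member lines; nested 'group-object' refs stay verbatim.
    groups, current = {}, None
    for line in config.splitlines():
        if m := GROUP.match(line):
            current = groups.setdefault(m.group(1), [])
        elif not line.startswith(" "):
            current = None                      # left the object-group block
        elif current is not None:
            current.append(line.strip())
    return groups

def expand(groups, name, seen=()):
    # Flatten a group through nested references; a group that reaches itself is rejected.
    if name in seen:
        raise ValueError(f"object-group loop via {name}")
    out = []
    for member in groups[name]:                 # KeyError if the group was never defined
        if member.startswith("group-object "):
            out += expand(groups, member.split()[1], seen + (name,))
        else:
            out.append(member)
    return out

def flatten_acl(config):
    # Expand each object-group ACE into the (action, service, source, destination) entries it matches.
    groups, aces = parse_groups(config), []
    for line in config.splitlines():
        if m := ACE.match(line.strip()):
            action, *names = m.groups()
            for combo in itertools.product(*(expand(groups, n) for n in names)):
                aces.append((action, *combo))
    return aces
```

Feed it the output of 'show running-config | section object-group|ip access-list' and diff the flattened list before and after a group change.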