ACL Object-groups now on Cisco IOS

October 29, 2008

A week of standby and late shifts does not really leave time to blog.

Cisco IOS 12.4(20)T has some neat new features. One in particular that I’m very excited about is ACL object-groups. Object-groups were very popular and widely used on PIX OS. They shrink complex and large ACL configurations in production environments tremendously.

By grouping ACE entries, you can easily add or remove entries while maintaining an ordered and more readable ACL structure, and you keep the time spent on changes to a minimum. Object-groups provide a simple and intuitive mechanism for configuring and managing large ACLs, especially ones that change frequently.

There are two types of object-groups: network object-groups and service object-groups.

Network object-groups let you group the following:

  • Hostnames
  • Host IP addresses
  • Subnets
  • Ranges of IP addresses
  • Other network object groups

Service object-groups let you specify the following:

  • Source and destination protocol ports (such as Telnet or SNMP)
  • ICMP types (such as echo, echo-reply, or host-unreachable)
  • Top-level protocols (such as TCP, UDP, or ESP)
  • Other service object groups

Have a look at the following example of how to configure two departments to access multiple servers.

Define network object-groups to group IP hosts and networks:

object-group network SALES
host 10.20.20.1
range 10.50.1.23 10.50.1.45

object-group network HR
host 10.20.20.50
10.240.12.0 255.255.255.0

Define network object-groups for the servers:

object-group network PROXY
host 10.10.10.100
host 10.10.10.200

object-group network MAIL
10.10.10.16 255.255.255.240

Define service object-groups to group your protocols and ports:

object-group service WEB-PORTS
tcp www
tcp 8080

object-group service MAIL-PORTS
tcp smtp
tcp pop3

Apply the object-groups in any ACL configuration:

ip access-list extended My-OBJECT-ACL
permit object-group WEB-PORTS object-group SALES object-group PROXY
permit object-group MAIL-PORTS object-group HR object-group MAIL
permit ip 10.1.1.0 0.0.0.255 any

Unfortunately, with this implementation ‘sh ip access-list’ does not show the dynamic entries of the ACL as it does on PIX (which would be very handy, but hopefully this is in the pipeline), but you can confirm your configuration with:

sh object-group
sh ip access-list
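As an added example (not from the post), the following Python expands the post's object-group ACL into the flat per-member view that the author notes ‘sh ip access-list’ does not display on this release. It assumes the post's own configuration in running-config order (groups before the ACL) and handles the ‘permit/deny object-group SERVICE object-group SOURCE object-group DESTINATION’ ACE form; literal ACEs are passed through unchanged.

```python
import re
CONFIG = """\
object-group network SALES
 host 10.20.20.1
 range 10.50.1.23 10.50.1.45
object-group network HR
 host 10.20.20.50
 10.240.12.0 255.255.255.0
object-group network PROXY
 host 10.10.10.100
 host 10.10.10.200
object-group network MAIL
 10.10.10.16 255.255.255.240
object-group service WEB-PORTS
 tcp www
 tcp 8080
object-group service MAIL-PORTS
 tcp smtp
 tcp pop3
ip access-list extended My-OBJECT-ACL
 permit object-group WEB-PORTS object-group SALES object-group PROXY
 permit object-group MAIL-PORTS object-group HR object-group MAIL
 permit ip 10.1.1.0 0.0.0.255 any
"""  # constructed sample: the post's configuration, in IOS running-config order

def parse_groups(config):
    """Map each object-group name to its member lines."""
    groups, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"object-group (?:network|service) (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif line.startswith("ip access-list"):
            current = None  # ACEs are not group members
        elif current is not None and line:
            current.append(line)
    return groups

def expand_acl(config):
    """One flat 'action service source -> destination' line per member combination."""
    groups = parse_groups(config)
    ace = re.compile(r"(permit|deny) object-group (\S+) object-group (\S+) object-group (\S+)$")
    rules = []
    for line in map(str.strip, config.splitlines()):
        if m := ace.match(line):
            act, svc, src, dst = m.groups()
            rules += [f"{act} {s} {a} -> {d}" for s in groups[svc] for a in groups[src] for d in groups[dst]]
        elif re.match(r"(permit|deny) ", line):
            rules.append(line)  # literal ACE is already flat
    return rules
```

Running `print("\n".join(expand_acl(CONFIG)))` lists 13 effective rules (8 from the WEB-PORTS ACE, 4 from the MAIL-PORTS ACE, plus the literal one), which is the view to compare against ‘sh object-group’ before and after a change.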

One comment

  1. If I have one ACL with an object-group, but that object-group is not present in the configuration, what will be the impact?
