ACL Object-groups now on Cisco IOS

General info 1 Minute

A week of standby and late shift is not really permitting of time to blog.

Cisco IOS 12.4(20)T, have some neat new features. One in particular that I’m very excited about, is ACL Obect-groups. Object-groups were very popular and widely used on  PIX-OS.  It minimizes complex and large ACL configurations, in production environment tremendously.

Being able to group ACE entries into groups, you can easily, add/remove entries, while maintaining ordered and more readable ACL structure, while keeping the time spend on changes to a minimum. It provides a simple and intuitive mechanism for configuring and managing large ACLs, especially ones that frequently change.

You have two types of objects-groups: network object groups and service object groups.

Network objects allows you to group the following:

  • Hostnames
  • Host IP addresses
  • Subnets
  • Ranges of IP addresses
  • Other network object groups

Service objects allows the following to be specified:

  • Source and destination protocol ports (such as Telnet or SNMP)
  • ICMP types ( such as echo, echo-reply, or host-unreachable)
  • Top-level protocols (such as TCP, UDP, or ESP)
  • Other service object groups

.
Have a look at the following example how to configure 2 departments to access multiple servers.
Define network type objects to group IP hosts and networks

object-group network SALES
host 10.20.20.1
range 10.50.1.23 10.50.1.45

object-group network HR
host 10.20.20.50
10.240.12.0 255.255.255.0

Define network type objects for the servers

object-group network PROXY
host 10.10.10.100
host 10.10.10.200

object-group network MAIL
10.10.10.16 255.255.255.240

Define a service type objects to group your protocols and ports

object-group service WEB-PORTS
tcp www
tcp 8080

object-group service MAIL-PORTS
tcp smtp
tcp pop3

Apply Object Groups in any ACL configurations

ip access-list ext My-OBJECT-ACL
permit object-group WEB-PORTS object-group SALES object-g PROXY
permit object-group MAIL-PORTS object-group HR object-group MAIL
permit ip 10.1.1.0 0.0.255 any

Unfortunately with this implementation, ‘sh ip access-list’ does not show the dynamic entries of the ACL like on PIX, (which would be very handy, but hopefully this is in the pipeline) but your can confirm you configuration with:

sh object-group
sh ip access-list

Advertisement

Published by Ruhann

Just another Network Engineer.

Published

One thought on “ACL Object-groups now on Cisco IOS

  1. If i have one ACL with object-group but that object-group is not present in configuration, what will be the impact.

    Reply

Please leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.