10-18
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 10 Controlling Network Access with Access Control Lists
Simplifying Access Control Lists with Object Grouping
The following command adds a standard ACE. To add another ACE at the end of the ACL, enter another
access-list command specifying the same ACL name. Apply the ACL using the “Adding a Route Map”
section on page 8-6.
To add an ACE, enter the following command:
FWSM(config)# access-list
acl_name
standard {deny | permit} {any |
ip_address
mask
}
The following sample ACL identifies routes to 192.168.1.0/24:
FWSM(config)# access-list OSPF standard permit 192.168.1.0 255.255.255.0
Simplifying Access Control Lists with Object Grouping
This section describes how to use object grouping to simplify ACL creation and maintenance, and
includes the following topics:
• How Object Grouping Works, page 10-18
• Adding Object Groups, page 10-19
• Nesting Object Groups, page 10-22
• Displaying Object Groups, page 10-24
• Removing Object Groups, page 10-24
• Using Object Groups with an Access Control List, page 10-23
How Object Grouping Works
By grouping like-objects together, you can use the object group in an ACE instead of having to enter an
ACE for each object separately. You can create the following types of object groups:
• Protocol
• Network
• Service
• ICMP type
For example, consider the following three object groups:
• MyServices—Includes the TCP and UDP port numbers of the service requests that are allowed
access to the internal network
• TrustedHosts—Includes the host and network addresses allowed access to the greatest range of
services and servers
• PublicServers—Includes the host addresses of servers to which the greatest access is provided
After creating these groups, you could use a single ACE to allow trusted hosts to make specific service
requests to a group of public servers.
You can also nest object groups in other object groups.
To Next Page
Loading...
Need help?
General