Name: Cisco Catalyst 6500 Series
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

10-23

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide

OL-6392-01

Chapter 10 Controlling Network Access with Access Control Lists

Simplifying Access Control Lists with Object Grouping

FWSM/contexta(config-network)# group-object eng

FWSM/contexta(config-network)# group-object hr

FWSM/contexta(config-network)# group-object finance

You only need to specify the admin object group in your ACE as follows:

FWSM/contexta(config)# access-list ACL_IN extended permit ip object-group admin host

209.165.201.29

Using Object Groups with an Access Control List

To use object groups in an ACL, replace the normal protocol (protocol), network (source_address mask,

etc.), service (operator port), or ICMP type (icmp_type) parameter with object-group grp_id.

For example, to use object groups for all available parameters in the access-list {tcp | udp} command,

enter the following command:

FWSM(config)# access-list

acl_name

[extended]

{deny | permit}

{tcp | udp} object-group

nw_grp_id

[object-group

svc_grp_id

]

object-group

nw_grp_id

[object-group

svc_grp_id

]

[log [[

level

] [interval

secs

] | disable | default]]

You do not have to use object groups for all parameters; for example, you can use an object group for

the source address, but identify the destination address with an address and mask.

The following normal ACL that does not use object groups restricts several hosts on the inside network

from accessing several web servers. All other traffic is allowed.

FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host

209.165.201.29 eq www

FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host

209.165.201.29 eq www

FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host

209.165.201.29 eq www

FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host

209.165.201.16 eq www

FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host

209.165.201.16 eq www

FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host

209.165.201.16 eq www

FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host

209.165.201.78 eq www

FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host

209.165.201.78 eq www

FWSM/contexta(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host

209.165.201.78 eq www

FWSM/contexta(config)# access-list ACL_IN extended permit ip any any

FWSM/contexta(config)# access-group ACL_IN in interface inside

If you make two network object groups, one for the inside hosts, and one for the web servers, then the

configuration can be simplified and can be easily modified to add more hosts:

FWSM/contexta(config)# object-group network denied

FWSM/contexta(config-network)# network-object host 10.1.1.4

FWSM/contexta(config-network)# network-object host 10.1.1.78

FWSM/contexta(config-network)# network-object host 10.1.1.89

FWSM/contexta(config-network)# object-group network web

FWSM/contexta(config-network)# network-object host 209.165.201.29

Brand

Cisco

Model

Catalyst 6500 Series

Cisco Catalyst 6500 Series User Manual

Table of Contents

Other manuals for Cisco Catalyst 6500 Series

Questions and Answers:

Cisco Catalyst 6500 Series Specifications

Related product manuals