62-39
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
applied to the ingress traffic from Host A, the VACL is applied to the traffic, and finally the input
Router ACL is applied to the traffic that needs routing (that is, the merged results of the input PACL,
VACL, and input Router ACL are applied to the traffic).
Configuring Object Group ACLs
Object groups provide an alternative way of dealing with ACLs.
Instead of allowing or disallowing individual IP addresses, protocols, and ports (which are used in
conventional ACLs), you can use each ACE to allow or disallow an entire group of users to access a
group of servers or services.
Object groups enable you to group ACE entries and add or remove entries while keeping your ACL
structure more readable. Object group ACLs (OG ACLs) are especially suited to help you manage large
ACLs that require frequent changing. Cisco IOS Firewall benefits from object groups, because they
simplify policy creation (for example, group A has access to group A services).
Beginning with Cisco IOS XE Release 3.7.1E, object groups are supported for IPv4 ACLs (IPv4 OG
ACLs), and with Cisco IOS XE Release 3.9.2E, for IPv6 ACLs (IPv6 OG ACLs). The feature is
supported only on Cisco Catalyst 4500E Series Switches with Supervisor Engines 7-E, 7L-E, and 8-E,
and Cisco Catalyst 4500-X Series Switches.
See the following sections for more information:
• Overview, page 62-39
• Configuring IPv4 OG ACLs, page 62-40
• Configuring IPv6 OG ACLs, page 62-46
Overview
All features that use or reference conventional ACLs are compatible with OG ACLs. This feature extends
the conventional ACLs to support OG ACLs and adds new keywords for specifying the source and destination
addresses and ports as object groups.
To configure OG ACLs, you first create one or more object groups. These can be any combination of
network object groups or service object groups. You then create ACEs that apply a policy (such as permit
or deny) to those object groups.
A network object group includes the following objects:
• Host IP addresses
• Network address of group members
• Nested object groups
A service object group includes the following objects:
• Source and destination protocol ports (such as Telnet or Simple Network Management Protocol [SNMP])
• Internet Control Message Protocol (ICMP) types (such as echo, echo-reply, or host-unreachable)
• Top-level protocols (such as Encapsulating Security Payload [ESP], TCP, or UDP)
• Other service object groups
You can configure an OG ACL multiple times with a source group only, a destination group only, or both
source and destination groups.
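The following IOS configuration is an added example written for this page, not a sample from the guide itself: it builds the network and service object groups listed above (host addresses, a subnet, ICMP types, a top-level protocol, and nested groups) and then references them from a single ACE, in the order the overview describes. The group names, addresses, and interface are constructed for illustration.

```cisco
! Added example: group names, addresses, and interface are constructed, not from the guide.
! Step 1: network object groups (host addresses, a network address, a nested group)
object-group network ADMIN_HOSTS
 description Administrator workstations (constructed addresses)
 host 192.0.2.10
 host 192.0.2.11
object-group network MGMT_NETS
 description Management subnet plus the nested ADMIN_HOSTS group
 198.51.100.0 255.255.255.0
 group-object ADMIN_HOSTS
object-group network MGMT_SERVERS
 description Servers that management sources are allowed to reach
 host 203.0.113.5
 host 203.0.113.6
! Step 2: service object groups (ports, ICMP types, top-level protocol, a nested group)
object-group service ADMIN_SERVICES
 description SSH and SNMP
 tcp eq 22
 udp eq snmp
object-group service MGMT_SERVICES
 description ICMP echo and IPsec ESP on top of the nested ADMIN_SERVICES
 icmp echo
 icmp echo-reply
 esp
 group-object ADMIN_SERVICES
! Step 3: one ACE applies the policy to a service group plus source and destination groups;
! the next ACE denies everything else bound for the servers before the general permit
ip access-list extended MGMT_OG_ACL
 permit object-group MGMT_SERVICES object-group MGMT_NETS object-group MGMT_SERVERS
 deny ip any object-group MGMT_SERVERS
 permit ip any any
! Step 4: apply the ACL as a Router ACL on an ingress interface
interface GigabitEthernet1/1
 ip access-group MGMT_OG_ACL in
```

Use `show object-group` to confirm the nested membership resolved as intended and `show ip access-lists MGMT_OG_ACL` to see the resulting ACEs. Because the deny ACE precedes the final permit, adding a host to MGMT_SERVERS later tightens access to it without touching the ACL body, which is the maintainability benefit the section describes.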