10-19
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 10 Controlling Network Access with Access Control Lists
Simplifying Access Control Lists with Object Grouping
Note The ACE system limit applies to expanded ACLs. If you use object groups in ACEs, the number of actual
ACEs that you enter is fewer, but the number of expanded ACEs is the same as without object groups.
In many cases, object groups create more ACEs than if you added them manually, because creating ACEs
manually leads you to summarize addresses more than an object group does. To view the number of
expanded ACEs in an ACL, enter the show access-list acl_name command.
Adding Object Groups
This section describes how to add object groups, and includes the following topics:
• Adding a Protocol Object Group, page 10-19
• Adding a Network Object Group, page 10-20
• Adding a Service Object Group, page 10-20
• Adding an ICMP Type Object Group, page 10-21
Note If you add new members to an existing object group that is already in use by an ACE in a large ACL,
recommitting the ACL can take a long time, depending on the size of the ACL and the object group. In
some cases, making this change can cause the FWSM to devote over an hour to committing the ACL,
during which time you cannot access the terminal. We recommend that you first remove the ACE that
refers to the object group, make your change, and then add the ACE back to the ACL. See the “Manually
Committing Access Control Lists and Rules” section on page 10-24 to insert an ACE in an ACL.
Adding a Protocol Object Group
To add or change a protocol object group, use the following procedure. After you add the group, you can add more
objects as required by following this procedure again for the same group name and specifying the additional
objects. You do not need to reenter existing objects; the commands you already set remain in place unless
you remove them with the no form of the command.
To add a protocol group, follow these steps:
Step 1 To add a protocol group, enter the following command:
FWSM/contexta(config)# object-group protocol grp_id
The grp_id is a text string up to 64 characters in length.
The prompt changes to the protocol subcommand mode.
Step 2 (Optional) To add a description, enter the following command:
FWSM/contexta(config-protocol)# description text
The description can be up to 200 characters.
Step 3 To define the protocols in the group, enter the following command for each protocol:
FWSM/contexta(config-protocol)# protocol-object protocol
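The following session, added here as an illustration and not taken from the guide, walks through Steps 1 to 3 for a constructed group named mgmt-protos, references the group from an ACL, and then applies the change procedure recommended in the Note above (remove the ACE, change the group, re-add the ACE). The group name, the ACL name MGMT_IN and the host address 10.1.1.10 are made up for the example; the access-list lines assume the extended ACL syntax in which an object-group name takes the place of the protocol field, which is documented elsewhere in this chapter rather than on this page.

```cisco
! Step 1: create the protocol object group (prompt changes to config-protocol)
FWSM/contexta(config)# object-group protocol mgmt-protos
! Step 2 (optional): description, up to 200 characters
FWSM/contexta(config-protocol)# description Protocols permitted to the management host
! Step 3: one protocol-object line per protocol in the group
FWSM/contexta(config-protocol)# protocol-object tcp
FWSM/contexta(config-protocol)# protocol-object udp
FWSM/contexta(config-protocol)# exit
! Reference the group in an ACE; the FWSM expands this into one ACE per protocol,
! so it counts as two ACEs against the ACE system limit, not one
FWSM/contexta(config)# access-list MGMT_IN extended permit object-group mgmt-protos any host 10.1.1.10
! Check how many expanded ACEs the ACL actually consumes
FWSM/contexta(config)# show access-list MGMT_IN
!
! Later change: add icmp to a group that an ACE in a large ACL already uses.
! Per the Note, remove the ACE first so the FWSM does not recommit the whole ACL
! while the group is modified, then add the ACE back.
FWSM/contexta(config)# no access-list MGMT_IN extended permit object-group mgmt-protos any host 10.1.1.10
FWSM/contexta(config)# object-group protocol mgmt-protos
FWSM/contexta(config-protocol)# protocol-object icmp
FWSM/contexta(config-protocol)# exit
FWSM/contexta(config)# access-list MGMT_IN extended permit object-group mgmt-protos any host 10.1.1.10
! Existing members (tcp, udp) did not need to be reentered; only the new one was added
FWSM/contexta(config)# show access-list MGMT_IN
```

Re-adding the ACE with access-list places it at the end of the ACL; use the manual commit procedure referenced in the Note if it must be reinserted at its original position.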