Object Groups for ACLs
The Object Groups for ACLs feature lets you classify users, devices, or protocols into groups and apply those groups to access control lists (ACLs) to create access control policies for those groups. Object groups take the place of the individual IP addresses, protocols, and ports that conventional ACLs require. An ACL can still contain multiple access control entries (ACEs), but a single ACE can now permit or deny an entire group of users access to a group of servers or services.
In large networks, the number of ACLs can be large (hundreds of lines) and difficult to configure and manage, especially if the ACLs frequently change. Object group-based ACLs are smaller, more readable, and easier to configure and manage than conventional ACLs, simplifying static and dynamic ACL deployments for large user access environments on Cisco IOS routers.
Cisco IOS Firewall benefits from object groups, because they simplify policy creation (for example, group A has access to group A services).
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Object Groups for ACLs
- You can use object groups only in extended named and numbered ACLs.
- Object group-based ACLs support only IPv4 addresses.
- Object group-based ACLs support only Layer 3 interfaces (such as routed interfaces and VLAN interfaces). Object group-based ACLs do not support Layer 2 features such as VLAN ACLs (VACLs) or port ACLs (PACLs).
- Object group-based ACLs are not supported with IPsec.
- The highest number of object group-based ACEs supported in an ACL is 2048.
Information About Object Groups for ACLs
You can configure conventional ACEs and ACEs that refer to object groups in the same ACL.
You can use object group-based ACLs with quality of service (QoS) match criteria, Cisco IOS Firewall, Dynamic Host Configuration Protocol (DHCP), and any other features that use extended ACLs. In addition, you can use object group-based ACLs with multicast traffic.
When there are many inbound and outbound packets, using object group-based ACLs increases performance when compared to conventional ACLs. Also, in large configurations, this feature reduces the storage needed in NVRAM, because using object groups in ACEs means that you do not need to define an individual ACE for every address and protocol pairing.
Object Groups
An object group can contain a single object (such as a single IP address, network, or subnet) or multiple objects (such as a combination of multiple IP addresses, networks, or subnets).
A typical ACE could allow a group of users to have access only to a specific group of servers. In an object group-based ACL, you can create a single ACE that uses an object group name instead of creating many ACEs (which would require each one to have a different IP address). A similar object group (such as a protocol port group) can be extended to provide access only to a set of applications for a user group to a server group. ACEs can have object groups for the source only, destination only, none, or both.
You can use object groups to separate the ownership of the components of an ACE. For example, each department in an organization could control its group membership, and the administrator could own the ACE itself to control which departments can contact one another.
You can use object groups as members (children) of other object groups. For example, you can create an ENG-ALL address group that contains the ENG-EAST and ENG-WEST address groups. You can use an unlimited number of levels of nested (child) object groups (however, a maximum of two levels is recommended).
You can use object groups in features that use Cisco Policy Language (CPL) class maps.
This feature supports two types of object groups for grouping ACL parameters: network object groups and service object groups. These object groups can be used to group IP addresses, protocols, protocol services (ports), and Internet Control Message Protocol (ICMP) types.
Objects Allowed in Network Object Groups
A network object group is a group of any of the following objects:
- Any IP address (specified with the any command), which covers the range 0.0.0.0 to 255.255.255.255
- Host IP addresses
- Hostnames
- Other network object groups
- Ranges of IP addresses
- Subnets
Objects Allowed in Service Object Groups
A service object group is a group of any of the following objects:
- Source and destination protocol ports (such as Telnet or Simple Network Management Protocol (SNMP))
- ICMP types (such as echo, echo-reply, or host-unreachable)
- Top-level protocols (such as TCP, User Datagram Protocol (UDP), or Encapsulating Security Payload (ESP))
- Other service object groups
ACLs Based on Object Groups
All features that use or reference conventional ACLs are compatible with object group-based ACLs, and feature interactions for conventional ACLs are the same with object group-based ACLs. This feature extends the conventional ACL syntax to support object group-based ACLs and also adds new keywords along with the source and destination addresses and ports.
You can apply object group-based ACLs to interfaces that are configured in a VPN routing and forwarding (VRF) instance or features that are used within a VRF context.
You can add objects to, delete objects from, or change objects in an object group membership list dynamically, without deleting and redefining the object group and without deleting and redefining the ACE that references the group. The change takes effect in every object group-based ACL that uses the group, without reapplying the ACL to the interface. Treat a membership change as the policy change it is: adding a host to a group that a permit ACE references opens that ACE to the new host on every interface where the ACL is applied.
You can configure an object group-based ACL multiple times with a source group only, a destination group only, or source and destination groups.
You cannot delete an object group that is being used within an ACL or a CPL policy.
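The following Python model, added here as an illustration and not part of Cisco IOS or the original document, shows the evaluation rules described in this section: an ACE that names a network or service group matches any member of that group, including members reached through nested child groups; changing group membership changes what the ACE matches without the ACE itself being touched; a group that is still referenced by an ACE or by a parent group cannot be deleted; and a packet that matches no ACE falls to the implicit deny. The class and function names (ObjectGroupAcl, Ace, evaluate, delete_group) and the group contents are constructed for the example.

```python
"""Model of object-group ACL evaluation: added example, not Cisco code.

Names (ObjectGroupAcl, Ace, Group, evaluate, delete_group) are hypothetical.
Behaviour follows the page: a group-based ACE matches any group member,
nested child groups are followed, membership edits take effect without
changing the ACE, a referenced group cannot be deleted, and an unmatched
packet hits the implicit deny at the end of the ACL.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Group:
    # Network groups hold ip_network members (a host is a /32); service groups
    # hold (protocol, port) tuples, with port None meaning the whole protocol.
    members: List = field(default_factory=list)
    children: List[str] = field(default_factory=list)


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    service: Optional[str] = None  # service group name; None means any protocol
    src: Optional[str] = None      # network group name; None means "any"
    dst: Optional[str] = None


class ObjectGroupAcl:
    def __init__(self) -> None:
        self.net: Dict[str, Group] = {}
        self.svc: Dict[str, Group] = {}
        self.aces: List[Ace] = []

    @staticmethod
    def _flatten(table: Dict[str, Group], name: str, seen=frozenset()) -> list:
        """Members of a group plus those of its nested children (loop-safe)."""
        if name in seen:
            return []
        g = table[name]
        out = list(g.members)
        for child in g.children:
            out += ObjectGroupAcl._flatten(table, child, seen | {name})
        return out

    def in_use(self, name: str) -> bool:
        by_ace = any(name in (a.service, a.src, a.dst) for a in self.aces)
        by_parent = any(name in g.children for g in [*self.net.values(), *self.svc.values()])
        return by_ace or by_parent

    def delete_group(self, name: str) -> None:
        """IOS refuses to delete a group that an ACL (or a parent group) still uses."""
        if self.in_use(name):
            raise ValueError(f"object group {name} is in use")
        self.net.pop(name, None)
        self.svc.pop(name, None)

    def evaluate(self, src: str, dst: str, proto: str, dport: int) -> str:
        s, d = ip_address(src), ip_address(dst)
        for ace in self.aces:                       # first match wins
            if ace.src and not any(s in n for n in self._flatten(self.net, ace.src)):
                continue
            if ace.dst and not any(d in n for n in self._flatten(self.net, ace.dst)):
                continue
            if ace.service and not any(
                p == proto and port in (None, dport)
                for p, port in self._flatten(self.svc, ace.service)):
                continue
            return ace.action
        return "deny"                               # implicit deny


def demo() -> dict:
    """Constructed groups in the style of the page's sjc_ftp_servers example."""
    acl = ObjectGroupAcl()
    acl.net["sjc_eng_ftp_servers"] = Group([ip_network("209.165.201.10/32")])
    acl.net["sjc_ftp_servers"] = Group(
        [ip_network("209.165.200.242/32"), ip_network("209.165.200.224/27")],
        children=["sjc_eng_ftp_servers"])
    acl.svc["ftp_and_telnet"] = Group([("tcp", 21), ("tcp", 23)])
    acl.aces = [Ace("permit", service="ftp_and_telnet", dst="sjc_ftp_servers")]

    result = {}
    # Reached only through the nested child group, not the parent's own members.
    result["nested_member"] = acl.evaluate("10.1.1.5", "209.165.201.10", "tcp", 21)
    result["wrong_service"] = acl.evaluate("10.1.1.5", "209.165.201.10", "udp", 53)
    result["before_add"] = acl.evaluate("10.1.1.5", "209.165.202.5", "tcp", 21)
    # Change membership only; the ACE is untouched and the ACL is not reapplied.
    acl.net["sjc_eng_ftp_servers"].members.append(ip_network("209.165.202.5/32"))
    result["after_add"] = acl.evaluate("10.1.1.5", "209.165.202.5", "tcp", 21)
    try:
        acl.delete_group("sjc_eng_ftp_servers")   # still nested in sjc_ftp_servers
        result["delete_refused"] = False
    except ValueError:
        result["delete_refused"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two points that matter operationally: the host added to the child group is permitted immediately although no ACE changed, and the delete of the child group is refused because its parent still nests it.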
How to Configure Object Group-Based ACLs
To configure the Object Groups for ACLs feature, you first create one or more object groups. These can be any combination of network object groups (containing objects such as host addresses and network addresses) or service object groups (which use operators such as lt, eq, gt, neq, and range with port numbers). Then, you create ACEs that apply a policy (such as permit or deny) to those object groups.
- Creating a Network Object Group
- Creating a Service Object Group
- Creating an Object Group-Based ACL
- Applying an Object Group-Based ACL to an Interface
- Verifying Object Groups for ACLs
Creating a Network Object Group
A network object group can contain a single object (a host address, a hostname, a subnet, or another network object group) or multiple objects (any combination of host addresses, hostnames, ranges of IP addresses, subnets, and other network object groups). You reference the group by name in an object group-based ACL to create access control policies for those objects.
Perform this task to create a network object group.
DETAILED STEPS
Command or Action | Purpose
---|---
Router> enable | Enables privileged EXEC mode.
Router# configure terminal | Enters global configuration mode.
Router(config)# object-group network my_network_object_group | Defines the object group name and enters network object-group configuration mode.
Router(config-network-group)# description test engineers | (Optional) Specifies a description of the object group.
Router(config-network-group)# host 209.165.200.237 | (Optional) Specifies the IP address or name of a host.
Router(config-network-group)# 209.165.200.241 255.255.255.224 | (Optional) Specifies a subnet object as a network address followed by a subnet mask. Note that this is a subnet mask, not the wildcard mask used in a conventional ACE.
Router(config-network-group)# range 209.165.200.242 209.165.200.243 | (Optional) Specifies a range of host IP addresses.
Router(config-network-group)# any | (Optional) Specifies any host IP address in the range 0.0.0.0 to 255.255.255.255.
Router(config-network-group)# group-object my_nested_object_group | (Optional) Specifies a nested (child) object group to be included in the current (parent) object group.
Router(config-network-group)# end | Returns to privileged EXEC mode.
Creating a Service Object Group
You can use a service object group to specify top-level IP protocols, TCP or UDP ports or port ranges, and ICMP types. When the service object group is referenced in an ACL, that service object group-based ACL controls access to those protocols and ports.
DETAILED STEPS
Command or Action | Purpose
---|---
Router> enable | Enables privileged EXEC mode.
Router# configure terminal | Enters global configuration mode.
Router(config)# object-group service my_service_object_group | Defines the object group name and enters service object-group configuration mode.
Router(config-service-group)# description test engineers | (Optional) Specifies a description of the object group.
Router(config-service-group)# ahp | (Optional) Specifies an IP protocol by number or name (here ahp, the Authentication Header protocol).
Router(config-service-group)# tcp-udp range 2000 2005 | (Optional) Specifies TCP, UDP, or both (tcp-udp), optionally followed by a port operator (eq, lt, gt, neq, or range) and port numbers or names.
Router(config-service-group)# icmp conversion-error | (Optional) Specifies the decimal number or name of an ICMP type.
Router(config-service-group)# group-object my_nested_object_group | (Optional) Specifies a nested (child) object group to be included in the current (parent) object group.
Router(config-service-group)# end | Returns to privileged EXEC mode.
Creating an Object Group-Based ACL
When creating an object group-based ACL, you configure an ACL that references one or more object groups. As with conventional ACLs, you can associate the same access policy with one or more interfaces.
You can define multiple ACEs that reference object groups within the same object group-based ACL. Also, you can reuse a specific object group in multiple ACEs.
Perform this task to create an object group-based ACL.
DETAILED STEPS
Applying an Object Group-Based ACL to an Interface
You use the ip access-group command to apply an object group-based ACL to an interface. The command syntax and usage are the same as for conventional ACLs. The object group-based ACL can be used to control traffic on the interface it is applied to.
Perform this task to apply an object group-based ACL to an interface.
DETAILED STEPS
Verifying Object Groups for ACLs
Perform this task to verify object groups for ACLs.
DETAILED STEPS
Configuration Examples for Object Groups for ACLs
- Example Creating a Network Object Group
- Example Creating a Service Object Group
- Example Creating an Object Group-Based ACL
- Example Applying an Object Group-Based ACL to an Interface
- Example Verifying Object Groups for ACLs
Example Creating a Network Object Group
The following example shows how to create a network object group named my_network_object_group, which contains two hosts, a range of IP addresses, and a subnet as objects:
Router> enable
Router# configure terminal
Router(config)# object-group network my_network_object_group
Router(config-network-group)# host 209.165.200.237
Router(config-network-group)# host 209.165.200.238
Router(config-network-group)# range 209.165.200.239 209.165.200.240
Router(config-network-group)# 209.165.200.241 255.255.255.224
The following example shows how to create a network object group named sjc_ftp_servers, which contains two hosts, a subnet, and an existing object group (child) named sjc_eng_ftp_servers as objects:
Router> enable
Router# configure terminal
Router(config)# object-group network sjc_ftp_servers
Router(config-network-group)# host sjc.eng.ftp
Router(config-network-group)# host 209.165.200.242
Router(config-network-group)# 209.165.200.225 255.255.255.224
Router(config-network-group)# group-object sjc_eng_ftp_servers
Example Creating a Service Object Group
The following example shows how to create a service object group named my_service_object_group, which contains several ICMP, TCP, UDP, and TCP-UDP protocols and an existing object group (child) named sjc_eng_svcs as objects:
Router> enable
Router# configure terminal
Router(config)# object-group service my_service_object_group
Router(config-service-group)# icmp echo
Router(config-service-group)# tcp smtp
Router(config-service-group)# tcp telnet
Router(config-service-group)# tcp source range 1 65535 telnet
Router(config-service-group)# udp domain
Router(config-service-group)# tcp-udp range 2000 2005
Router(config-service-group)# group-object sjc_eng_svcs
Example Creating an Object Group-Based ACL
The following example shows how to create an object group-based ACL that permits packets from the users in my_network_object_group to any destination if the protocol and ports match the services specified in my_service_object_group. The explicit deny tcp any any entry covers only TCP; any other traffic that does not match the permit entry is dropped by the implicit deny at the end of the ACL:
Router> enable
Router# configure terminal
Router(config)# ip access-list extended my_ogacl_policy
Router(config-ext-nacl)# permit object-group my_service_object_group object-group my_network_object_group any
Router(config-ext-nacl)# deny tcp any any
Router(config-ext-nacl)# exit
Router(config)# exit
Example Applying an Object Group-Based ACL to an Interface
The following example shows how to apply an object group-based ACL to an interface. In this example, an object group-based ACL named my_ogacl_policy is applied to VLAN interface 100:
Router> enable
Router# configure terminal
Router(config)# interface vlan 100
Router(config-if)# ip access-group my_ogacl_policy in
Router(config-if)# end
Example Verifying Object Groups for ACLs
The following example shows how to display all object groups:
Router> enable
Router# show object-group
Network object group auth_proxy_acl_deny_dest
 host 209.165.200.235
Service object group auth_proxy_acl_deny_services
 tcp eq www
 tcp eq 443
Network object group auth_proxy_acl_permit_dest
 209.165.200.226 255.255.255.224
 209.165.200.227 255.255.255.224
 209.165.200.228 255.255.255.224
 209.165.200.229 255.255.255.224
 209.165.200.246 255.255.255.224
 209.165.200.230 255.255.255.224
 209.165.200.231 255.255.255.224
 209.165.200.232 255.255.255.224
 209.165.200.233 255.255.255.224
 209.165.200.234 255.255.255.224
Service object group auth_proxy_acl_permit_services
 tcp eq www
 tcp eq 443
The following example shows how to display information about specific object group-based ACLs:
Router# show ip access-list my_ogacl_policy
Extended IP access list my_ogacl_policy
10 permit object-group eng_service any any
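The following Python script is an added example, not Cisco code and not part of the original document. It takes CLI text in the style of the configuration examples above (the CONFIG string is constructed for this example and is not the page's exact configuration), resolves nested groups, and expands the object group-based ACL into the conventional ACEs it stands for, which makes visible the cross product of service, source, and destination that a single object-group ACE replaces. It also shows a conversion practitioners trip over when they compare the two forms: a subnet member inside a network object group is written as address plus subnet mask, while a conventional extended ACE takes a wildcard mask, and an IP range has no single conventional equivalent, so it is summarised into prefixes. The function names (parse, net_members, svc_members, expand_ace, expand_acl) are hypothetical.

```python
"""Expand an object-group-based ACL into the conventional ACEs it replaces.

Added example, not Cisco code; parse(), expand_acl() and CONFIG are
hypothetical. CONFIG is constructed in the style of the page's examples.
The expander resolves nested groups, summarises an IP range into prefixes,
converts the subnet mask used inside a network object group into the
wildcard mask an extended ACE expects, and emits the service x source x
destination cross product that one object-group ACE stands for.
"""
import re
from ipaddress import ip_address, ip_network, summarize_address_range

CONFIG = """\
object-group network sjc_eng_ftp_servers
 host 209.165.201.10
 range 209.165.201.16 209.165.201.19
object-group network sjc_ftp_servers
 host 209.165.200.242
 209.165.200.224 255.255.255.224
 group-object sjc_eng_ftp_servers
object-group service my_service_object_group
 tcp smtp
 tcp telnet
 udp domain
 tcp-udp range 2000 2005
ip access-list extended my_ogacl_policy
 permit object-group my_service_object_group object-group sjc_ftp_servers any
 deny ip any any
"""


def parse(config):
    """Split CLI text into {network groups}, {service groups}, {ACLs} of member lines."""
    net, svc, acl, current = {}, {}, {}, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        m = re.match(r"object-group (network|service) (\S+)$", line)
        if m:
            current = (net if m.group(1) == "network" else svc).setdefault(m.group(2), [])
        elif (m := re.match(r"ip access-list extended (\S+)$", line)):
            current = acl.setdefault(m.group(1), [])
        else:
            current.append(line)
    return net, svc, acl


def _prefix(n):
    """ACE address token: 'host a.b.c.d' for a /32, otherwise 'network wildcard'."""
    return f"host {n.network_address}" if n.prefixlen == 32 else f"{n.network_address} {n.hostmask}"


def net_members(net, name, seen=frozenset()):
    out = []
    for tok in (m.split() for m in net[name]):
        if tok[0] == "host":
            out.append(f"host {tok[1]}")
        elif tok[0] == "any":
            out.append("any")
        elif tok[0] == "range":   # no single ACE equivalent: summarise into prefixes
            out += [_prefix(n) for n in summarize_address_range(ip_address(tok[1]), ip_address(tok[2]))]
        elif tok[0] == "group-object":
            if tok[1] not in seen:  # follow nesting, but never loop
                out += net_members(net, tok[1], seen | {name})
        else:  # "address subnet-mask" (object-group syntax) -> "address wildcard" (ACE syntax)
            out.append(_prefix(ip_network(f"{tok[0]}/{tok[1]}", strict=False)))
    return out


def svc_members(svc, name, seen=frozenset()):
    """(protocol, port-spec) pairs; 'tcp-udp' yields one pair per protocol."""
    out = []
    for tok in (m.split() for m in svc[name]):
        if tok[0] == "group-object":
            if tok[1] not in seen:
                out += svc_members(svc, tok[1], seen | {name})
            continue
        spec = "" if len(tok) == 1 else ("eq " + tok[1] if len(tok) == 2 else " ".join(tok[1:]))
        out += [(p, spec) for p in (("tcp", "udp") if tok[0] == "tcp-udp" else (tok[0],))]
    return out


def expand_ace(net, svc, ace):
    tok = ace.split()
    action, rest = tok[0], tok[1:]
    services = svc_members(svc, rest[1]) if rest[0] == "object-group" else [(rest[0], "")]
    rest = rest[2:] if rest[0] == "object-group" else rest[1:]
    addrs = []
    for _ in ("src", "dst"):
        if rest[0] == "object-group":
            addrs.append(net_members(net, rest[1])); rest = rest[2:]
        elif rest[0] == "any":
            addrs.append(["any"]); rest = rest[1:]
        else:  # "host x" or "network wildcard"
            addrs.append([f"{rest[0]} {rest[1]}"]); rest = rest[2:]
    return [f"{action} {p} {s} {d}{' ' + spec if spec else ''}"
            for p, spec in services for s in addrs[0] for d in addrs[1]]


def expand_acl(config, name):
    net, svc, acl = parse(config)
    return [line for ace in acl[name] for line in expand_ace(net, svc, ace)]


if __name__ == "__main__":
    for line in expand_acl(CONFIG, "my_ogacl_policy"):
        print(line)
```

For the constructed input the two object-group ACEs expand to 21 conventional lines (5 services by 4 sources by 1 destination, plus the final deny), which is the growth the page describes for conventional ACLs in large deployments. Note that the 2048-ACE restriction stated above applies to the object group-based ACEs as configured, not to this expanded form.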
Additional References
Related Documents
Related Topic | Document Title
---|---
General information about ACLs | "IP Access List Overview"
Cisco IOS commands | 
Security commands | Cisco IOS Security Command Reference
Standards
Standard | Title
---|---
None | --
MIBs
MIB | MIBs Link
---|---
None | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
RFC | Title
---|---
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | --
Technical Assistance
Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | 
Feature Information for Object Groups for ACLs
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 Feature Information for Object Groups for ACLs
Feature Name | Releases | Feature Information
---|---|---
Object Groups for ACLs | 12.4(20)T | The Object Groups for ACLs feature lets you classify users, devices, or protocols into groups and apply them to access control lists (ACLs) to create access control policies for those groups. Object groups take the place of the individual IP addresses, protocols, and ports that conventional ACLs require. An ACL can still contain multiple access control entries (ACEs), but a single ACE can now permit or deny an entire group of users access to a group of servers or services. The following commands were introduced or modified: deny, ip access-group, ip access-list, object-group network, object-group service, permit, show ip access-list, show object-group.
© 2011 Cisco Systems, Inc. All rights reserved.