Adding Object Groups; Adding A Protocol Object Group - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Simplifying Access Lists with Object Grouping

TrustedHosts—Includes the host and network addresses allowed access to the greatest range of services and servers
PublicServers—Includes the host addresses of servers to which the greatest access is provided

After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers.

You can also nest object groups in other object groups.

Note
The ACE system limit applies to expanded access lists. If you use object groups in ACEs, the number of actual ACEs that you enter is fewer, but the number of expanded ACEs is the same as without object groups. In many cases, object groups create more ACEs than if you added them manually, because creating ACEs manually leads you to summarize addresses more than an object group does. To view the number of expanded ACEs in an access list, enter the show access-list command.

For example, consider a network object group with 100 sources, a network object group with 100 destinations, and a port object group with 5 ports. Permitting the ports from sources to destinations could result in 50,000 ACEs (5 x 100 x 100) in the expanded access list.

Adding Object Groups

This section describes how to add object groups, and includes the following topics:

Adding a Protocol Object Group, page 13-12
Adding a Network Object Group, page 13-13
Adding a Service Object Group, page 13-14
Adding an ICMP Type Object Group, page 13-14

Adding a Protocol Object Group

To add or change a protocol object group, perform the following steps. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.

To add a protocol group, perform the following steps:

Step 1 To add a protocol group, enter the following command:
hostname(config)# object-group protocol grp_id
The grp_id is a text string up to 64 characters in length.
The prompt changes to protocol configuration mode.

Step 2 (Optional) To add a description, enter the following command:
hostname(config-protocol)# description text
The description can be up to 200 characters.

Step 3 To define the protocols in the group, enter the following command for each protocol:
hostname(config-protocol)# protocol-object protocol

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01, Chapter 13 Identifying Traffic with Access Lists, page 13-12
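As an added example that is not part of the guide, the following Python script embeds a constructed FWSM-style configuration built from the object-group protocol, network-object, group-object and port-object commands described above, parses the groups (following nested group-object references) and computes how many expanded ACEs a single ACE referencing those groups produces, the figure that the note says counts against the ACE system limit and that show access-list reports on the module. All group names, addresses and ACE lines are invented for the illustration; the parser is a planning aid, not the module's own expansion logic.

```python
import math
import re

# Constructed FWSM-style config (not from the guide): one protocol, three network and one service group.
FWSM_CONFIG = """\
object-group protocol WEB_PROTOS
 description TCP and UDP towards the public web tier
 protocol-object tcp
 protocol-object udp
object-group network TRUSTED_HOSTS
 network-object host 10.1.1.10
 network-object 10.2.0.0 255.255.255.0
object-group network PUBLIC_SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network ALL_SOURCES
 group-object TRUSTED_HOSTS
 network-object host 10.3.3.3
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object range 8000 8010
"""
ACE_PROTOCOL_GROUP = "access-list OUTSIDE_IN extended permit object-group WEB_PROTOS object-group ALL_SOURCES object-group PUBLIC_SERVERS"
ACE_SERVICE_GROUP = "access-list OUTSIDE_IN extended permit tcp object-group TRUSTED_HOSTS object-group PUBLIC_SERVERS object-group WEB_PORTS"
GROUP_HEADER = re.compile(r"object-group (?:protocol|network|service|icmp-type) (\S+)")

def parse_object_groups(config):
    # Map group name -> members; a member is ("object", text) or ("group", nested group name).
    groups, current = {}, None
    for line in config.splitlines():
        header = GROUP_HEADER.match(line)
        if header:
            current = groups.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            tokens = line.split()
            if tokens[0] == "group-object":
                current.append(("group", tokens[1]))
            elif tokens[0].endswith("-object"):  # protocol-/network-/port-/icmp-object; description is skipped
                current.append(("object", " ".join(tokens[1:])))
    return groups

def expanded_size(groups, name, seen=()):
    """Entries a group contributes to the expanded list, recursing into nested groups."""
    if name in seen:
        raise ValueError(f"circular nesting through object-group {name}")
    return sum(expanded_size(groups, m, seen + (name,)) if kind == "group" else 1
               for kind, m in groups[name])

def expanded_ace_count(config, ace):
    # One entered ACE expands to the product of the sizes of every group it references.
    groups = parse_object_groups(config)
    return math.prod(expanded_size(groups, n) for n in re.findall(r"object-group (\S+)", ace))
```

Running expanded_ace_count on a candidate ACE before entering it lets you compare the expansion against the module's ACE limit and against what show access-list reports afterwards.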
