
object group tracking for ACLs

First Published: July 11, 2008
Last Updated: September 6, 2010

The Object Groups for ACLs feature lets you classify users, devices, or protocols into groups and apply those groups to access control lists (ACLs) to create access control policies for those groups. You use object groups in place of the individual IP addresses, protocols, and ports that conventional ACLs use. An ACL can still contain multiple access control entries (ACEs), but each ACE can now allow an entire group of users to access a group of servers or services, or deny them from doing so.

In large networks, the number of ACLs can be large (hundreds of lines) and difficult to configure and manage, especially if the ACLs frequently change. Object group-based ACLs are smaller, more readable, and easier to configure and manage than conventional ACLs, simplifying static and dynamic ACL deployments for large user access environments on Cisco IOS routers.

Cisco IOS Firewall benefits from object groups, because they simplify policy creation (for example, group A has access to group A services).


http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_object_group_acl.html#wp1132576
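
To make the comparison concrete, here is the same policy written first as a conventional ACL and then with object groups. This is an added example, not taken from the Cisco document; the group names, ACL names, interface, and addresses (RFC 5737 documentation ranges) are constructed placeholders.

```cisco
! Constructed example: names, interface and addresses are placeholders.
!
! Conventional ACL: 2 sources x 2 servers x 2 ports = 8 permit ACEs
ip access-list extended ENG-TO-WEB-CLASSIC
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq www
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 443
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.11 eq www
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.11 eq 443
 permit tcp host 203.0.113.5 host 198.51.100.10 eq www
 permit tcp host 203.0.113.5 host 198.51.100.10 eq 443
 permit tcp host 203.0.113.5 host 198.51.100.11 eq www
 permit tcp host 203.0.113.5 host 198.51.100.11 eq 443
 deny ip any any log
!
! Object-group form: who, where and what are defined once each
object-group network ENG-USERS
 description Engineering users
 192.0.2.0 255.255.255.0
 host 203.0.113.5
!
object-group network WEB-SERVERS
 description Internal web servers
 host 198.51.100.10
 host 198.51.100.11
!
object-group service WEB-SERVICES
 description HTTP and HTTPS
 tcp eq www
 tcp eq 443
!
! One ACE covers every user/server/service combination above.
! ACE order: service group, then source group, then destination group.
ip access-list extended ENG-TO-WEB-OG
 permit object-group WEB-SERVICES object-group ENG-USERS object-group WEB-SERVERS
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group ENG-TO-WEB-OG in
```

Adding a third web server is one `host` line in `WEB-SERVERS` instead of four new ACEs, which also removes the risk of missing one source/port combination. `show object-group` and `show ip access-lists` can be used to review the result.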
