Object Groups for ACLs
The Object Groups for ACLs feature lets you classify users, devices, or protocols into groups and apply those groups to access control lists (ACLs) to create access control policies for those groups. This feature lets you use object groups instead of individual IP addresses, protocols, and ports, which are used in conventional ACLs. This feature allows multiple access control entries (ACEs), but now you can use each ACE to allow an entire group of users to access a group of servers or services or to deny them from doing so.
In large networks, the number of ACLs can be large (hundreds of lines) and difficult to configure and manage, especially if the ACLs frequently change. Object group-based ACLs are smaller, more readable, and easier to configure and manage than conventional ACLs, simplifying static and dynamic ACL deployments for large user access environments on Cisco IOS routers.
Cisco IOS Firewall benefits from object groups, because they simplify policy creation (for example, group A has access to group A services).
Restrictions for Object Groups for ACLs
-
You can use object groups only in extended named and numbered ACLs.
-
Object group-based ACLs support only IPv4/IPv6 addresses.
-
Object group-based ACLs support only Layer 3 interfaces(such as routed interfaces and VLAN interfaces) and sub-interfaces.
-
Object group-based ACLs are not supported with IPsec.
-
ACL statements using object groups will be ignored on packets that are sent to RP for processing.
-
The number of object group-based ACEs supported in an ACL varies depending on platform, subject to TCAM availability.
Information About Object Groups for ACLs
You can configure conventional ACEs and ACEs that refer to object groups in the same ACL.
You can use object group-based ACLs with quality of service (QoS) match criteria, Cisco IOS Firewall, Dynamic Host Configuration Protocol (DHCP), and any other features that use extended ACLs. In addition, you can use object group-based ACLs with multicast traffic.
When there are many inbound and outbound packets, using object group-based ACLs increases performance when compared to conventional ACLs. Also, in large configurations, this feature reduces the storage needed in NVRAM, because using object groups in ACEs means that you do not need to define an individual ACE for every address and protocol pairing.
Object Groups
An object group can contain a single object (such as a single IP address, network, or subnet) or multiple objects (such as a combination of multiple IP addresses, networks, or subnets).
A typical access control entry (ACE) allows a group of users to have access only to a specific group of servers. In an object group-based access control list (ACL), you can create a single ACE that uses an object group name instead of creating many ACEs (which requires each ACE to have a different IP address). A similar object group (such as a protocol port group) can be extended to provide access only to a set of applications for a user group. ACEs can have object groups for the source only, destination only, none, or both.
You can use object groups to separate the ownership of the components of an ACE. For example, each department in an organization controls its group membership, and the administrator owns the ACE itself to control which departments can contact one another.
You can use object groups in features that use Cisco Policy Language (CPL) class maps.
This feature supports two types of object groups for grouping ACL parameters: network object groups and service object groups. Use these object groups to group IP addresses, protocols, protocol services (ports), and Internet Control Message Protocol (ICMP) types.
Objects Allowed in Network Object Groups
A network object group is a group of any of the following objects:
-
Any IP address—includes a range from 0.0.0.0 to 255.255.255.255 (This is specified using the any command.)
-
Host IP addresses
-
Hostnames
-
Other network object groups
-
Subnets
-
Host IP addresses
-
Network address of group members
-
Nested object groups
Objects Allowed in Service Object Groups
A service object group is a group of any of the following objects:
-
Source and destination protocol ports (such as Telnet or Simple Network Management Protocol [SNMP])
-
Internet Control Message Protocol (ICMP) types (such as echo, echo-reply, or host-unreachable)
-
Top-level protocols (such as Encapsulating Security Payload [ESP], TCP, or UDP)
-
Other service object groups
ACLs Based on Object Groups
All features that use or reference conventional access control lists (ACLs) are compatible with object-group-based ACLs, and the feature interactions for conventional ACLs are the same with object-group-based ACLs. This feature extends the conventional ACLs to support object-group-based ACLs and also adds new keywords and the source and destination addresses and ports.
You can add, delete, or change objects in an object group membership list dynamically (without deleting and redefining the object group). Also, you can add, delete, or change objects in an object group membership list without redefining the ACL access control entry (ACE) that uses the object group. You can add objects to groups, delete them from groups, and then ensure that changes are correctly functioning within the object-group-based ACL without reapplying the ACL to the interface.
You can configure an object-group-based ACL multiple times with a source group only, a destination group only, or both source and destination groups.
You cannot delete an object group that is used within an ACL or a class-based policy language (CPL) policy.
How to Configure Object Groups for ACLs
To configure object groups for ACLs, you first create one or more object groups. These can be any combination of network object groups (groups that contain objects such as, host addresses and network addresses) or service object groups (which use operators such as lt , eq , gt , neq , and range with port numbers). Then, you create access control entries (ACEs) that apply a policy (such as permit or deny ) to those object groups.
Creating a Network Object Group
A network object group that contains a single object (such as a single IP address, a hostname, another network object group, or a subnet) or multiple objects with a network object-group-based ACL to create access control policies for the objects.
Perform this task to create a network object group.
Procedure
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode. Enter your password, if prompted. |
Step 2 |
configure terminal Example:
|
Enters global configuration mode. |
Step 3 |
object-group network object-group-name Example:
|
Defines the object group name and enters network object-group configuration mode. |
Step 4 |
description description-text Example:
|
(Optional) Specifies a description of the object group.
|
Step 5 |
host {host-address | host-name } Example:
|
(Optional) Specifies the IP address or name of a host.
|
Step 6 |
network-address {/nn | network-mask } Example:
|
(Optional) Specifies a subnet object.
|
Step 7 |
group-object nested-object-group-name Example:
|
(Optional) Specifies a nested (child) object group to be included in the current (parent) object group.
|
Step 8 |
Repeat the steps until you have specified objects on which you want to base your object group. |
— |
Step 9 |
end Example:
|
Exits network object-group configuration mode and returns to privileged EXEC mode. |
Creating a Service Object Group
Use a service object group to specify TCP and/or UDP ports or port ranges. When the service object group is associated with an access control list (ACL), this service object-group-based ACL can control access to ports.
Procedure
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode. Enter your password, if prompted. |
Step 2 |
configure terminal Example:
|
Enters global configuration mode. |
Step 3 |
object-group service object-group-name Example:
|
Defines an object group name and enters service object-group configuration mode. |
Step 4 |
description description-text Example:
|
(Optional) Specifies a description of the object group.
|
Step 5 |
protocol Example:
|
(Optional) Specifies an IP protocol number or name. |
Step 6 |
{tcp | udp | tcp-udp} [source {{[eq ] | lt | gt } port1 | range port1 port2 }] [{[eq ] | lt | gt } port1 | range port1 port2 ] Example:
|
(Optional) Specifies TCP, UDP, or both. |
Step 7 |
icmp icmp-type Example:
|
(Optional) Specifies the decimal number or name of an Internet Control Message Protocol (ICMP) type. |
Step 8 |
group-object nested-object-group-name Example:
|
(Optional) Specifies a nested (child) object group to be included in the current (parent) object group.
|
Step 9 |
Repeat the steps to specify the objects on which you want to base your object group. |
— |
Step 10 |
end Example:
|
Exits service object-group configuration mode and returns to privileged EXEC mode. |
Creating an Object-Group-Based ACL
When creating an object-group-based access control list (ACL), configure an ACL that references one or more object groups. As with conventional ACLs, you can associate the same access policy with one or more interfaces.
You can define multiple access control entries (ACEs) that reference object groups within the same object-group-based ACL. You can also reuse a specific object group in multiple ACEs.
Perform this task to create an object-group-based ACL.
Procedure
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode. Enter your password, if prompted. |
Step 2 |
configure terminal Example:
|
Enters global configuration mode. |
Step 3 |
ip access-list extended access-list-name Example:
|
Defines an extended IP access list using a name and enters extended access-list configuration mode. |
Step 4 |
remark remark Example:
|
(Optional) Adds a comment about the configured access list entry.
|
Step 5 |
deny protocol source [source-wildcard ] destination [destination-wildcard ] [option option-name ] [precedence precedence ] [tos tos ] [established ] [log | log-input ] [time-range time-range-name ] [fragments ] Example:
|
(Optional) Denies any packet that matches all conditions specified in the statement.
|
Step 6 |
remark remark Example:
|
(Optional) Adds a comment about the configured access list entry.
|
Step 7 |
permit protocol source [source-wildcard ] destination [destination-wildcard ] [option option-name ] [precedence precedence ] [tos tos ] [established ] [log | log-input ] [time-range time-range-name ] [fragments ] Example:
|
Permits any packet that matches all conditions specified in the statement.
|
Step 8 |
Repeat the steps to specify the fields and values on which you want to base your access list. |
Remember that all sources not specifically permitted are denied by an implicit deny statement at the end of the access list. |
Step 9 |
end Example:
|
Exits extended access-list configuration mode and returns to privileged EXEC mode. |
Applying an Object Group-Based ACL to an Interface
Use the ip access-group command to apply an object group-based ACL to an interface. An object group-based access control list (ACL) can be used to control traffic on the interface it is applied to.
Perform this task to apply an object group-based ACL to an interface.
Procedure
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode. Enter your password, if prompted. |
Step 2 |
configure terminal Example:
|
Enters global configuration mode. |
Step 3 |
interface type number Example:
|
Specifies the interface and enters interface configuration mode. |
Step 4 |
ip access-group {access-list-name | access-list-number } {in | out } Example:
|
Applies the ACL to the interface and specifies whether to filter inbound or outbound packets. |
Step 5 |
end Example:
|
Exits interface configuration mode and returns to privileged EXEC mode. |
Verifying Object Groups for ACLs
Procedure
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode. Enter your password, if prompted. |
Step 2 |
show object-group [object-group-name ] Example:
|
Displays the configuration in the named or numbered object group (or in all object groups if no name is entered). |
Step 3 |
show ip access-list [access-list-name ] Example:
|
Displays the contents of the named or numbered access list or object group-based ACL (or for all access lists and object group-based ACLs if no name is entered). |
Configuration Examples for Object Groups for ACLs
Example: Creating a Network Object Group
The following example shows how to create a network object group named my-network-object-group, which contains two hosts and a subnet as objects:
Device> enable
Device# configure terminal
Device(config)# object-group network my-network-object-group
Device(config-network-group)# description test engineers
Device(config-network-group)# host 209.165.200.237
Device(config-network-group)# host 209.165.200.238
Device(config-network-group)# 209.165.200.241 255.255.255.224
Device(config-network-group)# end
The following example shows how to create a network object group named my-company-network, which contains two hosts, a subnet, and an existing object group (child) named my-nested-object-group as objects:
Device> enable
Device# configure terminal
Device(config)# object-group network my-company-network
Device(config-network-group)# host host1
Device(config-network-group)# host 209.165.200.242
Device(config-network-group)# 209.165.200.225 255.255.255.224
Device(config-network-group)# group-object my-nested-object-group
Device(config-network-group)# end
Example: Creating a Service Object Group
The following example shows how to create a service object group named my-service-object-group, which contains several ICMP, TCP, UDP, and TCP-UDP protocols and an existing object group named my-nested-object-group as objects:
Device> enable
Device# configure terminal
Device(config)# object-group service my-service-object-group
Device(config-service-group)# icmp echo
Device(config-service-group)# tcp smtp
Device(config-service-group)# tcp telnet
Device(config-service-group)# tcp source range 1 65535 telnet
Device(config-service-group)# tcp source 2000 ftp
Device(config-service-group)# udp domain
Device(config-service-group)# tcp-udp range 2000 2005
Device(config-service-group)# group-object my-nested-object-group
Device(config-service-group)# end
Example: Creating an Object Group-Based ACL
The following example shows how to create an object-group-based ACL that permits packets from the users in my-network-object-group if the protocol ports match the ports specified in my-service-object-group:
Device> enable
Device# configure terminal
Device(config)# ip access-list extended my-ogacl-policy
Device(config-ext-nacl)# permit object-group my-service-object-group object-group my-network-object-group any
Device(config-ext-nacl)# deny tcp any any
Device(config-ext-nacl)# end
Applying an Object Group-Based ACL to an Interface
Use the ip access-group command to apply an object group-based ACL to an interface. An object group-based access control list (ACL) can be used to control traffic on the interface it is applied to.
Perform this task to apply an object group-based ACL to an interface.
Procedure
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode. Enter your password, if prompted. |
Step 2 |
configure terminal Example:
|
Enters global configuration mode. |
Step 3 |
interface type number Example:
|
Specifies the interface and enters interface configuration mode. |
Step 4 |
ip access-group {access-list-name | access-list-number } {in | out } Example:
|
Applies the ACL to the interface and specifies whether to filter inbound or outbound packets. |
Step 5 |
end Example:
|
Exits interface configuration mode and returns to privileged EXEC mode. |
Example: Verifying Object Groups for ACLs
The following example shows how to display all object groups:
Device# show object-group
Network object group auth-proxy-acl-deny-dest
host 209.165.200.235
Service object group auth-proxy-acl-deny-services
tcp eq www
tcp eq 443
Network object group auth-proxy-acl-permit-dest
209.165.200.226 255.255.255.224
209.165.200.227 255.255.255.224
209.165.200.228 255.255.255.224
209.165.200.229 255.255.255.224
209.165.200.246 255.255.255.224
209.165.200.230 255.255.255.224
209.165.200.231 255.255.255.224
209.165.200.232 255.255.255.224
209.165.200.233 255.255.255.224
209.165.200.234 255.255.255.224
Service object group auth-proxy-acl-permit-services
tcp eq www
tcp eq 443
The following example shows how to display information about specific object-group-based ACLs:
Device# show ip access-list my-ogacl-policy
Extended IP access list my-ogacl-policy
10 permit object-group eng_service any any
Additional References for Object Groups for ACLs
Related Documents
Related Topic |
Document Title |
---|---|
Security commands |
|
ACL configuration guide |
Security Configuration Guide: Access Control Lists |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature History for Object Groups for ACLs
This table provides release and related information for the features explained in this module.
These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.
Release |
Feature |
Feature Information |
---|---|---|
Cisco IOS XE Gibraltar 16.12.1 |
Object Groups for ACLs |
The Object Groups for ACLs feature lets you classify users, devices, or protocols into groups and apply them to access control lists (ACLs) to create access control policies for those groups. This feature lets you use object groups instead of individual IP addresses, protocols, and ports, which are used in conventional ACLs. This feature allows multiple access control entries (ACEs), but now you can use each ACE to allow an entire group of users to access a group of servers or services or to deny them from doing so. |
Use the Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to https://cfnng.cisco.com/.