Adding Object Groups; Adding A Protocol Object Group; Adding A Network Object Group; Adding A Service Object Group - Cisco Catalyst 6500 Series Configuration Manual

Chapter 10
Controlling Network Access with Access Control Lists
Simplifying Access Control Lists with Object Grouping

Note  The ACE system limit applies to expanded ACLs. If you use object groups in ACEs, the number of actual ACEs that you enter is fewer, but the number of expanded ACEs is the same as without object groups. In many cases, object groups create more ACEs than if you added them manually, because creating ACEs manually leads you to summarize addresses more than an object group does. To view the number of expanded ACEs in an ACL, enter the show access-list acl_name command.

Adding Object Groups

This section describes how to add object groups, and includes the following topics:
• Adding a Protocol Object Group, page 10-19
• Adding a Network Object Group, page 10-20
• Adding a Service Object Group, page 10-20
• Adding an ICMP Type Object Group, page 10-21

Note  If you add new members to an existing object group that is already in use by an ACE in a large ACL, recommitting the ACL can take a long time, depending on the size of the ACL and the object group. In some cases, making this change can cause the FWSM to devote over an hour to committing the ACL, during which time you cannot access the terminal. We recommend that you first remove the ACE that refers to the object group, make your change, and then add the ACE back to the ACL. See the "Manually Committing Access Control Lists and Rules" section on page 10-24 to insert an ACE in an ACL.

Adding a Protocol Object Group

To add or change a protocol object group, follow these steps. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.

To add a protocol group, follow these steps:

Step 1  To add a protocol group, enter the following command:
        FWSM/contexta(config)# object-group protocol grp_id
        The grp_id is a text string up to 64 characters in length.
        The prompt changes to the protocol subcommand mode.

Step 2  (Optional) To add a description, enter the following command:
        FWSM/contexta(config-protocol)# description text
        The description can be up to 200 characters.

Step 3  To define the protocols in the group, enter the following command for each protocol:
        FWSM/contexta(config-protocol)# protocol-object protocol

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01    10-19
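The procedure above as a constructed end-to-end CLI session, added here and not taken from the guide; the group name WEB_PROTOCOLS, the ACL name outside_in, the interface name outside and the 10.1.1.0/24 subnet are assumed placeholders. It also carries out the safe change sequence from the Note above (remove the referencing ACE, change the group, add the ACE back) so the FWSM does not recommit a large ACL while the group is still in use:

```text
! Constructed example, not from the guide. WEB_PROTOCOLS, outside_in,
! the interface name "outside" and 10.1.1.0/24 are placeholder values.

! Steps 1-3: create the protocol object group and add its members.
FWSM/contexta(config)# object-group protocol WEB_PROTOCOLS
FWSM/contexta(config-protocol)# description Protocols permitted to the web tier
FWSM/contexta(config-protocol)# protocol-object tcp
FWSM/contexta(config-protocol)# protocol-object udp
FWSM/contexta(config-protocol)# exit

! Reference the group from a single ACE instead of one ACE per protocol,
! then apply the ACL to an interface.
FWSM/contexta(config)# access-list outside_in permit object-group WEB_PROTOCOLS any 10.1.1.0 255.255.255.0
FWSM/contexta(config)# access-group outside_in in interface outside

! The group is expanded into one ACE per member; this shows the expanded
! ACEs, which is what counts against the ACE system limit.
FWSM/contexta(config)# show access-list outside_in

! Changing a group that an ACE already references forces a recommit of the
! whole ACL. Remove the referencing ACE first, change the group, re-add the ACE.
FWSM/contexta(config)# no access-list outside_in permit object-group WEB_PROTOCOLS any 10.1.1.0 255.255.255.0
FWSM/contexta(config)# object-group protocol WEB_PROTOCOLS
FWSM/contexta(config-protocol)# protocol-object icmp
FWSM/contexta(config-protocol)# no protocol-object udp
FWSM/contexta(config-protocol)# exit
FWSM/contexta(config)# access-list outside_in permit object-group WEB_PROTOCOLS any 10.1.1.0 255.255.255.0
```

Re-running the object-group block for the same group name only adds or removes the members you name; the existing members stay in place, as the procedure states.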
