Cisco 4700M Configuration Manual page 53

Application control engine appliance security

Chapter 1
Configuring Security Access Control Lists
Simplifying Access Control Lists with Object Groups
host1/Admin(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.78 eq www
host1/Admin(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.78 eq www
host1/Admin(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.78 eq www
host1/Admin(config)# access-list ACL_IN extended permit ip any any
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# access-group input ACL_IN
Example of Configuring the Equivalent Extended ACL Using Object Groups
The following example shows how to configure the equivalent of the extended ACL in the "Example of Configuring an Extended ACL Without Object Groups" section using two network object groups, one for the inside hosts and one for the web servers. Notice how object groups simplify the configuration and make it easy to modify later to add more hosts:
host1/Admin(config)# object-group network DENIED
host1/Admin(config-objgrp-network)# host 10.1.1.4
host1/Admin(config-objgrp-network)# host 10.1.1.78
host1/Admin(config-objgrp-network)# host 10.1.1.89
host1/Admin(config)# object-group network WEB
host1/Admin(config-objgrp-network)# host 209.165.201.29
host1/Admin(config-objgrp-network)# host 209.165.201.16
host1/Admin(config-objgrp-network)# host 209.165.201.78
host1/Admin(config)# access-list ACL_IN remark "object-group acl to deny specific hosts"
host1/Admin(config)# access-list ACL_IN extended deny tcp object-group DENIED object-group WEB eq www
host1/Admin(config)# access-list ACL_IN extended permit ip any any
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# access-group input ACL_IN
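
The single object-group entry above stands for one explicit entry per pair of source host and web server. The following Python sketch, an added example that is not part of the Cisco guide, expands the page's commands into those entries so they can be compared line by line with an ACL written without object groups. The function names are hypothetical, and only `host` members of network object groups are handled.

```python
import itertools

# Object-group commands from this page, wrapped lines joined.
CONFIG = """\
host1/Admin(config)# object-group network DENIED
host1/Admin(config-objgrp-network)# host 10.1.1.4
host1/Admin(config-objgrp-network)# host 10.1.1.78
host1/Admin(config-objgrp-network)# host 10.1.1.89
host1/Admin(config)# object-group network WEB
host1/Admin(config-objgrp-network)# host 209.165.201.29
host1/Admin(config-objgrp-network)# host 209.165.201.16
host1/Admin(config-objgrp-network)# host 209.165.201.78
host1/Admin(config)# access-list ACL_IN remark "object-group acl to deny specific hosts"
host1/Admin(config)# access-list ACL_IN extended deny tcp object-group DENIED object-group WEB eq www
host1/Admin(config)# access-list ACL_IN extended permit ip any any
"""

def expand_entry(words, groups):
    """Expand one access-list entry into explicit host-to-host entries."""
    slots, i = [], 0
    while i < len(words):
        if words[i] == "object-group":
            # KeyError here means the ACL references an undefined group.
            slots.append([f"host {ip}" for ip in groups[words[i + 1]]])
            i += 2
        else:
            slots.append([words[i]])
            i += 1
    # Cartesian product: one entry per (source, destination) pair.
    return [" ".join(combo) for combo in itertools.product(*slots)]

def expand_acl(config):
    """Return every extended ACL entry with object groups expanded."""
    groups, members, entries = {}, None, []
    for raw in config.splitlines():
        prompt, sep, command = raw.partition("# ")
        words = command.split()
        if not sep or not words:
            continue
        if words[:2] == ["object-group", "network"]:
            members = groups.setdefault(words[2], [])
        elif words[0] == "host" and "objgrp-network" in prompt and members is not None:
            members.append(words[1])
        elif words[0] == "access-list" and words[2:3] == ["extended"]:
            entries.extend(expand_entry(words, groups))  # remark lines are skipped
    return entries

if __name__ == "__main__":
    print("\n".join(expand_acl(CONFIG)))
```

The output is nine deny entries followed by the permit entry; three of the deny entries are the ones to 209.165.201.78 shown at the top of this page.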
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
1-29
OL-16202-01


This manual is also suitable for:

4700 series
