The use of object-groups in Cisco IOS Software

Access Control Lists (ACLs) have been available for quite while and represent a very useful resource for activities such as packet filtering and traffic classification. This latter usage of ACLs has applications in many practical scenarios, some of which are listed below:

  • Filtering routing updates
  • Defining the interesting traffic to be encrypted by an IPSec tunnel
  • Establishing traffic that will undergo Network Address Translation (NAT)
  • Differentiate traffic classes using criteria such as source and destination addresses, IP protocol type and L4 ports involved.

Cisco IOS 12.4.20T added support to object-groups, a feature that undoubtedly helps anyone that needs to deal with access-lists. Figure 1 brings a set of sample network and service object-groups and teaches how to display those groups already configured.

Figure 1: Sample IOS object-groups

Figure 2 demonstrates the structure of the IOS Access Control Lists that employ object-groups. It should be observed that the logic of ACL contruction, in this case, is a bit different. Instead of specifying a sequence of sources, destinations and services, this new type of IOS ACL refers to service object-groups, source network object-groups and destination network object-groups (in this order). Figure 2 includes a practical example of IOS ACL that uses the sample object-groups defined in Figure 1.

Figure 2: Structure of IOS Access Control Lists (ACLs) that use object-groups

Figure 2 brings some additional information about Cisco IOS:
  • The ip access-list logging hash-generation command is used to correlate an Access Control Entry (ACE) enabled for logging with the Syslog message it generates. This important feature was introduced in IOS 12.4.22T and may be used by management tools to locate an entry in the rule table upon receipt of a Syslog message.
  • The show running-config | section command was used to display the  occurrences of access-list statements. Notice that this is more than a simple string match.
** Topics for study:
  • Investigate how the show running-config | section command compares with other CLI output filtering options such as show run | include and show run | begin.
  • Contrast the construction logic of IP extended ACLs with the access-lists presented in this post.
  • Reproduce the network topology shown in Figure 1 ( including the ACL and object-groups) and analyze the log messages issued by the IOS router.
  • Research the other options available for the object-group command. Is it possible to specify a range of IP addresses ?

Leave a comment

Filed under English, Firewalls, Security

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s