Object Groups
Object groups allow a group of networks, IP addresses, protocols, or services to be referenced with a single name. This is extremely helpful when youâre configuring complex access lists. Take the situation shown in Figure 28-2. There are three web servers, each of which offers the same three protocols: SMTP (TCP port 25), HTTP (TCP port 80), and HTTPS (TCP port 443).
Figure 28-2. Complex access list scenario
Note
This example shows a collocated website. On a normal enterprise network, web servers should not reside on the inside network, but rather in a DMZ. Of course, ânormalâ is a very subjective word.
Because the IP addresses of the three servers are not in a range that can be addressed with a single subnet mask, each server must have its own access list entry. Additionally, there must be an entry for each protocol for each server.
As a result, you must configure nine access list entries to allow each of the three protocols to these three servers:
access-list In permit tcp any host 192.168.1.101 eq smtp access-list In permit tcp any host 192.168.1.101 eq www access-list In permit tcp any host 192.168.1.101 eq https access-list In permit tcp any host 192.168.1.201 eq smtp access-list In permit tcp any host 192.168.1.201 eq www access-list In permit tcp any host 192.168.1.201 eq https access-list In permit tcp any host 192.168.1.228 eq smtp access-list In permit tcp ...
Get Network Warrior, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.