In addition to grouping individual objects, it is also possible to group
objects within a nested group. An object can be a member of a group. For object
groups to be nested, they must be of the same type. For example, two or more
Network object groups can be grouped together but a Protocol group and a
Network group cannot be grouped together. In the example shown in the figure,
the administrator configured hosts from the 10.0.0.0/24 network to form the
Inside_Eng object group. The administrator added hosts from the 10.0.1.0/24
network to form the Inside_Mktg object group. For some ACLs, the administrator
found it advantageous to combine the Inside_Eng and Inside_Mktg object groups
into the nested object group Inside_Networks and apply that nested object
group, Inside_Networks, to selected ACLs. Hierarchical object grouping
provides greater flexibility and modularity when specifying access rules.
The group-object command is used to construct hierarchical, or nested, object
groups. The group-object command, which is not to be confused with the
object-group command, places one object group into another.
The difference between object groups and group objects is as follows:
- An object group is a group consisting of objects.
- A group object is an object in a nested group and is itself a group.
Duplicate objects are allowed in an object group when the duplication results
from including group objects. For example, if object 1 is in both group A and
group B, a group C can be defined that includes both A and B. A group object
that would make the group hierarchy circular is not allowed. For example, if
group A includes group B, then group B cannot include group A.
Complete the following steps to configure nested object groups:
Step 1 Create an object group to be nested within another object group, such as Inside_Eng.
Step 2 Add the appropriate type of objects to the object group, such as 10.0.1.0/24.
Step 3 Assign an identity to the object group within which other object groups will be nested, such as Inside_Networks.
Step 4 Add the first object group to the second object group.
Step 5 Add any other objects that are required to the group, such as Inside_Mktg.
Nested Object Group Examples
In the figure, the access-list named ALL enables all hosts in HOSTGROUP1 and
HOSTGROUP2 to make outbound FTP connections. Without nesting, all the IP
addresses in HOSTGROUP1 and HOSTGROUP2 would have to be redefined in the
ALLHOSTS group. With nesting, however, the duplicated host definitions are
eliminated.
The figure illustrates multiple nested object groups configured so that one ACL
entry enables remote hosts 172.26.26.50 and 172.26.26.51 to initiate FTP and
SMTP connections to all local hosts in the ALLHOSTS group. Note that with object
grouping configured, only one ACL entry is required.
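The following is an added example, not configuration or code from the original page or from Cisco. It covers the five configuration steps, the duplicate and circular-reference rules, and the ALLHOSTS example above in one place: a small Python parser reads a constructed ASA-style configuration that nests Inside_Eng and Inside_Mktg into Inside_Networks and HOSTGROUP1 and HOSTGROUP2 into ALLHOSTS, validates that no group-object reference is undefined or circular, flattens a nested group into the networks it covers (so a host duplicated across two group objects appears once), and expands the single object-group ACL entry into the per-host entries it stands for. The host addresses in HOSTGROUP1 and HOSTGROUP2 and the 192.168.x.x values are constructed for the example; only the group names come from the text.

```python
import ipaddress

# Constructed ASA-style configuration (not from the page). Group names follow
# the text; the HOSTGROUP member addresses are made up. 192.168.1.11 is placed
# in both HOSTGROUP1 and HOSTGROUP2 on purpose, which is a permitted duplicate.
SAMPLE_CONFIG = """\
object-group network Inside_Eng
 network-object 10.0.0.0 255.255.255.0
object-group network Inside_Mktg
 network-object 10.0.1.0 255.255.255.0
object-group network Inside_Networks
 group-object Inside_Eng
 group-object Inside_Mktg
object-group network HOSTGROUP1
 network-object host 192.168.1.10
 network-object host 192.168.1.11
object-group network HOSTGROUP2
 network-object host 192.168.1.11
 network-object host 192.168.2.20
object-group network ALLHOSTS
 group-object HOSTGROUP1
 group-object HOSTGROUP2
access-list ALL extended permit tcp object-group ALLHOSTS any eq ftp
"""


def parse_object_groups(config):
    """Return {name: {"members": [ip_network...], "groups": [group names]}}
    for every 'object-group network' block in an ASA-style config."""
    groups = {}
    current = None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["object-group", "network"] and len(parts) == 3:
            # Re-entering an existing group appends to it, as the CLI does.
            current = parts[2]
            groups.setdefault(current, {"members": [], "groups": []})
        elif current is not None and parts[0] == "network-object":
            if parts[1] == "host":
                net = ipaddress.ip_network(parts[2])          # single host, /32
            else:
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")  # addr + mask
            groups[current]["members"].append(net)
        elif current is not None and parts[0] == "group-object":
            groups[current]["groups"].append(parts[1])
        else:
            current = None  # any other top-level command ends the group block
    return groups


def check_hierarchy(groups):
    """Return a list of error strings: undefined group-object references and
    circular inclusions (A includes B and B includes A). Empty list means OK."""
    errors = []
    state = {}  # name -> "visiting" while on the DFS path, "done" afterwards

    def visit(name, path):
        if name not in groups:
            errors.append(f"{path[-1]} references undefined group {name}")
            return
        if state.get(name) == "visiting":
            errors.append("circular: " + " -> ".join(path + [name]))
            return
        if state.get(name) == "done":
            return
        state[name] = "visiting"
        for child in groups[name]["groups"]:
            visit(child, path + [name])
        state[name] = "done"

    for name in groups:
        visit(name, [])
    return errors


def flatten(groups, name, seen=None):
    """Expand a (possibly nested) group into the set of networks it covers.
    Using a set collapses hosts duplicated across group objects into one entry."""
    if seen is None:
        seen = set()
    if name in seen:  # guard so a circular config cannot recurse forever
        return set()
    seen.add(name)
    nets = set(groups[name]["members"])
    for child in groups[name]["groups"]:
        nets |= flatten(groups, child, seen)
    return nets


def expand_acl(config, groups):
    """List the individual ACL entries that one 'object-group' ACE stands for,
    showing how many lines nesting saves the administrator."""
    expanded = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["access-list"] and "object-group" in parts:
            i = parts.index("object-group")
            for net in sorted(flatten(groups, parts[i + 1])):
                expanded.append(" ".join(parts[:i] + [str(net)] + parts[i + 2:]))
    return expanded


if __name__ == "__main__":
    g = parse_object_groups(SAMPLE_CONFIG)
    print("hierarchy errors:", check_hierarchy(g))
    print("Inside_Networks covers:", sorted(str(n) for n in flatten(g, "Inside_Networks")))
    print("\n".join(expand_acl(SAMPLE_CONFIG, g)))
```

Running the module shows that the single `access-list ALL ... object-group ALLHOSTS` entry expands to three host entries, not four, because the host present in both HOSTGROUP1 and HOSTGROUP2 is only counted once; appending a `group-object ALLHOSTS` line to HOSTGROUP1 makes `check_hierarchy` report the circular path, which is the configuration the text says the device will refuse.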