It is not compulsory to use object groups for every parameter in an access list. For example, object groups
can be used to group certain hosts and networks to be referenced in the source or destination address parameter,
or to group like services to be referenced in the port (operator) parameter, and so on. Object groups simplify
configuration and allow entries to be added, updated, and removed at a later stage without editing the access
list lines that reference them.
To illustrate the benefit of using an object group, observe access list 101 shown in Example 6-22, which has
10 deny statements blocking web (TCP port 80) traffic to selected web servers from selected hosts and networks.
The entries are repetitive and could be grouped together. Example 6-23 creates two object groups to cover the
repetition in these 10 lines, and Example 6-24 condenses the access list into a single line that references
these object groups.
Example 6-22. Regular ACL with No Object Groups
access-list 101 remark - ACL with no object groups
access-list 101 deny tcp host 10.1.1.52 host 209.165.201.1 eq www
access-list 101 deny tcp host 10.1.1.52 host 209.165.201.2 eq www
access-list 101 deny tcp host 10.1.1.13 host 209.165.201.1 eq www
access-list 101 deny tcp host 10.
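The consolidation described above, as an added example that is not from the book: a small Python script that reads a constructed access list (not the page's Example 6-22, which is truncated here), finds runs of entries that differ only in source and destination, and emits the object-group definitions together with the single access-list line that references them. The group names OG1-SRC and OG1-DST are assumptions, and the consolidated line is rendered in the same numbered access-list form the page's examples use. The script also adds the check a practitioner wants before doing this by hand: a run is merged only when its source/destination pairs form a full cross product, because an object-group line matches every listed source against every listed destination, so merging a partial set would silently widen the policy.

```python
"""Consolidate runs of repetitive IOS extended-ACL entries into object groups.

Added example, not code from the book. The ACLs below are constructed for the
demonstration and are not the page's Example 6-22.
"""
import ipaddress
import re
from itertools import groupby

# Constructed input: six deny lines repeating three sources against two web servers.
SAMPLE_ACL = """\
access-list 101 remark - constructed sample, not the book's example
access-list 101 deny tcp host 10.1.1.52 host 209.165.201.1 eq www
access-list 101 deny tcp host 10.1.1.52 host 209.165.201.2 eq www
access-list 101 deny tcp host 10.1.1.13 host 209.165.201.1 eq www
access-list 101 deny tcp host 10.1.1.13 host 209.165.201.2 eq www
access-list 101 deny tcp 10.2.2.0 0.0.0.255 host 209.165.201.1 eq www
access-list 101 deny tcp 10.2.2.0 0.0.0.255 host 209.165.201.2 eq www
access-list 101 permit ip any any
"""

# Constructed input whose pairs are NOT a full cross product: must stay as two lines.
PARTIAL_ACL = """\
access-list 102 deny tcp host 10.1.1.52 host 209.165.201.1 eq www
access-list 102 deny tcp host 10.1.1.13 host 209.165.201.2 eq www
"""

ADDR = r"host \S+|any|\d[\d.]* \d[\d.]*"
ACE_RE = re.compile(
    rf"^access-list (?P<num>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>{ADDR}) (?P<dst>{ADDR})(?: eq (?P<port>\S+))?$"
)


def to_network(token):
    """Map an ACL address token (host x / any / address wildcard) to an ipaddress network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, wildcard = token.split()
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # wildcard bits must be contiguous low-order ones for a netmask to exist
        raise ValueError(f"non-contiguous wildcard cannot become an object-group entry: {token}")
    # strict=False mirrors IOS, which masks off host bits in the address itself
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def ace_addr(net):
    """Render a network back in access-list form (address wildcard)."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def og_entry(net):
    """Render a network as an object-group network member (address netmask)."""
    if net.prefixlen == 32:
        return f" host {net.network_address}"
    return f" {net.network_address} {net.netmask}"


def parse_acl(text):
    """Parse access-list lines into dicts; remarks are skipped, anything else unparsed is an error."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or " remark " in line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE: {line}")
        ace = m.groupdict()
        ace["src"], ace["dst"] = to_network(ace["src"]), to_network(ace["dst"])
        aces.append(ace)
    return aces


def consolidate(text, prefix="OG"):
    """Return (object_group_config, acl_config, merged_run_count).

    Only ADJACENT entries sharing list number, action, protocol and port are merged
    (first-match evaluation makes reordering across other entries unsafe), and only
    when their src/dst pairs form a full cross product, since an object-group line
    matches every source against every destination.
    """
    groups, acl, merged = [], [], 0
    key = lambda a: (a["num"], a["action"], a["proto"], a["port"])
    for (num, action, proto, port), run in groupby(parse_acl(text), key=key):
        run = list(run)
        srcs = sorted({a["src"] for a in run})
        dsts = sorted({a["dst"] for a in run})
        pairs = {(a["src"], a["dst"]) for a in run}
        suffix = f" eq {port}" if port else ""
        if len(run) < 2 or pairs != {(s, d) for s in srcs for d in dsts}:
            for a in run:  # leave the run as written rather than widen the policy
                acl.append(f"access-list {num} {action} {proto} "
                           f"{ace_addr(a['src'])} {ace_addr(a['dst'])}{suffix}")
            continue
        merged += 1
        operands = []
        for role, nets in (("SRC", srcs), ("DST", dsts)):
            if len(nets) == 1:  # no repetition on this side, so no group is needed
                operands.append(ace_addr(nets[0]))
                continue
            name = f"{prefix}{merged}-{role}"  # assumed naming convention
            groups.append(f"object-group network {name}")
            groups.extend(og_entry(n) for n in nets)
            operands.append(f"object-group {name}")
        acl.append(f"access-list {num} {action} {proto} {operands[0]} {operands[1]}{suffix}")
    return "\n".join(groups), "\n".join(acl), merged


if __name__ == "__main__":
    og, acl, n = consolidate(SAMPLE_ACL)
    print(og)
    print(acl)
    print(f"# merged runs: {n}")
```

Run against SAMPLE_ACL the script produces one network group of three sources, one of two destinations, a single deny line referencing both, and the trailing permit unchanged; PARTIAL_ACL is left as two lines because merging it would also deny 10.1.1.52 to 209.165.201.2 and 10.1.1.13 to 209.165.201.1, which the original never matched.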