Sep 22

You have just been given a shiny, new router to configure.  As part of the configuration, you are asked to configure an outbound access list which will only permit traffic through to specific destinations.  Here are the requirements that you are given for your access-list:

Match (and permit) the following destinations using an access-list.  Your access list should use the fewest number of lines, and should not overlap any other address space.

Anything within the 10.0.0.0/8 address space.
Anything within the 172.16.0.0/12 address space.
Anything within the 192.168.0.0/16 address space.
Anything within the 169.254.0.0/16 address space.

Be warned, it is estimated that a very high percentage of readers will NOT have the correct answer.

access-list 199 permit ip any object-group TEST

What just happened here?  Can you really match those in a single line?  The answer deals with object groups, which allow grouping of other items.  The object group still needs to be configured, but the question just asked for a short access list.

You can enter each network either in /x prefix-length notation or with a dotted subnet mask, as shown in the following examples:

object-group network TEST
 10.0.0.0 /8
 172.16.0.0 /12
 192.168.0.0 /16
 169.254.0.0 /16

The router converts the syntax on entry, and the following is what remains in your config for the group:

object-group network TEST
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
 169.254.0.0 255.255.0.0

You can also nest object groups.  You could configure the individual groups as follows:

object-group network A
 10.0.0.0 /8
object-group network B
 172.16.0.0 /12
object-group network C
 192.168.0.0 /16

object-group network RFC1918
 group-object A
 group-object B
 group-object C

object-group network APIPA
 169.254.0.0 /16

object-group network TEST
 group-object RFC1918
 group-object APIPA
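To see what the router is doing with the two configurations above (mask normalisation from /x to dotted form, and resolution of nested group-object references into one flat set of networks), here is an added example in Python that is not part of the original post and has nothing to do with IOS itself: it parses the nested object-group text, flattens it, renders each entry the way the post says it is stored, checks that no two entries overlap (one of the challenge requirements), and then evaluates a destination address the way "permit ip any object-group TEST" would. The sample configuration string is constructed from the post's own groups; the function names are my own.

```python
import ipaddress

# Constructed sample: the nested object-group configuration from the post.
# Entries deliberately mix "/x" and dotted-mask forms, as the CLI accepts both.
SAMPLE_CONFIG = """\
object-group network A
 10.0.0.0 255.0.0.0
object-group network B
 172.16.0.0 255.240.0.0
object-group network C
 192.168.0.0 /16
object-group network RFC1918
 group-object A
 group-object B
 group-object C
object-group network APIPA
 169.254.0.0 /16
object-group network TEST
 group-object RFC1918
 group-object APIPA
"""


def parse_object_groups(text):
    """Parse 'object-group network' stanzas into {name: [entries]}.

    Each entry is ('net', IPv4Network) or ('group', referenced_name).
    strict=True rejects an address with host bits set (e.g. 10.0.0.1 /8),
    which would otherwise silently hide a typo in the prefix.
    """
    groups = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = []
        elif current is None:
            raise ValueError(f"entry outside any object-group: {line!r}")
        elif line.startswith("group-object "):
            groups[current].append(("group", line.split()[1]))
        else:
            addr, mask = line.split()
            # ipaddress accepts both a prefix length and a dotted netmask here.
            net = ipaddress.ip_network(f"{addr}/{mask.lstrip('/')}", strict=True)
            groups[current].append(("net", net))
    return groups


def flatten(groups, name, _stack=()):
    """Resolve nested group-object references into a flat list of networks.

    Raises on an undefined group or a circular reference (A -> B -> A).
    """
    if name in _stack:
        raise ValueError(f"circular group-object reference via {name}")
    if name not in groups:
        raise KeyError(f"undefined object-group {name}")
    nets = []
    for kind, value in groups[name]:
        if kind == "net":
            nets.append(value)
        else:
            nets.extend(flatten(groups, value, _stack + (name,)))
    return nets


def render_normalized(nets):
    """Render each entry as 'address dotted-mask', the stored form the post shows."""
    return [f"{n.network_address} {n.netmask}" for n in nets]


def find_overlaps(nets):
    """Return every pair of entries where one network overlaps the other."""
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def permitted(nets, dst):
    """Emulate 'permit ip any object-group TEST' for a destination address."""
    ip = ipaddress.ip_address(dst)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    groups = parse_object_groups(SAMPLE_CONFIG)
    nets = flatten(groups, "TEST")
    print("object-group network TEST (flattened)")
    for line in render_normalized(nets):
        print(" " + line)
    print("overlapping entries:", find_overlaps(nets))
    for dst in ("10.1.2.3", "172.31.255.254", "172.32.0.1", "169.254.1.1", "8.8.8.8"):
        print(f"{dst:>16} permitted={permitted(nets, dst)}")
```

The overlap check is the part worth keeping around: when someone later appends, say, a /24 that already sits inside 10.0.0.0/8, the ACL still behaves but the extra line is dead weight and makes later audits harder, and the same function flags a nested group that is referenced twice.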

Here, we took a brief look at network object groups.  Object groups on the router also have a “service” option, which can be used to group protocols and ports. For those of you with a background configuring PIX / ASA, you may already be very familiar with configuring object groups.  For the rest of you, it may be something that you want to practice before your next scheduled lab date.

For more reading:
Cisco – Object Groups for ACLs

Object groups were added in 12.4(20)T.



7 Responses to “Access List Challenge”

 
  1. Puneet says:

    You can find this feature in DOC CD under

    Security & VPN -> Secure Data Plane document:

    Security and VPN
    Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T

  2. Anantha Subramanian Natarajan says:

    Very Nice one and thanks for sharing

    Regards
    Anantha Subramanian Natarajan

  3. Robert Roark says:

    Thank you! Very good information to know.

  4. Rack009 says:

    Thanks MG, I always wondered when this feature would appear on an IOS router – I got my answer now.

    Thanks.

  5. Erick says:

    This is great stuff. Thanks for sharing your knowledge with us.

  6. Peter Jordan, CCIE #25268 says:

    Remember to use the right IOS version with this:
    http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml
    (Just released by Cisco)

  7. Jatin says:

    Amazing…I was like ..uh …hello…I wondered object groups were only in PIX/ASA but voila ..look what we have got here.

    Thanks. You proved why you are one of the CCIEs.
