Improve manageability with network objects

Managing the permissions and rules for resources on the network can be a complex task when you need to make changes. Fortunately, network objects simplify administration by allowing you to group several related resources into one "object." Rules can then be set for the object as a whole. Any change to the settings for the object automatically applies to its members, eliminating the need for separate configuration changes to each network resource. Also, by giving network objects logical and understandable names, you can help new IT staff learn the network architecture more quickly.

Two of the most commonly used network objects are IP address objects and service objects. IP address objects (also called, simply, "network objects") allow you to group together hosts, subnets, IP ranges, and even fully qualified domain names into a single object. Service objects allow you to group together various services, including the protocols (e.g., TCP, UDP) and the ports used.

When configuring access control lists, you use the "object network" command to define IP address objects and "object service" to define service objects.

To set rules for multiple objects at once, Cisco also allows you to create groups of objects. These are called object groups. To create them, use the "object-group network" and "object-group service" commands.
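The configuration below is an added example, not part of the original post, showing the four commands working together. It assumes Cisco ASA 8.3 or later syntax; all object names, the ACL name, the interface name and the addresses (documentation ranges) are constructed for illustration.

```cisco
! IP address objects: one object per host, subnet or range
object network WEB-SRV-01
 host 192.0.2.10
object network WEB-SRV-02
 host 192.0.2.11
object network DMZ-STAGING
 subnet 198.51.100.0 255.255.255.0
object network DMZ-POOL
 range 203.0.113.20 203.0.113.30
!
! Service object: protocol plus port
object service HTTPS-SVC
 service tcp destination eq 443
!
! Object groups: collect objects so one rule covers all members
object-group network WEB-SERVERS
 network-object object WEB-SRV-01
 network-object object WEB-SRV-02
object-group service WEB-PORTS
 service-object object HTTPS-SVC
 service-object tcp destination eq 80
!
! A single ACL entry references the groups instead of listing
! every host and port combination separately
access-list OUTSIDE-IN extended permit object-group WEB-PORTS any object-group WEB-SERVERS
access-group OUTSIDE-IN in interface outside
!
! Adding a server later changes only the group, not the ACL:
object network WEB-SRV-03
 host 192.0.2.12
object-group network WEB-SERVERS
 network-object object WEB-SRV-03
```

Because the ACL references the groups by name, reviewing who can reach what means reading the group membership, so keep group names specific and audit members when servers are decommissioned.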
