This time I want to share something about object groups in Cisco IOS commands. Take the following example: suppose we have an access list that we want to add to a router, like this:
ip access-list extended inside-in
access-list inside-in extended permit tcp 10.1.10.0 255.255.255.0 any eq www
access-list inside-in extended permit tcp 10.1.10.0 255.255.255.0 any eq https
access-list inside-in extended permit tcp 10.1.10.0 255.255.255.0 any eq ftp
access-list inside-in extended permit tcp 10.1.10.0 255.255.255.0 any eq ftp-data
access-list inside-in extended permit tcp 10.1.10.0 255.255.255.0 any eq ssh
access-list inside-in extended permit tcp 10.1.10.0 255.255.255.0 any eq telnet
access-list inside-in extended permit tcp 10.1.20.0 255.255.255.0 any eq www
access-list inside-in extended permit tcp 10.1.20.0 255.255.255.0 any eq https
access-list inside-in extended permit tcp 10.1.20.0 255.255.255.0 any eq ftp
access-list inside-in extended permit tcp 10.1.20.0 255.255.255.0 any eq ftp-data
access-list inside-in extended permit tcp 10.1.20.0 255.255.255.0 any eq ssh
access-list inside-in extended permit tcp 10.1.20.0 255.255.255.0 any eq telnet

If we want to add another port, say smtp, we have to create new ACL entries like this:
access-list inside-in extended permit tcp 10.1.10.0 255.255.255.0 any eq smtp
access-list inside-in extended permit tcp 10.1.20.0 255.255.255.0 any eq smtp

Now compare this with using the object-group command:
router#conf t
router(config)#
object-group service USER-TCP tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
port-object eq telnet
port-object eq smtp

object-group network USER
network-object 10.1.10.0 255.255.255.0
network-object 10.1.20.0 255.255.255.0

We then write the access list as follows:
access-list inside-in extended permit tcp object-group USER any object-group USER-TCP

So if we want to grant access to another port, we only need to add the port number/name to the object-group service USER-TCP tcp; likewise, if we want to add a host/segment that may reach the ports defined in the service object group, we just add that host/segment to the object-group network USER.
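When auditing a policy written with object groups, it helps to expand the single object-group ACE back into the flat per-network, per-port ACEs it stands for, so the effective rule set can be compared against the original long-hand list. The following Python script is an added example, not part of the original post; it assumes the expansion is the cross product of the network-group and service-group members and only handles the "port-object eq" and "network-object <net> <mask>" forms used above.

```python
"""Expand a Cisco object-group ACE into the equivalent flat ACEs (added example)."""
import re

# The object groups from this post, embedded as constructed sample input.
OBJECT_GROUPS = """\
object-group service USER-TCP tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
 port-object eq ftp-data
 port-object eq ssh
 port-object eq telnet
 port-object eq smtp
object-group network USER
 network-object 10.1.10.0 255.255.255.0
 network-object 10.1.20.0 255.255.255.0
"""

GROUP_ACE = "access-list inside-in extended permit tcp object-group USER any object-group USER-TCP"


def parse_object_groups(text):
    """Return {group name: [member strings]} for service and network groups."""
    groups, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"object-group (?:service|network) (\S+)", line)
        if header:
            current = groups.setdefault(header.group(1), [])
        elif line.startswith("port-object eq "):
            current.append(line.split()[-1])            # e.g. "www"
        elif line.startswith("network-object "):
            current.append(" ".join(line.split()[1:]))  # e.g. "10.1.10.0 255.255.255.0"
    return groups


def expand_ace(ace, groups):
    """Expand one 'object-group SRC any object-group SVC' ACE into flat ACEs.

    Members are combined network-outer, port-inner, matching the order in
    which the long-hand list in the post was written."""
    m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) "
                 r"object-group (\S+) any object-group (\S+)$", ace)
    if not m:
        raise ValueError(f"unsupported ACE form: {ace}")
    name, action, proto, src_group, svc_group = m.groups()
    return [f"access-list {name} extended {action} {proto} {net} any eq {port}"
            for net in groups[src_group] for port in groups[svc_group]]


def expand_example():
    """Expand the post's object-group ACE; returns 2 networks x 7 ports = 14 ACEs."""
    return expand_ace(GROUP_ACE, parse_object_groups(OBJECT_GROUPS))


if __name__ == "__main__":
    print("\n".join(expand_example()))
```

Diffing this output against the device's long-hand ACL (or a previous expansion) is a quick way to confirm that a group edit added exactly the access you intended and nothing more.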
Hope this helps.