Johan,
I would have recommended the links that Mohamed did as well. Basically it
comes down to the order that you entered them in. See the output below.
First I created a network object-group:
ciscoasa(config)# object-g net NETS
Then I added 5 hosts. Notice the order:
ciscoasa(config-network)# network-object host 10.1.1.1
ciscoasa(config-network)# network-object host 10.1.1.2
ciscoasa(config-network)# network-object host 10.1.1.3
ciscoasa(config-network)# network-object host 10.1.1.4
ciscoasa(config-network)# network-object host 10.1.1.5
ciscoasa(config-network)# ex
Then I added the object-group to an ACL entry:
ciscoasa(config)# access-l OBJTEST permit ip obj NETS any
And finally when you show access-list you can see that the expanded entries
coincide with the order of entry for the object group.
ciscoasa(config)# sh access-l
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OBJTEST; 5 elements; name hash: 0x91a70a61
access-list OBJTEST line 1 extended permit ip object-group NETS any 0xd35b6723
access-list OBJTEST line 1 extended permit ip host 10.1.1.1 any (hitcnt=0) 0x6dbb635b
access-list OBJTEST line 1 extended permit ip host 10.1.1.2 any (hitcnt=0) 0xdc67b49b
access-list OBJTEST line 1 extended permit ip host 10.1.1.3 any (hitcnt=0) 0x1889b285
access-list OBJTEST line 1 extended permit ip host 10.1.1.4 any (hitcnt=0) 0xf71d9161
access-list OBJTEST line 1 extended permit ip host 10.1.1.5 any (hitcnt=0) 0x7b7029e2
ciscoasa(config)#
Hope that helps.
Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
On Apr 22, 2010, at 8:31 PM, Johan Bornman wrote:
> Hi,
>
> I am having difficulty finding a good Cisco doc about object groups. My
> question is about the ACL. Is there any logic to the sequence/position of the
> object groups applied in the ACL?
>
> Thanks
>
> Johan
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
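An added example, not part of the messages above: a Python parser for the "sh access-l" output shown in the reply. It groups the expanded entries under their ACL line so the expansion order can be compared with the order the hosts were entered. The function names are hypothetical; the sample is the reply's own output, with two hash values left wrapped onto their own lines.

```python
import re

# Sample: the "sh access-l" output from the reply; two hash values are left
# wrapped onto their own line, as mail clients tend to do with long lines.
SAMPLE = """\
access-list OBJTEST; 5 elements; name hash: 0x91a70a61
access-list OBJTEST line 1 extended permit ip object-group NETS any 0xd35b6723
access-list OBJTEST line 1 extended permit ip host 10.1.1.1 any (hitcnt=0)
0x6dbb635b
access-list OBJTEST line 1 extended permit ip host 10.1.1.2 any (hitcnt=0)
0xdc67b49b
access-list OBJTEST line 1 extended permit ip host 10.1.1.3 any (hitcnt=0) 0x1889b285
access-list OBJTEST line 1 extended permit ip host 10.1.1.4 any (hitcnt=0) 0xf71d9161
access-list OBJTEST line 1 extended permit ip host 10.1.1.5 any (hitcnt=0) 0x7b7029e2
"""

ACE = re.compile(r"access-list (\S+) line (\d+) extended (.+?)"
                 r"(?: \(hitcnt=(\d+)\))? (0x[0-9a-f]+)$")

def unwrap(text):
    """Rejoin a hash value that was wrapped onto a line of its own."""
    lines = []
    for raw in text.splitlines():
        s = raw.strip()
        if lines and re.fullmatch(r"0x[0-9a-f]+", s):
            lines[-1] += " " + s
        elif s:
            lines.append(s)
    return lines

def parse(text):
    """Map (acl, line) to the configured rule and its expansions, in output order."""
    acl_lines = {}
    for line in unwrap(text):
        m = ACE.match(line)
        if not m:
            continue  # summary and header lines carry no "line N extended"
        acl, num, rule, hits, _hash = m.groups()
        key = (acl, int(num))
        if key not in acl_lines:  # first entry for a line number: the configured rule
            acl_lines[key] = {"rule": rule, "hits": hits, "expanded": []}
        else:                     # later entries with the same number: expansions
            acl_lines[key]["expanded"].append((rule, int(hits or 0)))
    return acl_lines

def expanded_hosts(text, acl, num):
    """Source hosts of the expanded entries, in the order the ASA lists them."""
    expanded = parse(text)[(acl, num)]["expanded"]
    return [r.split()[3] for r, _ in expanded if r.split()[2] == "host"]
```

Comparing the list returned by expanded_hosts() with the network-object lines of the group shows whether the expansion follows the order of entry, as it does in the output above.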