This article applies to:
Question:
- Best practices for setting up IPGroup Subgroups
Information:
IPGroup Subgroups should be defined if you want a subset of the Master IPGroup's network range to receive a different profile. Because subgroups have a higher precedence than the Master IPGroup, any IP ranges not defined within a subgroup will still receive the profile set in the Master IPGroup.
Here is an example setup:
MasterIPGroup "TestMaster" - (members 10.0.0.0/8, profile Rule1)
|
----Subgroup "TestSub" - (members 10.1.0.0/16, profile Rule4)
With this setup, users in the 10.1.0.0/16 range will receive Rule4 as a profile since the "TestSub" Subgroup takes precedence over the Master IPGroup. All other IP addresses within 10.0.0.0/8 that are not in 10.1.0.0/16 will receive Rule1 via the "TestMaster" group.
Please note that it would not be necessary to create a Subgroup if the Subgroup and the Master IPGroup contains identical members. This is outlined in the following example:
MasterIPGroup "TestMaster" - (members 10.0.0.0/8, profile Rule1)
|
----Subgroup "TestSub" - (members 10.0.0.0/8, profile Rule4)
With this setup, users in the 10.0.0.0/8 range will ALWAYS receive Rule4 as a profile since the Subgroup takes precedence over the Master IPGroup. So the MasterIP profile will never get it's profile.