Best practices for IPGroup Subgroups


This article applies to:

  • R3000
  • R3000IR

Question:

  • Best practices for setting up IPGroup Subgroups

Information:

IPGroup Subgroups should be defined if you want a subset of the Master IPGroup's network range to receive a different profile. Subgroups have a higher precedence than the Master IPGroup, so an address that falls within a subgroup receives the subgroup's profile, while any IP ranges not defined within a subgroup will still receive the profile set in the Master IPGroup.

Here is an example setup:

MasterIPGroup "TestMaster" - (members 10.0.0.0/8, profile Rule1)
   |
   ----Subgroup "TestSub" - (members 10.1.0.0/16, profile Rule4)

With this setup, users in the 10.1.0.0/16 range will receive Rule4 as a profile since the "TestSub" Subgroup takes precedence over the Master IPGroup. All other IP addresses within 10.0.0.0/8 that are not in 10.1.0.0/16 will receive Rule1 via the "TestMaster" group.

Please note that it is not necessary to create a Subgroup if the Subgroup and the Master IPGroup contain identical members. This is outlined in the following example:

MasterIPGroup "TestMaster" - (members 10.0.0.0/8, profile Rule1)
   |
   ----Subgroup "TestSub" - (members 10.0.0.0/8, profile Rule4)

With this setup, users in the 10.0.0.0/8 range will ALWAYS receive Rule4 as a profile since the Subgroup takes precedence over the Master IPGroup. So the Master IPGroup's profile (Rule1) will never be applied.
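
The precedence rule and the shadowing case above can be checked offline before a configuration is applied. The following is an added example, not Trustwave code or part of the R3000 product: the dictionary layout and the function names `resolve_profile` and `audit` are hypothetical, and it assumes IPv4 ranges and first-match order among multiple subgroups.

```python
import ipaddress

# Constructed configs mirroring the article's two setups (IPv4 only).
GOOD = {"name": "TestMaster", "members": ["10.0.0.0/8"], "profile": "Rule1",
        "subgroups": [{"name": "TestSub", "members": ["10.1.0.0/16"],
                       "profile": "Rule4"}]}
SHADOWED = {"name": "TestMaster", "members": ["10.0.0.0/8"], "profile": "Rule1",
            "subgroups": [{"name": "TestSub", "members": ["10.0.0.0/8"],
                           "profile": "Rule4"}]}

def _nets(members):
    return [ipaddress.ip_network(m) for m in members]

def resolve_profile(master, ip):
    """Return (group, profile) applied to ip, or None if ip is outside the master."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in n for n in _nets(master["members"])):
        return None
    # Subgroups take precedence over the master; first match wins (assumption).
    for sub in master["subgroups"]:
        if any(addr in n for n in _nets(sub["members"])):
            return sub["name"], sub["profile"]
    return master["name"], master["profile"]

def audit(master):
    """List subgroup ranges outside the master and full shadowing of the master."""
    findings = []
    master_nets = list(ipaddress.collapse_addresses(_nets(master["members"])))
    covered = []
    for sub in master["subgroups"]:
        for n in _nets(sub["members"]):
            if not any(n.subnet_of(m) for m in master_nets):
                findings.append(f"{sub['name']}: {n} is not a subset of the master range")
            covered.append(n)
    covered = list(ipaddress.collapse_addresses(covered))
    if all(any(m.subnet_of(c) for c in covered) for m in master_nets):
        findings.append(f"{master['name']}: subgroups cover every member range, "
                        f"so profile {master['profile']} is never applied")
    return findings

if __name__ == "__main__":
    for cfg in (GOOD, SHADOWED):
        print(resolve_profile(cfg, "10.2.0.1"), audit(cfg))
```

The shadowing check also catches several smaller subgroups that together cover the whole master range, since their ranges are collapsed before the comparison.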


Last Modified 6/22/2009.
https://support.trustwave.com/kb/KnowledgebaseArticle12822.aspx