topic You can mix, I thought you in Routing and SD-WAN

Add object-group in existing ACL

epeeler — Tue, 05 Mar 2019 16:58:57 GMT

I have an existing ACL that is not built using object groups but would like to create a network object group with a list of networks and add it to this ACL.

Will this work or do I need to completely rebuild the ACL using groups for all services and hosts/networks?

Thanks!

If existing acl is not using

cofee — Wed, 09 Aug 2017 12:59:58 GMT

If existing acl is not using any object-group or objects then I don't think it's possible. But you can create a new ACL using object groups for the target nodes and services and place it on top of the existing ACL using line/sequence numbers. Once you verify that new ACL is being used by looking at hit counters and old ACL is not getting any hit counters ( just to be on the safe side) you can remove the old ACL.

So you can't mix regular

epeeler — Wed, 09 Aug 2017 13:07:08 GMT

So you can't mix regular statements and group statements in a single ACL? Looking at the documentation, there doesn't seem to be any difference in the way the ACL is created. It's just a regular extended ACL.

Does something about it change once a group object has been added into it so that standard statements no longer work or vice versa?

I believe as long as your

GRANT3779 — Wed, 09 Aug 2017 13:10:13 GMT

I believe as long as your current access list is an extended one you can add entries to it using object groups if you wish. As long as your IOS supports object-groups I don't think it is any different from adding another "non object group" line to the ACL.

I believe this is what you are asking..

Thanks Grant and yes that is

epeeler — Wed, 09 Aug 2017 13:13:41 GMT

Thanks Grant and yes that is my question. I've been asked to give access to a large list of networks and rather than adding 30 lines to my ACL, I'm hoping I can just create a group with these networks in it and add it to the existing extended ACL so that I can do the same thing with one new line.

I have just tested on a 2911

GRANT3779 — Wed, 09 Aug 2017 13:14:51 GMT

I have just tested on a 2911 running IOS 15.1. Seems it can be done if this is what you are referring to. I think the only caveat here is it will need to be an extended ACL.

ip access-list extended NAT-TO-PLATFORMS
permit ip any 172.17.250.32 0.0.0.31
permit ip any 172.17.254.32 0.0.0.31
permit ip any 172.17.34.32 0.0.0.31
permit ip any 172.17.36.32 0.0.0.31
permit ip any 172.17.246.32 0.0.0.31
permit ip any 172.17.39.208 0.0.0.7
permit ip any 172.17.40.0 0.0.0.15
permit ip any 10.96.129.96 0.0.0.31
permit tcp object-group TEST any

You can mix, I thought you

cofee — Wed, 09 Aug 2017 14:16:20 GMT

You can mix, I thought you wanted to replace an existing ACE with object-group. Sorry for the confusion.