topic Re: Pushing object groups dACLs through ISE in Network Access Control

Pushing object groups dACLs through ISE

orp — Mon, 15 Mar 2021 09:24:25 GMT

Hey all,

Is it possible to push dACLs containing object groups to the switch? Do I need to configure the object groups locally on the switch or can it be pushed too?

My main goal is to minimize the amount of ACEs, in order to do so I want to group a few services into an object group and then apply the ACL on it.

Thanks in advance.

Re: Pushing object groups dACLs through ISE

Spooster IT Services — Mon, 15 Mar 2021 09:51:13 GMT

Hello @orp,

Good question !! I have never found any Cisco's document having any information regarding this but I have a very poor experience with these object-groups on switch and routers. While checking I have found that on ISE 2.1 and later, you can create a DACL with object-group such as "permit tcp any addrgroup myobject" and you need to create these object groups locally on switches.

I would like to recommend using them in a test environment first as they are never get tested.

***Please mark all helpful posts***

Re: Pushing object groups dACLs through ISE

orp — Mon, 15 Mar 2021 10:11:21 GMT

Thanks for the answer! Seems like checking it on a test environment will be necessary indeed.

Just to make sure - In case I'll apply a dACL like this - "permit tcp any addrgroup myobject" and "myobject" contains 3 different hosts, it will count as 1 ACE for the 64 ACEs limit, right?

Re: Pushing object groups dACLs through ISE

Spooster IT Services — Mon, 15 Mar 2021 10:23:30 GMT

Yes, that is true.

Re: Pushing object groups dACLs through ISE

Marcelo Morais — Mon, 15 Mar 2021 11:09:11 GMT

Hi @orp ,

please take a look: CSCvj94873 Add possibility to use object groups in DACL on ISE ...

Last Modified: Mar 10,2020
Status: Open
Severity: 6 Enhancement
Symptom: Currently ISE allows to create the DACL only in the format supported by switches (i.e. the source should be 'any', object groups are not allowed, etc.).

Hope this helps !!!

Re: Pushing object groups dACLs through ISE

thomas — Mon, 15 Mar 2021 21:32:26 GMT

Please read the ISE Secure Wired Access Prescriptive Deployment Guide which does a good job of documenting switch configuration including pushing dACLs.

Re: Pushing object groups dACLs through ISE

richard bedwell — Mon, 16 Jun 2025 21:26:53 GMT

I am finding through my research and to much disappointment, that the device has to support the addrgroup version of object-groups, what I mean by this is look at the how the object-groups are displayed after creating them in the switch... or rather, look at how you would implement an ACL using object-groups on the switch... for example on the 68xx I'm using the addrgroup pushed down from ISE and it's working, but when I try to create an object-group ACL on that same device, it doesn't use the traditional

permit ip any object-group TEST_LIMIT_GROUP log-input

but rather

permit ip any addrgroup TEST_LIMIT_GROUP log-input

on all my other devices I'm having issues using the dACL with the object-groups because those devices require the object-group statement, not the addrgroup statement. I'm continuing to validate, but that's what I've found so far...