05-25-2022 07:03 PM
Hello, I have an issue using an extended ACL on line VTY with an object group. When I set up any ACL using an object group as the destination and apply this ACL to line VTY to limit some network access, it does not work, because the destination IP that lives in the object group never seems to match the object. To check whether my ACL was set up correctly, I deleted the object group and used the traditional network with its mask, and that works fine. Does anyone have the same issue or any workaround to suggest? Just to be clear, my device is a Catalyst 9500 with firmware version 17.3.4.
05-26-2022 02:06 AM - edited 05-26-2022 02:06 AM
Can I see the access-class applied in your VTY?
If you apply access-class IN, then I think a standard ACL, not an extended one, will work for you even if you use the object group.
08-02-2023 06:06 AM
Last time I checked, you cannot apply an object-group to a standard ACL, only extended.
08-02-2023 06:12 AM - edited 08-02-2023 08:37 AM
I too am experiencing this issue. I discovered it recently, as I have built a lot of object-groups for my Zone Base Firewall configuration and figured I would use a couple of the object-groups so that if any of my management IP addresses change, I can just add that to the single object-group and it will be automatically applied everywhere needed. Plus, object-groups offer ranges instead of relying only on masks for ranges. Did you ever find a reason why ACLs with object-groups in them will not work when applied to line vty?
08-02-2023 08:44 AM
Never mind, it is a known bug in IOS-XE.
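The workaround from the first post (replacing the object group with plain network and mask entries) can be generated rather than typed by hand. The following is an added example, not code from any poster in this thread: it expands `object-group` references in extended ACEs into explicit host and wildcard-mask entries, including ranges. The group name, ACL name and addresses are constructed, and it assumes only network object groups with `host`, network/mask and `range` members.

```python
import ipaddress

# Constructed sample configuration (names and addresses are hypothetical).
SAMPLE = """\
object-group network MGMT-HOSTS
 host 192.0.2.10
 198.51.100.0 255.255.255.0
 range 203.0.113.4 203.0.113.9
ip access-list extended VTY-IN
 permit tcp object-group MGMT-HOSTS any eq 22
 deny ip any any log
"""

def _spec(net):
    """Render a network as an ACE address: 'host x' or 'net wildcard'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def parse_groups(config):
    """Map each network object-group name to its members as ACE address specs."""
    groups, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif not line.startswith(" "):
            current = None          # any other top-level command ends the group
        elif current is None:
            continue                # indented line outside an object-group
        elif tok[0] == "host":
            current.append(f"host {tok[1]}")
        elif tok[0] == "range":
            # A range has no single mask; split it into the covering CIDR blocks.
            lo, hi = map(ipaddress.ip_address, tok[1:3])
            current += [_spec(n) for n in ipaddress.summarize_address_range(lo, hi)]
        elif len(tok) == 2:
            # Object groups use subnet masks; ACEs need the wildcard (host) mask.
            current.append(_spec(ipaddress.ip_network(f"{tok[0]}/{tok[1]}")))
    return groups

def expand_ace(ace, groups):
    """Return one explicit ACE per member of the referenced object-group(s)."""
    lines = [[]]
    it = iter(ace.split())
    for t in it:
        choices = groups[next(it)] if t == "object-group" else [t]
        lines = [prefix + [c] for prefix in lines for c in choices]
    return [" ".join(parts) for parts in lines]
```

The expanded entries lose the single point of maintenance the object group provided, so the generator has to be re-run whenever the management address list changes.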