ACL not working in LINE VTY using an object-group.

Cesar Molina · ‎05-25-2022

Hello, I've an issue using ACL extended in line VTY with object group, I mean when I set up any ACL using as destination object group and apply this ACL in line VTY to limit some network access, it does not works because the IP destination who lives in the objet group seems that never matches with the object and to check if my ACL is setting fine I deleted the object group an use the traditional network with his mask and works fine, someone has de same issue or any workaround to suggest me?, just for be clear my device is a catalyst 9500 with 17.3.4 version firmware.

MHM Cisco World · ‎05-26-2022

can I see the access-class apply in your VTY?
if you apply access-class IN

then
I think standard not extend is work for you even if you use the Object group.

Aaron Wallace · ‎08-02-2023

Last time I checked, you cannot apply an object-group to a standard ACL, only extended.

Aaron Wallace · ‎08-02-2023

I too am experiencing this issue. I discovered it recently as I have built a lot of object-groups for my Zone Base Firewall configuration and figured I would use a couple of the object-groups so that if any of my management IP addresses change, I can just add that to the single object-group and it will be automatically applied everywhere needed plus object-groups offer ranges instead of relying only on masks for ranges. Did you ever find a reason why ACL's with object-groups in them will not work when applied to line vty?

Aaron Wallace · ‎08-02-2023

Never mind, it is a known bug in ISO-XE.

https://bst.cisco.com/bugsearch/bug/CSCuq64938