CSCuq64938 - Object Groups in ACL are not supported under VTY on IOS XE

pillarama
Level 1

I am also seeing this bug on ISR4451-X running 16.06.05.

The exact same IPs, when used in an object-group are ignored but work fine when referenced directly in the ACL rule.

This fails:

object-group network MGMT-NETS-NETGRP
 192.168.0.0 255.255.0.0

ip access-list extended VTY-IN-ACL
 permit ip object-group MGMT-NETS-NETGRP any

line vty 0 4
 access-class VTY-IN-ACL in vrf-also

But this works:

ip access-list extended VTY-IN-ACL
 permit ip 192.168.0.0 0.0.255.255 any

line vty 0 4
 access-class VTY-IN-ACL in vrf-also

This shows a match logged on the explicit IP rule:

object-group network MGMT-NETS-NETGRP
 192.168.0.0 255.255.0.0

ip access-list extended VTY-IN-ACL
 permit ip object-group MGMT-NETS-NETGRP any
 permit ip 192.168.0.0 0.0.255.255 any log

line vty 0 4
 access-class VTY-IN-ACL in vrf-also

*Mar 20 2019 11:59:47.978 ACDT: %SEC-6-IPACCESSLOGP: list VTY-IN-ACL permitted tcp 192.168.42.254(32974) -> 0.0.0.0(22), 1 packet

#show ip access-list VTY-IN-ACL
Extended IP access list VTY-IN-ACL
    10 permit ip object-group PRIVATE-NETS-NETGRP any
    20 permit ip 192.168.0.0 0.0.255.255 any (6 matches)
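The post above shows that, on the affected IOS XE release, an access-class ACL entry that references an object-group silently fails to match while the same prefix written explicitly works. The script below is an added example (not from the post, not Cisco code) that audits a saved running-config for exactly that condition: it finds every ACL applied with access-class under line vty, reports the entries that depend on object-groups, and emits the equivalent ACL with explicit address/wildcard entries, the form the post confirms does match. The configuration text is a constructed sample modelled on the post; the parser only understands object-group members of the form "host A.B.C.D" and "A.B.C.D MASK" and leaves range or nested group-object members to the operator.

```python
"""Audit IOS / IOS-XE configs for VTY access-class ACLs that rely on object-groups.

Constructed example; SAMPLE_CONFIG is a made-up config modelled on the post.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
object-group network MGMT-NETS-NETGRP
 192.168.0.0 255.255.0.0
 host 10.1.1.5
!
ip access-list extended VTY-IN-ACL
 permit ip object-group MGMT-NETS-NETGRP any
 permit tcp host 10.9.9.9 any eq 22
!
line vty 0 4
 access-class VTY-IN-ACL in vrf-also
 transport input ssh
!
"""


def parse_object_groups(config):
    """Return {name: [ip_network, ...]} for each 'object-group network' block."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or a new top-level command ends the block
            continue
        parts = line.split()
        if parts[0] == "host":
            groups[current].append(ipaddress.ip_network(parts[1]))
        elif len(parts) == 2:  # "network netmask" member
            groups[current].append(ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False))
        # range / group-object members are not expanded here (assumption of this example)
    return groups


def parse_acls(config):
    """Return {name: [entry, ...]} for named extended/standard ACLs, sequence numbers stripped."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list (?:extended|standard) (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if current is not None and line.startswith(" "):
            acls[current].append(re.sub(r"^\d+ ", "", line.strip()))
        else:
            current = None
    return acls


def vty_access_class_acls(config):
    """Names of ACLs applied with 'access-class' inside 'line vty' blocks."""
    names, in_vty = [], False
    for line in config.splitlines():
        if line.startswith("line vty"):
            in_vty = True
            continue
        if not line.startswith(" "):
            in_vty = False
            continue
        m = re.match(r"\s+access-class (\S+) (?:in|out)", line)
        if in_vty and m and m.group(1) not in names:
            names.append(m.group(1))
    return names


def expand_entry(tokens, groups):
    """Replace every 'object-group NAME' in an ACE with explicit host / wildcard forms.

    Returns a list of ACE strings (one per group member, cross-product if several groups).
    """
    for i, tok in enumerate(tokens):
        if tok == "object-group" and i + 1 < len(tokens):
            name = tokens[i + 1]
            if name not in groups:
                raise KeyError(f"object-group {name} referenced but not defined")
            out = []
            for net in groups[name]:
                if net.num_addresses == 1:
                    repl = ["host", str(net.network_address)]
                else:  # IOS ACLs take a wildcard mask, i.e. the inverted netmask
                    repl = [str(net.network_address), str(net.hostmask)]
                out.extend(expand_entry(tokens[:i] + repl + tokens[i + 2:], groups))
            return out
    return [" ".join(tokens)]


def audit(config):
    """List VTY access-class ACLs that use object-groups, with an explicit-entry equivalent."""
    groups, acls = parse_object_groups(config), parse_acls(config)
    findings = []
    for name in vty_access_class_acls(config):
        entries = acls.get(name, [])
        og_entries = [e for e in entries if "object-group" in e.split()]
        if not og_entries:
            continue
        expanded = []
        for e in entries:
            expanded.extend(expand_entry(e.split(), groups))
        findings.append({"acl": name, "object_group_entries": og_entries, "expanded": expanded})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"ACL {f['acl']} is applied to vty and uses object-groups in:")
        for e in f["object_group_entries"]:
            print("  ", e)
        print("Equivalent explicit ACL:")
        print(f"ip access-list extended {f['acl']}")
        for e in f["expanded"]:
            print(" ", e)
```

Run it against a `show running-config` capture instead of the sample to find vty ACLs that would be affected on a release carrying this bug; the expanded output is the explicit form to push as the workaround until the platform is upgraded.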
