01-23-2017 01:07 PM - edited 03-11-2019 12:23 AM
Is it possible to use object groups within an ISE DACL? Would make DACLs much easier to manage if I didn't have to touch each one anytime a common server IP changes. Looking to get away from SGTs/SGAs due to external requirements.
For example: permit tcp <Web_Servers> eq http.... and so on - instead of creating a line for each individual IP address that would fall into the Web Servers group?
Currently on v1.3 but moving to 2.1 very soon.
01-23-2017 02:45 PM
I thought this was not possible in the past, but I took a look at my ISE 2.1 to check. I was able to create a DACL such as "permit tcp any addrgroup myobject". I have not been able to verify it as I have never used this in the past. Also, be wary of the limit of ACEs the DACL can hold (64). If more than that is required, SGACLs are the way to go.
11-27-2017 11:55 PM
Hello!
Still looking for an answer to that. Can anyone explain how to use object-groups in a DACL?