01-23-2017 01:07 PM - edited 03-11-2019 12:23 AM
Is it possible to use object groups within an ISE DACL? Would make DACLs much easier to manage if I didn't have to touch each one anytime a common server IP changes. Looking to get away from SGTs/SGAs due to external requirements.
For example: permit tcp <Web_Servers> eq http.... and so on - instead of creating a line for each individual IP address that would fall into the Web Servers group?
Currently on v1.3 but moving to 2.1 very soon.
01-23-2017 02:45 PM
I thought this was not possible in the past, but I took a look at my ISE 2.1 to check. I was able to create a DACL such as "permit tcp any addrgroup myobject". I have not been able to verify it as I have never used this in the past. Also, be wary of the limit of ACEs the DACL can hold (64). If more than that is required, SGACLs are the way to go.
11-27-2017 11:55 PM
Hello!
Still looking for an answer to that. Can anyone explain how to use object-groups in a DACL?