Cisco ISE DACLs and object groups

Jeremy Zaruba
Level 1

Is it possible to use object groups within an ISE DACL? Would make DACLs much easier to manage if I didn't have to touch each one anytime a common server IP changes. Looking to get away from SGTs/SGAs due to external requirements.

For example: permit tcp <Web_Servers> eq http.... and so on - instead of creating a line for each individual IP address that would fall into the Web Servers group?

Currently on v1.3 but moving to 2.1 very soon.

2 Replies

Rahul Govindan
VIP Alumni

I thought this was not possible in the past, but I took a look at my ISE 2.1 to check. I was able to create a DACL such as "permit tcp any addrgroup myobject". I have not been able to verify it as I have never used this in the past. Also, be wary of the limit of ACEs the DACL can hold (64). If more than that is required, SGACLs are the way to go.

Hello!

Still looking for an answer to that. Can anyone explain how to use object-groups in a DACL?