
Cisco ISE DACLs and object groups

Jeremy Zaruba
Beginner

Is it possible to use object groups within an ISE DACL? Would make DACLs much easier to manage if I didn't have to touch each one anytime a common server IP changes. Looking to get away from SGTs/SGAs due to external requirements.

For example: permit tcp <Web_Servers> eq http.... and so on - instead of creating a line for each individual IP address that would fall into the Web Servers group?

Currently on v1.3 but moving to 2.1 very soon.

2 REPLIES

Rahul Govindan
Advocate

I thought this was not possible in the past, but I took a look at my ISE 2.1 to check. I was able to create a DACL such as "permit tcp any addrgroup myobject". I have not been able to verify it as I have never used this in the past. Also, be wary of the limit of ACEs the DACL can hold (64). If more than that is required, SGACLs are the way to go.

Hello!

Still looking for an answer to that. Can anyone explain how to use object-groups in DACL?
