03-15-2021 02:24 AM
Hey all,
Is it possible to push dACLs containing object groups to the switch? Do I need to configure the object groups locally on the switch or can it be pushed too?
My main goal is to minimize the amount of ACEs, in order to do so I want to group a few services into an object group and then apply the ACL on it.
Thanks in advance.
03-15-2021 02:51 AM
Hello @orp,
Good question!! I have never found any Cisco document with any information regarding this, but I have very poor experience with these object-groups on switches and routers. While checking I have found that on ISE 2.1 and later, you can create a DACL with an object-group such as "permit tcp any addrgroup myobject", and you need to create these object groups locally on the switches.
I would like to recommend using them in a test environment first, as they never get tested.
***Please mark all helpful posts***
03-15-2021 03:11 AM
Thanks for the answer! Seems like checking it on a test environment will be necessary indeed.
Just to make sure: in case I apply a dACL like this, "permit tcp any addrgroup myobject", and "myobject" contains 3 different hosts, it will count as 1 ACE towards the 64 ACE limit, right?
03-15-2021 03:23 AM
Yes, that is true.
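Putting the two answers above side by side, as an added illustration that is not from the thread: the object-group lives on the switch, the dACL in ISE references it with the syntax quoted in the reply, and the three-ACE version it replaces is shown for comparison. The addresses are constructed, the object-group commands assume IOS/IOS-XE, and nothing here has been verified on a particular platform, which is exactly why the reply recommends a test environment.

```cisco
! On the switch: define the group locally (ISE does not push this part)
object-group network myobject
 host 192.0.2.10
 host 192.0.2.11
 host 192.0.2.12
!
! dACL content entered in ISE (syntax as quoted in the reply above):
! a single ACE referencing the group, counted once against the ACE limit
permit tcp any addrgroup myobject
!
! Equivalent dACL without object groups: three ACEs for the same hosts
permit tcp any host 192.0.2.10
permit tcp any host 192.0.2.11
permit tcp any host 192.0.2.12
!
! Before testing, confirm the group exists on the switch the dACL lands on
show object-group myobject
```

If the group is missing on a switch, the downloaded ACL that references it cannot resolve, so keep the object-group definition consistent across every access switch that receives the dACL.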
03-15-2021 04:08 AM - edited 03-15-2021 04:09 AM
Hi @orp ,
please take a look: CSCvj94873 Add possibility to use object groups in DACL on ISE ...
Last Modified: Mar 10, 2020
Status: Open
Severity: 6 Enhancement
Symptom: Currently ISE allows to create the DACL only in the format supported by switches (i.e. the source should be 'any', object groups are not allowed, etc.).
Hope this helps!!!
03-15-2021 02:32 PM
Please read the ISE Secure Wired Access Prescriptive Deployment Guide which does a good job of documenting switch configuration including pushing dACLs.