03-15-2021 02:24 AM
Hey all,
Is it possible to push dACLs containing object groups to the switch? Do I need to configure the object groups locally on the switch or can it be pushed too?
My main goal is to minimize the amount of ACEs, in order to do so I want to group a few services into an object group and then apply the ACL on it.
Thanks in advance.
Labels: Identity Services Engine (ISE)
Accepted Solutions

03-15-2021 02:51 AM
Hello @orp,
Good question!! I have never found any Cisco document with information regarding this, but I have very poor experience with these object-groups on switches and routers. While checking, I found that on ISE 2.1 and later you can create a dACL with an object-group, such as "permit tcp any addrgroup myobject", and you need to create these object groups locally on the switches.
I would recommend using them in a test environment first, as they never get tested.
***Please mark all helpful posts***
03-15-2021 03:11 AM
Thanks for the answer! It seems that checking it in a test environment will be necessary indeed.
Just to make sure: if I apply a dACL like this, "permit tcp any addrgroup myobject", and "myobject" contains 3 different hosts, it will count as 1 ACE toward the 64-ACE limit, right?
03-15-2021 03:23 AM
Yes, that is true.
03-15-2021 04:08 AM - edited 03-15-2021 04:09 AM
Hi @orp,
please take a look: CSCvj94873 Add possibility to use object groups in DACL on ISE ...
Last Modified: Mar 10,2020
Status: Open
Severity: 6 Enhancement
Symptom: Currently ISE allows to create the DACL only in the format supported by switches (i.e. the source should be 'any', object groups are not allowed, etc.).
Hope this helps!!!
03-15-2021 02:32 PM
Please read the ISE Secure Wired Access Prescriptive Deployment Guide which does a good job of documenting switch configuration including pushing dACLs.
- Pre-Authentication and Post-Authentication Access Control with Low Impact
- Switch Configuration for Low Impact Mode
- Downloadable ACL Authorization
- Validating ACL Authorization/Low-Impact Mode
06-16-2025 02:26 PM
I am finding through my research, and to much disappointment, that the device has to support the addrgroup version of object-groups. What I mean by this is: look at how the object-groups are displayed after creating them in the switch, or rather, look at how you would implement an ACL using object-groups on the switch. For example, on the 68xx I'm using the addrgroup pushed down from ISE and it's working, but when I try to create an object-group ACL on that same device, it doesn't use the traditional
permit ip any object-group TEST_LIMIT_GROUP log-input
but rather
permit ip any addrgroup TEST_LIMIT_GROUP log-input
On all my other devices I'm having issues using the dACL with the object-groups, because those devices require the object-group statement, not the addrgroup statement. I'm continuing to validate, but that's what I've found so far...
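A small pre-push check for a dACL of the kind discussed in this thread, added here as an example (it is not code from any poster, from ISE, or from Cisco): it counts the ACEs against the 64-ACE limit mentioned above, lists the object-groups the ACEs reference (which, per the accepted answer, must be created locally on the switch), accepts both the "addrgroup" and "object-group" spellings from the last post, and emits the local "object-group network" stanza. The sample dACL, the group name "myobject" and its host addresses are constructed, and "remark" lines are assumed not to count as ACEs.

```python
import re

ACE_LIMIT = 64  # per-dACL ACE limit discussed in the thread

# An ACE may reference a network object-group with either keyword: the 68xx in
# the thread renders "addrgroup", while other platforms expect "object-group".
GROUP_REF = re.compile(r"\b(?:addrgroup|object-group)\s+(\S+)")

def parse_dacl(text):
    """Return the ACEs of a dACL: non-empty lines that are not '!' or remark lines."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!") or line.lower().startswith("remark"):
            continue
        aces.append(line)
    return aces

def referenced_groups(aces):
    """Names of the object-groups the ACEs refer to, in order of first use."""
    names = []
    for ace in aces:
        for name in GROUP_REF.findall(ace):
            if name not in names:
                names.append(name)
    return names

def check_dacl(text, local_groups, limit=ACE_LIMIT):
    """Return (ace_count, groups missing on the switch, count_within_limit)."""
    aces = parse_dacl(text)
    missing = [g for g in referenced_groups(aces) if g not in local_groups]
    return len(aces), missing, len(aces) <= limit

def object_group_config(name, hosts):
    """IOS 'object-group network' stanza that has to exist locally on the switch."""
    return "\n".join([f"object-group network {name}"] + [f" host {h}" for h in hosts])

# Constructed sample: the ACE from the thread plus two plain ACEs; "myobject"
# and its three host addresses are assumed values, not taken from the thread.
SAMPLE_DACL = """\
remark grouped services reachable after authentication
permit tcp any addrgroup myobject
permit udp any host 10.0.0.53 eq 53
deny ip any any
"""
LOCAL_GROUPS = {"myobject": ["10.0.0.10", "10.0.0.11", "10.0.0.12"]}

if __name__ == "__main__":
    print(check_dacl(SAMPLE_DACL, LOCAL_GROUPS))  # (3, [], True)
    print(object_group_config("myobject", LOCAL_GROUPS["myobject"]))
```

The group-backed ACE counts as a single ACE here, matching the answer given above; the hosts only expand on the switch inside the local object-group.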
