Pushing object groups dACLs through ISE

orp
Level 1

Hey all,

 

Is it possible to push dACLs containing object groups to the switch? Do I need to configure the object groups locally on the switch, or can they be pushed too?

My main goal is to minimize the number of ACEs. To do so, I want to group a few services into an object group and then apply the ACL to it.

 

Thanks in advance.

Accepted Solution

Hello @orp,

Good question!! I have never found any Cisco document with information regarding this, but I have very poor experience with these object-groups on switches and routers. While checking, I have found that on ISE 2.1 and later you can create a DACL with an object-group, such as "permit tcp any addrgroup myobject", and you need to create these object groups locally on the switches.

I would like to recommend using them in a test environment first, as they never get tested.

***Please mark all helpful posts***

Spooster IT Services Team

6 Replies


Thanks for the answer! Seems like checking it on a test environment will be necessary indeed.

Just to make sure: in case I apply a dACL like "permit tcp any addrgroup myobject" and "myobject" contains 3 different hosts, it will count as 1 ACE toward the 64-ACE limit, right?

Yes, that is true.

Spooster IT Services Team

Hi @orp,

Please take a look: CSCvj94873 Add possibility to use object groups in DACL on ISE ...

Last Modified: Mar 10,2020
Status: Open
Severity: 6 Enhancement
Symptom: Currently ISE allows creating the DACL only in the format supported by switches (i.e. the source should be 'any', object groups are not allowed, etc.).

 

Hope this helps !!!

richard bedwell
Level 1

I am finding through my research, and to much disappointment, that the device has to support the addrgroup version of object-groups. What I mean by this is: look at how the object-groups are displayed after creating them on the switch, or rather, look at how you would implement an ACL using object-groups on the switch. For example, on the 68xx I'm using the addrgroup pushed down from ISE and it's working, but when I try to create an object-group ACL on that same device, it doesn't use the traditional

permit ip any object-group TEST_LIMIT_GROUP log-input

but rather 

permit ip any addrgroup TEST_LIMIT_GROUP log-input

On all my other devices I'm having issues using the dACL with the object-groups, because those devices require the object-group statement, not the addrgroup statement. I'm continuing to validate, but that's what I've found so far...
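As an added illustration of the split described in the accepted answer and in richard bedwell's post (not configuration from either poster): the object-group is defined locally on the switch, and the dACL stored in ISE only references it by name. The three host addresses are constructed, and the `object-group network` definition syntax is assumed to be the IOS-XE form; as the thread notes, whether the ACE keyword is addrgroup or object-group depends on the platform.

```cisco
! Switch side, configured locally. ISE does not push object-groups.
! Assumed IOS-XE "object-group network" syntax; constructed addresses.
object-group network myobject
 host 192.0.2.10
 host 192.0.2.11
 host 192.0.2.12
!
! ISE side: dACL content, pushed to the session at authorization.
! The single ACE below covers all three hosts, so per the reply above it
! counts once toward the 64-ACE limit. The addrgroup keyword is the form
! the 68xx accepted in the thread; other platforms may expect object-group.
permit tcp any addrgroup myobject
deny ip any any
```

If the switch has no object-group named myobject, the dACL has nothing to resolve against, so check the group exists on every platform before applying the authorization profile in production.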