Create IOS-XE access-list extd Network & Service Object-groups

Eric R. Jones (Level 4)

Hello all, I want to clean up my ACLs by using object-groups. I've been trying to create one on our core 9404R and 9407R switches running IOS-XE 17.6.X.

So far I keep getting errors when reaching various parts of the configuration. I've done some research and, using nested objects, I've come up with this. The idea is to have the SMTP server talk to our switches, VM servers and printers using port 25 in a bidirectional setup. I've got it working in the old-school manner for testing, so I know the path is working properly.

config t
Network object group smtp_appliances
host <IPAddress/subnet network devices>
host <IPAddress/subnet VMserver devices>
 
Network object group smtp_server
host <IPAddress of smtp server>
group-object  smtp_appliances
 
Service object group hp_jet_tcp_ports
 tcp eq smtp
 
Service object group lex_util_tcp_ports
 tcp eq smtp
 
Service object group lex_util_udp_ports
 udp eq 25
 
ip access-list extended Printer_vlanOUT
22 permit object-group smtp_server object-group hp_jet_tcp_ports 
23 permit object-group smtp_server object-group lex_util_tcp_ports 
24 permit object-group smtp_server object-group lex_util_udp_ports 
exit
5 Replies

Is this issue solved?

Eric R. Jones (Level 4)

Unfortunately no. I have looked around for examples of object-groups within ACLs but haven't had any luck getting it to work.

The command is a little incorrect. It should be

 object-group service / object-group network

This is how we add objects in IOS XE.

Try this.

MHM

Eric R. Jones (Level 4)

Example:

Network object group smtp_server
host <IP Address>

Service object group hp_jet_tcp_ports
tcp eq smtp

<line number> permit <protocol> object-group <service-object-group name> object-group <network-object-group name> log

11 permit tcp object-group hp_jet_tcp_ports object-group smtp_server 

object-group network smtp_server
 host <IP Address>

object-group service hp_jet_tcp_ports
 tcp eq smtp

ip access-list extended Printer_vlanOUT
 11 permit object-group hp_jet_tcp_ports object-group smtp_server any

(The last object-group is the destination; if you want, you can use any instead of a network object-group.)
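Putting the corrected keyword order together for the scenario in the original post (SMTP server talking to switches, VM hosts and printers on TCP/25 in both directions), as an added example that is not code from this thread or from Cisco. The addresses come from the RFC 5737 documentation ranges, and the group names, the VLAN number and the direction the ACL is applied are assumptions to be replaced with your own.

```cisco
! Added example (not from the original thread): object-group based SMTP ACL for IOS-XE 17.x.
! Addresses are RFC 5737 documentation placeholders; substitute your own.
!
! --- Network object-groups ---
! A subnet entry takes a subnet mask (255.x), not the wildcard mask an ACE uses.
object-group network smtp_appliances
 description switches and VM hosts that send mail through the SMTP server
 host 192.0.2.10
 host 192.0.2.11
 198.51.100.0 255.255.255.0
!
object-group network smtp_printers
 description printer VLAN (assumed 203.0.113.0/24)
 203.0.113.0 255.255.255.0
!
object-group network smtp_clients
 description everything allowed to talk to the SMTP server, built from nested groups
 group-object smtp_appliances
 group-object smtp_printers
!
object-group network smtp_server
 host 192.0.2.25
!
! --- Service object-groups ---
! SMTP is TCP only, so a "udp eq 25" entry matches no real mail traffic and only widens the ACL.
! "tcp eq smtp" matches DESTINATION port 25, i.e. client -> server.
object-group service smtp_to_server
 tcp eq smtp
! "tcp source eq 25" matches SOURCE port 25, i.e. the server's replies to the clients,
! which is what the return direction of a stateless ACL needs.
object-group service smtp_from_server
 tcp source eq 25
!
! --- ACL: service group first, then source network group, then destination network group ---
ip access-list extended Printer_vlanOUT
 10 permit object-group smtp_to_server object-group smtp_clients object-group smtp_server
 20 permit object-group smtp_from_server object-group smtp_server object-group smtp_clients
 30 deny ip any any log
!
! Apply on the printer SVI (VLAN number and direction are assumptions).
interface Vlan20
 description printer VLAN
 ip access-group Printer_vlanOUT in
!
! Verification:
!   show object-group
!   show ip access-lists Printer_vlanOUT
```

Three points worth checking after pasting this in: `show object-group` should list every nested member resolved under `smtp_clients`, and `show ip access-lists Printer_vlanOUT` shows the ACEs by group name with match counters, so you can see which line traffic is actually hitting. Because the ACL is stateless, the reply direction only works where the ACL sees the server's packets; an ACL applied `in` on the printer SVI only evaluates printer-to-server traffic, so a second application (or the matching entry on whichever interface carries the server's replies) is needed for true bidirectional filtering. Finally, the `lex_util_udp_ports` group from the original config can be dropped: SMTP never uses UDP/25, and keeping the entry just adds a permit that nothing legitimate needs.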
