
ACL object-group 6509 VSS

Hi all,

I'm new to this support forum and almost new to the networking field.

I'm working on migrating an extended ACL to object groups, using an IP address group and an IP port group.

But I don't know how to proceed with implementing the new ACL. An example:

 

I have this

ip access-list extended from X to Y 

1890 permit tcp 10.xxx.xx.0 0.0.1.255 host 10.xxx.xxx.xxx eq 80
1900 permit tcp 10.xxx.xx.0 0.0.1.255 host 10.xxx.xxx.xxx eq 443
1910 permit tcp 10.xxx.xx.0 0.0.1.255 host 10.xxx.xxx.xxx eq 8443
1920 permit tcp 10.xxx.xx.0 0.0.1.255 host 10.xxx.xxx.xxx eq 22443
1930 permit tcp 10.xxx.xx.0 0.0.1.255 host 10.xxx.xxx.xxx eq 22443

 

I want to implement this using 

object-group ip address to Y (connection srv)
host-info 10.xxx.xxx.xxx
host-info 10.xxx.xxx.xxx
host-info 10.xxx.xxx.xxx
host-info 10.xxx.xxx.xxx
host-info 10.xxx.xxx.xxx

 

object-group ip port to Y
eq 80
eq 443
eq 8443
eq 22443

 

ACL as follows

permit tcp addrgroup 10.x.x.x 0.0.1.255 addrgroup to Y (connection srv) portgroup to Y
permit udp addrgroup 10.x.x.x 0.0.1.255 addrgroup to Y (connection srv) eq 22443

 

I want to use the same extended ACL name.

The question is: Do I have to create the object groups first, and what next? Do I have to go line by line in order to cancel the old ACL and copy in the new one?

 

Most probably it has to be performed outside working hours, but what is the best way to swap from the old ACL to the new one?

 

Thanks in advance for your help, I'm a bit confused.

 

Alex
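
An added example, not part of the original post: a pre-migration check in Python that parses ACEs in the format shown above, flags duplicate entries, and lists every host/port pair that an address-group plus port-group rule would permit although the old ACL did not (a grouped rule matches every host in the address group on every port in the port group). The sample addresses and the names `parse` and `group_check` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the post's ACE format; the addresses are made up.
OLD_ACL = """\
1890 permit tcp 10.1.2.0 0.0.1.255 host 10.9.9.1 eq 80
1900 permit tcp 10.1.2.0 0.0.1.255 host 10.9.9.1 eq 443
1910 permit tcp 10.1.2.0 0.0.1.255 host 10.9.9.2 eq 80
1920 permit tcp 10.1.2.0 0.0.1.255 host 10.9.9.2 eq 22443
1930 permit tcp 10.1.2.0 0.0.1.255 host 10.9.9.2 eq 22443
"""

ACE = re.compile(r"^\s*(\d+)?\s*permit\s+(tcp|udp)\s+(\S+)\s+(\S+)"
                 r"\s+host\s+(\S+)\s+eq\s+(\d+)\s*$")

def parse(text):
    """Return (unique entries, sequence numbers of duplicate lines)."""
    entries, dups = set(), []
    for line in filter(str.strip, text.splitlines()):
        m = ACE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE, review by hand: {line!r}")
        seq, proto, src, wildcard, dst, port = m.groups()
        ace = (proto, src, wildcard, dst, int(port))
        if ace in entries:
            dups.append(seq)
        entries.add(ace)
    return entries, dups

def group_check(entries):
    """Per (proto, src, wildcard): the host group, the port group, and the
    pairs the grouped rule would allow that the old ACL did not."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for proto, src, wildcard, dst, port in entries:
        hosts[proto, src, wildcard].add(dst)
        ports[proto, src, wildcard].add(port)
    report = {}
    for key in hosts:
        product = {key + (h, p) for h in hosts[key] for p in ports[key]}
        report[key] = {"hosts": sorted(hosts[key]), "ports": sorted(ports[key]),
                       "extra": sorted(product - entries)}
    return report

if __name__ == "__main__":
    entries, dups = parse(OLD_ACL)
    print("duplicate sequence numbers:", dups)
    for key, info in group_check(entries).items():
        print(key, info)
```

An empty `extra` list means the grouped rule permits exactly what the old entries did; a non-empty one means the groups need to be split before the swap.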

 
