10-28-2013 12:37 PM - edited 03-11-2019 07:56 PM
Does Cisco have a way to write an ACL to block the opposite of an object-group?
For example, I want to write an ACL allowing all traffic other than to object-group Corp_Net...
thanks,
ttpm
10-28-2013 02:30 PM
Hi,
Well, usually you build the required ACL from a combination of "permit" and "deny" statements. To my understanding there is no other way to use an "object-group" other than to use it as a source or destination of a permit or deny statement. The contents under the "object-group" will be used, nothing else.
I am not sure what the exact requirement in the above is but I would imagine it would be something like this
access-list ACL remark Deny all traffic to Corp_NET
access-list ACL deny ip any object-group Corp_NET
access-list ACL remark Allow all other traffic
access-list ACL permit ip any any
Naturally the above would be a pretty simple example of a situation where you want to block traffic from behind some interface to a corporate network and then allow all other traffic.
- Jouni
01-09-2017 07:55 AM
I was also wanting to find a way to invert (or not) an object-group. My use case is to deny access to the internet. It would be difficult to put an object group together that has all public IP space. It would be easier to make a group that has all private IP space, and permit everything that doesn't match.
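The following is an added illustration, not Cisco code or anything from the posters above: a small first-match ACL evaluator that shows why the "deny to object-group, then permit any any" pattern from Jouni's reply gives the "everything except the group" behaviour asked for in both posts, and why reversing the two lines silently breaks it. The object-group contents (RFC 1918 space standing in for Corp_NET / "all private IP space") and the sample addresses are constructed for the example.

```python
import ipaddress

# Constructed object-group: RFC 1918 space stands in for Corp_NET (or the
# "all private IP space" group from the 2017 post).
OBJECT_GROUPS = {
    "Corp_NET": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

# Each entry is (action, source-spec, destination-spec); a spec is "any",
# a CIDR string, or "object-group <name>". Cisco evaluates top-down,
# first match wins, and an implicit deny follows the last line.
ACL_CORRECT = [
    ("deny",   "any", "object-group Corp_NET"),   # block the group first
    ("permit", "any", "any"),                      # then allow the rest
]

# Same two lines, wrong order: the permit shadows the deny completely.
ACL_WRONG_ORDER = list(reversed(ACL_CORRECT))


def _matches(spec, ip):
    """Does the address fall inside what this source/destination spec names?"""
    if spec == "any":
        return True
    if spec.startswith("object-group "):
        name = spec.split(" ", 1)[1]
        return any(ip in ipaddress.ip_network(n) for n in OBJECT_GROUPS[name])
    return ip in ipaddress.ip_network(spec)


def evaluate(acl, src, dst):
    """Return the action of the first matching entry, or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_spec, dst_spec in acl:
        if _matches(src_spec, s) and _matches(dst_spec, d):
            return action
    return "deny"  # implicit deny at the end of every Cisco ACL


def shadowed_entries(acl):
    """Indices of entries that can never match because an earlier 'any any' wins."""
    for i, (_, src_spec, dst_spec) in enumerate(acl):
        if src_spec == "any" and dst_spec == "any":
            return list(range(i + 1, len(acl)))
    return []


if __name__ == "__main__":
    for acl_name, acl in (("correct", ACL_CORRECT), ("wrong order", ACL_WRONG_ORDER)):
        print(acl_name, "-> to Corp_NET:", evaluate(acl, "203.0.113.5", "10.1.2.3"),
              "| to Internet:", evaluate(acl, "203.0.113.5", "198.51.100.7"),
              "| shadowed:", shadowed_entries(acl))
```

`shadowed_entries` is a constructed helper, not a Cisco feature; it only flags the specific mistake of placing `permit ip any any` above the deny.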