inverse object-group concept

ttpm12345
Level 1

Does Cisco have a way to write an ACL to block the opposite of an object-group?

For example, I want to write an ACL allowing all traffic other than to object-group Corp_Net...

thanks,

ttpm

2 Replies

Jouni Forss
VIP Alumni

Hi,

Well, usually you build the required ACL from a combination of "permit" and "deny" statements. To my understanding there is no other way to use an "object-group" than as the source or destination of a permit or deny statement. The contents under the "object-group" will be used, nothing else.

I am not sure what the exact requirement in the above is, but I would imagine it would be something like this:

access-list ACL remark Deny all traffic to Corp_NET
access-list ACL deny ip any object-group Corp_NET
access-list ACL remark Allow all other traffic
access-list ACL permit ip any any

Naturally the above would be a pretty simple example of a situation where you want to block traffic from behind some interface to a corporate network and then allow all other traffic.

- Jouni

I was also wanting to find a way to invert (or not) an object-group. My use case is to deny access to the internet. It would be difficult to put an object group together that has all public IP space. It would be easier to make a group that has all private IP space, and permit everything that doesn't match.
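To make the "deny the group, then permit any" pattern from the first reply and the private-address use case from the second reply concrete, here is an added example (my own illustrative Python, not Cisco code or anything from this thread) that models first-match ACL evaluation with the implicit deny at the end. The object-group contents, ACL names and sample addresses are constructed; it also shows the complementary form, permitting only the group and letting the implicit deny handle everything else.

```python
# Minimal model of Cisco-style first-match ACL evaluation, written to show
# how "deny <object-group> / permit any" yields the inverse of a group.
# Illustrative code only; object-group contents below are constructed.
from ipaddress import ip_address, ip_network


def in_group(addr, group):
    """True if addr falls inside any network of the object-group (list of CIDRs)."""
    ip = ip_address(addr)
    return any(ip in ip_network(net) for net in group)


def evaluate(acl, groups, src, dst):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, src_grp, dst_grp in acl:
        src_ok = src_grp == "any" or in_group(src, groups[src_grp])
        dst_ok = dst_grp == "any" or in_group(dst, groups[dst_grp])
        if src_ok and dst_ok:
            return action
    return "deny"  # implicit deny: nothing matched


# Constructed object-group contents (sample ranges, not a real corporate network).
GROUPS = {
    "Corp_NET": ["10.0.0.0/8", "192.168.100.0/24"],
    "PRIVATE": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

# Pattern from the first reply: deny to the group, then permit everything else.
ACL_NOT_CORP = [
    ("deny", "any", "Corp_NET"),
    ("permit", "any", "any"),
]

# Second reply's case: permit only private destinations; the implicit deny
# then blocks the internet without enumerating all public address space.
ACL_NO_INTERNET = [
    ("permit", "any", "PRIVATE"),
]


def decide_not_corp(dst, src="198.51.100.7"):
    return evaluate(ACL_NOT_CORP, GROUPS, src, dst)


def decide_no_internet(dst, src="192.168.1.20"):
    return evaluate(ACL_NO_INTERNET, GROUPS, src, dst)


if __name__ == "__main__":
    for dst in ("10.1.2.3", "192.168.100.9", "203.0.113.5"):
        print(f"to {dst}: not-corp={decide_not_corp(dst)} no-internet={decide_no_internet(dst)}")
```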
