Network and Service object groups not working in extended ACL

Hello all.

 

I've been facing a strange problem with network and service object groups so I decided to post it here to get some help.

I am trying to use the network and service object groups in an extended ACL applied to a Vlan, in a Catalyst 4500 L3 Switch Software (cat4500e-ENTSERVICES-M), Version 15.2(4)E9, RELEASE SOFTWARE (fc2).

 

I create an object group with a private class C network (ex: 192.168.15.0 255.255.255.0) and then I try to use it to deny icmp packets at the top of the ACL. Configuration is:

    Network object group stop_icmp
      192.168.15.0 255.255.255.0

    Extended IP access list ACL-TEST-OUT

      10 deny icmp object-group stop_icmp any
      20 permit ip any any (44 estimate matches)

 

If I use the object group "stop_icmp" in the ACL, no ping (from any network) is allowed. If I use "192.168.15.0 0.0.0.255" instead of "object-group stop_icmp", the ACL works as expected (it only stops pings from the 192.168.15.0/24 network).

 

I've also tried the service object group. I've created a service group to stop ssh and http.

    Service object group stop_services
       tcp eq 22
       tcp eq 80

    Extended IP access list ACL-TEST-OUT

      10 deny object-group stop_services any any
      20 permit ip any any (62 estimate matches)

 

The deny rule simply doesn't work. SSH and HTTP pass just fine. If I replace "deny object-group stop_services any any" with "deny tcp any any eq 22" and "deny tcp any any eq 80", the two protocols are denied.

 

Is there no support for network and service object groups in this equipment or IOS release?

 

Regards,

Jose


This is a strange one. Under object-group config, if you use ? after the subnet, does it say netmask or wildcard?

I am using a 4500 and I know it uses a netmask, but I want to confirm it in your case.


In my case it is a network mask, as I posted above in the "Network object group stop_icmp" output.

 

    switch(config-network-group)#192.168.15.0 ?
    /nn or A.B.C.D Network mask
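The original poster found that flat ACEs written with wildcards behave as intended where the object-group form did not, and the reply turns on whether a network object-group member takes a network mask or a wildcard. As an added example, not code from this thread or from Cisco, the Python below expands an extended ACL that references network and service object-groups into the equivalent flat ACEs (inverting each member's network mask into the wildcard a flat ACE expects, and fanning a service group out into one ACE per member), then evaluates sample packets against both forms with first-match semantics to confirm they are equivalent. Assumptions: the sample groups and ACL are constructed from the post; a port in a service-group member given without the `source` keyword is treated as a destination port; only contiguous wildcards are handled; only `eq` port matches are evaluated.

```python
"""Expand an IOS extended ACL that uses object-groups into flat ACEs, then
evaluate sample packets against both forms. Constructed example, not code from
the thread or from Cisco; IOS syntax assumed as shown in the post."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample config, mirroring the poster's groups and ACL.
# Network object-group members carry a *network mask*; flat ACEs carry a *wildcard*.
NETWORK_GROUPS = {"stop_icmp": ["192.168.15.0 255.255.255.0"]}
# Assumption: a port with no "source" keyword is a destination port.
SERVICE_GROUPS = {"stop_services": ["tcp eq 22", "tcp eq 80"]}
ACL = [
    "10 deny icmp object-group stop_icmp any",
    "20 deny object-group stop_services any any",
    "30 permit ip any any",
]
PORT_OPS = ("eq", "gt", "lt", "neq")


@dataclass
class Ace:
    action: str
    proto: str
    src: str                    # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    dport: Optional[str] = None  # e.g. "eq 22"

    def render(self) -> str:
        port = f" {self.dport}" if self.dport else ""
        return f"{self.action} {self.proto} {self.src} {self.dst}{port}"


def mask_to_wildcard(mask: str) -> str:
    """Invert a dotted mask; the same inversion maps a wildcard back to a mask."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))


def _addresses(tokens: list[str], i: int) -> tuple[list[str], int]:
    """Consume one address spec at tokens[i]; return flat specs and the next index."""
    t = tokens[i]
    if t == "any":
        return ["any"], i + 1
    if t == "host":
        return [f"host {tokens[i + 1]}"], i + 2
    if t == "object-group":
        specs = []
        for member in NETWORK_GROUPS[tokens[i + 1]]:
            parts = member.split()
            if parts[0] == "host":
                specs.append(f"host {parts[1]}")
            else:  # "network mask" in the group -> "network wildcard" in the ACE
                specs.append(f"{parts[0]} {mask_to_wildcard(parts[1])}")
        return specs, i + 2
    return [f"{t} {tokens[i + 1]}"], i + 2  # already "network wildcard"


def _port(tokens: list[str], i: int) -> tuple[Optional[str], int]:
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    return None, i


def expand_ace(ace: str) -> list[Ace]:
    """One numbered ACE -> flat ACEs with every object-group member expanded."""
    tokens = ace.split()
    action, i = tokens[1], 2
    if tokens[i] == "object-group":  # service group in the protocol position
        services = [m.split() for m in SERVICE_GROUPS[tokens[i + 1]]]
        i += 2
    else:
        services = [[tokens[i]]]
        i += 1
    srcs, i = _addresses(tokens, i)
    _sport, i = _port(tokens, i)  # source ports are parsed but not evaluated here
    dsts, i = _addresses(tokens, i)
    dport, i = _port(tokens, i)
    out = []
    for svc in services:
        svc_port = " ".join(svc[1:]) if len(svc) > 1 else dport
        out.extend(Ace(action, svc[0], s, d, svc_port) for s in srcs for d in dsts)
    return out


def expand_acl(acl: list[str]) -> list[str]:
    """Flatten the whole ACL and renumber it in steps of 10, ready to paste in."""
    flat = [a for line in acl for a in expand_ace(line)]
    return [f"{(n + 1) * 10} {a.render()}" for n, a in enumerate(flat)]


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    kind, value = spec.split()
    if kind == "host":
        return ip == value
    # Contiguous wildcards only; a non-contiguous wildcard needs a bitwise check.
    net = ipaddress.ip_network(f"{kind}/{mask_to_wildcard(value)}", strict=False)
    return ipaddress.ip_address(ip) in net


def evaluate(acl: list[str], proto: str, src: str, dst: str, dport: int = 0) -> str:
    """First-match evaluation, with the implicit deny at the end of the list."""
    for ace in (a for line in acl for a in expand_ace(line)):
        if ace.proto not in (proto, "ip"):
            continue
        if not (_addr_match(ace.src, src) and _addr_match(ace.dst, dst)):
            continue
        if ace.dport and ace.dport != f"eq {dport}":
            continue
        return ace.action
    return "deny"


if __name__ == "__main__":
    for line in expand_acl(ACL):
        print(line)
```

Running the block prints the flattened list (`deny icmp 192.168.15.0 0.0.0.255 any`, one `deny tcp any any eq N` per service member, then `permit ip any any`), which is the same set of lines the poster found to work when typed by hand; `evaluate` returns the same verdict for a given packet whether it is fed the object-group ACL or its expansion, so the two can be diffed on paper before deciding which form to deploy.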

 
