Network and Service object groups not working in extended ACL
11-12-2020 08:59 AM
Hello all.
I've been facing a strange problem with network and service object groups so I decided to post it here to get some help.
I am trying to use network and service object groups in an extended ACL applied to a VLAN on a Catalyst 4500 L3 switch running Catalyst 4500 L3 Switch Software (cat4500e-ENTSERVICES-M), Version 15.2(4)E9, RELEASE SOFTWARE (fc2).
I create an object group with a private class C network (e.g. 192.168.15.0 255.255.255.0) and then try to use it to deny ICMP packets at the top of the ACL. The configuration is:
Network object group stop_icmp
192.168.15.0 255.255.255.0
Extended IP access list ACL-TEST-OUT
10 deny icmp object-group stop_icmp any
20 permit ip any any (44 estimate matches)
If I use the object group "stop_icmp" in the ACL, no ping (from any network) is allowed. If I use "192.168.15.0 0.0.0.255" instead of "object-group stop_icmp", the ACL works as expected (it only stops pings from the 192.168.15.0/24 network).
I've also tried a service object group. I've created a service group to stop SSH and HTTP.
Service object group stop_services
tcp eq 22
tcp eq 80
Extended IP access list ACL-TEST-OUT
10 deny object-group stop_services any any
20 permit ip any any (62 estimate matches)
The deny rule simply doesn't work: SSH and HTTP pass just fine. If I replace "deny object-group stop_services any any" with "deny tcp any any eq 22" and "deny tcp any any eq 80", the two protocols are denied.
Is there no support for network and service object groups on this equipment or IOS release?
Regards,
Jose
11-12-2020 09:57 AM
Does it say netmask or wildcard?
I am using a 4500 and I know it uses a netmask, but I want to confirm it with your case.
**** please remember to rate useful posts
11-12-2020 10:14 AM
In my case it is a network mask, as I posted above in "Network object group stop_icmp":
switch(config-network-group)#192.168.15.0 ?
/nn or A.B.C.D Network mask
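To have something to compare the switch's behaviour against, here is an added example (not code from this thread, from Cisco, or from the original poster) that expands IOS-style object-group ACEs into the plain ACEs they should be equivalent to and then evaluates a few sample packets against the result. It covers both points raised above: the first post's expectation that an object-group ACE matches the same traffic as the plain ACE written with a wildcard, and the follow-up about network object-group members being entered with a netmask (or /nn) rather than a wildcard. The config text below is the poster's two tests merged into one ACL and retyped as running config; the sample source and destination addresses are constructed for illustration. The script models only the documented semantics; it says nothing about why the 4500 behaved differently.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed input: the original post's two tests merged into one ACL and retyped as
# running-config text. Group members take a netmask or /nn; plain ACEs take a wildcard.
CONFIG = """
object-group network stop_icmp
 192.168.15.0 255.255.255.0
object-group service stop_services
 tcp eq 22
 tcp eq 80
ip access-list extended ACL-TEST-OUT
 deny icmp object-group stop_icmp any
 deny object-group stop_services any any
 permit ip any any
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def mask_to_wildcard(mask: str) -> str:
    """Netmask ('255.255.255.0' or '/24') -> IOS wildcard ('0.0.0.255')."""
    return str(ipaddress.ip_network(f"0.0.0.0/{mask.lstrip('/')}").hostmask)

def network_from_wildcard(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    # Inverted by hand: ipaddress would read a wildcard of 0.0.0.0 as a /0 netmask, not a /32 host.
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)  # ValueError if non-contiguous

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, proto, src, dst, dport=None) -> bool:
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))

    def __str__(self) -> str:  # render as the plain ACE an operator would type
        fmt = lambda n: "any" if n == ANY else f"{n.network_address} {n.hostmask}"
        port = f" eq {self.dport}" if self.dport is not None else ""
        return f"{self.action} {self.proto} {fmt(self.src)} {fmt(self.dst)}{port}"

def parse_config(text: str):
    """Return ({network group: members}, {service group: members}, {acl: entries}), all tokenised."""
    net, svc, acls, current = {}, {}, {}, None
    for t in map(str.split, text.splitlines()):
        if t[:2] == ["object-group", "network"]:
            current = net.setdefault(t[2], [])
        elif t[:2] == ["object-group", "service"]:
            current = svc.setdefault(t[2], [])
        elif t[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(t[3], [])
        elif t and current is not None:
            current.append(t)
    return net, svc, acls

def _addr_field(t, i, net_groups):
    """Parse 'any' | 'object-group NAME' | 'A.B.C.D WILDCARD' at t[i]; return (networks, next i)."""
    if t[i] == "any":
        return [ANY], i + 1
    if t[i] == "object-group":  # members are 'A.B.C.D MASK' or 'A.B.C.D /nn', i.e. netmask form
        return [ipaddress.ip_network(f"{m[0]}/{m[1].lstrip('/')}", strict=False)
                for m in net_groups[t[i + 1]]], i + 2
    return [network_from_wildcard(t[i], t[i + 1])], i + 2

def expand_acl(entries, net_groups, svc_groups):
    """Expand every object-group ACE into the plain ACEs it should be equivalent to."""
    aces = []
    for t in entries:
        action, i = t[0], 1
        if t[i] == "object-group":  # service group: one (proto, port) per 'tcp eq 22' member
            protos, i = [(m[0], int(m[2])) for m in svc_groups[t[i + 1]]], i + 2
        else:
            protos, i = [(t[i], None)], i + 1
        srcs, i = _addr_field(t, i, net_groups)
        dsts, i = _addr_field(t, i, net_groups)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces += [Ace(action, p, s, d, gp if gp is not None else port)
                 for p, gp in protos for s in srcs for d in dsts]
    return aces

def evaluate(aces, proto, src, dst, dport=None) -> str:
    # First match wins; every IOS ACL ends with an implicit deny.
    return next((a.action for a in aces if a.matches(proto, src, dst, dport)), "deny")

def expected_results():
    """What ACL-TEST-OUT should do, for comparison against the counters the switch shows."""
    net, svc, acls = parse_config(CONFIG)
    aces = expand_acl(acls["ACL-TEST-OUT"], net, svc)
    return {
        "expanded": [str(a) for a in aces],
        "icmp from 192.168.15.7": evaluate(aces, "icmp", "192.168.15.7", "10.0.0.1"),
        "icmp from 10.1.1.1": evaluate(aces, "icmp", "10.1.1.1", "10.0.0.1"),
        "tcp/22 from 10.1.1.1": evaluate(aces, "tcp", "10.1.1.1", "10.0.0.1", 22),
        "tcp/443 from 10.1.1.1": evaluate(aces, "tcp", "10.1.1.1", "10.0.0.1", 443),
    }
```

Calling expected_results() lists the expanded ACL (deny icmp 192.168.15.0 0.0.0.255 any, deny tcp any any eq 22, deny tcp any any eq 80, permit ip any any) and the verdict for each sample packet; the useful check is to send those same test flows through the VLAN and compare the per-entry match counters in show access-lists with these verdicts. Note that mask_to_wildcard is the conversion a network object-group member needs before it can be written as a plain ACE, and that the wildcard form is inverted explicitly because a wildcard of 0.0.0.0 (a single host) looks like a /0 netmask to Python's ipaddress module.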
