
Cisco 4331 - ACL using Object Group



I’ve got two Cisco 4331s as my border routers participating in eBGP and iBGP. I’ve got an extended IP ACL configured as anti-spoofing to block incoming RFC 1918, APIPA and our own prefix.


With my syslog and NetFlow analyser we’ve noticed connections that are not supposed to come in via the border routers, so we are planning to create another ACL using object groups. We’ve got a fair idea of the trusted source and destination addresses and services.


What I’ve done so far is create multiple object groups and nest them, so that I only have three top-level object groups: Trusted_Source, Trusted_Destination and Trusted_Service.


I’ve been trying to build the ACL with these object groups in multiple ways, but it seems the router won’t accept it. I tried two object groups in the current extended IP ACL, and that works.


I just need assistance creating a one- or two-line ACL using object groups so that only trusted sources to trusted destinations for trusted services are allowed in, and the rest is dropped. We can then update the individual object groups as the need arises.


Any help will be really appreciated

3 Replies
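The following is an added worked example of the design described in the question, not configuration from the poster or from Cisco: nested network and service object groups feeding three top-level groups, a two-line permit section (BGP peering plus trusted flows), and an explicit logged deny. All names are hypothetical and all addresses come from the RFC 5737 documentation ranges (192.0.2.0/24 stands in for the upstream point-to-point link, 198.51.100.0/24 for partner networks, 203.0.113.0/24 for "our" prefix). The BGP permits cover both directions because a single `eq bgp` on the destination only matches sessions the remote peer opened; the explicit deny is the only line that logs, which keeps the CPU-punt cost of ACL logging (raised later in this thread) confined to dropped traffic.

```cisco
! Added example: hypothetical names, RFC 5737 documentation addresses.
!
! --- Nested network object groups ---
object-group network Partner_A_Hosts
 host 198.51.100.10
 host 198.51.100.11
!
object-group network Partner_B_Net
 198.51.100.128 255.255.255.128
!
! Top-level group referenced by the ACL; future changes go into the members,
! not into the ACL itself.
object-group network Trusted_Source
 group-object Partner_A_Hosts
 group-object Partner_B_Net
!
! Internal services reachable from the trusted sources (mail relay, DNS)
object-group network Trusted_Destination
 host 203.0.113.25
 host 203.0.113.53
!
! --- Nested service object groups ---
object-group service Mail_Services
 tcp eq smtp
 tcp eq 587
!
object-group service DNS_Services
 udp eq domain
 tcp eq domain
!
object-group service Trusted_Service
 group-object Mail_Services
 group-object DNS_Services
!
! --- Inbound ACL for the WAN interface ---
! Order: BGP peering first, then trusted flows, then drop and log the rest.
ip access-list extended INBOUND
 ! eBGP peer 192.0.2.1 -> local WAN 192.0.2.2. Two lines so the session
 ! is permitted whichever side initiated the TCP connection.
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 ! Object-group ACE syntax: service group, then source group, then
 ! destination group.
 permit object-group Trusted_Service object-group Trusted_Source object-group Trusted_Destination
 ! The implicit deny would drop everything else anyway; the explicit line
 ! gives a hit counter and a log entry. Logging punts packets to the CPU,
 ! so it is kept off the permit lines.
 deny ip any any log-input
!
! Limit how often a logged ACE generates a syslog update (global command;
! confirm it is supported on your IOS XE release before relying on it).
ip access-list log-update threshold 1000
!
interface GigabitEthernet0/0/0
 description WAN uplink
 ip access-group INBOUND in
```

Verify the groups and the ACL before and after applying it: `show object-group` lists the resolved members of each nested group, `show ip access-lists INBOUND` shows per-ACE hit counters (the deny line's counter tells you what is still being attempted), and `show ip bgp summary` confirms the peering stayed up. Apply the ACL only after the BGP permits are in place, or the live session will be dropped. This is a stateless filter: if hosts behind these routers initiate sessions outbound, their return traffic also arrives inbound and will hit the deny unless it is covered by additional ACEs or by stateful inspection on the router.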

VIP Collaborator

Hi @utawakevou,

Please take a look at this Cisco config guide, and this blog.



Much appreciated @Milos_Jovanovic. Going through the documents I've come up with this two-line ACL and managed to configure it:


ip access-list extended INBOUND
 ! remote WAN interface address -> local WAN interface address, BGP
 5 permit tcp host x.x.x.x host x.x.x.x eq bgp log-input
 ! Trusted_Inbound_Service: nested group of all protocols/ports to be allowed in
 ! External_Trusted_Endpoints: nested group of all external networks/hosts to be allowed in
 ! Internal_Endpoints: nested group of all internal host addresses
 10 permit object-group Trusted_Inbound_Service object-group External_Trusted_Endpoints object-group Internal_Endpoints log-input


Do note that all object groups used above are nested groups, and I'm concentrating only on INBOUND on the WAN interface. Any further thoughts or comments that will help or benefit our configuration will be highly appreciated.




This looks ok.

However, I would advise removing 'log-input' at the end. If you enable logging on an ACL, processing no longer goes through hardware; it has to be processed at the CPU level, so it can cause CPU spikes (at least that is how older platforms worked).


