Object Group ACLs - Assistance

Hello everyone,

I am attempting to restrict all traffic other than management and infrastructure services into my management SVIs. I would like to do this using object-group ACLs, but so far I have not been successful in doing so. My implementation is as follows:

 

object-group network NET_MGMT_SYSTEMS
 host ip add 1
 host ip add 2
 etc.
!
object-group network INFRASTRUCTURE_SYSTEMS
 host ip add 1
 host ip add 2
 etc.
!
object-group service NET_MGMT_PPS
 icmp
 22
 143
 49
 162
 161
 udp eq 1812
 udp eq 1813
 udp eq 20514
 udp eq syslog
 igmp
 etc.
!
ip access-list extended NET_MGMT_INT
 permit object-group NET_MGMT_PPS object-group NET_MGMT_SYSTEMS host (SVI interface) log-input
 permit object-group NET_MGMT_PPS object-group INFRASTRUCTURE_SYSTEMS host (SVI interface) log-input
 permit ip any any log-input
 deny ip any any log-input
!
int vlan(SVI interface)
 ip access-group NET_MGMT_INT in

 

So, on the NET_MGMT_INT ACL the first two ACEs should, I would think, be counting hits as TACACS, NTP, SSH, etc., traffic hits the interface and is then parsed by the ACEs. However, this is not happening. The permit ip any any is there so that I do not get kicked out of the device, and that is the ACE that is gathering hits and allowing the traffic.

I am not sure if this is a directionality issue in the way I have built the ACE or something else.
Any help with this would be greatly appreciated!

1 REPLY

VIP Collaborator

@AntDPre Hello,

Look at this link: https://community.cisco.com/t5/network-security/object-groups-in-acl/m-p/1373552#M857386

They have solved a problem like the one you are experiencing.

Jaderson Pessoa
*** Rate All Helpful Responses ***