Add object-group in existing ACL

epeeler
Level 1

I have an existing ACL that is not built using object groups but would like to create a network object group with a list of networks and add it to this ACL.

Will this work or do I need to completely rebuild the ACL using groups for all services and hosts/networks?

Thanks!

6 Replies

cofee
Level 5

If the existing ACL is not using any object-groups or objects, then I don't think it's possible. But you can create a new ACL using object groups for the target nodes and services and place it on top of the existing ACL using line/sequence numbers. Once you verify that the new ACL is being used by looking at hit counters and the old ACL is not getting any hits (just to be on the safe side), you can remove the old ACL.

So you can't mix regular statements and group statements in a single ACL? Looking at the documentation, there doesn't seem to be any difference in the way the ACL is created. It's just a regular extended ACL.

Does something about it change once a group object has been added into it so that standard statements no longer work or vice versa?

I believe that as long as your current access list is an extended one, you can add entries to it using object groups if you wish. As long as your IOS supports object-groups, I don't think it is any different from adding another "non-object-group" line to the ACL.

I believe this is what you are asking.

Thanks Grant, and yes, that is my question. I've been asked to give access to a large list of networks, and rather than adding 30 lines to my ACL, I'm hoping I can just create a group with these networks in it and add it to the existing extended ACL so that I can do the same thing with one new line.

I have just tested on a 2911 running IOS 15.1. It seems it can be done, if this is what you are referring to. I think the only caveat here is that it will need to be an extended ACL.

ip access-list extended NAT-TO-PLATFORMS
permit ip any 172.17.250.32 0.0.0.31
permit ip any 172.17.254.32 0.0.0.31
permit ip any 172.17.34.32 0.0.0.31
permit ip any 172.17.36.32 0.0.0.31
permit ip any 172.17.246.32 0.0.0.31
permit ip any 172.17.39.208 0.0.0.7
permit ip any 172.17.40.0 0.0.0.15
permit ip any 10.96.129.96 0.0.0.31
permit tcp object-group TEST any
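As an added example (not from the thread or from Cisco), the following Python script expands an object-group ACE like the one above into the equivalent per-network ACEs, so a mixed ACL can be reviewed as one flat rule list and the group line checked against the networks it was meant to cover. The config it parses is constructed, and the members of the TEST group are made up.

```python
import ipaddress

# Constructed sample config (not from the thread): one network object-group plus
# the tester's extended ACL, mixing classic ACEs with an object-group ACE.
SAMPLE_CONFIG = """\
object-group network TEST
 10.96.130.0 255.255.255.224
 host 192.0.2.10
ip access-list extended NAT-TO-PLATFORMS
 permit ip any 172.17.250.32 0.0.0.31
 permit tcp object-group TEST any eq 443
"""

def parse_object_groups(config):
    """Map each 'object-group network NAME' block to its member networks."""
    groups, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("object-group network "):
            current = groups.setdefault(raw.split()[2], [])
        elif not raw.startswith(" "):
            current = None                       # left the indented block
        elif current is not None:
            parts = raw.split()
            if parts[0] == "host":               # 'host A.B.C.D' is a /32
                current.append(ipaddress.ip_network(parts[1]))
            elif len(parts) == 2:                # 'A.B.C.D SUBNET-MASK' (not a wildcard)
                current.append(ipaddress.ip_network(f"{parts[0]}/{parts[1]}"))
    return groups

def _addr(t, i, groups):
    # Consume one src/dst field at t[i]; return (IOS renderings, next index).
    if t[i] == "any":
        return ["any"], i + 1
    if t[i] == "host":
        return [f"host {t[i + 1]}"], i + 2
    if t[i] == "object-group":                   # one rendering per member network
        return [f"host {n.network_address}" if n.prefixlen == 32
                else f"{n.network_address} {n.hostmask}" for n in groups[t[i + 1]]], i + 2
    return [f"{t[i]} {t[i + 1]}"], i + 2         # classic 'A.B.C.D WILDCARD'

def expand_acl(config, name):
    """Flatten object-group references in the named extended ACL into plain ACEs."""
    groups, lines = parse_object_groups(config), config.splitlines()
    expanded = []
    for raw in lines[lines.index(f"ip access-list extended {name}") + 1:]:
        if not raw.startswith(" "):              # end of the ACL body
            break
        t = raw.split()
        src, i = _addr(t, 2, groups)
        dst, i = _addr(t, i, groups)
        tail = " ".join(t[i:])                   # e.g. 'eq 443', kept verbatim
        expanded += [" ".join(x for x in (t[0], t[1], s, d, tail) if x)
                     for s in src for d in dst]
    return expanded
```

Run `expand_acl(SAMPLE_CONFIG, "NAT-TO-PLATFORMS")` against a saved `show running-config` to list what the object-group line actually permits before trusting its hit counters.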

You can mix; I thought you wanted to replace an existing ACE with an object-group. Sorry for the confusion.
