Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2296
Views
4
Helpful
8
Replies

IP ACLs on 3750 / 3850 L3 switch - with object-groups

pschulz
Level 1
Level 1

‎06-18-2023 01:06 PM - edited ‎06-20-2023 06:19 AM

** Updated - as I found out that my problem is related to object groups **

My understanding is, that on a L3 switch like the 3850 or 3750 with IP routing enabled, the following is true for IP ACLs applied to the SVI of VLANs:

  • With no ACLs applied at all, all traffic is permitted between VLANs (the switch is acting as router)
  • ACLs applied by an access-group to an SVI with the "in" keyword are applied to packets entering the switch from hosts connected to interfaces of that VLAN.Packets matching one of the ACEs can enter the switch.If no ACE matches, the switch drops the packet.
  • ACLs applied by an access-group to an SVI with the "out" keyword are appliedafter routing and just before exiting the switch towards connected hosts. Same rules as for "in" apply.
  • At the end of each ACL, there is an implicit "deny ip any any" statement.

To the best of my knowledge, that's exactly what the Cisco configuration guide says
(IOS software version 15.2).

However, when using object-groups in ACLs, this does not seem to work.

Test 1

Given these interfaces

interface vlan 4
ip address 10.0.4.0 255.255.255.0
ip access-group acl-4 in

interface vlan 7
ip address 10.0.7.0 255.255.255.0
ip access-group acl-7 in

and object groups

object-group network g4
10.0.4.0 255.255.255.0
object-group network g7
10.0.7.0 255.255.255.0

and these ACLs

ip access-list extended acl-4
permit ip object-group g4 object-group g4 log

ip access-list extended acl-7
permit ip object-group g7 object-group g7 log

the expected behaviour would be that the two VLANs are isolated.
I should not be able to ping hosts connected to ports of VLAN-7
from hosts connected to ports of VLAN-4.

What Really Happens

However, a real switch configured like the above allows all traffic from hosts of any VLAN to the hosts of the other VLAN. I have tested connectivity between the hosts using ping and also using RDP between PCs.
Log messages appear in the console that the traffic has been permitted by the above ACLs.
(Tested on a 3750-X)

(The command "show vlan" shows the proper interfaces connected to the VLANs
where my hosts are connected. This is not the problem.)

Adding an explicit
deny ip any any
into each of the two ACLs does not change anything - still all the traffic allowed.

Also adding explicit deny statements for the other VLAN has the same result.

This is contrary to how it should work.
And the object groups are correct - we can verify with
show ip access-list acl-4 expanded
which shows the object group expansion in ACL syntax as expected.

However, when replacing the object-groups with the written-out numeric representation,
then everything works as expected:

    ip access-list extended acl-4
       permit ip 10.0.4.0 0.0.0.255 10.0.4.0 0.0.0.255 log

    ip access-list extended acl-7
      permit ip 10.0.7.0 0.0.0.255 10.0.7.0 0.0.0.255 log

This works totally fine, no traffic allowed between VLANs.
Any more specific permit and deny statements work exactly as per the rules laid out above.

But as soon as any of the ACEs contain any object group in the source or destination
address, ALL traffic is allowed.

Is this is bug in IOS, including what is used in L3 switches? 

I found following post stating a similar problem:

Object-group-entry-in-acl-breaks-ios-firewall 

 

 

Labels:
8 Replies 8

MHM Cisco World
VIP
VIP

‎06-18-2023 01:25 PM

This ACL apply to l3 SVI'

The traffic between host in same vlan so the traffic not inter-vlab to hit the acl of SVI.

For traffic between differ vlan the traffic inter-vlan and must hit the acl line below 

deny ip 10.0.4.0 0.0.0.255 10.0.7.0 0.0.0.255 log

Do check that traffic deny or not?

0 Helpful

pschulz
Level 1
Level 1
In response to MHM Cisco World

‎06-18-2023 03:59 PM

Traffic is not denied by that line (see my "Test 3" above).

The log does not specify the line but states that "ACL-4" permitted the traffic.

0 Helpful

pschulz
Level 1
Level 1

‎06-20-2023 06:22 AM

Meanwhile I found out that this behaviour only occurs when using object-groups in ACLs.

My actual configuration which I tested did include object groups, not the raw numerical representation as I listed it in the post. Edited the post to reflect this. When using the numerical representation it works all as expected.

MHM Cisco World
VIP
VIP
In response to pschulz

‎06-20-2023 08:16 AM

Yes two day think' check your config it correct' but object group in acl as you mention is limited to some platform.

I think ASR with IOS XE support this feature but 3k not.

Thank for update me 

Have a nice day 

MHM

0 Helpful

Flavio Miranda
VIP
VIP

‎06-20-2023 06:31 AM

Hi @pschulz 

  It seems this is not supported on IOS. I saw some thread here say that but unfortunatelly no one offered a Cisco doc.

https://community.cisco.com/t5/switching/object-group-in-c3560-c3750-switches/td-p/1640554

https://community.cisco.com/t5/switching/acl-object-groups-on-catalyst-switches/td-p/3082302

 

But, for IOS-XE I have found the doc below and they mention the restriction ofr Object Groups ACLs:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/17-4/configuration_guide/sec/b_174_sec_9200_cg/object_groups_for_acls.html#concept_pdx_dk4_c3b

 

Restrictions for Object Groups for ACLs

  • You can use object groups only in extended named and numbered ACLs.

  • Object group-based ACLs support only IPv4/IPv6 addresses.

  • Object group-based ACLs support only Layer 3 interfaces(such as routed interfaces and VLAN interfaces) and sub-interfaces.

  • Object group-based ACLs are not supported with IPsec.

  • ACL statements using object groups will be ignored on packets that are sent to RP for processing.

  • The number of object group-based ACEs supported in an ACL varies depending on platform, subject to TCAM availability.

0 Helpful

pschulz
Level 1
Level 1
In response to Flavio Miranda

‎06-20-2023 08:08 AM

I made some document research, and here is what I found.

For the 3850, the software configuration guide (IOS XE 16.3) omits any mention of object groups, and the syntax of configuring IPv4 access lists does not include object groups. So one is supposed to follow this per the letter I guess:

3850 Configuration Guide 

In the older 3750-X configuration guide (IOS 15.2), 

3750x-3560x Configuration Guide 

I found a specific restriction:

  • Object groups are not supported in Cisco Catalyst 3560-x Series Switches

In general, object groups were introduced in IOS 12.4, see the feature information section in the following IOS document 

Object Groups for ACLs 

So while the feature has been around since 2012, it seems it never made it into the 3750 / 3850 line of switches, not even in IOS XE.

Speaking about a trap - the switch accepts the configuration with no warning but then cancels the entire ACL as if it was empty, with just a single ACE line containing an object group. Completely unexpected behaviour.

0 Helpful

MHM Cisco World
VIP
VIP
In response to pschulz

‎06-20-2023 11:18 AM

come to see what happened in Nexus, guide say support and command not found!!

0 Helpful

ProTofik
Level 1
Level 1

‎09-13-2023 07:51 AM

Same problem here on Cisco WS-C3560CX-8PC-S running 15.2(7)E8.

If I create an extended access-list that contains even a single object-group as a source, that access list line effectively becomes "permit ip any any". On top of that, according to my SNMP monitor applying that access list on a SVI causes switch CPU to spike to nearly 100%.

Has Cisco ever officially acknowledged this bug? 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card