"object-group network " and "object-group service " | Cisco IOS XE | ASR1000

kasunrajapakse
Level 1

Hi Team, 

I would like to specify a few "object-group network" and a few "object-group service" entries and mix them together.
My requirement is to define a rule so that traffic can be allowed to the following set of IPs, but only on the mentioned ports.

However, I can't couple an object-group network and an object-group service. I get an error that says "Object group type mismatch".

How can I achieve this on Cisco IOS XE?

object-group network test_servers
host 10.13.3.200
host 10.13.3.90
host 10.13.7.200
host 10.13.3.130
host 10.13.3.213
host 10.13.25.130
!

object-group service test_ports
udp eq 5060
udp eq 5061
!

ASR1000(config)#object-group network test_servers
ASR1000(config-network-group)#group-object test_ports
Object group type mismatch
ASR1000(config-network-group)#


ASR1000(config)#object-group service test_ports
ASR1000(config-service-group)#group-object test_servers
Object group type mismatch
ASR1000(config-service-group)#

4 Replies

Seb Rupik
VIP Alumni

Hi there,

You combine the two object-groups via an ACL, e.g.:

!
ip access-list extended DEMO-ACL
  permit object-group test-ports object-group test-servers any
  deny udp any any
end
!

This would permit UDP traffic from the test-servers group sourced on UDP ports 5060 and 5061 to any destination.

cheers,

Seb.

Hi Seb, 

Thank you for the reply,
but this brought up a few more doubts.

1) The ports defined in the "object-group service": I thought they defined destination ports. There is an option to explicitly define the source ports, but not destination ports, so I thought the "object-group service" defined the destination ports by default. Is this not true?

2) My requirement is to allow traffic from a few outside IPs to those IPs / ports listed above in the object groups.
For example:
Outside IPs - 192.168.1.1 / 192.168.100.1 etc.

So what I want is to set a rule as follows:

permit udp host 192.168.1.1 object-group test_servers <and match the ports defined in the object-group service test_ports>

I want to allow traffic from the remote IP (192.168.1.1) to my internal IPs (object-group network test_servers), but only via the ports mentioned in object-group service test_ports.

Please refer to the attached image

Hope my requirement is clear now!

Seb Rupik
VIP Alumni

Ah, you are correct, the source port needs to be explicitly defined in the object.

In your ACL the service group precedes the subnet elements:

!
permit object-group test-ports 192.168.1.1 0.0.0.0 object-group test-servers
!
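To sanity-check the accepted ACE against sample flows, here is an added Python helper (not from this thread or from Cisco) that models the semantics Seb describes: service group first, then source with its wildcard, then destination group, with a port that lacks the "source" keyword matched as a destination port. It assumes only "host" network entries and "udp eq" service entries, and renames the question's groups with hyphens so they match the names in the ACE.

```python
import ipaddress

# Constructed input (assumption): the object groups from the question, renamed with
# hyphens to match the accepted ACE, plus that ACE itself.
OBJECT_GROUPS = """
object-group network test-servers
 host 10.13.3.200
 host 10.13.3.90
 host 10.13.7.200
 host 10.13.3.130
 host 10.13.3.213
 host 10.13.25.130
object-group service test-ports
 udp eq 5060
 udp eq 5061
"""
ACE = "permit object-group test-ports 192.168.1.1 0.0.0.0 object-group test-servers"

def parse_object_groups(text):
    """Parse 'host A.B.C.D' network entries and 'udp eq N' service entries.
    Subnet, range and 'source' port forms are not handled in this example."""
    groups, current = {}, None
    for words in (line.split() for line in text.splitlines()):
        if len(words) == 3 and words[0] == "object-group":
            current = groups.setdefault(words[2], {"type": words[1], "members": set()})
        elif current and current["type"] == "network" and words[:1] == ["host"]:
            current["members"].add(ipaddress.IPv4Address(words[1]))
        elif current and current["type"] == "service" and words[:2] == ["udp", "eq"]:
            current["members"].add(("udp", int(words[2])))  # no 'source' keyword: destination port
    return groups

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (0xFFFFFFFF ^ w) == 0

def ace_permits(ace, groups, proto, src, dst, dport):
    """Evaluate an ACE of the form 'permit object-group SVC SRC WILDCARD object-group DST':
    the service group comes first, then the source, then the destination."""
    w = ace.split()
    if w[:2] != ["permit", "object-group"] or w[5] != "object-group":
        raise ValueError("unsupported ACE form")
    return ((proto, dport) in groups[w[2]]["members"]
            and wildcard_match(src, w[3], w[4])
            and ipaddress.IPv4Address(dst) in groups[w[6]]["members"])

def check_flow(proto, src, dst, dport):
    """True if the flow would be permitted by the accepted-answer ACE."""
    return ace_permits(ACE, parse_object_groups(OBJECT_GROUPS), proto, src, dst, dport)

if __name__ == "__main__":
    print(check_flow("udp", "192.168.1.1", "10.13.3.200", 5060))    # True
    print(check_flow("udp", "192.168.100.1", "10.13.3.200", 5060))  # False: only host 192.168.1.1
```

The second outside address from the question (192.168.100.1) is rejected because the ACE names a single host; a second ACE, or a network object-group for the outside hosts, would be needed to permit it.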


Excellent. This worked, Seb.
I have marked your reply as the solution.

Cheers. 
