08-31-2022 01:36 AM
Hi,
I have a pair of 9500s running as a virtual stack, these switches use layer 3 SVIs to route traffic between various VLANS. To control this traffic I have applied some ACLs to the SVIs but I have found that if I use the Object-group command the ACLs do not work as planned.
The config I applied is:
!
object-group network MGMT
description Management subnet
172.20.5.0 255.255.255.0
!
ip access-list extended Management
10 remark Access list used for Management
10 permit icmp object-group MGMT object-group MGMT
20 permit ip object-group MGMT object-group MGMT
vlan 5
name MGMT
!
interface Vlan5
description MGMT
ip address 172.20.5.254 255.255.255.0
access-group Management in
no ip redirects
no ip unreachables
no ip proxy-arp
When I then try to ping from 172.20.5.14 or 172.20.5.220 (I've not tried other addresses in the range) to 172.20.5.254 (the SVI) I receive timeouts and the following error if I enable logging:
*Aug 24 10:46:04: %SEC-6-IPACCESSLOGDP: list Management denied icmp 172.20.5.220 -> 172.20.5.254 (8/0), 1 packet
*Aug 24 10:46:23: %SEC-6-IPACCESSLOGDP: list Management denied icmp 172.20.5.14 -> 172.20.5.254 (3/3), 1 packet
*Aug 24 10:47:42: %SEC-6-IPACCESSLOGDP: list Management denied icmp 172.20.5.220 -> 172.20.5.254 (3/3), 2 packets
*Aug 24 10:47:42: %SEC-6-IPACCESSLOGDP: list Management denied icmp 172.20.5.220 -> 172.20.5.254 (8/0), 20 packets
*Aug 24 10:47:42: %SEC-6-IPACCESSLOGDP: list Management denied icmp 172.20.5.14 -> 172.20.5.254 (3/3), 1 packet
I have checked and the object-group command expects a network address, not a wildcard mask.
Oddly if I add the following line to the ACL everything works as it should:
permit icmp 172.20.5.0 0.0.0.255 172.20.5.0 0.0.0.255
permit ip 172.20.5.0 0.0.0.255 172.20.5.0 0.0.0.255
IOS version is 17.03.01. There doesn't seem to be anything I can find to say this is a known issue.
Thanks,
08-31-2022 03:51 AM - edited 08-31-2022 03:53 AM
Looks to me like a bug or something weird.
Try below:
no ip access-list extended Management
ip access-list extended Management
remark Access list used for Management
10 permit icmp object-group MGMT object-group MGMT
20 permit ip object-group MGMT object-group MGMT
30 deny any any
Other one:
interface Vlan5
ip access-group Management in
09-05-2022 07:24 AM
Hi,
I've tried this but get the same results. It appears to be something with the object-group that the IOS doesn't like for some reason.
09-05-2022 08:51 AM
By the way, what version of code and what license do you have?
show version
show licen sum
04-18-2023 01:10 PM
Have a similar issue, but instead of an object group we have a wildcard for the source.
Connection all of a sudden stopped working. ACL is like below and traffic coming from 10.0.249.8 to 10.3.12.1 does not hit ACE 20.
Extended IP access list vlan301in
5 permit ospf any any
7 permit udp host 10.0.0.1 eq ntp any
8 permit udp host 10.0.0.1 eq domain any
9 permit udp host 10.0.0.7 eq domain any
10 permit ip 10.100.0.0 0.0.0.255 10.3.12.0 0.0.0.255
20 permit ip 10.0.249.0 0.0.0.240 10.3.12.0 0.0.0.255
But if I add "11 permit ip host 10.0.249.8 host 10.3.12.1", traffic from 10.0.249.8 to 10.3.12.1 passes.
device model is C9500-48Y4C
Version 17.3.3
Technology Package License Information:
------------------------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------------
network-essentials Smart License network-essentials
dna-essentials Subscription Smart License dna-essentials
AIR License Level: AIR DNA Advantage
Next reload AIR license Level: AIR DNA Advantage
License Usage:
License Entitlement Tag Count Status
-----------------------------------------------------------------------------
network-essentials (C9500 Network Essentials) 1 IN USE
dna-essentials (C9500 48Y4C DNA Essent...) 1 IN USE
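The two ACLs in this thread mix the two address notations IOS uses: classic ACEs take a wildcard mask (a 1 bit means "ignore this bit"), while object-group network entries take a subnet mask (a 1 bit means "must match"). The script below is an added example, not code from any poster or from Cisco: it parses the %SEC-6-IPACCESSLOGDP lines quoted in the first post, evaluates both posted ACLs against the logged flows using those documented semantics, and reports denials that the configuration should have permitted. ICMP type/code and UDP/TCP port qualifiers are not modelled (an assumption of the model; they do not affect the flows checked here), and the log text is constructed from the lines quoted above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed from the log lines quoted in the first post (SVI at 172.20.5.254).
SAMPLE_LOGS = """\
*Aug 24 10:46:04: %SEC-6-IPACCESSLOGDP: list Management denied icmp 172.20.5.220 -> 172.20.5.254 (8/0), 1 packet
*Aug 24 10:46:23: %SEC-6-IPACCESSLOGDP: list Management denied icmp 172.20.5.14 -> 172.20.5.254 (3/3), 1 packet
*Aug 24 10:47:42: %SEC-6-IPACCESSLOGDP: list Management denied icmp 172.20.5.220 -> 172.20.5.254 (8/0), 20 packets
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_log(text: str) -> List[dict]:
    """Extract ACL name, action, protocol, endpoints, ICMP type/code and packet count."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            records.append(rec)
    return records

def _u32(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Classic ACE notation: a 1 bit in the wildcard mask means 'ignore this bit'."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)

def subnet_match(addr: str, network: str, netmask: str) -> bool:
    """object-group network notation: a 1 bit in the subnet mask means 'must match'."""
    m = _u32(netmask)
    return (_u32(addr) & m) == (_u32(network) & m)

Matcher = Callable[[str], bool]

def any_addr() -> Matcher:
    return lambda a: True

def host(ip: str) -> Matcher:
    return lambda a: _u32(a) == _u32(ip)

def wildcard(base: str, wc: str) -> Matcher:
    return lambda a: wildcard_match(a, base, wc)

def network_group(*entries: Tuple[str, str]) -> Matcher:
    """An object-group network: the address matches if any (network, netmask) entry covers it."""
    return lambda a: any(subnet_match(a, n, m) for n, m in entries)

@dataclass
class Ace:
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "ip" covers every protocol; ports and ICMP types are not modelled
    src: Matcher
    dst: Matcher

def evaluate(acl: List[Ace], proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; every IOS ACL ends with an implicit deny (seq None)."""
    for ace in acl:
        if ace.proto in ("ip", proto) and ace.src(src) and ace.dst(dst):
            return ace.action, ace.seq
    return "deny", None

def unexpected_denials(acl: List[Ace], log_text: str) -> List[Tuple[str, str, int]]:
    """Logged denials that the configured ACL, by its documented semantics, should permit."""
    out = []
    for rec in parse_acl_log(log_text):
        action, seq = evaluate(acl, rec["proto"], rec["src"], rec["dst"])
        if rec["action"] == "denied" and action == "permit":
            out.append((rec["src"], rec["dst"], seq))
    return out

# The first post's ACL: object-group MGMT = 172.20.5.0 255.255.255.0 on both sides.
MGMT = network_group(("172.20.5.0", "255.255.255.0"))
MANAGEMENT_ACL = [
    Ace(10, "permit", "icmp", MGMT, MGMT),
    Ace(20, "permit", "ip", MGMT, MGMT),
]

# The vlan301in ACL from the later post, with ACE 20 exactly as posted (wildcard 0.0.0.240).
VLAN301IN_ACL = [
    Ace(5, "permit", "ospf", any_addr(), any_addr()),
    Ace(7, "permit", "udp", host("10.0.0.1"), any_addr()),
    Ace(8, "permit", "udp", host("10.0.0.1"), any_addr()),
    Ace(9, "permit", "udp", host("10.0.0.7"), any_addr()),
    Ace(10, "permit", "ip", wildcard("10.100.0.0", "0.0.0.255"), wildcard("10.3.12.0", "0.0.0.255")),
    Ace(20, "permit", "ip", wildcard("10.0.249.0", "0.0.0.240"), wildcard("10.3.12.0", "0.0.0.255")),
]

if __name__ == "__main__":
    for src, dst, seq in unexpected_denials(MANAGEMENT_ACL, SAMPLE_LOGS):
        print(f"{src} -> {dst}: logged as denied, config permits via ACE {seq}")
    print("10.0.249.8 under 0.0.0.240:", evaluate(VLAN301IN_ACL, "tcp", "10.0.249.8", "10.3.12.1"))
    print("10.0.249.8 under 0.0.0.15: ", wildcard_match("10.0.249.8", "10.0.249.0", "0.0.0.15"))
```

For the first post, every logged denial comes back as "config permits via ACE 10", which is the gap between configuration and observed behaviour the thread is asking about. For the vlan301in ACL, the wildcard 0.0.0.240 ignores the high nibble of the last octet and requires the low nibble to equal 0, so 10.0.249.8 falls through to the implicit deny, while 10.0.249.16 matches ACE 20; the wildcard equivalent of a /28 (255.255.255.240) is 0.0.0.15.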
12-20-2024 07:30 AM - edited 12-20-2024 07:34 AM
I have the same issue on a C9200 running 17.9.5
150 permit icmp 172.x.y.0 0.0.0.255 object-group LOCAL_NTP_SERVERS echo
Network object group LOCAL_NTP_SERVERS
Description Local_NTP_Servers
host 172.x.z.254
host 172.a.b.254
host 172.x.y.254
%SEC-6-IPACCESSLOGDP: list NP-IN_OBJ denied icmp 172.x.y.4 -> 172.x.y.254 (8/0), 1 packet