9500 ACL Object-Groups not working

rodney83
Level 1

Hi,

I have a pair of 9500s running as a virtual stack, these switches use layer 3 SVIs to route traffic between various VLANS. To control this traffic I have applied some ACLs to the SVIs but I have found that if I use the Object-group command the ACLs do not work as planned.

The config I applied is:

!
object-group network MGMT
description Management subnet
172.20.5.0 255.255.255.0
!
ip access-list extended Management
10 remark Access list used for Management
10 permit icmp object-group MGMT object-group MGMT
20 permit ip object-group MGMT object-group MGMT

vlan 5
name MGMT
!
interface Vlan5
description MGMT
ip address 172.20.5.254 255.255.255.0
access-group Management in
no ip redirects
no ip unreachables
no ip proxy-arp

When I then try to ping from 172.20.5.14 or 172.20.5.220 (I've not tried other addresses in the range) to 172.20.5.254 (the SVI) I receive timeouts and the following error if I enable logging:

*Aug 24 10:46:04: %SEC-6-IPACCESSLOGDP: list Management denied icmp 172.20.5.220 -> 172.20.5.254 (8/0), 1 packet
*Aug 24 10:46:23: %SEC-6-IPACCESSLOGDP: list Management denied icmp 172.20.5.14 -> 172.20.5.254 (3/3), 1 packet
*Aug 24 10:47:42: %SEC-6-IPACCESSLOGDP: list Management denied icmp 172.20.5.220 -> 172.20.5.254 (3/3), 2 packets
*Aug 24 10:47:42: %SEC-6-IPACCESSLOGDP: list Management denied icmp 172.20.5.220 -> 172.20.5.254 (8/0), 20 packets
*Aug 24 10:47:42: %SEC-6-IPACCESSLOGDP: list Management denied icmp 172.20.5.14 -> 172.20.5.254 (3/3), 1 packet

I have checked and the object-group command expects a network address, not a wildcard mask.

Oddly if I add the following line to the ACL everything works as it should:

permit icmp 172.20.5.0 0.0.0.255 172.20.5.0 0.0.0.255
permit ip 172.20.5.0 0.0.0.255 172.20.5.0 0.0.0.255

IOS version is 17.03.01. There doesn't seem to be anything I can find to say this is a known issue.

Thanks,

 

4 Replies

balaji.bandi
Hall of Fame

Looks to me like a bug or something weird.

Try below:

no ip access-list extended Management

ip access-list extended Management
 remark Access list used for Management
10 permit icmp object-group MGMT object-group MGMT
20 permit ip object-group MGMT object-group MGMT

30 deny any any

 

Other one:

interface Vlan5
ip access-group Management in

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

I've tried this but get the same results. It appears to be something with the object-group that the IOS doesn't like for some reason.

By the way, what version of code and what license do you have?

show version

show licen sum

BB


Aydin Ehtibarov
Level 1

Have a similar issue, but instead of an object group we have a wildcard for the source.

The connection all of a sudden stopped working. The ACL is like below, and traffic coming from 10.0.249.8 to 10.3.12.1 does not hit ACE 20.

Extended IP access list vlan301in
5 permit ospf any any
7 permit udp host 10.0.0.1 eq ntp any
8 permit udp host 10.0.0.1 eq domain any
9 permit udp host 10.0.0.7 eq domain any
10 permit ip 10.100.0.0 0.0.0.255 10.3.12.0 0.0.0.255
20 permit ip 10.0.249.0 0.0.0.240 10.3.12.0 0.0.0.255

But if I add "11 permit ip host 10.0.249.8 host 10.3.12.1", traffic from 10.0.249.8 to 10.3.12.1 passes.

 

Device model is C9500-48Y4C

Version 17.3.3

Technology Package License Information:

------------------------------------------------------------------------------
Technology-package                   Technology-package
Current             Type             Next reboot
------------------------------------------------------------------------------
network-essentials  Smart License                 network-essentials
dna-essentials      Subscription Smart License    dna-essentials
AIR License Level: AIR DNA Advantage
Next reload AIR license Level: AIR DNA Advantage

License Usage:
License             Entitlement Tag                Count  Status
-----------------------------------------------------------------------------
network-essentials  (C9500 Network Essentials)     1      IN USE
dna-essentials      (C9500 48Y4C DNA Essent...)    1      IN USE
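A worked check for both cases in this thread (the original poster's object-group ACL with its denial log lines, and the vlan301in list above). This is an added example, not code from the thread or from Cisco: a small Python evaluator for the ACE syntax used here (any, host, network plus wildcard, and object-group with network plus subnet mask) that reports what the ACL text says should happen to a flow, so it can be compared with what the switch logged. Against the object-group ACL it rates every logged %SEC-6-IPACCESSLOGDP denial as an expected permit by ACE 10, so the disagreement is between the written policy and what the platform enforces, not a mistake in the ACL logic. Against vlan301in it shows that 10.0.249.8 is not covered by "10.0.249.0 0.0.0.240": under that wildcard the bits of the last octet with value 1, 2, 4 and 8 must match the 0 in the network address, so ACE 20 matches only last octets 0, 16, 32, ..., 240 (the contiguous wildcard for a /28 would be 0.0.0.15). The OBJECT_GROUPS table, the sample strings and the port handling (eq qualifiers are parsed but not evaluated) are assumptions of this example.

```python
# Constructed example (not code from the thread or from Cisco): evaluate Cisco-style ACEs
# offline, so what the ACL text says can be compared with what the switch logged.
import ipaddress
import re

# Object-group members use network + SUBNET mask; constructed table for the thread's MGMT group.
OBJECT_GROUPS = {"MGMT": [("172.20.5.0", "255.255.255.0")]}

def _i(ip):
    return int(ipaddress.IPv4Address(ip))

def subnet_match(addr, network, mask):
    """Object-group semantics: a mask bit of 1 means the bit must match."""
    return _i(addr) & _i(mask) == _i(network) & _i(mask)

def wildcard_match(addr, network, wildcard):
    """ACE semantics: a wildcard bit of 1 means 'don't care'. Wildcards need not be
    contiguous, so compare bit-for-bit rather than converting to a prefix length."""
    care = _i(wildcard) ^ 0xFFFFFFFF
    return _i(addr) & care == _i(network) & care

def covered_addresses(network, wildcard):
    """Every address a (network, wildcard) pair matches, ascending; use on small sets only."""
    n, w = _i(network), _i(wildcard)
    free = [b for b in range(32) if (w >> b) & 1]  # the 'don't care' bit positions
    base, out = n & (w ^ 0xFFFFFFFF), []
    for k in range(2 ** len(free)):
        a = base
        for j, b in enumerate(free):
            if (k >> j) & 1:
                a |= 1 << b
        out.append(a)
    return [str(ipaddress.IPv4Address(a)) for a in sorted(out)]

def _endpoint(tokens, i):
    """Consume one address specifier at tokens[i]; return (matcher, next index).
    A trailing 'eq <port>' is skipped: ports are not evaluated in this example."""
    t = tokens[i]
    if t == "any":
        m, i = (lambda ip: True), i + 1
    elif t == "host":
        m, i = (lambda ip, h=tokens[i + 1]: ip == h), i + 2
    elif t == "object-group":
        mm = OBJECT_GROUPS[tokens[i + 1]]
        m, i = (lambda ip, mm=mm: any(subnet_match(ip, n, k) for n, k in mm)), i + 2
    else:  # "<network> <wildcard>"
        m, i = (lambda ip, n=tokens[i], w=tokens[i + 1]: wildcard_match(ip, n, w)), i + 2
    if i < len(tokens) and tokens[i] == "eq":
        i += 2
    return m, i

def parse_ace(line):
    """'[seq] permit|deny <proto> <src> [eq p] <dst> [eq p]'; None for remarks/headers."""
    tokens, seq = line.split(), None
    if tokens and tokens[0].isdigit():
        seq, tokens = int(tokens[0]), tokens[1:]
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None
    src, i = _endpoint(tokens, 2)
    dst, _ = _endpoint(tokens, i)
    return seq, tokens[0], tokens[1], src, dst

def parse_acl(text):
    """Parse ACL text into ACEs ordered by sequence number, as IOS orders them."""
    aces = [a for a in (parse_ace(l) for l in text.strip().splitlines()) if a]
    return sorted(aces, key=lambda a: a[0] if a[0] is not None else float("inf"))

def evaluate(acl, proto, src, dst):
    """First-match evaluation; (None, 'deny') is the implicit deny at the end."""
    for seq, action, p, s, d in acl:
        if p in ("ip", proto) and s(src) and d(dst):
            return seq, action
    return None, "deny"

LOG_RE = re.compile(r"list \S+ denied (\S+) (\d+(?:\.\d+){3}) -> (\d+(?:\.\d+){3})")

def check_log(acl, log_text):
    """For each %SEC-6-IPACCESSLOGDP denial, return (src, dst, expected_seq, expected_action)
    per the ACL text; an expected 'permit' means written policy and enforcement disagree."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            proto, src, dst = m.groups()
            results.append((src, dst) + evaluate(acl, proto, src, dst))
    return results

# Constructed samples transcribed from the thread: the OP's ACL and one log line, and vlan301in.
OP_ACL = "10 remark Access list used for Management\n10 permit icmp object-group MGMT object-group MGMT\n20 permit ip object-group MGMT object-group MGMT\n"
OP_LOG = "*Aug 24 10:46:04: %SEC-6-IPACCESSLOGDP: list Management denied icmp 172.20.5.220 -> 172.20.5.254 (8/0), 1 packet\n"
VLAN301_ACL = """5 permit ospf any any
7 permit udp host 10.0.0.1 eq ntp any
10 permit ip 10.100.0.0 0.0.0.255 10.3.12.0 0.0.0.255
20 permit ip 10.0.249.0 0.0.0.240 10.3.12.0 0.0.0.255
"""

if __name__ == "__main__":
    for src, dst, seq, action in check_log(parse_acl(OP_ACL), OP_LOG):
        print(f"{src} -> {dst}: switch logged deny, ACL text says {action} by ACE {seq}")
    acl = parse_acl(VLAN301_ACL)
    print("10.0.249.8 -> 10.3.12.1 per ACL text:", evaluate(acl, "ip", "10.0.249.8", "10.3.12.1"))
    print("addresses ACE 20 actually covers:", covered_addresses("10.0.249.0", "0.0.0.240"))
```

The evaluator deliberately compares wildcard bits individually instead of turning the wildcard into a prefix length, because IOS accepts non-contiguous wildcards and silently matches exactly what the bits say; converting 0.0.0.240 to "/28" would hide the very mismatch shown here. When an entry such as "11 permit ip host 10.0.249.8 host 10.3.12.1" is added, the evaluator places it by sequence number and reports it as the matching ACE, which is consistent with that workaround making the traffic pass.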
