Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
213
Views
0
Helpful
2
Replies

Access List extended from Nexus 7000 to Catalyst 9500

mhumali@trends.com.ph
Level 1
Level 1

‎12-27-2023 12:30 AM - last edited on ‎12-27-2023 05:44 PM by Community Manager


Below configuration is from Nexus, i would like to inquire the equivalent configuration on the Catalyst.

object-group ip port NETWORK-PORT
10 eq 1039
20 eq 5900
30 eq 5000
40 eq 443
50 eq 6129
60 eq 21
70 eq 22
80 eq 24
90 eq 1024
100 eq 1023
110 eq 1021
120 eq 1025
130 eq 1027
140 range 1032 1036
150 gt 49000
160 eq 8080
170 eq 80
180 eq 12289
190 eq 10211
!
object-group ip address NETWORK-HOST
10 host 10.199.10.204
20 host 10.199.10.199
30 host 10.199.10.230
40 host 10.199.10.231
!!!!!
ip access-list ACCESS-LIST1
statistics per-entry
10 permit ip any 224.0.0.2/32
40 permit icmp any any
50 permit tcp any 10.160.2.180/32 portgroup NETWORK-PORT
60 permit tcp any 10.151.167.119/32 portgroup NETWORK-PORT
70 permit tcp any addrgroup NETWORK-HOST portgroup NETWORK-PORT
!

This is the configuration converted on C9500, however the line -

50, 60 and 70 are not working if added the Object-group for NETWORK-PORT
50 permit tcp any 10.160.2.180 0.0.0.0 object-group NETWORK-PORT
60 permit tcp any 10.151.167.119 0.0.0.0 object-group NETWORK-PORT
70 permit tcp any object-group NETWORK-HOST object-group NETWORK-PORT
!


object-group service NETWORK-PORT
tcp-udp 1039
tcp-udp 5900
tcp-udp 5000
tcp-udp 443
tcp-udp 6129
tcp-udp 21
tcp-udp 22
tcp-udp 24
tcp-udp 1024
tcp-udp 1023
tcp-udp 1021
tcp-udp 1025
tcp-udp 1027
range 1032 1036
gt 49000
tcp-udp 8080
tcp-udp 80
tcp-udp 12289
tcp-udp 10211

!

object-group service address NETWORK-HOST
10 host 10.199.10.204
20 host 10.199.10.199
30 host 10.199.10.230
40 host 10.199.10.231
!
ip access-list extended ACCESS-LIST1
statistics per-entry
10 permit ip any 224.0.0.0 0.0.0.3
40 permit icmp any any
50 permit tcp any 10.160.2.180 0.0.0.0 object-group NETWORK-PORT
60 permit tcp any 10.151.167.119 0.0.0.0 object-group NETWORK-PORT
70 permit tcp any object-group NETWORK-HOST object-group NETWORK-PORT
!

 

Labels:
0 Helpful
2 Replies 2

pieterh
VIP
VIP

‎12-28-2023 11:44 PM - edited ‎12-28-2023 11:56 PM

>>> object-group service address NETWORK-HOST <<<
this seems to be wrong, (expect network object group, not service)
check these links:

you did not mention the IOS-XE version, so also check

for 17.3.x
nB! doc title mentions 9300, but as this is about ios version it will also be valid for same version on 9500

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎12-29-2023 03:07 AM

You can try below on Cat 9K switches example :

permit object-group NETWORK-PORT host 10.160.2.180 any
permit object-group NETWORK-PORT object-group NETWORK-HOST any

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card