ACL Object Groups on Catalyst switches

Marc Abaya
Level 1

I'm looking for ways to make editing ACLs on my 3560-X Catalyst switches a lot easier. It's about 200+ lines. I think using network object groups, similar to ASA firewalls, would be helpful.

I found this link, but I don't think it's supported on Catalyst:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html

Any recommendations?


4 Replies

Hi Marc

Yes, you can use object-groups in switches and routers like we do in the ASA. To be honest, I'm not sure if all the switches support object-groups, but you can try the following config; the syntax is different from the firewalls'.

Please let me prepare an example.




>> Mark as helpful or answered if the reply resolved the question; this helps other community members with future queries. <<

Example:

! object group for services
object-group ip port HTTP-PORT
  eq 80

object-group ip address SOURCE
  ! a single host (/32)
  host 172.17.2.5
  ! a network
  172.17.10.0 255.255.255.0

ip access-list extended OUTBOUND-TRAFFIC
  permit tcp addrgroup SOURCE any portgroup HTTP-PORT

The addrgroup keyword is used for address groups like SOURCE, and portgroup is used for TCP/UDP ports.

I have used object-groups with VLAN ACLs (VACLs). If you are going to use object-groups, keep monitoring the CPU to verify whether it increases.

Please rate the comment if it is useful

:-)


Tausif Gaddi
Level 1

Accepted Solution

The object-group feature is not supported on 3560 and 3750 switches. Please refer to
https://supportforums.cisco.com/discussion/11119341/object-group-c3560-c3750-switches

Thanks for confirming. This is also what I thought.

Any similar commands I can use on switches? My objective is to avoid having so many lines in my ACL and to make it easier to read.
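As an added example (not code from this thread), the script below shows what the object-group approach buys on the 200-line ACL from the question: it parses a flat IOS extended ACL, finds entries that differ only in their source, and emits the equivalent object-group network definitions plus the shortened ACL. It assumes a platform that supports object-group ACLs, such as the IOS 15.2 release covered by the documentation link in the question (the accepted answer says the 3560/3750 do not); the sample ACEs, the ACL name OUTBOUND and the SRC1/SRC2 group naming are constructed for the example.

```python
import ipaddress
import re
from collections import OrderedDict

# Constructed sample: a flat IOS extended ACL that repeats each destination/port once per source.
FLAT_ACL = """\
permit tcp host 172.17.2.5 any eq 80
permit tcp 172.17.10.0 0.0.0.255 any eq 80
permit tcp host 172.17.2.5 any eq 443
permit tcp 172.17.10.0 0.0.0.255 any eq 443
permit udp host 10.0.0.9 host 10.0.0.53 eq 53
deny ip any any log
"""
ADDR = r"(?:any|host \S+|\S+ \S+)"
ACE = re.compile(rf"^(permit|deny) (\S+) ({ADDR}) ({ADDR})\s*(.*)$")

def to_member(addr):
    """Render an ACE source as an object-group member: IOS object groups take a netmask, ACEs a wildcard."""
    if addr.startswith("host "):
        return addr
    net, wild = addr.split()
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild)))
    return f"{net} {mask}"

def collapse(acl_text, acl_name):
    """Merge ACEs that differ only in source; skip the merge if an opposite-action ACE sits between them."""
    aces = []
    for line in acl_text.strip().splitlines():
        m = ACE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACE: {line!r}")
        aces.append(m.groups())             # (action, proto, src, dst, rest)
    groups = OrderedDict()                  # (action, proto, dst, rest) -> [index, ...]
    for i, (action, proto, src, dst, rest) in enumerate(aces):
        groups.setdefault((action, proto, dst, rest), []).append(i)
    og, names, emitted = [], {}, {}         # names: member tuple -> object-group name
    for (action, proto, dst, rest), idx in groups.items():
        srcs = tuple(OrderedDict.fromkeys(aces[i][2] for i in idx))
        crossed = any(aces[j][0] != action for j in range(idx[0], idx[-1]))
        if len(srcs) > 1 and "any" not in srcs and not crossed:
            if srcs not in names:           # reuse a group that has identical members
                names[srcs] = f"{acl_name}-SRC{len(names) + 1}"
                og.append(f"object-group network {names[srcs]}")
                og.extend(f" {to_member(s)}" for s in srcs)
            emitted[idx[0]] = f" {action} {proto} object-group {names[srcs]} {dst} {rest}"
        else:                               # not mergeable: keep every ACE in its original place
            for i in idx:
                emitted[i] = f" {action} {proto} {aces[i][2]} {dst} {rest}"
    body = [emitted[i].rstrip() for i in sorted(emitted)]
    return "\n".join(og + [f"ip access-list extended {acl_name}"] + body)
```

The merge guard matters because collapsing entries moves them: a permit pulled above a deny that used to precede it would widen what the ACL allows, so such groups are left as they were.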
