Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5934
Views
5
Helpful
4
Replies

ACL Object Groups on Catalyst switches

Go to solution
Marc Abaya
Level 1
Level 1

‎03-20-2017 05:10 PM - edited ‎03-08-2019 09:50 AM

I'm looking for ways to make editing ACL on my 3560-x Catalyst switches a lot easier. It's about 200+ lines. I think using Object Network Groups similar to ASA firewalls will be helpful.

I found this link but I don't think it's supported on Catalyst:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html

 Any recommendations?

2 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tausif Gaddi
Level 1
Level 1

‎03-20-2017 08:47 PM

Object group feature is not supported on 3560 and 3750 switches. Please refer
https://supportforums.cisco.com/discussion/11119341/object-group-c3560-c3750-switches

View solution in original post

4 Replies 4

Go to solution
Julio E. Moisa
VIP Alumni
VIP Alumni

‎03-20-2017 05:27 PM

Hi Marc

Yes you can use object-group in Switches and Routers like we do in ASA, to be honest not sure if all the switches support object-groups but you can try with the following config, the sintaxis is different than the firewalls. 

Please let me prepare an example.




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Go to solution
Julio E. Moisa
VIP Alumni
VIP Alumni
In response to Julio E. Moisa

‎03-20-2017 05:42 PM

Example:

object-group ip port HTTP-PORT     <-- object group for services
eq 80

object-group ip address SOURCE
host-info 172.17.2.5  <--- For a host /32
172.17.10.0 255.255.255.0   <--- network 

ip access-list extended OUTBOUND-TRAFFIC
permit tcp addrgroup SOURCE any portgroup HTTP-PORT

The command addrgroup is used for the data groups like SOURCE and the portgroup is used for TCP/UDP ports.

I have used object-groups with Vlan ACL (VACL), if you are going to use object-group keep monitoring the CPU in order to verify if it is increased.

Please rate the comment if it is useful

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Go to solution
Tausif Gaddi
Level 1
Level 1

‎03-20-2017 08:47 PM

Object group feature is not supported on 3560 and 3750 switches. Please refer
https://supportforums.cisco.com/discussion/11119341/object-group-c3560-c3750-switches

Go to solution
Marc Abaya
Level 1
Level 1
In response to Tausif Gaddi

‎03-21-2017 11:20 AM

Thanks for confirming. This is also what I thought.

Any similar commands I can use on switches? My objective is trying to prevent so many lines on my ACL and make it easier to read.

0 Helpful
Customers Also Viewed These Support Documents