Cisco Community
English
Register
Welcome Cisco Designated VIP 2021 Class in the 10th Year Anniversary of the Program -- CHECK THE LIST
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
3337
Views
5
Helpful
4
Replies
Highlighted
Marc Abaya
Beginner
Beginner
‎03-20-2017 05:10 PM
‎03-20-2017 05:10 PM

ACL Object Groups on Catalyst switches

I'm looking for ways to make editing ACL on my 3560-x Catalyst switches a lot easier. It's about 200+ lines. I think using Object Network Groups similar to ASA firewalls will be helpful.

I found this link but I don't think it's supported on Catalyst:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html

 Any recommendations?

Labels:
2 people had this problem
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Tausif Gaddi
Beginner
Beginner
‎03-20-2017 08:47 PM
‎03-20-2017 08:47 PM

Object group feature is not supported on 3560 and 3750 switches. Please refer
https://supportforums.cisco.com/discussion/11119341/object-group-c3560-c3750-switches

View solution in original post

Reply
4 REPLIES 4
Highlighted
Julio E. Moisa
VIP Mentor VIP Mentor
VIP Mentor
‎03-20-2017 05:27 PM
‎03-20-2017 05:27 PM

Hi Marc

Yes you can use object-group in Switches and Routers like we do in ASA, to be honest not sure if all the switches support object-groups but you can try with the following config, the sintaxis is different than the firewalls. 

Please let me prepare an example.




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful
Reply
Highlighted
Julio E. Moisa
VIP Mentor VIP Mentor
VIP Mentor
In response to Julio E. Moisa
‎03-20-2017 05:42 PM
‎03-20-2017 05:42 PM

Example:

object-group ip port HTTP-PORT     <-- object group for services
eq 80

object-group ip address SOURCE
host-info 172.17.2.5  <--- For a host /32
172.17.10.0 255.255.255.0   <--- network 

ip access-list extended OUTBOUND-TRAFFIC
permit tcp addrgroup SOURCE any portgroup HTTP-PORT

The command addrgroup is used for the data groups like SOURCE and the portgroup is used for TCP/UDP ports.

I have used object-groups with Vlan ACL (VACL), if you are going to use object-group keep monitoring the CPU in order to verify if it is increased.

Please rate the comment if it is useful

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful
Reply
Highlighted
Tausif Gaddi
Beginner
Beginner
‎03-20-2017 08:47 PM
‎03-20-2017 08:47 PM

Object group feature is not supported on 3560 and 3750 switches. Please refer
https://supportforums.cisco.com/discussion/11119341/object-group-c3560-c3750-switches

View solution in original post

Reply
Highlighted
Marc Abaya
Beginner
Beginner
In response to Tausif Gaddi
‎03-21-2017 11:20 AM
‎03-21-2017 11:20 AM

Thanks for confirming. This is also what I thought.

Any similar commands I can use on switches? My objective is trying to prevent so many lines on my ACL and make it easier to read.

0 Helpful
Reply
Latest Contents
Logicalis UK creatively increases SD-WAN service deployment ...
Created by jjoyal on 01-22-2021 12:17 PM
0
0
0
0
  In the last year, we’ve seen substantial changes in how enterprises conduct business. When the pandemic hit, it exposed gaps in business continuity plans, and it showcased the need to quickly deploy and remotely manage secure connections. ngena pr... view more
Cisco IOS XE Bengaluru 17.4.1a: Enterprise Routing Release U...
Created by Lokesh Kumar Lal on 01-20-2021 08:30 AM
0
0
0
0
On 18th December 2020, Cisco announced the latest IOS XE release - Cisco IOS XE Bengaluru 17.4.1a The first one in the Cisco IOS XE Bengaluru release series, IOS XE 17.4.1a unlocks various routing features and enhancements comprehensively c... view more
Community Live FAQ - May the SD-WAN Force Be With You
Created by Cisco Moderador on 01-20-2021 07:00 AM
0
5
0
5
Exploring business options for a SD-WAN managed serviceLogicalis UK offers a rapid, cost effective deployment with ngenaAdvantages that make a differenceSummary of benefits:Looking forwardResources This event had place on Tuesday 19th, January 2021 at 10... view more
Community Live Video - May the SD-WAN Force Be With You
Created by Cisco Moderador on 01-20-2021 06:47 AM
0
0
0
0
(view in My Videos) Community Live- May the SD-WAN Force Be With You This event took place on Tuesday 19th, January 2021 at 10:00hrs PDT  In this session attendees received an introduction to Software Defined-WAN (SD-WAN)  and the importance of ... view more
*New Episode* Cisco Champion Radio: S8|E3 Cisco DNA Center M...
Created by aalesna on 01-19-2021 01:42 PM
0
0
0
0
Cisco Champion Radio · S8|E3 The Cisco DNA Center Machine Reasoning Engine   Machine Reasoning is a new category of AI/ML that you will soon hear a lot about. It saves your IT team time by automating complex and tedious networking tasks. It can also... view more
Content for Community-Ad