Re:

sharlino · ‎03-20-2017

Hello! I have a Catalyst 3650-24TD, running IPServices version 03.07.04E

I have a problem with router ACL containing object group: ACL is not working.

WORKING config

ip access-list extended TEST
 deny   icmp host 10.1.1.97 host 172.17.1.1 echo
 permit ip any any

interface vlan 20
 ip access-group TEST in

NOT WORKING config


object-group network SRC-HOST
 10.1.1.97 255.255.255.255


ip access-list extended TEST
 deny icmp object-group SRC-HOST host 172.17.1.1 echo
 permit ip any any


interface vlan 20
 ip access-group TEST in

Is this a bug or I missed something ? Thanks in advance!

Julio E. Moisa · ‎03-20-2017

Hi

Try to include

deny icmp object-group SRC-HOST host 172.17.1.1 echo-reply

or just

deny icmp object-group SRC-HOST host 172.17.1.1

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

sharlino · ‎03-20-2017

Thank you Julio, but none of these methods were helpful. Frankly, quite as expected, in my opinion.

hemantpatel · ‎10-31-2017

How did you created object-groups on Cisco-3650?

Georg Pauwen · ‎10-31-2017

Hello,

instead of:

object-group network SRC-HOST
10.1.1.97 255.255.255.255

try:

object-group network SRC-HOST
host 10.1.1.97

hemantpatel · ‎10-31-2017

I am running IOS 3.7.5E and I don't see an option of "object-group" in config mode. Am I missing anything?

Georg Pauwen · ‎10-31-2017

Hello,

what do you mean ? If your config is;

object-group network SRC-HOST
10.1.1.97 255.255.255.255

How did you get that object group configured ? Sorry for the confusion...

Catalyst 3650, ACL is not working