Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1649
Views
0
Helpful
11
Replies

Cisco 7600 object group not working

s.giunt
Level 1
Level 1

‎09-29-2018 02:43 AM - edited ‎03-08-2019 04:16 PM

Hello,

we are running IOS 15.5(3)S6 on a 7600 with RSP 720. We are seeing a strange behavior with ACL and object-groups:

 

Network object group tmp
host 1.2.3.4

 

deny icmp object-group tmp any

 

expected result: ping from any host except 1.2.3.4 should work.

actual result: ping does not work.

 

It seems that "object-group tmp" equals to "any", because it matches everything.

 

Of course if I try:

deny icmp h 1.2.3.4 any

ping works except from 1.2.3.4, as expected.

1 person had this problem
Labels:
0 Helpful
11 Replies 11

Deepak Kumar
VIP Alumni
VIP Alumni

‎09-29-2018 04:20 AM

Hi,

Please share your configuration. I remember that one day I have faced the same issue then I created two object groups. One for deny and one for forwarding. I am not sure, are you facing the same issue or not? Please share full running configuration so can understand easily.

 

Regards,

Deepak Kumar 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

s.giunt
Level 1
Level 1
In response to Deepak Kumar

‎09-29-2018 04:59 AM

Thank you for your reply.


Configuration is very simple:

 

ip access-list extended tmp
deny icmp object-group tmp any

 

object-group network tmp

host 1.2.3.4

 

interface GigabitEthernet6/2
switchport
switchport access vlan 2
switchport mode access
ip access-group tmp in

 

It seems that instead of matching only the content of the object-group, it matches everything. Really sounds like a bug.

0 Helpful

s.giunt
Level 1
Level 1
In response to s.giunt

‎09-29-2018 05:17 AM

Well, it really seems that is a bug:

 

R1#sh tcam interface GIgabitEthernet6/2 acl in ip

* Global Defaults shared


Entries from Bank 0

deny icmp any (---> this is the problem) any (8610 matches)
permit ip any any

Entries from Bank 1

permit ip any any (369620 matches)

0 Helpful

s.giunt
Level 1
Level 1
In response to s.giunt

‎09-29-2018 06:20 PM

Just tried with 15.4(3)S9: same problem.

Is there someone succesfully using object-groups in 7600 with IOS 15.4/15.5?

0 Helpful

paul driver
VIP
VIP

‎09-30-2018 03:52 AM - edited ‎09-30-2018 04:08 AM

Hello

Looks like your specifying the network object-group for that particular host your using a extended acl without negating the implicit deny.

 

ip access-list extended tmp
deny icmp object-group tmp any
permit ip any any

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

s.giunt
Level 1
Level 1
In response to paul driver

‎09-30-2018 05:45 AM

Hi Paul,

I forgot to mention, there is a perm ip any any at the end. So that is not the problem. It seems that the object group is not expanding right
0 Helpful

paul driver
VIP
VIP
In response to s.giunt

‎09-30-2018 06:44 AM

Hello

Why are you applying this to an access port and not the svi for that vlan?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

s.giunt
Level 1
Level 1
In response to paul driver

‎09-30-2018 12:22 PM

Hi,

There is no particular reason, it's just for testing the ACL. I also tried with port not belonging to any VLAN with the same result:

 

Network object group testobj
Description test
host 1.2.3.4

 

Extended IP access list tmp
10 deny ip object-group testobj any

20 permit ip any any

 

After applying the ACL inbound to the port:

 

Actual result:

R1#sh tcam interface GigabitEthernet6/1 acl in ip

* Global Defaults shared
Entries from Bank 0

deny ip any any

 

Expected result:

R1#sh tcam interface GigabitEthernet6/1 acl in ip

* Global Defaults shared
Entries from Bank 0

deny ip host 1.2.3.4 any

permit ip any any

 

Thank you

Saverio

0 Helpful

paul driver
VIP
VIP
In response to s.giunt

‎09-30-2018 01:50 PM

Hello

It needs to be applied to a routed interface not an access port, so int your case interface vlan 2


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

s.giunt
Level 1
Level 1
In response to paul driver

‎09-30-2018 02:28 PM

The same problem is happening on a L3 interface:

 

interface GigabitEthernet6/1
ip address 2.2.2.2 255.255.255.0
ip access-group tmp in

end

0 Helpful

s.giunt
Level 1
Level 1

‎10-10-2018 04:16 AM

I have tried about 6 different IOS version and different chassis. This bug is always present. I can't understand how is it possible that nobody reported this problem, object-group is a very basic feauture...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card