08-15-2016 12:46 AM - edited 03-08-2019 06:59 AM
Dear all,
On the Cisco 3850 switch, is it possible to configure an object-group and apply it to an access-list?
I tried to add object-groups and apply them to an access-list, but my access-list does not work.
Thanks.
08-15-2016 12:57 AM
08-15-2016 01:31 AM
Dear Mark,
Noted with thanks.
Thanks.
08-15-2016 02:05 AM
Hi,
Object groups are supported in IOS-XE ASRs, but I don't see anywhere that they're supported in 3850s.
On the 3850 I saw that it supports the command, but when we apply it to an access-list it does not work.
Where did you see this? I can't find the syntax at all on 3850s, and I am on the latest IOS-XE versions 3.6.2 and 3.7.
Why is the object-group command available to use?
That may be why the bug notice was released; it's not supposed to be supported in 3850s, as per that bug anyway.
From the docs:
In Cisco IOS XE Release 3.12S, only expanded object-group ACLs are supported with firewalls.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-16/sec-data-zbf-xe-16-book/sec-zbf-ogacl.html#reference_407867C7240F4559A022AB5100B7375C
08-15-2016 02:30 AM
Dear Mark,
I'm using a 3850-x.
Below are the commands that I added on the 3850-x; I applied them to an access-list but it does not work.
object-group network Server-Group
10.10.10.0 255.255.255.0
!
object-group network Inside-group
192.168.0.0 255.255.252.0
192.168.1.0 255.255.0.0
!
Below is the version that I'm using:
Image : cat3k_caa-universalk9
HW: WS-C3850-24S
08-15-2016 02:34 AM
OK, so you have it in the CLI, but would that not explain the bug I posted earlier that was only released last week? It's showing as something that should not be supported.
That's most likely why it's not working...
08-15-2016 03:51 AM
It means it is not working when we apply it to the access-list: the hit count does not show when we show the access-list, and when we deny, my client can still access as well.
But if we use it without object-group, it is working.
I would like to make sure: does the Cisco 3850 work with object groups or not?
Thanks.
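An added example, not part of any post in this thread: since the poster reports that the ACL works when written without object groups, this sketch expands object-group references into plain address/wildcard ACEs. The ACL name `CLIENT-TO-SERVER` and its `deny` entry are assumptions, because the thread does not show the ACL that was applied; the group definitions are the ones quoted above.

```python
import ipaddress
import re

# Constructed input: the two object groups quoted in the thread plus a
# hypothetical ACL (name and entry are assumptions; the thread shows no ACL).
SAMPLE = """\
object-group network Server-Group
 10.10.10.0 255.255.255.0
!
object-group network Inside-group
 192.168.0.0 255.255.252.0
 192.168.1.0 255.255.0.0
!
ip access-list extended CLIENT-TO-SERVER
 deny ip object-group Inside-group object-group Server-Group
"""

ACE = re.compile(r"(permit|deny) (\S+) object-group (\S+) object-group (\S+)$")

def expand(config):
    """Return (lines, warnings) with object-group ACEs rewritten as plain ACEs."""
    groups, current, out, warnings = {}, None, [], []
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"object-group network (\S+)$", line)
        ace = ACE.match(line)
        if header:
            current = groups.setdefault(header.group(1), [])
        elif current is not None and re.match(r"(host )?\d", line):
            parts = line.split()
            addr, mask = (parts[1], "32") if parts[0] == "host" else parts[:2]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if str(net.network_address) != addr:
                # The mask covers more than the address suggests.
                warnings.append(f"{line}: host bits set, matches {net}")
            current.append(net)
        elif ace:
            current = None
            action, proto, src, dst = ace.groups()
            for s in groups[src]:      # KeyError here means an undefined group
                for d in groups[dst]:  # one ACE per source/destination pair
                    out.append(f" {action} {proto} {s.network_address} {s.hostmask}"
                               f" {d.network_address} {d.hostmask}")
        else:
            current = None             # "!", ACL header, or any other line
            out.append(raw)
    return out, warnings

if __name__ == "__main__":
    lines, notes = expand(SAMPLE)
    print("\n".join(lines))
    print("\n".join("warning: " + n for n in notes))
```

The warning on the second `Inside-group` member shows that `192.168.1.0 255.255.0.0` covers all of 192.168.0.0/16, which is worth checking against the intended scope before the expanded entries are applied.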
08-15-2016 03:59 AM
I would call it in to TAC. The docs don't specify exactly that it is supported, and the bug notice says it should not be supported in 3850s, which to me would suggest that even if it shows in the CLI it won't work, even if you're able to configure it. It wouldn't be the first time you can configure something in the switch or router but it's actually not supported on that platform.
Other option: see if it's in the software navigator as supported.
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
08-15-2016 01:58 AM
Dear Mark,
Could I ask you, do we need to upgrade to the latest IOS to support object groups?
On the 3850 I saw that it supports the command, but when we apply it to an access-list it does not work.
Why is the object-group command available to use?
Thanks.
05-17-2019 07:40 AM