IOS XE 16.12.1 (Gibraltar) object-group permit shown as deny in log (WS-C3850-24XS)
I have an ACL like this used in a WS-C3850-24XS:
object-group network mynet
 ! member not shown in the post; inferred from the substitute ACE below (10.1.0.0 0.0.255.255)
 10.1.0.0 255.255.0.0
object-group service authservices
 tcp eq 1234
 tcp eq 2345
!
ip access-list extended restrict-net
 permit tcp any any established
 permit icmp any any
 permit object-group authservices object-group mynet any log-input
 deny ip any any log-input
!
interface Vlan123
 ip access-group restrict-net out
While testing, I noticed multiple logs (and also hit counts) telling me that it was matching the last rule ("deny ip any any log-input") for packets that should have been matched by the previous rule. However, the packets were actually delivered. So the "deny" log was false.
I replaced the use of "object-group" with the real network address like this:
permit tcp 10.1.0.0 0.0.255.255 any eq 1234 2345 log-input
And I started to see the correct permit logs (instead of deny). In both cases there is no change in what is actually permitted/denied, just in how it is written (with or without object-group). It happens with both network and service object-groups, used together or individually.
I also tested the original permit rule without log-input, and it correctly stopped both the hit counts on "deny ip any any log-input" and the logging of the wrong deny rule.
It seems that rule processing is affected when it hits a rule that combines "permit", "object-group" and "log-input".
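One way to separate "what the log says" from "what the ACL should have done" is to walk the ACL yourself, first match wins, with the object-groups expanded, and compare the result with each IPACCESSLOG line. The script below is an added example written for this thread; it is not code from the post or from Cisco. It assumes the only member of the mynet object-group is 10.1.0.0/16 (taken from the substitute ACE "permit tcp 10.1.0.0 0.0.255.255 ..." above, since the post never lists the member), and the syslog lines it checks are constructed to mirror the symptom, not copied from a switch.

```python
"""Cross-check IOS XE ACL syslog lines against a first-match walk of the ACL.

Added example for this thread, not code from the post or from Cisco.
Assumption: object-group "mynet" contains only 10.1.0.0/16 (inferred from the
poster's substitute ACE). The sample log lines at the bottom are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

NETWORK_GROUPS = {"mynet": [ipaddress.ip_network("10.1.0.0/16")]}   # assumed member
SERVICE_GROUPS = {"authservices": [("tcp", 1234), ("tcp", 2345)]}
ANY_NET = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None     # destination port; None for non-TCP/UDP
    established: bool = False       # TCP ACK or RST set


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    services: list                  # [(proto, dport)]: "ip" = any proto, None = any port
    src: list                       # list of ip_network
    dst: list
    established: bool = False       # ACE carries the "established" keyword
    log: bool = False                # ACE carries "log" or "log-input"


def mk_packet(proto, src, dst, dport=None, established=False):
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport, established)


# restrict-net from the post, object-groups expanded in place, original order kept.
RESTRICT_NET = [
    Ace("permit", [("tcp", None)], ANY_NET, ANY_NET, established=True),
    Ace("permit", [("icmp", None)], ANY_NET, ANY_NET),
    Ace("permit", list(SERVICE_GROUPS["authservices"]), NETWORK_GROUPS["mynet"], ANY_NET, log=True),
    Ace("deny", [("ip", None)], ANY_NET, ANY_NET, log=True),
]


def in_nets(addr, nets):
    return any(addr in n for n in nets)


def service_matches(ace, pkt):
    return any((proto == "ip" or proto == pkt.proto) and (dport is None or dport == pkt.dport)
               for proto, dport in ace.services)


def evaluate(acl, pkt):
    """First match wins. Returns (1-based ACE number, action); the implicit
    deny at the end of every IOS ACL is reported as (None, "deny")."""
    for n, ace in enumerate(acl, 1):
        if ace.established and not pkt.established:
            continue
        if in_nets(pkt.src, ace.src) and in_nets(pkt.dst, ace.dst) and service_matches(ace, pkt):
            return n, ace.action
    return None, "deny"


# %SEC-6-IPACCESSLOGP (tcp/udp) and IPACCESSLOGDP (icmp) lines, including the
# "(Vlan123 0011.2233.4455)" interface/MAC field that log-input adds after the source.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP): list (?P<acl>\S+) (?P<verdict>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: \([^)]*\))? -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
)


def packet_from_log(m):
    # Syslog carries no TCP flags, but a logged packet was by definition not
    # absorbed by the earlier, un-logged "permit tcp any any established" ACE,
    # so evaluating it as non-established is sound.
    dport = int(m["dport"]) if m["dport"] else None
    return mk_packet(m["proto"], m["src"], m["dst"], dport, established=False)


def audit(acl, lines):
    """Return (line, logged_verdict, expected_verdict, expected_ace) for each
    log line whose verdict contradicts the ACL walk."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        logged = "permit" if m["verdict"] == "permitted" else "deny"
        ace_no, expected = evaluate(acl, packet_from_log(m))
        if logged != expected:
            findings.append((line.strip(), logged, expected, ace_no))
    return findings


# Constructed sample: two hits on the authservices ports from inside mynet
# (logged as denied, the symptom in the post), then one to port 443 and one
# from outside mynet that the deny ACE is genuinely meant to catch.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list restrict-net denied tcp 10.1.2.3(51000) (Vlan123 0011.2233.4455) -> 192.0.2.10(1234), 1 packet
%SEC-6-IPACCESSLOGP: list restrict-net denied tcp 10.1.2.3(51001) (Vlan123 0011.2233.4455) -> 192.0.2.10(2345), 1 packet
%SEC-6-IPACCESSLOGP: list restrict-net denied tcp 10.1.2.3(51002) (Vlan123 0011.2233.4455) -> 192.0.2.10(443), 1 packet
%SEC-6-IPACCESSLOGP: list restrict-net denied tcp 10.9.0.7(51003) (Vlan123 0011.2233.4455) -> 192.0.2.10(1234), 1 packet
""".splitlines()

if __name__ == "__main__":
    for line, logged, expected, ace_no in audit(RESTRICT_NET, SAMPLE_LOG):
        print(f"logged {logged}, ACL says {expected} (ACE {ace_no}): {line}")
```

On a real box, replace SAMPLE_LOG with the output of "show logging | include IPACCESSLOG" and adjust the object-group contents to match "show object-group". A log line is flagged only when the verdict it reports differs from the first ACE the packet matches on paper; for the first two sample lines that is ACE 3, the object-group permit, which is exactly the mismatch the post describes. Because the check is on the 5-tuple and not on hit counters, it also tells you which logged denies are real (the 443 and 10.9.0.7 lines) and should not be dismissed along with the false ones.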