Hello,
I have an ACL like this in use on a WS-C3850-24XS:
object-group network mynet
 10.1.0.0 255.255.0.0
object-group service authservices
 tcp eq 1234
 tcp eq 2345
ip access-list extended restrict-net
 permit tcp any any established
 permit icmp any any
 <more permits...>
 permit object-group authservices object-group mynet any log-input
 deny ip any any log-input
int vlan 123
 ip access-group restrict-net out
While testing, I noticed multiple logs (and also hit counts) telling me that it was matching the last rule ("deny ip any any log-input") for packets that should have been matched by the previous rule. However, the packets were actually delivered. So, the "deny" log was false.
I replaced the use of "object-group" with the real network address and ports, like this:
permit tcp 10.1.0.0 0.0.255.255 any eq 1234 2345 log-input
And I started to see the correct permit logs (instead of deny). In both cases, there is no change in what is actually permitted/denied, just in how it is written (with or without object-group). It happens with both network and service object-groups, used together or individually.
I also tested the original permit rule without log-input, and it correctly stopped both the hit counts on "deny ip any any log-input" and the logging of a wrong deny rule.
It seems that rule processing goes wrong when it hits a rule that combines "permit", "object-group" and "log-input".
Has anyone seen something similar?
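The check the poster did by hand (deciding whether a logged deny is consistent with the ACL as written, and confirming that the object-group form and the literal form of the ACL reach the same verdict) can be automated. The following is an added example, not code from the post or from Cisco: it models the ACL above in Python with first-match semantics, expands the two object groups, and replays deny log lines against it. The %SEC-6-IPACCESSLOGP line layout in the regex is an assumption about the TCP/UDP log-input format (source(port) (interface mac) -> destination(port), N packets), and the sample log lines are constructed, not taken from a device. Logged entries do not carry TCP flags, so replayed packets are treated as not established.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Object groups mirroring the post's config (constructed for this example).
NETWORK_GROUPS = {"mynet": (ipaddress.ip_network("10.1.0.0/16"),)}
SERVICE_GROUPS = {"authservices": (("tcp", 1234), ("tcp", 2345))}
ANY_NET = (ipaddress.ip_network("0.0.0.0/0"),)


@dataclass(frozen=True)
class Ace:
    """One access-control entry; services is a tuple of (proto, dport-or-None)."""
    action: str
    services: tuple
    srcs: tuple
    dsts: tuple
    established: bool = False


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None
    established: bool = False  # ACK/RST set; ACL logs carry no flags, so False


def pkt(proto, src, dst, dport=None, established=False):
    """Build a Packet from string addresses."""
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport, established)


def svc(proto, *ports):
    """Literal service spec: svc('tcp', 1234, 2345) models 'tcp ... eq 1234 2345'."""
    return tuple((proto, p) for p in ports) if ports else ((proto, None),)


# Form 1: the post's ACL written with object-groups.
RESTRICT_NET_OBJGRP = (
    Ace("permit", svc("tcp"), ANY_NET, ANY_NET, established=True),
    Ace("permit", svc("icmp"), ANY_NET, ANY_NET),
    Ace("permit", SERVICE_GROUPS["authservices"], NETWORK_GROUPS["mynet"], ANY_NET),
    Ace("deny", svc("ip"), ANY_NET, ANY_NET),
)
# Form 2: the same ACL with the object-groups written out literally.
RESTRICT_NET_LITERAL = (
    Ace("permit", svc("tcp"), ANY_NET, ANY_NET, established=True),
    Ace("permit", svc("icmp"), ANY_NET, ANY_NET),
    Ace("permit", svc("tcp", 1234, 2345), (ipaddress.ip_network("10.1.0.0/16"),), ANY_NET),
    Ace("deny", svc("ip"), ANY_NET, ANY_NET),
)


def ace_matches(ace, p):
    if ace.established and not p.established:
        return False
    if not any(p.src in n for n in ace.srcs) or not any(p.dst in n for n in ace.dsts):
        return False
    for proto, port in ace.services:
        if proto != "ip" and proto != p.proto:
            continue
        if port is not None and port != p.dport:
            continue
        return True
    return False


def evaluate(acl, p):
    """First-match semantics; returns (ace index or None, action). Implicit deny at the end."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, p):
            return idx, ace.action
    return None, "deny"


# Assumed %SEC-6-IPACCESSLOGP layout for TCP/UDP with log-input; adjust if your platform differs.
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<logged>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)(?: \(\S+ \S+\))? -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), \d+ packets?"
)


def check_logs(lines, acl):
    """Return (line, logged action, action the ACL should take, ace index) for every
    log line whose logged verdict disagrees with the ACL as written."""
    suspicious = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # other formats (e.g. ICMP entries) are not handled here
        idx, expected = evaluate(acl, pkt(m["proto"], m["src"], m["dst"], int(m["dport"])))
        logged = "permit" if m["logged"] == "permitted" else "deny"
        if logged != expected:
            suspicious.append((line, logged, expected, idx))
    return suspicious


def same_verdicts(acl_a, acl_b, packets):
    """True when both ACL forms reach the same action for every packet."""
    return all(evaluate(acl_a, p)[1] == evaluate(acl_b, p)[1] for p in packets)


# Constructed sample log lines, not taken from a real device.
SAMPLE_LOGS = [
    "%SEC-6-IPACCESSLOGP: list restrict-net denied tcp 10.1.5.7(40001) (Vlan10 0011.2233.4455) -> 10.9.9.9(1234), 1 packet",
    "%SEC-6-IPACCESSLOGP: list restrict-net denied tcp 10.1.5.7(40002) (Vlan10 0011.2233.4455) -> 10.9.9.9(22), 1 packet",
    "%SEC-6-IPACCESSLOGP: list restrict-net denied tcp 192.168.7.7(40003) (Vlan10 0011.2233.4455) -> 10.9.9.9(2345), 3 packets",
]

if __name__ == "__main__":
    for line, logged, expected, idx in check_logs(SAMPLE_LOGS, RESTRICT_NET_OBJGRP):
        print(f"logged {logged}, ACL says {expected} (ace #{idx}): {line}")
```

Running it flags only the first sample line (source inside mynet to port 1234, which the third ACE should permit) and leaves the other two alone, since a deny is the correct verdict for port 22 and for a source outside 10.1.0.0/16. Feeding the same lines to the literal form of the ACL gives the same result, which is the point the post makes: the two spellings of the ACL are equivalent, so a deny log that the evaluator rejects is a logging discrepancy, not a policy difference.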