OS is Denali 16.3.6. Object-groups do not seem to work in the extended ACL that is applied to a VLAN. I created a services group and 2 network groups. The service group, named Test-Srvc, was created with just 'icmp'. The network groups, named Test-Group1-Net and Test-Group2-N, were created with host 192.168.1.240 and 192.168.10.140. I created an ACL for in and out to deny all traffic except what is in the object-group:
In-ACL
permit object-group Test-Srvc object-group Test-Group1-Net object-group Test-Group2-Net
deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
Out-ACL
permit object-group Test-Srvc object-group Test-Group2-Net object-group Test-Group1-Net
deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any 192.168.1.0 0.0.0.255
When I ping 192.168.10.140 from 192.168.1.240 with logging enabled, the In-ACL deny matches.
If I modify the ACLs' 1st line to not use object-groups, I get a match on line 1:
In-ACL line 1: permit icmp host 192.168.1.240 host 192.168.10.140
Out-ACL line 1: permit icmp host 192.168.10.140 host 192.168.1.240
Are object-groups not supported, or am I implementing them incorrectly?
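
The post writes the second network group's name as Test-Group2-N where it is created and as Test-Group2-Net where the ACLs reference it. As an added example (not part of the original post), this Python check lists ACL entries that reference an object-group that is never defined, which is one thing to rule out before concluding the feature is unsupported. The config text is constructed from the post's description; its layout is an assumption, since the post does not show the group definitions.

```python
import re

# Constructed config, assembled from the names and hosts given in the post
# (the second network group is defined as Test-Group2-N, as the post writes it).
SAMPLE_CONFIG = """\
object-group service Test-Srvc
 icmp
object-group network Test-Group1-Net
 host 192.168.1.240
object-group network Test-Group2-N
 host 192.168.10.140
ip access-list extended In-ACL
 permit object-group Test-Srvc object-group Test-Group1-Net object-group Test-Group2-Net
 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended Out-ACL
 permit object-group Test-Srvc object-group Test-Group2-Net object-group Test-Group1-Net
 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any 192.168.1.0 0.0.0.255
"""

DEFINE = re.compile(r"^object-group\s+(?:network|service)\s+(\S+)")
ACL_HEAD = re.compile(r"^ip access-list extended\s+(\S+)")
REFERENCE = re.compile(r"\bobject-group\s+(\S+)")

def audit_object_groups(config):
    """Return (defined, dangling); dangling maps ACL name -> [(ACE number, group)]."""
    defined, refs, acl, ace_no = set(), [], None, 0
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():        # top-level command ends any open ACL
            acl, ace_no = None, 0
            if m := DEFINE.match(line):
                defined.add(m.group(1))
            if m := ACL_HEAD.match(line):
                acl = m.group(1)
        elif acl:                        # indented line inside an ACL is an ACE
            ace_no += 1
            for name in REFERENCE.findall(line):
                refs.append((acl, ace_no, name))
    dangling = {}                        # resolved last, so definition order is irrelevant
    for acl, n, name in refs:
        if name not in defined:
            dangling.setdefault(acl, []).append((n, name))
    return defined, dangling

for acl_name, hits in audit_object_groups(SAMPLE_CONFIG)[1].items():
    print(acl_name, "references undefined object-group(s):", hits)
```
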