Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
197
Views
3
Helpful
3
Replies

Query on ACL in 9606 Platform

Go to solution
Madhu
Level 1
Level 1

‎07-21-2025 01:06 AM

I have reviewed the ACL on the Cisco 9606 platform, and it looks a bit different compared to other platforms.
I have a question: the service object group(LYNCAUDIOSHARING_PORTS) is placed first in the ACL statement — does it refer to the source or the destination? Please clarify and share any Cisco documentation regarding this.

I have gone through a few documents, but none clearly state whether the service object group relates to the source or destination.

10 permit object-group LYNCAUDIOSHARING_PORTS 10.143.102.0 0.0.0.255 object-group LYNCAUDIOSHARING_Servers_new 

 

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Enes Simnica
Level 4
Level 4

‎07-21-2025 01:10 AM - edited ‎07-21-2025 01:12 AM

@Madhu  hello. On Cisco platforms like the 9606, when you see an ACL line like:

10 permit object-group LYNCAUDIOSHARING_PORTS 10.143.102.0 0.0.0.255 object-group LYNCAUDIOSHARING_Servers_new

the service object group (LYNCAUDIOSHARING_PORTSLYNCAUDIOSHARING_PORTS) refers to destination ports, not the source. This is standard behavior in Cisco ACLs, the format is always action > protocol/service > source > destination. So even though it comes first in the line, it's specifying the port(s) that the destination must match.

This can be confusing at first glance, especially since the syntax looks a bit different from standard ACLs, but the position of the service object group (right after permit) always indicates it's tied to the destination port. If u're unsure, Cisco's documentation on ACLs with object groups covers this, though not always explicitly. Here's a good starting point:
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html 

Hope this helps G

 

-Enes

more Cisco?!
more Gym?!

View solution in original post

3 Replies 3

Go to solution
Enes Simnica
Level 4
Level 4

‎07-21-2025 01:10 AM - edited ‎07-21-2025 01:12 AM

@Madhu  hello. On Cisco platforms like the 9606, when you see an ACL line like:

10 permit object-group LYNCAUDIOSHARING_PORTS 10.143.102.0 0.0.0.255 object-group LYNCAUDIOSHARING_Servers_new

the service object group (LYNCAUDIOSHARING_PORTSLYNCAUDIOSHARING_PORTS) refers to destination ports, not the source. This is standard behavior in Cisco ACLs, the format is always action > protocol/service > source > destination. So even though it comes first in the line, it's specifying the port(s) that the destination must match.

This can be confusing at first glance, especially since the syntax looks a bit different from standard ACLs, but the position of the service object group (right after permit) always indicates it's tied to the destination port. If u're unsure, Cisco's documentation on ACLs with object groups covers this, though not always explicitly. Here's a good starting point:
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html 

Hope this helps G

 

-Enes

more Cisco?!
more Gym?!

Go to solution
MHM Cisco World
VIP
VIP

‎07-21-2025 01:24 AM - edited ‎07-21-2025 01:25 AM

The object group for L4 port apply only for destiantion 

Also your ACL is wrong you need to add service object group immediately after ""permit/deny"" 

In such as 

Permit/deny <service object> <IP or object group source> <IP or onject group destiantion>

MHM

0 Helpful
Customers Also Viewed These Support Documents