Using an object group in a reflexive ACL

Josh Mil
Level 1

I'm trying to configure some access rules on a 3560CX switch.

This works without using an object group:

ip access-list extended test1
  permit tcp any any 80 reflect reflexive_acl

This works without using a reflexive ACL:

object-group service www_ports
  tcp 80
  tcp 443

ip access-list extended test2
  permit object-group www_ports any any

But this is not accepted in the console window:

object-group service www_ports
  tcp 80
  tcp 443

ip access-list extended test3
  permit object-group www_ports any any reflect reflexive_acl

After the destination address, there is no option for the reflect keyword:

SWITCH(config-ext-nacl)# permit object-group www_ports any any ?
  log        Log matches against this entry
  log-input  Log matches against this entry, including input interface
  <cr>

I'm wondering whether this is not supported. Thank you.

1 Accepted Solution

Jens Albrecht
Spotlight

Hello @Josh Mil,

you need to distinguish between service object-groups and network object-groups.

It is possible to use network object-groups in reflexive ACLs but you cannot use service object-groups.

BTW, the same limitation applies to IPv6 as well.
Network object-groups can be used on IPv6 reflexive ACLs but service object-groups cannot.

HTH!


14 Replies

Thank you.

If service object group is not supported in reflexive ACLs, is there another way to simplify the code and reduce maintenance work if a group of ports (services) needs to be referenced in multiple reflexive ACLs?

The only way that comes to mind is the use of scripting with Jinja2 templates to create your reflexive ACLs.

Depending on the number of ACLs and devices this could significantly speed up deployment and maintenance.

HTH!
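The reply above suggests templating as the workaround. As an added example (not from the thread, and not the poster's own scripts), the script below renders the per-port entries that a service object-group would otherwise have held, so one shared port list can feed several reflexive ACLs. The reply mentions Jinja2; this example uses the standard library's string.Template so it runs without extra packages. The group names, port lists, ACL names and the 300-second timeout are assumptions for illustration.

```python
"""Render per-port reflexive ACL entries from a shared service list.

Added example, not from the original thread. IOS accepts network object-groups
with `reflect` but not service object-groups, so the shared port list is
expanded into explicit entries at generation time. Group names, ports, ACL
names and timeout are illustrative assumptions.
"""
from string import Template

# Constructed service "groups": the data a service object-group would hold.
SERVICE_GROUPS = {
    "www_ports": [("tcp", 80), ("tcp", 443)],
    "dns_ports": [("udp", 53), ("tcp", 53)],
}

# One line per protocol/port pair; `reflect` is accepted here because the
# entry names the protocol and port directly instead of a service object-group.
ENTRY = Template(" permit $proto any any eq $port reflect $reflex timeout $timeout")


def render_reflexive_acl(acl_name, reflex_name, group_names, timeout=300,
                         groups=SERVICE_GROUPS):
    """Return IOS config lines for an outbound ACL that reflects every
    protocol/port pair in the named service groups, one entry per pair."""
    lines = [f"ip access-list extended {acl_name}"]
    seen = set()
    for group in group_names:
        for proto, port in groups[group]:
            if (proto, port) in seen:   # same pair in two groups yields one entry
                continue
            seen.add((proto, port))
            lines.append(ENTRY.substitute(proto=proto, port=port,
                                          reflex=reflex_name, timeout=timeout))
    lines.append(" deny ip any any log")
    return lines


def render_inbound_acl(acl_name, reflex_name):
    """Return the matching inbound ACL that evaluates the reflexive entries."""
    return [f"ip access-list extended {acl_name}",
            f" evaluate {reflex_name}",
            " deny ip any any log"]


if __name__ == "__main__":
    # Two ACLs (one per VLAN interface, say) reuse the same port lists.
    for vlan in ("FINANCE", "MARKETING"):
        print("\n".join(render_reflexive_acl(f"OUT_{vlan}", f"REFLEX_{vlan}",
                                             ["www_ports", "dns_ports"])))
        print("\n".join(render_inbound_acl(f"IN_{vlan}", f"REFLEX_{vlan}")))
        print("!")
```

Changing a port list in SERVICE_GROUPS and regenerating updates every ACL that references that group, which is the maintenance benefit the object-group would have given; the generated text is then pushed to the switch by whatever deployment tooling is already in use.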

object-group service MY-TCP-PORTS tcp
port-object eq 80
port-object eq 443

!!

ip access-list extended OUTBOUND-FILTER
remark Permit outbound traffic to specific TCP ports
evaluate TCP-REFLEX

permit tcp any any object-group MY-TCP-PORTS reflect TCP-REFLEX timeout 300
deny ip any any log

Try the above.

MHM

I tried this initially, but after "any any" there is no option to specify object-group.

Excuse me, why do you need a service object-group if you have only two TCP ports?

Use reflexive without a service object-group.

And why even use reflexive? Use the established keyword, which is lighter than reflexive.

MHM

Thank you. But the established keyword has some limitations:

1. It works on TCP traffic only. I also need to filter UDP and ICMP.

2. It checks the ACK or RST bit, but doesn't really verify that the packet belongs to an established session. An attacker can send a fake packet with the ACK bit set, pretending to be the other party of the session.
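The two limitations listed above can be seen side by side in a small model. This is an added example, not code from the thread or from IOS: it models `established` as a stateless flag check and a reflexive ACL as a mirrored 5-tuple table with an expiry, then feeds both a constructed legitimate reply, a forged ACK from a host that never saw a session, and a UDP reply. Addresses, ports and the 300-second timeout are assumptions; real IOS does not use these data structures.

```python
"""Compare the `established` keyword with a reflexive ACL on constructed packets.

Added example, not from the thread. `established` matches any TCP segment with
ACK or RST set and keeps no state; a reflexive ACL permits return traffic only
when the outbound packet was seen first, and the entry expires. Addresses,
ports and timeout are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}, {"ACK"}


def established_permits(pkt):
    """Stateless check behind `permit tcp any any established`:
    any TCP segment with ACK or RST set is allowed in. Non-TCP never matches."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


class ReflexiveAcl:
    """Stateful model: an outbound packet creates a mirrored entry with an
    expiry; an inbound packet is permitted only if it matches a live entry."""

    def __init__(self, timeout=300):
        self.timeout = timeout
        self.entries = {}   # (proto, src, sport, dst, dport) -> expiry time

    def outbound(self, pkt, now):
        # Store the swapped 5-tuple so the *return* packet matches directly.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout

    def inbound_permits(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None or now > expiry:
            self.entries.pop(key, None)   # drop an expired entry
            return False
        return True


def compare(now=1000):
    """Run the scenarios and return which filter permits which packet."""
    inside, web, dns, attacker = "10.1.1.10", "203.0.113.5", "198.51.100.53", "198.51.100.9"
    reflex = ReflexiveAcl(timeout=300)

    # Inside host opens a TCP session to the web server and sends a DNS query.
    reflex.outbound(Packet("tcp", inside, 40000, web, 443, frozenset({"SYN"})), now)
    reflex.outbound(Packet("udp", inside, 5353, dns, 53), now)

    legit_reply = Packet("tcp", web, 443, inside, 40000, frozenset({"SYN", "ACK"}))
    dns_reply = Packet("udp", dns, 53, inside, 5353)
    # Forged segment: ACK set, but no session was ever opened to this host.
    forged_ack = Packet("tcp", attacker, 443, inside, 40000, frozenset({"ACK"}))

    return {
        "legit_established": established_permits(legit_reply),      # True
        "legit_reflexive": reflex.inbound_permits(legit_reply, now + 1),   # True
        "forged_established": established_permits(forged_ack),      # True: point 2
        "forged_reflexive": reflex.inbound_permits(forged_ack, now + 1),   # False
        "udp_established": established_permits(dns_reply),          # False: point 1
        "udp_reflexive": reflex.inbound_permits(dns_reply, now + 1),       # True
        "expired_reflexive": reflex.inbound_permits(legit_reply, now + 301),  # False
    }


if __name__ == "__main__":
    for name, permitted in compare().items():
        print(f"{name:20s} {'permit' if permitted else 'deny'}")
```

The forged ACK is permitted by the flag check and denied by the state table, and the UDP reply is handled only by the state table, which is exactly the pair of limitations the post lists. The model also shows the reflexive entry lapsing after its timeout, which is why the `timeout` value matters for long-idle sessions.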

Point 1: Yes.

Point 2: This is a switch, not a firewall, so we have limited policy options to protect it from attack.

Even if a hacker sends a TCP packet with the ACK bit set, the switch rejects it, since it doesn't have any idea about this TCP session.

MHM

Thank you.

Regarding point 2, I have always had the impression that inter-VLAN routing within a switch is faster than using a firewall. Hence the reason for introducing layer 3 switches into networking. However, if we have to bear with such limitations, then what's the point of using a layer 3 switch?

Can we postpone this discussion to later tonight? I have something to do.
Thanks.

MHM 

Thank you. Apart from this scenario, there are also occasions where we need to allow conditional access between VLANs, as opposed to completely isolating them. For example, hosts in the finance department VLAN need to access a NAS in the marketing department VLAN, but we don't want the NAS to initiate sessions to the finance department VLAN. Do we have to route through a router? What's a realistic scenario for using layer 3 switches? If it's just isolating VLANs, why don't we just use layer 2 switches?

"What's a realistic scenario for using layer 3 switches? If it's just isolating VLANs, why don't we just use layer 2 switches?" <<- Can you elaborate more?

MHM