Re: WS-C2960X ACL issue

Jookez · ‎12-19-2018

I have WS-C2960X-24PS-L 15.2(4)E6 C2960X-UNIVERSALK9-M on stack.

When I add in ACL object-group. Like this
object-group network test_obj
 10.10.233.0 255.255.255.0
interface Vlan2330
 description it_test
 ip address 10.10.233.254 255.255.255.0
 ip access-group test2_in in

ip access-list extended test2_in
 deny ip object-group test_obj any
show ip interface vlan 2330 | include access list
 Outgoing access list is not set
 Inbound access list is test2_in

All traffic is free. What am I doing wrong?

Seb Rupik · ‎12-19-2018

Hi there,

Switches and routers require ACL netmasks to be in wildcard format:

!
object-group network test_obj
 10.10.233.0 0.0.0.255
!

cheers,

Seb.

Jookez · ‎12-19-2018

SW01-CORE(config-network-group)#10.10.233.0 0.0.0.255
Mask 0.0.0.255 is not suported
SW01-CORE(config-network-group)#10.10.233.0 ?
/nn or A.B.C.D Network mask
This is not a ACL body. This is a object-group body.

Georg Pauwen · ‎12-19-2018

I am not sure about the wildcard mask...this is the syntax I get:

Switch(config-network-group)#192.168.1.0 ?
/nn or A.B.C.D Network mask

Either way, try the below:

object-group network test_obj
10.10.233.0 255.255.255.0
object-group network any_any
range 0.0.0.0 255.255.255.255
interface Vlan2330
description it_test
ip address 10.10.233.254 255.255.255.0
ip access-group test2_in in

!

ip access-list extended test2_in
deny object-group test_obj object-group any_any

Jookez · ‎12-19-2018

SW01-CORE(config)#object-group network any_any
SW01-CORE(config-network-group)#range 0.0.0.0 255.255.255.255
^
% Invalid input detected at '^' marker.

SW01-CORE(config-network-group)#?
Network object group configuration commands:
A.B.C.D Network address of the group members
description Network object group description
exit Exit from object group configuration mode
group-object Nested object group
host Host address of the object-group member
no Negate or set default values of a command

=(