can ACL do this

QFX527518
Level 1

Like a firewall policy, on the router or the switch, the user can first define the application service, and then, when defining the ACL, use the defined service. Like this:

define app-service1 tcp=1812,1813 udp=1813,1646

ip access extend test
 permit ip host t1 host t2 service app-service1
 permit ip host t3 service app-service1 host t4

Accepted Solution

cameron.moody
Level 1

Hi,

It sure can, with object-groups:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_object_group_acl.html

e.g.

object-group service myservices
 tcp 1812
 udp 1813
 udp 1646
object-group network myservers
 host 1.1.1.1
 host 2.2.2.2
 network 10.10.10.0 255.255.255.0

Hope this helps

Please rate if helpful


3 Replies


Yes, it can. However, I am running into issues with the router crashing as soon as I configure IPsec. In the link you provided, it does say "IPsec is not supported". I am just not sure if things will work if I only use IPsec on ACLs that have nothing to do with VPNs, and only use old-style ACLs (without object groups) on ACLs that have anything to do with VPNs. Still trying ...

Thanks. Our company's devices run an IOS that does not support object-group ACLs; we can only wait for new devices and a new IOS.
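An added example, not posted by anyone in this thread, covering the two follow-ups above: it renders one object-group based ACE (the compact form the accepted answer shows) and expands it into the equivalent classic extended ACEs for a device or feature that cannot use object groups. The group `mgmt`, the address 192.0.2.10 and the exact port list are constructed for the example.

```python
# Expand an IOS object-group ACE into the classic extended ACEs it stands for,
# for platforms or features (e.g. the IPsec caveat above) without object-group
# ACL support. Group names, addresses and ports below are constructed.
from itertools import product

# "object-group service" entries as (protocol, destination port)
SERVICE_GROUPS = {
    "myservices": [("tcp", 1812), ("tcp", 1813), ("udp", 1813), ("udp", 1646)],
}
# "object-group network" entries, written as they appear in the IOS config
NETWORK_GROUPS = {
    "myservers": ["host 1.1.1.1", "host 2.2.2.2",
                  "network 10.10.10.0 255.255.255.0"],
    "mgmt": ["host 192.0.2.10"],  # constructed source group
}


def classic_address(entry: str) -> str:
    """Render one network-group entry the way a classic extended ACE wants it."""
    kind, *rest = entry.split()
    if kind == "host":
        return f"host {rest[0]}"
    if kind == "network":
        # classic ACEs take a wildcard (inverse) mask, not a subnet mask
        wildcard = ".".join(str(255 - int(o)) for o in rest[1].split("."))
        return f"{rest[0]} {wildcard}"
    raise ValueError(f"unsupported network-group entry: {entry!r}")


def object_group_ace(action: str, svc: str, src: str, dst: str) -> str:
    """The compact form that needs object-group ACL support on the device."""
    return f"{action} object-group {svc} object-group {src} object-group {dst}"


def expand_ace(action: str, svc: str, src: str, dst: str) -> list[str]:
    """Equivalent classic ACEs: one line per (service, source, destination)."""
    lines = []
    for (proto, port), s, d in product(SERVICE_GROUPS[svc],
                                       NETWORK_GROUPS[src], NETWORK_GROUPS[dst]):
        lines.append(f"{action} {proto} {classic_address(s)} "
                     f"{classic_address(d)} eq {port}")
    return lines


if __name__ == "__main__":
    print(object_group_ace("permit", "myservices", "mgmt", "myservers"))
    for ace in expand_ace("permit", "myservices", "mgmt", "myservers"):
        print(" ", ace)
```

The expansion grows as the product of the three group sizes, which is exactly the line count object groups save you on platforms that support them.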
