Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

ACL object-groups

I have a small problem with ACL object-groups, the main issue I have is when you add new groups into the access-list. Please allow me to explain what has happened in my case.

We have a managed VPN customer XYZ on our MPLS network with one of the CE routers as a gateway for VSAT branches. This CE router is connected to a VSAT Hub via the Ethernet interface and we are running static routes for all the VSAT sites. The same CE router connects to the PE router using BGP.

On the CE router we have a number of object-groups for VSAT sites to limit communication between the different branches and only allowing certain branches to be able to communicate to each other, at the same time these branches need to communicate to the MPLS main site and MPLS remote sites. On the attached configurations you'll notice that there's group named vsat_group, which covers all the VSAT branches’s subnets. This group on the ACL has been configured to deny ip any object-group vsat_group and the last line is permit ip object-group vsat_group. If I understand this correctly these two lines on the ACL including the vsat object-group is only there to facilitate communication between the vsat networks to any other network besides the networks identified on vsat object-group?

The main problem happened after we wanted to add a new object-group with two networks and using the ACL sequence number to add a new line on the ACL. This then broke all traffic to all VSATs.

What I want know is the following:

1. I need someone to assist me why did this break the network when the ACL was applied to the Ethernet in the inbound direction.

2. Since I have setup this scenario in the lab I have noticed that whenever you make changes to the ACL with object-groups you get some funny behavior with respect to object-groups. For example after I made changes to the ACL by adding a new object-group before the deny statement using the sequence number then all communication from the VSAT networks to the MPLS remote networks fails, but communication within the groups still works. If I remove the new line on the ACL the break in communication between VSAT networks and the MPLS remote networks is still maintained, although the new line has been removed, except if I reload the router that's when communication is restored. Why?

3. If I add the new line on the ACL at the bottom then everything works 100% including the new group.

4. Lastly but no least when I move the deny statement to the end of the ACL then everything works but only compromises group communication because every network can communicate to every network which is what the customer does not want.

Could someone please explain why I get these results, I'm thinking that it could be the order of operation or I might be doing something wrong especially since it's the first time I'm working with object-groups on ACL. Please help

Thanks & Kind regards