Cisco Support Community
New Member

Access-List configuration on ASR9k

Hello all,

I have an ASR 9000 on my network and want to configure an access-list. But is there any command to refer to an ACL via object network as ASA does?

And which is the command that refers to it?

So is it possible to create objects and then refer to them in the ACL?

Regards,

mery

7 REPLIES
Cisco Employee

Access-List configuration on ASR9k

Hi Mery,

AFAIK, object-group based ACL is not supported yet.

Support for this will be added in XE 3.12 (ETA March 2014).

Thanks-
Afroz
Cisco Employee

Re: Access-List configuration on ASR9k

Actually it is supported. You will find it in the ACL config guide. Support came in IOS XR 431. Let me know if you can't find it.

Regards
Eddie.


Cisco Employee

Re: Access-List configuration on ASR9k

http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-3/addr_serv/configuration/guide/b_ipaddr_cg43xa9k/b_ipaddr_cg42a9k_chapter_01.html#task_A3E3C33145EA4333B518FDAFE9AADBB3


New Member

Re: Access-List configuration on ASR9k

Yes, I saw that, but how is the net-group network-group-west created? So if I have to add an IP to this group, how can I do that?

10 permit tcp net-group network-group-west net-group network-group-east port-group 

mery

Cisco Employee

Re: Access-List configuration on ASR9k

Hi Mery,

Here is an example.

RP/0/RSP0/CPU0:ASR9K-PE2-R1#show configuration commit changes last 1
Mon Feb 24 00:06:10.681 UTC
Building configuration...
!! IOS XR Configuration 5.1.0
object-group network ipv4 real
 host 100.1.1.1
!
ipv4 access-list real
 10 permit icmp any any
 20 permit tcp any net-group real eq www
 30 permit tcp any net-group real eq www log
 40 permit tcp any net-group real eq ftp
 50 permit tcp any net-group real eq telnet
 60 permit tcp any net-group real eq pop3
 70 permit tcp any net-group real eq smtp
 80 permit tcp any net-group real eq domain
 90 permit tcp any net-group real eq ftp-data
 100 permit tcp any net-group real established
 110 permit tcp any net-group real eq 389
 111 permit udp any net-group real eq 389
 120 permit tcp any net-group real eq 636
 121 permit udp any net-group real eq 636
 200 permit ipv4 any any
!
end

RP/0/RSP0/CPU0:ASR9K-PE2-R1#
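
An audit sketch for the configuration style shown above, added here as an example and not code from the thread or from Cisco: it expands each net-group reference into its member addresses and reports entries whose match repeats an earlier one, such as sequence 30 repeating 20, so that the `log` keyword on 30 never takes effect. The function names and the embedded sample are constructed for illustration; only `host` and prefix members are parsed (nested groups and ranges are not handled).

```python
import ipaddress
import re
# Constructed sample: the object-group and a subset of the ACL entries from the thread.
SAMPLE_CONFIG = """\
object-group network ipv4 real
 host 100.1.1.1
!
ipv4 access-list real
 10 permit icmp any any
 20 permit tcp any net-group real eq www
 30 permit tcp any net-group real eq www log
 200 permit ipv4 any any
"""

def parse_groups(config):
    """Map each 'object-group network ipv4' name to its member networks."""
    groups, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        words = line.split()
        if line.startswith("object-group network ipv4 "):
            current = groups.setdefault(words[3], [])
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the block
        elif current is not None and (words[0] == "host" or "/" in words[0]):
            # 'host A.B.C.D' or 'A.B.C.D/len': the address is the last word
            current.append(ipaddress.ip_network(words[-1], strict=False))
    return groups

def expand_acl(config, name):
    """Return [(sequence, entry)] with each net-group replaced by its members."""
    groups = parse_groups(config)
    def members(m):
        return "{%s}" % ", ".join(map(str, groups.get(m.group(1), [])))
    entries, inside = [], False
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            inside = line.strip() == "ipv4 access-list " + name
        elif inside:
            seq, body = line.split(None, 1)
            entries.append((int(seq), re.sub(r"net-group (\S+)", members, body)))
    return entries

def shadowed(entries):
    """Sequence numbers whose match repeats an earlier entry (first match wins)."""
    seen, hits = set(), []
    for seq, body in entries:
        key = re.sub(r"^(permit|deny)\s+|\s+log$", "", body)  # ignore action and log
        hits += [seq] if key in seen else []
        seen.add(key)
    return hits
```
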

New Member

Re: Access-List configuration on ASR9k

Thank you very much for your help.

I really appreciate it.

Regards,

New Member

A note for application is that Trident LC doesn't support object-groups.
