Configuring Access Lists or ACL in Cisco Switch using object-group with Examples

An access list (ACL) is a set of rules for filtering network traffic that can be applied on a router or a switch. In a large network an ACL can easily run to hundreds of lines, which is a pain to manage, and it gets worse when users keep requesting changes (add this host, remove that port). Object-groups are the answer for that: each address or port is defined once in a group, and the ACL entries reference the group.

Object-groups can be referenced from extended ACLs (on NX-OS, where the examples below come from, all IP ACLs are named), and the resulting ACL is applied on L3 interfaces such as SVIs (VLAN interfaces).

The examples below show each ACL both as configured and in its expanded form. Adding or removing an IP or a port is then a one-line change to the group instead of editing ACL entries one by one as with a conventional ACL.

Example#1: (configured on a Cisco Nexus running NX-OS 8)
Objective:

Source            Destination   Ports
192.168.10.0/24   All           All
192.168.20.0/24   All           All
192.168.30.0/24   All           All

Steps:
1. Create the object group for the IPs

NEXUS-SW#conf
NEXUS-SW(config)#object-group ip address allowed_ips
10 192.168.10.0/24
20 192.168.20.0/24
30 192.168.30.0/24

2. Create the rule. Matching on ip covers all IP traffic (TCP, UDP, ICMP and everything else); the last line is an explicit deny. NX-OS already appends an implicit deny ip any any to every ACL, but an explicit one is what you can see and count: add statistics per-entry under the ACL to get a hit counter per line.

NEXUS-SW(config)#ip access-list ACL-OFFICE
10 permit ip addrgroup allowed_ips any
20 deny ip any any

3. Verify the rule with the expanded option, which shows each object-group member as a separate entry under the same sequence number:

NEXUS-SW# show access-lists ACL-OFFICE

IP access list ACL-OFFICE
10 permit ip addrgroup allowed_ips any
20 deny ip any any
NEXUS-SW# show access-lists ACL-OFFICE expanded

IP access list ACL-OFFICE
10 permit ip 192.168.10.0/24 any
10 permit ip 192.168.20.0/24 any
10 permit ip 192.168.30.0/24 any
20 deny ip any any

4. Apply the ACL on the VLAN interface. Direction is from the switch's point of view: in filters packets arriving from hosts on that VLAN as they are routed, out filters packets the switch routes toward hosts on that VLAN. Applied out as below, ACL-OFFICE controls which sources may reach VLAN 888; if the permitted subnets live on VLAN 888 and the goal is to filter what they send to other VLANs, apply it in instead.

NEXUS-SW(config)#interface Vlan888
description OFFICE_LAN
no shutdown
ip access-group ACL-OFFICE out

Example#2:
Objective:

Source            Destination   Ports/Services
192.168.10.0/24   All           SNMP, ICMP, SSH, HTTP, HTTPS
192.168.20.0/24   All           SNMP, ICMP, SSH, HTTP, HTTPS
192.168.30.0/24   All           SNMP, ICMP, SSH, HTTP, HTTPS

Steps:
1. Create the object group for the IPs

NEXUS-SW#conf
NEXUS-SW(config)#object-group ip address allowed_ips
10 192.168.10.0/24
20 192.168.20.0/24
30 192.168.30.0/24

2. Create the object group for the ports/services

NEXUS-SW(config)#object-group ip port allowed_ports
10 eq 22
20 eq 80
30 eq 443

3. Create the rules. For each service the allowed sources are permitted first and everyone else is denied right after; the final permit ip any any leaves all other traffic open, so this ACL restricts only the five listed services and anything else (RDP, a database port, and so on) still passes from any source.

NEXUS-SW(config)#ip access-list ACL-DEV
10 remark ACL for Developers
20 permit udp addrgroup allowed_ips any eq snmp
30 deny udp any any eq snmp
40 permit icmp addrgroup allowed_ips any
50 deny icmp any any
60 permit tcp addrgroup allowed_ips any portgroup allowed_ports
70 deny tcp any any portgroup allowed_ports
80 permit ip any any

4. Verify the rule with the expanded option:

NEXUS-SW# show access-lists ACL-DEV expanded

IP access list ACL-DEV
10 remark ACL for Developers
20 permit udp 192.168.10.0/24 any eq snmp
20 permit udp 192.168.20.0/24 any eq snmp
20 permit udp 192.168.30.0/24 any eq snmp
30 deny udp any any eq snmp
40 permit icmp 192.168.10.0/24 any
40 permit icmp 192.168.20.0/24 any
40 permit icmp 192.168.30.0/24 any
50 deny icmp any any
60 permit tcp 192.168.10.0/24 any eq 22
60 permit tcp 192.168.10.0/24 any eq www
60 permit tcp 192.168.10.0/24 any eq 443
60 permit tcp 192.168.20.0/24 any eq 22
60 permit tcp 192.168.20.0/24 any eq www
60 permit tcp 192.168.20.0/24 any eq 443
60 permit tcp 192.168.30.0/24 any eq 22
60 permit tcp 192.168.30.0/24 any eq www
60 permit tcp 192.168.30.0/24 any eq 443
70 deny tcp any any eq 22
70 deny tcp any any eq www
70 deny tcp any any eq 443
80 permit ip any any

5. Apply the ACL on the VLAN interface (the same in/out consideration as in Example#1 applies):

NEXUS-SW(config)#interface Vlan999
description ACL for DEVs
no shutdown
ip access-group ACL-DEV out
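As an added example (not code from the original post, and not a Cisco tool), here is a small Python script that does offline what the expanded keyword does on the switch, and then evaluates a packet against the flat list first-match, the way the switch does. Its input is a constructed copy of the two examples above as plain config text; it assumes IPv4, the eq port operator only, and a service-name table that covers just the names used on this page (ports are printed numerically, so 80 rather than www). It answers "would this host get SSH?" before a change is pushed, and makes it visible that ACL-DEV only restricts the five listed services while ACL-OFFICE falls through to its deny.

```python
import ipaddress
import itertools
import re

# Constructed sample config (assumption: a copy of the page's two examples, nothing else).
CONFIG = """
object-group ip address allowed_ips
  10 192.168.10.0/24
  20 192.168.20.0/24
  30 192.168.30.0/24
object-group ip port allowed_ports
  10 eq 22
  20 eq 80
  30 eq 443
ip access-list ACL-OFFICE
  10 permit ip addrgroup allowed_ips any
  20 deny ip any any
ip access-list ACL-DEV
  10 remark ACL for Developers
  20 permit udp addrgroup allowed_ips any eq snmp
  30 deny udp any any eq snmp
  40 permit icmp addrgroup allowed_ips any
  50 deny icmp any any
  60 permit tcp addrgroup allowed_ips any portgroup allowed_ports
  70 deny tcp any any portgroup allowed_ports
  80 permit ip any any
"""

PORT_NAMES = {"snmp": 161, "ssh": 22, "www": 80, "https": 443}  # service names NX-OS accepts after eq
BLOCK_RE = re.compile(r"^(object-group ip address|object-group ip port|ip access-list) (\S+)$")


def parse_config(text):
    """Return (addr_groups, port_groups, acls), each mapping a name to [(seq, tokens)]."""
    tables = {k: {} for k in ("object-group ip address", "object-group ip port", "ip access-list")}
    current = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = BLOCK_RE.match(line)
        if m:
            current = tables[m.group(1)].setdefault(m.group(2), [])
            continue
        if current is None:
            raise ValueError("entry outside any block: " + line)
        seq, *tokens = line.split()
        current.append((int(seq), tokens))
    return tuple(tables.values())


def expand_acl(name, addr_groups, port_groups, acls):
    """Flatten one ACL like 'show access-lists NAME expanded': one ACE per group member,
    sequence number kept, the earlier group reference being the outer loop."""
    flat = []
    for seq, tokens in acls[name]:
        if tokens[0] == "remark":
            flat.append((seq, " ".join(tokens)))
            continue
        slots, i = [], 0
        while i < len(tokens):
            group = {"addrgroup": addr_groups, "portgroup": port_groups}.get(tokens[i])
            if group is None:
                slots.append([[tokens[i]]])
                i += 1
            else:
                slots.append([member for _, member in group[tokens[i + 1]]])
                i += 2
        for combo in itertools.product(*slots):
            flat.append((seq, " ".join(t for piece in combo for t in piece)))
    return flat


def _addr(t, i):
    """'any' | 'host X' | 'X/len' at t[i]; returns (network, or None for any, next index)."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(t[i], strict=False), i + 1


def _port(t, i):
    """Optional 'eq <number|name>' at t[i]; returns (port, or None for any, next index)."""
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]), i + 2
    return None, i


def lookup(flat, src, dst, proto, dport=None):
    """First match wins; (None, 'deny') is the implicit deny NX-OS appends to every ACL."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, ace in flat:
        t = ace.split()
        if t[0] == "remark":
            continue
        s_net, i = _addr(t, 2)
        _, i = _port(t, i)  # source-port qualifier: parsed so the dst fields line up, not matched
        d_net, i = _addr(t, i)
        d_port, _ = _port(t, i)
        if (t[1] in ("ip", proto) and (s_net is None or src_ip in s_net)
                and (d_net is None or dst_ip in d_net) and (d_port is None or d_port == dport)):
            return seq, t[0]
    return None, "deny"
```

From a REPL, parse_config(CONFIG) gives the three tables, expand_acl("ACL-DEV", *tables) returns the 22 flat entries in the same order the switch prints them, and lookup(flat, "192.168.40.5", "10.0.0.1", "tcp", 8080) returns (80, "permit"): a source outside allowed_ips is blocked on 22/80/443 but reaches any other TCP port, which is exactly what the trailing permit ip any any means.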

3 Comments

  1. Matthew said:

    So I seem to be having a hard time with this. For fun, on my Nexus I set up VLANs and services to mimic what your examples show, and I cannot for the life of me get this working. I assume the rule is applied to the network you want to GIVE access to, or the network you want to ALLOW access on?
    I want my 192.168.2.0 [vlan2] to access any and all on 192.168.3.0 [vlan3]. Do I apply this to vlan 2 “out” towards vlan 3 (or do I want “in”)?

    • It depends on what you want to achieve; you can have something like this:
      ip access-list ACL-VLAN2
      10 permit ip 192.168.2.0/24 any
      20 deny ip any any

      ip access-list ACL-VLAN3
      10 permit ip 192.168.3.0/24 any
      20 deny ip any any

      interface Vlan2
      ip access-group ACL-VLAN3 out

      interface Vlan3
      ip access-group ACL-VLAN2 out
