Restrictions for Object Groups for ACLs
- You can use object groups only in extended named and numbered ACLs. On the Cisco Catalyst 9600 Series Supervisor 2 Module, object groups are supported only in extended ACLs.
- Object group-based ACLs support only IPv4 or IPv6 addresses. On the Cisco Catalyst 9600 Series Supervisor 2 Module, object group-based ACLs support both IPv4 and IPv6 addresses.
- Object group-based ACLs support only Layer 3 interfaces (such as routed interfaces and VLAN interfaces), port-channel interfaces, and subinterfaces. Layer 2 interfaces are not supported on the Cisco Catalyst 9600 Series Supervisor 2 Module.
- Object group-based ACLs are not supported with IPsec.
- ACL statements that use object groups are ignored on packets that are sent to the RP for processing. This does not apply to the Cisco Catalyst 9600 Series Supervisor 2 Module.
- The number of object group-based ACEs supported in an ACL varies by platform and is subject to TCAM availability.
- On the Cisco Catalyst 9600 Series Supervisor 2 Module, object group-based ACLs are supported only in the ingress direction on a port. The egress direction is not supported.
- IPv6 object group-based ACLs with the log option are not supported on the C9600X-SUP-2. IPv4 object group-based ACLs with the log option are supported.
- IPv4 object group-based ACLs for multicast packet control are not supported on the Cisco Catalyst 9600 Series Supervisor 2 Module.
- IPv6 object group-based ACLs for control packets are not supported on the Cisco Catalyst 9600 Series Supervisor 2 Module.
- On the Cisco Catalyst 9600 Series Supervisor 2 Module, you cannot configure conventional ACEs and ACEs that refer to object groups in the same ACL.
- On the Cisco Catalyst 9600 Series Supervisor 2 Module, per-ACE statistics are supported only for deny ACEs. Per-ACE statistics for permit ACEs are not supported. If the same ACL is applied to multiple ports, the deny counters are cumulative across all the ports on which the ACL is attached.
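The following configuration fragment is an added example and is not taken from this guide. It shows an extended named ACL built entirely from object-group ACEs, so that it stays within the Supervisor 2 restrictions listed above: no conventional ACEs are mixed into the ACL, the ACL is applied in the ingress direction on a Layer 3 (VLAN) interface, the log option is used only on an IPv4 deny ACE, and the only ACE whose counters can be relied on is the explicit deny. All object-group names, addresses, and the interface number are constructed for illustration.

```cisco
! Constructed example: object groups for the client subnet, the servers, and the allowed services
object-group network CORP-CLIENTS
 10.10.10.0 255.255.255.0
object-group network WEB-SERVERS
 host 10.10.20.11
 host 10.10.20.12
object-group service WEB-PORTS
 tcp eq www
 tcp eq 443

! Extended named ACL: every ACE refers to object groups, none is a conventional ACE.
! The final deny is explicit (IPv4 with log is supported) so its per-ACE counter is available;
! a permit ACE has no per-ACE statistics on Supervisor 2. Traffic that matches neither ACE
! falls through to the implicit deny at the end of the ACL.
ip access-list extended OG-WEB-IN
 permit object-group WEB-PORTS object-group CORP-CLIENTS object-group WEB-SERVERS
 deny ip object-group CORP-CLIENTS object-group WEB-SERVERS log

! Apply on a Layer 3 VLAN interface in the ingress direction only.
interface Vlan10
 ip access-group OG-WEB-IN in
```

Because the deny counter is cumulative when the same ACL is attached to several ports, attach a separate copy of the ACL per interface if you need to attribute denied traffic to a specific port when reviewing `show ip access-lists` output.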