Cisco – Listing Current Object-Group Local LAN Subnets on Cisco IOS 15.5


I'm configuring a Cisco 867VAE and I'm stumped how to list the current (and, I assume, dynamic) entries in the object group "local_lan_subnets".

The factory settings for the router come with an ACL called "nat-list". The first ACL entry is:

10 permit ip object-group local_lan_subnets any

I want to make sure this entry is not permitting something it shouldn't. If I take the entry away, all DHCP-connected devices lose connection to the outside interface.

I'm trying to run the following command, which I've seen on a few other posts:

sh running-config object-group id local_lan_subnets

But it's giving me this error:

Invalid input detected at '^' marker

I'm quite new to IOS and not sure if this is an ASA command – but I can't work out how to list what is in that object-group. I'm sure it shouldn't be that difficult.

Best Answer

Cisco has a paper, Object Groups for ACLs, which includes a section called "Example: Verifying Object Groups for ACLs":

Example Verifying Object Groups for ACLs

The following example shows how to display all object groups:

Router> enable
Router# show object-group
Network object group auth_proxy_acl_deny_dest
 host 209.165.200.235
Service object group auth_proxy_acl_deny_services
 tcp eq www
 tcp eq 443
Network object group auth_proxy_acl_permit_dest
 209.165.200.226 255.255.255.224
 209.165.200.227 255.255.255.224
 209.165.200.228 255.255.255.224
 209.165.200.229 255.255.255.224
 209.165.200.246 255.255.255.224
 209.165.200.230 255.255.255.224
 209.165.200.231 255.255.255.224
 209.165.200.232 255.255.255.224
 209.165.200.233 255.255.255.224
 209.165.200.234 255.255.255.224
Service object group auth_proxy_acl_permit_services
 tcp eq www
 tcp eq 443

The following example shows how to display information about specific object group-based ACLs:

Router# show ip access-list my_ogacl_policy
Extended IP access list my_ogacl_policy
10    permit object-group eng_service any any