ACL Object Groups

From CCIE Study Wiki



The Object Groups feature allows you to group IP addresses, protocols, protocol services (ports), and/or Internet Control Message Protocol (ICMP) types and apply those groups to ACLs, so that one group name stands in for many addresses or ports in an access control entry.

Theory


Object groups can be used with any feature that uses extended ACLs. They can also be used with multicast traffic.

There are two types of Object Groups:

  1. Network Object Group - A network object group is a group of any of the following: hostnames, host IP addresses, subnets, ranges of IP addresses, and other network object groups.
  2. Service Object Groups - A service object group is a group of any of the following: Source and destination protocol ports, ICMP types, Top-level protocols (such as TCP, UDP, and ESP) and other service object groups.

Commands

  • object-group network object-group-name (global) - creates a network object group
    • description description-text (object-group) - adds a description to the network object group
    • host {host-address | host-name} (object-group) - adds a specific host to the network object group
    • network-address [network-mask] (object-group) - adds a network to the network object group
    • range host-address1 host-address2 (object-group) - adds an IP range to the network object group
    • group-object nested-object-group-name (object-group) - adds another network object group to the network object group
  • object-group service object-group-name (global) - creates a service object group
    • description description-text (object-group) - adds a description to the service object group
    • protocol (object-group) - adds an IP protocol number or name
    • {tcp | udp | tcp-udp} [source {{[eq] | lt | gt} port1 | range port1 port2}] [{{[eq] | lt | gt} port1 | range port1 port2}] (object-group) - adds a port, a port range, or a port comparison for TCP, UDP, or both TCP and UDP
    • icmp icmp-type (object-group) - adds the decimal number or name of an ICMP type
    • group-object nested-object-group-name (object-group) - adds another service object group to the service object group
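The following configuration puts the commands above together end to end: two network groups, a nested network group, two service groups (one nested), an extended ACL that references them, and the show commands used to verify the result. It is an added example, not configuration from this wiki page; every group name, interface and address is constructed (addresses come from the RFC 5737 documentation ranges and RFC 1918 space).

```cisco
! --- Network object groups (all names and addresses are constructed examples) ---
object-group network WEB-SERVERS
 description Public-facing web tier
 host 192.0.2.10
 host 192.0.2.11
 198.51.100.0 255.255.255.224
 range 192.0.2.100 192.0.2.120
!
object-group network MGMT-HOSTS
 description Admin workstations allowed to manage the web tier
 host 10.10.0.5
 host 10.10.0.6
!
object-group network DMZ-ALL
 description Nested group: the web tier plus the rest of the DMZ subnet
 group-object WEB-SERVERS
 10.20.0.0 255.255.255.0
!
! --- Service object groups ---
object-group service WEB-SVC
 description HTTP, HTTPS and an alternate port range ("eq" is optional)
 tcp eq 80
 tcp eq 443
 tcp range 8080 8081
!
object-group service MGMT-SVC
 description SSH, DNS over either transport, ping, plus the web ports (nested)
 tcp eq 22
 tcp-udp eq 53
 icmp echo
 icmp echo-reply
 group-object WEB-SVC
!
! --- Apply the groups in an extended ACL ---
! When a service object group supplies the protocol, the ACE carries no
! port keywords of its own; source and destination are group names or any/host.
ip access-list extended OUTSIDE-IN
 remark Internet clients may reach only the web services on the DMZ
 permit object-group WEB-SVC any object-group DMZ-ALL
 remark Admin stations get the wider management service set
 permit object-group MGMT-SVC object-group MGMT-HOSTS object-group DMZ-ALL
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
!
! --- Verification (privileged exec) ---
! show object-group                             : contents of every group, nested entries included
! show ip access-lists OUTSIDE-IN               : the ACEs with per-entry hit counts
! show running-config | section object-group    : the groups as configured
```

Two points worth checking against this example: network object groups take a subnet mask (255.255.255.224), not the wildcard mask that a plain ACE would use, and any change to a group such as WEB-SERVERS takes effect in every ACL that references it (directly or through DMZ-ALL), so review what references a group before editing it. The hit counts from show ip access-lists are the quickest way to confirm that traffic is matching the ACE you intended rather than falling through to the logged deny.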

Default Settings

  • No object groups defined by default

Verification

  • Nothing listed yet

Troubleshooting, Tips, and Tricks

  • Nothing entered yet

Online Resources


This page was last modified on 28 August 2009, at 17:40.