About address and port object groups

Object groups are useful for defining groups of IP addresses and Layer 4 ports for use exclusively in the two ACL-defining commands access-list ip and access-list ipv6.

Often, the same groups of addresses and ports or port ranges are used repeatedly in many ACL definitions. Without address and port object groups, the same addresses and ports must be repeated in every ACL entry that uses them, and a change (for example, a new server joining a cluster) must be made in each ACL separately.

With address and port object groups, the IP addresses and ports can be defined once, using any of these commands:
  • object-group ip address

  • object-group ipv6 address

  • object-group port

Once an object group is defined, the group is available for inclusion by name as the <ADDRESS-GROUP> and <PORT-GROUP> parameters in the access-list ip and access-list ipv6 ACL-definition commands.

Object groups simplify the ACL definition process and help ensure consistent address and port specification across many ACLs.

NOTE:

Keep in mind that object groups can consume many hardware resource entries, because each ACE that references object groups is expanded in hardware into one entry per combination of source address, source L4 port, destination address, and destination L4 port. For example, an ACE with 3 source addresses, 3 source L4 ports, 3 destination addresses, and 3 destination L4 ports consumes a total of 81 hardware entries (3 * 3 * 3 * 3 = 81). Size object groups with this multiplication in mind, especially on ACLs applied to many interfaces.
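The following configuration is an added example, not taken from this page or from the product documentation it summarizes. It shows the three object-group commands listed above and an access-list ip entry that references the groups by name, sized so the hardware-entry multiplication in the note can be counted by hand. The group and ACL names, the addresses, and the interface are made up; the addrgroup and portgroup keywords, the eq and range port forms, and the apply access-list line are assumed from AOS-CX ACL syntax and are not spelled out on this page, so verify them against your software version. Lines starting with "!" are annotations, not commands.

```text
! Define the address groups once (assumed entry syntax: <SEQ> <IP-ADDR>[/<PREFIX>])
object-group ip address WEB_SERVERS
    10 10.1.10.5
    20 10.1.10.6
    30 10.1.10.7

object-group ip address ADMIN_HOSTS
    10 10.9.0.0/24

! Define the port group once (assumed entry syntax: <SEQ> {eq|range} <PORT> ...)
object-group port MGMT_PORTS
    10 eq 22
    20 range 443 444

! Reference the groups by name in the ACL instead of repeating the values.
! Hardware cost of ACE 10 = 1 source address * 1 (no source port)
!                           * 3 destination addresses * 2 destination port entries = 6 entries.
! Adding a fourth server to WEB_SERVERS raises that to 8 without touching the ACL.
access-list ip MGMT_IN
    10 permit tcp addrgroup ADMIN_HOSTS addrgroup WEB_SERVERS portgroup MGMT_PORTS
    20 deny any any any

! Apply the ACL to an interface (assumed syntax)
interface 1/1/1
    apply access-list ip MGMT_IN in
```

Because ADMIN_HOSTS is written as a single prefix rather than a list of hosts, it contributes a factor of 1 to the product; the same policy written with 24 individual admin addresses would cost 24 * 3 * 2 = 144 entries for the one ACE. The ACL is listed here with an explicit final deny so that the intended behaviour does not depend on the implicit deny.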