object-group port

Syntax

Syntax to create a Layer 4 port object group and enter its context:

object-group port <OBJECT-GROUP-NAME>

no object-group port <OBJECT-GROUP-NAME>

Syntax (within the port object-group context) for creating or removing Layer 4 port entries:

  [<SEQUENCE-NUMBER>] { {eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT> }

  no <SEQUENCE-NUMBER>

Description

Creates a Layer 4 port object group comprised of one or more port entries. Port groups are used solely as a shorthand way of specifying groups of ports in the ACEs that make up ACLs. Layer 4 port groups can be used only in the access-list ip and access-list ipv6 commands. Entering object-group port with an existing port group name enables you to modify that port group.

The no form of this command deletes the entire port group or deletes a particular port group entry identified by sequence number.

Command context

config

The object-group port command takes you into the named port group context (with prompt switch(config-portgroup)#) where you specify the ports.

Parameters

<OBJECT-GROUP-NAME>

Specifies the port object group name.

<SEQUENCE-NUMBER>

Specifies a sequence number for the port entry. Range: 1 to 4294967295. When omitted, a sequence number 10 larger than the current highest sequence number is auto-assigned. Default auto-assigned sequence numbers are 10, 20, 30, and so on.

{ {eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT> }

Specifies the port or port range. Port numbers are in the range of 0 to 65535.
  • eq <PORT> - specifies the Layer 4 port.

  • gt <PORT> - specifies any Layer 4 port greater than the indicated port.

  • lt <PORT> - specifies any Layer 4 port less than the indicated port.

  • range <MIN-PORT> <MAX-PORT> - specifies the Layer 4 port range.

NOTE:

When ACLs using ACEs defined with port groups are applied, the same number of hardware resources are consumed as when the ports are specified directly in the ACEs rather than in a group. Keep this in mind when creating port groups that include many ports. Because hardware resource consumption is the same with or without port groups, it may not be immediately obvious that a port group you have defined includes many ports. It is recommended that you name port groups in a manner that reminds you that a group includes many ports.

Authority

Administrators or local user group members with execution rights for this command.

Examples

Creating a port group with two entries to cover port 80 plus ports 0 through 50:

switch(config)# object-group port my_port_group
switch(config-portgroup)# 10 eq 80
switch(config-portgroup)# 20 range 0 50
switch(config-portgroup)# exit
switch(config)# show object-group
Type       Name
  Sequence L4 Port(s)/IP Address
-------------------------------------------------------------------------------
Port       my_port_group
        10 eq 80
        20 range 0 50

Adding an entry for ports greater than 65525 (covers ports 65526 through 65535):

switch(config)# object-group port my_port_group
switch(config-portgroup)# 30 gt 65525
switch(config-portgroup)# exit
switch(config)# show object-group
Type       Name
  Sequence L4 Port(s)/IP Address
-------------------------------------------------------------------------------
Port       my_port_group
        10 eq 80
        20 range 0 50
        30 gt 65525

Removing an entry (#20) from the port group:

switch(config)# object-group port my_port_group
switch(config-portgroup)# no 20
switch(config-portgroup)# exit
switch(config)# show object-group
Type       Name
  Sequence L4 Port(s)/IP Address
-------------------------------------------------------------------------------
Port       my_port_group
        10 eq 80
        30 gt 65525

Removing the port group:

switch(config)# no object-group port my_port_group
switch(config)# show object-group
No object group found.
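As an added illustration that is not part of this command reference, the following Python model of the port object-group context parses entries in the syntax above, auto-assigns omitted sequence numbers as described under Parameters, supports no <SEQUENCE-NUMBER>, and expands a group to the set of Layer 4 ports it matches, so that a group that includes many ports can be spotted before it is used in an ACE (the point of the NOTE). The class and method names are assumptions of this example, not switch APIs.

```python
import re

MAX_PORT = 65535
MAX_SEQ = 4294967295
# [<SEQUENCE-NUMBER>] { {eq|gt|lt} <PORT> | range <MIN-PORT> <MAX-PORT> }
ENTRY_RE = re.compile(r"^(?:(\d+)\s+)?(?:(eq|gt|lt)\s+(\d+)|(range)\s+(\d+)\s+(\d+))$")


class PortObjectGroup:
    """Model (hypothetical) of one 'object-group port' context: sequence -> (operator, lo, hi)."""

    def __init__(self, name):
        self.name = name
        self.entries = {}

    def add(self, line):
        """Parse one entry line; return the (possibly auto-assigned) sequence number."""
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised entry: {line!r}")
        seq, op, port, rng, rmin, rmax = m.groups()
        lo, hi = (int(port), int(port)) if op else (int(rmin), int(rmax))
        op = op or rng
        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError(f"ports must be 0-{MAX_PORT} with min <= max: {line!r}")
        # Omitted sequence number: 10 larger than the current highest (10, 20, 30, ...).
        seq = int(seq) if seq else max(self.entries, default=0) + 10
        if not 1 <= seq <= MAX_SEQ:
            raise ValueError(f"sequence number must be 1-{MAX_SEQ}: {seq}")
        self.entries[seq] = (op, lo, hi)  # re-using a sequence number replaces that entry
        return seq

    def remove(self, seq):
        """'no <SEQUENCE-NUMBER>': delete a single entry from the group."""
        del self.entries[seq]

    def ports(self):
        """All Layer 4 ports the group matches (union of its entries)."""
        covered = set()
        for op, lo, hi in self.entries.values():
            if op == "eq":
                covered.add(lo)
            elif op == "gt":
                covered.update(range(lo + 1, MAX_PORT + 1))
            elif op == "lt":
                covered.update(range(0, lo))
            else:
                covered.update(range(lo, hi + 1))
        return covered
```

Replaying the examples above (10 eq 80, 20 range 0 50, 30 gt 65525) yields 62 matched ports; len(ports()) is the figure worth checking before a large group is referenced from an ACE.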