About address and port object groups
Object groups are useful for defining groups of IP addresses and Layer 4 ports for use exclusively in the two ACL-defining commands
access-list ip
and
access-list ipv6
.
Often, common groups of addresses and ports or port ranges are use repeatedly in many ACL definitions. Without address and port object groups, the same addresses and ports must be repeated in each ACL definition that uses them.
object-group ip address
object-group ipv6 address
object-group port
Once an object group is defined, the group is available for inclusion by name as the
<ADDRESS-GROUP>
and
<PORT-GROUP>
parameters in the
access-list ip
and
access-list ipv6
ACL-definition commands.
Object groups simplify the ACL definition process and help ensure consistent address and port specification across many ACLs.
Keep in mind that it is possible to consume many hardware resource entries when using the object group commands. For example, with 3 source addresses, 3 source L4 ports, 3 destination address, and 3 destination L4 ports, a total of 81 hardware entries are consumed (3 * 3 * 3 * 3 = 81).