object-group port
Syntax
Syntax to create a Layer 4 port object group and enter its context:
object-group port <OBJECT-GROUP-NAME>
no object-group port <OBJECT-GROUP-NAME>
Syntax (within the port object-group context) for creating or removing Layer 4 port entries:
[<SEQUENCE-NUMBER>] { {eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT> }
no <SEQUENCE-NUMBER>
Description
Creates a Layer 4 port object group comprising one or more port entries. Port groups are used solely as a shorthand way of specifying groups of ports in the ACEs that make up ACLs. Layer 4 port groups can be used only in the access-list ip and access-list ipv6 commands. Entering object-group port with an existing port group name enables you to modify that port group.
The no form of this command deletes the entire port group, or deletes a particular port group entry identified by its sequence number.
Command context
config
The object-group port command takes you into the named port group context (with prompt switch(config-portgroup)#), where you specify the ports.
Parameters
<OBJECT-GROUP-NAME>
Specifies the port object group name.
<SEQUENCE-NUMBER>
Specifies a sequence number for the port entry. Range: 1 to 4294967295. When omitted, a sequence number 10 larger than the current highest sequence number is auto-assigned. Default auto-assigned sequence numbers are 10, 20, 30, and so on.
{ {eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT> }
Specifies the port or port range. Port numbers are in the range of 0 to 65535.
eq <PORT> - specifies the Layer 4 port.
gt <PORT> - specifies any Layer 4 port greater than the indicated port.
lt <PORT> - specifies any Layer 4 port less than the indicated port.
range <MIN-PORT> <MAX-PORT> - specifies the Layer 4 port range (both ends inclusive).
NOTE: When ACLs using ACEs defined with port groups are applied, the same number of hardware resources are consumed as when the ports are specified directly in the ACEs rather than in a group. Keep this in mind when creating port groups that include many ports. Although hardware resource consumption is the same with or without port groups, it may not be immediately obvious that some port groups you have defined include many ports. It is recommended that you name port groups in a manner that reminds you that a group includes many ports.
Authority
Administrators or local user group members with execution rights for this command.
Examples
Creating a port group with two entries to cover port 80 plus ports 0 through 50:
switch(config)# object-group port my_port_group
switch(config-portgroup)# 10 eq 80
switch(config-portgroup)# 20 range 0 50
switch(config-portgroup)# exit
switch(config)# show object-group
Type   Name            Sequence  L4 Port(s)/IP Address
-------------------------------------------------------------------------------
Port   my_port_group   10        eq 80
                       20        range 0 50
Adding an entry for ports greater than 65525 (covers ports 65526 through 65535):
switch(config)# object-group port my_port_group
switch(config-portgroup)# 30 gt 65525
switch(config-portgroup)# exit
switch(config)# show object-group
Type   Name            Sequence  L4 Port(s)/IP Address
-------------------------------------------------------------------------------
Port   my_port_group   10        eq 80
                       20        range 0 50
                       30        gt 65525
Removing an entry (#20) from the port group:
switch(config)# object-group port my_port_group
switch(config-portgroup)# no 20
switch(config-portgroup)# exit
switch(config)# show object-group
Type   Name            Sequence  L4 Port(s)/IP Address
-------------------------------------------------------------------------------
Port   my_port_group   10        eq 80
                       30        gt 65525
Removing the port group:
switch(config)# no object-group port my_port_group
switch(config)# show object-group
No object group found.
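The NOTE above warns that a port group can quietly cover far more ports than its short entry list suggests. The following audit script is an added example, not part of this reference or of the switch software: it expands the eq/gt/lt/range entry syntax documented here (using the constructed entries from the examples above) into explicit port sets, so the true breadth of a group can be checked before it is referenced from ACEs. The 1024-port threshold in is_wide_group is an arbitrary assumption.

```python
import re
from typing import Dict, Set

MAX_PORT = 65535

# Constructed sample, as typed in the switch(config-portgroup)# context.
SAMPLE_ENTRIES = """
10 eq 80
20 range 0 50
30 gt 65525
"""

ENTRY_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?:(?P<op>eq|gt|lt)\s+(?P<port>\d+)"
    r"|range\s+(?P<lo>\d+)\s+(?P<hi>\d+))$"
)

def entry_ports(entry: str) -> Set[int]:
    """Expand one eq/gt/lt/range entry into the set of ports it matches."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised port entry: {entry!r}")
    if m.group("op"):
        port = int(m.group("port"))
        if not 0 <= port <= MAX_PORT:
            raise ValueError(f"port out of range: {port}")
        if m.group("op") == "eq":
            return {port}
        if m.group("op") == "gt":  # strictly greater than <PORT>
            return set(range(port + 1, MAX_PORT + 1))
        return set(range(0, port))  # lt: strictly less than <PORT>
    lo, hi = int(m.group("lo")), int(m.group("hi"))
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"bad range: {lo} {hi}")
    return set(range(lo, hi + 1))  # range is inclusive at both ends

def parse_group(text: str) -> Dict[int, Set[int]]:
    """Map each sequence number to the ports its entry covers."""
    return {int(ln.split()[0]): entry_ports(ln)
            for ln in text.strip().splitlines() if ln.strip()}

def covered_ports(text: str) -> Set[int]:
    """Union of all entries: what an ACE that references the group matches."""
    return set().union(*parse_group(text).values())

def is_wide_group(text: str, threshold: int = 1024) -> bool:
    """True when the group covers more ports than the (assumed) threshold."""
    return len(covered_ports(text)) > threshold
```

Running it against the sample shows that three short entries already match 62 ports; a single "gt 1023" entry matches 64512.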