Object Groups for ACLs

Last Updated: January 18, 2012

The Object Groups for ACLs feature lets you classify users, devices, or protocols into groups and apply
those groups to access control lists (ACLs) to create access control policies for those groups. This feature
lets you use object groups instead of individual IP addresses, protocols, and ports, which are used in
conventional ACLs. This feature allows multiple access control entries (ACEs), but now you can use each
ACE to allow an entire group of users to access a group of servers or services or to deny them from doing
so.
In large networks, the number of ACLs can be large (hundreds of lines) and difficult to configure and
manage, especially if the ACLs frequently change. Object group-based ACLs are smaller, more readable,
and easier to configure and manage than conventional ACLs, simplifying static and dynamic ACL
deployments for large user access environments on Cisco IOS routers.
Cisco IOS Firewall benefits from object groups, because they simplify policy creation (for example, group
A has access to group A services).
Finding Feature Information, page 1
Restrictions for Object Groups for ACLs, page 2
Information About Object Groups for ACLs, page 2
How to Configure Object Group-Based ACLs, page 3
Configuration Examples for Object Groups for ACLs, page 14
Additional References, page 16
Feature Information for Object Groups for ACLs, page 17

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Americas Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
 Object Groups
Restrictions for Object Groups for ACLs

Restrictions for Object Groups for ACLs

You can use object groups only in extended named and numbered ACLs.
Object group-based ACLs support only IPv4 addresses.
Object group-based ACLs support only Layer 3 interfaces (such as routed interfaces and VLAN
interfaces). Object group-based ACLs do not support Layer 2 features such as VLAN ACLs (VACLs)
or port ACLs (PACLs).
Object group-based ACLs are not supported with IPsec.
The highest number of object group-based ACEs supported in an ACL is 2048.

Information About Object Groups for ACLs

You can configure conventional ACEs and ACEs that refer to object groups in the same ACL.
You can use object group-based ACLs with quality of service (QoS) match criteria, Cisco IOS Firewall,
Dynamic Host Configuration Protocol (DHCP), and any other features that use extended ACLs. In addition,
you can use object group-based ACLs with multicast traffic.
When there are many inbound and outbound packets, using object group-based ACLs increases
performance when compared to conventional ACLs. Also, in large configurations, this feature reduces the
storage needed in NVRAM, because using object groups in ACEs means that you do not need to define an
individual ACE for every address and protocol pairing.
Object Groups, page 2
ACLs Based on Object Groups, page 3

Object Groups
An object group can contain a single object (such as a single IP address, network, or subnet) or multiple
objects (such as a combination of multiple IP addresses, networks, or subnets).
A typical ACE could allow a group of users to have access only to a specific group of servers. In an object
group-based ACL, you can create a single ACE that uses an object group name instead of creating many
ACEs (which would require each one to have a different IP address). A similar object group (such as a
protocol port group) can be extended to provide access only to a set of applications for a user group to a
server group. ACEs can have object groups for the source only, destination only, none, or both.
You can use object groups to separate the ownership of the components of an ACE. For example, each
department in an organization could control its group membership, and the administrator could own the
ACE itself to control which departments can contact one another.
You can use object groups as members (children) of other object groups. For example, you can create an
ENG-ALL address group that contains the ENG-EAST and ENG-WEST address groups. You can use an
unlimited number of levels of nested (child) object groups (however, a maximum of two levels is
recommended).
You can use object groups in features that use Cisco Policy Language (CPL) class maps.
This feature supports two types of object groups for grouping ACL parameters: network object groups and
service object groups. These object groups can be used to group IP addresses, protocols, protocol services
(ports), and Internet Control Message Protocol (ICMP) types.
Objects Allowed in Network Object Groups, page 3

2
 ACLs Based on Object Groups
Objects Allowed in Network Object Groups

Objects Allowed in Service Object Groups, page 3

Objects Allowed in Network Object Groups

A network object group is a group of any of the following objects:
Any IP address--includes a range from 0.0.0.0 to 255.255.255.255 (This is specified using the any
command.)
Host IP addresses
Hostnames
Other network object groups
Ranges of IP addresses
Subnets

Objects Allowed in Service Object Groups

A service object group is a group of any of the following objects:
Source and destination protocol ports (such as Telnet or Simple Network Management Protocol
(SNMP))
ICMP types (such as echo, echo-reply, or host-unreachable)
Top-level protocols (such as TCP, User Datagram Protocol (UDP), or Encapsulating Security Payload
(ESP))
Other service object groups

ACLs Based on Object Groups

All features that use or reference conventional ACLs are compatible with object group-based ACLs, and
feature interactions for conventional ACLs are the same with object group-based ACLs. This feature
extends the conventional ACL syntax to support object group-based ACLs and also adds new keywords
along with the source and destination addresses and ports.
You can apply object group-based ACLs to interfaces that are configured in a VPN routing and forwarding
(VRF) instance or features that are used within a VRF context.
You can add to, delete from, or change objects in an object group membership list dynamically (meaning
without deleting and redefining the object group). Also, you can add to, delete from, or change objects in
an object group membership list without redefining the ACL ACE that is using the object group (meaning
changing the object group without deleting the ACE and then redefining the ACE after the change). You
can add objects to groups, delete them from groups, and then ensure that the changes are properly
functioning within the object group-based ACL without reapplying the ACL to the interface.
You can configure an object group-based ACL multiple times with a source group only, a destination group
only, or source and destination groups.
You cannot delete an object group that is being used within an ACL or a CPL policy.

How to Configure Object Group-Based ACLs

To configure the Object Groups for ACLs feature, you first create one or more object groups. These can be
any combination of network object groups (containing objects such as host addresses and network

3
 Creating a Network Object Group
How to Configure Object Group-Based ACLs

addresses) or service object groups (which use operators such as lt, eq, gt, neq, and rangewith port
numbers). Then, you create ACEs that apply a policy (such as permit or deny) to those object groups.
Creating a Network Object Group, page 4
Creating a Service Object Group, page 6
Creating an Object Group-Based ACL, page 9
Applying an Object Group-Based ACL to an Interface, page 12
Verifying Object Groups for ACLs, page 13

Creating a Network Object Group

A network object group containing a single object (such as a single IP address, a hostname, another
network object group, or a subnet) or multiple objects (such as a combination of multiple IP addresses,
hostnames, a range of IP addresses, other object network groups, or subnets), can be used with an ACL in a
network object group-based ACL, to create access control policies for the objects.
Perform this task to create a network object group.

SUMMARY STEPS

1. enable
2. configure terminal
3. object-group network object-group-name
4. description description-text
5. host {host-address | host-name}
6. network-address {/ nn | network-mask}
7. range host-address1 host-address2
8. any
9. group-object nested-object-group-name
10. Repeat some combination of Steps Creating a Network Object Group, page 4 through Creating a
Network Object Group, page 4 until you have specified the objects on which you want to base your
object group.
11. end

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
Enter your password if prompted.
Example:

Router> enable

4
 Creating a Network Object Group
How to Configure Object Group-Based ACLs

Command or Action Purpose

Step 2 configure terminal Enters global configuration mode.

Example:

Router# configure terminal

Step 3 object-group network object-group-name Defines the object group name and enters network object-group
configuration mode.

Example:

Router(config)# object-group network

my_network_object_group

Step 4 description description-text (Optional) Specifies a description of the object group.

You can use up to 200 characters.
Example:

Router(config-network-group)# description
test engineers

Step 5 host {host-address | host-name} (Optional) Specifies the IP address or name of a host.
If you specify a host address, you must use an IPv4 address.
Example:

Router(config-network-group)# host
209.165.200.237

Step 6 network-address {/ nn | network-mask} (Optional) Specifies a subnet object.

You must specify an IPv4 address for the network address.
The default network mask is 255.255.255.255.
Example:

Router(config-network-group)#
209.165.200.241 255.255.255.224

Step 7 range host-address1 host-address2 (Optional) Specifies a range of host IP addresses.

If you specify a range of 000.000.000.000 to 255.255.255.255,
the effect is the same as the use of the any command.
Example:
If you specify the same IP address for the host-address1 and
Router(config-network-group)# range host-address2 arguments, the effect is the same as the use of
209.165.200.242 209.165.200.243
the host command--the identical IP address specified becomes
the single host IP address for the object group.

5
 Creating a Service Object Group
How to Configure Object Group-Based ACLs

Command or Action Purpose

Step 8 any (Optional) Specifies any host IP address in the range 0.0.0.0 to
255.255.255.255.

Example:

Router(config-network-group)# any

Step 9 group-object nested-object-group-name (Optional) Specifies a nested (child) object group to be included in
the current (parent) object group.
The type of child object group must match that of the parent
Example:
(for example, if you are creating a network object group, you
Router(config-network-group)# group-object must specify another network object group as the child).
my_nested_object_group You can use duplicated objects in an object group only via
nesting of group objects. For example, if object 1 is in both
group A and group B, you can define a group C that includes
both A and B. However, you cannot include a group object
that causes the group hierarchy to become circular (for
example, you cannot include group A in group B and then also
include group B in group A).
You can use an unlimited number of levels of nested object
groups (however, a maximum of two levels is recommended).

Step 10 Repeat some combination of Steps Creating a --

Network Object Group, page 4 through Creating a
Network Object Group, page 4 until you have
specified the objects on which you want to base
your object group.
Step 11 end Returns to privileged EXEC mode.

Example:

Router(config-network-group)# end

Creating a Service Object Group

You can use a service object group to specify specific TCP and/or UDP ports or ranges of them. When the
service object group is associated with an ACL, this service object group-based ACL can be used to control
access to the ports.

6
 Creating a Service Object Group
How to Configure Object Group-Based ACLs

SUMMARY STEPS

1. enable
2. configure terminal
3. object-group service object-group-name
4. description description-text
5. protocol
6. tcp | udp | tcp-udp [source {{[eq] | lt | gt} port1 | range port1 port2}] [{[eq] | lt | gt} port1 | range
port1 port2]
7. icmp icmp-type
8. group-object nested-object-group-name
9. Repeat some combination of Steps Creating a Service Object Group, page 6 through Creating a Service
Object Group, page 6 until you have specified the objects on which you want to base your object
group.
10. end

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
Enter your password if prompted.
Example:

Router> enable

Step 2 configure terminal Enters global configuration mode.

Example:

Router# configure terminal

Step 3 object-group service object-group-name Defines the object group name and enters service object-
group configuration mode.

Example:

Router(config)# object-group service

my_service_object_group

Step 4 description description-text (Optional) Specifies a description of the object group.

You can use up to 200 characters.
Example:

Router(config-service-group)# description test

engineers

7
 Creating a Service Object Group
How to Configure Object Group-Based ACLs

Command or Action Purpose

Step 5 protocol (Optional) Specifies an IP protocol number or name.

Example:

Router(config-service-group)# ahp

Step 6 tcp | udp | tcp-udp [source {{[eq] | lt | gt} port1 | range (Optional) Specifies TCP, UDP, or both.
port1 port2}] [{[eq] | lt | gt} port1 | range port1 port2]

Example:

Router(config-service-group)# tcp-udp range 2000

2005

Step 7 icmp icmp-type (Optional) Specifies the decimal number or name of an

ICMP type.

Example:

Router(config-service-group)# icmp conversion-error

Step 8 group-object nested-object-group-name (Optional) Specifies a nested (child) object group to be

included in the current (parent) object group.
The type of child object group must match that of
Example:
the parent (for example, if you are creating a
Router(config-service-group)# group-object network object group, you must specify another
my_nested_object_group network object group as the child).
You can use duplicated objects in an object group
only via nesting of group objects. For example, if
object 1 is in both group A and group B, you can
define a group C that includes both A and B.
However, you cannot include a group object that
causes the group hierarchy to become circular (for
example, you cannot include group A in group B
and then also include group B in group A).
You can use an unlimited number of levels of nested
object groups (however, a maximum of two levels is
recommended).

Step 9 Repeat some combination of Steps Creating a Service Object --

Group, page 6 through Creating a Service Object Group,
page 6 until you have specified the objects on which you want
to base your object group.

8
 Creating an Object Group-Based ACL
How to Configure Object Group-Based ACLs

Command or Action Purpose

Step 10 end Returns to privileged EXEC mode.

Example:

Router(config-service-group)# end

Creating an Object Group-Based ACL

When creating an object group-based ACL, you configure an ACL that references one or more object
groups. As with conventional ACLs, you can associate the same access policy with one or more interfaces.
You can define multiple ACEs that reference object groups within the same object group-based ACL. Also,
you can reuse a specific object group in multiple ACEs.
Perform this task to create an object group-based ACL.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip access-list extended access-list-name
4. remark remark
5. deny protocol source [source-wildcard] destination [destination-wildcard] [option option-name]
[precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name]
[fragments]
6. remark remark
7. permit protocol source [source-wildcard] destination [destination-wildcard] [option option-name]
[precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name]
[fragments]
8. Repeat some combination of Steps 4 through 7 until you have specified the fields and values on which
you want to base your access list.
9. end

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
Enter your password if prompted.
Example:

Router> enable

9
 Creating an Object Group-Based ACL
How to Configure Object Group-Based ACLs

Command or Action Purpose

Step 2 configure terminal Enters global configuration mode.

Example:

Router# configure terminal

Step 3 ip access-list extended access-list-name Defines an extended IP access list using a name and enters extended
access-list configuration mode.

Example:

Router(config)# ip access-list
extended nomarketing

Step 4 remark remark (Optional) Adds a user-friendly comment about an access list entry.
A remark can precede or follow an access list entry.
Example: In this example, the remark reminds the network administrator that
the subsequent entry denies the Marketing network access to the
Router(config-ext-nacl)# remark interface.
protect server by denying access from
the Marketing network

10
 Creating an Object Group-Based ACL
How to Configure Object Group-Based ACLs

Command or Action Purpose

Step 5 deny protocol source [source-wildcard] (Optional) Denies any packet that matches all of the conditions specified
destination [destination-wildcard] [option in the statement.
option-name] [precedence precedence] [tos
Optionally use the object-group service-object-group-namekeyword
tos] [established] [log | log-input] [time-
and argument as a substitute for the protocol.
range time-range-name] [fragments]
Optionally use the object-group source-network-object-group-
namekeyword and argument as a substitute for the source source-
Example: wildcard.
Optionally use the object-group destination-network-object-group-
Router(config-ext-nacl)# deny ip namekeyword and argument as a substitute for the destination
209.165.200.244 255.255.255.224 host
209.165.200.245 log destination-wildcard.
If the source-wildcard or destination-wildcardisomitted, a wildcard
mask of 0.0.0.0 is assumed, which matches all bits of the source or
destination address, respectively.
Optionally use the any keyword as a substitute for the source
source-wildcardor destination destination-wildcardto specify the
address and wildcard of 0.0.0.0 255.255.255.255.
Optionally use the host sourcekeyword and argument to indicate a
source and source wildcard of source 0.0.0.0 or the host
destinationkeyword and argument to indicate a destination and
destination wildcard of destination 0.0.0.0.
In this example, packets from all sources are denied access to the
destination network 209.165.200.244. Logging messages about
packets permitted or denied by the access list are sent to the facility
configured by the logging facility command (for example, console,
terminal, or syslog). That is, any packet that matches the access list
will cause an informational logging message about the packet to be
sent to the configured facility. The level of messages logged to the
console is controlled by the logging console command.

Step 6 remark remark (Optional) Adds a user-friendly comment about an access list entry.
A remark can precede or follow an access list entry.
Example:

Router(config-ext-nacl)# remark allow

TCP from any source to any destination

11
 Applying an Object Group-Based ACL to an Interface
How to Configure Object Group-Based ACLs

Command or Action Purpose

Step 7 permit protocol source [source-wildcard] Permits any packet that matches all of the conditions specified in the
destination [destination-wildcard] [option statement.
option-name] [precedence precedence] [tos
Every access list needs at least one permit statement.
tos] [established] [log | log-input] [time-
range time-range-name] [fragments] Optionally use the object-group service-object-group-namekeyword
and argument as a substitute for the protocol.
Optionally use the object-group source-network-object-group-
Example: namekeyword and argument as a substitute for the source source-
wildcard.
Router(config-ext-nacl)# permit tcp Optionally use the object-group destination-network-object-group-
any any
namekeyword and argument as a substitute for the destination
destination-wildcard.
If source-wildcard or destination-wildcardisomitted, a wildcard
mask of 0.0.0.0 is assumed, which matches on all bits of the source
or destination address, respectively.
Optionally use the anykeyword as a substitute for the source source-
wildcardor destination destination-wildcardto specify the address
and wildcard of 0.0.0.0 255.255.255.255.
In this example, TCP packets are allowed from any source to any
destination.
Use the log-input keyword to include input interface, source MAC
address, or virtual circuit in the logging output.

Step 8 Repeat some combination of Steps 4 through 7 Remember that all sources not specifically permitted are denied by an
until you have specified the fields and values implicit deny statement at the end of the access list.
on which you want to base your access list.
Step 9 end Returns to privileged EXEC mode.

Example:

Router(config-ext-nacl)# end

Applying an Object Group-Based ACL to an Interface

You use the ip access-group command to apply an object group-based ACL to an interface. The command
syntax and usage are the same as for conventional ACLs. The object group-based ACL can be used to
control traffic on the interface it is applied to.
Perform this task to apply an object group-based ACL to an interface.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip access-group {access-list-name | access-list-number} {in | out}
5. end

12
 Verifying Object Groups for ACLs
How to Configure Object Group-Based ACLs

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
Enter your password if prompted.
Example:

Router> enable

Step 2 configure terminal Enters global configuration mode.

Example:

Router# configure terminal

Step 3 interface type number Specifies the interface type and number and enters
interface configuration mode.

Example:

Router(config)# interface vlan 100

Step 4 ip access-group {access-list-name | access-list-number} {in | Applies the ACL to the interface and specifies
out} whether to filter inbound or outbound packets.

Example:

Router(config-if)# ip access-group my_ogacl_policy in

Step 5 end Returns to privileged EXEC mode.

Example:

Router(config-if)# end

Verifying Object Groups for ACLs

Perform this task to verify object groups for ACLs.

SUMMARY STEPS

1. enable
2. show object-group [object-group-name]
3. show ip access-list [access-list-name]

13
 Example Creating a Network Object Group
Configuration Examples for Object Groups for ACLs

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
Enter your password if prompted.
Example:

Router> enable

Step 2 show object-group [object-group-name] Displays the configuration in the named or numbered object group
(or in all object groups if no name is entered).

Example:

Router# show object-group my_object_group

Step 3 show ip access-list [access-list-name] Displays the contents of the named or numbered access list or object
group-based ACL (or for all access lists and object group-based
ACLs if no name is entered).
Example:

Router# show ip access-list my_ogacl_policy

Configuration Examples for Object Groups for ACLs

Example Creating a Network Object Group, page 14
Example Creating a Service Object Group, page 15
Example Creating an Object Group-Based ACL, page 15
Example Applying an Object Group-Based ACL to an Interface, page 15
Example Verifying Object Groups for ACLs, page 15

Example Creating a Network Object Group

The following example shows how to create a network object group named my_network_object_group,
which contains two hosts, a range of IP addresses, and a subnet as objects:

Router> enable
Router# configure terminal
Router(config)# object-group network my_network_object_group
Router(config-network-group)# host 209.165.200.237
Router(config-network-group)# host 209.165.200.238
Router(config-network-group)# range 209.165.200.239 209.165.200.240
Router(config-network-group)# 209.165.200.241 255.255.255.224
The following example shows how to create a network object group named sjc_ftp_servers, which contains
two hosts, a subnet, and an existing object group (child) named sjc_eng_ftp_servers as objects:

Router> enable
Router# configure terminal
Router(config)#object-group network sjc_ftp_servers
Router(config-network-group)# host sjc.eng.ftp

14
 Example Creating a Service Object Group
Configuration Examples for Object Groups for ACLs

Router(config-network-group)# host 209.165.200.242

Router(config-network-group)# 209.165.200.225 255.255.255.224
Router(config-network-group)# group-object sjc_eng_ftp_servers

Example Creating a Service Object Group

The following example shows how to create a service object group named my_service_object_group,
which contains several ICMP, TCP, UDP, and TCP-UDP protocols and an existing object group (child)
named sjc_eng_svcs as objects:

Router> enable
Router# configure terminal
Router(config)# object-group service my_service_object_group
Router(config-service-group)# icmp echo
Router(config-service-group)# tcp smtp
Router(config-service-group)# tcp telnet
Router(config-service-group)# tcp source range 1 65535 telnet
Router(config-service-group)# udp domain
Router(config-service-group)# tcp-udp range 2000 2005
Router(config-service-group)# group-object sjc_eng_svcs

Example Creating an Object Group-Based ACL

The following example shows how to create an object group-based ACL that permits packets from the
users in my_network_object_group if the protocol ports match the ports specified in
my_service_object_group:

Router> enable
Router# configure terminal
Router(config)# ip access-list extended my_ogacl_policy
Router(config-ext-nacl)# permit object-group my_service_object_group object-group
my_network_object_group any
Router(config-ext-nacl)# deny tcp any any
Router(config-ext-nacl)# exit
Router(config)# exit

Example Applying an Object Group-Based ACL to an Interface

The following example shows how to apply an object group-based ACL to an interface. In this example, an
object group-based ACL named my_ogacl_policy is applied to VLAN interface 100:

Router> enable
Router# configure terminal
Router(config)# interface vlan 100
Router(config-if)# ip access-group my_ogacl_policy in
Router(config-if)# end

Example Verifying Object Groups for ACLs

The following example shows how to display all object groups:

Router> enable
Router# show object-group
Network object group auth_proxy_acl_deny_dest
host 209.165.200.235
Service object group auth_proxy_acl_deny_services
tcp eq www
tcp eq 443
Network object group auth_proxy_acl_permit_dest
209.165.200.226 255.255.255.224
209.165.200.227 255.255.255.224

15
 Example Verifying Object Groups for ACLs
Additional References

209.165.200.228 255.255.255.224
209.165.200.229 255.255.255.224
209.165.200.246 255.255.255.224
209.165.200.230 255.255.255.224
209.165.200.231 255.255.255.224
209.165.200.232 255.255.255.224
209.165.200.233 255.255.255.224
209.165.200.234 255.255.255.224
Service object group auth_proxy_acl_permit_services
tcp eq www
tcp eq 443

The following example shows how to display information about specific object group-based ACLs:

Router# show ip access-list my_ogacl_policy

Extended IP access list my_ogacl_policy
10 permit object-group eng_service any any

Additional References
Related Documents

Related Topic Document Title

General information about ACLs " IP Access List Overview"

Cisco IOS commands Cisco IOS Master Commands List, All Releases

Security commands Cisco IOS Security Command Reference

Standards

Standard Title
None --

MIBs

MIB MIBs Link

None To locate and download MIBs for selected
platforms, Cisco IOS releases, and feature sets, use
Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs

RFCs

RFC Title
No new or modified RFCs are supported by this --
feature, and support for existing RFCs has not been
modified by this feature.

16
 Example Verifying Object Groups for ACLs
Feature Information for Object Groups for ACLs

Technical Assistance

Description Link
The Cisco Support and Documentation website http://www.cisco.com/cisco/web/support/
provides online resources to download index.html
documentation, software, and tools. Use these
resources to install and configure the software and
to troubleshoot and resolve technical issues with
Cisco products and technologies. Access to most
tools on the Cisco Support and Documentation
website requires a Cisco.com user ID and
password.

Feature Information for Object Groups for ACLs

The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

17
 Example Verifying Object Groups for ACLs

Table 1 Feature Information for Object Groups for ACLs

Feature Name Releases Feature Information

Object Groups for ACLs 12.4(20)T The Object Groups for ACLs
feature lets you classify users,
devices, or protocols into groups
and apply them to access control
lists (ACLs) to create access
control policies for those groups.
This feature lets you use object
groups instead of individual IP
addresses, protocols, and ports,
which are used in conventional
ACLs. This feature allows
multiple access control entries
(ACEs), but now you can use
each ACE to allow an entire
group of users to access a group
of servers or services or to deny
them from doing so.
The following commands were
introduced or modified: deny, ip
access-group, ip access-list,
object-group network, object-
group service, permit, show ip
access-list, show object-group.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S.
and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be
actual addresses and phone numbers. Any examples, command display output, network topology diagrams,
and other figures included in the document are shown for illustrative purposes only. Any use of actual IP
addresses or phone numbers in illustrative content is unintentional and coincidental.

2011 Cisco Systems, Inc. All rights reserved.

2012 Cisco Systems, Inc. All rights reserved.

18