object-group network

Description: Create a network object group, for specifying match criteria using Layer 3 parameters. An object group is a named set of IP addresses or protocol values.

Syntax: [no] object-group network group-name [acl | fw {v4 | v6}]

Parameter    Description

group-name
    Name of the network object group (1-63 characters).

acl
    Create a network object group that will be used by Access Control Lists.

    When you configure an IPv4 or IPv6 ACL, you can specify the name of an object group in place of IP address or protocol parameters. This capability can be useful in cases where the same match criteria are used in more than one ACL. If you need to modify the match criteria, you can apply the changes to all affected ACLs at the same time, by modifying the object group. You do not need to edit each individual ACL.

fw v4
    Create a network object group that will be used for IPv4 firewall configurations.

fw v6
    Create a network object group that will be used for IPv6 firewall configurations.

This command changes the CLI to the configuration level for the network object group, where the following commands are available: 

Command    Description

[no] any
    Matches on all IP addresses.

[no] host host-src-ipaddr
    Matches only on the specified host IPv4 or IPv6 address.

[no] net-src-ipaddr {filter-mask | /mask-length}
    Matches on any host in the specified IPv4 subnet.

    The filter-mask specifies the portion of the address to filter:

      Use 0 to match.

      Use 255 to ignore.

    For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255

    Alternatively, you can use mask-length to specify the portion of the address to filter. For example, you can specify “/24” instead of “0.0.0.255” to filter on a 24-bit subnet.

[no] net-src-ipv6addr/prefix-length
    Matches on any host in the specified subnet. The prefix-length specifies the portion of the address to filter.

Default: Not set

Mode: Configuration mode

Example: The following commands configure network object groups INT_CLIENTS, HTTPS_SERVERS and FTP_SERVERS:

ACOS(config)# object-group network INT_CLIENTS

ACOS(config-network-group:INT_CLIENTS)# host 10.9.9.1

ACOS(config-network-group:INT_CLIENTS)# host 10.9.9.2

ACOS(config-network-group:INT_CLIENTS)# 10.1.0.0 0.0.255.255

ACOS(config-network-group:INT_CLIENTS)# 10.2.0.0 0.0.255.255

ACOS(config-network-group:INT_CLIENTS)# exit

ACOS(config)# object-group network HTTPS_SERVERS

ACOS(config-network-group:HTTPS_SERVERS)# host 192.168.230.215

ACOS(config-network-group:HTTPS_SERVERS)# host 192.168.230.216

ACOS(config-network-group:HTTPS_SERVERS)# host 192.168.230.217

ACOS(config-network-group:HTTPS_SERVERS)# exit

ACOS(config)# object-group network FTP_SERVERS

ACOS(config-network-group:FTP_SERVERS)# host 192.168.230.5

ACOS(config-network-group:FTP_SERVERS)# host 192.168.230.216

ACOS(config-network-group:FTP_SERVERS)# exit
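
When object groups feed ACLs or firewall rules, it helps to check offline which groups a given address falls into. The following Python sketch is an added example, not part of the product documentation or any vendor tool: it applies the filter-mask rule described above (0 = match, 255 = ignore) to the entries of the three example groups. The function names are hypothetical, and the sketch assumes the ignored bits of a filter-mask form one contiguous low-order run, raising an error otherwise.

```python
import ipaddress

# Object-group entries copied from the example above (CLI prompts stripped).
GROUPS = {
    "INT_CLIENTS": ["host 10.9.9.1", "host 10.9.9.2",
                    "10.1.0.0 0.0.255.255", "10.2.0.0 0.0.255.255"],
    "HTTPS_SERVERS": ["host 192.168.230.215", "host 192.168.230.216",
                      "host 192.168.230.217"],
    "FTP_SERVERS": ["host 192.168.230.5", "host 192.168.230.216"],
}

def filter_mask_to_length(mask):
    """Convert a filter-mask (0 = match, 255 = ignore) to a mask length.
    Assumption of this sketch: ignored bits must be contiguous low-order bits."""
    wild = int(ipaddress.IPv4Address(mask))
    if wild & (wild + 1):  # true unless wild has the form 0...01...1
        raise ValueError(f"non-contiguous filter-mask: {mask}")
    return 32 - wild.bit_length()

def parse_entry(entry):
    """Return the ip_network covered by one object-group entry line."""
    words = entry.split()
    if words == ["any"]:
        # Simplification: 'any' is modelled here as all IPv4 addresses.
        return ipaddress.ip_network("0.0.0.0/0")
    if words[0] == "host":
        return ipaddress.ip_network(words[1])  # single host: /32 or /128
    if len(words) == 2 and words[1].startswith("/"):
        return ipaddress.ip_network(words[0] + words[1], strict=False)
    if len(words) == 2:
        length = filter_mask_to_length(words[1])
        return ipaddress.ip_network(f"{words[0]}/{length}", strict=False)
    return ipaddress.ip_network(words[0], strict=False)  # addr/prefix-length

def groups_matching(addr, groups=GROUPS):
    """Sorted names of all groups that have an entry matching addr."""
    ip = ipaddress.ip_address(addr)
    return sorted(name for name, entries in groups.items()
                  if any(ip.version == net.version and ip in net
                         for net in map(parse_entry, entries)))

if __name__ == "__main__":
    for probe in ("10.2.44.7", "192.168.230.216", "10.3.0.1"):
        print(probe, groups_matching(probe))
```

Run against the example configuration, the check shows that 192.168.230.216 is a member of both HTTPS_SERVERS and FTP_SERVERS, so any rule that references either group applies to that host.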
