Object Grouping
Nested object groups

In addition to grouping individual objects, an object group can itself be made a member of another object group, forming a nested group. For object groups to be nested, they must be of the same type: two or more network object groups can be grouped together, but a protocol group and a network group cannot be combined. In the example shown in Figure , the administrator configured hosts from the 10.0.0.0/24 network to form the Inside_Eng object group and hosts from the 10.0.1.0/24 network to form the Inside_Mktg object group. For some ACLs, the administrator found it convenient to combine the Inside_Eng and Inside_Mktg object groups into the nested object group Inside_Networks and to reference Inside_Networks, rather than the two member groups, in the selected ACLs. Hierarchical object grouping gives greater flexibility and modularity when specifying access rules: a change to a member group is picked up by every ACL that references the enclosing group.

The group-object command is used to construct hierarchical, or nested, object groups. It is not to be confused with the object-group command: object-group creates (or enters) a group, while group-object, entered inside that group's configuration, places an existing object group of the same type into it as a member.

The difference between object groups and group objects is as follows:

  • An object group is a group consisting of objects.
  • A group object is a member of a nested group that is itself an object group.

Duplicate objects are allowed in an object group when the duplication results from including group objects. For example, if object 1 is in both group A and group B, a group C can be defined that includes both A and B, even though object 1 then appears in C twice. A group object that would make the group hierarchy circular is not allowed. For example, if group A includes group B, then group B cannot include group A; the PIX rejects the group-object command that would close the loop.

Complete the following steps to configure nested object groups:

Step 1 Create an object group to be nested within another object group, such as Inside_Eng.
Step 2 Add the appropriate type of objects to that object group, such as the 10.0.0.0/24 network.
Step 3 Create and name the object group within which other object groups will be nested, such as Inside_Networks.
Step 4 Add the first object group to the second object group with the group-object command.
Step 5 Add any other objects or object groups that are required to the enclosing group, such as Inside_Mktg.

Nested Object Group Examples
In Figure , the access-list named ALL enables all hosts in HOSTGROUP1 and HOSTGROUP2 to make outbound FTP connections. Without nesting, every IP address in HOSTGROUP1 and HOSTGROUP2 would have to be defined a second time in the ALLHOSTS group. With nesting, ALLHOSTS simply contains HOSTGROUP1 and HOSTGROUP2 as group objects, and the duplicate host definitions are eliminated.

Figure illustrates multiple nested object groups configured so that one ACL entry enables the remote hosts 172.26.26.50 and 172.26.26.51 to initiate FTP and SMTP connections to all local hosts in the ALLHOSTS group. Note that with object grouping configured, only one ACL entry is required; without it, the same policy would need one entry per remote host, local host and service combination.
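The following PIX 6.x configuration is an added example, not taken from the original page or its figures. It walks through the five-step nesting procedure above using the group names of the two examples (HOSTGROUP1, HOSTGROUP2, ALLHOSTS, access-list ALL, and the two remote hosts) and then shows the two ACL entries those examples describe. The member addresses of HOSTGROUP1 and HOSTGROUP2, the group names REMOTE_HOSTS and FTP_SMTP, the ACL name INBOUND, and the interface names are assumptions, since the page does not state them. Lines beginning with ! are annotations for the reader, not part of the configuration.

```text
! Steps 1 and 2: create the groups to be nested and add their members.
! Assumed membership; the page does not list the hosts in these groups.
object-group network HOSTGROUP1
  network-object 10.0.0.0 255.255.255.0
object-group network HOSTGROUP2
  network-object 10.0.1.0 255.255.255.0

! Steps 3, 4 and 5: create the enclosing group and nest the member groups.
! Note group-object (nest a group), not object-group (create a group).
object-group network ALLHOSTS
  group-object HOSTGROUP1
  group-object HOSTGROUP2

! Not allowed: this would make the hierarchy circular
! (HOSTGROUP1 -> ALLHOSTS -> HOSTGROUP1) and the PIX rejects it.
! object-group network HOSTGROUP1
!   group-object ALLHOSTS

! Groups can only nest groups of the same type, so the services for the
! second example live in a separate service object group (assumed name).
object-group service FTP_SMTP tcp
  port-object eq ftp
  port-object eq smtp

! The two remote hosts from the second example (assumed group name).
object-group network REMOTE_HOSTS
  network-object host 172.26.26.50
  network-object host 172.26.26.51

! First example: one ACE lets every host in both nested groups open
! outbound FTP connections.
access-list ALL permit tcp object-group ALLHOSTS any eq ftp
access-group ALL in interface inside

! Second example: one ACE covers both remote hosts, all local hosts and
! both services (assumed ACL name).
access-list INBOUND permit tcp object-group REMOTE_HOSTS object-group ALLHOSTS object-group FTP_SMTP
access-group INBOUND in interface outside

! Verification: show object-group displays the hierarchy as configured;
! show access-list displays the individual ACEs the PIX expanded from the
! groups, with hit counts, which is what is actually evaluated.
show object-group id ALLHOSTS
show access-list ALL
show access-list INBOUND
```

Two practitioner caveats. First, on PIX 6.x (and ASA releases before 8.3) an ACL applied to the outside interface matches the translated, global addresses, so for the inbound entry ALLHOSTS must contain the addresses the local hosts are statically mapped to, and the matching static translations must exist; the ACL alone does not admit inbound connections. Second, always check show access-list after changing a nested group: because every ACL that references ALLHOSTS is expanded from it, adding a host to HOSTGROUP1 widens both the outbound and the inbound policy at once, which is the modularity benefit and also the way an unintended host gets exposure.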


Interactive Media Activity

Demonstration Activity: 5 Step Process to Creating Nested Object Groups

In this activity, students will learn how to configure nested object groups.