An object group can contain a single object (such as a single IP address, network, or subnet) or multiple objects (such as
a combination of multiple IP addresses, networks, or subnets).
A typical access control entry (ACE) allows a group of users to have access only to a specific group of servers. In an object
group-based access control list (ACL), you can create a single ACE that uses an object group name instead of creating many
ACEs, each with a different IP address. A similar object group (such as a protocol port group) can
be extended to provide access only to a set of applications for a user group. ACEs can have object groups for the source only,
destination only, none, or both.
You can use object groups to separate the ownership of the components of an ACE. For example, each department in an organization
controls its group membership, and the administrator owns the ACE itself to control which departments can contact one another.
IPv6 addresses and services (protocols) are treated as objects, which are then grouped into object groups as required.
The two types of object groups are v6-network (for addresses) and v6-service (for protocols). Object groups can be
nested if required.
Object groups can be referenced in place of the protocol, source address, or destination address when you configure an IPv6 ACE.
An ACE that contains one or more object groups is expanded into individual ACEs (one for each object) and programmed into the hardware.
IPv6 network and service object groups each have their own configuration submode in which the objects are added.
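The expansion described above means that one configured ACE can consume many hardware entries. The following Python sketch is an added example, not Cisco code or CLI syntax: it models nested network and service groups and counts the individual ACEs that a single object-group ACE expands into. All group names, addresses and ports are constructed, and the `group:` prefix marking a nested group is a convention of this example only.

```python
from itertools import product

# Constructed sample data; "group:NAME" marks a nested object group (example convention).
NETWORK_GROUPS = {
    "ENG-HOSTS": ["2001:db8:10::/64", "2001:db8:11::/64"],
    "LAB-HOSTS": ["2001:db8:20::5"],
    "ALL-USERS": ["group:ENG-HOSTS", "group:LAB-HOSTS", "2001:db8:30::/64"],
    "APP-SERVERS": ["2001:db8:a::10", "2001:db8:a::11", "2001:db8:a::12"],
}
SERVICE_GROUPS = {
    "WEB": ["tcp eq 80", "tcp eq 443"],
    "APP-SVCS": ["group:WEB", "tcp eq 8443", "icmp echo-request"],
}


def flatten(groups, name, _stack=()):
    """Resolve a group to its leaf objects, following nested groups."""
    if name in _stack:
        # A group that (indirectly) contains itself can never be expanded.
        raise ValueError("nesting loop: " + " -> ".join(_stack + (name,)))
    if name not in groups:
        raise KeyError(f"undefined object group: {name}")
    leaves = []
    for member in groups[name]:
        if member.startswith("group:"):
            leaves += flatten(groups, member[len("group:"):], _stack + (name,))
        else:
            leaves.append(member)
    return list(dict.fromkeys(leaves))  # drop duplicates, keep order


def expand_ace(action, service_group, src_group, dst_group):
    """Return the individual ACEs that one object-group ACE expands into."""
    services = flatten(SERVICE_GROUPS, service_group)
    sources = flatten(NETWORK_GROUPS, src_group)
    dests = flatten(NETWORK_GROUPS, dst_group)
    # One entry per (service, source, destination) combination.
    return [(action, svc, src, dst)
            for svc, src, dst in product(services, sources, dests)]


if __name__ == "__main__":
    aces = expand_ace("permit", "APP-SVCS", "ALL-USERS", "APP-SERVERS")
    print(f"1 configured ACE -> {len(aces)} expanded entries")
    for entry in aces[:3]:
        print("  ", entry)
```

Running the same count against a planned policy before deployment shows how quickly adding members to a widely referenced group multiplies the entries programmed into the hardware.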
You can use object groups in features that use Cisco Policy Language (CPL) class maps.
This feature supports two types of object groups for grouping ACL parameters: network object groups and service object groups.
Use these object groups to group IP addresses, protocols, protocol services (ports), and Internet Control Message Protocol
(ICMP) types.