You have just been given a shiny new router to configure. As part of the configuration, you are asked to build an outbound access list that permits traffic only to specific destinations. Here are the requirements you are given for your access list:

Match (and permit) the following destinations using an access list. Your access list should use the fewest lines possible, and it should not overlap any other address space.

Anything within the address space.
Anything within the address space.
Anything within the address space.
Anything within the address space.

Be warned, it is estimated that a very high percentage of readers will NOT have the correct answer.

access-list 199 permit ip any object-group TEST

What just happened here? Can you really match all of those in a single line? The answer lies in object groups, which let you group other items under one name. The object group itself still needs to be configured, but the question only asked for a short access list.

You can enter group members using either /x prefix notation or an explicit subnet mask, as shown in the following examples:

object-group network TEST /8 /12 /16 /16

The router normalizes the syntax, and the following is what remains in your running config for the group:

object-group network TEST

You can also nest object groups.  You could configure the individual groups as follows:

object-group network A /8
object-group network B /12
object-group network C /16

object-group network RFC1918
group-object A
group-object B
group-object C

object-group network APIPA /16

object-group network TEST
group-object RFC1918
group-object APIPA
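As an added example (this is not code from the original post; the post shows IOS configuration only), a Python script that accepts members in both forms the post describes, checks the "no overlapping address space" requirement, and renders the object-group stanza and the one-line ACL. The four prefixes are a constructed sample chosen to match what the group names RFC1918 and APIPA imply; the address/mask output form follows the post's note that the router converts the syntax.

```python
import ipaddress

# Constructed sample input (not from the original post): the prefixes the group
# names RFC1918 and APIPA imply, written in both syntaxes the post says IOS accepts.
SAMPLE_MEMBERS = ["10.0.0.0/8", "172.16.0.0 255.240.0.0",
                  "192.168.0.0/16", "169.254.0.0/16"]


def parse_member(text):
    """Accept '10.0.0.0/8' or '10.0.0.0 255.0.0.0' and return an IPv4Network.
    strict=True rejects an entry with host bits set (e.g. 10.1.2.3/8), which
    would otherwise silently match a different range than the author intended."""
    parts = text.split()
    if len(parts) == 2:
        return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=True)
    return ipaddress.ip_network(parts[0], strict=True)


def find_overlaps(nets):
    """Return every pair of members where one contains the other; an empty list
    means the group satisfies the 'should not overlap' requirement."""
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def permitted(dst, nets):
    """Would 'permit ip any object-group <group>' match this destination?"""
    return any(ipaddress.ip_address(dst) in n for n in nets)


def render_group(name, nets=(), nested=()):
    """Render one object-group network stanza: members in address/mask form (the
    form the post says survives in the running config) plus group-object lines."""
    lines = [f"object-group network {name}"]
    lines += [f" {n.network_address} {n.netmask}" for n in nets]
    lines += [f" group-object {g}" for g in nested]
    return "\n".join(lines)


def build_config(members=SAMPLE_MEMBERS, acl=199, group="TEST"):
    """Validate the members, then emit the object group and the one-line ACL."""
    nets = [parse_member(m) for m in members]
    clashes = find_overlaps(nets)
    if clashes:
        raise ValueError(f"overlapping members: {clashes}")
    return render_group(group, nets) + f"\naccess-list {acl} permit ip any object-group {group}"


if __name__ == "__main__":
    print(build_config())
    nets = [parse_member(m) for m in SAMPLE_MEMBERS]
    for dst in ("192.168.5.9", "169.254.1.1", "8.8.8.8"):
        print(dst, "permitted" if permitted(dst, nets) else "denied")
```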

Here we took a brief look at network object groups. Object groups on the router also have a "service" option, which can be used to group protocols and ports. Those of you with a background configuring PIX / ASA may already be very familiar with object groups. For the rest of you, this may be something you want to practice before your next scheduled lab date.

For more reading:
Cisco - Object Groups for ACLs

Object groups were added in 12.4(20)T.
