All features that use or reference conventional access control lists (ACLs) are compatible with object-group-based ACLs, and
the feature interactions for conventional ACLs are the same for object-group-based ACLs. This feature extends the conventional
ACLs to support object-group-based ACLs and also adds new keywords for the source and destination addresses and ports.

You can apply object-group-based ACLs to interfaces that are configured in a VPN routing and forwarding (VRF) instance or
to features that are used within a VRF context.

You can add, delete, or change objects in an object group membership list dynamically (without deleting and redefining the
object group). Also, you can add, delete, or change objects in an object group membership list without redefining the ACL
access control entry (ACE) that uses the object group. You can add objects to groups, delete them from groups, and then verify
that the changes function correctly within the object-group-based ACL without reapplying the ACL to the interface.

You can configure an object-group-based ACL multiple times with a source group only, a destination group only, or both source
and destination groups.

You cannot delete an object group that is used within an ACL or a class-based policy language (CPL) policy.
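
The behaviour described above, written out as a configuration. This is an added example, not taken from the original page; it assumes Cisco IOS / IOS XE command syntax, and the group names, ACL name, interface, and addresses (documentation ranges) are constructed for illustration.

```cisco
! Constructed example: names and addresses (RFC 5737 ranges) are illustrative.
object-group network ADMIN-HOSTS
 description Jump hosts allowed to manage devices
 host 192.0.2.10
 host 192.0.2.11
!
object-group network WEB-SERVERS
 description Public web tier
 198.51.100.0 255.255.255.0
!
object-group service MGMT-SERVICES
 tcp eq 22
!
object-group service WEB-SERVICES
 tcp eq www
 tcp eq 443
!
ip access-list extended EDGE-IN
 remark Source group only
 permit object-group MGMT-SERVICES object-group ADMIN-HOSTS any
 remark Destination group only
 permit object-group WEB-SERVICES any object-group WEB-SERVERS
 remark Source and destination groups
 permit icmp object-group ADMIN-HOSTS object-group WEB-SERVERS
 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group EDGE-IN in
!
! Later change: swap one jump host. Only the group is edited; the ACEs in
! EDGE-IN and the ip access-group binding are left untouched.
object-group network ADMIN-HOSTS
 no host 192.0.2.10
 host 192.0.2.12
!
! Check the result from exec mode:
!   show object-group ADMIN-HOSTS
!   show ip access-list EDGE-IN
!
! ADMIN-HOSTS is still referenced by EDGE-IN, so the device will not
! accept its deletion while those ACEs exist:
!   no object-group network ADMIN-HOSTS
```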