nodetool listcidrgroups
Cassandra 5.0+
This command is available in Cassandra 5.0 and later.
Lists all defined CIDR groups in the cluster.
Synopsis
nodetool [connection_options] listcidrgroups [cidrGroup]
Arguments
| Argument | Description |
|---|---|
| cidrGroup | Optional. Name of a specific CIDR group to list CIDRs for |
Description
nodetool listcidrgroups displays all CIDR groups defined in the cluster. CIDR groups are named collections of IP address ranges used for network-based access control.
CIDR groups can be assigned to roles to restrict which IP addresses can authenticate as those roles, providing an additional layer of security beyond username/password authentication.
Output Format
Without arguments, the command displays a list of CIDR group names:
CIDR Groups
internal_network
datacenter_us
datacenter_eu
vpn_clients
With a group name argument, it displays the CIDRs for that group:
CIDRs for Group: internal_network
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Examples
List All Group Names
nodetool listcidrgroups
Sample output:
CIDR Groups
internal_network
datacenter_us
datacenter_eu
vpn_clients
List CIDRs for a Specific Group
nodetool listcidrgroups internal_network
Sample output:
CIDRs for Group: internal_network
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
When to Use
Audit Access Control Configuration
# Review all CIDR-based access rules
nodetool listcidrgroups
Use this command to:
- Audit network-level access control configuration
- Verify CIDR groups before assigning to roles
- Document current security configuration
- Troubleshoot connection authorization issues
Before Modifying CIDR Groups
# Check current groups before changes
nodetool listcidrgroups
# Then modify as needed
nodetool updatecidrgroup new_office '192.168.50.0/24'
Best Practices
CIDR Group Management
- Use descriptive names - Name groups by purpose (e.g., datacenter_us, office_network)
- Document groups - Maintain external documentation of CIDR group purposes
- Review regularly - Periodically audit groups for accuracy
- Least privilege - Define specific ranges rather than broad ones
Security Considerations
- CIDR groups are part of your security configuration
- Changes affect which IPs can authenticate as specific roles
- Test changes in non-production environments first
- Coordinate with network team when defining ranges
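One way to automate the "review regularly" and "least privilege" points above is to parse the per-group listings and flag ranges that are broader than policy allows or that overlap between groups. This is an added example, not code from the Cassandra project. It assumes the output format is exactly as shown on this page; the prefix thresholds, the function names, and the `0.0.0.0/0` entry in the sample data are hypothetical.

```python
import ipaddress

GROUP_HEADER = "CIDRs for Group:"

# Constructed sample outputs, one per `nodetool listcidrgroups <group>` call.
SAMPLE_OUTPUTS = [
    "CIDRs for Group: internal_network\n10.0.0.0/8\n172.16.0.0/12\n192.168.0.0/16\n",
    "CIDRs for Group: new_office\n192.168.50.0/24\n",
    "CIDRs for Group: vpn_clients\n0.0.0.0/0\n",  # constructed worst case
]

def parse_group_output(text):
    """Parse one per-group listing into (group_name, [ip_network, ...])."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith(GROUP_HEADER):
        raise ValueError("missing 'CIDRs for Group:' header")
    name = lines[0][len(GROUP_HEADER):].strip()
    # strict=True raises ValueError on malformed entries or host bits set
    return name, [ipaddress.ip_network(ln, strict=True) for ln in lines[1:]]

def audit(outputs, min_prefix_v4=16, min_prefix_v6=48):
    """Return findings: ranges broader than policy, and cross-group overlaps."""
    groups = dict(parse_group_output(o) for o in outputs)
    findings = []
    for name, nets in groups.items():
        for net in nets:
            # Thresholds are an assumed local policy, not a Cassandra default.
            limit = min_prefix_v4 if net.version == 4 else min_prefix_v6
            if net.prefixlen < limit:
                findings.append(("broad", name, str(net)))
    names = sorted(groups)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in groups[a]:
                for nb in groups[b]:
                    # An address in the overlap belongs to both groups.
                    if na.version == nb.version and na.overlaps(nb):
                        findings.append(("overlap", a, str(na), b, str(nb)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUTS):
        print(*finding)
```

In practice the list passed to `audit` would hold the captured output of one `nodetool listcidrgroups <group>` call per group name.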
Configuration
CIDR groups are stored in the system tables and can be managed through:
- CQL commands (CREATE CIDR GROUP, ALTER CIDR GROUP)
- nodetool commands (updatecidrgroup, dropcidrgroup)
Related Commands
| Command | Relationship |
|---|---|
| cidrfilteringstats | View filtering statistics |
| getcidrgroupsofip | Find groups containing an IP |
| updatecidrgroup | Add or modify CIDR groups |
| dropcidrgroup | Remove CIDR groups |
| invalidatecidrpermissionscache | Clear authorization cache |
| reloadcidrgroupscache | Reload groups from storage |