nodetool updatecidrgroup¶
Cassandra 5.0+
This command is available in Cassandra 5.0 and later.
Creates or updates a CIDR group with specified IP ranges.
Synopsis¶
nodetool [connection_options] updatecidrgroup <group_name> <cidr_ranges>
Description¶
nodetool updatecidrgroup creates a new CIDR group or updates an existing one with the specified IP address ranges. CIDR groups define network ranges that can be associated with roles for IP-based access control.
Arguments¶
| Argument | Description |
|---|---|
group_name |
Name for the CIDR group (alphanumeric and underscores) |
cidr_ranges |
Space-separated list of CIDR ranges (each CIDR as separate argument) |
CIDR Notation¶
CIDR (Classless Inter-Domain Routing) notation specifies IP ranges:
| CIDR | Range | Addresses |
|---|---|---|
10.0.0.0/8 |
10.0.0.0 - 10.255.255.255 | 16,777,216 |
172.16.0.0/12 |
172.16.0.0 - 172.31.255.255 | 1,048,576 |
192.168.0.0/16 |
192.168.0.0 - 192.168.255.255 | 65,536 |
192.168.1.0/24 |
192.168.1.0 - 192.168.1.255 | 256 |
10.0.0.1/32 |
10.0.0.1 only | 1 |
Examples¶
Create New CIDR Group¶
nodetool updatecidrgroup office_network 192.168.1.0/24 192.168.2.0/24
Add Private Network Ranges¶
nodetool updatecidrgroup internal_network 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
Create Datacenter-Specific Group¶
nodetool updatecidrgroup dc_us_east 10.1.0.0/16 10.2.0.0/16
Single IP Address¶
nodetool updatecidrgroup admin_workstation 10.0.0.50/32
IPv6 Ranges¶
nodetool updatecidrgroup ipv6_network 2001:db8::/32 fd00::/8
Update Existing Group¶
# Add new range by redefining the group
nodetool updatecidrgroup office_network 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
When to Use¶
Initial Set up¶
# Define network groups during cluster setup
nodetool updatecidrgroup app_servers 10.100.0.0/16
nodetool updatecidrgroup monitoring 10.200.0.0/24
nodetool updatecidrgroup admin 10.0.0.0/24
Network Expansion¶
# Add new subnet to existing group
nodetool listcidrgroups # Check current ranges
nodetool updatecidrgroup app_servers 10.100.0.0/16 10.101.0.0/16
Security Segmentation¶
# Create groups for different access levels
nodetool updatecidrgroup readonly_apps 10.50.0.0/16
nodetool updatecidrgroup write_apps 10.60.0.0/16
nodetool updatecidrgroup admin_access 10.0.1.0/24
Best Practices¶
Naming Conventions
Use descriptive, consistent names:
dc_<datacenter>for datacenter-specific groupsapp_<application>for application groupsenv_<environment>for environment groups (prod, staging, dev)role_<role>for access-level groups
Important Considerations
- Updates replace all ranges - When updating, specify ALL desired ranges, not just new ones
- Test before production - Verify CIDR ranges in non-production environments
- Document changes - Maintain records of CIDR group modifications
- Coordinate with network team - Ensure CIDR ranges match actual network topology
After Creating Groups
After creating CIDR groups, associate them with roles using CQL:
ALTER ROLE app_user WITH ACCESS TO CIDR GROUP 'app_servers';
Broad Ranges
Avoid overly broad CIDR ranges that could allow unintended access:
# Too broad - avoid
nodetool updatecidrgroup all_access 0.0.0.0/0
# Better - specific ranges
nodetool updatecidrgroup app_access 10.100.0.0/16
Verification¶
After creating or updating a CIDR group:
# List all groups to verify
nodetool listcidrgroups
# Test specific IP membership
nodetool getcidrgroupsofip 10.100.50.25
# Clear cache if needed
nodetool invalidatecidrpermissionscache
Related Commands¶
| Command | Relationship |
|---|---|
| listcidrgroups | List all CIDR groups |
| getcidrgroupsofip | Check IP group membership |
| dropcidrgroup | Remove CIDR groups |
| invalidatecidrpermissionscache | Clear CIDR cache |
| reloadcidrgroupscache | Reload from storage |
| cidrfilteringstats | View filtering statistics |