O Commands

Available Languages

Download Options

PDF (119.8 KB)
View with Adobe Reader on a variety of devices

Updated:June 13, 2008

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

O Commands

Table Of Contents

O Commands

object-group (identity policy)

object-group ip address

object-group ip port

object-group ipv6 address

O Commands

This chapter describes the Cisco NX-OS security commands that begin with O.

object-group (identity policy)

To specify a MAC access control list (ACL) for an identity policy, use the object-group command. To remove ACL from the identity policy, use the no form of this command.

object-group acl-name

no object-group acl-name

Syntax Description

acl-name

Name of a MAC ACL. The name is case sensitive.

Defaults

None

Command Modes

Identity policy configuration

Supported User Roles

network-admin
vdc-admin
VDC user

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

Use the mac access-list command to create the MAC ACL to assign to the identity policy.

This command does not require a license.

Examples

This example shows how to configure an ACL for an identity policy:
switch# config t
switch(config)# identity policy AdminPolicy
switch(config-id-policy)# object-group 
This example shows how to remove an ACL from an identity policy:
switch# config t
switch(config)# identity policy AdminPolicy
switch(config-id-policy)# no object-group 
Related Commands

Command

Description

identity policy

Creates or specifies an identity policy and enters identity policy configuration mode.

mac access-list

Creates a MAC ACL and enters MAC ACL configuration mode.

show identity policy

Displays identity policy information.

object-group ip address

To define an IPv4 address object group or to enter object-group configuration mode for a specific IPv4-address object group, use the object-group ip address command. To remove an IPv4-address object group, use the no form of this command.

object-group ip address name

no object-group ip address name

Syntax Description

name

Name of the IPv4 address object group, which can be up to 64 alphanumeric, case-sensitive characters.

Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

You can use IPv4 object groups in permit and deny commands for IPv4 access control lists (ACLs).

IPv4 address object groups are not directional. Whether group members match a source or destination address or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an IPv4 ACL.

This command does not require a license.

Examples

This example shows how to configure an IPv4 address object group named ipv4-addr-group-13 with two group members that are specific IPv4 addresses and one group member that is the 10.23.176.0 subnet:
switch# config t
switch(config)# object-group ip address ipv4-addr-group-13
switch(config-ipaddr-ogroup)# host 10.121.57.102
switch(config-ipaddr-ogroup)# 10.121.57.234/32
switch(config-ipaddr-ogroup)# 10.23.176.0 0.0.0.255
switch(config-ipaddr-ogroup)# show object-group ipv4-addr-group-13
        10 host 10.121.57.102
        20 host 10.121.57.234
        30 10.23.176.0/24
switch(config-ipaddr-ogroup)# 
Related Commands

Command

Description

host (IPv4)

Configures a group member for an IPv4 address object group.

show object-group

Displays object groups.

object-group ip port

To define an IP port object group or to enter object-group configuration mode for a specific IP port object group, use the object-group ip port command. To remove an IP port object group, use the no form of this command.

object-group ip port name

no object-group ip port name

Syntax Description

name

Name of the IP port object group, which can be up to 64 alphanumeric, case-sensitive characters.

Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

You can use IP port object groups in permit and deny commands for IPv4 and IPv6 access control lists (ACLs).

IP port object groups are not directional. Whether group members match a source or destination port or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an ACL.

This command does not require a license.

Examples

This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 443:
switch# config t
switch(config)# object-group ip port port-group-05
switch(config-port-ogroup)# eq 443
switch(config-port-ogroup)# show object-group port-group-05
        10 eq 443
switch(config-port-ogroup)# 
Related Commands

Command

Description

eq

Specifies an equal-to group member in an IP port object group.

gt

Specifies a greater-than group member in an IP port object group.

lt

Specifies a less-than group member in an IP port object group.

neq

Specifies a not-equal-to group member in an IP port object group.

range

Specifies a port range group member in an IP port object group.

show object-group

Displays object groups.

object-group ipv6 address

To define an IPv6 address object group or to enter IPv6 address object group configuration mode for a specific IPv6 address object group, use the object-group ipv6 address command. To remove an IPv6 address object group, use the no form of this command.

object-group ipv6 address name

no object-group ipv6 address name

Syntax Description

name

Name of the IPv6 address group object, which can be up to 64 alphanumeric, case-sensitive characters.

Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

You can use IPv6 object groups in permit and deny commands for IPv6 ACLs.

IPv6 address object groups are not directional. Whether group members match a source or destination address or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an IPv6 ACL.

This command does not require a license.

Examples

This example shows how to configure an IPv6 address object group named ipv6-addr-group-A7 with two group members that are specific IPv6 addresses and one group member that is the 2001:db8:0:3ab7:: subnet:
switch# config t
switch(config)# object-group ipv6 address ipv6-addr-group-A7
switch(config-ipv6addr-ogroup)# host 2001:db8:0:3ab0::1
switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab0::2/128
switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab7::/96
switch(config-ipv6addr-ogroup)# show object-group ipv6-addr-group-A7
        10 host 2001:db8:0:3ab0::1
        20 host 2001:db8:0:3ab0::2
        30 2001:db8:0:3ab7::/96
switch(config-ipv6addr-ogroup)# 
Related Commands

Command

Description

host (IPv6)

Configures a group member for an IPv6 address object group.

show object-group

Displays object groups.

acl-name	Name of a MAC ACL. The name is case sensitive.

Release	Modification
4.0(1)	This command was introduced.

Command	Description
identity policy	Creates or specifies an identity policy and enters identity policy configuration mode.
mac access-list	Creates a MAC ACL and enters MAC ACL configuration mode.
show identity policy	Displays identity policy information.

name	Name of the IPv4 address object group, which can be up to 64 alphanumeric, case-sensitive characters.

Release	Modification
4.0(1)	This command was introduced.

Command	Description
host (IPv4)	Configures a group member for an IPv4 address object group.
show object-group	Displays object groups.

name	Name of the IP port object group, which can be up to 64 alphanumeric, case-sensitive characters.

Release	Modification
4.0(1)	This command was introduced.

Command	Description
eq	Specifies an equal-to group member in an IP port object group.
gt	Specifies a greater-than group member in an IP port object group.
lt	Specifies a less-than group member in an IP port object group.
neq	Specifies a not-equal-to group member in an IP port object group.
range	Specifies a port range group member in an IP port object group.
show object-group	Displays object groups.

name	Name of the IPv6 address group object, which can be up to 64 alphanumeric, case-sensitive characters.

Release	Modification
4.0(1)	This command was introduced.

Command	Description
host (IPv6)	Configures a group member for an IPv6 address object group.
show object-group	Displays object groups.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)