O Commands
This chapter describes the Cisco NX-OS security commands that begin with O.
object-group (identity policy)
To specify a MAC access control list (ACL) for an identity policy, use the object-group command. To remove the ACL from the identity policy, use the no form of this command.
object-group acl-name
no object-group acl-name
Syntax Description
acl-name
Name of the MAC ACL to assign to the identity policy. The ACL must already exist (see the mac access-list command).
Defaults
None
Command Modes
Identity policy configuration
Supported User Roles
network-admin
vdc-admin
VDC user
Command History
Usage Guidelines
Use the mac access-list command to create the MAC ACL to assign to the identity policy.
This command does not require a license.
Examples
This example shows how to configure an ACL for an identity policy:
switch# config t
switch(config)# identity policy AdminPolicy
switch(config-id-policy)# object-group
This example shows how to remove an ACL from an identity policy:
switch# config t
switch(config)# identity policy AdminPolicy
switch(config-id-policy)# no object-group
Related Commands
object-group ip address
To define an IPv4 address object group or to enter object-group configuration mode for a specific IPv4-address object group, use the object-group ip address command. To remove an IPv4-address object group, use the no form of this command.
object-group ip address name
no object-group ip address name
Syntax Description
name
Name of the IPv4 address object group, which can be up to 64 alphanumeric, case-sensitive characters.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You can use IPv4 object groups in permit and deny commands for IPv4 access control lists (ACLs).
IPv4 address object groups are not directional. Whether group members match a source or destination address or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an IPv4 ACL.
This command does not require a license.
Examples
This example shows how to configure an IPv4 address object group named ipv4-addr-group-13 with two group members that are specific IPv4 addresses and one group member that is the 10.23.176.0/24 subnet (entered here in wildcard-mask form; show object-group displays it in prefix-length form):
switch# config t
switch(config)# object-group ip address ipv4-addr-group-13
switch(config-ipaddr-ogroup)# host 10.121.57.102
switch(config-ipaddr-ogroup)# 10.121.57.234/32
switch(config-ipaddr-ogroup)# 10.23.176.0 0.0.0.255
switch(config-ipaddr-ogroup)# show object-group ipv4-addr-group-13
10 host 10.121.57.102
20 host 10.121.57.234
30 10.23.176.0/24
switch(config-ipaddr-ogroup)#
Related Commands
Command            Description
host (IPv4)        Configures a group member for an IPv4 address object group.
show object-group  Displays object groups.
object-group ip port
To define an IP port object group or to enter object-group configuration mode for a specific IP port object group, use the object-group ip port command. To remove an IP port object group, use the no form of this command.
object-group ip port name
no object-group ip port name
Syntax Description
name
Name of the IP port object group, which can be up to 64 alphanumeric, case-sensitive characters.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You can use IP port object groups in permit and deny commands for IPv4 and IPv6 access control lists (ACLs).
IP port object groups are not directional. Whether group members match a source or destination port or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an ACL.
This command does not require a license.
Examples
This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 443:
switch# config t
switch(config)# object-group ip port port-group-05
switch(config-port-ogroup)# eq 443
switch(config-port-ogroup)# show object-group port-group-05
10 eq 443
switch(config-port-ogroup)#
Related Commands
object-group ipv6 address
To define an IPv6 address object group or to enter IPv6 address object group configuration mode for a specific IPv6 address object group, use the object-group ipv6 address command. To remove an IPv6 address object group, use the no form of this command.
object-group ipv6 address name
no object-group ipv6 address name
Syntax Description
name
Name of the IPv6 address group object, which can be up to 64 alphanumeric, case-sensitive characters.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You can use IPv6 object groups in permit and deny commands for IPv6 ACLs.
IPv6 address object groups are not directional. Whether group members match a source or destination address or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an IPv6 ACL.
This command does not require a license.
Examples
This example shows how to configure an IPv6 address object group named ipv6-addr-group-A7 with two group members that are specific IPv6 addresses and one group member that is the 2001:db8:0:3ab7::/96 subnet:
switch# config t
switch(config)# object-group ipv6 address ipv6-addr-group-A7
switch(config-ipv6addr-ogroup)# host 2001:db8:0:3ab0::1
switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab0::2/128
switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab7::/96
switch(config-ipv6addr-ogroup)# show object-group ipv6-addr-group-A7
10 host 2001:db8:0:3ab0::1
20 host 2001:db8:0:3ab0::2
30 2001:db8:0:3ab7::/96
switch(config-ipv6addr-ogroup)#
Related Commands
Command            Description
host (IPv6)        Configures a group member for an IPv6 address object group.
show object-group  Displays object groups.
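The usage guidelines for the IPv4 address, IP port and IPv6 address object groups above all make the same point: a group carries no direction of its own, and whether it matches a source or a destination, inbound or outbound, is decided only where it is referenced from an ACL entry and where that ACL is applied. The following configuration is an added worked example, not an example from the Cisco reference page. It assumes the addrgroup and portgroup keywords of the NX-OS ip access-list and ipv6 access-list permit/deny commands and the ip access-group and ipv6 traffic-filter interface commands, none of which appear on this page; the object-group, ACL and interface names are hypothetical.

```text
! Added example (not from the Cisco reference page). The addrgroup/portgroup
! keywords and the ip access-group / ipv6 traffic-filter interface commands are
! assumed NX-OS ACL syntax that this page does not show. All names are hypothetical.

configure terminal

! One IPv4 address group, one IPv6 address group and one port group. The port
! group can be referenced from both the IPv4 and the IPv6 ACL.
object-group ip address mgmt-hosts
  host 10.121.57.102
  10.23.176.0/24
object-group ipv6 address mgmt-hosts-v6
  host 2001:db8:0:3ab0::1
  2001:db8:0:3ab7::/96
object-group ip port admin-ports
  eq 22
  eq 443

! Direction comes from the ACL entry: in entry 10 mgmt-hosts is the source and
! admin-ports is the destination port; in entry 20 the same two groups are the
! source port and the destination address (replies from the admin services).
ip access-list restrict-mgmt
  10 permit tcp addrgroup mgmt-hosts any portgroup admin-ports
  20 permit tcp any portgroup admin-ports addrgroup mgmt-hosts
  30 deny   tcp any any portgroup admin-ports
  40 permit ip any any

ipv6 access-list restrict-mgmt-v6
  10 permit tcp addrgroup mgmt-hosts-v6 any portgroup admin-ports
  20 permit tcp any portgroup admin-ports addrgroup mgmt-hosts-v6
  30 deny   tcp any any portgroup admin-ports
  40 permit ipv6 any any

! Inbound versus outbound is decided only here, where the ACLs are applied.
interface Ethernet1/1
  ip access-group restrict-mgmt in
  ipv6 traffic-filter restrict-mgmt-v6 in
```

Because the groups are shared, changing a member (adding a host to mgmt-hosts, or a port to admin-ports) changes every entry that references the group, in both ACLs at once. When auditing such a policy, review the object-group contents together with the ACL, not the ACL alone, since the entries themselves no longer show which addresses and ports are actually permitted.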