Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.0
O Commands


This chapter describes the Cisco NX-OS security commands that begin with O.

object-group (identity policy)

To specify a MAC access control list (ACL) for an identity policy, use the object-group command. To remove the ACL from the identity policy, use the no form of this command.

object-group acl-name

no object-group acl-name

Syntax Description

acl-name

Name of a MAC ACL. The name is case sensitive.


Defaults

None

Command Modes

Identity policy configuration

Supported User Roles

network-admin
vdc-admin
VDC user

Command History

Release     Modification
4.0(1)      This command was introduced.


Usage Guidelines

Use the mac access-list command to create the MAC ACL to assign to the identity policy.

This command does not require a license.

Examples

This example shows how to configure an ACL for an identity policy:

switch# config t
switch(config)# identity policy AdminPolicy
switch(config-id-policy)# object-group 

This example shows how to remove an ACL from an identity policy:

switch# config t
switch(config)# identity policy AdminPolicy
switch(config-id-policy)# no object-group 

Related Commands

Command                 Description
identity policy         Creates or specifies an identity policy and enters identity policy configuration mode.
mac access-list         Creates a MAC ACL and enters MAC ACL configuration mode.
show identity policy    Displays identity policy information.


object-group ip address

To define an IPv4 address object group or to enter object-group configuration mode for a specific IPv4-address object group, use the object-group ip address command. To remove an IPv4-address object group, use the no form of this command.

object-group ip address name

no object-group ip address name

Syntax Description

name

Name of the IPv4 address object group, which can be up to 64 alphanumeric, case-sensitive characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release     Modification
4.0(1)      This command was introduced.


Usage Guidelines

You can use IPv4 object groups in permit and deny commands for IPv4 access control lists (ACLs).

IPv4 address object groups are not directional. Whether group members match a source or destination address or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an IPv4 ACL.

This command does not require a license.

Examples

This example shows how to configure an IPv4 address object group named ipv4-addr-group-13 with two group members that are specific IPv4 addresses and one group member that is the 10.23.176.0 subnet:

switch# config t
switch(config)# object-group ip address ipv4-addr-group-13
switch(config-ipaddr-ogroup)# host 10.121.57.102
switch(config-ipaddr-ogroup)# 10.121.57.234/32
switch(config-ipaddr-ogroup)# 10.23.176.0 0.0.0.255
switch(config-ipaddr-ogroup)# show object-group ipv4-addr-group-13
        10 host 10.121.57.102
        20 host 10.121.57.234
        30 10.23.176.0/24
switch(config-ipaddr-ogroup)# 

Related Commands

Command              Description
host (IPv4)          Configures a group member for an IPv4 address object group.
show object-group    Displays object groups.


object-group ip port

To define an IP port object group or to enter object-group configuration mode for a specific IP port object group, use the object-group ip port command. To remove an IP port object group, use the no form of this command.

object-group ip port name

no object-group ip port name

Syntax Description

name

Name of the IP port object group, which can be up to 64 alphanumeric, case-sensitive characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release     Modification
4.0(1)      This command was introduced.


Usage Guidelines

You can use IP port object groups in permit and deny commands for IPv4 access control lists (ACLs).

IP port object groups are not directional. Whether group members match a source or destination port or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an ACL.

This command does not require a license.

Examples

This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 443:

switch# config t
switch(config)# object-group ip port port-group-05
switch(config-port-ogroup)# eq 443
switch(config-port-ogroup)# show object-group port-group-05
        10 eq 443
switch(config-port-ogroup)# 

Related Commands

Command              Description
eq                   Specifies an equal-to group member in an IP port object group.
gt                   Specifies a greater-than group member in an IP port object group.
lt                   Specifies a less-than group member in an IP port object group.
neq                  Specifies a not-equal-to group member in an IP port object group.
range                Specifies a port range group member in an IP port object group.
show object-group    Displays object groups.


object-group ipv6 address

To define an IPv6 address object group or to enter IPv6 address object group configuration mode for a specific IPv6 address object group, use the object-group ipv6 address command. To remove an IPv6 address object group, use the no form of this command.

object-group ipv6 address name

no object-group ipv6 address name

Syntax Description

name

Name of the IPv6 address object group, which can be up to 64 alphanumeric, case-sensitive characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release     Modification
4.0(1)      This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to configure an IPv6 address object group named ipv6-addr-group-A7 with two group members that are specific IPv6 addresses and one group member that is the 2001:db8:0:3ab7:: subnet:

switch# config t
switch(config)# object-group ipv6 address ipv6-addr-group-A7
switch(config-ipv6addr-ogroup)# host 2001:db8:0:3ab0::1
switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab0::2/128
switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab7::/96
switch(config-ipv6addr-ogroup)# show object-group ipv6-addr-group-A7
        10 host 2001:db8:0:3ab0::1
        20 host 2001:db8:0:3ab0::2
        30 2001:db8:0:3ab7::/96
switch(config-ipv6addr-ogroup)# 
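
In the IPv4 and IPv6 examples above, show object-group lists every member in one canonical form regardless of how it was typed (host keyword, address/prefix length, or address plus wildcard mask). The following Python script is an added example, not Cisco code, that reproduces that normalization so group definitions can be reviewed offline before they are referenced in an ACL. The function names, and the choice to reject non-contiguous wildcard masks and entries with host bits set, are assumptions of this example and not documented NX-OS behavior.

```python
import ipaddress

def _from_wildcard(addr, wildcard):
    """Convert 'address wildcard-mask' to a network; contiguous masks only."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # a contiguous wildcard mask always has the form 2**k - 1
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    # ip_network() raises ValueError if the address has host bits set.
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}")

def normalize_member(entry):
    """Return one group member in the form the show output above uses."""
    parts = entry.split()
    if len(parts) == 2 and parts[0] == "host":
        # 'host' takes a single address, never a prefix.
        net = ipaddress.ip_network(str(ipaddress.ip_address(parts[1])))
    elif len(parts) == 1 and "/" in parts[0]:
        net = ipaddress.ip_network(parts[0])        # address/prefix-length
    elif len(parts) == 2:
        net = _from_wildcard(parts[0], parts[1])    # IPv4 address + wildcard
    else:
        raise ValueError(f"unrecognized member: {entry!r}")
    if net.prefixlen == net.max_prefixlen:          # /32 or /128 is a host
        return f"host {net.network_address}"
    return str(net)

def render_group(entries, step=10):
    """Number members 10, 20, 30, ... as in the show object-group output."""
    return [f"{step * (i + 1)} {normalize_member(e)}"
            for i, e in enumerate(entries)]

# Member lines copied from the two examples on this page.
IPV4_ENTRIES = ["host 10.121.57.102", "10.121.57.234/32",
                "10.23.176.0 0.0.0.255"]
IPV6_ENTRIES = ["host 2001:db8:0:3ab0::1", "2001:db8:0:3ab0::2/128",
                "2001:db8:0:3ab7::/96"]

if __name__ == "__main__":
    for line in render_group(IPV4_ENTRIES) + render_group(IPV6_ENTRIES):
        print(line)
```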

Related Commands

Command              Description
host (IPv6)          Configures a group member for an IPv6 address object group.
show object-group    Displays object groups.