To specify a MAC access control list (ACL) for an identity policy, use the object-group command. To remove ACL from the identity policy, use the no form of this command.
object-group acl-name
no object-group acl-name

| Argument | Description |
|---|---|
| acl-name | Name of a MAC ACL. The name is case sensitive. |

Command Default: None
Command Modes: Identity policy configuration
| Release | Modification |
|---|---|
| 4.0(1) | This command was introduced. |
Use the mac access-list command to create the MAC ACL to assign to the identity policy.
This command does not require a license.
This example shows how to configure an ACL for an identity policy:
```
switch# configure terminal
switch(config)# identity policy AdminPolicy
switch(config-id-policy)# object-group
```
This example shows how to remove an ACL from an identity policy:
```
switch# configure terminal
switch(config)# identity policy AdminPolicy
switch(config-id-policy)# no object-group
```
| Command | Description |
|---|---|
| identity policy | Creates or specifies an identity policy and enters identity policy configuration mode. |
| mac access-list | Creates a MAC ACL and enters MAC ACL configuration mode. |
| show identity policy | Displays identity policy information. |
To define an IPv4 address object group or to enter object-group configuration mode for a specific IPv4-address object group, use the object-group ip address command. To remove an IPv4-address object group, use the no form of this command.
object-group ip address name
no object-group ip address name

| Argument | Description |
|---|---|
| name | Name of the IPv4 address object group, which can be up to 64 alphanumeric, case-sensitive characters. |

Command Default: None
Command Modes: Global configuration
| Release | Modification |
|---|---|
| 4.0(1) | This command was introduced. |
You can use IPv4 object groups in permit and deny commands for IPv4 access control lists (ACLs).
IPv4 address object groups are not directional. Whether group members match a source or destination address or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an IPv4 ACL.
This command does not require a license.
This example shows how to configure an IPv4 address object group named ipv4-addr-group-13 with two group members that are specific IPv4 addresses and one group member that is the 10.23.176.0 subnet:
```
switch# configure terminal
switch(config)# object-group ip address ipv4-addr-group-13
switch(config-ipaddr-ogroup)# host 10.121.57.102
switch(config-ipaddr-ogroup)# 10.121.57.234/32
switch(config-ipaddr-ogroup)# 10.23.176.0 0.0.0.255
switch(config-ipaddr-ogroup)# show object-group ipv4-addr-group-13
10 host 10.121.57.102
20 host 10.121.57.234
30 10.23.176.0/24
switch(config-ipaddr-ogroup)#
```
| Command | Description |
|---|---|
| host (IPv4) | Configures a group member for an IPv4 address object group. |
| show object-group | Displays object groups. |
To define an IP port object group or to enter object-group configuration mode for a specific IP port object group, use the object-group ip port command. To remove an IP port object group, use the no form of this command.
object-group ip port name
no object-group ip port name

| Argument | Description |
|---|---|
| name | Name of the IP port object group, which can be up to 64 alphanumeric, case-sensitive characters. |

Command Default: None
Command Modes: Global configuration
| Release | Modification |
|---|---|
| 4.0(1) | This command was introduced. |
You can use IP port object groups in permit and deny commands for IPv4 and IPv6 access control lists (ACLs).
IP port object groups are not directional. Whether group members match a source or destination port or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an ACL.
This command does not require a license.
This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 443:
```
switch# configure terminal
switch(config)# object-group ip port port-group-05
switch(config-port-ogroup)# eq 443
switch(config-port-ogroup)# show object-group port-group-05
10 eq 443
switch(config-port-ogroup)#
```
| Command | Description |
|---|---|
| eq | Specifies an equal-to group member in an IP port object group. |
| gt | Specifies a greater-than group member in an IP port object group. |
| lt | Specifies a less-than group member in an IP port object group. |
| neq | Specifies a not-equal-to group member in an IP port object group. |
| range | Specifies a port range group member in an IP port object group. |
| show object-group | Displays object groups. |
To define an IPv6 address object group or to enter IPv6 address object group configuration mode for a specific IPv6 address object group, use the object-group ipv6 address command. To remove an IPv6 address object group, use the no form of this command.
object-group ipv6 address name
no object-group ipv6 address name

| Argument | Description |
|---|---|
| name | Name of the IPv6 address object group, which can be up to 64 alphanumeric, case-sensitive characters. |

Command Default: None
Command Modes: Global configuration
| Release | Modification |
|---|---|
| 4.0(1) | This command was introduced. |
You can use IPv6 object groups in permit and deny commands for IPv6 ACLs.
IPv6 address object groups are not directional. Whether group members match a source or destination address or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an IPv6 ACL.
This command does not require a license.
This example shows how to configure an IPv6 address object group named ipv6-addr-group-A7 with two group members that are specific IPv6 addresses and one group member that is the 2001:db8:0:3ab7:: subnet:
```
switch# configure terminal
switch(config)# object-group ipv6 address ipv6-addr-group-A7
switch(config-ipv6addr-ogroup)# host 2001:db8:0:3ab0::1
switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab0::2/128
switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab7::/96
switch(config-ipv6addr-ogroup)# show object-group ipv6-addr-group-A7
10 host 2001:db8:0:3ab0::1
20 host 2001:db8:0:3ab0::2
30 2001:db8:0:3ab7::/96
switch(config-ipv6addr-ogroup)#
```
| Command | Description |
|---|---|
| host (IPv6) | Configures a group member for an IPv6 address object group. |
| show object-group | Displays object groups. |
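The IPv4 address, IP port and IPv6 address object groups described above share one property that the prose states but the CLI output cannot show: a group has no direction of its own, and the ACL entry that references it decides whether its members are compared against the source or the destination. The following Python model is an added example (not Cisco code); it parses members exactly as typed in the page's examples, renders them as `show object-group` does (including the wildcard-mask to prefix-length conversion), and evaluates ACL entries that use the same group once as destination and once as source. The field names `src`, `dst`, `src_port` and `dst_port` are this example's own.

```python
import ipaddress
# Added model of this page's object groups (not Cisco code); direction comes from the ACE.
def parse_address_member(text):
    """'host A', 'A/len' or IPv4 'A WILDCARD' -> IPv4Network / IPv6Network."""
    parts = text.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1])            # /32 or /128
    if len(parts) == 2:
        # a mask whose first octet is zero is read as a wildcard (host) mask,
        # so '10.23.176.0 0.0.0.255' becomes 10.23.176.0/24, as the page shows
        return ipaddress.ip_network("/".join(parts), strict=False)
    return ipaddress.ip_network(parts[0], strict=False)

def show_object_group(members):
    """Render members the way 'show object-group' lists them (seq 10, 20, ...)."""
    lines = []
    for seq, net in enumerate(members, start=1):
        host = net.prefixlen == net.max_prefixlen
        lines.append(f"{seq * 10} " + (f"host {net.network_address}" if host else str(net)))
    return lines

PORT_OPERATORS = {
    "eq": lambda p, a: p == a[0], "neq": lambda p, a: p != a[0],
    "gt": lambda p, a: p > a[0], "lt": lambda p, a: p < a[0],
    "range": lambda p, a: a[0] <= p <= a[1],
}

def port_member_matches(text, port):
    """Evaluate one IP port member such as 'eq 443' or 'range 1024 65535'."""
    op, *args = text.split()
    return PORT_OPERATORS[op](port, [int(a) for a in args])

def ace_matches(ace, packet):
    """ace maps packet fields ('src', 'dst', 'src_port', 'dst_port') to groups; the
    same group may be a destination in one ACE and a source in another."""
    for field, group in ace.items():
        if field.endswith("port"):
            hit = any(port_member_matches(m, packet[field]) for m in group)
        else:
            hit = any(ipaddress.ip_address(packet[field]) in net for net in group)
        if not hit:
            return False
    return True

# Constructed sample data, taken from the examples on the page.
IPV4_GROUP = [parse_address_member(m) for m in
              ("host 10.121.57.102", "10.121.57.234/32", "10.23.176.0 0.0.0.255")]
PORT_GROUP = ["eq 443"]
TO_SERVERS = {"dst": IPV4_GROUP, "dst_port": PORT_GROUP}    # group as destination
FROM_SERVERS = {"src": IPV4_GROUP, "src_port": PORT_GROUP}  # same group as source
```

`show_object_group(IPV4_GROUP)` reproduces the three lines of the page's `show object-group ipv4-addr-group-13` output, and the same function renders the IPv6 group from the example above.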
To configure an object group that consists of destination IP addresses to which the packets are forwarded, use the object-group udp relay ip address command. To remove the object group, use the no form of this command.
object-group udp relay ip address object-grp-name
no object-group udp relay ip address object-grp-name

| Argument | Description |
|---|---|
| object-grp-name | Specifies the name of the object group. |

Command Default: None
Command Modes: Global configuration
| Release | Modification |
|---|---|
| 7.3(0)D1(1) | This command was introduced. |
To use this command, you must enable the UDP relay feature by using the ip forward-protocol udp command. You can create up to 4096 object groups.
This example shows how to configure the object group:
```
switch# configure terminal
switch(config)# ip forward-protocol udp
switch(config)# object-group udp relay ip address udprelay1
```
This example shows how to delete the object group:
```
switch(config)# no object-group udp relay ip address udprelay1
```
| Command | Description |
|---|---|
| ip forward-protocol udp | Enables the UDP relay feature. |
To verify the advertised “other” configuration parameter, use the other-config-flag command in RA guard policy configuration mode.
other-config-flag { on | off }

| Keyword | Description |
|---|---|
| on | Verification is enabled. |
| off | Verification is disabled. |

Command Default: Verification is not enabled.
Command Modes: RA guard policy configuration (config-ra-guard)
| Release | Modification |
|---|---|
| 8.0(1) | This command was introduced. |
The other-config-flag command enables verification of the advertised "other" configuration parameter (or "O" flag). This flag could be set by an attacker to force hosts to retrieve other configuration information through a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server that may not be trustworthy.
The following example shows how the command defines a router advertisement (RA) guard policy name as raguard1, places the router in RA guard policy configuration mode, and enables O flag verification:
```
switch(config)# ipv6 nd raguard policy raguard1
switch(config-ra-guard)# other-config-flag on
```
| Command | Description |
|---|---|
| ipv6 nd raguard policy | Defines the RA guard policy name and enters RA guard policy configuration mode. |
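To make the "O" flag check concrete, the following Python is an added example (not Cisco code) that decodes the fixed header of an ICMPv6 Router Advertisement (RFC 4861, type 134) and applies the inspection that `other-config-flag on` enables. The rule it implements is an assumption stated in the code: with verification on, an RA that advertises O=1 fails the check, since that is the setting an attacker would use to steer hosts to an untrusted DHCPv6 server; the sample RA bytes are constructed for the test, not captured traffic.

```python
import struct

# Added example, not Cisco code: the inspection that 'other-config-flag on'
# enables, applied to a raw ICMPv6 Router Advertisement (RFC 4861, type 134).
ICMPV6_ROUTER_ADVERTISEMENT = 134
FLAG_M = 0x80   # managed address configuration
FLAG_O = 0x40   # other configuration

def parse_router_advertisement(icmpv6):
    """Decode the fixed 16-byte RA header; trailing options are not needed here."""
    if len(icmpv6) < 16:
        raise ValueError("ICMPv6 message shorter than an RA header")
    typ, _code, _csum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmpv6[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError(f"ICMPv6 type {typ} is not a Router Advertisement")
    return {"hop_limit": hop_limit, "router_lifetime": lifetime,
            "m_flag": bool(flags & FLAG_M), "o_flag": bool(flags & FLAG_O)}

def other_config_flag_check(verification_on, icmpv6):
    """Model of the policy knob. Assumption (the page does not spell out the
    rule): with verification on, an RA advertising O=1 fails, because that is
    the setting that steers hosts to a possibly untrusted DHCPv6 server; with
    verification off the flag is not inspected at all."""
    ra = parse_router_advertisement(icmpv6)
    violation = verification_on and ra["o_flag"]
    return {"o_flag": ra["o_flag"], "verified": verification_on, "violation": violation}

def sample_ra(flags, hop_limit=64, router_lifetime=1800):
    """Constructed RA header for testing (checksum left at 0; not validated here)."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                       hop_limit, flags, router_lifetime, 0, 0)

BENIGN_RA = sample_ra(0)          # M=0, O=0: SLAAC only
O_FLAG_RA = sample_ra(FLAG_O)     # O=1: hosts told to ask DHCPv6 for other config

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_RA), ("o-flag", O_FLAG_RA)):
        print(name, other_config_flag_check(True, pkt))
```

Running the block with verification on reports `violation: True` only for the RA that sets the O flag; a Neighbor Solicitation (type 135) fed to the parser is rejected rather than misread as an RA.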