16-Security Command Reference
Object group commands
description
Use description to configure a description for an object group.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for an object group.
Views
Object group view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure the description as This is an IPv4 object-group for an IPv4 address object group.
<Sysname> system-view
[Sysname] object-group ip address ipgroup
[Sysname-obj-grp-ip-ipgroup] description This is an IPv4 object-group
display object-group
Use display object-group to display information about object groups.
Syntax
display object-group [ { { ip | ipv6 } { address | address-yundi } | mac-address | port | service | service-yundi } [ default ] [ name object-group-name ] | name object-group-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip address: Specifies the IPv4 address object groups.
ipv6 address: Specifies the IPv6 address object groups.
ip address-yundi: Specifies the IPv4 address object groups for a Yundi network.
ipv6 address-yundi: Specifies the IPv6 address object groups for a Yundi network.
mac-address: Specifies the MAC address object groups.
port: Specifies the port object groups.
service: Specifies the service object groups.
service-yundi: Specifies the service object groups for a Yundi network.
default: Specifies the default object groups.
name object-group-name: Specifies an object group by its name, a case-insensitive string of 1 to 63 characters.
Examples
# Display information about all object groups.
<Sysname> display object-group
IP address object group obj1: 0 object(in use)
IP address object group obj2: 6 objects(out of use)
0 network host address 1.1.1.1
object 0 description this is a description for object 0
10 network host name host
object 10 description this is a description for object 10
20 network subnet 1.1.1.1 255.255.255.0
30 network range 1.1.1.1 1.1.1.2
40 network group-object obj1
50 network user-group group1
70 network exclude range 2.2.2.2 3.3.3.3
IPv6 address object-group obj3: 0 object(in use)
IPv6 address object-group obj4: 5 objects(out of use)
0 network host address 1::1:1
10 network host name host
20 network subnet 1::1:0 112
30 network range 1::1:1 1::1:2
40 network group-object obj3
Service object-group obj5: 0 object(in use)
Service object-group obj6: 6 objects(out of use)
0 service 200
10 service tcp source lt 50 destination range 30 40
20 service udp source range 30 40 destination gt 30
30 service icmp 20 20
40 service icmpv6 20 20
50 service group-object obj5
Port object-group obj7: 0 object(in use)
Port object-group obj8: 3 objects(out of use)
0 port lt 20
10 port range 20 30
20 port group-object obj7
# Display information about object group obj2.
<Sysname> display object-group name obj2
IP address object-group obj2: 5 objects(out of use)
0 network host address 1.1.1.1
10 network host name host
20 network subnet 1.1.1.1 255.255.255.0
30 network range 1.1.1.1 1.1.1.2
40 network group-object obj1
# Display information about all IPv4 address object groups.
<Sysname> display object-group ip address
IP address object-group obj1: 0 object(in use)
IP address object-group obj2: 5 objects(out of use)
0 network host address 1.1.1.1
10 network host name host
20 network subnet 1.1.1.1 255.255.255.0
30 network range 1.1.1.1 1.1.1.2
40 network group-object obj1
50 network exclude range 2.2.2.2 3.3.3.3
# Display information about IPv6 address object group obj4.
<Sysname> display object-group ipv6 address name obj4
IPv6 address object-group obj4: 5 objects(out of use)
0 network host address 1::1:1
10 network host name host
20 network subnet 1::1:0 112
30 network range 1::1:1 1::1:2
40 network group-object obj3
Table 1 Command output
Field | Description |
---|---|
in use | The object group is used by an ACL or object group. |
out of use | The object group is not used. |
display object-group host
Use display object-group host to display IPv4 or IPv6 addresses for host names.
Syntax
display object-group { ip | ipv6 } host { all | object-group-name object-group-name | name host-name } *
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Specifies all hosts.
object-group-name object-group-name: Specifies an object group by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays information about the specified host name.
name host-name: Specifies a host by its name, a case-insensitive string of 1 to 253 characters. If you do not specify this option, the command displays information about all the included and excluded host names in the specified object group.
Examples
# Display IPv4 addresses for host name a.example.com in object group group1.
<Sysname> display object-group ip host object-group-name group1 name a.example.com
Object group : group1
Object ID : 0
Host name : a.example.com
VPN instance : -
Updated at : 2019-05-20 11:04:24
IP addresses :
169.0.0.10
169.0.0.11
# Display IPv6 addresses for all host names in object group group1.
<Sysname> display object-group ipv6 host object-group-name group1
Object group : group1
Object ID : 0
Host name : a.example.com
VPN instance : -
Updated at : 2019-05-20 11:04:24
IP addresses :
169:0::0:10
169:0::0:11
Object ID : 10
Host name : b.example.com
VPN instance : -
Updated at : 2019-05-20 11:04:24
IP addresses :
169:0::0:11
169:0::0:12
# Display IPv4 addresses for all host names.
<Sysname> display object-group ip host all
All host names : 3
Object group : group1 (Total host names : 1)
Object ID : 0
Host name : a.example.com
VPN instance : -
Updated at : 2019-05-20 11:04:24
IP addresses : 2
169:0::0:10
169:0::0:11
Object group : group2 (Total host names : 2)
Object ID : 10
Host name : b.example.com
VPN instance : -
Updated at : 2019-05-20 11:04:24
IP addresses : 2
169:0::0:11
169:0::0:12
Host name : c.example.com
VPN instance : -
Updated at : 2019-05-20 11:04:24
IP addresses : 2
169:0::0:11
169:0::0:12
Table 2 Command output
Field | Description |
---|---|
VPN instance | This field is not supported in the current software version. VPN to which the host belongs. |
Related commands
object-group
display object-group kernel
Use display object-group kernel to display information about the IP address corresponding to the kernel host name.
Syntax
display object-group kernel { ip | ipv6 } host { object-group-name object-group-name | name host-name } *
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip: Specifies the IPv4 address object group.
ipv6: Specifies the IPv6 address object group.
object-group-name object-group-name: Specifies an object group by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays the IP address corresponding to the specified or excluded host name in any object group.
name host-name: Specifies the host name, a case-insensitive string of 1 to 60 characters. If you do not specify this option, the command displays the IP addresses corresponding to all host names and excluded host names in the specified object group.
Examples
# Display information about the IP address corresponding to the kernel host name.
<Sysname> display object-group kernel ip host object-group-name group1 name a.example.com
Object group : group1
Object ID : 0
Host name : a.example.com
VPN instance : -
Updated at : 2019-05-20 11:04:24
IP addresses :
169.0.0.10
169.0.0.11
Table 3 Command output
Field | Description |
---|---|
Object group | Object group name. |
Object ID | Object ID. |
Host name | Host name. |
VPN instance | This field is not supported in the current software version. VPN to which the host belongs. |
Updated at | Most recent time at which the IP address corresponding to the host name was updated. |
IP addresses | IP address corresponding to the host name. |
Related commands
object-group
display object-group notify-list
Use display object-group notify-list to display information about the object group module waiting for responses from external modules.
Syntax
display object-group notify-list
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
Examples
# Display information about the object group module waiting for responses from external modules.
<Sysname> display object-group notify-list
Node 1, vsys ID: 1, socket ID: 50, wait: False;
Node 2, vsys ID: 1, socket ID: 50, wait: False;
Table 4 Command output
Field | Description |
---|---|
Vsys ID | ID of the vSystem. |
Wait | Whether the object group module is waiting for responses: True (yes) or False (no). |
display object-group query
Use display object-group query to display information about the address object groups that contain the specified IP address.
Syntax
display object-group query { ip ip-address | ipv6 ipv6-address } [ group-object object-group-name ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip ip-address: Specifies an IPv4 address.
ipv6 ipv6-address: Specifies an IPv6 address.
group-object object-group-name: Specifies an object group. The group name is a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays all object groups that contain the specified IP address.
verbose: Displays detailed information. If you do not specify this keyword, the command displays only the name of the matching address object group and the number of matching objects.
Examples
# Display the object groups that contain IP address 1.2.3.4 and the number of matching objects.
<Sysname> display object-group query ip 1.2.3.4
Object group Object hits
Group1 3
Group2 4
# Display detailed information about the object groups that contain IP address 1.2.3.4 and the matching objects.
<Sysname> display object-group query ip 1.2.3.4 verbose
IP address object group group1:
20 network host address 1.2.3.4
30 network range 1.1.1.1 2.1.1.2
40 network subnet 1.2.3.0 255.255.255.0
IP address object group group2:
20 network group-object group1
30 network range 1.1.1.1 2.1.1.2
30 network exclude 1.2.2.2
# Display information about the reference of IP address 1.2.3.4 in object group Group4.
<Sysname> display object-group query ip 1.2.3.4 object-group Group4
Object group Object hits
Group4 0
# Display detailed information about the reference of IP address 1.2.3.4 in object group Group4.
<Sysname> display object-group query ip 1.2.3.4 object-group Group4 verbose
# Display information about the reference of IP address 2:2::2:2 in object group Group5.
<Sysname> display object-group query ipv6 2:2::2:2 object-group Group5
Object group Object hits
Group5 1
# Display detailed information about the reference of IP address 2:2::2:2 in object group Group5.
<Sysname> display object-group query ipv6 2:2::2:2 object-group Group5 verbose
IPv6 address object-group Group5:
10 network host address 2:2::2:2
Table 5 Command output
Field | Description |
---|---|
Object hits | Number of address objects that match the criteria. |
mac
Use mac to configure a MAC address object.
Use undo mac to delete a MAC address object.
Syntax
[ object-id ] mac { mac-address | group-object object-group-name }
undo mac { mac-address | group-object object-group-name | all }
undo object-id
Default
No MAC address objects exist.
Views
MAC address object group view
Predefined user roles
network-admin
Parameters
object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not specify an object ID, the system automatically assigns the object the next multiple of 10 above the greatest ID in use. For example, if the greatest ID is 22, the system automatically assigns 30.
mac-address: Specifies a MAC address in the H-H-H format.
group-object object-group-name: Specifies a MAC address object group by its name, a case-insensitive string of 1 to 63 characters.
all: Specifies all MAC address objects in the group.
Usage guidelines
You can execute this command multiple times to create multiple MAC address objects for a MAC address object group.
This command creates a MAC address object if the specified object ID does not exist. Otherwise, the command overwrites the configuration of the specified object.
When you use the group-object object-group-name option, follow these guidelines:
· The object group to be used must be a MAC address object group.
· If the specified object group does not exist, the system creates a MAC address object group with the name you specified and uses the object group for the object.
· Two object groups cannot use each other at the same time.
· The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group.
Examples
# Configure a MAC address object with MAC address 0010-dc28-a4e9.
<Sysname> system-view
[Sysname] object-group mac-address groupmac
[Sysname-obj-grp-mac-groupmac] mac 0010-dc28-a4e9
# Delete all MAC address objects in group groupmac.
<Sysname> system-view
[Sysname] object-group mac-address groupmac
[Sysname-obj-grp-mac-groupmac] undo mac all
Related commands
display object-group
object-group
network (IPv4 address object group view)
Use network to configure an IPv4 address object.
Use undo network to delete an IPv4 address object.
Syntax
[ object-id ] network { host { address ip-address | name host-name } | subnet ip-address { mask-length | mask | wildcard wildcard } | range ip-address1 ip-address2 | group-object object-group-name | user user-name [ domain domain-name ] | user-group user-group-name [ domain domain-name ] }
undo network { host { address ip-address | name host-name } | subnet ip-address { mask-length | mask | wildcard wildcard } | range ip-address1 ip-address2 | group-object object-group-name | user user-name [ domain domain-name ] | user-group user-group-name [ domain domain-name ] | all }
undo object-id
Default
No IPv4 address objects exist.
Views
IPv4 address object group view
Predefined user roles
network-admin
Parameters
object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not specify an object ID, the system automatically assigns the object the next multiple of 10 above the greatest ID in use. For example, if the greatest ID is 22, the system automatically assigns 30.
host: Configures an IPv4 address object with the host address or name.
address ip-address: Specifies an IPv4 host address.
name host-name: Specifies a host name, a case-insensitive string of 1 to 253 characters. This parameter supports fuzzy matching. You can add an asterisk (*) to the front, end, or both of a string to indicate all host names that include the string. If no asterisks are attached, the system performs exact matching with the specified host name.
subnet ip-address { mask-length | mask | wildcard wildcard }: Configures an IPv4 address object with the subnet address followed by a mask length in the range of 0 to 32 or a mask in dotted decimal notation. The wildcard wildcard option specifies a wildcard mask in dotted decimal notation. A wildcard mask of zeros represents a host address.
range ip-address1 ip-address2: Configures an IPv4 address object with the address range.
group-object object-group-name: Specifies an IPv4 address object group by its name, a case-insensitive string of 1 to 63 characters.
user user-name: Specifies a user by its name, a case-sensitive string of 1 to 55 characters.
user-group user-group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.
domain domain-name: Specifies the name of the domain to which the user or the user group belongs, a case-insensitive string of 1 to 255 characters. The string cannot contain question marks (?). If you do not specify this option, the command considers that the user or the user group does not belong to any domain.
all: Specifies all IPv4 address objects in the group.
Usage guidelines
This command fails if you use it to configure or change an IPv4 address object to be identical with an existing object.
This command creates an IPv4 address object if the specified object ID does not exist. Otherwise, the command overwrites the configuration of the specified object.
If you configure a subnet with the mask length of 32 or the mask of 255.255.255.255, the system configures the object with a host address.
When you use the range ip-address1 ip-address2 option, if ip-address1 is higher than ip-address2, the system adjusts the range to [ ip-address2, ip-address1 ].
When you use the group-object object-group-name option, follow these guidelines:
· The object group to be used must be an IPv4 address object group.
· If the specified object group does not exist, the system creates an IPv4 address object group with the name you specified and uses the object group for the object.
· Two object groups cannot use each other at the same time.
· The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group.
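The rules above (ID auto-assignment, /32 and reversed-range normalisation, duplicate rejection, and the group-object nesting limits, which the mac command's usage guidelines state in the same form) are exactly what an auditor has to reproduce when answering "which groups contain this address?". The following Python model is an added example, not H3C's code or the device's implementation; it simulates those rules for IPv4 address objects and answers that question the way display object-group query ip ... verbose does. Group names, object IDs and addresses are constructed. The model goes beyond the text in one respect: it treats "two object groups cannot use each other" transitively, so a cycle through any number of groups is rejected.

```python
"""Added example, not H3C's code or the device's implementation: a model of IPv4 address object
groups simulating the rules stated for `network` and `mac`, plus a query that mirrors
`display object-group query ip ADDRESS [verbose]`. Group names and addresses are constructed."""
import ipaddress

MAX_LAYERS = 5  # "a maximum of five object group hierarchy layers"
IP = ipaddress.IPv4Address


class AddrObject:
    def __init__(self, kind, value):
        self.kind, self.value, self.exclude = kind, value, set()  # exclude: `network exclude` addresses
    def matches(self, addr, groups):
        if addr in self.exclude:
            return False
        if self.kind == "host":
            return addr == self.value
        if self.kind == "subnet":
            return addr in self.value
        if self.kind == "wildcard":  # value = (base, wildcard); a 1 bit in the wildcard is "don't care"
            base, wc = self.value
            return (int(addr) & ~int(wc)) == (int(base) & ~int(wc))
        if self.kind == "range":
            return self.value[0] <= addr <= self.value[1]
        return any(o.matches(addr, groups) for o in groups[self.value].values())  # group-object


def make_object(kind, *args):
    """Build an object from CLI-style arguments, applying the documented normalisation."""
    if kind == "host":
        return AddrObject("host", IP(args[0]))
    if kind == "subnet" and args[1] == "wildcard":  # an all-zero wildcard means a host address
        base, wc = IP(args[0]), IP(args[2])
        return AddrObject("host", base) if int(wc) == 0 else AddrObject("wildcard", (base, wc))
    if kind == "subnet":  # mask length (int) or dotted mask; /32 or 255.255.255.255 becomes a host
        net = ipaddress.IPv4Network((args[0], args[1]), strict=False)
        return AddrObject("host", net.network_address) if net.prefixlen == 32 else AddrObject("subnet", net)
    if kind == "range":  # a reversed range is stored as [low, high]
        return AddrObject("range", tuple(sorted(IP(a) for a in args[:2])))
    if kind == "group-object":
        return AddrObject("group-object", args[0])
    raise ValueError(f"unknown object kind {kind}")


def next_id(objects):  # omitted ID: greatest ID 22 -> 30, 20 -> 30, empty group -> 0
    return 0 if not objects else (max(objects) // 10 + 1) * 10


def children(objects):
    return [o.value for o in objects.values() if o.kind == "group-object"]


class ObjectGroups:
    def __init__(self):
        self.groups = {}  # group name -> {object ID: AddrObject}
    def _uses(self, name, target):  # transitive "name uses target": rejects cycles of any length
        return any(c == target or self._uses(c, target) for c in children(self.groups[name]))
    def _down(self, name):  # longest chain of groups starting at name, counting it
        return 1 + max((self._down(c) for c in children(self.groups[name])), default=0)
    def _up(self, name):  # longest chain of groups ending at name, counting it
        parents = [p for p, objs in self.groups.items() if name in children(objs)]
        return 1 + max((self._up(p) for p in parents), default=0)
    def network(self, gname, kind, *args, object_id=None):
        objs = self.groups.setdefault(gname, {})  # `object-group ip address NAME`: create or enter
        obj = make_object(kind, *args)
        if obj.kind == "group-object":
            self.groups.setdefault(obj.value, {})  # the used group is created if it does not exist
            if obj.value == gname or self._uses(obj.value, gname):
                raise ValueError("two object groups cannot use each other")
            if self._up(gname) + self._down(obj.value) > MAX_LAYERS:
                raise ValueError("more than five hierarchy layers")
        for oid, o in objs.items():  # an identical object makes the command fail
            if oid != object_id and (o.kind, o.value) == (obj.kind, obj.value):
                raise ValueError("identical object already exists")
        oid = next_id(objs) if object_id is None else object_id
        objs[oid] = obj  # create, or overwrite the object that has this ID
        return oid
    def exclude(self, gname, object_id, address):  # `OBJECT-ID network exclude ADDRESS`
        obj = self.groups[gname][object_id]  # KeyError: the object must already exist
        if IP(address) in obj.exclude:
            raise ValueError("excluded items must not overlap")
        obj.exclude.add(IP(address))
    def query(self, address, verbose=False):  # per group: hit count, or (verbose) matching IDs
        addr, hits = IP(address), {}
        for name, objs in self.groups.items():
            ids = [oid for oid, o in sorted(objs.items()) if o.matches(addr, self.groups)]
            if ids:
                hits[name] = ids if verbose else len(ids)
        return hits


def build_example():
    """Constructed configuration that reproduces the verbose query output shown in the reference."""
    og = ObjectGroups()
    og.network("group1", "host", "1.2.3.4", object_id=20)
    og.network("group1", "range", "2.1.1.2", "1.1.1.1", object_id=30)  # reversed on purpose
    og.network("group1", "subnet", "1.2.3.0", "255.255.255.0", object_id=40)
    og.network("group2", "group-object", "group1", object_id=20)
    og.network("group2", "range", "1.1.1.1", "2.1.1.2", object_id=30)
    og.exclude("group2", 30, "1.2.2.2")
    return og
```

build_example() rebuilds the group1/group2 configuration behind the display object-group query output shown earlier, so og.query("1.2.3.4", verbose=True) returns {"group1": [20, 30, 40], "group2": [20, 30]}. Querying 1.2.2.2 instead shows object 30 of group2 dropping out because of its exclude entry while object 20 still matches through the nested group1: an address can reach a group only through nesting, so checking a group's own objects alone under-reports what the group covers. The depth check adds the chain above the parent to the chain below the child, which is why, with g1 through g5 chained, neither g5 using g6 nor a new g0 using g1 is accepted.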
Examples
# Configure an IPv4 address object with the host address of 192.168.0.1.
<Sysname> system-view
[Sysname] object-group ip address ipgroup
[Sysname-obj-grp-ip-ipgroup] network host address 192.168.0.1
# Configure an IPv4 address object with exact-matching host name pc3.
<Sysname> system-view
[Sysname] object-group ip address ipgroup
[Sysname-obj-grp-ip-ipgroup] network host name pc3
# Configure an IPv4 address object with fuzzy-matching host name abc.
<Sysname> system-view
[Sysname] object-group ip address ipgroup1
[Sysname-obj-grp-ip-ipgroup1] network host name *abc*
# Configure an IPv4 address object with the IPv4 address of 192.167.0.0 and mask length of 24.
<Sysname> system-view
[Sysname] object-group ip address ipgroup
[Sysname-obj-grp-ip-ipgroup] network subnet 192.167.0.0 24
# Configure an IPv4 address object with the IPv4 address of 192.166.0.0 and mask of 255.255.0.0.
<Sysname> system-view
[Sysname] object-group ip address ipgroup
[Sysname-obj-grp-ip-ipgroup] network subnet 192.166.0.0 255.255.0.0
# Configure an IPv4 address object with the address range of 192.165.0.100 to 192.165.0.200.
<Sysname> system-view
[Sysname] object-group ip address ipgroup
[Sysname-obj-grp-ip-ipgroup] network range 192.165.0.100 192.165.0.200
# Configure an IPv4 address object using object group ipgroup2.
<Sysname> system-view
[Sysname] object-group ip address ipgroup
[Sysname-obj-grp-ip-ipgroup] network group-object ipgroup2
# Configure an IPv4 address object with the IPv4 address of 192.168.0.1 and wildcard mask of 0.0.255.0.
<Sysname> system-view
[Sysname] object-group ip address ipgroup
[Sysname-obj-grp-ip-ipgroup] network subnet 192.168.0.1 wildcard 0.0.255.0
# Configure an IPv4 address object using user user1 in domain domain1.
<Sysname> system-view
[Sysname] object-group ip address ipgroup
[Sysname-obj-grp-ip-ipgroup] network user user1 domain domain1
# Configure an IPv4 address object using user group usergroup1 in domain domain1.
<Sysname> system-view
[Sysname] object-group ip address ipgroup
[Sysname-obj-grp-ip-ipgroup] network user-group usergroup1 domain domain1
# Delete all IPv4 address objects in group ipgroup.
<Sysname> system-view
[Sysname] object-group ip address ipgroup
[Sysname-obj-grp-ip-ipgroup] undo network all
network (IPv6 address object group view)
Use network to configure an IPv6 address object.
Use undo network to delete an IPv6 address object.
Syntax
[ object-id ] network { host { address ipv6-address | name host-name } | subnet ipv6-address prefix-length | range ipv6-address1 ipv6-address2 | group-object object-group-name | user user-name [ domain domain-name ] | user-group user-group-name [ domain domain-name ] }
undo network { host { address ipv6-address | name host-name } | subnet ipv6-address prefix-length | range ipv6-address1 ipv6-address2 | group-object object-group-name | user user-name [ domain domain-name ] | user-group user-group-name [ domain domain-name ] | all }
undo object-id
Default
No IPv6 address objects exist.
Views
IPv6 address object group view
Predefined user roles
network-admin
Parameters
object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not specify an object ID, the system automatically assigns the object the next multiple of 10 above the greatest ID in use. For example, if the greatest ID is 22, the system automatically assigns 30.
host: Configures an IPv6 address object with the host address or name.
address ipv6-address: Specifies an IPv6 host address.
name host-name: Specifies a host name, a case-insensitive string of 1 to 253 characters. This parameter supports fuzzy matching. You can add an asterisk (*) to the front, end, or both of a string to indicate all host names that include the string. If no asterisks are attached, the system performs exact matching with the specified host name.
subnet ipv6-address prefix-length: Configures an IPv6 address object with the subnet address followed by the prefix length in the range of 0 to 128.
range ipv6-address1 ipv6-address2: Configures an IPv6 address object with the address range.
group-object object-group-name: Specifies an IPv6 address object group by its name, a case-insensitive string of 1 to 63 characters.
user user-name: Specifies a user by its name, a case-sensitive string of 1 to 55 characters.
user-group user-group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.
domain domain-name: Specifies the name of the domain to which the user or the user group belongs, a case-insensitive string of 1 to 255 characters. The string cannot contain question marks (?). If you do not specify this option, the command considers that the user or the user group does not belong to any domain.
all: Specifies all IPv6 address objects in the group.
Usage guidelines
This command fails if you use it to configure or change an IPv6 address object to be identical with an existing object.
This command creates an IPv6 address object if the specified object ID does not exist. Otherwise, the command overwrites the configuration of the specified object.
If you configure a subnet address with the prefix length of 128, the system configures the object with a host address.
When you use the range ipv6-address1 ipv6-address2 option, if ipv6-address1 is higher than ipv6-address2, the system adjusts the range to [ ipv6-address2, ipv6-address1 ].
When you use the group-object object-group-name option, follow these guidelines:
· The object group to be used must be an IPv6 address object group.
· If the specified object group does not exist, the system creates an IPv6 address object group with the name you specified and uses the object group for the object.
· Two object groups cannot use each other at the same time.
· The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group.
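Because name host-name accepts asterisks, an address object defined by host name can cover more names than intended. The following Python function is an added example, not H3C's code; it applies the matching rule stated for this parameter in the IPv4 and IPv6 views (exact match without asterisks, fuzzy match with asterisks at the front, end or both, case-insensitive) to a constructed host inventory. The page does not say whether a single asterisk anchors the string, so treating *s as a suffix match and s* as a prefix match is this example's assumption.

```python
"""Added example, not H3C's code: the `network host name` matching rule. No asterisk means an
exact, case-insensitive match; asterisks at the front, end or both mean a fuzzy match.
Assumption (not stated on the page): `*s` anchors s at the end of the name and `s*` at the
start. The inventory below is constructed."""


def host_name_matches(pattern, host_name):
    p, h = pattern.lower(), host_name.lower()  # host names are case-insensitive
    core = p.strip("*")
    if not core or "*" in core:  # assumption: only leading/trailing asterisks are meaningful
        raise ValueError("asterisks are allowed only at the front and/or end of a non-empty string")
    if p.startswith("*") and p.endswith("*"):
        return core in h  # *abc*: any host name that includes "abc"
    if p.startswith("*"):
        return h.endswith(core)  # *abc: assumed to anchor at the end
    if p.endswith("*"):
        return h.startswith(core)  # abc*: assumed to anchor at the start
    return h == core  # no asterisk: exact match


def resolve_members(pattern, inventory):
    """Host names in a known inventory that an object with this pattern would cover."""
    return sorted(h for h in inventory if host_name_matches(pattern, h))


# Constructed inventory, chosen to show how a suffix pattern over-matches.
INVENTORY = ["pc3", "PC3.example.com", "abc-build", "xabcx", "notexample.com", "www.example.com"]
```

resolve_members("*example.com", INVENTORY) returns notexample.com alongside the real example.com hosts, while "*.example.com" does not. When the object feeds an allow rule, the exact form or a pattern that includes the separating dot is the safer choice, and display object-group host shows what the device actually resolved for the pattern.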
Examples
# Configure an IPv6 address object with the host address of 1::1.
<Sysname> system-view
[Sysname] object-group ipv6 address ipv6group
[Sysname-obj-grp-ipv6-ipv6group] network host address 1::1
# Configure an IPv6 address object with exact-matching host name pc3.
<Sysname> system-view
[Sysname] object-group ipv6 address ipv6group
[Sysname-obj-grp-ipv6-ipv6group] network host name pc3
# Configure an IPv6 address object with fuzzy-matching host name abc.
<Sysname> system-view
[Sysname] object-group ipv6 address ipv6group1
[Sysname-obj-grp-ipv6-ipv6group1] network host name *abc*
# Configure an IPv6 address object with the IPv6 address of 1:1:1::1 and prefix length of 24.
<Sysname> system-view
[Sysname] object-group ipv6 address ipv6group
[Sysname-obj-grp-ipv6-ipv6group] network subnet 1:1:1::1 24
# Configure an IPv6 address object with the address range of 1:1:1::1 to 1:1:1::100.
<Sysname> system-view
[Sysname] object-group ipv6 address ipv6group
[Sysname-obj-grp-ipv6-ipv6group] network range 1:1:1::1 1:1:1::100
# Configure an IPv6 address object using object group ipv6group2.
<Sysname> system-view
[Sysname] object-group ipv6 address ipv6group
[Sysname-obj-grp-ipv6-ipv6group] network group-object ipv6group2
# Configure an IPv6 address object using user user1 in domain domain1.
<Sysname> system-view
[Sysname] object-group ipv6 address ipv6group
[Sysname-obj-grp-ipv6-ipv6group] network user user1 domain domain1
# Configure an IPv6 address object using user group usergroup1 in domain domain1.
<Sysname> system-view
[Sysname] object-group ipv6 address ipv6group
[Sysname-obj-grp-ipv6-ipv6group] network user-group usergroup1 domain domain1
# Delete all IPv6 address objects in group ipv6group.
<Sysname> system-view
[Sysname] object-group ipv6 address ipv6group
[Sysname-obj-grp-ipv6-ipv6group] undo network all
network exclude (IPv4 address object group view)
Use network exclude to exclude an IPv4 address or a subnet from an address object.
Use undo network exclude to restore the default.
Syntax
object-id network exclude ip-address
undo object-id network exclude ip-address
Default
No IPv4 address or subnet in an address object is excluded.
Views
IPv4 address object group view
Predefined user roles
network-admin
Parameters
object-id: Specifies an address object by its ID in the range of 1 to 4294967294. The specified address object must have been created.
ip-address: Specifies the IPv4 address to be excluded.
Usage guidelines
You can execute this command multiple times to exclude multiple IPv4 addresses from an address object. Make sure the excluded items do not overlap with each other.
Examples
# Configure an IPv4 address object with the IPv4 address of 192.166.0.0 and mask of 255.255.0.0. Exclude IPv4 address 192.166.0.10.
<Sysname> system-view
[Sysname] object-group ip address ipgroup
[Sysname-obj-grp-ip-ipgroup] 10 network subnet 192.166.0.0 255.255.0.0
[Sysname-obj-grp-ip-ipgroup] 10 network exclude 192.166.0.10
network exclude (IPv6 address object group view)
Use network exclude to exclude an IPv6 address or a subnet from an address object.
Use undo network exclude to restore the default.
Syntax
object-id network exclude ipv6-address
undo object-id network exclude ipv6-address
Default
No IPv6 address or subnet in an address object is excluded.
Views
IPv6 address object group view
Predefined user roles
network-admin
Parameters
object-id: Specifies an address object by its ID in the range of 1 to 4294967294. The specified address object must have been created.
ipv6-address: Specifies the IPv6 address to be excluded.
Usage guidelines
You can execute this command multiple times to exclude multiple IPv6 addresses from an address object. Make sure the excluded items do not overlap with each other.
Examples
# Configure an IPv6 address object with the IPv6 address of 1:1:1::1 and prefix length of 24. Exclude IPv6 address 1:1:1::10.
<Sysname> system-view
[Sysname] object-group ipv6 address ipv6group
[Sysname-obj-grp-ipv6-ipv6group] 10 network subnet 1:1:1::1 24
[Sysname-obj-grp-ipv6-ipv6group] 10 network exclude 1:1:1::10
object description
Use object description to configure a description for an object.
Use undo object description to restore the default.
Syntax
object object-id description text
undo object object-id description
Default
No description is configured for an object.
Views
Object group view
Predefined user roles
network-admin
Parameters
object-id: Specifies an object ID in the range of 0 to 4294967294. The object must already exist.
text: Specifies a description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure the description as This is a description for object 0 for IPv4 address object 0.
<Sysname> system-view
[Sysname] object-group ip address ipgroup
[Sysname-obj-grp-ip-ipgroup] 0 network host address 1.2.3.4
[Sysname-obj-grp-ip-ipgroup] object 0 description This is a description for object 0
Related commands
object-group
object-group
Use object-group to create an object group and enter its view, or enter the view of an existing object group.
Use undo object-group to delete an object group.
Syntax
object-group { { ip | ipv6 } { address | address-yundi } | mac-address | port | service | service-yundi } object-group-name
undo object-group { { ip | ipv6 } { address | address-yundi } | mac-address | port | service | service-yundi } object-group-name
Default
Default object groups exist.
Views
System view
Predefined user roles
network-admin
Parameters
ip address: Creates an IPv4 address object group.
ipv6 address: Creates an IPv6 address object group.
ip address-yundi: Creates an IPv4 address object group for a Yundi network.
ipv6 address-yundi: Creates an IPv6 address object group for a Yundi network.
mac-address: Creates a MAC object group.
port: Creates a port object group.
service: Creates a service object group.
service-yundi: Creates a service object group for a Yundi network.
object-group-name: Specifies an object group name, a case-insensitive string of 1 to 63 characters. The object group name must be globally unique.
Usage guidelines
The object-group command execution results vary with the specified object group.
· If the specified group does not exist, the system creates a new object group and enters the object group view.
· If the specified group exists but the group type is different from that in the command, the command fails.
The undo object-group command execution results vary with the specified object group.
· If the specified group does not exist, the system executes the command without any system prompt.
· If the specified group exists and the group type is the same as that in the command, the system deletes the group.
· If the specified group exists but the group type is different from that in the command, the command fails.
· If the specified object group is being used by an ACL, object policy, or object group, the command fails.
Default object groups cannot be deleted.
Address object groups and service object groups for a Yundi network can only use other existing object groups. You cannot create objects for Yundi address or service object groups.
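The create, delete and rename rules in these guidelines amount to a small state machine with referential-integrity checks. The following Python class is an added example, not H3C's code; it models object-group, undo object-group and object-group rename as described (create-or-enter, failure on type mismatch, silent no-op when deleting a missing group, refusal to delete a default or in-use group, rename of non-default groups only and globally unique names) together with the Yundi restriction that such groups may only use other existing groups. Group names, types and the referencing ACL or object policy names are constructed, and the reference() call stands in for the ACL and object policy modules that would hold those references on the device.

```python
"""Added example, not H3C's code: a model of the `object-group`, `undo object-group` and
`object-group rename` rules from the usage guidelines, including the Yundi restriction.
Names, types and referencing ACL/policy names are constructed."""


class ObjectGroupRegistry:
    def __init__(self, defaults=()):
        # name -> {"type": ..., "objects": [...]}; default groups exist from the start
        self.groups = {name: {"type": t, "objects": []} for name, t in defaults}
        self.defaults = {name for name, _ in defaults}
        self.used_by = {}  # group name -> set of ACLs, object policies or groups that use it

    def object_group(self, gtype, name):
        """`object-group TYPE NAME`: create and enter, or enter an existing group of that type."""
        if name not in self.groups:
            self.groups[name] = {"type": gtype, "objects": []}
            return "created"
        if self.groups[name]["type"] != gtype:
            raise ValueError(f"{name} already exists as type '{self.groups[name]['type']}'")
        return "entered"

    def add_object(self, name, kind, value):
        """Add an object to NAME; Yundi groups may only use other existing object groups."""
        g = self.groups[name]
        if g["type"].endswith("-yundi"):
            if kind != "group-object":
                raise ValueError("objects cannot be created in a Yundi object group")
            if value not in self.groups:
                raise ValueError("a Yundi object group can only use an existing object group")
        if kind == "group-object":
            self.used_by.setdefault(value, set()).add(name)
        g["objects"].append((kind, value))

    def reference(self, user, name):
        """Record that an ACL or object policy called USER uses group NAME (stand-in for those modules)."""
        self.used_by.setdefault(name, set()).add(user)

    def undo_object_group(self, gtype, name):
        """`undo object-group TYPE NAME` with the outcomes listed in the usage guidelines."""
        if name not in self.groups:
            return "no-op"  # executes without any system prompt
        if self.groups[name]["type"] != gtype:
            raise ValueError("type mismatch")
        if name in self.defaults:
            raise ValueError("default object groups cannot be deleted")
        if self.used_by.get(name):
            raise ValueError(f"{name} is in use by {sorted(self.used_by[name])}")
        for kind, value in self.groups.pop(name)["objects"]:  # release the references it held
            if kind == "group-object":
                self.used_by.get(value, set()).discard(name)
        return "deleted"

    def rename(self, old, new):
        """`object-group rename OLD NEW`: non-default groups only; NEW must be globally unique."""
        if old not in self.groups:
            raise ValueError(f"{old} does not exist")
        if old in self.defaults:
            raise ValueError("only non-default object groups can be renamed")
        if new in self.groups:
            raise ValueError("object group names must be globally unique")
        self.groups[new] = self.groups.pop(old)
        if old in self.used_by:  # users of the old name now use the new one
            self.used_by[new] = self.used_by.pop(old)
        for users in self.used_by.values():  # the renamed group keeps using what it used
            if old in users:
                users.discard(old)
                users.add(new)
        for g in self.groups.values():  # group-object entries follow the rename
            g["objects"] = [(k, new if k == "group-object" and v == old else v) for k, v in g["objects"]]
        return "renamed"


def attempt(command, *args):
    """Run a registry command; return None on success or the rejection reason (the CLI's error line)."""
    try:
        command(*args)
    except ValueError as err:
        return str(err)
```

The deletion check is the one that matters operationally: a group that a Yundi group, another group, an ACL or an object policy still references cannot be removed, and the error names the users, which is the information needed to decide whether those rules should be retargeted first. Renaming keeps both directions of the reference bookkeeping consistent so that a later delete still sees the right users.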
Examples
# Create an IPv4 address object group named ipgroup.
<Sysname> system-view
[Sysname] object-group ip address ipgroup
# Create an IPv6 address object group named ipv6group.
<Sysname> system-view
[Sysname] object-group ipv6 address ipv6group
# Create a MAC object group named groupmac.
<Sysname> system-view
[Sysname] object-group mac-address groupmac
# Create a port object group named portgroup.
<Sysname> system-view
[Sysname] object-group port portgroup
# Create a service object group named servicegroup.
<Sysname> system-view
[Sysname] object-group service servicegroup
# Create an IPv4 address object group named ipyundi for a Yundi network.
<Sysname> system-view
[Sysname] object-group ip address-yundi ipyundi
# Create an IPv6 address object group named ipv6yundi for a Yundi network.
<Sysname> system-view
[Sysname] object-group ipv6 address-yundi ipv6yundi
# Create a service object group named serviceyundi for a Yundi network.
<Sysname> system-view
[Sysname] object-group service-yundi serviceyundi
object-group rename
Use object-group rename to rename an object group.
Syntax
object-group rename old-object-group-name new-object-group-name
Views
System view
Predefined user roles
network-admin
Parameters
old-object-group-name: Specifies the name of the object group to be renamed, a case-insensitive string of 1 to 63 characters.
new-object-group-name: Specifies a new name for the object group, a case-insensitive string of 1 to 63 characters. The object group name must be globally unique.
Usage guidelines
You can only rename non-default object groups.
Examples
# Rename object group ipgroup1 to ipgroup2.
<Sysname> system-view
[Sysname] object-group rename ipgroup1 ipgroup2
Related commands
object-group
port (port object group view)
Use port to configure a port object.
Use undo port to delete a port object.
Syntax
[ object-id ] port { { eq | lt | gt } port | range port1 port2 | group-object object-group-name }
undo port { { eq | lt | gt } port | range port1 port2 | group-object object-group-name | all }
undo object-id
Default
No port objects exist.
Views
Port object group view
Predefined user roles
network-admin
Parameters
object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not specify an object ID, the system automatically assigns the object the next multiple of 10 greater than the greatest ID in use. For example, if the greatest ID is 22, the system automatically assigns 30.
eq: Configures a port object with a port number equal to the specified port.
lt: Configures a port object with a port number smaller than the specified port.
gt: Configures a port object with a port number greater than the specified port.
port: Specifies a port number in the range of 0 to 65535.
range port1 port2: Configures a port object with a port range. The value range for the port1 and port2 arguments is 0 to 65535.
group-object object-group-name: Specifies a port object group by its name, a case-insensitive string of 1 to 63 characters.
all: Specifies all port objects in the group.
Usage guidelines
This command fails if you use it to configure or change a port object to be identical with an existing object.
This command creates a port object if the specified object ID does not exist. Otherwise, the command overwrites the configuration of the specified object.
When you use the lt port option, follow these guidelines:
· The value of port cannot be 0.
· If the value of port is 1, the system configures the object with a port number of 0.
· If the value of port is in the range of 2 to 65535, the system configures the object with a port number range of [0, port–1].
When you use the gt port option, follow these guidelines:
· The value of port cannot be 65535.
· If the value of port is 65534, the system configures the object with a port number of 65535.
· If the value of port is in the range of 0 to 65533, the system configures the object with a port number range of [port+1, 65535].
When you use the range port1 port2 option, follow these guidelines:
· If port1 is equal to port2, the system configures the object with the port number port1.
· If port1 is smaller than port2, the system configures the object with the port number range.
· If port1 is greater than port2, the system changes the range to [port2, port1] and configures the object with the changed port number range.
· If port1 is 0, the range is displayed as lt port2+1.
· If port2 is 65535, the range is displayed as gt port1–1.
When you use the group-object object-group-name option, follow these guidelines:
· The object group to be used must be a port object group.
· If the specified object group does not exist, the system creates a port object group with the name you specified and uses the object group for the object.
· Two object groups cannot use each other at the same time.
· The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group.
Examples
# Configure a port object with a port number of 100.
<Sysname> system-view
[Sysname] object-group port portgroup
[Sysname-obj-grp-port-portgroup] port eq 100
# Configure a port object with a port number smaller than 20.
<Sysname> system-view
[Sysname] object-group port portgroup
[Sysname-obj-grp-port-portgroup] port lt 20
# Configure a port object with a port number greater than 60000.
<Sysname> system-view
[Sysname] object-group port portgroup
[Sysname-obj-grp-port-portgroup] port gt 60000
# Configure a port object with a port number in the range of 1000 to 2000.
<Sysname> system-view
[Sysname] object-group port portgroup
[Sysname-obj-grp-port-portgroup] port range 1000 2000
# Configure a port object using object group portgroup2.
<Sysname> system-view
[Sysname] object-group port portgroup
[Sysname-obj-grp-port-portgroup] port group-object portgroup2
# Delete all port objects in object group portgroup.
<Sysname> system-view
[Sysname] object-group port portgroup
[Sysname-obj-grp-port-portgroup] undo port all
service (service object group view)
Use service to configure a service object.
Use undo service to delete a service object.
Syntax
[ object-id ] service { protocol [ { source { { eq | lt | gt } port | range port1 port2 } | destination { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ] | group-object object-group-name }
undo service { protocol [ { source { { eq | lt | gt } port | range port1 port2 } | destination { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ] | group-object object-group-name | all }
undo object-id
Default
No service objects exist.
Views
Service object group view
Predefined user roles
network-admin
Parameters
object-id: Configures an object ID in the range of 0 to 4294967294. If you do not configure an ID for the object, the system automatically assigns the object the next multiple of 10 greater than the greatest ID in use. For example, if the greatest ID is 22, the automatically assigned ID is 30.
protocol: Configures a protocol number in the range of 0 to 255, or a protocol name such as TCP, UDP, SCTP, ICMP, or ICMPv6.
source: Configures a service object with a source port when the protocol is TCP, UDP, or SCTP.
destination: Configures a service object with a destination port when the protocol is TCP, UDP, or SCTP.
eq: Configures a port equal to the specified port.
lt: Configures a port smaller than the specified port.
gt: Configures a port greater than the specified port.
port: Specifies a port number in the range of 0 to 65535.
range port1 port2: Configures a service object with a port range. The value range for the port1 and port2 arguments is 0 to 65535.
icmp-type: Configures the ICMP message type in the range of 0 to 255.
icmp-code: Configures the ICMP message code in the range of 0 to 255.
icmpv6-type: Configures the ICMPv6 message type in the range of 0 to 255.
icmpv6-code: Configures the ICMPv6 message code in the range of 0 to 255.
group-object object-group-name: Specifies a service object group by its name, a case-insensitive string of 1 to 31 characters.
all: Specifies all service objects in the group.
Usage guidelines
This command fails if you use it to configure or change a service object to be identical with an existing object.
This command creates a service object if the specified object ID does not exist. Otherwise, the command overwrites the configuration of the specified object.
When you use the lt port option, follow these guidelines:
· The value of port cannot be 0.
· If the value of port is in the range of 1 to 65535, the system configures the object with a port number range of [0, port–1].
When you use the gt port option, follow these guidelines:
· The value of port cannot be 65535.
· If the value of port is in the range of 0 to 65534, the system configures the object with a port number range of [port+1, 65535].
When you use the range port1 port2 option, if port1 is greater than port2, the system changes the range to [port2, port1].
When you use the group-object object-group-name option, follow these guidelines:
· The object group to be used must be a service object group.
· If the specified object group does not exist, the system creates a service object group with the name you specified and uses the object group for the object.
· Two object groups cannot use each other at the same time.
· The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group.
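The lt, gt and range normalization rules, the duplicate-object restriction, and the group-object nesting limits are stated for both the port object group view and the service object group view above. The following Python validator is an added example, not the device's own code, that applies those rules offline so a configuration can be checked before it is pushed: normalize_port maps each operator to the inclusive interval the device stores, display_port renders it the way the port object group view displays ranges, PortObjectGroup rejects identical objects and assigns IDs, and Registry refuses mutual group use and chains longer than five layers. The class and function names, and the choice of 0 as the first automatically assigned ID in an empty group, are assumptions of the example; the reference does not state a starting ID.

```python
"""Offline validator for port object definitions and group-object nesting,
following the lt/gt/range, duplicate-object and hierarchy rules in the
port and service usage guidelines. Added example, not the device's code."""

from typing import Dict, Optional, Set, Tuple

PORT_MIN, PORT_MAX = 0, 65535
MAX_LAYERS = 5  # the reference allows at most five object group hierarchy layers


def normalize_port(op: str, port1: int, port2: Optional[int] = None) -> Tuple[int, int]:
    """Map eq/lt/gt/range to the inclusive port interval the device stores."""
    for p in (port1, port2):
        if p is not None and not PORT_MIN <= p <= PORT_MAX:
            raise ValueError(f"port {p} outside {PORT_MIN}-{PORT_MAX}")
    if op == "eq":
        return (port1, port1)
    if op == "lt":                       # lt 0 is rejected; lt 1 becomes port 0
        if port1 == PORT_MIN:
            raise ValueError("lt 0 is not allowed")
        return (PORT_MIN, port1 - 1)
    if op == "gt":                       # gt 65535 is rejected; gt 65534 becomes 65535
        if port1 == PORT_MAX:
            raise ValueError("gt 65535 is not allowed")
        return (port1 + 1, PORT_MAX)
    if op == "range":
        if port2 is None:
            raise ValueError("range needs port1 and port2")
        return (min(port1, port2), max(port1, port2))  # port1 > port2 is swapped
    raise ValueError(f"unknown operator {op!r}")


def display_port(interval: Tuple[int, int]) -> str:
    """Render an interval the way the port object group view displays it."""
    lo, hi = interval
    if lo == hi:
        return f"eq {lo}"
    if lo == PORT_MIN:
        return f"lt {hi + 1}"
    if hi == PORT_MAX:
        return f"gt {lo - 1}"
    return f"range {lo} {hi}"


class PortObjectGroup:
    def __init__(self, name: str) -> None:
        self.name = name
        self.objects: Dict[int, Tuple[int, int]] = {}   # object-id -> interval
        self.group_refs: Set[str] = set()               # lower-cased keys of used groups

    def next_id(self) -> int:
        """Next multiple of 10 above the greatest ID in use (22 -> 30).
        Assumption: an empty group starts at ID 0; the reference does not say."""
        if not self.objects:
            return 0
        return (max(self.objects) // 10 + 1) * 10

    def port(self, op: str, port1: int, port2: Optional[int] = None,
             object_id: Optional[int] = None) -> int:
        """Create or overwrite a port object; an identical object is rejected."""
        interval = normalize_port(op, port1, port2)
        oid = self.next_id() if object_id is None else object_id
        for other_id, other in self.objects.items():
            if other_id != oid and other == interval:
                raise ValueError(f"object {other_id} already defines {display_port(interval)}")
        self.objects[oid] = interval
        return oid


class Registry:
    """Named port object groups plus the group-object nesting checks."""

    def __init__(self) -> None:
        self.groups: Dict[str, PortObjectGroup] = {}

    def get(self, name: str) -> PortObjectGroup:
        # names are case-insensitive; a group that does not exist is created on reference
        key = name.lower()
        if key not in self.groups:
            self.groups[key] = PortObjectGroup(name)
        return self.groups[key]

    def _height(self, key: str) -> int:   # longest chain of groups starting at key
        return 1 + max((self._height(c) for c in self.groups[key].group_refs), default=0)

    def _depth(self, key: str) -> int:    # longest chain of groups ending at key
        parents = [k for k, g in self.groups.items() if key in g.group_refs]
        return 1 + max((self._depth(p) for p in parents), default=0)

    def _reaches(self, src: str, dst: str) -> bool:
        return src == dst or any(self._reaches(c, dst) for c in self.groups[src].group_refs)

    def group_object(self, group: str, used: str) -> None:
        """Let `group` use `used`, refusing mutual use and more than five layers."""
        g, u = self.get(group), self.get(used)
        gk, uk = group.lower(), used.lower()
        if self._reaches(uk, gk):
            raise ValueError(f"{u.name} and {g.name} would use each other")
        if self._depth(gk) + self._height(uk) > MAX_LAYERS:
            raise ValueError(f"nesting would exceed {MAX_LAYERS} layers")
        g.group_refs.add(uk)
```

With groups 1 through 5 chained as in the guideline, group_object("g5", "g6") and group_object("g0", "g1") are both refused, because either would make a chain of six groups, and group_object("g3", "g1") is refused as mutual use.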
Examples
# Configure a service object with a protocol number of 100.
<Sysname> system-view
[Sysname] object-group service servicegroup
[Sysname-obj-grp-service-servicegroup] service 100
# Configure a service object with the source and destination port numbers for the TCP service.
<Sysname> system-view
[Sysname] object-group service servicegroup
[Sysname-obj-grp-service-servicegroup] service tcp source eq 100 destination range 10 100
# Configure a service object with the message type and code for the ICMP service.
<Sysname> system-view
[Sysname] object-group service servicegroup
[Sysname-obj-grp-service-servicegroup] service icmp 100 150
# Configure a service object using object group servicegroup2.
<Sysname> system-view
[Sysname] object-group service servicegroup
[Sysname-obj-grp-service-servicegroup] service group-object servicegroup2
# Delete all service objects in object group servicegroup.
<Sysname> system-view
[Sysname] object-group service servicegroup
[Sysname-obj-grp-service-servicegroup] undo service all
yundi alias
Use yundi alias to specify an alias and tenant ID for an object group in a Yundi network.
Use undo yundi alias to restore the default.
Syntax
yundi alias alias tenant tenant-id
undo yundi alias alias tenant tenant-id
Default
The alias and tenant ID are not specified.
Views
Object group view
Predefined user roles
network-admin
Parameters
alias: Specifies the object group alias, a case-insensitive string of 1 to 63 characters.
tenant tenant-id: Specifies the object group tenant ID, a case-insensitive string of 1 to 63 characters.
Usage guidelines
In a Yundi network, the tenant specifies an alias and tenant ID on the controller at object group creation, and then the controller deploys the alias and tenant ID to devices. As a best practice, do not perform this task manually on devices.
Examples
# Specify alias alias1 and tenant ID tenant1 for IPv4 address object group ipgroup.
<Sysname> system-view
[Sysname] object-group ip address ipgroup
[Sysname-obj-grp-ip-ipgroup] yundi alias alias1 tenant tenant1