Login
- Table of Contents
-
- 16-Security Configuration Guide
- 00-Preface
- 01-ACL configuration
- 02-Time range configuration
- 03-User profile configuration
- 04-Password control configuration
- 05-Public key management
- 06-PKI configuration
- 07-IPsec configuration
- 08-SSH configuration
- 09-SSL configuration
- 10-SSL VPN configuration
- 11-Session management
- 12-Connection limit configuration
- 13-Attack detection and prevention configuration
- 14-ARP attack protection configuration
- 15-ND attack defense configuration
- 16-ASPF configuration
- 17-Protocol packet rate limit configuration
- 18-Crypto engine configuration
- 19-Security policy configuration
- 20-Object group configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 20-Object group configuration | 89.71 KB |
Restrictions and guidelines: Object group configuration
Configuring a MAC address object group
Configuring an IPv4 address object group
Configuring an IPv6 address object group
Configuring a port object group
Configuring a service object group
Display and maintenance commands for object groups
Configuring object groups
About object groups
An object group is a group of objects that can be used by an ACL, object policy, or object group to identify packets. Object groups are divided into the following types:
· MAC address object group—A group of MAC address objects used to match the MAC address in a packet.
· IPv4 address object group—A group of IPv4 address objects used to match the IPv4 address in a packet or match the user from whom a packet comes.
· IPv6 address object group—A group of IPv6 address objects used to match the IPv6 address in a packet or match the user from whom a packet comes.
· Port object group—A group of port objects used to match the protocol port number in a packet.
· Service object group—A group of service objects used to match the upper-layer service in a packet.
Restrictions and guidelines: Object group configuration
You cannot edit an object group if the group is used by a global static NAT rule.
Address object groups and service object groups for a Yundi network can only use other existing object groups. You cannot create objects for Yundi address or service object groups. Object groups for a Yundi network are configured on a remote controller, and as a best practice, do not configure these object groups on the device manually.
Configuring a MAC address object group
1. Enter system view.
system-view
2. Create a MAC address object group and enter its view.
object-group mac-address object-group-name
The system has one default IPv4 address object group named any.
3. (Optional.) Configure a description for the MAC address object group.
description text
By default, an object group does not have a description.
4. (Optional.) Specify an alias and tenant ID for the MAC address object group in a Yundi network.
yundi alias alias tenant tenant-id
By default, the alias and tenant ID are not specified.
Typically, the alias and tenant ID are deployed by the remote controller to devices. As a best practice, do not perform this task manually on devices.
5. Configure a MAC address object.
[ object-id ] mac { mac-address | group-object group-object-name }
6. Configure a description for the MAC address object.
description text
By default, a MAC address object does not have a description.
Configuring an IPv4 address object group
1. Enter system view.
system-view
2. Create an IPv4 address object group and enter its view.
object-group ip { address | address-yundi } object-group-name
The system has one default IPv4 address object group named any.
3. (Optional.) Configure a description for the IPv4 address object group.
description text
By default, an object group does not have a description.
4. (Optional.) Specify an alias and tenant ID for the IPv4 address object group in a Yundi network.
yundi alias alias tenant tenant-id
By default, the alias and tenant ID are not specified.
Typically, the alias and tenant ID are deployed by the remote controller to devices. As a best practice, do not perform this task manually on devices.
5. Configure an IPv4 address object.
[ object-id ] network { host { address ip-address | name host-name } | subnet ip-address { mask-length | mask | wildcard wildcard } | range ip-address1 ip-address2 | group-object object-group-name | user user-name [ domain domain-name ] | user-group user-group-name [ domain domain-name ] }
6. Configure a description for the IPv4 address object.
description text
By default, an IPv4 address object does not have a description.
7. Exclude an IPv4 address from the IPv4 address object.
object-id network exclude ip-address
By default, no IPv4 address in an IPv4 address object is excluded.
Configuring an IPv6 address object group
1. Enter system view.
system-view
2. Create an IPv6 address object group and enter its view.
object-group ipv6 { address | address-yundi } object-group-name
The system has one default IPv6 address object group named any.
3. (Optional.) Configure a description for the IPv6 address object group.
description text
By default, an object group does not have a description.
4. (Optional.) Specify an alias and tenant ID for the IPv6 address object group in a Yundi network.
yundi alias alias tenant tenant-id
By default, the alias and tenant ID are not specified.
Typically, the alias and tenant ID are deployed by the remote controller to devices. As a best practice, do not perform this task manually on devices.
5. Configure an IPv6 address object.
[ object-id ] network { host { address ipv6-address | name host-name } | subnet ipv6-address prefix-length | range ipv6-address1 ipv6-address2 | group-object object-group-name | user user-name [ domain domain-name ] | user-group user-group-name [ domain domain-name ] }
6. Configure a description for the IPv6 address object.
description text
By default, an IPv6 address object does not have a description.
7. Exclude an IPv6 address from the IPv6 address object.
object-id network exclude ip-address
By default, no IPv6 address in an IPv6 address object is excluded.
Configuring a port object group
1. Enter system view.
system-view
2. Create a port object group and enter its view.
object-group port object-group-name
The system has one default port object group named any.
3. (Optional.) Configure a description for the port object group.
description text
By default, an object group does not have a description.
4. (Optional.) Specify an alias and tenant ID for the port object group in a Yundi network.
yundi alias alias tenant tenant-id
By default, the alias and tenant ID are not specified.
Typically, the alias and tenant ID are deployed by the remote controller to devices. As a best practice, do not perform this task manually on devices.
5. Configure a port object.
[ object-id ] port { { eq | lt | gt } port | range port1 port2 | group-object object-group-name }
6. Configure a description for the port object.
description text
By default, a port object does not have a description.
Configuring a service object group
1. Enter system view.
system-view
2. Create a service object group and enter its view.
object-group { service | service-yundi } object-group-name
The system has multiple default service object groups.
3. (Optional.) Configure a description for the service object group.
description text
By default, an object group does not have a description.
4. (Optional.) Specify an alias and tenant ID for the service object group in a Yundi network.
yundi alias alias tenant tenant-id
By default, the alias and tenant ID are not specified.
Typically, the alias and tenant ID are deployed by the remote controller to devices. As a best practice, do not perform this task manually on devices.
5. Configure a service object.
[ object-id ] service { protocol [ { source { { eq | lt | gt } port | range port1 port2 } | destination { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ] | group-object object-group-name }
6. Configure a description for the service object.
description text
By default, a service object does not have a description.
Renaming an object group
1. Enter system view.
system-view
2. Rename an object group.
object-group rename old-object-group-name new-object-group-name
You can only rename non-default object groups.
Display and maintenance commands for object groups
Execute display commands in any view.
|
Task |
Command |
|
Display information about object groups. |
display object-group [ { { ip | ipv6 } { address | address-yundi } | mac-address | port | service | service-yundi } [ default ] [ name object-group-name ] | name object-group-name ] |
|
Display IPv4 or IPv6 addresses for host names. |
display object-group { ip | ipv6 } host { all | object-group-name object-group-name | name host-name } * |
|
Display information about the object group module waiting for responses from external modules. |
display object-group notify-list |
|
Display information about the IP address corresponding to the kernel host name. |
display object-group kernel { ip | ipv6 } host { object-group-name object-group-name | name host-name } * |
|
Display information about the address object group containing the specified IP address. |
display object-group query { ip ip-address | ipv6 ipv6-address } [ group-object object-group-name ] [ verbose ] |
