11-Security Command Reference


Object group commands

description

Use description to configure a description for an object group.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for an object group.

Views

Object group view

Predefined user roles

network-admin

mdc-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Examples

# Configure the description as This is an IPv4 object-group for an IPv4 address object group.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] description This is an IPv4 object-group

display object-group

Use display object-group to display information about object groups.

Syntax

display object-group [ ip address [ default ] [ name object-group-name ] | name object-group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

ip address: Specifies the IPv4 address object groups.

default: Specifies the default object groups.

name object-group-name: Specifies an object group by its name, a case-insensitive string of 1 to 31 characters.

Examples

# Display information about all object groups.

<Sysname> display object-group

IP address object group obj1: 0 object(in use)

 

IP address object group obj2: 4 objects(out of use)

0 network host address 1.1.1.1

10 network host name host

20 network subnet 1.1.1.1 255.255.255.0

60 network host name host vpn-instance vpn1

# Display information about object group obj2.

<Sysname> display object-group name obj2

IP address object-group obj2: 4 objects(out of use)

0 network host address 1.1.1.1

10 network host name host

20 network subnet 1.1.1.1 255.255.255.0

50 network host name host vpn-instance vpn1

# Display information about all IPv4 address object groups.

<Sysname> display object-group ip address

IP address object-group obj1: 0 object(in use)

 

IP address object-group obj2: 4 objects(out of use)

0 network host address 1.1.1.1

10 network host name host

20 network subnet 1.1.1.1 255.255.255.0

50 network host name host vpn-instance vpn1

# Display information about IPv6 address object group obj4.

<Sysname> display object-group ipv6 address name obj4

IPv6 address object-group obj4: 5 objects(out of use)

0 network host address 1::1:1

10 network host name host

20 network subnet 1::1:0 112

Table 1 Command output

Field          Description
in use         The object group is used by an ACL or object group.
out of use     The object group is not used.


display object-group host

Use display object-group host to display IPv4 or IPv6 addresses for host names.

Syntax

In standalone mode:

display object-group { ip | ipv6 } host { object-group-name object-group-name | name host-name [ vpn-instance vpn-instance-name ] } * [ slot slot-number ]

In IRF mode:

display object-group { ip | ipv6 } host { object-group-name object-group-name | name host-name [ vpn-instance vpn-instance-name ] } * [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

object-group-name object-group-name: Specifies an object group by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays information about the specified host name.

name host-name: Specifies a host by its name, a case-insensitive string of 1 to 253 characters. If you do not specify this option, the command displays information about all the included and excluded host names in the specified object group.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the host belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the host resides on the public network, do not specify this option.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (In IRF mode.)

Examples

# Display IPv4 addresses for host name a.example.com in object group group1.

<Sysname> display object-group ip host object-group-name group1 name a.example.com

Object group       : group1

  Object ID        : 0

    Host name      : a.example.com

    VPN instance   : -

      Updated at   : 2019-05-20 11:04:24

      IP addresses :

        169.0.0.10

        169.0.0.11

# Display IPv6 addresses for all host names in object group group1.

<Sysname> display object-group ipv6 host object-group-name group1

Object group       : group1

  Object ID        : 0

    Host name      : www.a.example.com

      Updated at   : 2019-05-20 11:04:24

      IP addresses :

        169:0::0:10

        169:0::0:11

  Object ID        : 10

    Host name      : www.b.example.com

      Updated at   : 2019-05-20 11:04:24

      IP addresses :

        169:0::0:11

        169:0::0:12

Table 2 Command output

Field          Description
VPN instance   VPN to which the host belongs.


Related commands

object-group

display object-group kernel

Use display object-group kernel to display information about the IP address corresponding to the kernel host name.

Syntax

In standalone mode:

display object-group kernel { ip | ipv6 } host { object-group-name object-group-name | name host-name [ vpn-instance vpn-instance-name ] } * [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display object-group kernel { ip | ipv6 } host { object-group-name object-group-name | name host-name [ vpn-instance vpn-instance-name ] } * [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

ip: Specifies the IPv4 address object group.

ipv6: Specifies the IPv6 address object group.

object-group-name object-group-name: Specifies an object group by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays the IP address corresponding to the specified or excluded host name in any object group.

name host-name: Specifies the host name, a case-insensitive string of 1 to 60 characters. If you do not specify this option, the command displays the IP addresses corresponding to all host names and excluded host names in the specified object group.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the host belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the host resides on the public network, do not specify this option.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays packet statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays packet statistics for all cards. (In IRF mode.)

Usage guidelines

Non-default vSystems do not support this command.

Examples

# Display information about the IP address corresponding to the kernel host name.

<Sysname> display object-group kernel ip host object-group-name group1 name a.example.com

Object group       : group1

  Object ID        : 0

    Host name      : a.example.com

    VPN instance   : -

      Updated at   : 2019-05-20 11:04:24

      IP addresses :

        169.0.0.10

        169.0.0.11

Table 3 Command output

Field          Description
Object group   Object group name.
Object ID      Object ID.
Host name      Host name.
VPN instance   VPN to which the host belongs.
Updated at     Most recent time at which the IP address corresponding to the host name was updated.
IP addresses   IP address corresponding to the host name.


Related commands

object-group

network (IPv4 address object group view)

Use network to configure an IPv4 address object.

Use undo network to delete an IPv4 address object.

Syntax

[ object-id ] network { host { address ip-address | name host-name [ vpn-instance vpn-instance-name ] } | subnet ip-address { mask-length | mask } | range ip-address1 ip-address2 }

undo network { host { address ip-address | name host-name } | subnet ip-address { mask-length | mask }  | range ip-address1 ip-address2 }

undo object-id

Default

No IPv4 address objects exist.

Views

IPv4 address object group view

Predefined user roles

network-admin

mdc-admin

Parameters

object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not specify an object ID, the system automatically assigns the object the next multiple of 10 greater than the greatest ID in use. For example, if the greatest ID is 22, the system automatically assigns 30.

host: Configures an IPv4 address object with the host address or name.

address ip-address: Specifies an IPv4 host address.

name host-name: Specifies a host name, a case-insensitive string of 1 to 60 characters.

subnet ip-address { mask-length | mask }: Configures an IPv4 address object with the subnet address followed by a mask length in the range of 0 to 32 or a mask in dotted decimal notation.

range ip-address1 ip-address2: Configures an IPv4 address object with the address range.

Usage guidelines

This command fails if you use it to configure or change an IPv4 address object so that it becomes identical to an existing object.

This command creates an IPv4 address object if the specified object ID does not exist. Otherwise, the command overwrites the configuration of the specified object.

If you configure a subnet with the mask length of 32 or the mask of 255.255.255.255, the system configures the object with a host address.
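The following is an added model of the ID assignment and usage guidelines above (example code written for this page, not H3C code). It assumes that the first automatically assigned ID in an empty group is 0, which matches the object IDs shown in the display output on this page.

```python
import ipaddress


class Ipv4ObjectGroup:
    """Illustrative model of an IPv4 address object group (not H3C code)."""

    MAX_ID = 4294967294

    def __init__(self, name):
        self.name = name
        self.objects = {}  # object-id -> normalized object tuple

    def next_id(self):
        # Next multiple of 10 greater than the greatest ID in use.
        # Assumption: an empty group starts at ID 0.
        if not self.objects:
            return 0
        return (max(self.objects) // 10 + 1) * 10

    @staticmethod
    def normalize(kind, *args):
        # A /32 subnet (or mask 255.255.255.255) is stored as a host address;
        # other subnets are stored as network address plus prefix length.
        if kind == "subnet":
            net = ipaddress.IPv4Network(f"{args[0]}/{args[1]}", strict=False)
            if net.prefixlen == 32:
                return ("host", "address", str(net.network_address))
            return ("subnet", str(net.network_address), net.prefixlen)
        return (kind,) + tuple(args)

    def network(self, kind, *args, object_id=None):
        """Create or overwrite one object; fail if it duplicates an existing one."""
        obj = self.normalize(kind, *args)
        if obj in self.objects.values():
            raise ValueError(f"{self.name}: identical object already exists")
        if object_id is None:
            object_id = self.next_id()
        if not 0 <= object_id <= self.MAX_ID:
            raise ValueError("object ID out of range")
        self.objects[object_id] = obj  # existing ID: configuration overwritten
        return object_id
```

A host object 192.168.0.1 and a later `subnet 192.168.0.1 32` normalize to the same object, so the second command fails as the guideline describes.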

Examples

# Configure an IPv4 address object with the host address of 192.168.0.1.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network host address 192.168.0.1

# Configure an IPv4 address object with the host name of pc3.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network host name pc3

# Configure an IPv4 address object with the host name of pc1 and the VPN instance name of vpn1.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network host name pc1 vpn-instance vpn1

# Configure an IPv4 address object with the IPv4 address of 192.167.0.0 and mask length of 24.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network subnet 192.167.0.0 24

# Configure an IPv4 address object with the IPv4 address of 192.166.0.0 and mask of 255.255.0.0.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network subnet 192.166.0.0 255.255.0.0

network (IPv6 address object group view)

Use network to configure an IPv6 address object.

Use undo network to delete an IPv6 address object.

Syntax

[ object-id ] network { host { address ipv6-address | name host-name } | subnet ipv6-address prefix-length | range ipv6-address1 ipv6-address2 }

undo network { host { address ipv6-address | name host-name } | subnet ipv6-address prefix-length | range ipv6-address1 ipv6-address2 }

undo object-id

Default

No IPv6 address objects exist.

Views

IPv6 address object group view

Predefined user roles

network-admin

mdc-admin

Parameters

object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not configure an object ID, the system automatically assigns the object the next multiple of 10 greater than the greatest ID in use. For example, if the greatest ID is 22, the system automatically assigns 30.

host: Configures an IPv6 address object with the host address or name.

address ipv6-address: Specifies an IPv6 host address.

name host-name: Specifies a host name, a case-insensitive string of 1 to 60 characters.

subnet ipv6-address prefix-length: Configures an IPv6 address object with the subnet address followed by the prefix length in the range of 1 to 128.

range ipv6-address1 ipv6-address2: Configures an IPv6 address range.


Usage guidelines

This command fails if you use it to configure or change an IPv6 address object so that it becomes identical to an existing object.

This command creates an IPv6 address object if the specified object ID does not exist. Otherwise, the command overwrites the configuration of the specified object.

If you configure a subnet address with the prefix length of 128, the system configures the object with a host address.

When you use the range ipv6-address1 ipv6-address2 option, follow these guidelines:

·     If ipv6-address1 is equal to ipv6-address2, the system configures the object with a host address.

·     If ipv6-address1 is not equal to ipv6-address2, the system compares the two IPv6 addresses, configures a range starting with the lower IPv6 address, and performs the following operations:

      ○     Configures the object with an address range if the two addresses are in different subnets.

      ○     Configures the object with a subnet address if the two addresses are in the same subnet.
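The range rules above, worked through as an added example (written for this page, not H3C code). It assumes that "in the same subnet" means the two addresses bound exactly one prefix-aligned block, so the object can be stored as a subnet with a prefix length.

```python
import ipaddress


def normalize_ipv6_range(addr1, addr2):
    """Classify a 'network range ipv6-address1 ipv6-address2' object.

    Illustrative model of the documented rules, not H3C code.
    Returns ("host", addr), ("subnet", addr, prefix_len) or ("range", lo, hi).
    Assumption: "same subnet" means lo..hi is exactly one aligned prefix block.
    """
    a1, a2 = ipaddress.IPv6Address(addr1), ipaddress.IPv6Address(addr2)
    if a1 == a2:                        # equal addresses: a host object
        return ("host", str(a1))
    lo, hi = sorted((a1, a2))           # the range starts with the lower address
    blocks = list(ipaddress.summarize_address_range(lo, hi))
    if len(blocks) == 1:                # one aligned block: a subnet object
        net = blocks[0]
        return ("subnet", str(net.network_address), net.prefixlen)
    return ("range", str(lo), str(hi))  # otherwise an address range object
```

The example on this page, `network range 1:1:1::1 1:1:1::100`, stays a range because 1:1:1::1 is not aligned to a 256-address block, whereas 1:1:1:: to 1:1:1::ffff collapses to subnet 1:1:1:: with prefix length 112.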

Examples

# Configure an IPv6 address object with the host address of 1::1.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network host address 1::1

# Configure an IPv6 address object with the host name of pc3.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network host name pc3

# Configure an IPv6 address object with the IPv6 address of 1:1:1::1 and prefix length of 24.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network subnet 1:1:1::1 24

# Configure an IPv6 address object with the address range of 1:1:1::1 to 1:1:1::100.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network range 1:1:1::1 1:1:1::100

object-group

Use object-group to configure an object group and enter its view, or enter the view of an existing object group.

Use undo object-group to delete an object group.

Syntax

object-group { { ip | ipv6 } address | port } object-group-name

undo object-group ip address object-group-name

Default

Default object groups exist.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ip address: Configures an IPv4 address object group.

ipv6 address: Configures an IPv6 address object group.

object-group-name: Specifies an object group name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The object-group command execution results vary with the specified object group.

·     If the specified group does not exist, the system creates a new object group and enters the object group view.

·     If the specified group exists but the group type is different from that in the command, the command fails.

The undo object-group command execution results vary with the specified object group.

·     If the specified group does not exist, the system executes the command without any system prompt.

·     If the specified group exists and the group type is the same as that in the command, the system deletes the group.

·     If the specified group exists but the group type is different from that in the command, the command fails.

·     If the specified object group is being used by an ACL, object policy, or object group, the command fails.

Default object groups cannot be deleted.

Examples

# Configure an IPv4 address object group named ipgroup.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

object-group dns-aging

Use object-group dns-aging to enable aging of DNS-resolved IP addresses from host names.

Use undo object-group dns-aging to disable aging of DNS-resolved IP addresses from host names.

Syntax

object-group dns-aging [ time aging-time ]

undo object-group dns-aging

Default

Aging of DNS-resolved IP addresses from host names is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

time aging-time: Specifies the aging time in the range of 1 to 70000000 minutes. The default value is 120.

Usage guidelines

Non-default vSystems do not support this command.

In load balancing scenarios where one host name maps to several IP addresses, the DNS-resolved IP address for the host name changes among these mapped addresses. Upon every change, the object group module notifies the relevant policies (such as security policies) of the change, which causes the policies to commit changes frequently and consumes memory. To resolve this issue, you can enable aging of DNS-resolved IP addresses from host names.

With this feature enabled, the system maintains an IP address group for each host name. If a resolved IP address is not in the group, the system adds the address to the group and notifies relevant policies of the change. If a resolved IP address is in the group, the system does not notify relevant policies.

As a best practice, set the aging time to be longer than the TTL of resolution records on the DNS server.
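An added simulation of the behaviour described in these guidelines (example code written for this page, not H3C code). Times are whole minutes on a constructed clock, `aging_minutes` stands in for the `object-group dns-aging time` value, and `notifications_without_aging` is a constructed baseline showing how many policy updates the same answers would cause with the feature disabled.

```python
class DnsAgingHostObject:
    """Resolved-address group for one host-name object (illustrative model, not H3C code).

    Times are whole minutes on a constructed clock; aging_minutes mirrors the
    'object-group dns-aging time' value (default 120).
    """

    def __init__(self, host_name, aging_minutes=120):
        self.host_name = host_name
        self.aging_minutes = aging_minutes
        self.addresses = {}      # ip -> minute it was last returned by DNS
        self.notifications = []  # (minute, event, addresses) pushed to policies

    def resolve(self, answers, now):
        """Record one DNS answer set; notify policies only of addresses new to the group."""
        self.expire(now)
        new = [ip for ip in answers if ip not in self.addresses]
        for ip in answers:
            self.addresses[ip] = now          # refresh last-seen time
        if new:
            self.notifications.append((now, "add", tuple(new)))
        return new

    def expire(self, now):
        """Age out addresses that DNS has not returned within the aging time."""
        stale = [ip for ip, seen in self.addresses.items()
                 if now - seen > self.aging_minutes]
        for ip in stale:
            del self.addresses[ip]
        if stale:
            self.notifications.append((now, "age-out", tuple(stale)))
        return stale


def notifications_without_aging(answer_sets):
    """Baseline with the feature disabled: every change of the resolved set is pushed."""
    count, previous = 0, None
    for answers in answer_sets:
        if set(answers) != previous:
            count += 1
            previous = set(answers)
    return count
```

If the aging time is shorter than the DNS record TTL, an address can age out before DNS returns it again and is then re-added and re-notified, which is why the guideline above says to set the aging time longer than the TTL.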

Examples

# Enable aging of DNS-resolved IP addresses from host names and set the aging time to 5 minutes.

<Sysname> system-view

[Sysname] object-group dns-aging

[Sysname] object-group dns-aging time 5
