11-Security Configuration Guide
15-Object group configuration
Configuring object groups
About object groups
An IPv4 address object group can be used by ACLs and object policies to identify packets.
An IPv4 address object group is a group of IPv4 address objects, used to match the IPv4 address in a packet or to match the user from whom a packet comes.
Configuring an IPv4 address object group
1. Enter system view.
system-view
2. Configure an IPv4 address object group and enter its view.
object-group ip address object-group-name
The system has one default IPv4 address object group named any.
3. (Optional.) Configure a description for the IPv4 address object group.
description text
By default, an object group does not have a description.
4. Configure an IPv4 address object.
[ object-id ] network { host { address ip-address | name host-name } | subnet ip-address { mask-length | mask } | range ip-address1 ip-address2 }
Configuring an IPv6 address object group
1. Enter system view.
system-view
2. Configure an IPv6 address object group and enter its view.
object-group ipv6 address object-group-name
The system has one default IPv6 address object group named any.
3. (Optional.) Configure a description for the IPv6 address object group.
description text
By default, an object group does not have a description.
4. Configure an IPv6 address object.
[ object-id ] network { host { address ipv6-address | name host-name } | subnet ipv6-address prefix-length | range ipv6-address1 ipv6-address2 }
Configuring a port object group
1. Enter system view.
system-view
2. Configure a port object group and enter its view.
object-group port object-group-name
The system has one default port object group named any.
3. (Optional.) Configure a description for the port object group.
description text
By default, an object group does not have a description.
4. Configure a port object.
[ object-id ] port { { eq | lt | gt } port | range port1 port2 }
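As an added illustration (not code from the guide or the device), the Python model below turns the object lines configured in the three procedures above into match conditions, showing how host, subnet (mask-length or dotted mask), range, eq/lt/gt and port-range objects test a packet's address or port. Object IDs, addresses and ports are constructed; host-name objects are omitted because they require DNS resolution.

```python
# Illustrative model of how address and port objects match a packet. Added example, not
# device code: it turns the object syntax from the procedures above (network host address /
# subnet / range, port eq / lt / gt / range) into predicates. Sample values are constructed;
# 'host name' objects need DNS resolution and are left out.
import ipaddress

def parse_network_object(line):
    """Return a predicate ip -> bool for one 'network ...' object line (IPv4 or IPv6)."""
    tok = line.split()
    tok = tok[1:] if tok[0].isdigit() else tok      # optional leading object-id
    kind = tok[1]
    if kind == "host" and tok[2] == "address":
        target = ipaddress.ip_address(tok[3])
        return lambda ip: ip == target
    if kind == "subnet":
        # IPv4 takes a mask-length or a dotted mask; IPv6 takes a prefix-length.
        net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        return lambda ip: ip in net
    if kind == "range":
        lo, hi = ipaddress.ip_address(tok[2]), ipaddress.ip_address(tok[3])
        return lambda ip: ip.version == lo.version and lo <= ip <= hi
    raise ValueError(f"unsupported object: {line}")

def parse_port_object(line):
    """Return a predicate port -> bool for one 'port ...' object line."""
    tok = line.split()
    tok = tok[1:] if tok[0].isdigit() else tok
    if tok[1] == "range":
        lo, hi = int(tok[2]), int(tok[3])
        return lambda p: lo <= p <= hi
    n = int(tok[2])
    return {"eq": lambda p: p == n, "lt": lambda p: p < n, "gt": lambda p: p > n}[tok[1]]

def address_in_group(object_lines, ip_str):
    """True if ip_str matches any 'network' object in the group (any-object-matches semantics)."""
    ip = ipaddress.ip_address(ip_str)
    return any(parse_network_object(l)(ip) for l in object_lines)

def port_in_group(object_lines, port):
    """True if port matches any 'port' object in the group."""
    return any(parse_port_object(l)(port) for l in object_lines)

# Constructed groups mirroring the three procedures above.
WEB_SERVERS = ("0 network host address 10.1.1.10", "10 network subnet 10.1.2.0 24",
               "20 network subnet 10.1.4.0 255.255.255.0", "30 network range 10.1.3.1 10.1.3.20")
WEB_PORTS = ("0 port eq 443", "10 port range 8080 8081")
```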
Configuring aging of DNS-resolved IP addresses from host names
About this task
In load balancing scenarios where one host name maps to several IP addresses, the DNS-resolved IP address for the host name changes among these mapped addresses. Upon every change, the object group module notifies relevant policies (such as the security policy) of the change, which causes the policies to commit changes frequently and consumes memory. To resolve this issue, enable aging of DNS-resolved IP addresses from host names.
With this feature enabled, the system maintains an IP address group for each host name. If a resolved IP address is not in the group, the system adds the address to the group and notifies relevant policies of the change. If the resolved IP address is already in the group, the system does not notify the policies.
Restrictions and guidelines
As a best practice, set the aging time to be longer than the TTL of resolution records on the DNS server.
Procedure
1. Enter system view.
system-view
2. Enable aging of DNS-resolved IP addresses from host names.
object-group dns-aging [ time aging-time ]
By default, aging of DNS-resolved IP addresses from host names is disabled.
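As an added illustration (not code from the guide or the device), the Python model below implements the behaviour described in "About this task": one address set per host name, a policy notification only when a resolved address is new, and age-out of addresses not seen within the aging time. It also shows why the aging time should exceed the interval at which an address recurs: a round-robin name whose addresses reappear every other TTL causes only two notifications when aging is long enough, but constant add/remove churn when it is shorter than the TTL. Host names, addresses, times and the treatment of age-out as a notification are constructed assumptions.

```python
# Illustrative model of the dns-aging behaviour described above. Added example, not device
# code: one address set is kept per host name, policies are notified only when a resolved
# address is new to the set, and addresses not seen for aging_time seconds are aged out
# (removal is also modelled as a notification). Host names, addresses and times are constructed.
class DnsAgingGroup:
    def __init__(self, aging_time):
        self.aging_time = aging_time
        self.groups = {}          # host name -> {ip: time last resolved}
        self.notifications = []   # (time, host, ip, "add" | "remove") sent to policies

    def expire(self, now):
        """Age out addresses that have not been resolved for aging_time seconds."""
        for host, seen in self.groups.items():
            for ip, last in list(seen.items()):
                if now - last >= self.aging_time:
                    del seen[ip]
                    self.notifications.append((now, host, ip, "remove"))

    def resolve(self, host, ip, now):
        """Record one DNS answer for host; return True if policies were notified."""
        self.expire(now)
        seen = self.groups.setdefault(host, {})
        is_new = ip not in seen
        seen[ip] = now            # add, or just refresh the last-seen time
        if is_new:
            self.notifications.append((now, host, ip, "add"))
        return is_new

def notifications_for(aging_time, ttl, rounds=6):
    """Simulate a host name that round-robins between two addresses and is re-resolved
    every ttl seconds; return how many policy notifications the group issued.
    Aging longer than the time between repeats of an address keeps the count at 2."""
    g = DnsAgingGroup(aging_time)
    for i in range(rounds):
        g.resolve("www.example.com", ("192.0.2.10", "192.0.2.11")[i % 2], now=i * ttl)
    return len(g.notifications)
```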
Display and maintenance commands for object groups
Execute display commands in any view.
Task: Display information about object groups.
Command: display object-group [ ip address [ default ] [ name object-group-name ] | name object-group-name ]

Task: Display IPv4 or IPv6 addresses for host names.
Command (standalone mode): display object-group { ip | ipv6 } host { object-group-name object-group-name | name host-name [ vpn-instance vpn-instance-name ] } * [ slot slot-number ]
Command (IRF mode): display object-group { ip | ipv6 } host { object-group-name object-group-name | name host-name [ vpn-instance vpn-instance-name ] } * [ chassis chassis-number slot slot-number ]

Task: Display information about the IP addresses corresponding to host names in the kernel.
Command (standalone mode): display object-group kernel { ip | ipv6 } host { object-group-name object-group-name | name host-name [ vpn-instance vpn-instance-name ] } * [ slot slot-number [ cpu cpu-number ] ]
Command (IRF mode): display object-group kernel { ip | ipv6 } host { object-group-name object-group-name | name host-name [ vpn-instance vpn-instance-name ] } * [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]