Object-Group Commands

continent

To add a continent to a geo object group, use the continent command in configuration geo group mode. To remove a continent from a geo object group, use the no form of this command.

continent continent-code

no continent continent-code

Syntax Description

continent continent-code

Specifies the two-letter continent codes:

  • AF: Africa

  • AN: Antarctica

  • AS: Asia

  • EU: Europe

  • NA: North America

  • OC: Oceania

  • SA: South America

Command Default

No continent is added to a geo object group.

Command Modes

Configuration geo group (config-geo-group)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

When you configure the object-group geo command, the command mode changes to geo group configuration mode (config-geo-group), which allows you to add a continent to a geo object group.

The following example shows how to add the continent EU to a geo object group:

Device(config-geo-group)# continent EU

country

To configure a country in a geo object group, use the country command in configuration geo group mode. To remove a country from a geo object group, use the no form of this command.

country country-code

no country country-code

Syntax Description

country country-code

Specifies the three-letter ISO-3166 country codes.

Command Default

No country is added to a geo object group.

Command Modes

Configuration geo group (config-geo-group)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

When you configure the object-group geo command, the command mode changes to geo group configuration mode (config-geo-group), which allows you to configure a country for a geo object group.

The following example shows how to add the country GBR to a geo object group:

Device(config-geo-group)# country GBR

description (fqdn-group)

To add a description to an object group, use the description command in fqdn group configuration mode. To remove a description from an object group, use the no form of this command.

description description-text

no description description-text

Syntax Description

description description-text

Specifies a description for a fully qualified domain name (FQDN) object group. You can use up to 200 characters.

Command Default

No description is added to an FQDN object group.

Command Modes

fqdn group configuration mode (config-fqdn-group)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

When you configure the object-group fqdn command, the command mode changes to fqdn group configuration mode (config-fqdn-group), which allows you to add a description to an FQDN object.

The following example shows how to add a description to an FQDN object group:

Device(config-fqdn-group)# description Source FQDN

description (geo-group)

To add a description to an object group, use the description command in geo group configuration mode. To remove a description from an object group, use the no form of this command.

description description-text

no description description-text

Syntax Description

description description-text

Specifies a description for a geo object group. You can use up to 200 characters.

Command Default

No description is added to a geo object group.

Command Modes

geo group configuration mode (config-geo-group)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

When you configure the object-group geo command, the command mode changes to geo group configuration mode (config-geo-group), which allows you to add a description to a geo object.

The following example shows how to add a description to a geo object group:

Device(config-geo-group)# description GEO_1

geo database

To enable a geo database, use the geo database command in global configuration mode. To remove a geo database from the configuration, use the no form of this command.

geo database

no geo database

Syntax Description

This command has no arguments or keywords.

Command Default

The geolocation database is not enabled.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

After executing the geo database command, you must commit your changes to enable the geolocation database.

The following example shows how to configure the geo database command:

Device(config)# geo database

The following is sample output from the show geo status command:

Device# show geo status
Geo-Location Database is enabled
File in use       : Device default

geo database revert

To revert the geolocation database file back to the default if the geolocation database is corrupted, use the geo database revert command in privileged EXEC mode.

geo database revert default

Syntax Description

This command has no arguments or keywords.

Command Default

The geolocation database file is not reverted to the default.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Use the geo database revert command to revert the geolocation database file to its default if the geolocation database is corrupted.

The following example shows how to revert the geolocation database file to the default:

Device# geo database revert default

geo database update

To update the geolocation database file, use the geo database update command in privileged EXEC mode.

geo database update file [ bootflash: | crashinfo: | flash: ]

Syntax Description

file

Specifies the full directory path to the geolocation database file within one of the following folders:

  • bootflash (Note: the default file location for the geolocation database is in the bootflash folder.)

  • crashinfo

  • flash

Command Default

The geolocation database is not updated.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

To ensure that you are using up-to-date geographical location data, we recommend that you update the geolocation database.

The following example shows how to update the geo database in the bootflash folder:

Device# geo database update bootflash:geo_ip4_db

group-object (fqdn-group)

To view existing fully qualified domain name (FQDN) objects, or to create a new FQDN object, use the group-object command in configuration fqdn group mode. To remove an FQDN group object, use the no form of this command.

group-object group-object-name

no group-object group-object-name

Syntax Description

group-object group-object-name

Displays the existing FQDN objects you previously created. You can also create a new FQDN object.

Command Default

No group object is displayed or created.

Command Modes

Configuration fqdn group (config-fqdn-group)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

You can view existing FQDN objects, or you can create a new FQDN object using the group-object command.

The following example shows how to create a group object called FQDN-1:

Device(config-fqdn-group)# group-object FQDN-1

group-object (geo-group)

To view existing geo objects, or to create a new geo object, use the group-object command in configuration geo group mode. To remove a group object, use the no form of this command.

group-object group-object-name

no group-object group-object-name

Syntax Description

group-object group-object-name

Specifies an existing geo object (child) to be included in the current object group (parent).

Command Default

No group object is added to a geo object group.

Command Modes

Configuration geo group (config-geo-group)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

You can create nested geo objects using the group-object command.

The following example shows how to create a geo object called GEO_1:

Device(config-geo-group)# group-object GEO_1

object-group fqdn

To create a fully-qualified domain name (FQDN) object group for use in object-group-based access control lists (ACLs), use the object-group fqdn command in global configuration mode. To remove an FQDN object group from the configuration, use the no form of this command.

object-group fqdn object-group-name

no object-group fqdn object-group-name

Syntax Description

object-group-name

Specifies the name of an FQDN object group.

A sequence of 1 to 64 characters consisting of letters, digits, underscores (_), dashes (-), or periods. The object-group-name must start with a letter.

Command Default

No FQDN object group is created.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

When Access Control Lists (ACLs) are configured using an FQDN, ACLs can be applied based on the destination domain name. The destination domain name is then resolved to an IP address, which is provided to the client as part of the DNS response.

Note: When defining a firewall rule in a security policy, avoid configuring an fqdn in both the source data prefix and the destination data prefix in the same firewall rule.

Create two different rules containing the following:

  • 1st rule: Use fqdn in the source data prefix only.

  • 2nd rule: Use fqdn in the destination data prefix only.

The following example shows how to create a new FQDN object group named obj.example.com:

Device(config)# object-group fqdn obj.example.com

object-group geo

To create a geolocation object group for use in object group-based access control lists (ACLs), use the object-group geo command in global configuration mode. To remove a geolocation object group from the configuration, use the no form of this command.

object-group geo object-group-name

no object-group geo object-group-name

Syntax Description

object-group-name

Specifies the name of the geo object group.

A sequence of 1 to 64 characters consisting of letters, digits, underscores (_), dashes (-), or periods. The object-group-name must start with a letter.

Command Default

No geolocation object group is created.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

Add object groups to use in Access Control Lists (ACLs) to enable geolocation-based firewall rules.

Note: When defining a firewall rule in a security policy, avoid configuring a geo in both the source data prefix and the destination data prefix in the same firewall rule.

Create two different rules containing the following:

  • 1st rule: Use geo in the source data prefix only.

  • 2nd rule: Use geo in the destination data prefix only.

The following example shows how to create a new object group GEO_1:

Device(config)# object-group geo GEO_1

object-group network

To define network object groups for use in object group-based access control lists (ACLs) and enter network group configuration mode, use the object-group network command in global configuration mode. To remove network object groups from the configuration, use the no form of this command.

object-group network object-group-name

no object-group network object-group-name

Syntax Description

object-group-name

Name for a network type of object group.

object-group-name is a sequence of 1 to 64 characters consisting of letters, digits, underscores (_), dashes (-), or periods (.). The object-group-name must start with a letter.

Command Default

No network object groups are created.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco vManage CLI templates.

Usage Guidelines

When you configure the object-group network command, the command mode changes to network group configuration mode (config-network-group) and allows you to populate or modify a network object-group ACL. The following command is available in network group configuration mode:

host {host-address}—Specifies the host object. You must use an IPv4 address for the host address.

Note the following restrictions:

  • You cannot associate an empty object group with an access control list (ACL).

  • If you use an object group with an ACL, you cannot empty or delete the object group. You can use Cisco SD-WAN Manager add-on feature templates to delete an attached ACL and its object group in the same template push, as long as there are no other references to the object group in the configuration. However, the commands will fail on the device. To avoid this, do not delete or empty an object group that is associated with an ACL.

For further usage guidelines, see the Cisco IOS XE object-group network command.

The following example shows how to create a network object group named Auth-Servers that contains a single host:

object-group network Auth-Servers
 host 10.16.137.22
!

object-group security

To create an object group to identify the traffic coming from a specific user or endpoint, use the object-group security command in global configuration mode. To remove the object group, use the no form of this command.

object-group security name

no object-group security name

Syntax Description

name

Object group name.

Command Default

No object group is defined.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

For usage guidelines, see the Cisco IOS XE object-group security command.

The following example shows how the object-group security command is used in the class map configuration of the Security Group Access (SGA) zone-based firewall:

Device(config)# object-group security myobject1
Device(config-object-group)# security-group tag-id 1
Device(config-object-group)# exit
Device(config)# class-map type inspect match-any myclass1
Device(config-cmap)# match group-object security source myobject1
Device(config-cmap)# end

object-group service

To define service object groups for use in object-group-based access control lists (ACLs), use the object-group service command in global configuration mode. To remove service object groups from the configuration, use the no form of this command.

object-group service object-group-name

no object-group service object-group-name

Syntax Description

object-group-name

Name of a service type of object group.

Command Default

No service object groups are created.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.2.1v

Command qualified for use in Cisco vManage CLI templates.

Usage Guidelines

When you configure the object-group service command, the command mode changes to service group configuration mode (config-service-group), which allows you to populate or modify a service object-group ACL. The following commands are available in service group configuration mode:

  • {tcp | udp | tcp-udp} [source {source-port-number | range minimum-port maximum-port}] [destination-port-number | range minimum-port maximum-port]—Specifies a TCP or UDP protocol port number or a range of port numbers.

  • ip—Specifies any protocol.

  • number—Specifies a specific protocol number.

  • icmp—Specifies the ICMP protocol.

Note the following restrictions:

  • You cannot associate an empty object group with an access control list (ACL).

  • If you use an object group with an ACL, you cannot empty or delete the object group. You can use Cisco SD-WAN Manager add-on feature templates to delete an attached ACL and its object group in the same template push, as long as there are no other references to the object group in the configuration. However, the commands will fail on the device. To avoid this, do not delete or empty an object group that is associated with an ACL.

For more usage guidelines, see the Cisco IOS XE object-group service command.

The following example shows a service object group named ZBF-DIA-External that combines a single port, a port range, a source port, and protocol entries:

object-group service ZBF-DIA-External
 tcp 80
 udp
 tcp range 1024 65535
 tcp source 23
 ip
 icmp
!
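As an added example that is not part of the Cisco documentation, the following Python checker applies the constraints this reference states for object-group names (1 to 64 characters, starting with a letter), the continent codes, three-letter country codes, the 200-character description limit, and the restriction that an empty object group cannot be associated with an ACL, by parsing running-config style text like the examples in this section. The sample configuration is constructed, and treating a group that holds only a description as empty is an assumption.

```python
import re

# Constraints stated in the command reference: name format, continent codes, description
# length, and the rule that an empty object group cannot be associated with an ACL.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]{0,63}$")   # 1-64 chars, starts with a letter
CONTINENTS = {"AF", "AN", "AS", "EU", "NA", "OC", "SA"}
MAX_DESCRIPTION = 200

def parse_object_groups(config):
    """Return [(kind, name, [(member_cmd, argument), ...]), ...] from running-config text."""
    groups, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":          # '!' closes a block, as in IOS running-config
            current = None
            continue
        m = re.match(r"object-group (\S+) (\S+)$", line)
        if m:
            current = (m.group(1), m.group(2), [])
            groups.append(current)
        elif current is not None:            # indented member line of the open block
            cmd, _, arg = line.partition(" ")
            current[2].append((cmd, arg))
    return groups

def check_object_groups(config):
    """Return a list of finding strings; an empty list means the config passes the checks."""
    findings = []
    for kind, name, members in parse_object_groups(config):
        if not NAME_RE.match(name):
            findings.append(f"{name}: name must be 1-64 chars of [A-Za-z0-9_.-] starting with a letter")
        # Assumption: a description is not a member, so a group holding only one is still empty.
        if not [m for m in members if m[0] != "description"]:
            findings.append(f"{name}: empty {kind} object group, cannot be associated with an ACL")
        for cmd, arg in members:
            if cmd == "description" and len(arg) > MAX_DESCRIPTION:
                findings.append(f"{name}: description exceeds {MAX_DESCRIPTION} characters")
            elif cmd == "continent" and arg not in CONTINENTS:
                findings.append(f"{name}: unknown continent code '{arg}'")
            elif cmd == "country" and not re.fullmatch(r"[A-Z]{3}", arg):
                findings.append(f"{name}: '{arg}' is not a three-letter ISO 3166 country code")
    return findings

# Constructed sample configuration (not from the page) that exercises each check once.
SAMPLE_CONFIG = """\
object-group geo GEO_1
 continent EU
 country GBR
!
object-group geo 1BAD-NAME
 continent XX
 country UK
object-group fqdn obj.example.com
 description Source FQDN
"""
```

Running check_object_groups(SAMPLE_CONFIG) reports the bad name, the unknown continent, the two-letter country code, and the description-only FQDN group, while GEO_1 passes.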

pattern

To add a pattern for finding valid fully qualified domain names (FQDN), use the pattern command in fqdn group configuration mode. To remove a pattern from the configuration, use the no form of this command.

pattern match-pattern

no pattern match-pattern

Syntax Description

match-pattern

Specifies a pattern for finding valid FQDNs.

Command Default

No pattern is matched.

Command Modes

fqdn group configuration mode (config-fqdn-group)

Command History

Release

Modification

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Command qualified for use in Cisco SD-WAN Manager CLI templates.

Usage Guidelines

When you configure the object-group fqdn command, the command mode changes to fqdn group configuration mode (config-fqdn-group), which allows you to add a pattern for finding valid FQDNs.

The following example shows how to add a pattern of example.com:

Device(config-fqdn-group)# pattern example.com