Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100
Customer Order Number: DOC-7815202= Text Part Number: 78-15202-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R) User Guide for ACL Manager Copyright 2003, Cisco Systems, Inc. All rights reserved.
CONTENTS

Preface xi
  Audience xi
  Conventions xi
  Product Documentation xii
  Related Documentation xiv
  Obtaining Documentation xvi
  Cisco.com xvi
  Documentation CD-ROM xvii
  Ordering Documentation xvii
  Documentation Feedback xviii
  Obtaining Technical Assistance xviii
  Cisco.com xviii
  Technical Assistance Center xix
  Cisco TAC Website xx
  Cisco TAC Escalation Center xx
  Obtaining Additional Publications and Information xxi

CHAPTER 1  ACL Manager Overview 1-1
  ACL Terms and Definitions 1-1
  What Is ACL Manager? 1-3
  ACL Manager Components 1-4
  Benefits of ACL Manager 1-4
  ACL Manager Functionality 1-5
  ACL Manager Tools 1-7
  ACL Manager Privilege Levels 1-8
  Privilege Levels and Tasks 1-9

CHAPTER 2  ACL Definitions and Uses 2-1
  Creating ACLs and Templates 2-1
  ACL and Template Attributes 2-2
  Name, Number, and Type Attributes 2-3
  Creation Date Attribute 2-4
  Created By Attribute 2-4
  Modification Date Attribute 2-4
  Last Modified By Attribute 2-4
  Comment Attribute 2-5
  ACL Properties (Use Details) 2-5
  ACL Uses 2-7
  Use Modes and Contexts 2-7

CHAPTER 3  Getting Started 3-1
  Before You Begin 3-2
  Setting Up Essentials 3-4
  Starting ACL Manager 3-4
  Saving Scenarios 3-8
  Saving Under the Existing Name 3-8
  Saving Under a Different Name 3-8
  Deleting Scenarios 3-10
  Opening A Different Scenario 3-11
  Printing 3-12
  Navigating in the ACL Manager Main Window 3-12
  Using the Find Feature 3-14
  ACL Manager Menus 3-14
  File Menu 3-14
  Edit Menu 3-15
  View Menu 3-17
  ACL Menu 3-18
  Tools Menu 3-18
  Using the Device State Icons 3-19
  Using the Toolbar 3-21
  Using Keyboard Shortcuts 3-23
  Keyboard Shortcuts for ACL Manager Window 3-23
  Keyboard Shortcuts for ACL Manager Dialog Boxes - Windows 3-25
  Keyboard Shortcuts for ACL Manager Dialog Boxes - Solaris 3-25
  Performing a Complete Workflow Cycle 3-26
  Verifying Device Configuration Changes 3-26
  Downloading the Changes to the Devices 3-27
  Verifying That the Download Was Successful 3-27
  Advanced ACL Manager Topics 3-27
  Stale Devices 3-27
  Refreshing Devices 3-28
  How to Avoid Losing Edits When Refreshing a Device 3-29
  Backing up ACL Manager Data 3-30
  Backing up Data on Solaris 3-30
  Backing up Data on Windows Server 3-31
  Restoring ACL Manager Data 3-31
  Restoring Data on Solaris 3-32
  Restoring Data on Windows Server 3-32

CHAPTER 4
  Creating ACLs 4-4
  Defining ACL Uses 4-6
  Editing ACLs 4-6
  Saving ACLs as Templates 4-8
  Renaming ACLs 4-9
  Manipulating ACEs 4-10
  Inserting a New ACE 4-10
  Appending a New ACE 4-11
  Inserting a Template 4-12
  Appending a Comment 4-14
  Inserting a Comment 4-15
  Reordering ACEs 4-16
  Editing ACEs 4-17
  Specifying Source and Destination Addresses 4-18
  Using the ACE Editor Buttons 4-20
  Editing IP ACE Attributes 4-20
  Editing IP Extended ACE Attributes 4-22
  Editing IP Extended General Attributes 4-22
  Editing IP Extended Advanced Attributes 4-24
  Editing IP Extended Other Attributes 4-27
  Editing IPX ACE Attributes 4-29
  Editing IPX Extended ACE Attributes 4-30
  Editing IPX SAP ACE Attributes 4-33
  Editing IPX SUMMARY ACE Attributes 4-34
  Editing RATE LIMIT MAC ACE Attributes 4-35
  Editing RATE LIMIT PRECEDENCE ACE Attributes 4-36
  Saving ACEs as a Template 4-37
  Viewing the Configuration Changes 4-38
  Optimizing the ACL 4-42
  Editing Time Range Definitions 4-42
  Time Range Definition - Absolute 4-42
  Time Range Definition - Periodic 4-44
  Printing the ACL/ACE 4-45

CHAPTER 5  Viewing and Editing VACLs 5-1
  Viewing Existing VACLs 5-2
  Creating VACLs 5-5
  Defining VACL Uses 5-6
  Editing VACLs 5-6
  Saving VACLs as Templates 5-8
  Renaming VACLs 5-9
  Manipulating VACEs 5-10
  Inserting a New VACE 5-10
  Appending a New VACE 5-11
  Inserting a Template 5-12
  Appending a Comment 5-14
  Inserting a Comment 5-15
  Reordering VACEs 5-16
  Editing VACEs 5-17
  Specifying Source and Destination Addresses 5-18
  Using the ACE Editor Buttons 5-19
  Editing IP VACE Attributes 5-20
  Editing IP General Attributes 5-21
  Editing IP Advanced Attributes 5-24
  Editing IP Other Attributes 5-27
  Editing IPX VACE Attributes 5-28
  Editing MAC VACE Attributes 5-29
  Saving VACEs as a Template 5-31
  Viewing the Configuration Changes 5-32
  Optimizing the VACL 5-36
  Printing the VACL/VACE 5-36

CHAPTER 6  Using the Class Manager 6-1
  What Is the Class Manager? 6-1
  Class Manager Editors 6-2
  Invoking the Class Manager 6-3
  Using the Class Manager Toolbar 6-3
  Using Services and Service Classes 6-4
  Creating a New Service 6-4
  Editing a Service 6-6
  Creating a New Service Class 6-6
  Editing a Service Class 6-8
  Editing a Service Class Entry 6-9
  Identifying Devices That Use Service Class 6-9
  Using Networks and Network Classes 6-11
  Creating a New Network 6-11
  Editing a Network 6-13
  Creating a New Network Class 6-13
  Editing a Network Class 6-15
  Editing a Network Class Entry 6-16
  Identifying Devices That Use Network Class 6-16
  Using the Class Manager: Example 6-18

CHAPTER 7  Using the Template Manager 7-1
  What is the Template Manager? 7-1
  Starting the Template Manager 7-2
  Using the Template Manager Toolbar 7-2
  Template Attributes 7-3
  Creating a New Template 7-3
  Editing an Existing Template 7-5
  Editing the Contents of a Template 7-5
  Creating and Inserting Template Folders 7-5
  Identifying Devices That Use an ACL Template 7-6

CHAPTER 8  ACL Manager Use Wizard 8-1
  Defining ACL Uses 8-1
  Defining an ACL Use with the Use ACL Wizard 8-2
  Selecting Interfaces, Lines, SNMP Community Settings or VLANS 8-4
  Selecting Interfaces for Packet Filtering with the Use ACL Wizard 8-4
  Selecting Lines for Line Access with the Use ACL Wizard 8-5
  SNMP Community Settings with the Use ACL Wizard 8-6
  Selecting VLANs for VLAN Packet Filtering with Use ACL Wizard 8-8
  Completing the Use ACL Wizard Summary 8-9
  Displaying Use ACL Wizard Results 8-10
  Applying an ACL Template to a Specific Device 8-12
  Selecting a Template with the Template Use Wizard 8-13
  Selecting a Device 8-14
  Displaying ACL Creation Results (Single Device) 8-16
  Applying an ACL Template to Multiple Devices 8-17
  Selecting a Template 8-18
  Selecting the Devices 8-19
  Displaying ACL Creation Results (Multiple Devices) 8-20
  Defining ACL Uses for Multiple Devices 8-22
  Selecting Interfaces with the Template Use Wizard 8-23
  Selecting Lines with the Template Use Wizard 8-24
  SNMP Community Settings with the Template Use Wizard 8-24
  Selecting VLANs for VLAN Packet Filtering with Template Use Wizard 8-25

CHAPTER 9  Scheduling and Downloading 9-1
  Enabling Job Approval 9-2
  Scheduling Downloads 9-3
  Selecting the Devices 9-5
  Describing the Job and Selecting the Download Options 9-6
  Selecting Job Approvers 9-7
  Scheduling the Download 9-7
  Verifying the Configuration Changes 9-8
  Saving Changes to Disk 9-10
  Browsing Job Status and Results 9-13
  Job Management Integration 9-17
  Viewing a Job Scenario 9-17
  Editing and Resubmitting Jobs 9-18
  Resubmitting a Job That Has Not Been Completed 9-18
  Canceling Pending Jobs and Purging Old Jobs 9-19
  What to Do If Your Download Fails 9-19

CHAPTER 10  Optimizing ACLs 10-1
  What Are the ACL Optimizer and Hits Optimizer? 10-1
  What Is the ACL Optimizer? 10-2
  What Is the ACL Hits Optimizer? 10-3
  Using the ACL Optimizer 10-4
  Using the ACL Hits Optimizer 10-7
  Resetting Hit Counters 10-9

INDEX
Preface
This document describes how to use the Access Control List (ACL) Manager, a software tool for managing access control lists on Cisco routers and Catalyst switches. This preface describes who should read User Guide for ACL Manager and outlines the document conventions used in this manual.
Audience
This document is for network operators, network administrators, and system administrators. To use the ACL Manager application, you should have a basic understanding of the operation, management, and configuration of your network. You should also understand basic ACL structure and configuration and the concept of network and service definitions.
Conventions
This document uses the following conventions:

Item                                      Convention
Commands and keywords                     boldface font
Variables for which you supply values     italic font
Displayed session and system information  screen font
Information you enter                     boldface screen font
Variables you enter                       italic screen font
Menu items and button names               boldface font
Selecting a menu item in paragraphs       Option > Network Preferences
Selecting a menu item in tables           Option > Network Preferences
Note
Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
Caution
Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Product Documentation
Note
Although every effort has been made to validate the accuracy of the information in the printed and electronic documentation, you should also review the ACL Manager documentation on Cisco.com for any updates. The following product documentation is available:
Release Notes for ACL Manager 1.5 on Solaris and Windows
This document describes the new features, the supported devices and the known and resolved problems of ACL Manager 1.5, running on Solaris and Windows. It also provides troubleshooting information. This document is available in the following formats:
As a photocopied document along with the ACL Manager CD-ROM. On Cisco.com. (Select Products and Services > Network Management CiscoWorks > CiscoWorks Access Control List Manager > Versions and Options).
Installation Guide for ACL Manager provides information on the ACL Manager requirements, and describes the installation procedures on Solaris and Windows. This document is available in the following formats:
PDF on the ACL Manager CD-ROM. On Cisco.com. (Select Products and Services > Network Management CiscoWorks > CiscoWorks Access Control List Manager > Versions and Options). Printed document available by order.
User Guide for ACL Manager describes how to use ACL Manager, a software tool for the management of access control lists on Cisco routers and catalyst switches. This document is available in the following formats:
PDF on the ACL Manager CD-ROM and from the ACL Manager online help. On Cisco.com. (Select Products and Services > Network Management CiscoWorks > CiscoWorks Access Control List Manager > Versions and Options). Printed document available by order.
Online help is also available from within ACL Manager: select an option from the navigation tree and then click Help, or click the Help button in a dialog box.
Related Documentation
Note
Although every effort has been made to validate the accuracy of the information in printed and electronic documentation, you should also review Cisco product documentation on Cisco.com for any updates. ACL Manager 1.5 runs on Resource Manager Essentials 3.5. The following documentation on Resource Manager Essentials 3.5 is available:
Release Notes for Resource Manager Essentials 3.5:
  Release Notes for Resource Manager Essentials on Solaris, Software Release 3.5
  Release Notes for Resource Manager Essentials on Windows, Software Release 3.5
  Installation and Setup Guide for Resource Manager Essentials on Solaris, Software Release 3.5
  Installation and Setup Guide for Resource Manager Essentials on Windows, Software Release 3.5
These documents are available in the following formats: PDFs on the Resource Manager Essentials CD-ROM. On Cisco.com. Printed documents available by order.
Resource Manager Essentials runs on Common Services 2.2 (Includes CiscoView 5.5). This document is available in the following formats:
PDF on the Resource Manager Essentials CD-ROM and from the Resource Manager Essentials online help. On Cisco.com. Printed document available by order.
Resource Manager Essentials 3.5 runs on Common Services 2.2. The following documentation on Common Services 2.2 is available:
Release Notes Common Services 2.2:
  Release Notes for Common Services 2.2 (Includes CiscoView 5.5) on Solaris
  Release Notes for Common Services 2.2 (Includes CiscoView 5.5) on Windows 2000
  Available as photocopied documents along with the product CD-ROM, and on Cisco.com.
  Installation and Setup Guide for Common Services 2.2 (Includes CiscoView 5.5) on Solaris
  Installation and Setup Guide for Common Services 2.2 (Includes CiscoView 5.5) on Windows 2000
  Available as PDFs on the Common Services CD-ROM, on Cisco.com, and as printed documents by order.
PDF on the Common Services CD-ROM and from the Common Services online help. On Cisco.com. Printed document available by order.
You can download device packages for new devices from Cisco.com and find information about all supported devices by logging into Cisco.com. Device packages are released cumulatively; that is, new device packages contain the contents of any previous packages. To determine which packages are installed on your CiscoWorks Server, select Server Configuration > About the Server > Applications and Versions. You can also obtain any published patches from the download site.
Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL: http://www.cisco.com International Cisco web sites can be accessed from this URL: http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription. Registered Cisco.com users can order the Documentation CD-ROM (product number DOC-CONDOCCD=) through the online Subscription Store: http://www.cisco.com/go/subscription
Ordering Documentation
You can find instructions for ordering documentation at this URL: http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm You can order Cisco documentation in these ways:
Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace: http://www.cisco.com/en/US/partner/ordering/index.shtml Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number DOC-CONDOCCD=) through the online Subscription Store: http://www.cisco.com/go/subscription Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page. You can email your comments to bug-doc@cisco.com. You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address: Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments.
Cisco.com
Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world. Cisco.com provides a broad range of features and services to help you with these tasks:
  Streamline business processes and improve productivity
  Resolve technical issues with online support
  Download and test software packages
  Order Cisco learning materials and merchandise
  Register for online skill assessment, training, and certification programs
To obtain customized information and service, you can self-register on Cisco.com at this URL: http://www.cisco.com
Priority level 4 (P4): You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
Priority level 3 (P3): Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
Priority level 2 (P2): Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
Priority level 1 (P1): Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: http://www.cisco.com/en/US/products/products_catalog_links_launch.html Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL: http://www.ciscopress.com Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest information about the field of networking. You can access Packet magazine at this URL: http://www.cisco.com/en/US/about/ac123/ac114/ about_cisco_packet_magazine.html
iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with the latest information about the networking industry. You can access iQ Magazine at this URL: http://business.cisco.com/prod/ tree.taf%3fasset_id=44699&public_view=true&kbns=1.html
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/en/US/about/ac123/ ac147/about_cisco_the_internet_protocol_journal.html
Training: Cisco offers world-class networking training. Current offerings in network training are listed at this URL: http://www.cisco.com/en/US/learning/le31/ learning_recommended_training_list.html.
CHAPTER 1  ACL Manager Overview

This chapter covers the following topics:
  ACL Terms and Definitions
  What Is ACL Manager?
  ACL Manager Tools
  ACL Manager Privilege Levels
Note: The generic term ACL refers to both IOS ACLs and VLAN ACLs. Wherever the term VACL is used, it applies only to VLAN ACLs. Wherever the term IOS ACL is used, it applies only to router ACLs.

ACL Template (Template): A named set of ACEs. Templates can be inserted into ACLs (see Template Include ACE). Templates can include other templates.

ACL Use: ACL Use statements in a device configuration utilize or reference an ACL for some purpose. There are over 50 possible purposes, which include, for example: IP packet filtering, line access, traffic shaping, IP multicast rate limiting, SNMP server, IPX input SAP filtering, IPX router filtering, and so on.

ACL Use Modes and Contexts: IOS ACLs can be used in various IOS configuration modes: global, router, route-map, crypto-map, line, and interface. Except for global, the configuration modes have named contexts within which ACL use statements can be created in IOS. The contexts for line mode are the actual lines (for example, console, vty 0, vty 1, and so on); the contexts for interface mode are interface names (for example, Serial 0, Ethernet 0, TokenRing 0, and so on). ACL Manager allows you to create use statements only for line, interface, and global modes, and allows you to apply these statements only for line access, packet filtering, and SNMP server access controls. VACLs can be used only for packet filtering and redirection on VLANs. For VACL uses, the mode is VLAN and the contexts are the VLANs defined on the switch.

IOS ACLs: Also known as Router ACLs. They are used in routers for packet filtering on interfaces, line access, SNMP access, route maps, and other purposes.

Logical View: An abstract or high-level view of the ACE statements in an ACL. The logical view can show ACEs using service and network class definitions, template include statements, and comments.

Network: A named IP address and mask combination. It is a subnet specification used in the source and destination fields of ACE statements.

Network Class: A named set of IP addresses, hostnames, IP address ranges, networks, or (recursively) other network classes that ACL Manager allows you to use in ACE source or destination fields.

Physical View: A low-level view of the ACE statements in an ACL. The physical view maps one-to-one onto the IOS/Catalyst OS commands corresponding to the ACE statements.

Scenario: The set of devices whose ACLs and ACL use statements you are currently editing. You can name a scenario and save it for future use. You can set the attributes of a scenario to make it editable and viewable only by you, or writable and viewable by other users besides yourself. Note that you can edit devices in multiple scenarios simultaneously.

Service: A named TCP or UDP port that can be used in individual ACEs to specify the network traffic to be matched by the filter criteria.

Service Class: A named set of port range specifications that ACL Manager allows you to use in ACE port specification fields. Service class definitions are recursive and can use other service or service class definitions.

Template: See ACL Template.

Template Include ACE: A special ACE that proxies for, or represents, the set of ACEs corresponding to a template.

VLAN Access Lists (VACLs): VACLs are similar to Router/IOS ACLs in terms of their definition. However, they are used by Catalyst 6000 family switches to control access for all packets they switch, including packets bridged within a VLAN.
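The logical and physical views above are the heart of the model: one logical ACE that names a network class and a service class stands for every combination of the members those classes expand to, and it is the expanded (physical) form that the device actually enforces. The following added example (not ACL Manager code, and not from the guide) shows that expansion for IOS extended ACEs. The class names, the host name and the address it resolves to are constructed for the example; a table stands in for the DNS lookup the guide says ACL Manager performs on host names.

```python
"""Added example, not ACL Manager code: expand a logical-view ACE that refers
to a network class and a service class into the physical-view IOS commands.

Everything below is constructed sample data; the class names, the host name
and the DNS answer are assumptions made for the example."""
import ipaddress
from itertools import product

# Constructed class definitions. An entry may be a prefix, a host name, or
# (recursively) the name of another class, as the guide describes.
NETWORK_CLASSES = {
    "MGMT_NETS": ["10.1.0.0/24", "10.2.0.0/24"],
    "DMZ": ["192.0.2.0/25", "dmz-web.example.com", "MGMT_NETS"],
}
SERVICE_CLASSES = {
    "WEB": ["80", "443"],
    "ADMIN": ["22", "WEB", "8000-8010"],
}
# Stands in for the DNS lookup ACL Manager performs on host names
# (assumed answer; no real lookup is done here).
DNS_ANSWERS = {"dmz-web.example.com": "192.0.2.10"}


def expand_network(name, _stack=()):
    """Flatten a network class, recursively, into IOS address/wildcard tokens."""
    if name in _stack:
        raise ValueError("network class cycle: " + " -> ".join(_stack + (name,)))
    tokens = []
    for item in NETWORK_CLASSES[name]:
        if item in NETWORK_CLASSES:
            tokens.extend(expand_network(item, _stack + (name,)))
        elif item in DNS_ANSWERS:
            # The resolved address is frozen into the ACE: a later DNS change
            # is not reflected until the ACL is regenerated and downloaded.
            tokens.append(f"host {DNS_ANSWERS[item]}")
        else:
            net = ipaddress.ip_network(item, strict=True)
            if net.prefixlen == net.max_prefixlen:
                tokens.append(f"host {net.network_address}")
            else:
                # IOS ACEs take a wildcard (inverse) mask, not a subnet mask.
                tokens.append(f"{net.network_address} {net.hostmask}")
    return tokens


def expand_service(name, _stack=()):
    """Flatten a service class into IOS port operators (eq / range)."""
    if name in _stack:
        raise ValueError("service class cycle: " + " -> ".join(_stack + (name,)))
    tokens = []
    for item in SERVICE_CLASSES[name]:
        if item in SERVICE_CLASSES:
            tokens.extend(expand_service(item, _stack + (name,)))
        elif "-" in item:
            low, high = item.split("-", 1)
            tokens.append(f"range {int(low)} {int(high)}")
        else:
            tokens.append(f"eq {int(item)}")
    return tokens


def expand_ace(action, proto, src_class, dst_class, svc_class):
    """One logical ACE -> the physical ACEs for every source x destination x port."""
    return [
        f"{action} {proto} {src} {dst} {port}"
        for src, dst, port in product(
            expand_network(src_class), expand_network(dst_class), expand_service(svc_class)
        )
    ]


if __name__ == "__main__":
    for line in expand_ace("permit", "tcp", "MGMT_NETS", "DMZ", "WEB"):
        print(line)
```

One logical entry here becomes sixteen physical entries (2 sources x 4 destinations x 2 ports), which is why the guide has you review the physical view of the configuration changes before a download: an edit to a class silently changes every ACL that references it, on every device, and a stale DNS answer baked into an ACE is invisible in the logical view.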
Benefits of ACL Manager

ACL Manager:
  Provides a uniform interface that insulates the user from differences in ACL features across the supported IOS/Catalyst OS versions.
  Is easy to use and ensures high productivity for the user.
  Supports Secure Sockets Layer (SSL) for secure client-to-server communication.
  Supports Secure Shell (SSH) for secure server-to-device communication.
  Reduces device configuration time dramatically.
  Reduces installation costs.
  Is integrated with Essentials and uses the Config Archive, Inventory, Change Audit Service, and Transport facilities.
  Provides a browser-based GUI and integrates the task flow with the Essentials GUI.
  Allows the user to fully exploit the ACL features in IOS/Catalyst OS.
  Reduces operation time when deploying ACLs to several devices.
  Provides for automated deployment of ACLs.
  Enables you to apply VACLs on Private VLANs.
  Allows novice operators to safely deploy complex ACLs previously set up through templates.
  Allows the enterprise to establish policies and to standardize on ACL uses through the use of templates.
  Avoids the drudgery of entering ACL configurations repeatedly on multiple devices by providing point-and-click copy and paste functionality.
  Minimizes human error in ACL creation by allowing the use of classes, which reduces the number of ACEs you have to write by hand.
  Improves network throughput by enabling ACL optimization.
  Permits the use of Domain Name System (DNS) names in ACE source and destination fields. ACL Manager automatically performs a DNS lookup and converts these fields to the corresponding IP addresses.
ACL Manager Functionality

The ACL Manager suite is integrated with the Essentials Config Archive and Inventory applications. It uses device information from Inventory and reads the configuration held in the Config Archive to build a model of the ACLs and ACL use statements in the device configuration. The ACL Manager module displays this information as a tree in a Windows Explorer-style GUI. When you change device ACLs and ACL use statements, ACL Manager generates the IOS commands (config deltas) that implement the changes. A download mechanism lets you apply the configuration changes to the devices concerned. The Config Archive is updated automatically after a successful ACL Manager download. ACL Manager uses the Java Plug-in. The plug-in improves the performance of ACL Manager and is provided with the CiscoWorks application (see the topic Installing the Java Plug-in in Chapter 3 of User Guide for CiscoWorks Server). Some of the tasks that the ACL Manager suite enables you to perform include:
  Identifying when an ACL was last modified and applied (Modification Date Attribute in Chapter 2).
  Navigating around devices to see which ACLs are defined and where they are used; even ACL uses not supported for creation by ACL Manager are listed (Viewing Existing ACLs in Chapter 4).
  Creating new ACLs (Creating ACLs in Chapter 4).
  Editing an existing ACL and returning it to its device (Editing ACLs in Chapter 4).
  Reordering ACEs (Reordering ACEs in Chapter 4).
  Naming, renaming, and numbering ACLs, and making the corresponding changes in the rest of the configuration file (Renaming ACLs in Chapter 4).
  Saving an ACL as a template and associating it with a logical name (Editing ACLs in Chapter 4).
  Creating an alias for an ACL and using it on a device where named ACLs are not supported (Editing ACLs in Chapter 4).
  Naming networks and services, creating classes containing host addresses, address ranges, networks, or other classes, and using them in ACL definitions (Using the Class Manager in Chapter 6).
  Creating and editing templates (Using the Template Manager in Chapter 7).
  Applying ACL templates or ACLs for packet filtering or line access on devices (Defining ACL Uses in Chapter 8).
  Deploying ACLs on a group of devices (Scheduling Downloads in Chapter 9).
  Scheduling and downloading modified ACL and ACL use statements and/or changes in meta-information, such as comments and template include statements, to devices (Scheduling Downloads in Chapter 9).
  Optimizing ACL statements to eliminate redundancies, compress entries, and adjust the order of ACEs for maximum performance (Optimizing ACLs in Chapter 10).

ACL Manager Tools

  Class Manager, which enables you to create and edit services, service classes, networks, and network classes. You can then use these definitions in ACE source and destination fields, saving you the trouble of entering multiple IOS commands covering all possible combinations of source and destination field components. (See Chapter 6, Using the Class Manager.)
  Template Manager, which allows you to create and edit ACL templates. (See Chapter 7, Using the Template Manager.)
  Template Use Wizard and its variants, which allow you to perform the following sequence of actions:
  Job Browser, for displaying the status of download jobs. (See Chapter 9, Scheduling and Downloading.)
  Downloader, for scheduling and downloading the modified ACL and ACL use statements and/or changes in meta-information, such as comments and template include statement creations, to devices. (See Chapter 9, Scheduling and Downloading.)
  Optimizer, for examining an ACL to see whether optimization is possible after the ACL has been created or edited. (See Chapter 10, Optimizing ACLs.)
  Hits Optimizer, for reordering the ACEs within an ACL according to their hit rate. (See Chapter 10, Optimizing ACLs.)
  Diff Viewer, for displaying the configuration changes you have made since creating the scenario. (See Chapter 10, Optimizing ACLs.)
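An ACL is evaluated top down and the first matching entry wins, so "reordering ACEs according to hit rate" is only safe when the reorder cannot change which entry a packet hits first. The added example below (not ACL Manager code; its algorithm is the editor's, not the guide's) shows a semantics-preserving hits optimization next to the naive sort it avoids, plus the redundancy check that the Optimizer's "eliminate redundancies" step implies: an entry that an earlier, broader entry already covers can never match. The ACL and its hit counts are constructed; the ACE representation (CIDR prefixes, "any") is an assumption for the example.

```python
"""Added example, not ACL Manager code: reorder ACEs by hit count without
changing what the ACL permits or denies, and flag entries that an earlier
entry already shadows. The ACL below and its hit counts are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", "udp", ...
    src: str      # prefix in CIDR form, or "any"
    dst: str
    hits: int     # matches counted on the device


def _net(prefix):
    return ipaddress.ip_network("0.0.0.0/0" if prefix == "any" else prefix, strict=True)


def overlaps(a, b):
    """True if some packet could match both entries."""
    proto_ok = a.proto == b.proto or "ip" in (a.proto, b.proto)
    return proto_ok and _net(a.src).overlaps(_net(b.src)) and _net(a.dst).overlaps(_net(b.dst))


def covers(a, b):
    """True if every packet matching b also matches a (a shadows b when a is earlier)."""
    proto_ok = a.proto == b.proto or a.proto == "ip"
    return proto_ok and _net(a.src).supernet_of(_net(b.src)) and _net(a.dst).supernet_of(_net(b.dst))


def shadowed(acl):
    """Indices of entries that can never match because an earlier entry covers them."""
    return [j for j, b in enumerate(acl) if any(covers(a, b) for a in acl[:j])]


def hits_optimize(acl):
    """Put high-hit entries first, but keep the relative order of any two
    overlapping entries with different actions: that is the only pair whose
    swap can change the ACL's decision for some packet."""
    n = len(acl)
    must_precede = {
        j: {i for i in range(j) if acl[i].action != acl[j].action and overlaps(acl[i], acl[j])}
        for j in range(n)
    }
    placed, order = set(), []
    while len(order) < n:
        # Candidates whose required predecessors are all placed; take the hottest.
        ready = [j for j in range(n) if j not in placed and must_precede[j] <= placed]
        best = max(ready, key=lambda j: (acl[j].hits, -j))   # ties keep original order
        placed.add(best)
        order.append(best)
    return [acl[j] for j in order]


def naive_sort(acl):
    """Plain sort by hit count, for comparison; not semantics-preserving."""
    return sorted(acl, key=lambda a: -a.hits)


# Constructed sample: a low-hit host deny sits above the permit that covers it.
SAMPLE_ACL = [
    Ace("deny", "ip", "10.0.0.5/32", "any", 3),
    Ace("permit", "ip", "10.0.0.0/24", "any", 5000),
    Ace("permit", "tcp", "192.168.1.0/24", "10.9.9.0/24", 90000),
    Ace("deny", "ip", "any", "any", 12),
]

if __name__ == "__main__":
    for ace in hits_optimize(SAMPLE_ACL):
        print(ace)
    print("shadowed after naive sort:", shadowed(naive_sort(SAMPLE_ACL)))
```

On the sample, the safe reorder moves the 90000-hit TCP permit to the top (it overlaps nothing with a different action above it) but leaves the 3-hit host deny ahead of the 5000-hit subnet permit. A plain sort by hits would put the permit first and the deny would then be fully shadowed, which is a silent policy change rather than an optimization. Whatever tool does the reordering, check the physical view for exactly this before downloading.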
ACL Manager Privilege Levels

Privilege Level  Directory  Description
                 HD         Help Desk
                 AP         Approver
2                NO         Network Operator
4                NA         Network Administrator
8                SA         System Administrator
ACL Manager tasks require various privilege levels, and your ability to perform these tasks depends on your assigned privilege level. You should contact your system administrator to find out your privilege level and which tasks you can access. ACL Manager tasks are usually performed with network operator or network administrator privileges. You can view the tasks that can be performed at each level by going to the Essentials navigation tree and selecting Server Configuration > Setup > Security > Permission Reports.
Privilege Levels and Tasks

Privilege Level          Tasks
                         View ACLs
                         Use ACL Templates
                         Browse Download Jobs (browse and cancel download jobs)
                         Schedule Downloads
Network Administrator    View ACLs
                         Edit ACLs (create and edit ACLs)
                         Delete Scenarios
                         Schedule Downloads
                         Edit ACL Templates
                         Edit Class Definitions
                         Reset Hit Counter
                         View ACLs
CHAPTER 2  ACL Definitions and Uses

This chapter covers the following topics:
  Creating ACLs and Templates
  ACL and Template Attributes
  ACL Properties (Use Details)
  ACL Uses
Using a combination of the ACL Editor and the ACE Editor.
Using the cut, copy, and paste features: by cutting or copying ACLs or ACEs from one device or ACL and then pasting them to other devices or ACLs.
Using the Template Use Wizard to create an ACL that utilizes a template. This creates a Use statement as well as the ACL definition.
Using the Template Manager in the same way that you create an ACL, using the Template Editor and the ACE Editor.
Saving portions of an ACL (a set of ACEs) as a template.
Saving an existing ACL as a template.
Attribute: Description
Name: Name or number of the ACL or ACL template. For a VACL, number is not applicable.
Type: Associated ACL type (see Name, Number, and Type Attributes).
Creation Date: Date and time the ACL or template was created. This attribute cannot be edited; it is automatically determined by ACL Manager.
Created By: Name of the user who created the ACL or template.
Date when the ACL or template was last modified.
Name of the user who last modified the ACL or template.
Comment: Comments inserted by the creator or modifier of the ACL.
After you start ACL Manager (see Chapter 3, Getting Started), you can use the following procedure to view the ACL definitions for a particular device.
Procedure
Step 1 Expand the device folder in the ACL Manager Main Window.
Step 2 Select ACL Definitions. The ACLs and their attributes appear in the right pane (see Figure 2-1).
Figure 2-1
ACL Type: IPX Summary, Rate Limit MAC, Rate Limit Precedence
Named ACLs are not supported on some IOS versions. In that case, the ACL name is shown with an automatically generated number appended to the name and enclosed in parentheses. For Rate Limit ACLs, ACL Manager distinguishes the ACL from a standard IP ACL by appending the string rate-limit to the number.
Created By Attribute
Your login name (for example, admin) is inserted automatically when you create an ACL.
Comment Attribute
You can insert comments when creating or modifying an ACL.
After you start ACL Manager (see Chapter 3, Getting Started), use this procedure to view the ACL properties for a particular device.
Procedure
Step 1 Expand the folder for the device, then expand ACL Definitions.
Step 2 Right-click the required ACL, then select Properties. The ACL Properties window appears (see Figure 2-2).
Figure 2-2
Tip
You can also view the properties by selecting the ACL to be examined, then selecting the toolbar button or View > Properties from the ACL Manager Main Menu.
ACL Uses
You can define ACL Use for line access, packet filtering, SNMP community access, SNMP TFTP server, and VLAN packet filtering. You can view ACL Uses of other types, such as router, route-map, and crypto-map using ACL Manager. Although you cannot create Uses of these types, if you rename an ACL that is referenced in one of these types of Uses, the Use statement is updated with the new ACL name. ACL Manager enables you to create ACLs from templates. You can also create Uses for such ACLs.
These modes correspond to router configuration modes in IOS. Except for configuration mode global, all Use modes can have one or more Use contexts associated with them. Use contexts for line and interface are the actual vtys or lines and interfaces existing on the router.
Procedure
Step 1 Expand the device folder in the ACL Manager Main Window, then expand ACL Uses.
Step 2 Expand the mode (for example, Interface).
Step 3 Select the specific context to be displayed (for example, Ethernet0). Information about the ACL Use appears in the right pane (see Figure 2-4).
Figure 2-4
The following ACL Use information appears:
ACLs: The ACL used in this context.
IOS/Catalyst OS Command: IOS/Catalyst OS command that implements the Use.
Description: Description of the Use, taken from the IOS/Catalyst OS reference manual. You cannot change this description.
Chapter 3
Getting Started
ACL Manager provides you with a launch point for performing many of the tasks involved with ACL management. You can also perform these tasks by making appropriate selections from the Essentials navigation tree. These topics describe how to get started with ACL Manager:
Before You Begin
Setting Up Essentials
Starting ACL Manager
Saving Scenarios
Deleting Scenarios
Printing
Navigating in the ACL Manager Main Window
ACL Manager Menus
Using the Toolbar
Using Keyboard Shortcuts
Performing a Complete Workflow Cycle
Advanced ACL Manager Topics
Backing up ACL Manager Data
Restoring ACL Manager Data
ACL Manager server has been installed on a server machine with Essentials already installed.
The Essentials Inventory application has been updated with device information for those devices whose ACLs you intend to manage with ACL Manager.
Note
It is strongly recommended that you become familiar with the discussion of ACL Terms and Definitions in Chapter 1 before proceeding further.
Each ACL Manager selection from Essentials launches an application or performs an operation from the set of tools provided with ACL Manager. The following table describes each task, the associated tool, and the launch point from Essentials:
Task: Creating and editing ACLs. Tool: ACL Manager. Essentials Launch Point: ACL Management > Edit ACLs
Task: Viewing ACLs; read-only access view of ACLs and ACL Uses in a scenario. Tool: ACL Manager. Essentials Launch Point: ACL Management > View ACLs
Task: Creating ACL Uses from ACL templates. Essentials Launch Point: ACL Management > Use ACL Templates
Task: Downloading ACLs and Uses to devices. Essentials Launch Point: ACL Management > Schedule Downloads
Task: Browsing, deleting, and resubmitting jobs. Essentials Launch Point: ACL Management > Browse Download Jobs
Task: Creating, editing, and viewing ACL templates. Essentials Launch Point: Administration > ACL Management > Edit ACL Templates
Task: Creating services, service classes, networks and network classes. Essentials Launch Point: Administration > ACL Management > Edit Class Definition
Task: Resetting device hit counters before using Hits Optimizer. Tool: Hits Resetter. Essentials Launch Point: Administration > ACL Management > Reset Hit Counter
Task: Deleting scenarios. Essentials Launch Point: ACL Management > Delete Scenarios
Additional tools are available from within some of the above applications to assist in performing the main tasks. The following table describes the subtasks and launch points:
Subtask: Creating and editing ACLs and templates. Tool: ACL Editor. Launch Point: ACL Manager, Template Manager
Subtask: Creating and editing ACEs. Tool: ACE Editor. Launch Point: ACL Manager, Template Manager
Subtask: Viewing config file differences. Tool: Diff Viewer. Launch Point: ACL Manager, Downloader
Subtask: Optimizing ACLs. Tool: Optimizer, Hits Optimizer. Launch Point: ACL Manager
Subtask: Browsing templates. Tool: Template Browser. Launch Point: ACL Manager, Template Manager, Template Use Wizard
Setting Up Essentials
You must have Essentials installed and running in order to use ACL Manager. In addition, you must populate the device inventory with the devices to be managed by ACL Manager.
Procedure
Step 1 Install and start Essentials. See the appropriate Essentials installation manual.
Step 2 Select Administration > Inventory > Add Devices to populate your network inventory with the devices to be managed by ACL Manager.
Note
Ensure that Java, JavaScript, and Accept all cookies are enabled in your browser settings. If these settings are not enabled, you will not be able to log in to Essentials.
Procedure
Step 1
Select ACL Management > Edit ACLs from the Essentials navigation tree. The scenario selection window appears (see Figure 3-1). A scenario in ACL Manager is your own workspace. In your scenario, you can have a set of devices whose ACLs, ACL Uses, and Time Ranges you wish to edit. When you create a scenario, you can set its attributes to make it editable and viewable only by you, or writable and viewable by other users besides yourself (see Global Scenario).
Step 2
Select or enter a scenario name. If you are using ACL Manager for the first time, there are no scenario names in either list box.
Figure 3-1 Edit ACLs Dialog Box
Step 3
Set the remaining fields for your scenario, as follows:
Scenario Name: Name of this scenario.
Global Scenario: Select this check box if you want this scenario to be writable by other users with network administrator privileges or above. Other users with these privileges can use this global scenario, if it is not already open. Users with network operator or approver privileges will have read-only access to this scenario. If you do not check this box, you will be the exclusive user of this scenario.
Add Devices to Scenario: Select this check box to allow devices to be added to an already existing scenario.
Read Config From Device: Select this check box to synchronize the Essentials Config Archive with the devices in the scenario (get the configuration file) before starting ACL Manager.
Recover Scenario: Select this check box to open the auto-saved version of the scenario instead of the last saved version; a tilde (~) is then appended to the end of the scenario name in the ACL Manager Main Window. This check box is available only if ACL Manager exited abnormally and detected an auto-save version of the scenario that you are attempting to open.
Auto Save Period (in minutes): Defines how often changes to the scenario are saved. Use the autosave option for a scenario to guard against browser crashes.
Step 4
Click Next. If you are creating a new scenario, the Device Selection dialog box is displayed (see Figure 3-2).
Step 5
Select a device view from the Views column, for example, All Devices. The devices corresponding to the selected view appear in the Devices column.
Figure 3-2
Step 6
Select the devices for your scenario from the Devices column, then click Finish. The ACL Manager Main Window is launched (see Figure 3-5).
Note
In some browser versions, you will receive a security warning asking for permission to install and execute some code from Cisco Systems. Select Yes to proceed.
Saving Scenarios
After your edits are complete with respect to the creation and modification of ACL, ACE, and ACL Use statements, you can save your scenario. You can save the scenario under the name used when you opened the scenario or under a different name.
Procedure
Step 1
Select File > Save Scenario As from ACL Manager. The Save As Scenario dialog box appears (see Figure 3-3).
Step 2
Enter the following information, then click Save As:
Save Scenario As: Name by which the new scenario will be referred to. The old scenario will still be available.
Global Scenario: Select this check box if you want this scenario to be writable by other users with network administrator privileges or above. Other users with these privileges can use this global scenario, if it is not already open. Users with network operator or approver privileges will have read-only access to this scenario. If you do not select this check box, you will be the exclusive user of this scenario.
Figure 3-3
Save Scenario As
Deleting Scenarios
To delete a scenario directly from the Essentials navigation tree:
Procedure
Step 1
Select ACL Management > Delete Scenarios. The Delete Scenarios dialog box appears (see Figure 3-4).
Figure 3-4 Delete Scenarios Dialog Box
Step 2
Note
Procedure
Step 1
Select File > Open Scenario from the ACL Manager Main Window. The Open Scenario dialog box appears.
Step 2 Select a scenario name.
Step 3 Set the remaining fields for your scenario, as follows:
Open in read-only mode: Select this check box to ensure that the scenario can only be viewed; it is then not possible to change the scenario in any way.
Read Config From Device: Select this check box to synchronize the Essentials Config Archive with the devices in the scenario (get the configuration file) before starting ACL Manager.
Recover Scenario: Select this check box to open the auto-saved version of the scenario instead of the last saved version. A tilde (~) is then appended to the end of the scenario name in the ACL Manager Main Window. This check box is available only if ACL Manager exited abnormally and detected an auto-save version of the scenario that you are attempting to open.
Step 4
Printing
ACL Manager allows you to print the object and its contents. An object can be a scenario, a device or an ACL. A scenario can contain devices and the ACLs on the devices. The print option is also available in Class Manager and Template Manager.
The following table describes the ACL Manager Main Window:
Folder (left pane): Shows a hierarchy of items starting with the scenario, the devices in the scenario, and ACLs and ACL Use contexts, in expanding and collapsing folders. To expand or collapse a folder, click the + or - icon next to the folder, or double-click the folder.
Contents (right pane): Shows the attributes of any item selected in the folder pane. The contents are empty if there are no attributes associated with the selected item.
Status area (bottom left): Indicates the status of the application. The following status is displayed in this area:
Loading: When ACL Manager is reading the device config files and preparing to display the tree hierarchy for each device in the scenario.
Ready: When loading is completed.
Item count area (bottom right): Shows the number of items contained in the currently selected object:
When a scenario is selected, shows the number of devices in the current scenario.
When the label ACL Definitions on a device is selected, shows the number of ACLs for that device.
When an ACL is selected, shows the number of ACEs in that ACL.
View mode: Shows the view mode for viewing ACEs. If you are in an ACL context and in physical view mode, the contents pane has a gray background. No editing operations are permitted in physical view mode, except for reordering ACEs.
To modify the settings for an editable item in the folder pane, select the item and then select an appropriate command from a menu. For convenience, you can right-click some actions to display the options in a popup menu. (See specific tasks for more information.)
File Menu
The File menu contains:
Open Scenario: Closes the current scenario and brings up a dialog box from which you can select another scenario to open.
Close Scenario: Closes the scenario. If the scenario has not yet been saved, you will be prompted to save it.
Save Scenario: Saves the changes you made to the open scenario.
Save Scenario As: Saves the changes you made to the open scenario in a new scenario. The new scenario will be opened. The old scenario will be left unchanged.
Save ACL As: Saves the selected ACL as a template (see Chapter 4, Saving ACLs as Templates).
Save ACE As: Saves the selected ACEs as a template (see Chapter 4, Saving ACEs as a Template). The selected ACEs are replaced with a single template include ACE.
Print: Prints the object and its contents. An object can be a scenario, a device or an ACL. A scenario can contain devices and the ACLs on the devices. The print option is also available in Class Manager and Template Manager.
Exit: Exits the ACL Manager.
Edit Menu
The Edit menu contains:
Undo: Undoes the last edit operation, if possible. Note that some editing operations are irreversible, for example, deleting an ACL Use statement or expanding ACEs inline.
Cut: Copies the current selection to the paste buffer and deletes it (see Chapter 4, Editing ACLs). You can select one or more ACLs or ACEs.
Copy: Copies the current selection to the paste buffer (see Chapter 4, Editing ACLs). You can select one or more ACLs or ACEs.
Paste: Pastes the contents of the paste buffer in front of the current selection. If there is no current selection, the contents are appended at the end of the contents pane. In the case of objects that are shown as sorted (for example, ACLs and templates), the list in the contents pane is sorted again after pasting.
Delete: Deletes the current selection. The selection can be one or more devices, ACLs, ACEs, or ACL Use statements.
Move ACE Up: Moves the selected ACEs up one position.
Move ACE Down: Moves the selected ACEs down one position.
Find: Searches for specified text in the right (Contents) pane (see ACL Manager Menus).
Apply Template: Launches the Template Use Wizard on the selected device (see Chapter 8, ACL Manager Use Wizard). Select the use type to create ACLs and Uses on the devices.
Use ACL: Launches the Template Use Wizard on the selected device for the selected ACL (see Chapter 8, ACL Manager Use Wizard). Select the Use type to create a Use for the ACL.
Edit: Launches the appropriate editor on the current selection. For example, if the selection is an ACL, ACL Editor will be launched. If the selection is an ACE, ACE Editor will be launched.
Insert ACL: Launches the ACL Editor to create a new ACL and inserts it into the device.
Insert ACE: Launches the ACE Editor to create a new ACE.
Include Template: Launches the Template Browser to insert a new template include statement into the current ACL context, before the current ACE.
Insert Comment: Launches a dialog box to insert a one-line comment into the current ACL context, before the current ACE.
Insert Time Range: Launches the Time Range Editor to create a new time range definition on the device.
Expand Inline: Replaces the current logical ACEs selection with the physical ACE(s) equivalent. This action loses all comments, and cannot be undone.
Go to ACL: Changes the contents pane view context from the ACL Use to the ACL being used in the selected use.
View Menu
The View menu contains:
Logical View: Changes the view mode to logical.
Physical View: Changes the view mode to physical.
Left Pane: Makes the folder pane visible, if it was previously invisible.
Refresh Device: Executes a refresh operation on selected devices. If any device is in a STALE state, the state will change to OK. The configuration is refreshed from the device, and all changes done to the device will be lost.
Update Device Status: Determines the current states of the selected devices. States can be one of: OK, STALE, UNMANAGED, and UNREACHABLE.
Replaces the current physical view with one regenerated from the current selection. The selection can be on a device, one or more ACLs, or one or more ACEs. Regeneration could involve:
Conversion of DNS hostnames to IP addresses.
Expansion of networks, network classes, services, and service classes to their components.
Replacement of template include statements with their constituent ACEs.
Use this function if you suspect that a template, class definition, or DNS name has changed since it was last applied to a device.
Properties: Displays a window showing the properties of the selected object. Properties can be displayed for: devices, interfaces, and ACLs. (ACL properties are actually use details for the ACL.)
Users: Displays a window showing the current Essentials users of the selected devices and the scenario in which the devices are used.
ACL Menu
The ACL menu contains:
New ACL: Launches the ACL Editor to create a new ACL.
New ACE: Launches the ACE Editor to create a new ACE in the current ACL context. The new ACE is appended to the end of the list of ACEs in the contents pane.
Launches the Template Browser to select a template to append a template include ACE to the current ACL context.
Launches a dialog box to enter a one-line comment which is appended to the end of the list of ACEs in the contents pane.
Launches the Time Range Editor to create a new time range definition on the device.
Tools Menu
The Tools menu contains:
ACL Use Wizard: Launches the ACL Use Wizard (see Chapter 8, Applying an ACL Template to a Specific Device).
ACL Downloader: Launches the Downloader (see Chapter 9, Scheduling and Downloading).
Job Browser: Launches the Job Browser (see Chapter 9, Browsing Job Status and Results).
Diff Viewer: Launches the Diff Viewer (see Chapter 9, Verifying the Configuration Changes).
Class Manager: Launches the Class Manager (see Chapter 6, Using the Class Manager).
Template Manager: Launches the Template Manager (see Chapter 7, Using the Template Manager).
Optimizer: Launches the Optimizer (see Chapter 10, Optimizing ACLs).
Hits Optimizer: Launches the Hits Optimizer (see Chapter 10, Optimizing ACLs).
Represents a router that has ACL definitions on it (if the icon is blue).
Represents a stale router that has ACL definitions on it (if the icon is grey).
Represents a switch that has ACL definitions on it (if the icon is blue).
Represents a stale switch that has ACL definitions on it (if the icon is grey).
Represents a router that has no ACL definitions on it (if the icon is blue).
Represents a router that is stale, and with no ACL definitions on it (if the icon is grey).
Represents a switch that has no ACL definitions on it (if the icon is blue).
Represents a stale switch that has no ACL definitions on it (if the icon is grey).
Icon: Description
Undo: Undoes the last edit operation, provided that the undo is possible. Some editing operations are irreversible; for example, deleting an ACL Use statement. The action is equivalent to selecting Edit > Undo.
Up One Level: Changes the left pane selection context to be at the next higher level.
Move selected ACE up: Moves the selected ACEs by shifting them up one position. The action is equivalent to selecting Edit > Move ACEs Up.
Move selected ACE down: Moves the selected ACEs by shifting them down one position. The action is equivalent to selecting Edit > Move ACEs Down.
Template Use Wizard: Launches the Use Wizard. The action is equivalent to selecting Tools > Use Wizard.
ACL Downloader: Launches the Downloader. The action is equivalent to selecting Tools > Downloader.
Job Browser: Launches the Job Browser. The action is equivalent to selecting Tools > Job Browser.
Class Manager: Launches the Class Manager. The action is equivalent to selecting Tools > Class Manager.
Template Manager: Launches the Template Manager. The action is equivalent to selecting Tools > Template Manager.
Properties: Displays properties of the current selection. The selection can be on a device, ACL, or interface. ACL properties are actually their uses in the device. The action is equivalent to selecting View > Properties.
Print: Prints the contents of the current selection. The action is equivalent to selecting File > Print. This is available in Class Manager and Template Manager also.
Left pane: Expands the current selection if it is collapsed, or collapses the current selection if it is expanded.
Key: Action (Context)
Enter (right pane): Displays the ACE Editor dialog box if the current selection is an ACE; otherwise expands the current selection.
Opens the scenario (both panes).
Saves the scenario (both panes).
Prints the contents of the current selection (both panes).
Searches for lines containing specific text in the right pane (both panes).
Undoes changes (both panes).
Selects all of the permissible items in the right pane (both panes).
Deletes the current selection and copies it to the Paste buffer (both panes). (See Editing ACLs in Chapter 4.) You can select and delete one or more ACLs or ACEs.
Ctrl+C (both panes): Copies the current selection to the Paste buffer. (See Editing ACLs in Chapter 4.)
Ctrl+V (both panes): Pastes the contents of the Paste buffer before the current selection. If you have not selected anything in the contents pane, then they are pasted at the end of the list.
Del (both panes): Deletes the current selection. You can select and delete one or more devices, ACLs, ACEs, or ACL Use statements.
Switches between right and left panes (both panes).
Switches between the right and left panes (both panes).
Exits from ACL Manager (both panes).
Creating a scenario or opening an existing scenario (see Starting ACL Manager).
Creating ACLs (see Creating ACLs in Chapter 4) or editing existing ACLs, or both (see Editing ACLs in Chapter 4).
Creating and editing ACEs (see Editing ACEs in Chapter 4).
Creating ACL Use statements (see Defining ACL Uses in Chapter 8).
Saving the scenario (see Saving Scenarios).
Viewing and verifying the changes made to the device configuration during editing (see Verifying Device Configuration Changes).
Scheduling a download job and downloading the ACL and ACL Use modifications to devices (see Downloading the Changes to the Devices).
Verifying that the download was completed successfully (see Verifying That the Download Was Successful).
Stale Devices
A device becomes stale when the ACL-related device configuration from which the scenario was derived is modified outside the scenario. This can happen in these situations:
The ACLs or ACL Use statements, or both, for a device are modified and downloaded from one scenario, but the device is still being used in one or more other scenarios. In this case, the device will become stale in the other scenarios.
A device is being used in a scenario and a template used on a device is modified and downloaded (the template is synchronized) to the device from Template Manager.
Note
A template is considered to be used on a device if any ACL on the device contains a template include statement and this ACL has been downloaded to the device.
A device configuration is modified from the command line interface (CLI) while the device is being used in one or more other scenarios.
An attempted download fails and rollback fails. The device status may change to stale in scenarios containing that device.
The device status will be changed to stale (that is, its icon is grayed out and its status is set to stale) when:
A View > Update Device Status operation is performed.
The scenario is immediately closed then reopened after any of the above events caused it to become stale.
The scenario is modified and a download is attempted.
Thirty seconds have elapsed since the configuration file was changed on the device.
Note
Any edits made to the stale device in the client scenario will be lost on refreshing.
Refreshing Devices
Three device configuration states are relevant to ACL Manager:
The actual configuration on the device.
The configuration in the device model on the server (the base scenario).
The configuration in the user scenario.
Ideally, the configuration on the device is always synchronized with the device in the base scenario. However, asynchronous changes on the device can happen outside the scope of ACL Manager. For example, devices can be accessed and configurations modified directly through the CLI.
To provide a current version of the device config, the configuration in the base scenario is reconciled with the device:
Whenever a scenario is created or opened for editing (provided that the Read Config from Device option is selected when the scenario is opened).
After a completely successful or partially successful download.
When a device refresh is requested.
The representation of ACLs and ACL Use statements in a user scenario is based on the device configuration that was obtained from the device when the scenario was created. If the device configuration from which a user scenario was derived is modified outside the scenario (for example, through the CLI, or by another scenario being downloaded while the device in the original scenario is being edited), then the basis for the edits in the original scenario is invalidated. If this happens, ACL Manager sets the device status to stale. You can continue to make modifications to the device but will be unable to download them to the device. You must refresh a stale device before attempting to download ACL and ACL Use statement modifications to it. Refreshing a device reconciles the device configuration in the scenario with the configuration on the device. You could lose modifications on a device that becomes stale unless you take the precautions described in How to Avoid Losing Edits When Refreshing a Device.
Saving edited and newly created ACLs in the paste buffer.
Refreshing the device.
Pasting back the saved ACLs.
Alternatively, you could save the scenario under another name; this preserves the edits in the scenario with the new name. Only edits made to ACL definitions can be saved before a stale device is refreshed. Edits to ACL Use statements cannot be saved.
Note
ACL Manager data comprising scenarios, templates, services, service classes, networks, and network classes are backed up. Jobs will not be backed up.
Procedure
Step 1 Log in as the super user.
Step 2 Set the NMSROOT variable to the CiscoWorks install directory.
Step 3 Enter $NMSROOT/bin/pdterm AclmServer
Step 4 Enter $NMSROOT/bin/perl $NMSROOT/bin/aclmbackup.pl to back up the ACL Manager data. You can specify the folder into which the data should be backed up as a command line parameter. For example, you can enter $NMSROOT/bin/perl $NMSROOT/bin/aclmbackup.pl /aclmbackup where /aclmbackup is the backup folder. If you do not specify the folder as a command line parameter, the system prompts you to specify a folder to back up the data.
Step 5 After the backup is complete, enter $NMSROOT/bin/pdexec AclmServer to restart the ACL Manager server.
Procedure
Step 1 Ensure that you have correct permissions to access CiscoWorks installation directories.
Step 2 Set the NMSROOT variable to the CiscoWorks install directory.
Step 3 Enter %NMSROOT%\bin\pdterm AclmServer
Step 4 Enter %NMSROOT%\bin\perl %NMSROOT%\bin\aclmbackup.pl to back up the ACL Manager data. You can specify the folder into which the data should be backed up as a command line parameter. For example, you can enter %NMSROOT%\bin\perl %NMSROOT%\bin\aclmbackup.pl d:\aclmbackup where d:\aclmbackup is the backup folder. If you do not specify the folder as a command line parameter, the system prompts you to specify a folder to back up the data.
Step 5 After the backup is complete, enter %NMSROOT%\bin\pdexec AclmServer to restart the ACL Manager server.
Warning
ACL Manager data comprising scenarios, templates, services, service classes, networks, and network classes are restored. Existing data including jobs will be deleted during the restore operation.
Procedure
Step 1 Step 2
Step 3 Enter $NMSROOT/bin/perl $NMSROOT/bin/aclmrestore.pl to restore the ACL Manager data. You can specify the folder from which the data should be restored as a command line parameter. For example, you can enter $NMSROOT/bin/perl $NMSROOT/bin/aclmrestore.pl /aclmrestore where /aclmrestore is the restore folder. If you do not specify the folder as a command line parameter, the system prompts you to specify a folder to restore the data.
Step 4 After the restore is complete, enter $NMSROOT/bin/pdexec AclmServer to restart the ACL Manager server.
Procedure
Step 1 Ensure that you have administrator privileges to access CiscoWorks installation directories.
Step 2 Enter %NMSROOT%\bin\pdterm AclmServer
Step 3 Enter %NMSROOT%\bin\perl %NMSROOT%\bin\aclmrestore.pl to restore the ACL Manager data. You can specify the folder from which the data should be restored as a command line parameter. For example, you can enter %NMSROOT%\bin\perl %NMSROOT%\bin\aclmrestore.pl d:\aclmrestore where d:\aclmrestore is the restore folder. If you do not specify the folder as a command line parameter, the system prompts you to specify a folder to restore the data.
Step 4 After the restore is complete, enter %NMSROOT%\bin\pdexec AclmServer to restart the ACL Manager server.
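The Unix backup and restore procedures above, wrapped as an added example script (not Cisco's code and not part of this guide): it refuses to run without NMSROOT, restarts AclmServer even if the Perl script fails, and makes the data-deleting restore require an explicit acknowledgement. NMSROOT, pdterm, pdexec, aclmbackup.pl and aclmrestore.pl are the names the guide uses; ACLM_DRY_RUN and ACLM_CONFIRM_RESTORE are variables invented for this script.

```shell
#!/bin/sh
# Added example wrapper for the ACL Manager backup/restore steps (not Cisco code).
# Assumes NMSROOT is the CiscoWorks install directory and that pdterm, pdexec,
# perl, aclmbackup.pl and aclmrestore.pl are in $NMSROOT/bin, as the guide shows.
# ACLM_DRY_RUN=1 prints each command instead of running it (invented for this
# script); ACLM_CONFIRM_RESTORE=yes is the invented guard for restores.

# Run a command, or only print it in dry-run mode.
run_cmd() {
    if [ "${ACLM_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Every command is resolved under NMSROOT, so an unset value must stop the
# script instead of silently running nothing.
check_nmsroot() {
    if [ -z "${NMSROOT:-}" ]; then
        echo "NMSROOT is not set" >&2
        return 1
    fi
    if [ "${ACLM_DRY_RUN:-0}" != "1" ] && [ ! -d "$NMSROOT/bin" ]; then
        echo "$NMSROOT/bin does not exist" >&2
        return 1
    fi
    return 0
}

# Stop AclmServer (pdterm), run the given Perl script on the given folder,
# then restart AclmServer (pdexec) whether or not the script succeeded.
# Returns 0 only if the script succeeded.
with_server_stopped() {
    script=$1
    folder=$2
    run_cmd "$NMSROOT/bin/pdterm" AclmServer || return 1
    if run_cmd "$NMSROOT/bin/perl" "$NMSROOT/bin/$script" "$folder"; then
        rc=0
    else
        rc=1
    fi
    run_cmd "$NMSROOT/bin/pdexec" AclmServer || \
        echo "warning: AclmServer did not restart; run pdexec AclmServer by hand" >&2
    return $rc
}

# Steps 3 to 5 of the Unix backup procedure. Per the guide, jobs are not
# included in the backup.
aclm_backup() {
    folder=$1
    if [ -z "$folder" ]; then
        echo "usage: aclm_backup <backup-folder>" >&2
        return 1
    fi
    check_nmsroot || return 1
    with_server_stopped aclmbackup.pl "$folder"
}

# Restore, mirroring the pdterm / aclmrestore.pl / pdexec sequence. The guide
# warns that existing data, including jobs, is deleted, so require an explicit
# acknowledgement instead of a reachable default.
aclm_restore() {
    folder=$1
    if [ -z "$folder" ]; then
        echo "usage: aclm_restore <restore-folder>" >&2
        return 1
    fi
    check_nmsroot || return 1
    if [ "${ACLM_CONFIRM_RESTORE:-}" != "yes" ]; then
        echo "refusing to restore: existing ACL Manager data (including jobs) would be deleted;" \
             "set ACLM_CONFIRM_RESTORE=yes to proceed" >&2
        return 1
    fi
    with_server_stopped aclmrestore.pl "$folder"
}

# Command-line entry point, e.g.: NMSROOT=/opt/CSCOpx ./aclm_data.sh backup /aclmbackup
case "${1:-}" in
    backup)  aclm_backup "${2:-}" ;;
    restore) aclm_restore "${2:-}" ;;
esac
```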
Chapter 4
Viewing Existing ACLs
Creating ACLs
Defining ACL Uses
Editing ACLs
Saving ACLs as Templates
Renaming ACLs
Manipulating ACEs
Editing ACEs
Saving ACEs as a Template
Viewing the Configuration Changes
Editing Time Range Definitions
Optimizing the ACL
Printing the ACL/ACE
4-1
Procedure
Step 1
Select ACL Management > View ACLs from Essentials to display the View ACLs dialog box (see Figure 4-1).
Figure 4-1 View ACLs Dialog Box
Step 2
Select a scenario and select Read config from Device to synchronize the Config Archive with the devices in the scenario (get the configuration file). The ACL Manager Main Window appears.
Step 3
Carry out this procedure from the ACL Manager Main Window.
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Select ACL Definitions. The ACL definitions for the device are displayed in the right pane (see Figure 4-2).
Figure 4-2 Viewing ACLs
Creating ACLs
ACLs are created under the ACL Definition folder for a particular device. After you create an ACL, you can add ACEs to it.
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window, then select ACL Definitions. The ACL definitions appear in the right pane (see Figure 4-2).
Step 2
Select ACL Definitions, then select New ACL from the ACL Definitions popup menu. The ACL Editor dialog box appears (see Figure 4-3).
Figure 4-3 ACL Editor Dialog
Step 3
Enter the following information:
Type: Specifies the type of ACL that can be created on the selected router, for example IP, IP_EXTENDED, IPX, IPX_EXTENDED, IPX_SAP, IPX_SUMMARY, RATE_LIMIT_MAC, RATE_LIMIT_PRECEDENCE. Select a type from the drop-down list box. (Only those types supported for the device IOS version and feature set are available from the drop-down list.) After the ACL is created, you cannot change the type.
Name: If the IOS version of the selected device does not support named ACLs, ACL Manager generates a unique number and associates the ACL name with this number as an alias.
Number: If Autonumber is not checked, enter a unique number that identifies the ACL. Select Autonumber if you want ACL Manager to select the first available number for you.
Comment
Step 4
Click OK.
Note
You can select ACL > New ACE from the ACL Manager Main Window to insert ACE entries into the new ACL.
Tip
You can also start the ACL Editor dialog box by clicking the New ACL toolbar icon or by selecting ACL > New ACL from the ACL Manager Main Window.
Editing ACLs
You can use the ACL editor to change the ACL name or comments about the ACL. If you have not yet started ACL Manager, you need to display the ACL Manager Main Window using this procedure.
Procedure
Step 1
Select ACL Management > Edit ACLs from Essentials to display the Edit ACLs dialog box (see Figure 4-4).
Step 2
Select a scenario, then click Next. The ACL Manager Main Window appears.
Figure 4-4 Edit ACLs Dialog Box
Carry out the following procedure from the ACL Manager Main Window.
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Select ACL Definitions. The ACLs appear in the right pane (see Figure 4-2).
Step 3
Right-click on the required ACL, then select Edit. The ACL Editor dialog box appears (see Figure 4-3).
Step 4
Enter the fields (see Creating ACLs for field descriptions), then click OK.
Tip
You can insert a comment into an ACL using ACL > New Comment.
Saving ACLs as Templates
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Select ACL Definitions. The ACLs appear in the right pane (see Figure 4-2).
Step 3
Select the ACL to save.
Step 4
Select File > Save ACL As to display the Save As Template dialog box (see Figure 4-5).
Step 5
Select the template directory to hold the new template.
Step 6
Enter the new template name, then click OK.
Figure 4-5 Save As Template Dialog Box
Renaming ACLs
You can rename or renumber an existing ACL. Any ACL uses that reference the existing ACL are changed to reflect the new name.
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Select ACL Definitions. The ACLs appear in the right pane (see Figure 4-2).
Step 3
Right-click on the ACL to be renamed, then select Edit. The ACL Editor dialog box appears (see Figure 4-3).
Step 4
Change the information in the Name or number field, then click OK.
Manipulating ACEs
The ACL Manager provides many features for manipulating ACE entries for a particular ACL definition. You can:
Insert a new ACE
Insert a template include ACE
Insert comments into an ACE
Reorder ACEs
Insert a comment ACE
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Expand ACL Definitions.
Step 3
Select the required ACL definition. The ACEs appear in the right pane (see Figure 4-6).
Step 4
Right-click on the ACE above which the new ACE is to be inserted, then select Insert ACE. The ACE Editor dialog box appears.
Step 5
Enter the parameters for the new ACE. See Editing ACEs.
Step 6
Click OK.
Figure 4-6 Viewing ACEs
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Expand ACL Definitions.
Step 3
Right-click on the required ACL definition, then select New ACE. The ACE Editor dialog box appears.
Step 4
Enter the parameters for the new ACE. See Editing ACEs.
Step 5
Click OK. For information on editing ACE attributes, see Editing ACEs.
Inserting a Template
You can insert a template into an ACL by creating a template include ACE that references the template.
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Select ACL Definitions. The ACLs for the device appear in the right pane (see Figure 4-2).
Step 3
Right-click on the required ACL, then select New Include Template. The Template Selection window appears (see Figure 4-7). Only templates appropriate to the ACL appear.
Step 4
Select the template to include. Click Expand to display a window showing the template details (see Figure 4-8).
Step 5
Click OK. The include template ACE is inserted, or is appended to the end of the ACL if you made no selection (see Figure 4-9).
Figure 4-7 Template Selection
Figure 4-8 Expanded Template
Figure 4-9 Inserted Template
Appending a Comment
Use the Comment Editor to append a comment to the end of an ACL or ACL template. You can also use the Comment Editor to insert a comment after an ACE (see Inserting a Comment).
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Expand ACL Definitions.
Step 3
Right-click on the required ACL, then select New Comment. The Comment Editor dialog box appears (Figure 4-10).
Step 4
Enter a one-line comment, then click OK. The comment is appended with the prefix !. Figure 4-11 shows a comment inserted at the end of an ACL.
Note
On devices supporting Remark ACEs, Comments ACEs will be converted into Remark ACEs in the physical view. Otherwise, they are ignored.
Inserting a Comment
Use the Comment Editor to insert a comment after an ACE. You can also use the Comment Editor to append a comment at the end of an ACL or ACL template (see Appending a Comment).
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Expand ACL Definitions.
Step 3
Select the ACL. The ACEs appear in the right pane.
Step 4
Right-click on the required ACE, then select Insert Comment. The Comment Editor dialog box appears (Figure 4-10).
Step 5
Enter your comment, then click OK.
Reordering ACEs
Use the Move ACE Up and Move ACE Down toolbar buttons to move selected ACEs up or down.
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Expand ACL Definitions.
Step 3
Select the required ACL definition. The ACEs appear in the right pane (see Figure 4-6).
Step 4
Select the ACE to move. (You can select multiple ACEs using Shift and Control keys.)
To move the ACEs up one position, click the Move ACE Up icon.
To move the ACEs down one position, click the Move ACE Down icon.
Note
If you try to reorder ACEs while in physical mode, a warning message appears if the reorder changes the ACL semantics.
Editing ACEs
Use the ACE Editor to edit an ACE.
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Expand ACL Definitions.
Step 3
Select the required ACL definition. The ACEs appear in the right pane (see Figure 4-6).
Step 4
Right-click on the ACE to be edited, then select Edit. The ACE Editor dialog box appears.
Tip
You can start the ACE Editor dialog box from the Edit menu by selecting Edit > Edit.
The format of the ACE Editor dialog box and the attributes that can be edited depend on the IOS ACL protocol type, as described in these sections:
Editing IP ACE Attributes
Editing IP Extended ACE Attributes
Editing IPX ACE Attributes
Editing IPX Extended ACE Attributes
Editing IPX SAP ACE Attributes
Editing IPX SUMMARY ACE Attributes
Editing RATE LIMIT MAC ACE Attributes
Editing RATE LIMIT PRECEDENCE ACE Attributes
To specify a network or network class as the source or destination address, use the following procedure.
Procedure
Step 1
Click Source Address or Destination Address to open the Network/Class selector dialog box (see Figure 4-12).
Step 2
Select the desired network or network class.
Step 3
Click OK when you have finished.
Editing IP ACE Attributes
You can edit the fields as follows:
Permission: Radio button that determines whether the ACE is a permit or deny statement.
Source Address: Defines the source address in the ACE. This field is mandatory.
Source Wildcard Mask: Defines the wildcard mask to be applied to the source address. This field is optional.
Log Options: Enable this checkbox to log packets that match this ACE.
Comment: You can add a comment about this ACE. The comment appears in-line. This field is optional.
Editing IP Extended General Attributes
Editing IP Extended Advanced Attributes
Editing IP Extended Other Attributes
Editing IP Extended General Attributes
You can edit the fields as follows:
Protocol: Drop-down list box that allows you to select from various protocols, such as TCP, IP, ICMP, IGMP. You can also enter a protocol name or number.
Permission: Radio button that determines whether the ACE is a permit or deny statement.
Log Options: Enable this checkbox to log packets that match this ACE.
Source Address: Defines the source address in the ACE. The keyword any is allowed. This field is mandatory.
Source Wildcard Mask: Defines the wildcard mask for the source address. This field is optional.
Destination Address: Defines the destination address in the ACE. The keyword any is allowed. This field is mandatory.
Destination Wildcard Mask: Defines the wildcard mask for the destination address. This field is optional.
Destination Port: If the protocol selected is TCP or UDP, this field specifies the destination port for this ACE. The port relationship is assumed to be =.
Comment: You can add a comment about this ACE. The comment appears in-line. This field is optional.
Editing IP Extended Advanced Attributes
You can edit the fields as follows:
TCP flags: Select these check boxes to cause the TCP packets to be filtered according to the setting of the appropriate flags (ACK, FIN, PSH, RST, SYN, and URG). Selecting ACK and RST is equivalent to checking Established. This field is not available on all IOS versions.
Source Port Operator: Select an operator from the drop-down list box to define the operation to be performed on the source: eq (equal to), neq (not equal to), gt (greater than), lt (less than), range, or none. This field is available only if the protocol selected in the General tab is TCP or UDP. Only the eq operator is available if Service Class is selected.
Source Port Start: Defines the source port, or the start of a range of ports if you selected range as the relation. You can enter a port name or select a name from the drop-down list box.
Source Port End: Applies only if the source operator is range. You can enter a port name or select a name from the drop-down list box.
Destination Port Operator: Select an operator from the drop-down list box to define the operation to be performed on the destination: eq (equal to), neq (not equal to), gt (greater than), lt (less than), range, or none. This field is available only if the protocol selected in the General tab is TCP or UDP. Only the eq operator is available if Service Class is selected.
Destination Port Start: Defines the destination port, or the start of a range of ports if you selected range as the relation. You can enter a port name or select a name from the drop-down list box.
Destination Port End: Applies only if the destination operator is range. You can enter a port name or select a name from the drop-down list box.
ICMP Type: ICMP packets can be filtered by message type (a number in the range 0 to 255). This field is optional.
ICMP Code: ICMP packets that are filtered by message type can also be matched by the message code (a number in the range 0 to 255). This field is optional.
ICMP Message: ICMP packets can be filtered by a message name, or by message type and code name. Select the message name from the list displayed in the drop-down list box. This field is optional.
IGMP Type: IGMP packets can be filtered by message type (a number in the range 0 to 15, or a message name in the drop-down list box). This field is optional.
Editing IP Extended Other Attributes
You can edit the fields as follows:
Precedence: Packets can be filtered by precedence level, as specified by a number in the range 0 to 7, or by name. You can select a name from the drop-down list box.
TOS: Packets can be filtered by type of service level, as specified by a number in the range 0 to 15, or by name. You can select a name from the drop-down list box.
Differentiated Services Code Point (DSCP): Packets can be filtered by a DSCP value. This value is specified by a number in the range 0 to 63 or by name. You can select a name from the drop-down list box.
Fragments: Filters non-initial fragments of IP packets. This field is optional.
Dynamic Name: Specifies the name of a dynamic access list. This field is optional.
Dynamic Timeout (minutes): Specifies a maximum time limit (in minutes) that a temporary access list entry can remain within the dynamic access list. The default is infinite and allows an entry to remain permanently. This field is optional.
Time Range Name: Specifies a named time range, which combines at most one fixed interval and zero or more periodic intervals during which this ACL entry is in effect. This range must already have been set up on the device (available only on IOS releases later than 12.0(1)T).
Evaluate ACL: Select this check box to nest a reflexive access list within an ACL. Enter the name of a reflexive ACL. This field is optional.
Reflexive ACL: Select this check box if this entry should create and insert dynamic entries into a reflexive ACL. This is used to filter IP traffic so that TCP or UDP session traffic is permitted through the firewall only if the session originated from within the internal network. This field is optional. Reflexive access list entries expire after no packets in the session have been detected for a certain length of time (the timeout period, in minutes). If you do not specify a timeout for the reflexive list, the list uses the global timeout value. The timeout is optional.
Editing IPX ACE Attributes
You can edit the fields as follows:
Permission: Radio button that determines whether the ACE is a permit or deny statement.
Source Network: Defines the source IPX network in the ACE. The keyword any is allowed. This field is mandatory.
Source Node: Defines the source IPX node in the ACE. This field is optional.
Source Mask: Defines the wildcard mask to be applied to the source IPX node. This field is optional.
Destination Network: Defines the destination IPX network of the ACE. The keyword any is allowed. This field is optional.
Destination Node: Defines the destination IPX node of the ACE. This field is optional.
Destination Mask: Defines the wildcard mask to be applied to the destination IPX node. This field is optional.
Editing IPX Extended ACE Attributes
You can edit the fields as follows:
Protocol: Select a protocol (any, ncp, netbios, rip, sap, spx) from the drop-down list box. This field is mandatory.
Permission: Radio button that determines whether the ACE is a permit or deny statement.
Logging
Time Range Name: Specifies a named time range, that is, a combination of at most one fixed interval and zero or more periodic intervals during which this ACL entry is in effect. This time range must already have been set up on the device (available only on IOS releases later than 12.0(1)T).
Source Network: Defines the source network address. This field is mandatory.
Source Network Mask: Defines the wildcard mask to be applied to the source network address. This field is optional.
Source Node: Defines the source node. This field is optional.
Source Node Mask: Defines the wildcard mask to be applied to the source node address. This field is optional.
Source Socket: Defines the source socket. Click on the drop-down list box to select the socket. This field is optional.
Destination Network: Defines the destination network address. This field is mandatory.
Destination Network Mask: Defines the wildcard mask to be applied to the destination network address. This field is optional.
Destination Node: Defines the destination node. This field is optional.
Destination Node Mask: Defines the wildcard mask to be applied to the destination node address. This field is optional.
Destination Socket: Defines the destination socket. Click on the drop-down list box to select the socket. This field is optional.
Editing IPX SAP ACE Attributes
You can edit the fields as follows:
Permission: Radio button that determines whether the ACE is a permit or deny statement.
Network: Defines the network in the ACE. This field is mandatory.
Network Mask: Defines the wildcard mask to be applied to the network address. This field is optional.
Node: Defines the node in the ACE. This field is optional.
Node Mask: Defines a wildcard mask to be applied to the node. This field is optional.
Service Type: Select a service type on which to filter from the drop-down list box. This field is optional.
Server Name: Defines the name of the server that provides the service. This field is optional.
Editing IPX SUMMARY ACE Attributes
You can edit the fields as follows:
Permission: Radio button that determines whether the ACE is a permit or deny statement.
Network: Defines the network in the ACE. This field is mandatory.
Network Mask: Defines the wildcard mask to be applied to the network address. This field is optional.
Interface Name: Defines the interface name. You can select the interface from the drop-down list box. This field is optional.
Ticks: Metrics assigned to the route summary. This field is optional.
Area Count: Maximum number of NLSP areas to which the route summary can be redistributed. This field is optional.
Editing RATE LIMIT MAC ACE Attributes
You can edit the fields as follows:
MAC Address: Defines the MAC address.
Editing RATE LIMIT PRECEDENCE ACE Attributes
You can edit the fields as follows:
Precedence: Select this check box if packets are to be filtered by precedence level. You can specify a number in the range from 0 to 7 or a name.
Precedence Mask: Select this check box if packets are to be matched by mask for filtering by precedence level. Enter the precedence mask (a two-digit hexadecimal number).
Saving ACEs as a Template
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Expand ACL Definitions.
Step 3
Select the required ACL definition. The ACEs for the definition appear in the right pane (see Figure 4-6).
Step 4
Select the ACEs to form the new template. You cannot select noncontiguous ACEs to save as a template.
Step 5
Select File > Save ACEs As to display the Save As Template dialog box (see Figure 4-5).
Step 6
Select the template directory to hold the new template.
Step 7
Enter the new template name, then click OK. The selected ACEs are replaced by an include template statement in the ACL.
Viewing the Configuration Changes
Procedure
Step 1
Select Tools > Diff Viewer from the ACL Manager Main Window, to display the Config Diff View window (see Figure 4-23).
Figure 4-23 Config Diff View Window
Step 2
Select the device whose configuration changes you want to examine.
Step 3
Select the ACL or ACL use to view (see Figure 4-24).
In this example, there are three changes from the original configuration for ACL 100 in device aclm7505-1:
Step 4
Click Config to view the complete new configuration file (see Figure 4-25).
Step 5
Click OK to return to the Config Diff View.
Step 6
Click Delta to view the configuration file changes since the last download. This shows the configuration commands that will be sent to the device to make the required changes to the device configuration (see Figure 4-26).
Step 7
Optimizing the ACL
Note
Optimization changes the order of ACEs only if it does not change the ACL semantics in any way.
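The IP extended ACE fields described earlier (protocol, source and destination address with wildcard mask, destination port operator) and the Notes on reordering and optimization come down to one question: does a given ACE order change what the ACL permits? The following added Python example is not ACL Manager's or Cisco's code; it models those fields, evaluates a packet against an ACL first-match with the implicit deny, and implements a conservative version of the reorder-safety check. The sample ACL 100 and its addresses are constructed for this example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Tuple

Range = Tuple[int, int]                 # inclusive TCP/UDP port range
ALL_PORTS: List[Range] = [(0, 65535)]   # port operator "none"

def port_ranges(op: str, start: int = 0, end: int = 0) -> List[Range]:
    """Translate a port operator (eq, neq, gt, lt, range, none) into the
    inclusive port ranges it selects; empty ranges (e.g. lt 0) drop out."""
    table = {
        "none": ALL_PORTS,
        "eq": [(start, start)],
        "neq": [(0, start - 1), (start + 1, 65535)],
        "gt": [(start + 1, 65535)],
        "lt": [(0, start - 1)],
        "range": [(start, end)],
    }
    return [(lo, hi) for lo, hi in table[op] if lo <= hi]

def _ip(dotted: str) -> int:
    return int(IPv4Address(dotted))

@dataclass
class Ace:
    """One IP extended ACE with the General-tab fields the guide describes."""
    action: str                    # Permission: "permit" or "deny"
    protocol: str                  # "ip" matches every IP protocol
    src: str                       # source address; the keyword "any" is allowed
    src_wild: str = "0.0.0.0"      # wildcard mask: 1 bits are don't-care
    dst: str = "any"
    dst_wild: str = "0.0.0.0"
    dst_ports: List[Range] = field(default_factory=lambda: ALL_PORTS)

    def __post_init__(self) -> None:
        if self.src == "any":
            self.src, self.src_wild = "0.0.0.0", "255.255.255.255"
        if self.dst == "any":
            self.dst, self.dst_wild = "0.0.0.0", "255.255.255.255"

def addr_matches(addr: str, wild: str, packet_ip: str) -> bool:
    """IOS wildcard semantics: only bits that are 0 in the mask must agree."""
    return (_ip(addr) ^ _ip(packet_ip)) & ~_ip(wild) & 0xFFFFFFFF == 0

def ace_matches(ace: Ace, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    if ace.protocol not in ("ip", proto):
        return False
    if not (addr_matches(ace.src, ace.src_wild, src_ip)
            and addr_matches(ace.dst, ace.dst_wild, dst_ip)):
        return False
    if ace.protocol in ("tcp", "udp"):
        return any(lo <= dport <= hi for lo, hi in ace.dst_ports)
    return True

def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int = 0) -> str:
    """First matching ACE decides; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, proto, src_ip, dst_ip, dport):
            return ace.action
    return "deny"

def _addrs_overlap(a1: str, w1: str, a2: str, w2: str) -> bool:
    """Two address/wildcard pairs share an address iff they agree on every bit
    that neither mask marks as don't-care."""
    fixed = ~(_ip(w1) | _ip(w2)) & 0xFFFFFFFF
    return (_ip(a1) ^ _ip(a2)) & fixed == 0

def may_intersect(a: Ace, b: Ace) -> bool:
    """Could one packet match both ACEs?  Conservative: ports are compared only
    when both ACEs are TCP/UDP, so any doubt counts as an overlap."""
    if "ip" not in (a.protocol, b.protocol) and a.protocol != b.protocol:
        return False
    if not (_addrs_overlap(a.src, a.src_wild, b.src, b.src_wild)
            and _addrs_overlap(a.dst, a.dst_wild, b.dst, b.dst_wild)):
        return False
    if a.protocol in ("tcp", "udp") and b.protocol in ("tcp", "udp"):
        return any(l1 <= h2 and l2 <= h1
                   for l1, h1 in a.dst_ports for l2, h2 in b.dst_ports)
    return True

def move_is_safe(acl: List[Ace], i: int, j: int) -> bool:
    """Moving acl[i] to position j keeps the ACL semantics if every ACE it
    passes over has the same action or cannot match a common packet: the
    condition behind the reorder warning and the optimizer's rule."""
    lo, hi = (j, i) if j < i else (i + 1, j + 1)
    return all(acl[k].action == acl[i].action or not may_intersect(acl[i], acl[k])
               for k in range(lo, hi))

# Constructed sample "ACL 100"; the addresses are made up for this example.
ACL_100 = [
    Ace("deny", "tcp", "10.1.1.0", "0.0.0.255", "any",
        dst_ports=port_ranges("eq", 23)),                 # no telnet from 10.1.1.0/24
    Ace("permit", "tcp", "10.1.0.0", "0.0.255.255", "192.168.5.10",
        dst_ports=port_ranges("range", 20, 21)),          # FTP to one server only
    Ace("permit", "ip", "10.1.0.0", "0.0.255.255", "any"),
    Ace("deny", "ip", "any"),                             # explicit final deny
]
```

Moving the telnet deny below the permit ip ACE is reported as unsafe (telnet would then be permitted), while swapping it with the FTP ACE is safe because the two can never match the same packet.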
Editing Time Range Definitions
Right-click on the Time Range Definition, then select New Time Range. You can also select ACL > New Time Range. The Time Range window appears (see Figure 4-27).
Procedure
Step 1
Click the Absolute tab to display the attributes that can be set. The Time Range window appears (see Figure 4-27).
Step 2
Enter the Name for the time range definition. This is a mandatory field.
Step 3
Enter the values for the absolute time range in the Start group:
Time: Start time in hours and minutes.
Day: Day (1 through 31).
Month: Select the month from the drop-down list.
Year: Year.
Step 4
Enter the values for the absolute time range in the End group.
Step 5
Click OK.
Procedure
Step 1
Click the Periodic tab to display the attributes that can be set. The Time Range window appears (see Figure 4-28).
Step 2
Enter the Name for the time range definition. This is a mandatory field.
Step 3
Enter the values for the periodic time range in the Start group:
Days: Day (Monday through Sunday).
Time: Start time in hours and minutes.
Step 4
Enter the values for the periodic time range in the End group.
Step 5
Click Add to add the selected Start and End values to the Periodic Time Ranges list. To remove an existing Periodic Time Range, select the time range and click Remove. To change the values of an existing Periodic Time Range, select the time range and click Change.
Step 6
Click OK.
Chapter 5
Editing VACLs
Saving VACLs as Templates
Renaming VACLs
Manipulating VACEs
Editing VACEs
Saving VACEs as a Template
Viewing the Configuration Changes
Optimizing the VACL
Printing the VACL/VACE
Procedure
Step 1
Select ACL Management > View ACLs from Essentials to display the View ACLs dialog box (see Figure 5-1).
Figure 5-1 View ACLs Dialog Box
Step 2
Select a scenario and select Read config from Device to synchronize the Config Archive with the devices in the scenario (get the configuration file). The ACL Manager Main Window appears.
To view VACLs:
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Select ACL Definitions. The VACL definitions for the device appear in the right pane (see Figure 5-2).
Figure 5-2 Viewing VACLs
Creating VACLs
VACLs are created under the ACL Definition folder for a particular device. After you create a VACL, you can add VACEs to it.
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window, then select ACL Definitions. The VACL definitions appear in the right pane (see Figure 5-2).
Step 2
Select ACL Definitions, then select New ACL from the ACL Definitions popup menu. The ACL Editor dialog box appears (see Figure 5-3).
Figure 5-3 ACL Editor Dialog Box
Step 3
Enter the following information:
Type: Specifies the type of VACL that you can create on the device. Select a type from the drop-down list box. (The VACL types supported are VACL_IP, VACL_IPX, and VACL_MAC.) You cannot change the type after the VACL is created.
Name: Specify the name of the VACL in the Name field.
Comment: Enter comments to be associated with this VACL.
Step 4
Click OK.
Note
You can select ACL > New ACE from the ACL Manager Main Window to insert VACE entries into the new VACL.
Tip
You can also start the ACL Editor dialog box by clicking the New ACL toolbar icon or by selecting ACL > New ACL from the ACL Manager Main Window.
Editing VACLs
You can use the ACL editor to change the VACL name or comments about the VACL. If you have not yet started ACL Manager, you need to display the ACL Manager Main Window using this procedure.
Procedure
Step 1
Select ACL Management > Edit ACLs from Essentials to display the Edit ACLs dialog box (see Figure 5-4).
Step 2
Select a scenario, then click Next. The ACL Manager Main Window appears.
Figure 5-4 Edit ACLs Dialog Box
Carry out this procedure from the ACL Manager Main Window.
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Select ACL Definitions. The VACLs appear in the right pane (see Figure 5-2).
Step 3
Right-click on the required VACL, then select Edit. The ACL Editor dialog box appears (see Figure 5-3).
Step 4
Enter the fields (see Creating VACLs for field descriptions), then click OK.
Tip
You can insert a comment into a VACL using ACL > New Comment.
Saving VACLs as Templates
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Select ACL Definitions. The VACLs appear in the right pane (see Figure 5-2).
Step 3
Select the VACL to save.
Step 4
Select File > Save ACL As to display the Save As Template dialog box (see Figure 5-5).
Step 5
Select the template directory to hold the new template.
Step 6
Enter the new template name, then click OK.
Figure 5-5 Save As Template Dialog Box
Renaming VACLs
You can rename an existing VACL. Any VACL uses that reference the existing VACL are changed to reflect the new name.
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Select ACL Definitions. The VACLs appear in the right pane (see Figure 5-2).
Step 3
Right-click on the VACL to be renamed, then select Edit. The ACL Editor dialog box appears (see Figure 5-3).
Step 4
Manipulating VACEs
ACL Manager allows you to manipulate VACE entries for a particular VACL definition. You can:
Insert a new VACE
Insert a template include VACE
Insert comments into a VACE
Reorder VACEs
Insert a comment VACE
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Expand ACL Definitions.
Step 3
Select the required VACL definition. The VACEs appear in the right pane (see Figure 5-6).
Step 4
Right-click on the VACE above which the new VACE is to be inserted, then select Insert ACE. The ACE Editor dialog box appears.
Step 5
Enter the parameters for the new VACE. See Editing VACEs.
Step 6
Click OK.
Figure 5-6 Viewing VACEs
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Expand ACL Definitions.
Step 3
Right-click on the required VACL definition, then select New ACE. The ACE Editor dialog box appears.
Step 4
Enter the parameters for the new VACE. See Editing VACEs.
Step 5
Click OK. For information on editing ACE attributes, see Editing VACEs.
Inserting a Template
You can insert a template into a VACL by creating a template include VACE that references the template.
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Select ACL Definitions. The VACLs for the device appear in the right pane (see Figure 5-2).
Step 3
Right-click on the required VACL, then select New Include Template. The Template Selection window appears (see Figure 5-7). Only templates appropriate to the VACL type are displayed.
Step 4
Select the template to include. Click Expand to display a window showing the template details (see Figure 5-8).
Step 5
Click OK. The include template VACE is inserted, or is appended to the end of the VACL if you made no selection (see Figure 5-9).
Figure 5-7 Template Selection
Figure 5-8 Expanded Template
Figure 5-9 Inserted Template
Appending a Comment
Use the Comment Editor to append a comment to the end of a VACL or VACL template. You can also use the Comment Editor to insert a comment after a VACE (see Inserting a Comment).
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Expand ACL Definitions.
Step 3
Right-click on the required VACL, then select New Comment. The Comment Editor dialog box appears (Figure 5-10).
Step 4
Enter a one-line comment, then click OK. The comment is appended with the prefix !. Figure 5-11 shows a comment inserted at the end of a VACL.
Inserting a Comment
Use the Comment Editor to insert a comment after a VACE. You can also use the Comment Editor to append a comment at the end of a VACL or VACL template (see Appending a Comment).
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Expand ACL Definitions.
Step 3
Select the VACL. The VACEs appear in the right pane.
Step 4
Right-click on the required VACE, then select Insert Comment. The Comment Editor dialog box appears (Figure 5-10).
Step 5
Enter your comment, then click OK.
Reordering VACEs
Use the Move ACE Up and Move ACE Down toolbar buttons to move selected VACEs up or down.
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Expand ACL Definitions.
Step 3
Select the required VACL definition. The VACEs appear in the right pane (see Figure 5-6).
Step 4
Select the VACE to move. (You can select multiple VACEs using Shift and Control keys.)
To move the VACEs up one position, click the Move ACE Up icon.
To move the VACEs down one position, click the Move ACE Down icon.
Note
If you try to reorder VACEs while in physical mode, a warning message appears if the reorder changes the VACL semantics.
Editing VACEs
You can use the ACE Editor to edit a VACE.
Procedure
Step 1
Expand the device folder in the ACL Manager Main Window.
Step 2
Expand ACL Definitions.
Step 3
Select the required VACL definition. The VACEs appear in the right pane (see Figure 5-6).
Step 4
Right-click on the VACE to be edited, then select Edit, or double-click the VACE to be edited. The ACE Editor dialog box appears.
Tip
You can start the ACE Editor dialog box from the Edit menu by selecting Edit > Edit.
The format of the ACE Editor dialog box and the attributes that can be edited depend on the VACL protocol type, as described in these sections:
Editing IP VACE Attributes
Editing IPX VACE Attributes
Editing MAC VACE Attributes
Procedure
Step 1
Click Source Address or Destination Address to open the Network/Class selector dialog box (see Figure 5-12).
Step 2
Select the desired network or network class.
Step 3
Click OK when you have finished.
Prev: Saves the current VACE and loads the previous one from the VACL. You can then save changes to the current VACE or discard them. If you save the changes, the ACL Manager Main Window is updated to display the saved VACE.
Next: Saves the current VACE and loads the next one from the VACL. You then have the option to save changes made to the current VACE. If you save the changes, the ACL Manager Main Window is updated to display the saved VACE.
On switches running Cat OS 6.1 or higher, with Supervisor Engine II and PFC II, the first IP VACE in an IP VACL that you create is, by default, permit arp. The attributes of an ARP VACE are:
You can change the permission to Permit or Deny.
You cannot re-order the ARP VACE.
You cannot do the following edit operations on the ARP VACE: Cut, Copy, Paste, Delete.
When you apply a VACL IP Template on a VLAN, an ARP VACE is embedded as the first VACE in the VACL that is created. You can download an ARP VACE to a switch along with other VACEs, but not by itself.
On switches running Cat OS 6.2 or higher, with Supervisor Engine II and PFC II, for an ARP VACE, you can also enable logging, but with only the Deny permission.
You can edit the fields as follows:
Protocol: Drop-down list box that allows you to select from various protocols, such as TCP, IP, ICMP, IGMP. You can also enter a protocol name or number (0-255).
Permission: Radio button that determines whether the VACE is a Permit or Deny or Redirect to Ports statement. If you choose to redirect to ports, then specify the port information. On switches running Cat OS 6.2 or higher, with Supervisor Engine II and PFC II, you can enable logging by checking the Log option, but only with the Deny permission.
Capture: Captures the packets that are switched normally. This field is optional. The Permit radio button must also be enabled. You should set up the capture ports separately, using the command line interface of the device.
Source Address: Defines the source address in the VACE. The keyword any is allowed. This field is mandatory.
Source Wildcard Mask: Defines the wildcard mask for the source address. This field is optional.
Destination Address: Defines the destination address in the VACE. The keyword any is allowed. This field is mandatory if the permission is redirect, if you select the capture option, or if you do not select IP as the protocol.
Destination Wildcard Mask: Defines the wildcard mask for the destination address. This field is optional.
Destination Port: If you select TCP or UDP as the protocol, this field specifies the destination port for this VACE. The port relationship is assumed to be =.
Comment: You can add a comment about this VACE. The comments will appear in-line. This field is optional.
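The address fields above take wildcard masks, not subnet masks, and the destination port relationship is fixed at =. The Python code below is an added illustration, not code from ACL Manager or Cisco, of how an ordered list of IP VACEs is matched against a packet under those rules: a 0 bit in the wildcard means the packet bit must equal the VACE bit, a 1 bit means "don't care", the keyword any matches every address, and the first matching VACE decides. The sample VACL, the packets and the result returned when nothing matches are constructed for this example.

```python
import ipaddress


def _to_int(dotted):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def addr_matches(packet_addr, ace_addr, wildcard="0.0.0.0"):
    """Wildcard-mask match: 0 bits in the wildcard must be equal, 1 bits are
    'don't care'. The keyword any matches every address. An omitted wildcard
    (the mask fields are optional) means an exact host match."""
    if ace_addr.lower() == "any":
        return True
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(packet_addr) & care) == (_to_int(ace_addr) & care)


def subnet_mask_to_wildcard(mask):
    """A Network Editor mask (255.255.0.0) is a subnet mask; the VACE wildcard
    fields take its bitwise inverse (0.0.255.255)."""
    return str(ipaddress.IPv4Address(~_to_int(mask) & 0xFFFFFFFF))


def vace_matches(vace, pkt):
    """True when an IP VACE matches a packet. Protocol ip matches any IP
    protocol; the destination port relationship is = as the text states."""
    if vace["protocol"] != "ip" and vace["protocol"] != pkt["protocol"]:
        return False
    if not addr_matches(pkt["src"], vace["src"], vace.get("src_wildcard", "0.0.0.0")):
        return False
    if not addr_matches(pkt["dst"], vace["dst"], vace.get("dst_wildcard", "0.0.0.0")):
        return False
    if vace.get("dst_port") is not None and pkt.get("dst_port") != vace["dst_port"]:
        return False
    return True


def evaluate(vacl, pkt, default="deny"):
    """First-match evaluation down the ordered VACE list. `default` is what
    the caller wants when no VACE matches (an assumption of this example, not
    a statement about the switch's end-of-list behaviour)."""
    for vace in vacl:
        if vace_matches(vace, pkt):
            return vace["permission"]
    return default


# Constructed sample VACL with hypothetical addresses, in list order.
SAMPLE_VACL = [
    {"permission": "permit", "protocol": "tcp",
     "src": "10.10.0.0", "src_wildcard": "0.0.255.255",
     "dst": "192.168.1.10", "dst_port": 443},
    {"permission": "deny", "protocol": "ip",
     "src": "10.10.0.0", "src_wildcard": "0.0.255.255",
     "dst": "192.168.1.0", "dst_wildcard": "0.0.0.255"},
    {"permission": "permit", "protocol": "ip", "src": "any", "dst": "any"},
]

if __name__ == "__main__":
    pkt = {"src": "10.10.3.4", "dst": "192.168.1.10", "protocol": "tcp", "dst_port": 22}
    print(evaluate(SAMPLE_VACL, pkt))  # deny: port 22 falls through to the deny VACE
```

The sample shows why the Prev/Next ordering in the ACE Editor matters: the narrow permit for port 443 only works because it sits above the broader deny, and the trailing permit ip any any only applies to sources outside 10.10.0.0/16. Moving the deny below the final permit would change the result for every 10.10.x.x packet.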
You can edit the fields as follows:
TCP flags: Select the established checkbox to cause TCP packets to be filtered if they belong to an established TCP session.
Source Port Operator: Select an operator from the drop-down list box to define the operation to be performed on the source port:
eq (equal to)
neq (not equal to)
gt (greater than)
lt (less than)
range
none
This field is available only if you have selected TCP or UDP as the protocol in the General tab. Only the eq operator is available if a Service Class is selected.
Source Port Start: Defines the source port or the start of a range of ports if you selected range as the relation. You can enter a port name or select a name from the drop-down list box.
Source Port End: Applies only if the source operator is range. You can enter a port name or select a name from the drop-down list box.
Destination Port Operator: Select an operator from the drop-down list box to define the operation to be performed on the destination port:
eq (equal to)
neq (not equal to)
gt (greater than)
lt (less than)
range
none
This field is available only if you have selected TCP or UDP as the protocol in the General tab. Only the eq operator is available if a Service Class is selected.
Destination Port Start: Defines the destination port or the start of a range of ports if you selected range as the relation. You can enter a port name or select a name from the drop-down list box.
Destination Port End: Applies only if the destination operator is range. You can enter a port name or select a name from the drop-down list box.
ICMP Type: ICMP packets can be filtered by message type (a number in the range 0 to 255). This field is optional.
ICMP Code: ICMP packets that are filtered by message type can also be matched by the message code (a number in the range 0 to 255). This field is optional.
ICMP Message: ICMP packets can be filtered by a message name, or by message type and code name. Select the message name from the list displayed in the drop-down list box. This field is optional.
IGMP Type: IGMP packets can be filtered by message type (a number in the range 0 to 15, or a message name in the drop-down list box). This field is optional.
You can edit the fields as follows:
Precedence: Packets can be filtered by precedence level, as specified by a number in the range 0 to 7, or by name. You can also select a name from the drop-down list box.
TOS: Packets can be filtered by type of service level, as specified by a number in the range 0 to 15, or by name. You can also select a name from the drop-down list box.
You can edit the fields as follows:
Protocol: Select a protocol (any, ncp, rip, sap, spx) from the drop-down list box. This field is mandatory.
Permission: Radio button that determines whether the VACE is a Permit or Deny or Redirect to Ports statement. If you choose to redirect to ports, then specify the port information.
Capture: Select the checkbox to ensure packets are switched normally and captured. This field is optional. The Permit radio button must also be selected.
Source Network: Defines the source network address. This field is mandatory.
Destination Network: Defines the destination network address. This field is mandatory.
Destination Network Mask: Defines the wildcard mask to be applied to the destination network address. This field is optional.
Destination Node: Defines the destination node. This field is optional.
Destination Node Mask: Defines the wildcard mask to be applied to the destination node address. This field is optional.
You can edit the fields as follows:
Permission: Radio button that determines whether the VACE is a Permit or Deny statement.
Capture: Select the checkbox to ensure packets are switched normally and captured. This field is optional. The Permit radio button must also be selected.
Source Address: Defines the source address. This field is mandatory.
Source Wildcard Mask: Defines the wildcard mask to be applied to the source address. This field is optional.
Destination Address: Defines the destination address. This field is mandatory.
Destination Wildcard Mask: Defines the wildcard mask to be applied to the destination address. This field is optional.
Ethertype: Name or number that matches the ethertype for Ethernet-encapsulated packets. This field is optional.
Destination Node Mask: Defines the wildcard mask to be applied to the destination node address. This field is optional.
Procedure
Step 1 Expand the device folder in the ACL Manager Main Window.
Step 2 Expand ACL Definitions.
Step 3 Select the required VACL definition. The VACEs for the definition appear in the right pane (see Figure 5-6).
Step 4 Select the VACEs to form the new template. You cannot select non-contiguous VACEs to save as a template. Select File > Save ACEs As to display the Save As Template dialog box (see Figure 5-5). Select the template directory to hold the new template. Enter the new template name, then click OK. The selected VACEs are replaced by an include template statement in the VACL.
Procedure
Step 1 Select Tools > Diff Viewer from the ACL Manager Main Window to display the Config Diff View window (see Figure 5-18).
Figure 5-18 Config Diff View Window
Step 2 Select the device whose configuration changes you want to examine.
Step 3 Select the VACL to view (see Figure 5-19).
In this example, there are three changes from the original configuration for VACL test-02 in device 192.168.242.146.
Step 4 Click Config to view the complete new configuration file (see Figure 5-20).
Step 5 Click OK to return to the Config Diff View.
Step 6 Click Delta to view the configuration file changes since the last download. This shows the configuration commands that will be sent to the device to make the required changes to the device configuration (see Figure 5-21).
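The Delta view is, in effect, a line-level difference between the archived configuration and the edited VACL. The Python code below is an added illustration of how such a delta can be derived; it is not the Diff Viewer's implementation, the archived and edited VACE lists are constructed for the example with hypothetical addresses, and the line syntax is illustrative rather than Cat OS command syntax. Ordering is respected, because a VACE that only changes position is still a change to what the switch evaluates.

```python
import difflib


def config_delta(archived, edited):
    """Return an ordered list of ("remove", line) / ("add", line) operations
    that turn the archived VACE list into the edited one. SequenceMatcher is
    position-aware, so a VACE that merely moved is reported as a removal plus
    an addition rather than silently ignored."""
    ops = []
    matcher = difflib.SequenceMatcher(a=archived, b=edited, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            ops.extend(("remove", line) for line in archived[i1:i2])
        if tag in ("insert", "replace"):
            ops.extend(("add", line) for line in edited[j1:j2])
    return ops


def render_delta(ops):
    """Unified-diff style text for a Delta view: + added, - removed."""
    return "\n".join(("+ " if op == "add" else "- ") + line for op, line in ops)


# Constructed archived and edited versions of one VACL. The ARP VACE comes
# first, as the text says it does for IP VACLs on the supported supervisors.
ARCHIVED = [
    "permit arp",
    "permit tcp 10.10.0.0 0.0.255.255 host 192.168.1.10 eq 443",
    "deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255",
    "permit ip any any",
]
EDITED = [
    "permit arp",
    "permit tcp 10.10.0.0 0.0.255.255 host 192.168.1.10 eq 443",
    "permit tcp 10.10.0.0 0.0.255.255 host 192.168.1.11 eq 22",
    "deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255 log",
    "permit ip any any",
]

if __name__ == "__main__":
    print(render_delta(config_delta(ARCHIVED, EDITED)))
```

Reviewing the delta rather than the full configuration is the check worth making before a download: a one-line change that lands above a deny, or a deny that has silently moved, is visible here and easy to miss in the complete file.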
Step 7
Chapter 6 Using the Class Manager
What Is the Class Manager?
Invoking the Class Manager
Using Services and Service Classes
Using Networks and Network Classes
Using the Class Manager: Example
Similarly, if you create a network class called Engineering_Hosts, containing the host machines Eng1, Eng2, and Eng3; and another network class called Marketing_Hosts, containing the host machines Mkt1 and Mkt2, you could now create the ACE by entering:
permit ip from Engineering_Hosts to Marketing_Hosts
In IOS, this single statement translates into the equivalent of the following six statements:
permit ip from host Eng1 to Mkt1
permit ip from host Eng1 to Mkt2
permit ip from host Eng2 to Mkt1
permit ip from host Eng2 to Mkt2
permit ip from host Eng3 to Mkt1
permit ip from host Eng3 to Mkt2
You can also use Class Manager to create named TCP or UDP ports or port ranges (services and service classes) for use in ACEs.
Network Editor
Network Class Editor
Network Class Entry Editor
Service Editor
Service Class Editor
Service Class Entry Editor
The Class Manager editors allow you to create the appropriate Class Manager entities. You can create a new service using the Service Editor (see Creating a New Service). However, some services are predefined and cannot be modified. You can create a service class consisting of one or more services or port ranges (see Creating a New Service Class). Similarly, you can create a network class (see Creating a New Network Class) using a range of IP addresses, DNS host names, networks, and other network classes. You can also create a named network (see Creating a New Network).
Tip
You can open the Class Manager window directly from Essentials by selecting Administration > ACL Management > Edit Class Definition.
Figure 6-1 Class Manager Window
New Service: Opens a dialog box to create a new service.
New Service Class: Opens a dialog box to create a new service class.
New Network: Opens a dialog box to create a new network.
New Network Class: Opens a dialog box to create a new network class.
Creating a New Service
Editing a Service
Creating a New Service Class
Editing a Service Class
Editing a Service Class Entry
Note
You cannot edit a default service; you can edit only user-defined services.
Procedure
Step 1
Select Services in the Class Manager left pane (see Figure 6-1).
Step 2
Click on the New Service icon in the Class Manager toolbar. The Service Editor dialog box appears (see Figure 6-2).
Figure 6-2
Step 3
Set the appropriate fields, as follows:
Protocol: Protocol for the service; either TCP or UDP.
Name: Name to be given to the service definition.
Port Number: Port number.
Step 4
Editing a Service
Use this procedure to edit an existing service definition from the Class Manager window.
Procedure
Step 1 Select the Services folder in the left pane (see Figure 6-1). The service definitions are displayed in the right pane.
Step 2 Right-click on the service to edit, then select Edit. The Service Editor dialog box appears (see Figure 6-2).
Step 3
Procedure
Step 1 Select the Service Classes folder in the left pane.
Step 2 Click on the New Service Class icon. The Service Class Editor dialog box appears (see Figure 6-3).
Figure 6-3
Step 3
Set the appropriate fields, as follows:
Name: Name of the service class.
Protocol: Protocol for the service; either TCP or UDP.
Port Range: Defines a range (lowest and highest) of port addresses to be added to the service class.
Service Classes: Lists all defined service classes for this protocol.
Services: Lists all defined services that can be added to this service class.
Classes/Services/Ranges: Shows the classes, services and port ranges belonging to this service class. Click Add to add an item from a left pane into Classes/Services/Ranges. Click Remove to remove an item from Classes/Services/Ranges.
Step 4
Procedure
Step 1 Select the Service Class folder in the left pane (see Figure 6-1). The service classes appear in the right pane.
Step 2 Right-click on the service class to be edited, then select Edit. The Service Class Editor dialog box appears (see Figure 6-3).
Step 3
Procedure
Step 1 Select the Service Class folder in the left pane, then select the service class to be edited.
Step 2 Right-click the service class entry to be edited, then select Edit. The Service Class Entry Editor dialog box appears.
Step 3 Make your changes, then click OK.
Procedure
Step 1 From the ACL Manager Main Window, select Tools > Class Manager. The Class Manager window appears.
Step 2 Expand the Service Classes folder to show all service classes.
Step 3 Expand the required service class, then select Service Class Device Uses. The devices and ACLs using this service class appear in the right pane (see Figure 6-4).
Figure 6-4
The columns in the right pane are described as follows:
Identifies the device to which the Service Class has been applied.
Shows the number or name of the ACL using the Service Class on this device.
Shows whether the current Service Class contents have changed since the last download of this ACL to the device.
If the service class instance for a device is invalid, you can choose the invalid device(s), right-click on the selected device(s) and select Synch Service Class on device(s) to update the service class definition on the device(s).
Tip
You can also start the Class Manager Main Window from Essentials by selecting Administration > ACL Management > Edit Class Definitions.
Creating a New Network
Editing a Network
Creating a New Network Class
Editing a Network Class
Editing a Network Class Entry
Procedure
Step 1 Click Networks in the left pane (see Figure 6-1).
Step 2 Click on the New Network icon in the Class Manager toolbar. The Network Editor dialog box appears (see Figure 6-5).
Figure 6-5
Step 3
Set the appropriate fields, as follows:
Network name: Name to be given to the network definition.
IP address: Network IP address.
Mask: Mask (IP dotted notation).
Step 4
Editing a Network
Use this procedure to edit an existing network definition from the Class Manager window. To create a new network, see Creating a New Network.
Procedure
Step 1 Select the Networks folder in the left pane (see Figure 6-1). The network definitions are displayed in the right pane.
Step 2 Right-click on the network to edit, then select Edit. The Network Editor dialog box appears (see Figure 6-5).
Step 3
Procedure
Step 1 Select the Network Classes folder in the left pane (see Figure 6-1).
Step 2 Click on the New Network Class icon. The Network Class Editor dialog box appears (see Figure 6-6).
Figure 6-6
Step 3
Set the appropriate fields, as follows:
Name: Network class name.
Hosts: Name of a host to be added to the network class.
Address Range: Defines a range of IP addresses to be added to the network class.
Network Classes: Lists all defined network classes that can be added to this network class.
Networks: Lists all defined networks that can be added to this network class.
Right pane: Shows the hosts and address ranges defined so far in this network class. Click Add to add a field from a left pane to the right pane. Click Remove to remove a field from the right pane.
Procedure
Step 1 Select the Network Class folder in the left pane (see Figure 6-1). The network classes appear in the right pane.
Step 2 Right-click on the network class to be edited, then select Edit. The Network Class Editor dialog box appears (see Figure 6-6).
Step 3 Make your changes, then click OK.
Procedure
Step 1 Select the Network Class folder in the left pane, then select the network class to be edited.
Step 2 Right-click the network class entry to be edited, then select Edit. The Network Class Entry Editor dialog box appears.
Step 3 Make your changes, then click OK.
Procedure
Step 1 From the ACL Manager Main Window, select Tools > Class Manager. The Class Manager window appears.
Step 2 Expand the Network Classes folder to show all network classes.
Step 3 Expand the required network class, then select Network Class Device Uses. The devices and ACLs using this network class are displayed in the right pane (see Figure 6-7).
Figure 6-7
The columns in the right pane are described as follows:
Identifies the device to which the Network Class has been applied.
Shows the number or name of the ACL using the Network Class on this device.
Shows whether the current Network Class contents have changed since the last download of this ACL to the device.
If the network class instance for a device is invalid, you can choose the invalid device(s), right-click on the selected device(s) and select Synch Network Class on device(s) to update the network class definition on the device(s).
Tip
You can also start the Class Manager main window from Essentials by selecting Administration > ACL Management > Edit Class Definitions.
Procedure
Step 1
Create a network definition called MainDataCenter. Use the IP dot notation address and a network mask to define a range of IP addresses (see Figure 6-8).
Figure 6-8 Example - Network Definition
Step 2
Use the Network Class Editor to define a network class containing all the end host addresses of the workstations used in the group called USR-Finance (see Figure 6-9).
Figure 6-9
Step 3
Create a service class called StandardServices that includes the desired range of services (for example, pop2, pop3, Telnet, ftp-data, ftp, and the port range 1024 to 1034). Use ACL Manager, the ACE Editor, and the Network/Class Selector to create one logical ACE of the form:
permit tcp standardservice from @USR-Finance to @MainDataCenter
Step 4
This can be interpreted as permitting TCP traffic for all 11 source addresses specified in the class @USR-Finance to the destination address specified by MainDataCenter on the ports specified by the StandardServices.
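The expansion in this example, and the six-statement expansion of Engineering_Hosts to Marketing_Hosts at the start of this chapter, follow one rule: every source entry is combined with every destination entry and every service, so the number of device-level ACEs is the product of the three set sizes. The Python code below is an added illustration of that rule and is not ACL Manager's code. The class contents, the 11 hypothetical USR-Finance addresses, the MainDataCenter address and wildcard mask, and the output syntax are assumptions; where the page shows the ACL Manager display form (permit ip from host Eng1 to Mkt1), this code emits IOS extended-ACE syntax (permit ip host Eng1 host Mkt1).

```python
from itertools import product

# Constructed definitions modelled on the chapter's examples. The addresses
# for USR-Finance and MainDataCenter are hypothetical.
NETWORK_CLASSES = {
    "Engineering_Hosts": ["Eng1", "Eng2", "Eng3"],
    "Marketing_Hosts": ["Mkt1", "Mkt2"],
    # eleven finance workstations, matching the "11 source addresses" above
    "USR-Finance": ["10.20.1.%d" % i for i in range(11, 22)],
}
NETWORKS = {
    # name -> (network address, wildcard mask)
    "MainDataCenter": ("10.50.0.0", "0.0.255.255"),
}
SERVICE_CLASSES = {
    "StandardServices": {
        "protocol": "tcp",
        "services": ["pop2", "pop3", "telnet", "ftp-data", "ftp"],
        "ranges": [(1024, 1034)],
    },
}


def expand_endpoint(name):
    """Resolve an ACE endpoint (@class, named network, or single host) to the
    list of IOS address expressions it stands for."""
    name = name.lstrip("@")
    if name in NETWORK_CLASSES:
        return ["host %s" % h for h in NETWORK_CLASSES[name]]
    if name in NETWORKS:
        addr, wildcard = NETWORKS[name]
        return ["%s %s" % (addr, wildcard)]
    return ["host %s" % name]


def expand_ports(service_class):
    """Resolve a service class to the list of IOS port expressions it stands
    for; an empty string means 'no port qualifier'."""
    if service_class is None:
        return [""]
    sc = SERVICE_CLASSES[service_class]
    return (["eq %s" % s for s in sc["services"]]
            + ["range %d %d" % (lo, hi) for lo, hi in sc["ranges"]])


def expand_ace(permission, protocol, src, dst, service_class=None):
    """Expand one logical ACE into the device-level ACEs it represents.
    A service class is only meaningful for its own protocol, so a mismatch
    is rejected rather than silently producing wrong entries."""
    if service_class is not None and SERVICE_CLASSES[service_class]["protocol"] != protocol:
        raise ValueError("service class %s is %s, not %s"
                         % (service_class, SERVICE_CLASSES[service_class]["protocol"], protocol))
    lines = []
    for s, d, p in product(expand_endpoint(src), expand_endpoint(dst),
                           expand_ports(service_class)):
        line = "%s %s %s %s" % (permission, protocol, s, d)
        lines.append(line + " " + p if p else line)
    return lines


if __name__ == "__main__":
    for line in expand_ace("permit", "ip", "Engineering_Hosts", "Marketing_Hosts"):
        print(line)
    finance = expand_ace("permit", "tcp", "@USR-Finance", "@MainDataCenter", "StandardServices")
    print(len(finance), "device-level ACEs from one logical ACE")
```

One logical ACE in the finance example becomes 66 device-level entries (11 sources, 1 destination, 6 port expressions), which is why the Expand button in the Template Selection window and the Diff Viewer are worth using before a download: the entry count, and therefore the switch resources consumed and the surface to review, grows multiplicatively as classes grow.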
Chapter 7 Using the Template Manager
What is the Template Manager?
Starting the Template Manager
Creating a New Template
Editing an Existing Template
Creating and Inserting Template Folders
Identifying Devices That Use an ACL Template
Tip
You can also start the Template Manager from Essentials by selecting Administration > ACL Management > Edit ACL Templates.
New Template: Opens a dialog box to create a new template.
New Folder: Opens a dialog box to create a new template folder in the template directory.
Template Attributes
The template attributes appear in the right pane:
Name: The name of the template.
Type: The ACL type (IP, IP_EXTENDED, IPX, IPX_EXTENDED, IPX_SAP, IPX_SUMMARY, RATE_LIMIT_MAC, RATE_LIMIT_PRECEDENCE, VACL_IP, VACL_IPX, and VACL_MAC).
Date and time the template was created.
Name of the person who created the template.
Date and time the template was last modified.
Name of the user who last modified the template.
Comments inserted by the user during creation or modification.
Procedure
Step 1 Select the Template root directory or the folder in which you want the new template to reside (see Figure 7-1).
Step 2 Click on the New Template icon in the toolbar. The Template Editor dialog box appears (see Figure 7-2).
Figure 7-2
Step 3
Set the appropriate fields as follows:
Type: The ACL type (IP, IP_EXTENDED, IPX, IPX_EXTENDED, IPX_SAP, IPX_SUMMARY, RATE_LIMIT_MAC, RATE_LIMIT_PRECEDENCE, VACL_IP, VACL_IPX, VACL_MAC).
Name: Name to be given to the new template.
Comment: Comments on the new template.
Step 4
You can also save ACLs and ACEs as templates (see Chapter 4, Viewing and Editing ACLs).
Procedure
Step 1 Expand the folder containing the template to edit.
Step 2 Right-click on the template, then select Edit. The Template Editor dialog box appears (see Figure 7-2).
Step 3 Make your changes, then click OK. You can also insert a comment into a template's ACEs (see Appending a Comment in Chapter 6, Using the Class Manager).
For details of editing the entries themselves, see:
Manipulating ACEs in Viewing and Editing ACLs in Chapter 4.
Manipulating VACEs in Viewing and Editing VACLs in Chapter 5.
Procedure
Step 1 Select the Template root directory or the folder in which you want the new folder to reside (see Figure 7-1).
Step 2 Click on the New Folder icon in the Template Manager toolbar. The New Folder dialog box appears (see Figure 7-3).
Figure 7-3
Step 3
Enter the name for the new folder, then click OK.
Procedure
Step 1 From the ACL Manager Main Window, select Tools > Template Manager. The Template Manager window appears.
Step 2 Expand the template folder to show all templates, if necessary.
Step 3
Expand the required template, then select Template Device Uses. The devices and ACLs using this template appear in the right pane (see Figure 7-4).
Figure 7-4
The columns in the right pane are described as follows:
Identifies the device to which the ACL template has been applied.
Shows the number or name of the ACL using the template on this device.
Shows whether the current template contents have changed since the last download of this ACL to the device.
If the template instance for a device is invalid, choose the invalid device(s), right-click on the selected device(s) and select Synch Template on device(s).
Tip
You can also start the Template Manager Main Window from Essentials by selecting Administration > ACL Management > Edit ACL Templates.
Chapter 8
Define Uses for previously created ACLs, or for ACLs that have been newly created from templates. See Defining ACL Uses.
Defining an ACL Use with the Use ACL Wizard.
Selecting Interfaces, Lines, SNMP Community Settings or VLANs.
Completing the Use ACL Wizard Summary.
Displaying Use ACL Wizard Results.
Right-click on the ACL to be applied, then select Use ACL. The Use Selection window appears (see Figure 8-1). You can also display the ACL Use Selection dialog box by clicking the Create Uses button in the ACL Results dialog box.
If you have created or selected an IOS ACL (see Figure 8-1), select one of these from the Use Selection window:
Packet Filtering
Line Access
SNMP Community Access
SNMP TFTP Server
If the ACL created or selected is a VACL, select VLAN Packet Filtering from the Use Selection window. (In such a case, the Use Selection window displays only VLAN Packet Filtering.)
Figure 8-1
Use Selection
Step 2 Click Next. Based on your Use selection in Step 1, the following dialog boxes are displayed:
Interface Selection dialog box: If you selected packet filtering. (See Selecting Interfaces for Packet Filtering with the Use ACL Wizard.)
Line Selection dialog box: If you selected line access. (See Selecting Lines for Line Access with the Use ACL Wizard.)
SNMP Community Setting dialog box: If you selected SNMP Community Access. (See SNMP Community Settings with the Use ACL Wizard.)
Summary dialog box: If you selected SNMP TFTP Server. (See Completing the Use ACL Wizard Summary.)
VLAN Selection dialog box: If you selected VLAN Packet Filtering. (See Selecting VLANs for VLAN Packet Filtering with Use ACL Wizard.)
The following sections describe selecting:
Interfaces. (See Selecting Interfaces for Packet Filtering with the Use ACL Wizard.)
Lines. (See Selecting Lines for Line Access with the Use ACL Wizard.)
SNMP Community Settings. (See SNMP Community Settings with the Use ACL Wizard.)
VLANs. (See Selecting VLANs for VLAN Packet Filtering with Use ACL Wizard.)
Selecting Interfaces for Packet Filtering with the Use ACL Wizard
To select interfaces for packet filtering:
Procedure
Step 1
From the Interface Selection window, (see Figure 8-2), select the incoming (In) and outgoing (Out) interfaces of the device for which you are defining the Use.
Figure 8-2
Interface Selection
Step 2
Click Next to display the Summary dialog box (see Completing the Use ACL Wizard Summary).
Selecting Lines for Line Access with the Use ACL Wizard
Procedure
Step 1
From the Line Selection window (see Figure 8-3), select the incoming (In) and outgoing (Out) lines to which you want to apply the ACL.
Figure 8-3
Line Selection
Step 2
Click Next to display the Summary dialog box (see Completing the Use ACL Wizard Summary).
Step 1 In the SNMP Community Settings dialog box (see Figure 8-4), enter the Community String. This is a mandatory field.
Figure 8-4
Step 2
Enter the View Name. This is an optional field. You should provide a view name that already exists on the device. For some IOS versions, if you specify a view name that does not exist on the device, the view name does not get created, and the download fails.
Step 3 Select Access Type. By default, Access Type is read only. You can select Read/Write mode if required.
Step 4 Click Next. The Summary dialog box appears for the selections made for this ACL (see Completing the Use ACL Wizard Summary).
Selecting VLANs for VLAN Packet Filtering with Use ACL Wizard
Procedure
Step 1
Select the VLAN(s) for the device (see Figure 8-5) from the Use Selection dialog box.
Figure 8-5 VLAN Selection
Step 2
Click Next. The Summary dialog box appears (see Completing the Use ACL Wizard Summary).
Procedure
Step 1
Step 1 From the Summary dialog box, select the Overwrite existing ACL Uses? check box to overwrite an existing ACL use on any of the following:
Selected interfaces on the device (for packet filtering)
Selected lines on the device (for line access)
SNMP Community String on the device (for SNMP Community Settings)
SNMP TFTP Server list on the device (for SNMP TFTP Server)
VLAN on the device (for VLAN Packet Filtering)
Step 2 Click Finish to display the Results window (see Displaying Use ACL Wizard Results).
OK: The ACL Use was successfully created on the selected interface, lines or devices.
Failed: The ACL Use could not be created on the selected interface, lines or devices.
Procedure
Step 1
Figure 8-7
Step 2
Click Close to exit the Use ACL wizard. If you had selected:
Packet Filtering: The ACL is now installed for packet filtering on the specified interfaces.
Line Access: The ACL is now installed for line access on the specified lines.
SNMP Community Access: The ACL is now installed for the device.
SNMP TFTP Server list: The ACL is now installed for the device.
VLAN Packet Filtering: The ACL is now installed for the selected VLAN.
If you want to check the Use statements, go to the ACL Manager Main Window and navigate to:
Interfaces: for packet filtering.
Lines: for line access.
Global: for SNMP Community settings and SNMP TFTP server.
VLANs: for VLAN packet filtering.
To invoke the ACL Use Selection dialog box again, you can click Create Uses. See Defining an ACL Use with the Use ACL Wizard.
Packet filtering: on selected interfaces.
Line access: on selected lines.
SNMP community access: on selected VLANs.
SNMP TFTP server: on selected VLANs.
VLAN packet filtering: on selected VLANs.
For more information on templates, see Chapter 7. You can create an ACL from an existing template on a specific device, and create a Use for it, by:
Step 1 Selecting a Template with the Template Use Wizard.
Step 2 Selecting a Device.
Step 3 Displaying ACL Creation Results (Single Device).
Step 4 Defining an ACL Use with the Use ACL Wizard.
In the ACL Manager Main Window, select the device on which you want to create an ACL from the template, then select Apply Template. The Template Selection window appears (see Figure 8-8).
Step 1 From the Template Selection window (see Figure 8-8), select the template to be applied.
Figure 8-8 Template Selection
If you want to view the contents of the template, click Expand. The expanded template appears in the ACE Expanded window (see Figure 8-9).
Figure 8-9 Expanded Template
Click Close when you are finished, to exit the ACE Expanded window.
Step 2
Click Next in the Template Selection window. The Device Selection dialog box appears with the selected device highlighted (see Selecting a Device).
Selecting a Device
Procedure
Step 1
In the Device Selection dialog box (see Figure 8-10), the device that you selected in the ACL Manager Main Window for applying the template is highlighted.
Step 2 Select the Overwrite existing ACLs? check box to overwrite an existing ACL.
Step 3 Either:
Select Autonumber the New ACL to generate a number automatically for the new ACL. This option is selected by default.
or
Deselect Autonumber the New ACL and enter the ACL name or number in the ACL name or number text field.
Step 4 Click Finish. The ACL Results window appears, with the details of the ACL that you have created (see Displaying ACL Creation Results (Single Device)).
Click Close if you only want to create an ACL out of the template.
or
Click Create Uses to create Uses for such newly created ACLs.
When you click the Create Uses button, the Use Selection dialog box (Figure 8-1) appears. (See Defining an ACL Use with the Use ACL Wizard.) For the complete workflow to create uses for packet filtering, line access, SNMP Community Access, SNMP TFTP Server or VLAN filtering, see the section Defining ACL Uses.
Step 1 Select ACL Management > Use ACL Templates from Essentials to bring up the Use Templates dialog box (see Figure 8-12).
Figure 8-12 Use Templates
Step 2
Select a scenario.
Step 3
Select the Read config from Device check box to synchronize the Config Archive with the devices in the scenario (get the configuration file) before starting ACL Manager. The Template Selection Window appears.
If you are already in the ACL Manager Main Window, display the Template Selection Window by selecting Tools > ACL Use Wizard from the ACL Manager Main Window. You can apply a template to multiple devices by:
Step 1 Selecting a Template.
Step 2 Selecting the Devices.
Step 3 Displaying ACL Creation Results (Multiple Devices).
Step 4 Defining ACL Uses for Multiple Devices.
For more information on templates, see Chapter 8 Using the Template Manager.
Selecting a Template
Procedure
Step 1 From the Template Selection dialog box (see Figure 8-8), select the template to be applied. If you want to see the contents of the template, click Expand. The ACE Expanded dialog box appears with the details of the expanded template (see Figure 8-9). Click Close when you are finished in the ACE Expanded dialog box.
Step 2 Click Next in the Template Selection dialog box. The Device Selection dialog box appears with the selected device highlighted (see Selecting the Devices).
Step 1 From the Device Selection window (see Figure 8-13), select the required devices to which the template will be applied.
Figure 8-13 Devices Selection
Step 2
Select the Overwrite existing ACLs? check box to overwrite an existing ACL.
Select Autonumber the New ACL to generate a number automatically for the new ACL. This option is selected by default. If you select this option, a different ACL number may be generated on each device.
or
Deselect Autonumber the New ACL and enter the ACL name or number in the ACL name or Number text field.
Step 3 Click Finish. The ACL Results dialog box appears, with the details of the ACLs that you have created (see Displaying ACL Creation Results (Multiple Devices)).
Procedure
Step 1
View the results of the ACL creation, in the Results dialog box (see Figure 8-14).
The ACL Creation field displays Failed if the ACL was not created successfully. Otherwise, it displays OK.
OK: The ACL Use was successfully created on the selected interface, lines or devices.
Failed: The ACL Use could not be created on the selected interface, lines or devices.
Step 2
Either:
Click Close to exit the Results dialog box after creating ACLs out of the template.
or
Click Create Uses to create uses for the newly created ACLs. The Use Selection dialog box appears (see Figure 8-1). For details, see Defining ACL Uses for Multiple Devices.
Step 1 If you have created or selected an IOS ACL (see Figure 8-1), select one of these from the Use Selection window:
Packet Filtering
Line Access
SNMP Community Access
SNMP TFTP Server
If you have created or selected a VACL, select VLAN Packet Filtering from the Use Selection window. (In such a case, the Use Selection window displays only VLAN Packet Filtering.)
Step 2
Click Next. Based on your Use selection in Step 1, the following dialog boxes are displayed:
Interface Selection dialog box If you selected packet filtering. (See Selecting Interfaces with the Template Use Wizard). Line Selection dialog box If you selected line access. (See Selecting Lines with the Template Use Wizard). SNMP Community Setting dialog box If you selected SNMP Community Access. (See SNMP Community Settings with the Template Use Wizard).
8-22
78-15202-01
Chapter 8
Summary dialog box If you selected SNMP TFTP Server. (See Completing the Use ACL Wizard Summary). The summary will appear for all the selected devices. VLAN Selection dialog box If you selected VLAN Packet Filtering (see Selecting VLANs for VLAN Packet Filtering with Template Use Wizard).
Step 3 Step 4
View the Summary. (See Completing the Use ACL Wizard Summary). Display the results for the ACL Uses. If you had selected:
Packet Filtering The ACL is now installed for packet filtering on the specified interfaces on the selected devices. Line Access The ACL is now installed for line access on the specified lines on the selected devices. SNMP Community Access The ACL is now installed for the selected devices. SNMP TFTP Server list The ACL is now installed for the selected devices. VLAN Packet Filtering The ACL is now installed for the selected VLAN on the selected devices.
Selecting Interfaces with the Template Use Wizard
Procedure
Step 1
From the Interface Selection window for the first device, select the incoming (In) and outgoing (Out) interfaces of the device. To select the same interfaces on all subsequent devices, select Treat all subsequent devices exactly like this device? If you select this option and a subsequent device does not have the specified interfaces, that device is skipped. Click Next.
Step 2
Repeat Step 1 for all devices. After you have selected the last device, the Summary dialog box appears (see Completing the Use ACL Wizard Summary).
Selecting Lines with the Template Use Wizard
Procedure
Step 1
From the Line Selection window for the first device, select the incoming (In) and outgoing (Out) lines of the device to which the template will be applied. To select the same lines on all subsequent devices, select Treat all subsequent devices exactly like this device? If you select this option and a subsequent device does not have the specified lines, that device is skipped. Click Next.
Step 2
Repeat Step 1 for all devices. After you have selected the last device, the Summary dialog box appears (see Completing the Use ACL Wizard Summary).
SNMP Community Settings with the Template Use Wizard
Procedure
Step 1
Enter the Community String. This is a mandatory field.
Step 2
Enter the View Name. This is an optional field. Provide a view name that already exists on the device: on some IOS versions, specifying a view name that does not exist on the device does not create the view, and the download fails.
Step 3
Select Access Type. By default, Access Type is read only. Select Read/Write only if a host in the ACL actually needs to write: a read/write community string grants configuration access to every source the ACL permits. To select the same settings on all subsequent devices, select Treat all subsequent devices exactly like this device?
Step 4
Click Next.
Step 5
Repeat Steps 1 through 4 for each remaining device. After you select the last device, the Summary dialog box appears (see Completing the Use ACL Wizard Summary).
Selecting VLANs for VLAN Packet Filtering with Template Use Wizard
Procedure
Step 1
Select the VLAN(s) of the device. To select the same settings on all subsequent devices, select Treat all subsequent devices exactly like this device? If you select this option and a subsequent device does not have the specified VLAN(s), that device is skipped.
Step 2
Click Next. Repeat Steps 1 and 2 for each remaining device. After you select the last device, the Summary dialog box appears (see Completing the Use ACL Wizard Summary).
Chapter 9
Scheduling and Downloading
This chapter covers these topics:
Enabling Job Approval
Scheduling Downloads
Saving Changes to Disk
Browsing Job Status and Results
Viewing a Job Scenario
Editing and Resubmitting Jobs
Canceling Pending Jobs and Purging Old Jobs
What to Do If Your Download Fails
Enabling Job Approval
Procedure
Step 1
Select Resource Manager Essentials > Administration > Job Approval > Edit Preferences.
Step 2
Select the ACL Manager tab (see Figure 9-1).
Figure 9-1 Edit Preferences: ACL Manager
Step 3
Select the Enable Job Approval check box to enable Job Approval in ACL Manager; clear it to disable Job Approval.
Step 4
Click Apply to apply the changes.
Note
To receive email notification, set the SMTP server on the Windows 2000 server using Resource Manager Essentials > System Configuration.
Scheduling Downloads
You can use the Schedule Config Download Job dialog box to select devices and schedule downloads. If you have not yet started ACL Manager, display the Schedule Config Download Job dialog box using this procedure.
Procedure
Step 1
Select ACL Management > Schedule Downloads from Essentials to display the Schedule Downloads dialog box (see Figure 9-2).
Figure 9-2 Schedule Downloads Dialog Box
Step 2
Select a scenario, then select Read config from Device to synchronize the Config Archive with the devices in the scenario (get the configuration file). The Schedule Config Download Job dialog box appears (see Figure 9-3).
If you are already in the ACL Manager Main Window, do one of the following to display the Schedule Config Download Job dialog box:
Select Tools > ACL Downloader.
Click the ACL Downloader toolbar icon.
Figure 9-3 Schedule Config Download Job Dialog Box
Procedure
To download an ACL job:
Step 1
Select the devices.
Step 2
Select the download options to apply.
Step 3
Select the approver.
Step 4
Verify the configuration changes to be downloaded.
Step 5
Schedule the download.
When an ACL job is scheduled on a scenario, a copy of the scenario is made to avoid conflicting changes. The only operation you can perform on that copy is to view it in the ACL Manager Job Browser (as described in Viewing a Job Scenario).
Selecting Download Options
Enter the job description and select the download options in the Schedule Config Download Job dialog box. ACL Manager reduces the download time of config commands by allowing you to use TFTP in addition to Telnet; you choose the protocol in the Schedule Config Download Job dialog box. ACL Manager supports TFTP downloads on both Catalyst switches and routers.
Step 1
Enter a job description in the Job Description field. Use a description you can locate easily if you want to browse the jobs later.
Step 2
Select the transport and error-handling options:
Select Use SSH for secure server-to-device communication while downloading the configuration commands. The download succeeds only if the device to which you are downloading has been configured for SSH. Telnet sends the device login in cleartext and TFTP sends the configuration in cleartext, so use SSH wherever the device supports it.
Select Use Telnet to specify Telnet as the protocol for downloading configuration commands,
or
Select Use TFTP to specify TFTP as the protocol for downloading configuration commands. If you choose Use TFTP, the Rollback and Abort on Error options are disabled, because the configuration changes are bulk-transferred to the device and the error status of each individual command cannot be known. You can use TFTP or Telnet with the Use SSH option enabled.
If the device download order does not matter, select Download in Parallel; the download proceeds more quickly. If the order is important, leave the check box cleared: the devices are downloaded in the order in which they appear in the right column.
To copy the running configuration to the router's startup configuration after the download is complete, select Write to NVRAM.
To attempt to revert to the router's original configuration if an error occurs during the download, select Rollback. Any changes made before the error occurred are removed. (Rollback is selected automatically if you select Abort on Error.)
To revert to the router's original configuration, remove any changes, and abort the download if an error occurs, select Abort on Error. An attempt is made to revert the router configuration to its original state.
Note
The Save to Disk option saves the configuration changes or the complete configuration to disk. For more information, see Saving Changes to Disk.
Note
You can bypass Job Approval if you have both Network Administrator and Approver privileges. An account holding both roles can push changes with no second reviewer, so where the approval step is meant as a control, assign the two roles to different people.
Click Immediate to run the job as soon as possible, or click At and enter a date and time for the job to run in the future.
Verifying the Configuration Changes
Procedure
Step 1
Before downloading the changes you made in your scenario, verify them by clicking Diffs. The Config Diff View dialog box displays the modified objects to be downloaded (see Figure 9-4). If you change only the meta-information (such as comments or template include statements) and do not change the device config, the device is still marked as modified, but you will not see any diffs when you start the Diff Viewer. Changes that do not alter the physical view (such as saving a set of ACEs as a template) do not appear in the Diff Viewer.
Figure 9-4 Config Diff Dialog Box
Step 2
Select a device to see all your configuration changes.
Step 3
Select a modified ACL or ACL use. The original and new configurations appear in the Original Config and Modified Config columns (see Figure 9-5). To display the entire proposed configuration, click Config. To display only the configuration commands to be sent while downloading your scenario, click Delta.
Figure 9-5 Config Diff View for a Specified Device
Step 4
Click Close.
Step 5
Confirm your choice by clicking OK in the Schedule Config Download Job dialog box. If you have not saved the scenario, a message asks whether you want to save it.
Step 6
Click OK to save the scenario. A new window displays the ID of the scheduled job.
Step 7
Use the Job ID to track the status of the job. ACL Manager alerts you if there is a problem with the job schedule time or if the scenario has not been saved.
The device configuration does not change until a job runs and the config changes are downloaded to the device. You can view proposed configuration changes by selecting Tools > Diff Viewer from the ACL Manager Main Window. The job runs only if the configuration on the device still matches the configuration the device had when your scenario was created; if you schedule a job and someone changes the device configuration in the meantime, the job fails. This is a safeguard: the delta was computed against the archived configuration, and applying it to a device that has since changed could install the wrong lines. If you selected Write to NVRAM and the download is not successful (for example, only part of an ACL is applied, or the download causes the router to disconnect from the network), the router's startup files are not updated.
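The two safeguards just described, the pre-download staleness check and the Rollback / Abort on Error handling from Selecting Download Options, as an added worked example. This is example code written for this page, not ACL Manager's implementation and not a real device API: the Device class, its rejects set (a stand-in for an IOS command error), the archived configuration and the delta commands are all constructed for the illustration. The status strings follow the Job Results table later in this chapter.

```python
import hashlib
from typing import Iterable, List, Tuple


def config_digest(config_text: str) -> str:
    """Hash of a configuration with blank and comment ('!') lines dropped and
    whitespace trimmed, so only real config differences mark a device stale."""
    lines = (ln.strip() for ln in config_text.splitlines())
    body = "\n".join(ln for ln in lines if ln and not ln.startswith("!"))
    return hashlib.sha256(body.encode()).hexdigest()


class Device:
    """Constructed stand-in for a router. It keeps the running config as a
    list of lines, applies commands one at a time as a Telnet/SSH session
    would, and rejects any command listed in `rejects` (our stand-in for an
    IOS error such as an unknown SNMP view name or bad syntax)."""

    def __init__(self, running: str, rejects: Iterable[str] = ()):
        self.lines = [ln for ln in running.splitlines() if ln.strip()]
        self.rejects = set(rejects)

    @property
    def running(self) -> str:
        return "\n".join(self.lines)

    def apply(self, cmd: str) -> bool:
        if cmd in self.rejects:
            return False
        if cmd.startswith("no "):            # IOS-style negation removes the line
            if cmd[3:] not in self.lines:
                return False
            self.lines.remove(cmd[3:])
        else:
            self.lines.append(cmd)
        return True


def download(device: Device, archived_config: str, delta: List[str],
             rollback: bool) -> Tuple[str, List[str]]:
    """Pushes `delta` to the device the way a scheduled job would and returns
    (status, commands still applied on the device). Status names follow the
    Job Results table: 'Pre download failure', 'Download failed',
    'Rollback failed', plus 'OK' for success."""
    # Staleness check: the delta was computed against the archived config, so
    # if the device has changed since then the delta may no longer be correct.
    if config_digest(device.running) != config_digest(archived_config):
        return "Pre download failure", []
    applied: List[str] = []
    for cmd in delta:
        if device.apply(cmd):
            applied.append(cmd)
            continue
        if not rollback:
            # Without rollback (the TFTP case) a partial ACL stays on the device.
            return "Download failed", applied
        pending = list(applied)
        while pending:                        # undo in reverse order
            if not device.apply("no " + pending[-1]):
                return "Rollback failed", pending
            pending.pop()
        return "Download failed", []
    return "OK", applied


# Constructed sample data, not taken from the page.
ARCHIVED = "!\naccess-list 100 permit ip host 205.178.18.5 any\n"
DELTA = ["access-list 100 deny ip host 205.178.18.100 any",
         "access-list 100 permit ip 205.178.18.0 0.0.0.255 any"]

if __name__ == "__main__":
    dev = Device(ARCHIVED, rejects={DELTA[1]})      # second command will fail
    status, left = download(dev, ARCHIVED, DELTA, rollback=True)
    print(status, left, config_digest(dev.running) == config_digest(ARCHIVED))
```

Run stand-alone, the example rejects the second delta command, rolls the first one back, and confirms that the device digest again matches the archived copy; with rollback=False the first command remains on the device, which is exactly the partial-ACL outcome the Write to NVRAM caveat above warns about.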
Saving Changes to Disk
Procedure
Step 1
To display the Schedule Config Download Job dialog box, select one of the following:
ACL Management > Schedule Downloads from Essentials.
Tools > ACL Downloader from the ACL Manager Main Window.
The ACL Downloader toolbar icon in the ACL Manager Main Window.
The Schedule Config Download Job dialog box displays a list of all devices you modified (see Figure 9-3).
Step 2
Select the router(s) to which the ACLs are to be downloaded, using the Add and Remove buttons.
Step 3
Select Save to Disk to save the router configuration files to a standard disk directory without downloading a job.
Step 4
Do one of the following:
Click the Complete Config radio button to save the entire configuration.
Click the Delta Config radio button to save the config deltas (the actual commands that will be downloaded to the device to implement the ACLs and ACL Uses in your scenario).
To verify the configuration changes, select one or more devices, then click Diffs. (See Verifying the Configuration Changes.) To save the configuration files on the server, click OK. The Save In dialog box appears (see Figure 9-6).
Figure 9-6 Save In Dialog Box
Step 5
Select the path where you want to save the configuration changes files. By default, the configurations are saved in c:\program files\CSCOpx. You can also enter a location in the Target Directory field.
Note
On Windows 2000 systems, in the Schedule Config Download Job dialog box, you can navigate to any directory up to the root of the default C:\ drive to save the configuration changes files. To save the files in any other location or on another drive, enter the complete path in the Target Directory field.
The configuration files are saved in the output directory. Contact your system administrator for access to these directories. These files contain device configuration, including any SNMP community strings set through the Use wizard, so keep the output directory restricted to the people who need it. If you decide to proceed with the download, start a new download. See Scheduling Downloads.
Browsing Job Status and Results
Procedure
Step 1
To display the Job Browser dialog box, select one of the following:
ACL Management > Browse Download Jobs from Essentials.
Tools > Job Browser from the ACL Manager Main Window.
The Job Browser dialog box displays all scheduled jobs (see Figure 9-7).
Figure 9-7 Job Browser Dialog Box
Step 2
To display jobs filtered by Job Status or Job User, make your selection, then click Refresh. The columns in the Job Browser dialog box are:
Job ID: Unique number assigned to this task at creation time. This number is never reused.
Job Status: Current state or last run result of the job.
Description: Information you entered in the Job Description field of the Schedule Config Download Job dialog box.
Scheduled At: Date and time the job is scheduled to run.
Finish Time: Date and time the job completed.
User: Name of the user who created the job.
Approver: Name of the approver who has to approve the job.
Scenario: Name of the job scenario you created from the scenario whose changes are to be downloaded.
The Job Status column can display these values:
Running: Job is running.
Pending: Job has not started.
Waiting for approval: Job is waiting for approval from one of the approvers.
Pending (Approved): Job has been approved and has not started.
Rejected: Job was rejected by one of the approvers.
Cancelled: Job was canceled by user.
Aborted: Job was aborted by server.
Failed: Download failed on all devices. Click Results to obtain more information.
Two further status values (their names are not legible here) mean: Download failed on one or more devices (click Results to obtain more information), and Job downloaded successfully on all devices.
Step 3
To view the job status by device, select the job, then click Results. The Job Results window displays the status for all devices for that job (see Figure 9-8). The Status column can have these values:
Download verify failed: Download configuration does not match device configuration (device became stale after download started).
Pre download failure: Device is stale before download started.
Rollback failed: Download failed, then the attempt to roll back to the previous configuration failed.
Download failed: All other download failures.
Running: Job is running.
Pending: Job has not started.
Waiting for approval: Job is waiting for approval from one of the approvers.
Pending (Approved): Job has been approved and has not started.
Rejected: Job was rejected by one of the approvers.
Figure 9-8 Job Results
Step 4
Click Device Results to obtain detailed information about the device (see Figure 9-9).
Figure 9-9 Device Results
Step 5
Click Diff to view the Config Diff dialog box (see Figure 9-4).
Note
To browse jobs, release resources, and stop and remove jobs, use the Job Resource Manager (JRM) of CiscoWorks: select CiscoWorks Server > Administration > Job Management.
Viewing a Job Scenario
Procedure
Step 1
To display the Job Browser dialog box (see Figure 9-7), select one of the following:
ACL Management > Job Browser from Essentials.
Tools > Job Browser from the ACL Manager Main Window.
Step 2
Highlight the job whose associated scenario you want to view, then click Open. The ACL Manager Main Window appears, displaying the contents of the specified scenario (see Figure 9-10).
Editing and Resubmitting Jobs
Procedure
Step 1
To display the Job Browser dialog box, select one of the following:
ACL Management > Job Browser from Essentials.
Tools > Job Browser from the ACL Manager Main Window.
Step 2
Select the uncompleted job, then click Edit. The Schedule Config Download Job dialog box appears, displaying the job details.
Step 3
Change the download options, schedule the date and time, and click OK.
Canceling Pending Jobs and Purging Old Jobs
Procedure
Step 1
To display the Job Browser dialog box, select one of the following:
ACL Management > Job Browser from Essentials.
Tools > Job Browser from the ACL Manager Main Window.
Step 2 Step 3
What to Do If Your Download Fails
A download can fail because of:
Loss of connectivity to the device during the download.
A device becoming stale because another user in another scenario downloaded changes to the device after you had scheduled the download.
When this happens, the device icon is grayed out. You can change the status from stale to OK so that the download proceeds, but doing so overrides the staleness check: confirm first that the other user's changes do not touch the ACLs or uses in your scenario, or refresh the device as described below.
Note
If you refresh a stale device, you will lose your edits. If your download fails because the device is stale, do the following to save your changes and attempt to download again:
Procedure
Step 1
Back up the scenario containing your edits and the stale device under a different name by selecting File > Save Scenario As from the ACL Manager Main Window.
Step 2
Reopen the original scenario.
Step 3
Refresh any stale devices and save the scenario.
Step 4
Open the backup scenario.
Note
Make sure Read Config from Device is not checked. Select the Open in Read Only Mode check box.
Step 5
Switch to the original scenario and paste the data back to the device, overwriting the ACLs.
Step 6
Download your changes to the device, as described in Scheduling Downloads.
Chapter 10
Optimizing ACLs
These topics describe optimization and how you can optimize your ACLs for better performance:
What Are the ACL Optimizer and Hits Optimizer?
Using the ACL Optimizer
Using the ACL Hits Optimizer
Resetting Hit Counters
What Are the ACL Optimizer and Hits Optimizer?
Each packet through an interface may be compared against all the ACE statements in an ACL used on the interface until one of the statements is a hit. The ACE statements are examined in sequence.
To improve device performance, the ACL Optimizer minimizes the number of ACEs that must be compared. The ACL Hits Optimizer re-arranges ACEs so that the most frequently hit ACEs are placed first. Using the ACL Optimizer or Hits Optimizer changes the physical view of the ACL, but not the logical view. Any change made to the logical view (including reordering ACEs) re-creates the physical view, so the optimizations are lost and must be redone.
The ACL Optimizer applies these transformations:
Removing covered ACEs. In the following example, the second original ACE covers the first.
Original ACEs: (not shown)
Optimized ACEs:
permit ip from 205.178.18.0/0.0.0.255
Merging maskable ACE address ranges. In the following example, the original ACEs' address ranges are contiguous and maskable.
Original ACEs:
permit ip from host 205.178.18.8
permit ip from host 205.178.18.9
permit ip from host 205.178.18.10
permit ip from host 205.178.18.11
permit ip from host 205.178.18.12
permit ip from host 205.178.18.13
permit ip from host 205.178.18.14
permit ip from host 205.178.18.15
Optimized ACEs:
permit ip from 205.178.18.8/0.0.0.7
Merging covered ACE port ranges. In the following example, the port range of the second original ACE (ports below 50) combines with the port range of the first (ports above 25) to cover the entire set of ports.
Original ACEs:
permit tcp gt 25 from host 205.178.18.5
permit tcp lt 50 from 205.178.18.5
Optimized ACEs:
permit tcp between 0 and 65535 from 205.178.18.5
Removing duplicate ACEs.
Original ACEs:
permit ip from host 205.178.18.5
permit ip from host 205.178.18.5
permit ip from host 205.178.18.10
Optimized ACEs:
permit ip from host 205.178.18.5
permit ip from host 205.178.18.10
The Hits Optimizer moves the most frequently hit ACEs to the front. In the following example the deny ACE has more hits, so it is moved ahead of the permit ACE; the two ACEs match different hosts, so the new order does not change which packets are permitted or denied.
Original ACEs (# Hits):
permit ip from host 205.178.18.5 (300)
deny ip from host 205.178.18.100 (500)
Reordered ACEs:
deny ip from host 205.178.18.100
permit ip from host 205.178.18.5
Reordering ACEs is performed only if the new order does not change ACL semantics. For example, ACL Manager would not reorder the ACEs in the following example:
Original ACEs (# Hits):
deny ip from host 205.178.18.5 (300)
permit ip from 205.178.18.0/0.0.0.255 (500)
Incorrectly Reordered ACEs:
permit ip from 205.178.18.0/0.0.0.255
deny ip from host 205.178.18.5
ACL Manager would not perform this reorder because doing so would change the ACL semantics, which were to deny packets from host 205.178.18.5 and allow them from the rest of the subnet.
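The four Optimizer transformations and the Hits Optimizer's safety rule, as an added worked example that reproduces the tables above. This is example code written for this page, not ACL Manager's own implementation. The ACE model is an assumption: an action, a protocol (ip or tcp), a source network, an inclusive source port range and a hit counter; destination and other match fields are not modelled. It goes a little beyond the page's cases in that the covered-ACE rule also drops any ACE shadowed by an earlier one, and the port merge accepts adjacent as well as overlapping ranges.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, collapse_addresses
from itertools import groupby
from typing import List, Tuple

# Example code for this page; the ACE fields below are an assumed model.
PortRange = Tuple[int, int]
ALL_PORTS: PortRange = (0, 65535)


@dataclass(frozen=True)
class ACE:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" (any protocol) or "tcp"
    src: IPv4Network               # source network; a single host is a /32
    ports: PortRange = ALL_PORTS   # inclusive source port range (tcp only)
    hits: int = 0                  # hit counter read back from the device


def ace(action: str, proto: str, src: str, ports: PortRange = ALL_PORTS, hits: int = 0) -> ACE:
    return ACE(action, proto, IPv4Network(src), ports, hits)


def covers(a: ACE, b: ACE) -> bool:
    """Every packet that matches b also matches a."""
    return (a.proto in ("ip", b.proto) and b.src.subnet_of(a.src)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def overlaps(a: ACE, b: ACE) -> bool:
    """Some packet could match both a and b."""
    return ((a.proto == b.proto or "ip" in (a.proto, b.proto))
            and a.src.overlaps(b.src)
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def remove_covered(aces: List[ACE]) -> List[ACE]:
    """Covered and duplicate removal. An ACE is dropped when an earlier ACE
    covers it (it can never be hit), or when a later ACE with the same action
    strictly covers it and no opposite-action ACE that overlaps it lies between."""
    out: List[ACE] = []
    for i, cur in enumerate(aces):
        shadowed = any(covers(e, cur) for e in aces[:i])
        absorbed = any(
            e.action == cur.action and covers(e, cur) and not covers(cur, e)
            and not any(m.action != cur.action and overlaps(m, cur) for m in aces[i + 1:j])
            for j, e in enumerate(aces) if j > i)
        if not (shadowed or absorbed):
            out.append(cur)
    return out


def merge_maskable(aces: List[ACE]) -> List[ACE]:
    """Maskable merge: consecutive ACEs that differ only in source address
    collapse into the fewest CIDR blocks covering them (.8-.15 -> /29)."""
    out: List[ACE] = []
    for (action, proto, ports), run in groupby(aces, key=lambda a: (a.action, a.proto, a.ports)):
        members = list(run)
        for net in collapse_addresses(a.src for a in members):
            hits = sum(a.hits for a in members if a.src.subnet_of(net))
            out.append(ACE(action, proto, net, ports, hits))
    return out


def merge_ports(aces: List[ACE]) -> List[ACE]:
    """Port merge: consecutive ACEs that differ only in ports are unioned when
    their ranges overlap or touch (gt 25 plus lt 50 becomes 0-65535)."""
    out: List[ACE] = []
    for cur in aces:
        prev = out[-1] if out else None
        if (prev is not None
                and (prev.action, prev.proto, prev.src) == (cur.action, cur.proto, cur.src)
                and cur.ports[0] <= prev.ports[1] + 1 and prev.ports[0] <= cur.ports[1] + 1):
            out[-1] = replace(prev, ports=(min(prev.ports[0], cur.ports[0]),
                                           max(prev.ports[1], cur.ports[1])),
                              hits=prev.hits + cur.hits)
        else:
            out.append(cur)
    return out


def optimize(aces: List[ACE]) -> List[ACE]:
    """The ACL Optimizer: fewer ACEs, identical logical view."""
    return merge_ports(merge_maskable(remove_covered(aces)))


def hits_reorder(aces: List[ACE]) -> List[ACE]:
    """The Hits Optimizer: move each ACE ahead of less-hit predecessors, but
    never past an opposite-action ACE it overlaps, because that swap would
    change which action wins for the packets both ACEs match."""
    out: List[ACE] = []
    for cur in aces:
        pos = len(out)
        while pos > 0 and out[pos - 1].hits < cur.hits and not (
                out[pos - 1].action != cur.action and overlaps(out[pos - 1], cur)):
            pos -= 1
        out.insert(pos, cur)
    return out


def render(a: ACE) -> str:
    """Host / network-wildcard notation as used in the tables above."""
    src = (f"host {a.src.network_address}" if a.src.prefixlen == 32
           else f"{a.src.network_address}/{a.src.hostmask}")
    ports = "" if a.ports == ALL_PORTS else f" ports {a.ports[0]}-{a.ports[1]}"
    return f"{a.action} {a.proto} from {src}{ports}"


if __name__ == "__main__":
    hosts = [ace("permit", "ip", f"205.178.18.{n}/32") for n in range(8, 16)]
    print([render(a) for a in optimize(hosts)])
```

The reorder guard is the whole point of the Hits Optimizer's "does not change ACL semantics" rule: an ACE may only overtake predecessors whose match set it does not share, or that would take the same action anyway.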
Note
Standard IP ACLs and VACLs do not support Hit Counters, so the Hits Optimizer is not available for these types of ACLs.
Using the ACL Optimizer
Procedure
Step 1
From the ACL Manager Main Window, select the ACL to optimize. In Figure 10-1, ACL 100 is selected.
Figure 10-1 ACL to be Optimized
Step 2
Select Optimizer from the ACL pop-up menu. The Optimizer completes the optimization and a high-level report appears (see Figure 10-2).
Figure 10-2 ACL Optimizer
Step 3
Step 4
If you are satisfied with the optimization, click Done to return to the previous display.
Step 5
Click Apply to apply the optimization. The optimized ACEs become the physical view that is downloaded to the device, so review them in the Diff Viewer before scheduling the download.
Using the ACL Hits Optimizer
Procedure
Step 1
From the ACL Manager Main Window, select the ACL to optimize. In Figure 10-4, ACL 100 is selected.
Figure 10-4 ACL to be Hit Optimized
Step 2
Right-click and select Hits Optimizer. The Hits Optimizer completes the optimization and a high-level report appears (see Figure 10-5).
Step 3
Step 4
If you are satisfied with the optimization, click Done to return to the previous display.
Step 5
Click Apply to apply the optimization. The reordering is only as good as the hit counts it is based on: reset the counters (see Resetting Hit Counters) and let them accumulate over a representative traffic period before you optimize.
Resetting Hit Counters
Procedure
Step 1
From Essentials, select Administration > ACL Management > Reset Hit Counter (see Figure 10-7).
Step 2
Select All Devices, then select those devices for which you want the hit counter reset to zero.
Step 3
Click Finish.
Index
A
ACE Editor buttons, using 4-20 ACEs (Access Control Entries) (see also ACLs) 2-1 ACE Editor buttons, using 4-20 comments appending 4-14 inserting 4-15 editing 4-17 IP ACE attributes 4-20 IP Extended ACE attributes 4-22 IPX ACE attributes 4-29 IPX Extended ACE attributes 4-30 IPX SAP ACE attributes 4-33 IPX SUMMARY ACE attributes 4-34 RATE LIMIT MAC ACE attributes 4-35 RATE LIMIT PRECEDENCE ACE attributes 4-36 source and destination addresses, specifying 4-18 manipulating 4-10 new appending 4-11 inserting 4-10 printing 4-45
reordering 4-16 templates inserting 4-12 saving as 4-37 ACL Hits Optimizer, description 10-3 ACL Manager benefits of 1-4 components 1-4 description 1-3 functionality 1-5 overview 1-1 terms and definitions 1-1 tools 1-7 ACL Optimizer description 10-2 using 10-4 ACLs (Access Control Lists) 4-1 (see also ACEs) 4-10 ACL use statement, definition 1-2 configuration changes, viewing 4-38 creating overview 2-1 procedure 4-4 definitions and uses 2-1 Diff Viewer, using 4-38
editing 4-6 existing, viewing 4-2 optimizing 10-1 ACL Hits Optimizer, using 10-7 ACL Optimizer, description 10-1 ACL Optimizer, using 10-4 hit counters, resetting 10-9 Hits Optimizer, defined 10-1 redundancy checks 4-42 printing 4-45 properties (use details) 2-5 renaming 4-9 templates attributes of 2-2 creating 2-1 saving as 4-8 time range definitions, editing 4-42 Absolute 4-42 Periodic 4-44 uses 2-7 defining 4-6 description 2-7 modes and contexts, description 2-7 advanced topics in ACL Manager 3-27 avoiding loss of edits when refreshing a device 3-29 refreshing devices 3-28 stale devices 3-27
B
backing up data 3-30 on Solaris 3-30 on Windows 2000 3-31
C
cautions significance of xii Cisco.com, accessing xvi CiscoWorks Server in backing up ACLM data 3-30 JRM, and job management 9-17 Class Manager 6-1 description 6-1 devices that use network class, identifying 6-16 service class, identifying 6-9 editors 6-2 invoking 6-3 networks and network classes, using 6-11 network, creating a new 6-11 network, editing 6-13 network class, creating a new 6-13 network class, editing 6-15 network class entry, editing 6-16 services and service classes, using 6-4 service, creating a new 6-4
service, editing 6-6 service class, creating a new 6-6 service class, editing 6-8 service class entry, editing 6-9 toolbar, using 6-3 using (example) 6-18 comments Comment, template attribute 2-5 in ACEs appending 4-14 inserting 4-15 in VACEs appending 5-14 inserting 5-15 Config Diff dialog box, illustration 9-8
D
deleting scenarios 3-10 documentation feedback, submitting electronically xviii obtaining xvi CD-ROM xvii Cisco.com xvi ordering xvii obtaining updated xvi other Cisco publications and information xxi related xii downloads, scheduling 9-3 actual 9-7 configuration changes, verifying 9-8 devices, selecting 9-5 download options, selecting 9-6 job approvers, selecting 9-7 describing 9-6 TFTP, and 9-6
E
editing ACEs 4-17 IP ACE attributes 4-20 IP Extended ACE attributes 4-22 IPX ACE attributes 4-29 IPX Extended ACE attributes 4-30 IPX SAP ACE attributes 4-33 IPX SUMMARY ACE attributes 4-34 RATE LIMIT MAC ACE attributes 4-35 RATE LIMIT PRECEDENCE ACE attributes 4-36 source and destination addresses 4-18 ACLs 4-6 ACL time range definitions 4-42 Class Manager network class entries 6-16 network classes 6-15 Edit menu 3-15 jobs and resubmitting 9-18 incomplete jobs, resubmitting 9-18 templates, existing 7-5 VACEs 5-17 ACE Editor buttons, using 5-19 IP VACE attributes 5-20 IPX VACE attributes 5-28 MAC attributes 5-29 source and destination addresses 5-18 VACLs 5-6 Essentials, setting up 3-4
F
failed downloads, handling 9-19 Find feature, using 3-14
G
getting started 3-1 glossary 1-1
H
help xviii Cisco.com xviii TAC xix Escalation Center xx website xx
I
IOS ACLs, definition 1-2
J
Java Plug-in, and improving ACL Manager performance 3-4 Job Browser dialog box, illustration 9-13 jobs approval, enabling 9-2 cancelling pending 9-19 editing and resubmitting 9-18 editing and resubmitting an incomplete job 9-18 job management integration 9-17 purging old 9-19 scenarios, viewing 9-17 status and results, browsing 9-13
K
keyboard shortcuts, using 3-23 ACL Manager dialog boxes Solaris 3-25 Windows 3-25 ACL Manager window 3-23 key words 1-1 ACL, ACE 1-1 ACL templates 1-2 ACL use modes and contexts 1-2 ACL use statement 1-2 IOS ACLs 1-2 logical view 1-2 network 1-2 network class 1-2 physical view 1-2 scenario 1-3 service 1-3 service class 1-3 Template Include ACE 1-3 VLAN Access Lists (VACLs) 1-3
L
logical view, definition 1-2
M
menus 3-14 ACL menu 3-18 Edit menu 3-15 File menu 3-14 Tools menu 3-18 View menu 3-17
N
navigating in the main window 3-12
P
physical view, definition 1-2 preparing to use ACL Manager 3-2 printing 3-12 privilege levels overview 1-8 user levels and tasks 1-9
R
refreshing devices 3-28 refreshing devices while avoiding loss of edits 3-29 restoring data 3-31 on Solaris 3-32 on Windows 2000 3-32
S
Save In dialog box, illustration 9-12 saving changes to disk 9-10 scenarios definition 1-3 under a different name 3-8 under the existing name 3-8 viewing 9-17 Schedule Config Download Job dialog box, illustration 9-4 Schedule Downloads dialog box, illustration 9-3 scheduling and downloading 9-1 service, definition 1-3 service class, definition 1-3 stale devices 3-27 starting ACL Manager 3-4
T
TAC (Technical Assistance Center) xix Escalation Center xx website xx technical support xviii Cisco.com xviii TAC xix Escalation Center xx website xx Telnet, and improved download time of config commands 9-6 Template Include ACE, definition 1-3 Template Manager 7-1 description 7-1 devices that use an ACL template, identifying 7-6 editing an existing 7-5 folders, creating and inserting 7-5 starting 7-2 template attributes (table) 7-3 template folders, creating and inserting 7-5 toolbar, using 7-2 templates attributes of Comment 2-5 Created By 2-4 Creation Date 2-4 Last Modified By 2-4 Modification Date 2-4 Name, Number, and Type 2-3 creating a new 7-3 definition 1-2 terms and definitions 1-1 TFTP, and improved download time of config commands 9-6 toolbars, using ACL Manager 3-21 Class Manager 6-3 Template Manager 7-2 typographical conventions used in this document xi
U
use modes and contexts, definition 1-2 Use wizards 8-1 ACL uses, defining Use ACL Wizard, using 8-4 Use ACL Wizard results, displaying 8-10 Use ACL Wizard Summary, completing 8-9
V
VACEs (VLAN Access Control Entries) (see also VACLs) 5-1 comments appending 5-14 inserting 5-15 editing 5-17 ACE Editor buttons, using 5-19 IP VACE attributes 5-20 IPX VACE attributes 5-28 MAC attributes 5-29 source and destination addresses, specifying 5-18 manipulating 5-10 new appending 5-11 inserting 5-10 printing 5-36 reordering 5-16 templates inserting 5-12 saving as 5-31 VACLs (VLAN Access Control Lists) 5-1 (see also VACEs) 5-10 configuration changes, viewing 5-32 creating 5-5 definition 1-3 Diff Viewer, using 5-32 editing 5-6 optimizing 5-36 printing 5-36 renaming 5-9 saving as templates 5-8 uses, defining 5-6 viewing existing 5-2 viewing ACL configuration changes 4-38 ACLs, existing 4-2 job scenarios 9-17 VACL configuration changes 5-32 VACLs, existing 5-2
W
workflow cycle, performing a complete 3-26 changes to the devices, downloading 3-27 device configuration changes, verifying 3-26 download success, verifying 3-27