
User Guide for ACL Manager

Software Release 1.5 CiscoWorks

Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100
Customer Order Number: DOC-7815202= Text Part Number: 78-15202-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R) User Guide for ACL Manager Copyright 2003, Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface xi
    Audience xi
    Conventions xi
    Product Documentation xii
    Related Documentation xiv
    Obtaining Documentation xvi
    Cisco.com xvi
    Documentation CD-ROM xvii
    Ordering Documentation xvii
    Documentation Feedback xviii
    Obtaining Technical Assistance xviii
    Cisco.com xviii
    Technical Assistance Center xix
    Cisco TAC Website xx
    Cisco TAC Escalation Center xx
    Obtaining Additional Publications and Information xxi

CHAPTER 1 ACL Manager Overview 1-1
    ACL Terms and Definitions 1-1
    What Is ACL Manager? 1-3
    ACL Manager Components 1-4
    Benefits of ACL Manager 1-4
    ACL Manager Functionality 1-5
    ACL Manager Tools 1-7
    ACL Manager Privilege Levels 1-8
    Privilege Levels and Tasks 1-9

CHAPTER 2 ACL Definitions and Uses 2-1
    Creating ACLs and Templates 2-1
    ACL and Template Attributes 2-2
    Name, Number, and Type Attributes 2-3
    Creation Date Attribute 2-4
    Created By Attribute 2-4
    Modification Date Attribute 2-4
    Last Modified By Attribute 2-4
    Comment Attribute 2-5
    ACL Properties (Use Details) 2-5
    ACL Uses 2-7
    Use Modes and Contexts 2-7

CHAPTER 3 Getting Started 3-1
    Before You Begin 3-2
    Setting Up Essentials 3-4
    Starting ACL Manager 3-4
    Saving Scenarios 3-8
    Saving Under the Existing Name 3-8
    Saving Under a Different Name 3-8
    Deleting Scenarios 3-10
    Opening A Different Scenario 3-11
    Printing 3-12
    Navigating in the ACL Manager Main Window 3-12
    Using the Find Feature 3-14
    ACL Manager Menus 3-14
    File Menu 3-14
    Edit Menu 3-15
    View Menu 3-17
    ACL Menu 3-18
    Tools Menu 3-18
    Using the Device State Icons 3-19
    Using the Toolbar 3-21
    Using Keyboard Shortcuts 3-23
    Keyboard Shortcuts for ACL Manager Window 3-23
    Keyboard Shortcuts for ACL Manager Dialog Boxes - Windows 3-25
    Keyboard Shortcuts for ACL Manager Dialog Boxes - Solaris 3-25
    Performing a Complete Workflow Cycle 3-26
    Verifying Device Configuration Changes 3-26
    Downloading the Changes to the Devices 3-27
    Verifying That the Download Was Successful 3-27
    Advanced ACL Manager Topics 3-27
    Stale Devices 3-27
    Refreshing Devices 3-28
    How to Avoid Losing Edits When Refreshing a Device 3-29
    Backing up ACL Manager Data 3-30
    Backing up Data on Solaris 3-30
    Backing up Data on Windows Server 3-31
    Restoring ACL Manager Data 3-31
    Restoring Data on Solaris 3-32
    Restoring Data on Windows Server 3-32

CHAPTER 4 Viewing and Editing ACLs 4-1
    Viewing Existing ACLs 4-2
    Creating ACLs 4-4
    Defining ACL Uses 4-6
    Editing ACLs 4-6
    Saving ACLs as Templates 4-8
    Renaming ACLs 4-9
    Manipulating ACEs 4-10
    Inserting a New ACE 4-10
    Appending a New ACE 4-11
    Inserting a Template 4-12
    Appending a Comment 4-14
    Inserting a Comment 4-15
    Reordering ACEs 4-16
    Editing ACEs 4-17
    Specifying Source and Destination Addresses 4-18
    Using the ACE Editor Buttons 4-20
    Editing IP ACE Attributes 4-20
    Editing IP Extended ACE Attributes 4-22
    Editing IP Extended General Attributes 4-22
    Editing IP Extended Advanced Attributes 4-24
    Editing IP Extended Other Attributes 4-27
    Editing IPX ACE Attributes 4-29
    Editing IPX Extended ACE Attributes 4-30
    Editing IPX SAP ACE Attributes 4-33
    Editing IPX SUMMARY ACE Attributes 4-34
    Editing RATE LIMIT MAC ACE Attributes 4-35
    Editing RATE LIMIT PRECEDENCE ACE Attributes 4-36
    Saving ACEs as a Template 4-37
    Viewing the Configuration Changes 4-38
    Optimizing the ACL 4-42
    Editing Time Range Definitions 4-42
    Time Range Definition - Absolute 4-42
    Time Range Definition - Periodic 4-44
    Printing the ACL/ACE 4-45

CHAPTER 5 Viewing and Editing VACLs 5-1
    Viewing Existing VACLs 5-2
    Creating VACLs 5-5
    Defining VACL Uses 5-6
    Editing VACLs 5-6
    Saving VACLs as Templates 5-8
    Renaming VACLs 5-9
    Manipulating VACEs 5-10
    Inserting a New VACE 5-10
    Appending a New VACE 5-11
    Inserting a Template 5-12
    Appending a Comment 5-14
    Inserting a Comment 5-15
    Reordering VACEs 5-16
    Editing VACEs 5-17
    Specifying Source and Destination Addresses 5-18
    Using the ACE Editor Buttons 5-19
    Editing IP VACE Attributes 5-20
    Editing IP General Attributes 5-21
    Editing IP Advanced Attributes 5-24
    Editing IP Other Attributes 5-27
    Editing IPX VACE Attributes 5-28
    Editing MAC VACE Attributes 5-29
    Saving VACEs as a Template 5-31
    Viewing the Configuration Changes 5-32
    Optimizing the VACL 5-36
    Printing the VACL/VACE 5-36

CHAPTER 6 Using the Class Manager 6-1
    What Is the Class Manager? 6-1
    Class Manager Editors 6-2
    Invoking the Class Manager 6-3
    Using the Class Manager Toolbar 6-3
    Using Services and Service Classes 6-4
    Creating a New Service 6-4
    Editing a Service 6-6
    Creating a New Service Class 6-6
    Editing a Service Class 6-8
    Editing a Service Class Entry 6-9
    Identifying Devices That Use Service Class 6-9
    Using Networks and Network Classes 6-11
    Creating a New Network 6-11
    Editing a Network 6-13
    Creating a New Network Class 6-13
    Editing a Network Class 6-15
    Editing a Network Class Entry 6-16
    Identifying Devices That Use Network Class 6-16
    Using the Class Manager: Example 6-18

CHAPTER 7 Using the Template Manager 7-1
    What is the Template Manager? 7-1
    Starting the Template Manager 7-2
    Using the Template Manager Toolbar 7-2
    Template Attributes 7-3
    Creating a New Template 7-3
    Editing an Existing Template 7-5
    Editing the Contents of a Template 7-5
    Creating and Inserting Template Folders 7-5
    Identifying Devices That Use an ACL Template 7-6

CHAPTER 8 ACL Manager Use Wizard 8-1
    Defining ACL Uses 8-1
    Defining an ACL Use with the Use ACL Wizard 8-2
    Selecting Interfaces, Lines, SNMP Community Settings or VLANS 8-4
    Selecting Interfaces for Packet Filtering with the Use ACL Wizard 8-4
    Selecting Lines for Line Access with the Use ACL Wizard 8-5
    SNMP Community Settings with the Use ACL Wizard 8-6
    Selecting VLANs for VLAN Packet Filtering with Use ACL Wizard 8-8
    Completing the Use ACL Wizard Summary 8-9
    Displaying Use ACL Wizard Results 8-10
    Applying an ACL Template to a Specific Device 8-12
    Selecting a Template with the Template Use Wizard 8-13
    Selecting a Device 8-14
    Displaying ACL Creation Results (Single Device) 8-16
    Applying an ACL Template to Multiple Devices 8-17
    Selecting a Template 8-18
    Selecting the Devices 8-19
    Displaying ACL Creation Results (Multiple Devices) 8-20
    Defining ACL Uses for Multiple Devices 8-22
    Selecting Interfaces with the Template Use Wizard 8-23
    Selecting Lines with the Template Use Wizard 8-24
    SNMP Community Settings with the Template Use Wizard 8-24
    Selecting VLANs for VLAN Packet Filtering with Template Use Wizard 8-25

CHAPTER 9 Scheduling and Downloading 9-1
    Enabling Job Approval 9-2
    Scheduling Downloads 9-3
    Selecting the Devices 9-5
    Describing the Job and Selecting the Download Options 9-6
    Selecting Job Approvers 9-7
    Scheduling the Download 9-7
    Verifying the Configuration Changes 9-8
    Saving Changes to Disk 9-10
    Browsing Job Status and Results 9-13
    Job Management Integration 9-17
    Viewing a Job Scenario 9-17
    Editing and Resubmitting Jobs 9-18
    Resubmitting a Job That Has Not Been Completed 9-18
    Canceling Pending Jobs and Purging Old Jobs 9-19
    What to Do If Your Download Fails 9-19

CHAPTER 10 Optimizing ACLs 10-1
    What Are the ACL Optimizer and Hits Optimizer? 10-1
    What Is the ACL Optimizer? 10-2
    What Is the ACL Hits Optimizer? 10-3
    Using the ACL Optimizer 10-4
    Using the ACL Hits Optimizer 10-7
    Resetting Hit Counters 10-9

INDEX

User Guide for ACL Manager 78-15202-01

iii

Preface

This document describes how to use the Access Control List (ACL) Manager, a software tool for the management of access control lists on Cisco routers and Catalyst switches. This preface describes who should read User Guide for ACL Manager, and outlines the document conventions used in this manual.

Audience

This document is for network operators, network administrators, and system administrators. To use the ACL Manager application, you should have a basic understanding of the operation, management, and configuration of your network. You should understand the basic ACL structure and configuration and the concept of network and service definitions.

Conventions

This document uses the following conventions:

Item                                        Convention
Commands and keywords                       boldface font
Variables for which you supply values       italic font
Displayed session and system information    screen font
Information you enter                       boldface screen font
Variables you enter                         italic screen font
Menu items and button names                 boldface font
Selecting a menu item in paragraphs         Option > Network Preferences
Selecting a menu item in tables             Option > Network Preferences

Note     Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.

Caution  Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Product Documentation

Note     Although every effort has been made to validate the accuracy of the information in the printed and electronic documentation, you should also review the ACL Manager documentation on Cisco.com for any updates.

The following product documentation is available:

Release Notes for ACL Manager 1.5 on Solaris and Windows

This document describes the new features, the supported devices and the known and resolved problems of ACL Manager 1.5, running on Solaris and Windows. It also provides troubleshooting information. This document is available in the following formats:

• As a photocopied document along with the ACL Manager CD-ROM.
• On Cisco.com (select Products and Services > Network Management CiscoWorks > CiscoWorks Access Control List Manager > Versions and Options).


Installation Guide for ACL Manager, Software Release 1.5

Installation Guide for ACL Manager provides information on the ACL Manager requirements, and describes the installation procedures on Solaris and Windows. This document is available in the following formats:

• PDF on the ACL Manager CD-ROM.
• On Cisco.com (select Products and Services > Network Management CiscoWorks > CiscoWorks Access Control List Manager > Versions and Options).
• Printed document available by order.

User Guide for ACL Manager, Software Release 1.5

User Guide for ACL Manager describes how to use ACL Manager, a software tool for the management of access control lists on Cisco routers and Catalyst switches. This document is available in the following formats:

• PDF on the ACL Manager CD-ROM and from the ACL Manager online help.
• On Cisco.com (select Products and Services > Network Management CiscoWorks > CiscoWorks Access Control List Manager > Versions and Options).
• Printed document available by order.

Context-Sensitive Online Help

You can access the help in two ways:

• Select an option from the navigation tree, then click Help.
• Click the Help button in the dialog box.


Related Documentation

Note     Although every effort has been made to validate the accuracy of the information in printed and electronic documentation, you should also review Cisco product documentation on Cisco.com for any updates.

ACL Manager 1.5 runs on Resource Manager Essentials 3.5. The following documentation on Resource Manager Essentials 3.5 is available:

Release Notes for Resource Manager Essentials 3.5:

• Release Notes for Resource Manager Essentials on Solaris, Software Release 3.5
• Release Notes for Resource Manager Essentials on Windows, Software Release 3.5

These documents are available in the following formats:

• As photocopied documents along with the product CD-ROM.
• On Cisco.com.

Installation Guides for Resource Manager Essentials, Software Release 3.5:

• Installation and Setup Guide for Resource Manager Essentials on Solaris, Software Release 3.5
• Installation and Setup Guide for Resource Manager Essentials on Windows, Software Release 3.5

These documents are available in the following formats:

• PDFs on the Resource Manager Essentials CD-ROM.
• On Cisco.com.
• Printed documents available by order.


User Guide for Resource Manager Essentials, Software Release 3.5

This document is available in the following formats:

• PDF on the Resource Manager Essentials CD-ROM and from the Resource Manager Essentials online help.
• On Cisco.com.
• Printed document available by order.

Resource Manager Essentials 3.5 runs on Common Services 2.2 (Includes CiscoView 5.5). The following documentation on Common Services 2.2 is available:

Release Notes for Common Services 2.2:

• Release Notes for Common Services 2.2 (Includes CiscoView 5.5) on Solaris
• Release Notes for Common Services 2.2 (Includes CiscoView 5.5) on Windows 2000

These documents are available in the following formats:

• As photocopied documents along with the product CD-ROM.
• On Cisco.com.

Installation Guides for Common Services 2.2:

• Installation and Setup Guide for Common Services 2.2 (Includes CiscoView 5.5) on Solaris
• Installation and Setup Guide for Common Services 2.2 (Includes CiscoView 5.5) on Windows 2000

These documents are available in the following formats:

• PDFs on the Common Services CD-ROM.
• On Cisco.com.
• Printed documents available by order.



User Guide for Common Services 2.2

This document is available in the following formats:

• PDF on the Common Services CD-ROM and from the Common Services online help.
• On Cisco.com.
• Printed document available by order.

You can download device packages for new devices from Cisco.com and find information about all supported devices by logging into Cisco.com. Device packages are released cumulatively; that is, new device packages contain the contents of any previous packages. To determine which packages are installed on your CiscoWorks Server, select Server Configuration > About the Server > Applications and Versions. You can also obtain any published patches from the download site.

Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:
http://www.cisco.com

International Cisco web sites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml


Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription. Registered Cisco.com users can order the Documentation CD-ROM (product number DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription

Ordering Documentation

You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
  http://www.cisco.com/en/US/partner/ordering/index.shtml
• Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number DOC-CONDOCCD=) through the online Subscription Store:
  http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).


Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.

You can email your comments to bug-doc@cisco.com.

You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance


Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.

Cisco.com
Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world. Cisco.com provides a broad range of features and services to help you with these tasks:

• Streamline business processes and improve productivity
• Resolve technical issues with online support
• Download and test software packages
• Order Cisco learning materials and merchandise
• Register for online skill assessment, training, and certification programs

To obtain customized information and service, you can self-register on Cisco.com at this URL: http://www.cisco.com

Technical Assistance Center


The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The avenue of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable. We categorize Cisco TAC inquiries according to urgency:

• Priority level 4 (P4): You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
• Priority level 3 (P3): Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
• Priority level 2 (P2): Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
• Priority level 1 (P1): Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.


Cisco TAC Website

You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL:
http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
http://tools.cisco.com/RPF/register/register.do

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:
http://www.cisco.com/en/US/support/index.html

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case. To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.


Obtaining Additional Publications and Information


Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

• The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
  http://www.cisco.com/en/US/products/products_catalog_links_launch.html
• Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
  http://www.ciscopress.com
• Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest information about the field of networking. You can access Packet magazine at this URL:
  http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html
• iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with the latest information about the networking industry. You can access iQ Magazine at this URL:
  http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
  http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
• Training: Cisco offers world-class networking training, with current offerings in network training listed at this URL:
  http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html

CHAPTER 1

ACL Manager Overview

ACL Manager helps you manage Access Control Lists (ACLs) on Cisco routers running IOS and Catalyst switches. It presents a user-friendly graphical user interface that allows you to concentrate on the security of your network without having to learn the complex syntax of ACLs. ACL Manager runs as an additional component (an add-on) to Resource Manager Essentials (Essentials), and provides you with the means to easily address, solve, and reduce configuration problems related to ACLs. These topics introduce you to some of the concepts and features of ACL Manager:

• ACL Terms and Definitions
• What Is ACL Manager?
• ACL Manager Tools
• ACL Manager Privilege Levels

ACL Terms and Definitions

Access Control List (ACL, ACL Definition) and Access Control Entry (ACE): An ACL consists of one or more ACEs that collectively define the network traffic profile. This profile can then be referenced by IOS features such as traffic filtering, priority or custom queuing, dynamic access control, encryption, Telnet access, and so on. Each ACE includes an action element (permit or deny) and a filter element based upon criteria such as source address, destination address, protocol, protocol-specific parameters, and so on.

Note     The generic term ACL refers to both IOS ACLs and VLAN ACLs. Wherever the term VACL is used, it applies only to VLAN ACL. Wherever the term IOS ACL is used, it applies only to Router ACL.

ACL Template (Template): A named set of ACEs. Templates can be inserted into ACLs (see Template Include ACE). Templates can include other templates.

ACL Use: ACL Use statements in a device configuration utilize or reference an ACL for some purpose. There are over 50 possible purposes, which include, for example: IP packet filtering, line access, traffic shaping, IP multicast rate limiting, SNMP server, IPX input SAP filtering, IPX router filtering, and so on.

ACL Use Modes and Contexts: IOS ACLs can be used in various IOS configuration modes: global, router, route-map, crypto-map, line, and interface. Except for global, the configuration modes have named contexts within which ACL use statements can be created in IOS. The contexts for line mode are the actual vtys (for example, console, vty 0, vty 1, and so on); the contexts for interface mode are interface names (for example, Serial 0, Ethernet 0, TokenRing 0, and so on). ACL Manager allows you to create use statements only for line, interface and global modes. ACL Manager allows you to apply these statements only for line access, packet filtering, and SNMP server access controls. VACLs can be used only for packet filtering and redirection on VLANs. For VACL uses, the mode is VLAN and the contexts are the VLANs defined on the switch.

IOS ACLs: Also known as Router ACLs. They are used in routers for packet filtering on interfaces, line access, SNMP access, route maps, and other purposes.

Logical View: An abstract or high-level view of ACE statements in an ACL. The logical view could show ACEs using service and network class definitions, template include statements and comments.

Network: A network is a named IP address and mask combination. It is a subnet specification used in the source and destination fields of ACE statements.

Network Class: A network class is a named set of IP addresses, hostnames, IP address ranges, networks, or (recursively) other network classes that ACL Manager allows you to use in ACE source or destination fields.

Physical View: A low-level view of ACE statements in an ACL. The physical view maps one-to-one with the IOS/Catalyst OS commands corresponding to the ACE statements.


Scenario: The set of devices whose ACLs and ACL use statements you are currently editing. You can name a scenario and save it for future use. You can set the attributes of a scenario to make it editable and viewable only by you, or writable and viewable by other users besides yourself. Note that you can edit devices in multiple scenarios, simultaneously.

Service: Services are named TCP or UDP ports that can be used in individual ACEs to provide a specification of the network traffic to be matched by filter criteria.

Service Class: A service class consists of named port range specifications that ACL Manager allows you to use in ACE port specification fields. Service class definitions are recursive and can use other service or service class definitions.

Template: See ACL Template.

Template Include ACE: A special ACE that proxies for, or represents, the set of ACEs corresponding to the template.

VLAN Access Lists (VACLs): VACLs are similar to Router/IOS ACLs in terms of their definition. However, they are used by Catalyst 6000 family switches to access control all packets they switch, including packets bridged within a VLAN.
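The logical view and the physical view defined above describe the same ACL at two levels: one ACE written against network classes, service classes and template includes, versus the one-command-per-ACE IOS statements those definitions expand into. The Python below is an added example, not ACL Manager's code or data model: the names NetworkClass, ServiceClass, Template and ACE are this example's own assumptions, the sample definitions at the bottom are constructed, and the expansion targets IOS named extended-ACL syntax (wildcard masks, host, eq and range). Because the guide lets network classes, service classes and templates nest recursively, the expansion also rejects a definition that contains itself rather than looping forever.

```python
"""Logical view vs. physical view of an ACL: network classes, service classes
and template includes expanded into one IOS extended-ACL command per ACE.
Class and function names here are this example's own, not ACL Manager's."""
import ipaddress
from dataclasses import dataclass

ANY = "any"  # address spec: ANY, "A.B.C.D" host, "A.B.C.D/len" network, (first, last) range, NetworkClass

@dataclass
class NetworkClass:   # named set of hosts, networks, ranges or (recursively) other classes
    name: str
    members: list

@dataclass
class ServiceClass:   # named set of int ports, (lo, hi) port ranges or other classes
    name: str
    members: list

@dataclass
class ACE:
    action: str       # "permit" or "deny"
    protocol: str     # "tcp", "udp", "ip", ...
    src: object       # an address spec (see ANY above)
    dst: object
    dst_service: object = None   # None, int port, (lo, hi) or ServiceClass

@dataclass
class Template:       # named set of ACEs; a nested Template is a template include ACE
    name: str
    entries: list

def _networks(spec, seen=()):
    """Yield the concrete networks behind an address spec; a class that contains itself is rejected."""
    if isinstance(spec, str):
        yield ANY if spec == ANY else ipaddress.ip_network(spec)
    elif isinstance(spec, tuple):  # (first, last) range -> one or more CIDR blocks
        yield from ipaddress.summarize_address_range(
            ipaddress.ip_address(spec[0]), ipaddress.ip_address(spec[1]))
    elif isinstance(spec, NetworkClass):
        if spec.name in seen:
            raise ValueError(f"network class {spec.name!r} contains itself")
        for member in spec.members:
            yield from _networks(member, seen + (spec.name,))
    else:
        raise TypeError(f"unsupported address spec: {spec!r}")

def _ports(spec, seen=()):
    """Yield IOS port operators behind a service spec (None means no port match)."""
    if spec is None or isinstance(spec, int):
        yield None if spec is None else f"eq {spec}"
    elif isinstance(spec, tuple):
        yield f"range {spec[0]} {spec[1]}"
    elif isinstance(spec, ServiceClass):
        if spec.name in seen:
            raise ValueError(f"service class {spec.name!r} contains itself")
        for member in spec.members:
            yield from _ports(member, seen + (spec.name,))
    else:
        raise TypeError(f"unsupported service spec: {spec!r}")

def _addr_text(net):
    """IOS syntax: 'any', 'host A.B.C.D', or network address plus wildcard mask."""
    if isinstance(net, str):
        return net
    if net.num_addresses == 1:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def expand_entries(entries, seen=()):
    """Physical ACEs for a list of ACEs and template includes: one line per
    (source network x destination network x port operator) combination."""
    lines = []
    for entry in entries:
        if isinstance(entry, Template):
            if entry.name in seen:
                raise ValueError(f"template {entry.name!r} includes itself")
            lines.extend(expand_entries(entry.entries, seen + (entry.name,)))
            continue
        for src in _networks(entry.src):
            for dst in _networks(entry.dst):
                for port in _ports(entry.dst_service):
                    parts = [entry.action, entry.protocol, _addr_text(src), _addr_text(dst)]
                    lines.append(" ".join(parts + ([port] if port else [])))
    return lines

def physical_view(name, entries):
    """The commands IOS actually holds: ACL header plus one line per expanded ACE."""
    return [f"ip access-list extended {name}"] + [" " + line for line in expand_entries(entries)]

# Constructed sample definitions (the logical view); not from any real network.
MGMT_HOSTS = NetworkClass("mgmt-hosts", ["10.1.0.0/24", ("10.2.0.10", "10.2.0.13")])
ADMIN = NetworkClass("admin", ["192.0.2.7", MGMT_HOSTS])
REMOTE_MGMT = ServiceClass("remote-mgmt", [22, (3000, 3001)])
EDGE_IN = [Template("allow-mgmt", [ACE("permit", "tcp", ADMIN, ANY, REMOTE_MGMT)]),
           ACE("deny", "ip", ANY, ANY)]
```

Running `physical_view("EDGE-IN", EDGE_IN)` on the sample turns the single logical permit ACE into eight physical lines (four source networks, since the address range splits into two /31 blocks, times two port operators), followed by the explicit deny. The growth is the practical reason the guide keeps a separate logical view and offers an optimizer: a few class references can stand for a long list of device commands.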

What Is ACL Manager?


The ACL Manager application is designed for the experienced network administrator who already understands the structure and uses of ACLs. It allows you to create, modify, and deploy ACLs to multiple devices through a Windows Explorer-type interface. ACL Manager supports IP and IPX ACLs for IOS Releases 10.3 through 12.2. With ACL Manager, you can create ACL uses for traffic filtering, line access, and SNMP server access. Although you cannot create all types of ACL uses, ACL Manager recognizes and tracks all existing types of ACL uses. This means that if an ACL is used in a category other than traffic filtering, line access, or SNMP server access, the ACL references in those use statements are still changed when the ACL name is changed. ACL Manager allows comments to be associated with an ACL or ACE, so that you can audit and track changes on a per-ACL or per-ACE basis.

User Guide for ACL Manager 78-15202-01

1-3

Chapter 1 What Is ACL Manager?

ACL Manager Overview

ACL Manager Components


ACL Manager maintains a device model with attributes relevant to ACL management for managed IOS devices. The device model is initialized by obtaining configuration files from Config Archive and parsing relevant statements. ACL Manager comprises a GUI that is integrated with the Essentials front-end. This interface provides the means to create, edit, and view ACLs. It is a split-panel view with the devices in the scenario represented in a tree structure in the left pane. When you select a node in the left pane, the right pane displays the contents of the selection and its attributes. The display in the right pane is context sensitive. The ACL Manager GUI also provides access to editing tools and other functions, such as the Template Manager, Class Manager, Use Wizard, and ACL Downloader and Optimizer. See ACL Manager Tools.

Benefits of ACL Manager


Network problems are frequently introduced at the time devices are configured, and fixing such problems is both expensive and time-consuming. Because router and switch configurations are interdependent, complexity grows rapidly with the number of devices, and configuration problems become harder to detect and avoid. The result is either operational or latent configuration problems. ACL Manager addresses these problems by providing inventory and change audit features that simplify setting up and changing device configurations.

In addition, ACL construction must be extremely precise, because an incorrect filter can either open a security hole or block legitimate traffic and incapacitate a network. Writing filters is time-consuming: it can take many lines of IOS or Catalyst OS commands to configure coexisting filters for different protocols. With ACL Manager's GUI, you do not need to know IOS syntax to create ACLs. ACL Manager:

- Provides a uniform interface that insulates the user from differences in ACL features across the supported IOS and Catalyst OS versions.
- Is easy to use and ensures high productivity for the user.


- Supports Secure Sockets Layer (SSL) for secure client-to-server communication.
- Supports Secure Shell (SSH) for secure server-to-device communication.
- Reduces device configuration time dramatically.
- Reduces installation costs.
- Is integrated with Essentials and uses the Config Archive, Inventory, Change Audit Service, and Transport facilities.
- Provides a browser-based GUI and integrates the task flow with the Essentials GUI.
- Allows the user to fully exploit the ACL features in IOS and Catalyst OS.
- Reduces operation time when deploying ACLs to several devices.
- Provides for automated deployment of ACLs.
- Enables you to apply VACLs on Private VLANs.
- Allows novice operators to safely deploy complex ACLs previously set up through templates.
- Allows the enterprise to establish policies and to standardize on ACL Uses through the use of templates.
- Avoids the drudgery of entering ACL configurations repeatedly on multiple devices by providing point-and-click copy and paste functionality.
- Minimizes human error in ACL creation by reducing the need to create multiple ACEs, through the use of classes.
- Improves network throughput by enabling ACL optimization.
- Permits the use of Domain Name System (DNS) names in ACE source and destination fields. ACL Manager automatically performs a DNS lookup and converts these fields to the appropriate IP addresses.

ACL Manager Functionality


ACL Manager comprises a suite of modules and tools designed to simplify the management of ACLs and ACL use statements. The suite contains five major modules: ACL Manager, Template Manager, Class Manager, Template Use Wizard, and ACL Downloader. See ACL Manager Tools for a description of the tools provided by ACL Manager.

The ACL Manager suite is integrated with the Essentials Config Archive and Inventory applications. It uses device information from Inventory, and reads the configuration contained in the Config Archive to create a model of the ACLs and ACL use statements in the device configuration. The ACL Manager module provides a tree view to display this information in a Windows Explorer-type GUI. When you change device ACLs and ACL use statements, ACL Manager generates the appropriate IOS commands (config deltas) to implement the configuration changes. A download mechanism is provided to enable you to apply the configuration changes to the appropriate devices. The Config Archive is updated automatically after a successful ACL Manager download. ACL Manager uses Java Plug-in. The plug-in improves the performance of ACL Manager, and it is provided with the CiscoWorks application (see the topic Installing the Java Plug-in in Chapter 3 in User Guide for CiscoWorks Server). Some of the tasks that the ACL Manager suite enables you to perform include:

- Identifying when an ACL was last modified and applied (Modification Date Attribute in Chapter 2).
- Navigating around devices to see which ACLs are defined and where they are used; even ACL Uses not supported for creation by ACL Manager are listed (Viewing Existing ACLs in Chapter 4).
- Creating new ACLs (Creating ACLs in Chapter 4).
- Editing an existing ACL and returning it to its device (Editing ACLs in Chapter 4).
- Reordering ACEs (Reordering ACEs in Chapter 4).
- Naming, renaming, and numbering ACLs, making the appropriate changes in the rest of the configuration file (Renaming ACLs in Chapter 4).
- Saving an ACL as a template and associating it with a logical name (Editing ACLs in Chapter 4).
- Creating an alias for an ACL and using it on a device where named ACLs are not supported (Editing ACLs in Chapter 4).
- Naming networks and services, creating classes containing host addresses, address ranges, networks, or other classes, and using them in ACL definitions (Using the Class Manager in Chapter 6).
- Creating and editing templates (Using the Template Manager in Chapter 7).


- Applying ACL templates or ACLs for packet filtering or line access on devices (Defining ACL Uses in Chapter 8).
- Deploying ACLs on a group of devices (Scheduling Downloads in Chapter 9).
- Scheduling and downloading modified ACL and ACL Use statements and/or changes in meta-information, such as comments and template include statements, to devices (Scheduling Downloads in Chapter 9).
- Optimizing ACL statements to eliminate redundancies, compress entries, and adjust the order of ACEs for maximum performance (Optimizing ACLs in Chapter 10).

ACL Manager Tools


ACL Manager provides the following tools for ACL development:

- Class Manager, which enables you to create and edit services, service classes, networks, and network classes. You can then use these definitions in ACE source and destination fields, saving you the trouble of entering multiple IOS commands covering all possible combinations of source and destination field components. (See Chapter 6, Using the Class Manager.)
- Template Manager, which allows you to create and edit ACL templates. (See Chapter 7, Using the Template Manager.)
- Template Use Wizard and its variants, which allow you to select a Use type and create ACLs and Uses from templates on the selected devices. (See Chapter 8, ACL Manager Use Wizard.)
- Job Browser, for displaying the status of download jobs. (See Chapter 9, Scheduling and Downloading.)
- Downloader, for scheduling and downloading the modified ACL and ACL Use statements and/or changes in meta-information, such as comments and template include statements, to devices. (See Chapter 9, Scheduling and Downloading.)
- Optimizer, for examining an ACL to see if optimization is possible after the ACL has been created or edited. (See Chapter 10, Optimizing ACLs.)


- Hits Optimizer, for reordering ACEs within an ACL according to their hit rate. (See Chapter 10, Optimizing ACLs.)
- Diff Viewer, for displaying the configuration changes you have made since creating the scenario. (See Chapter 10, Optimizing ACLs.)

ACL Manager Privilege Levels


ACL Manager incorporates these privilege levels defined by Essentials:

Level | Directory | Description
0 | HD | Help Desk
1 | AP | Approver
2 | NO | Network Operator
4 | NA | Network Administrator
8 | SA | System Administrator

ACL Manager tasks require various privilege levels, and your ability to perform these tasks depends on your assigned privilege level. You should contact your system administrator to find out your privilege level and which tasks you can access. ACL Manager tasks are usually performed with network operator or network administrator privileges. You can view the tasks that can be performed at each level by going to the Essentials navigation tree and selecting Server Configuration > Setup > Security > Permission Reports.


Privilege Levels and Tasks


This table describes the privilege levels and the tasks each can perform:

Network Operator: View ACLs; Use ACL Templates; Browse Download Jobs (browse and cancel download jobs); Schedule Downloads.

Network Administrator: View ACLs; Edit ACLs (create and edit ACLs); Delete Scenarios; Schedule Downloads; Edit ACL Templates; Edit Class Definitions; Reset Hit Counter.

Approver: View ACLs.


Chapter 2

ACL Definitions and Uses


This chapter explains how to define and use ACLs and ACL templates, and describes ACL Uses. The topics covered are:

- Creating ACLs and Templates
- ACL and Template Attributes
- ACL Properties (Use Details)
- ACL Uses

Creating ACLs and Templates


You can create ACLs by:

- Using a combination of the ACL Editor and the ACE Editor.
- Using the cut, copy, and paste features: cutting or copying ACLs or ACEs from one device or ACL and then pasting them into other devices or ACLs.
- Using the Template Use Wizard to create an ACL that uses a template. This creates a Use statement as well as the ACL definition.

Similarly, you can create templates by:


- Using the Template Manager, in the same way that you create an ACL, with the Template Editor and the ACE Editor.
- Saving a portion of an ACL (a set of ACEs) as a template.
- Saving an existing ACL as a template.


ACL and Template Attributes


Each ACL or template has the following attributes:

Name/Number: Name or number of the ACL or ACL template. For a VACL, number is not applicable.
Type: Associated ACL type (see Name, Number, and Type Attributes).
Creation Date: Date and time the ACL or template was created. This attribute cannot be edited; it is set automatically by ACL Manager.
Created By: Name of the user who created the ACL or template.
Modification Date: Date when the ACL or template was last modified.
Last Modified By: Name of the user who last modified the ACL or template.
Comment: Comments inserted by the creator or modifier of the ACL.

After you start ACL Manager (see Chapter 3, Getting Started), you can use the following procedure to view the ACL definitions for a particular device.

Procedure

Step 1 Expand the device folder in the ACL Manager Main Window.
Step 2 Select ACL Definitions. The ACLs and their attributes appear in the right pane (see Figure 2-1).


Figure 2-1 Displaying ACL Definitions

Name, Number, and Type Attributes


Each ACL must be identified by a name or a number. A number used to identify an ACL must fall within the range that is valid for the ACL type (see the following table). IOS ACLs can be identified by a name or a number; VACLs are identified by name only. You can let ACL Manager select a number for you (the Autonumber feature): ACL Manager then uses the first available number in the appropriate range to identify the ACL.

ACL Type: Range
IP Standard: 1 to 99 (also 1300 to 1399 in some IOS versions)
IP Extended: 100 to 199 (also 2000 to 2699 in some IOS versions)
IPX Standard: 800 to 899
IPX Extended: 900 to 999
IPX SAP: 1000 to 1099
IPX Summary: 1200 to 1299
Rate Limit Precedence: 1 to 99
Rate Limit MAC: 100 to 199

Named ACLs are not supported on some IOS versions. In that case, the ACL name is shown with an automatically generated number appended to the name in parentheses. Because rate-limit ACL numbers overlap the IP ranges, ACL Manager distinguishes a Rate Limit ACL from a standard IP ACL by appending the string rate-limit to the number.
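Because the rate-limit ranges overlap the IP ranges, a number on its own does not determine the ACL type. The following Python is an added example, not ACL Manager's own code: it encodes the table above, classifies a number given whether it came from an access-list rate-limit statement, collects the numbers already in use from a few constructed config lines (keeping the two namespaces apart), and applies the Autonumber rule of taking the first free number in the type's ranges. The text appended to a rate-limit number in a listing is not shown in this guide, so the display format in display_name is an assumption.

```python
"""Classify IOS ACL numbers by range and choose an Autonumber value.

Added example; not ACL Manager's code. The ranges are the ones in the table
above. Rate-limit numbers overlap the IP ranges, so the type cannot be read
from the number alone: the caller says whether the number came from an
`access-list rate-limit` statement.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

Ranges = List[Tuple[int, int]]

ACL_NUMBER_RANGES: Dict[str, Ranges] = {
    "IP Standard": [(1, 99), (1300, 1399)],
    "IP Extended": [(100, 199), (2000, 2699)],
    "IPX Standard": [(800, 899)],
    "IPX Extended": [(900, 999)],
    "IPX SAP": [(1000, 1099)],
    "IPX Summary": [(1200, 1299)],
}
RATE_LIMIT_RANGES: Dict[str, Ranges] = {
    "Rate Limit Precedence": [(1, 99)],
    "Rate Limit MAC": [(100, 199)],
}

# Constructed sample: two IP ACLs and a rate-limit ACL that reuses number 10.
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 101 permit tcp any any eq 22
access-list rate-limit 10 5
"""
ACL_LINE = re.compile(r"^access-list (rate-limit )?(\d+)\b")


def acl_type_for_number(number: int, rate_limit: bool = False) -> Optional[str]:
    """Return the ACL type whose numeric range contains `number`, or None."""
    table = RATE_LIMIT_RANGES if rate_limit else ACL_NUMBER_RANGES
    for acl_type, ranges in table.items():
        if any(lo <= number <= hi for lo, hi in ranges):
            return acl_type
    return None


def numbers_in_use(config: str) -> Dict[bool, Set[int]]:
    """Numbers already defined in a config, in two namespaces:
    key False for ordinary ACLs, True for rate-limit ACLs."""
    used: Dict[bool, Set[int]] = {False: set(), True: set()}
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if m:
            used[m.group(1) is not None].add(int(m.group(2)))
    return used


def autonumber(acl_type: str, in_use: Set[int]) -> int:
    """Autonumber rule: the first free number in the type's ranges, tried in
    table order (IP Standard spills into 1300-1399 only once 1-99 is full).
    Raises ValueError when every number is taken."""
    ranges = {**ACL_NUMBER_RANGES, **RATE_LIMIT_RANGES}[acl_type]
    for lo, hi in ranges:
        for n in range(lo, hi + 1):
            if n not in in_use:
                return n
    raise ValueError(f"no free number left for {acl_type}")


def display_name(number: int, rate_limit: bool = False) -> str:
    """Label that tells the two namespaces apart in a listing. The exact text
    ACL Manager appends is not given in the guide; this format is assumed."""
    return f"{number} rate-limit" if rate_limit else str(number)


if __name__ == "__main__":
    used = numbers_in_use(SAMPLE_CONFIG)
    for rl in (False, True):
        for n in sorted(used[rl]):
            print(display_name(n, rl), "->", acl_type_for_number(n, rl))
    print("next IP Standard number:", autonumber("IP Standard", used[False]))
```

The point to keep in mind when scripting against a config is the namespace split: number 10 above is both a standard IP ACL and a rate-limit ACL, and treating the two as one would either report a false collision or, worse, pick a "free" number that already filters traffic in the other namespace.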

Creation Date Attribute


The creation date is inserted automatically when you create an ACL.

Created By Attribute
Your login name (for example, admin) is inserted automatically when you create an ACL.

Modification Date Attribute


The modification date is inserted automatically when you modify an ACL. When you first create an ACL, the modification date is the same as the creation date.

Last Modified By Attribute


Your login name is inserted automatically when you modify an ACL.


Comment Attribute
You can insert comments when creating or modifying an ACL.

ACL Properties (Use Details)


Certain elements in ACL Manager, such as devices, ACLs, and router interfaces, have associated properties. For an ACL, the properties that you see are actually its Use details:

ACL Uses: Uses defined for the ACL.
Use Context: Context for the Use.
IOS/Catalyst OS Command: IOS/Catalyst OS command that implements the Use.
Description: Description of the Use, taken from the IOS/Catalyst OS reference manual. You cannot change this description.

After you start ACL Manager (see Chapter 3, Getting Started), use this procedure to view the ACL properties for a particular device.

Procedure

Step 1 Expand the folder for the device, then expand ACL Definitions.
Step 2 Right-click the required ACL, then select Properties. The ACL Properties window appears (see Figure 2-2).


Figure 2-2 ACL Properties Window - Supported ACL Uses

Unsupported ACL Uses are shown as OTHER. (See Figure 2-3)


Figure 2-3 ACL Properties Window - Unsupported ACL Uses

Tip

You can also view the properties by selecting the ACL to be examined, then selecting the toolbar button or View > Properties from the ACL Manager Main Menu.


ACL Uses
You can define ACL Uses for line access, packet filtering, SNMP community access, SNMP TFTP server access, and VLAN packet filtering. You can also view ACL Uses of other types, such as router, route-map, and crypto-map Uses. Although you cannot create Uses of these types, if you rename an ACL that is referenced in one of them, the Use statement is updated with the new ACL name. ACL Manager also lets you create ACLs from templates, and you can create Uses for those ACLs as well.

Use Modes and Contexts


ACL Manager detects the Use modes for ACLs in a selected device. Depending on which Uses ACL Manager detects, the following modes can appear when you select ACL Uses in the left pane:

- Global
- Router
- Route Map
- Crypto Map
- Line
- Interface
- VLAN

These modes correspond to router configuration modes in IOS. Except for the Global mode, each Use mode can have one or more Use contexts associated with it. The Use contexts for Line and Interface are the actual vtys or lines and interfaces that exist on the router.
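The following Python is an added example (not ACL Manager code) that covers both the rename behaviour described under ACL Uses and the mode/context structure above. It parses a constructed IOS configuration into ACL definitions and ACL Uses keyed by mode and context, marks the route-map Use as a view-only (OTHER) Use, and renames a named ACL while producing the config delta, so that every Use, including the view-only one, is repointed. The set of mode commands and Use statements recognised is a small subset chosen for the example; it is not a complete IOS parser.

```python
"""ACL definitions and ACL Uses parsed from an IOS config, plus rename
propagation. Added example, not ACL Manager code; the config is constructed.
Uses recognised: packet filtering, line access and SNMP community (the
creatable kinds) and route-map match (view-only, listed as OTHER)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any
ip access-list extended MGMT-IN
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 deny ip any any
!
interface Ethernet0
 ip access-group MGMT-IN in
line vty 0 4
 access-class 10 in
snmp-server community public RO 10
route-map RM-OUT permit 10
 match ip address MGMT-IN
"""

@dataclass
class Acl:
    kind: str                      # "numbered", "standard" or "extended"
    aces: List[str] = field(default_factory=list)

@dataclass
class Use:
    mode: str                      # Global, Interface, Line or Route Map
    context: str                   # "Ethernet0", "vty 0 4", "" for Global
    acl: str
    command: str                   # IOS statement that implements the Use
    supported: bool                # False for Use types ACL Manager only views

@dataclass
class Model:
    definitions: Dict[str, Acl] = field(default_factory=dict)
    uses: List[Use] = field(default_factory=list)

NUMBERED_RE = re.compile(r"^access-list (\d+) (.+)$")
NAMED_RE = re.compile(r"^ip access-list (standard|extended) (\S+)$")
MODE_RE = {"Interface": re.compile(r"^interface (\S+)$"),      # group 1 = context
           "Line": re.compile(r"^line (.+)$"),
           "Route Map": re.compile(r"^route-map (.+)$")}
MODE_CMD = {"Interface": "interface", "Line": "line", "Route Map": "route-map"}
USE_RE = [(re.compile(r"^ip access-group (?P<acl>\S+) (in|out)$"), True),
          (re.compile(r"^access-class (?P<acl>\S+) (in|out)$"), True),
          (re.compile(r"^snmp-server community \S+ (RO|RW) (?P<acl>\S+)$"), True),
          (re.compile(r"^match ip address (?P<acl>\S+)$"), False)]

def parse_config(text: str) -> Model:
    """Top-level lines reset the mode; indented lines are ACEs inside a named
    ACL or Use statements inside a mode. Global Uses are top-level lines."""
    model = Model()
    mode, context, current_acl = "Global", "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            mode, context, current_acl = "Global", "", None
            if m := NUMBERED_RE.match(line):
                model.definitions.setdefault(m[1], Acl("numbered")).aces.append(m[2])
                continue
            if m := NAMED_RE.match(line):
                current_acl = m[2]
                model.definitions.setdefault(current_acl, Acl(m[1]))
                continue
            for name, rx in MODE_RE.items():
                if m := rx.match(line):
                    mode, context = name, m[1]
        elif current_acl is not None:
            model.definitions[current_acl].aces.append(line)
            continue
        for rx, supported in USE_RE:
            if m := rx.match(line):
                model.uses.append(Use(mode, context, m["acl"], line, supported))
    return model

def uses_of(model: Model, acl: str) -> List[Use]:
    return [u for u in model.uses if u.acl == acl]

def rename_acl(model: Model, old: str, new: str) -> List[str]:
    """Config delta for a rename: define the ACL under the new name, repoint
    every Use (view-only ones included), and only then drop the old name."""
    acl = model.definitions.get(old)
    if acl is None or acl.kind == "numbered":
        raise ValueError(f"{old!r} is not a named ACL in the model")
    if new in model.definitions:
        raise ValueError(f"{new!r} already exists")
    model.definitions[new] = model.definitions.pop(old)
    delta = [f"ip access-list {acl.kind} {new}"] + [f" {ace}" for ace in acl.aces]
    for use in uses_of(model, old):
        use.acl = new
        # token-wise, so an ACL named MGMT never matches inside MGMT-IN
        use.command = " ".join(new if tok == old else tok for tok in use.command.split())
        if use.mode == "Global":
            delta.append(use.command)
        else:
            delta += [f"{MODE_CMD[use.mode]} {use.context}", f" {use.command}"]
    # Removing the old ACL first would leave access-group lines naming a
    # missing ACL, which IOS treats as no filter at all; so it goes last.
    delta.append(f"no ip access-list {acl.kind} {old}")
    return delta
```

The ordering inside rename_acl is the security-relevant part of the delta: the new definition is pushed first, the Uses are repointed, and the old ACL is removed last, because an ip access-group that names an ACL which no longer exists filters nothing on IOS and the opposite order would briefly leave the interface open.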


To view ACL Use information for a particular device:

Procedure

Step 1 Expand the device folder in the ACL Manager Main Window, then expand ACL Uses.
Step 2 Expand the mode (for example, Interface).
Step 3 Select the specific context to be displayed (for example, Ethernet0). Information about the ACL Use appears in the right pane (see Figure 2-4).

Figure 2-4 Displaying ACL Use Mode - Interface


The following ACL Use information appears:

ACLs: The ACL used in this context.
IOS/Catalyst OS Command: IOS/Catalyst OS command that implements the Use.
Description: Description of the Use, taken from the IOS/Catalyst OS reference manual. You cannot change this description.


Chapter 3

Getting Started
ACL Manager provides you with a launch point for performing many of the tasks involved with ACL management. You can also perform these tasks by making appropriate selections from the Essentials navigation tree. These topics describe how to get started with ACL Manager:

- Before You Begin
- Setting Up Essentials
- Starting ACL Manager
- Saving Scenarios
- Deleting Scenarios
- Printing
- Navigating in the ACL Manager Main Window
- ACL Manager Menus
- Using the Toolbar
- Using Keyboard Shortcuts
- Performing a Complete Workflow Cycle
- Advanced ACL Manager Topics
- Backing up ACL Manager Data
- Restoring ACL Manager Data


Before You Begin


Before you can begin using the ACL Manager applications or tools, you must ensure that:

- ACL Manager server has been installed on a server machine on which Essentials is already installed.
- The Essentials Inventory application has been updated with device information for the devices whose ACLs you intend to manage with ACL Manager.

Note

It is strongly recommended that you become familiar with the discussion of ACL Terms and Definitions in Chapter 1 before proceeding further.

Each ACL Manager selection from Essentials launches an application or performs an operation from the set of tools provided with ACL Manager. The following table describes each task, the associated tool, and the launch point from Essentials:

Task | Tool | Essentials Launch Point
Creating and editing ACLs | ACL Manager | ACL Management > Edit ACLs
Viewing ACLs (read-only view of ACLs and ACL Uses in a scenario) | ACL Manager | ACL Management > View ACLs
Creating ACL Uses from ACL templates | Use Wizard | ACL Management > Use ACL Templates
Downloading ACLs and Uses to devices | Downloader | ACL Management > Schedule Downloads
Browsing, deleting, and resubmitting jobs | Job Browser | ACL Management > Browse Download Jobs
Creating, editing, and viewing ACL templates | Template Manager | Administration > ACL Management > Edit ACL Templates
Creating services, service classes, networks, and network classes | Class Manager | Administration > ACL Management > Edit Class Definition
Resetting device hit counters before using Hits Optimizer | Hits Resetter | Administration > ACL Management > Reset Hit Counter
Deleting scenarios | | ACL Management > Delete Scenarios

Additional tools are available from within some of the above applications to assist in performing the main tasks. The following table describes the subtasks and launch points:

Subtask | Tool | Launch Point
Creating and editing ACLs and templates | ACL Editor | ACL Manager, Template Manager
Creating and editing ACEs | ACE Editor | ACL Manager, Template Manager
Viewing config file differences | Diff Viewer | ACL Manager, Downloader
Optimizing ACLs | Optimizer, Hits Optimizer | ACL Manager
Browsing templates | Template Browser | ACL Manager, Template Manager, Template Use Wizard
Browsing, deleting, and/or resubmitting jobs | Job Browser | ACL Manager


Setting Up Essentials
You must have Essentials installed and running in order to use ACL Manager. In addition, you must populate the device inventory with the devices to be managed by ACL Manager.

Procedure

Step 1 Install and start Essentials. See the appropriate Essentials installation manual.
Step 2 Select Administration > Inventory > Add Devices to populate your network inventory with the devices to be managed by ACL Manager.

Note

Ensure that Java, JavaScript, and Accept all cookies are enabled in your browser settings. If these settings are not enabled, you will not be able to log in to Essentials.

Starting ACL Manager


ACL Manager uses Java Plug-in. The plug-in improves the performance of ACL Manager, and it is provided with the CiscoWorks application (see the topic Installing the Java Plug-in in Chapter 3 of User Guide for CiscoWorks Server). To start ACL Manager:

Procedure

Step 1 Select ACL Management > Edit ACLs from the Essentials navigation tree. The scenario selection window appears (see Figure 3-1). A scenario in ACL Manager is your own workspace: a set of devices whose ACLs, ACL Uses, and Time Ranges you wish to edit. When you create a scenario, you can set its attributes to make it editable and viewable only by you, or writable and viewable by other users as well (see Global Scenario).


Step 2 Select or enter a scenario name. If you are using ACL Manager for the first time, there are no scenario names in either list box.

Figure 3-1 Edit ACLs Dialog Box


Step 3 Set the remaining fields for your scenario, as follows:

Scenario Name: Name of this scenario.
Global Scenario: Select this check box if you want this scenario to be writable by other users with network administrator privileges or above. Other users with these privileges can use this global scenario if it is not already open. Users with network operator or approver privileges have read-only access to this scenario. If you do not check this box, you are the exclusive user of this scenario.
Add Devices to Scenario: Select this check box to allow devices to be added to an existing scenario.
Read Config From Device: Select this check box to synchronize the Essentials Config Archive with the devices in the scenario (fetch the configuration file from each device) before starting ACL Manager.
Recover Scenario: Select this check box to open the auto-saved version of the scenario instead of the last saved version; a tilde (~) is then appended to the scenario name in the ACL Manager Main Window. This check box is available only if ACL Manager exited abnormally and detected an auto-save version of the scenario that you are attempting to open.
Auto Save Period (in minutes): Defines how often changes to the scenario are saved. Use the autosave option to guard against browser crashes.

Step 4 Click Next. If you are creating a new scenario, the Device Selection dialog box is displayed (see Figure 3-2).

Step 5 Select a device view from the Views column, for example, All Devices. The devices corresponding to the selected view appear in the Devices column.


Figure 3-2 Device Selection Dialog Box

Step 6 Select the devices for your scenario from the Devices column, then click Finish. The ACL Manager Main Window is launched (see Figure 3-5).

Note

In some browser versions, you will receive a security warning asking for permission to install and execute some code from Cisco Systems. Select Yes to proceed.


Saving Scenarios
After your edits are complete with respect to the creation and modification of ACL, ACE, and ACL Use statements, you can save your scenario. You can save the scenario under the name used when you opened the scenario or under a different name.

Saving Under the Existing Name


To save the scenario using the existing name, select File > Save Scenario from ACL Manager.

Saving Under a Different Name


To save the scenario under a different name:

Procedure

Step 1 Select File > Save Scenario As from ACL Manager. The Save As Scenario dialog box appears (see Figure 3-3).


Step 2 Enter the following information, then click Save As:

Save Scenario As: Name by which the new scenario will be referred to. The old scenario is still available.
Global Scenario: Select this check box if you want this scenario to be writable by other users with network administrator privileges or above. Other users with these privileges can use this global scenario if it is not already open. Users with network operator or approver privileges have read-only access to this scenario. If you do not select this check box, you are the exclusive user of this scenario.

Figure 3-3 Save Scenario As


Deleting Scenarios
To delete a scenario directly from the Essentials navigation tree:

Procedure

Step 1 Select ACL Management > Delete Scenarios. The Delete Scenarios dialog box appears (see Figure 3-4).

Figure 3-4 Delete Scenarios Dialog Box

Step 2 Select the scenarios, then click Finish.


Note

You can delete global scenarios only if you created them.

Opening A Different Scenario


To start up another scenario:

Procedure

Step 1 Select File > Open Scenario from the ACL Manager Main Window. The Open Scenario dialog box appears.
Step 2 Select a scenario name.
Step 3 Set the remaining fields for your scenario, as follows:

Open in read-only mode: Select this check box to ensure that the scenario can only be viewed; it is then not possible to change the scenario in any way.
Read Config From Device: Select this check box to synchronize the Essentials Config Archive with the devices in the scenario (fetch the configuration file from each device) before starting ACL Manager.
Recover Scenario: Select this check box to open the auto-saved version of the scenario instead of the last saved version. A tilde (~) is then appended to the scenario name in the ACL Manager Main Window. This check box is available only if ACL Manager exited abnormally and detected an auto-save version of the scenario that you are attempting to open.

Step 4 Click Open. The new scenario is launched.


Printing
ACL Manager allows you to print the object and its contents. An object can be a scenario, a device or an ACL. A scenario can contain devices and the ACLs on the devices. The print option is also available in Class Manager and Template Manager.

Navigating in the ACL Manager Main Window


The ACL Manager Main Window is shown in Figure 3-5.
Figure 3-5 ACL Manager Main Window


The following table describes the ACL Manager Main Window:

Folder (left pane): Shows a hierarchy of items starting with the scenario, the devices in the scenario, and ACLs and ACL Use contexts, in expanding and collapsing folders. To expand or collapse a folder, click the + or - icon next to the folder, or double-click the folder.
Contents (right pane): Shows the attributes of any item selected in the folder pane. The contents are empty if there are no attributes associated with the selected item.
Status area (bottom left): Indicates the status of the application:
- Loading: ACL Manager is reading the device config files and preparing to display the tree hierarchy for each device in the scenario.
- Ready: Loading is complete.
Item count area (bottom right): Shows the number of items contained in the currently selected object:
- When a scenario is selected, the number of devices in the scenario.
- When the ACL Definitions label on a device is selected, the number of ACLs for that device.
- When an ACL is selected, the number of ACEs in that ACL.
View mode area (bottom center): Shows the view mode for viewing ACEs. If you are in an ACL context and in physical view mode, the contents pane has a gray background. No editing operations are permitted in physical view mode, except for reordering ACEs.

To modify the settings for an editable item in the folder pane, select the item and then select an appropriate command from a menu. For convenience, you can right-click some items to display the available actions in a pop-up menu. (See the specific tasks for more information.)


Using the Find Feature


Use the Edit > Find feature to search for lines containing specific text in the right (Contents) pane. Enter the characters to search for in the Find dialog box and click Find. Case is ignored unless you select the Match Case check box. All entries in the Contents pane that contain the search text are highlighted.

ACL Manager Menus


The pull-down menus available from the ACL Manager Main Window are:

File: Operations at the scenario level, and other disk-file-oriented operations such as saving ACLs and saving ACEs as templates.
Edit: Operations that change the contents of the active view.
View: Operations that affect the active view display.
ACL: Operations that are related to ACLs and ACEs.
Tools: Tools to assist in the tasks of ACL management.
Help: Operations related to online help.

File Menu
The File menu contains:

Open Scenario: Closes the current scenario and brings up a dialog box from which you can select another scenario to open.
Close Scenario: Closes the scenario. If the scenario has not yet been saved, you are prompted to save it.
Save Scenario: Saves the changes you made to the open scenario.
Save Scenario As: Saves the changes you made to the open scenario in a new scenario. The new scenario is opened; the old scenario is left unchanged.
Save ACL As: Saves the selected ACL as a template (see Chapter 4, Saving ACLs as Templates).
Save ACE As: Saves the selected ACEs as a template (see Chapter 4, Saving ACEs as a Template). The selected ACEs are replaced with a single template include ACE.
Print: Prints the object and its contents. An object can be a scenario, a device, or an ACL. A scenario can contain devices and the ACLs on the devices. The print option is also available in Class Manager and Template Manager.
Exit: Exits ACL Manager.

Edit Menu
The Edit menu contains:

Undo: Undoes the last edit operation, if possible. Note that some editing operations are irreversible, for example deleting an ACL Use statement or expanding ACEs inline.
Cut: Copies the current selection to the paste buffer and deletes it (see Chapter 4, Editing ACLs). You can select one or more ACLs or ACEs.
Copy: Copies the current selection to the paste buffer (see Chapter 4, Editing ACLs). You can select one or more ACLs or ACEs.
Paste: Pastes the contents of the paste buffer in front of the current selection. If there is no current selection, the contents are appended at the end of the contents pane. For objects that are shown sorted (for example, ACLs and templates), the list in the contents pane is sorted again after pasting.
Delete: Deletes the current selection. The selection can be one or more devices, ACLs, ACEs, or ACL Use statements.
Move ACE Up: Moves the selected ACEs up one position.
Move ACE Down: Moves the selected ACEs down one position.
Find: Searches for specified text in the right (Contents) pane (see Using the Find Feature).
Apply Template: Launches the Template Use Wizard on the selected device (see Chapter 8, ACL Manager Use Wizard). Select the Use type to create ACLs and Uses on the devices.
Use ACL: Launches the Template Use Wizard on the selected device for the selected ACL (see Chapter 8, ACL Manager Use Wizard). Select the Use type to create a Use for the ACL.
Edit: Launches the appropriate editor on the current selection. For example, if the selection is an ACL, the ACL Editor is launched; if the selection is an ACE, the ACE Editor is launched.
Insert ACL: Launches the ACL Editor to create a new ACL and inserts it into the device.
Insert ACE: Launches the ACE Editor to create a new ACE.
Include Template: Launches the Template Browser to insert a new template include statement into the current ACL context, before the current ACE.
Insert Comment: Launches a dialog box to insert a one-line comment into the current ACL context, before the current ACE.
Insert Time Range: Launches the Time Range Editor to create a new time range definition on the device.
Expand ACE(s) Inline: Replaces the currently selected logical ACEs with their physical equivalents. This action loses all comments and cannot be undone.
Go to ACL: Changes the contents pane view context from the ACL Use to the ACL being used in the selected Use.

View Menu
The View menu contains:

Selection                 Description
Logical View              Changes the view mode to logical.
Physical View             Changes the view mode to physical.
Left Pane                 Makes the folder pane visible, if it was previously invisible.
Refresh Device            Executes a refresh operation on the selected devices. If any device is in a STALE state, the state will change to OK. The configuration is refreshed from the device, and all changes done to the device will be lost.
Update Device Status      Determines the current states of the selected devices. States can be one of: OK, STALE, UNMANAGED, and UNREACHABLE.
Recompute Physical View   Replaces the current physical view with one regenerated from the current selection. The selection can be on a device, one or more ACLs, or one or more ACEs. Regeneration could involve:
                          - Conversion of DNS hostnames to IP addresses.
                          - Expansion of networks, network classes, services, and service classes to their components.
                          - Replacement of template include statements with their constituent ACEs.
                          Use this function if you suspect that a template, class definition, or DNS name has changed since it was last applied to a device.
Properties                Displays a window showing the properties of the selected object. Properties can be displayed for: devices, interfaces, and ACLs. (ACL properties are actually use details for the ACL.)
Users                     Displays a window showing the current Essentials users of the selected devices and the scenario in which the devices are used.

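The regeneration that Recompute Physical View performs (hostnames to addresses, classes to their members, template includes to their ACEs, comments dropped) can be modelled in a few lines. The following is an added example written for this guide, not ACL Manager's own code: the `class:`, `svc:`, `host:` and `include:` token syntax for logical ACEs and all of the class, host and template definitions are constructed for the example.

```python
"""Logical-to-physical ACE expansion, modelled on the Recompute Physical View
description: hostnames become IP addresses, network and service classes expand
to their members, template include statements are replaced by their ACEs, and
comment ACEs drop out. Added example, not ACL Manager code; the `class:`,
`svc:`, `host:` and `include:` token syntax and every definition below are
constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Definitions:
    network_classes: dict[str, list[str]]   # name -> IOS address terms
    service_classes: dict[str, list[str]]   # name -> port terms
    hosts: dict[str, str]                   # DNS name -> resolved address
    templates: dict[str, list[str]]         # template name -> logical ACEs


DEFS = Definitions(
    network_classes={"WEB_SERVERS": ["host 192.0.2.10", "host 192.0.2.11"],
                     "MGMT_NET": ["198.51.100.0 0.0.0.255"]},
    service_classes={"WEB": ["80", "443"]},
    hosts={"ns1.example.com": "203.0.113.53"},
    templates={"DENY_BOGONS": ["! RFC 1918 and loopback sources",
                               "deny ip 10.0.0.0 0.255.255.255 any",
                               "deny ip 127.0.0.0 0.255.255.255 any"]},
)

# Constructed logical ACL as a user would see it in the logical view.
SAMPLE_LOGICAL = [
    "! web access from management, DNS to the resolver",
    "permit tcp class:MGMT_NET class:WEB_SERVERS eq svc:WEB",
    "permit udp any host:ns1.example.com eq 53",
    "include:DENY_BOGONS",
]


def expand_ace(ace: str, defs: Definitions) -> list[str]:
    """Expand one logical ACE into the physical ACEs it stands for."""
    if ace.startswith("!"):
        return []                                  # comments have no physical form
    if ace.startswith("include:"):
        name = ace.split(":", 1)[1]
        return [p for t in defs.templates[name] for p in expand_ace(t, defs)]
    variants: list[list[str]] = [[]]               # cross product of all class members
    for tok in ace.split():
        kind, sep, name = tok.partition(":")
        if not sep:
            options = [tok]                        # plain IOS keyword or address
        elif kind == "class":
            options = defs.network_classes[name]
        elif kind == "svc":
            options = defs.service_classes[name]
        elif kind == "host":
            options = [f"host {defs.hosts[name]}"]
        else:
            raise ValueError(f"unknown token kind {kind!r} in {ace!r}")
        variants = [v + [o] for v in variants for o in options]
    return [" ".join(v) for v in variants]


def recompute_physical_view(logical: list[str], defs: Definitions) -> list[str]:
    """Physical view of a whole logical ACL, in order."""
    return [p for ace in logical for p in expand_ace(ace, defs)]


def physical_is_stale(logical: list[str], cached_physical: list[str], defs: Definitions) -> bool:
    """True when a template, class or DNS name changed since the cached physical view was generated."""
    return recompute_physical_view(logical, defs) != cached_physical


CACHED_PHYSICAL = recompute_physical_view(SAMPLE_LOGICAL, DEFS)

if __name__ == "__main__":
    print("\n".join(CACHED_PHYSICAL))
```

Comparing a freshly recomputed view against the one stored with the scenario is exactly the check the menu entry asks you to do by hand when you suspect a class or DNS definition has moved under an ACL.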

ACL Menu
The ACL menu contains:

Selection              Description
New ACL                Launches the ACL Editor to create a new ACL.
New ACE                Launches the ACE Editor to create a new ACE in the current ACL context. The new ACE is appended to the end of the list of ACEs in the contents pane.
New Include Template   Launches the Template Browser to select a template to append a template include ACE to the current ACL context.
New Comment            Launches a dialog box to enter a one-line comment which is appended to the end of the list of ACEs in the contents pane.
New Time Range         Launches the Time Range Editor to create a new time range definition on the device.

Tools Menu
The Tools menu contains:

Selection          Description
ACL Use Wizard     Launches the ACL Use Wizard (see Chapter 8, Applying an ACL Template to a Specific Device).
ACL Downloader     Launches the Downloader (see Chapter 9, Scheduling and Downloading).
Job Browser        Launches the Job Browser (see Chapter 9, Browsing Job Status and Results).
Diff Viewer        Launches the Diff Viewer (see Chapter 9, Verifying the Configuration Changes).
Class Manager      Launches the Class Manager (see Chapter 6, Using the Class Manager).
Template Manager   Launches the Template Manager (see Chapter 7, Using the Template Manager).
Optimizer          Launches the Optimizer (see Chapter 10, Optimizing ACLs).
Hits Optimizer     Launches the Hits Optimizer (see Chapter 10, Optimizing ACLs).

Using the Device State Icons


The table describes the ACL Manager Device State icons:

- Represents an ACL definition.
- Represents a router that has ACL definitions on it (if the icon is blue).
- Represents a stale router that has ACL definitions on it (if the icon is grey).
- Represents a switch that has ACL definitions on it (if the icon is blue).
- Represents a stale switch that has ACL definitions on it (if the icon is grey).
- Represents a router that has no ACL definitions on it (if the icon is blue).
- Represents a router that is stale, and with no ACL definitions on it (if the icon is grey).
- Represents a switch that has no ACL definitions on it (if the icon is blue).
- Represents a stale switch that has no ACL definitions on it (if the icon is grey).
- Represents a router that is either unreachable, or is not in the database.
- Represents a switch that is either unreachable, or is not in the database.
- Represents an unsupported device.
- Represents an interface to which an ACL has been applied.
- Represents a Line/Router/Route Map to which an ACL has been applied.
- Represents an interface to which an ACL has not been applied.
- Represents a Line/Router/Route Map to which an ACL has not been applied.


Using the Toolbar


The table describes the ACL Manager toolbar icons:

Icon                     Description
Open Scenario            Closes the scenario and opens a dialog box from which you can open another scenario for editing. The action is equivalent to selecting File > Open Scenario.
Save Scenario            Saves the open scenario to disk (on the server). The action is equivalent to selecting File > Save Scenario.
New ACL                  Brings up the ACL Editor (see Creating ACLs in Chapter 4). The action is equivalent to selecting ACL > New ACL.
Cut                      Deletes the current selection and copies it into the paste buffer (see Editing ACLs in Chapter 4). The selection can be on one or more ACLs or ACEs. The action is equivalent to selecting Edit > Cut.
Copy                     Copies the current selection into the paste buffer (see Editing ACLs in Chapter 4). The action is equivalent to selecting Edit > Copy.
Paste                    Pastes the contents of the paste buffer in front of the current selection. If there is no current selection, the contents are appended to the end of the contents pane. The action is equivalent to selecting Edit > Paste.
Delete                   Deletes the current selection. The selection can be on one or more devices, ACLs, ACEs, or ACL Use statements. The action is equivalent to selecting Edit > Delete.
Undo                     Undoes the last edit operation, provided that the undo is possible. Some editing operations are irreversible; for example, deleting an ACL Use statement. The action is equivalent to selecting Edit > Undo.
Up One Level             Changes the left pane selection context to be at the next higher level.
Move selected ACE up     Moves the selected ACEs by shifting them up one position. The action is equivalent to selecting Edit > Move ACEs Up.
Move selected ACE down   Moves the selected ACEs by shifting them down one position. The action is equivalent to selecting Edit > Move ACEs Down.
Template Use Wizard      Launches the Use Wizard. The action is equivalent to selecting Tools > Use Wizard.
ACL Downloader           Launches the Downloader. The action is equivalent to selecting Tools > Downloader.
Job Browser              Launches the Job Browser. The action is equivalent to selecting Tools > Job Browser.
Class Manager            Launches the Class Manager. The action is equivalent to selecting Tools > Class Manager.
Template Manager         Launches the Template Manager. The action is equivalent to selecting Tools > Template Manager.
Properties               Displays properties of the current selection. The selection can be on a device, ACL, or interface. ACL properties are actually their uses in the device. The action is equivalent to selecting View > Properties.
Print                    Prints the contents of the current selection. The action is equivalent to selecting File > Print. This is available in Class Manager and Template Manager also.

Using Keyboard Shortcuts


The following keyboard shortcuts are available in ACL Manager.

Keyboard Shortcuts for ACL Manager Window

You can use these shortcuts in the ACL Manager left and right panes.

Key           Context      Action
Up Arrow      Left pane    Moves up the hierarchy.
Down Arrow    Left pane    Moves down the hierarchy.
Right Arrow   Left pane    Expands the current selection if it is collapsed; else selects the first subfolder.
Left Arrow    Left pane    Collapses the current selection if it is expanded; else selects the parent folder.
Enter         Left pane    Expands the current selection if it is collapsed, or collapses the current selection if it is expanded.
Enter         Right pane   Displays the ACE Editor dialog box if the current selection is an ACE; else expands the current selection.
Ctrl+O        Both         Opens the scenario.
Ctrl+S        Both         Saves the scenario.
Ctrl+P        Both         Prints the contents of the current selection.
Ctrl+F        Both         Searches for lines containing specific text in the right pane.
Ctrl+Z        Both         Undoes changes.
Ctrl+A        Both         Selects all of the permissible items in the right pane.
Ctrl+X        Both         Deletes the current selection and copies it to the Paste buffer (see Editing ACLs in Chapter 4). You can select and delete one or more ACLs or ACEs.
Ctrl+C        Both         Copies the current selection to the Paste buffer (see Editing ACLs in Chapter 4).
Ctrl+V        Both         Pastes the contents of the Paste buffer before the current selection. If you have not selected anything in the contents pane, then they are pasted at the end of the list.
Del           Both         Deletes the current selection. You can select and delete one or more devices, ACLs, ACEs, or ACL Use statements.
Tab           Both         Switches between the right and left panes.
Shift+Tab     Both         Switches between the right and left panes.
Alt+F4        Both         Exits from ACL Manager.


Keyboard Shortcuts for ACL Manager Dialog Boxes - Windows


You can use these shortcuts in the ACL Manager dialog boxes, in Windows.

Key         Action
Tab         Moves forward through options.
Shift+Tab   Moves backward through options.
Escape      Closes the current dialog box without saving the entries.
Ctrl+A      Selects all the text in the current text field.
Ctrl+X      Deletes the current selection and copies it to the system clipboard.
Ctrl+C      Copies the current selection to the system clipboard.
Ctrl+V      Pastes the contents of the system clipboard.
Ctrl+Z      Undoes changes.
Del         Deletes highlighted text.

Keyboard Shortcuts for ACL Manager Dialog Boxes - Solaris


You can use these shortcuts in the ACL Manager dialog boxes, in Solaris.

Key         Action
Tab         Moves forward through options.
Shift+Tab   Moves backward through options.
Escape      Closes the current dialog box without saving the entries.
Shift+Del   Deletes the current selection and copies it to the system clipboard.
Ctrl+Ins    Copies the current selection to the system clipboard.
Shift+Ins   Pastes the contents of the system clipboard.
Ctrl+Z      Undoes changes.
Del         Deletes highlighted text.


Performing a Complete Workflow Cycle


The typical ACL Manager workflow involves this sequence of tasks:

Step 1  Creating a scenario or opening an existing scenario (see Starting ACL Manager).
Step 2  Creating ACLs (see Creating ACLs in Chapter 4) or editing existing ACLs (see Editing ACLs in Chapter 4), or both.
Step 3  Creating and editing ACEs (see Editing ACEs in Chapter 4).
Step 4  Creating ACL Use statements (see Defining ACL Uses in Chapter 8).
Step 5  Saving the scenario (see Saving Scenarios).
Step 6  Viewing and verifying the changes made to the device configuration during editing (see Verifying Device Configuration Changes).
Step 7  Scheduling a download job and downloading the ACL and ACL Use modifications to devices (see Downloading the Changes to the Devices).
Step 8  Verifying that the download was completed successfully (see Verifying That the Download Was Successful).

Verifying Device Configuration Changes


Using the Diff Viewer, you can view the changes made since you created the scenario. With Diff Viewer, you can see new, deleted, and modified ACLs and ACL Uses. You can also see the new IOS/Catalyst OS configuration that represents the ACLs and ACL Uses for the devices in your scenario, as well as the IOS/Catalyst OS config deltas. IOS/Catalyst OS deltas represent the commands that are to be downloaded to the devices in your scenario in order to implement the changes to the device configuration. See Viewing the Configuration Changes in Chapter 4 for full information on launching and using the Diff Viewer.

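To make the three views concrete (new/deleted/modified objects, the resulting configuration, and the delta commands), here is an added example that is not ACL Manager's code or output. It classifies ACLs and ACL Uses between a base scenario and an edited one and renders an IOS delta; the data model, the sample configurations and the rendering rules (named extended IP ACLs bound with `ip access-group`) are assumptions made for the example.

```python
"""Diff Viewer style comparison of a base scenario against an edited one:
classify ACLs and ACL Uses as new, deleted or modified, and render the IOS
commands (the config delta) that would be downloaded. Added example, not
ACL Manager code; the data model, the sample configurations and the
rendering rules (named extended IP ACLs bound with ip access-group) are
assumptions made for this example."""
from __future__ import annotations

Acls = dict[str, list[str]]          # ACL name -> ordered ACE lines
Uses = dict[tuple[str, str], str]    # (interface, direction) -> ACL name

# Constructed sample: the base scenario as read from the device, and the user's edits.
BASE_ACLS: Acls = {
    "OUTSIDE_IN": ["permit tcp any host 192.0.2.10 eq 443", "deny ip any any log"],
    "OLD_MGMT": ["permit ip 198.51.100.0 0.0.0.255 any"],
}
EDITED_ACLS: Acls = {
    "OUTSIDE_IN": ["permit tcp any host 192.0.2.10 eq 443",
                   "permit tcp any host 192.0.2.10 eq 80",
                   "deny ip any any log"],
    "MGMT_IN": ["permit tcp 198.51.100.0 0.0.0.255 any eq 22", "deny ip any any log"],
}
BASE_USES: Uses = {("FastEthernet0/0", "in"): "OUTSIDE_IN", ("FastEthernet0/1", "in"): "OLD_MGMT"}
EDITED_USES: Uses = {("FastEthernet0/0", "in"): "OUTSIDE_IN", ("FastEthernet0/1", "in"): "MGMT_IN"}


def classify(base: dict, edited: dict) -> dict[str, list]:
    """Split keys into new, deleted and modified. A modified ACL is one whose
    ACE list changed, order included, since ACE order decides what matches."""
    common = base.keys() & edited.keys()
    return {
        "new": sorted(edited.keys() - base.keys()),
        "deleted": sorted(base.keys() - edited.keys()),
        "modified": sorted(k for k in common if base[k] != edited[k]),
    }


def ios_delta(base_acls: Acls, edited_acls: Acls, base_uses: Uses, edited_uses: Uses) -> list[str]:
    """Render the commands that turn the base configuration into the edited one."""
    acl_d = classify(base_acls, edited_acls)
    use_d = classify(base_uses, edited_uses)
    cmds: list[str] = []
    # 1. Unbind uses that go away or that now point at a different ACL.
    for iface, direction in use_d["deleted"] + use_d["modified"]:
        cmds += [f"interface {iface}", f" no ip access-group {base_uses[(iface, direction)]} {direction}"]
    # 2. Remove deleted ACLs, then rebuild modified ones so the ACE order is exactly the edited order.
    #    Caveat: on IOS an interface bound to an ACL that does not exist permits all traffic, so an
    #    ACL that stays bound is unprotected between its "no ip access-list" and its re-creation.
    for name in acl_d["deleted"] + acl_d["modified"]:
        cmds.append(f"no ip access-list extended {name}")
    for name in acl_d["modified"] + acl_d["new"]:
        cmds.append(f"ip access-list extended {name}")
        cmds += [f" {ace}" for ace in edited_acls[name]]
    # 3. Bind new uses and re-bind changed ones.
    for iface, direction in use_d["modified"] + use_d["new"]:
        cmds += [f"interface {iface}", f" ip access-group {edited_uses[(iface, direction)]} {direction}"]
    return cmds


def sample_delta() -> list[str]:
    """The delta for the constructed sample above."""
    return ios_delta(BASE_ACLS, EDITED_ACLS, BASE_USES, EDITED_USES)


if __name__ == "__main__":
    print("ACLs:", classify(BASE_ACLS, EDITED_ACLS))
    print("Uses:", classify(BASE_USES, EDITED_USES))
    print("\n".join(sample_delta()))
```

The ordering in `ios_delta` is the part worth reviewing in a real delta: unbinding before deletion avoids dangling references, and the window during which a modified ACL is absent from the device is exactly the kind of thing the Diff Viewer lets you spot before the job is scheduled.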

Downloading the Changes to the Devices


After saving the scenario and verifying the changes to be downloaded to the devices that were modified in your scenario, you can schedule a job to download the IOS/Catalyst OS commands to the devices. See Chapter 9, Scheduling and Downloading, for further information.

Verifying That the Download Was Successful


After scheduling the download, you can monitor the job status using the Job Browser. Your job can be in one of these states: Pending, Running, Waiting for approval, Rejected, Failed, Pending (Approved), Success, Partial Success, Cancelled, and Aborted. Use the Job Browser to find out if your job failed. If the job failed, you can find out why, and resubmit the job. If the job has not yet started, you can edit the job parameters, make changes to the job scenario, and submit the modified job. See Chapter 9, Scheduling and Downloading, for further information.

Advanced ACL Manager Topics


This section contains topics relating to the advanced use of ACL Manager.

Stale Devices
A device becomes stale when the ACL-related device configuration from which the scenario was derived is modified outside the scenario. This can happen in these situations:

- The ACLs or ACL Use statements, or both, for a device are modified and downloaded from one scenario, but the device is still being used in one or more other scenarios. In this case, the device will become stale in the other scenarios.
- A device is being used in a scenario and a template used on a device is modified and downloaded (the template is synchronized) to the device from Template Manager.

Note

A template is considered to be used on a device if any ACL on the device contains a template include statement and this ACL has been downloaded to the device.

- A device configuration is modified from the command line interface (CLI) while the device is being used in one or more other scenarios.
- An attempted download fails and rollback fails. The device status may change to stale in scenarios containing that device.

The device status will be changed to stale (that is, its icon is grayed out and its status is set to stale) when:

- A View > Update Device Status operation is performed.
- The scenario is immediately closed then reopened after any of the above events caused it to become stale.
- The scenario is modified and a download is attempted.
- Thirty seconds have elapsed since the configuration file was changed on the device.

You can download to a stale device.

Note

Any edits made to the stale device in the client scenario will be lost on refreshing.

Refreshing Devices
Three device configuration states are relevant to ACL Manager:

- The actual configuration on the device.
- The configuration in the device model on the server (the base scenario).
- The configuration in the user scenario.

Ideally, the configuration on the device is always synchronized with the device in the base scenario. However, asynchronous changes on the device can happen outside the scope of ACL Manager. For example, devices can be accessed and configurations modified directly through the CLI.


To provide a current version of the device config, the configuration in the base scenario is reconciled with the device:

- Whenever a scenario is created or opened for editing (provided that the Read Config from Device option is selected when the scenario is opened).
- After a completely successful or partially successful download.
- When a device refresh is requested.

The representation of ACLs and ACL Use statements in a user scenario is based on a device configuration that was obtained from the device when the scenario was created. If the device configuration from which a user scenario was derived is modified outside the scenario (for example, through the CLI, or by another scenario being downloaded while the device in the original scenario is being edited), then the basis for the edits in the original scenario is invalidated. If this happens, ACL Manager sets the device status to stale. You can continue to make modifications to the device but will be unable to download them to the device. You must refresh a stale device before attempting to download ACL and ACL Use statement modifications to it. Refreshing a device reconciles the device configuration in the scenario with the configuration on the device. You could lose modifications on a device that becomes stale unless you take the precautions described in How to Avoid Losing Edits When Refreshing a Device.

How to Avoid Losing Edits When Refreshing a Device


You can avoid losing edits prior to refreshing a stale device by:

- Saving edited and newly created ACLs in the paste buffer
- Refreshing the device
- Pasting back the saved ACLs

Alternatively, you could save the scenario under another name; this preserves the edits in the scenario with the new name. Only edits made to ACL definitions can be saved before a stale device is refreshed. Edits to ACL Use statements cannot be saved.

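The three configuration states, the stale check and the cut/refresh/paste workaround above can be modelled directly. The following is an added example, not ACL Manager code; the data model (ACLs as name-to-ACE-list maps, Uses as interface-to-ACL maps) and the sample configurations are constructed for the example, and a digest of the serialized configuration stands in for whatever comparison the server actually performs.

```python
"""Model of the three configuration states the guide describes for a device
(the live device, the device model in the base scenario, and the user scenario),
the stale check, and a refresh that keeps ACL definition edits the way the
cut / refresh / paste workaround does. Added example, not ACL Manager code; the
data model and the sample configurations are constructed for this example."""
from __future__ import annotations

import copy
import hashlib
import json

Config = dict   # {"acls": {name: [ace, ...]}, "uses": {"<interface> <direction>": acl_name}}


def fingerprint(cfg: Config) -> str:
    """Stable digest of a configuration, so two copies can be compared cheaply."""
    return hashlib.sha256(json.dumps(cfg, sort_keys=True).encode()).hexdigest()


class ManagedDevice:
    def __init__(self, live: Config) -> None:
        self.live = live                          # what is really on the device
        self.base = copy.deepcopy(live)           # snapshot taken when the scenario was created
        self.scenario = copy.deepcopy(live)       # the user's working copy, edited in the GUI
        self.status = "OK"

    def update_status(self) -> str:
        """View > Update Device Status: STALE once the live configuration no
        longer matches the snapshot the scenario was derived from."""
        self.status = "OK" if fingerprint(self.live) == fingerprint(self.base) else "STALE"
        return self.status

    def out_of_band_change(self, new_live: Config) -> None:
        """An edit made outside this scenario (CLI, another scenario's download)."""
        self.live = new_live

    def refresh(self) -> None:
        """View > Refresh Device: reconcile with the live configuration. Every
        edit in the user scenario for this device is discarded."""
        self.base = copy.deepcopy(self.live)
        self.scenario = copy.deepcopy(self.live)
        self.status = "OK"

    def refresh_preserving_acl_edits(self) -> list[str]:
        """The guide's workaround: put edited and new ACL definitions in the paste
        buffer, refresh, paste them back. ACL Use edits cannot be preserved."""
        buffer = {name: aces for name, aces in self.scenario["acls"].items()
                  if self.base["acls"].get(name) != aces}
        self.refresh()
        self.scenario["acls"].update(copy.deepcopy(buffer))
        return sorted(buffer)


def demo() -> dict[str, object]:
    """Constructed walk-through: edit a scenario, change the device behind its back, recover."""
    device = ManagedDevice({"acls": {"OUTSIDE_IN": ["deny ip any any log"]},
                            "uses": {"FastEthernet0/0 in": "OUTSIDE_IN"}})
    before = device.update_status()
    # Edits in the user scenario: one changed ACL, one new ACL, one new Use.
    device.scenario["acls"]["OUTSIDE_IN"] = ["permit tcp any host 192.0.2.10 eq 443", "deny ip any any log"]
    device.scenario["acls"]["NEW_ACL"] = ["permit icmp any any"]
    device.scenario["uses"]["FastEthernet0/1 in"] = "NEW_ACL"
    # Meanwhile an operator adds an ACL on the device from the CLI.
    device.out_of_band_change({"acls": {"OUTSIDE_IN": ["deny ip any any log"],
                                        "CLI_ACL": ["permit udp any any eq 123"]},
                               "uses": {"FastEthernet0/0 in": "OUTSIDE_IN"}})
    after = device.update_status()
    preserved = device.refresh_preserving_acl_edits()
    return {
        "status_before": before, "status_after": after, "status_now": device.status,
        "preserved": preserved,
        "acls": sorted(device.scenario["acls"]),
        "outside_in": device.scenario["acls"]["OUTSIDE_IN"],
        "uses": sorted(device.scenario["uses"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what the walk-through shows: after the preserving refresh the scenario contains the CLI-added ACL and both edited ACL definitions, but the new Use on FastEthernet0/1 is gone, which is the limitation the section states.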

Backing up ACL Manager Data


You can back up ACL Manager data on Solaris and Windows servers. To do this, follow the procedure below to run the backup script from the CiscoWorks server command line.

Note

ACL Manager data comprising scenarios, templates, services, service classes, networks, and network classes are backed up. Jobs will not be backed up.

Backing up Data on Solaris


To back up data on Solaris:

Procedure
Step 1  Log in as the super user.
Step 2  Set the NMSROOT variable to the CiscoWorks install directory.
Step 3  Enter $NMSROOT/bin/pdterm AclmServer to stop the ACL Manager server.
Step 4  Enter $NMSROOT/bin/perl $NMSROOT/bin/aclmbackup.pl to back up the ACL Manager data. You can specify the folder into which the data should be backed up as a command line parameter. For example, you can enter $NMSROOT/bin/perl $NMSROOT/bin/aclmbackup.pl /aclmbackup, where /aclmbackup is the backup folder. If you do not specify the folder as a command line parameter, the system will prompt you to specify a folder to back up the data.
Step 5  After the backup is complete, enter $NMSROOT/bin/pdexec AclmServer to restart the ACL Manager server.


Backing up Data on Windows Server


To back up data on Windows server:

Procedure
Step 1  Ensure that you have the correct permissions to access the CiscoWorks installation directories.
Step 2  Set the NMSROOT variable to the CiscoWorks install directory.
Step 3  Enter %NMSROOT%\bin\pdterm AclmServer to stop the ACL Manager server.
Step 4  Enter %NMSROOT%\bin\perl %NMSROOT%\bin\aclmbackup.pl to back up the ACL Manager data. You can specify the folder into which the data should be backed up as a command line parameter. For example, you can enter %NMSROOT%\bin\perl %NMSROOT%\bin\aclmbackup.pl d:\aclmbackup, where d:\aclmbackup is the backup folder. If you do not specify the folder as a command line parameter, the system will prompt you to specify a folder to back up the data.
Step 5  After the backup is complete, enter %NMSROOT%\bin\pdexec AclmServer to restart the ACL Manager server.

Restoring ACL Manager Data


You can restore ACL Manager data on Solaris and Windows servers. To do this, run the restore script from the command line.

Warning

ACL Manager data comprising scenarios, templates, services, service classes, networks, and network classes are restored. Existing data including jobs will be deleted during the restore operation.


Restoring Data on Solaris


To restore data on Solaris:

Procedure
Step 1  Log in as the super user.
Step 2  Enter $NMSROOT/bin/pdterm AclmServer to stop the ACL Manager server.
Step 3  Enter $NMSROOT/bin/perl $NMSROOT/bin/aclmrestore.pl to restore the ACL Manager data. You can specify the folder from which the data should be restored as a command line parameter. For example, you can enter $NMSROOT/bin/perl $NMSROOT/bin/aclmrestore.pl /aclmrestore, where /aclmrestore is the restore folder. If you do not specify the folder as a command line parameter, the system will prompt you to specify a folder to restore the data.
Step 4  After the restore is complete, enter $NMSROOT/bin/pdexec AclmServer to restart the ACL Manager server.

Restoring Data on Windows Server


To restore data on Windows server:

Procedure
Step 1  Ensure that you have administrator privileges to access the CiscoWorks installation directories.
Step 2  Enter %NMSROOT%\bin\pdterm AclmServer to stop the ACL Manager server.
Step 3  Enter %NMSROOT%\bin\perl %NMSROOT%\bin\aclmrestore.pl to restore the ACL Manager data. You can specify the folder from which the data should be restored as a command line parameter. For example, you can enter %NMSROOT%\bin\perl %NMSROOT%\bin\aclmrestore.pl d:\aclmrestore, where d:\aclmrestore is the restore folder. If you do not specify the folder as a command line parameter, the system will prompt you to specify a folder to restore the data.
Step 4  After the restore is complete, enter %NMSROOT%\bin\pdexec AclmServer to restart the ACL Manager server.

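The backup and restore procedures above share one shape: stop AclmServer, run the script, restart the server. The following wrapper is an added example and not part of CiscoWorks or ACL Manager; the command lines are the ones the guide gives for each platform, while the wrapper logic, the injectable `runner`, the `/opt/CSCOpx` placeholder for NMSROOT and the backup folder permission check are assumptions made for the example. Its point is that the server is restarted even when the script fails, and that a backup folder holding the whole ACL policy should not be readable by other users.

```python
"""Wrapper for the ACL Manager backup and restore procedures: stop AclmServer,
run the backup or restore script, and restart the server even when the script
fails. Added example, not part of CiscoWorks or ACL Manager; the command lines
follow the guide, while the wrapper logic, the `runner` injection, the
/opt/CSCOpx placeholder and the directory check are assumptions made here."""
from __future__ import annotations

import os
import stat
import subprocess
from typing import Callable, Sequence

Runner = Callable[[Sequence[str]], int]   # executes a command, returns its exit status

SCRIPTS = {"backup": "aclmbackup.pl", "restore": "aclmrestore.pl"}


def real_runner(cmd: Sequence[str]) -> int:
    """Execute the command without a shell; the exit status is all the wrapper needs."""
    return subprocess.run(list(cmd), check=False).returncode


def aclm_commands(nmsroot: str, action: str, data_dir: str, windows: bool = False) -> dict[str, list[str]]:
    """Build the stop / script / restart command lines from the guide for either platform."""
    if action not in SCRIPTS:
        raise ValueError(f"action must be one of {sorted(SCRIPTS)}, got {action!r}")
    sep = "\\" if windows else "/"
    bin_dir = f"{nmsroot}{sep}bin{sep}"
    return {
        "stop": [f"{bin_dir}pdterm", "AclmServer"],
        "script": [f"{bin_dir}perl", f"{bin_dir}{SCRIPTS[action]}", data_dir],
        "start": [f"{bin_dir}pdexec", "AclmServer"],
    }


def check_backup_dir(path: str) -> list[str]:
    """Warnings about the backup folder (POSIX permissions). A backup holds the
    whole ACL policy, so the folder should exist and be private to the owner."""
    if not os.path.isdir(path):
        return [f"{path} does not exist"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} is accessible to group/other (mode {mode:o}); restrict it to the owner"]
    return []


def run_maintenance(nmsroot: str, action: str, data_dir: str, windows: bool = False,
                    runner: Runner = real_runner) -> dict[str, object]:
    """Run the guide's sequence. The data is only touched once AclmServer has
    stopped cleanly, and the server is restarted whatever the script returns."""
    cmds = aclm_commands(nmsroot, action, data_dir, windows)
    result: dict[str, object] = {"stopped": False, "script_rc": None, "restarted": False}
    if runner(cmds["stop"]) != 0:
        raise RuntimeError("pdterm AclmServer failed; data files may still be in use, aborting")
    result["stopped"] = True
    try:
        result["script_rc"] = runner(cmds["script"])
    finally:
        result["restarted"] = runner(cmds["start"]) == 0   # bring the server back even on failure
    return result


def demo(script_rc: int = 0) -> tuple[list[list[str]], dict[str, object]]:
    """Dry run against a recording fake runner; no CiscoWorks install needed.
    The script command is the only three-element command, so it is the one
    whose exit status `script_rc` controls."""
    calls: list[list[str]] = []

    def fake_runner(cmd: Sequence[str]) -> int:
        calls.append(list(cmd))
        return script_rc if len(cmd) == 3 else 0

    result = run_maintenance("/opt/CSCOpx", "backup", "/aclmbackup", runner=fake_runner)
    return calls, result


if __name__ == "__main__":
    for call in demo()[0]:
        print(" ".join(call))
    print(check_backup_dir("/aclmbackup"))
```

To use it for real, call `run_maintenance(os.environ["NMSROOT"], "backup", "/aclmbackup")` as the super user on Solaris, or with `windows=True` and a `d:\aclmbackup` style path on Windows; the `restore` action runs `aclmrestore.pl` the same way, subject to the warning above that it deletes existing data including jobs.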
Chapter 4

Viewing and Editing ACLs


These topics describe how to view and edit ACLs and ACEs:

- Viewing Existing ACLs
- Creating ACLs
- Defining ACL Uses
- Editing ACLs
- Saving ACLs as Templates
- Renaming ACLs
- Manipulating ACEs
- Editing ACEs
- Saving ACEs as a Template
- Viewing the Configuration Changes
- Editing Time Range Definitions
- Optimizing the ACL
- Printing the ACL/ACE


Viewing Existing ACLs


You can display all ACLs on a particular device in the ACL Manager Main Window contents pane. If you have not yet started ACL Manager, you need to display the ACL Manager Main Window, using this procedure.

Procedure

Step 1  Select ACL Management > View ACLs from Essentials to display the View ACLs dialog box (see Figure 4-1).

Figure 4-1  View ACLs Dialog Box


Step 2  Select a scenario and select Read config from Device to synchronize the Config Archive with the devices in the scenario (get the configuration file). The ACL Manager Main Window appears.
Step 3  Carry out this procedure from the ACL Manager Main Window.

Procedure

Step 1  Expand the device folder in the ACL Manager Main Window.
Step 2  Select ACL Definitions. The ACL definitions for the device are displayed in the right pane (see Figure 4-2).

Figure 4-2  Viewing ACLs


Creating ACLs
ACLs are created under the ACL Definition folder for a particular device. After you create an ACL, you can add ACEs to it.

Procedure

Step 1  Expand the device folder in the ACL Manager Main Window, then select ACL Definitions. The ACL definitions appear in the right pane (see Figure 4-2).
Step 2  Select ACL Definitions, then select New ACL from the ACL Definitions popup menu. The ACL Editor dialog box appears (see Figure 4-3).

Figure 4-3  ACL Editor Dialog

Step 3  Enter the following information:


Field            Description
Type             Specifies the type of ACL that can be created on the selected router, for example: IP, IP_EXTENDED, IPX, IPX_EXTENDED, IPX_SAP, IPX_SUMMARY, RATE_LIMIT_MAC, RATE_LIMIT_PRECEDENCE. Select a type from the drop-down list box. (Only those types supported for the device IOS version and feature set are available from the drop-down list.) After the ACL is created, you cannot change the type.
Autonumber       Select Autonumber if you want the ACL Manager to select the first available number for you.
Name or Number   Name: If the IOS version of the selected device does not support named ACLs, ACL Manager generates a unique number, and associates the ACL name with this number as an alias. Number: If Autonumber is not checked, enter a unique number that identifies the ACL.
Comment          Enter comments to be associated with this ACL.

Step 4  Click OK.

Note

You can select ACL > New ACE from the ACL Manager Main Window to insert ACE entries into the new ACL.

Tip

You can also start the ACL Editor dialog box by clicking the New ACL toolbar icon or by selecting ACL > New ACL from the ACL Manager Main Window.


Defining ACL Uses


Use one of the ACL Use wizards to create an ACL Use (see Chapter 8, ACL Manager Use Wizard).

Editing ACLs
You can use the ACL editor to change the ACL name or comments about the ACL. If you have not yet started ACL Manager, you need to display the ACL Manager Main Window using this procedure.

Procedure

Step 1  Select ACL Management > Edit ACLs from Essentials to display the Edit ACLs dialog box (see Figure 4-4).
Step 2  Select a scenario, then click Next. The ACL Manager Main Window appears.

Figure 4-4  Edit ACLs Dialog Box

Carry out the following procedure from the ACL Manager Main Window.

Procedure

Step 1  Expand the device folder in the ACL Manager Main Window.
Step 2  Select ACL Definitions. The ACLs appear in the right pane (see Figure 4-2).
Step 3  Right-click on the required ACL, then select Edit. The ACL Editor dialog box appears (see Figure 4-3).
Step 4  Enter the fields (see Creating ACLs for field descriptions), then click OK.

Tip

You can insert a comment into an ACL using ACL > New Comment.

Saving ACLs as Templates


You can save an ACL as a new template. (To save ACEs as a template, see Saving ACEs as a Template.)

Procedure

Step 1  Expand the device folder in the ACL Manager Main Window.
Step 2  Select ACL Definitions. The ACLs appear in the right pane (see Figure 4-2).
Step 3  Select the ACL to save.
Step 4  Select File > Save ACL As to display the Save As Template dialog box (see Figure 4-5).
Step 5  Select the template directory to hold the new template.
Step 6  Enter the new template name, then click OK.

Figure 4-5  Save As Template Dialog Box

Renaming ACLs
You can rename or renumber an existing ACL. Any ACL uses that reference the existing ACL are changed to reflect the new name.

Procedure

Step 1  Expand the device folder in the ACL Manager Main Window.
Step 2  Select ACL Definitions. The ACLs appear in the right pane (see Figure 4-2).
Step 3  Right-click on the ACL to be renamed, then select Edit. The ACL Editor dialog box appears (see Figure 4-3).
Step 4  Change the information in the Name or number field, then click OK.

Manipulating ACEs
The ACL Manager provides many features for manipulating ACE entries for a particular ACL definition. You can:

- Insert a new ACE
- Insert a template include ACE
- Insert comments into an ACE
- Reorder ACEs
- Insert a comment ACE

Inserting a New ACE


You can insert a new ACE above the selected ACE.

Procedure

Step 1  Expand the device folder in the ACL Manager Main Window.
Step 2  Expand ACL Definitions.
Step 3  Select the required ACL definition. The ACEs appear in the right pane (see Figure 4-6).
Step 4  Right-click on the ACE above which the new ACE is to be inserted, then select Insert ACE. The ACE Editor dialog box appears.
Step 5  Enter the parameters for the new ACE (see Editing ACEs).
Step 6  Click OK.

Figure 4-6  Viewing ACEs

Appending a New ACE


You can append a new ACE to the end of the current list.

Procedure

Step 1  Expand the device folder in the ACL Manager Main Window.
Step 2  Expand ACL Definitions.
Step 3  Right-click on the required ACL definition, then select New ACE. The ACE Editor dialog box appears.
Step 4  Enter the parameters for the new ACE (see Editing ACEs).
Step 5  Click OK.

For information on editing ACE attributes, see Editing ACEs.

Inserting a Template
You can insert a template into an ACL by creating a template include ACE that references the template.

Procedure

Step 1  Expand the device folder in the ACL Manager Main Window.
Step 2  Select ACL Definitions. The ACLs for the device appear in the right pane (see Figure 4-2).
Step 3  Right-click on the required ACL, then select New Include Template. The Template Selection window appears (see Figure 4-7). Only templates appropriate to the ACL appear.
Step 4  Select the template to include. Click Expand to display a window showing the template details (see Figure 4-8).
Step 5  Click OK. The include template ACE is inserted, or is appended to the end of the ACL if you made no selection (see Figure 4-9).

Figure 4-7  Template Selection

Figure 4-8  Expanded Template

Figure 4-9  Inserted Template

Appending a Comment
Use the Comment Editor to append a comment to the end of an ACL or ACL template. You can also use the Comment Editor to insert a comment after an ACE (see Inserting a Comment).

Procedure
Step 1 Expand the device folder in the ACL Manager Main Window.
Step 2 Expand ACL Definitions.
Step 3 Right-click on the required ACL, then select New Comment. The Comment Editor dialog box appears (Figure 4-10).
Step 4 Enter a one-line comment, then click OK. The comment is appended with the prefix !. Figure 4-11 shows a comment inserted at the end of an ACL.

Figure 4-10 Insert Comment Dialog Box

Note
On devices supporting Remark ACEs, Comment ACEs are converted into Remark ACEs in the physical view. Otherwise, they are ignored.

Inserting a Comment
Use the Comment Editor to insert a comment after an ACE. You can also use the Comment Editor to append a comment at the end of an ACL or ACL template (see Appending a Comment).

Procedure
Step 1 Expand the device folder in the ACL Manager Main Window.
Step 2 Expand ACL Definitions.
Step 3 Select the ACL. The ACEs appear in the right pane.
Step 4 Right-click on the required ACE, then select Insert Comment. The Comment Editor dialog box appears (Figure 4-10).
Step 5 Enter your comment, then click OK.

Figure 4-11 Inserted Comment

Reordering ACEs
Use the Move ACE Up and Move ACE Down toolbar buttons to move selected ACEs up or down.

Procedure
Step 1 Expand the device folder in the ACL Manager Main Window.
Step 2 Expand ACL Definitions.
Step 3 Select the required ACL definition. The ACEs appear in the right pane (see Figure 4-6).
Step 4 Select the ACE to move. (You can select multiple ACEs using the Shift and Control keys.)
To move the ACEs up one position, click the Move ACE Up icon.
To move the ACEs down one position, click the Move ACE Down icon.

Note
If you try to reorder ACEs while in physical mode, a warning message appears if the reorder changes the ACL semantics.

Editing ACEs
Use the ACE Editor to edit an ACE.

Procedure
Step 1 Expand the device folder in the ACL Manager Main Window.
Step 2 Expand ACL Definitions.
Step 3 Select the required ACL definition. The ACEs appear in the right pane (see Figure 4-6).
Step 4 Right-click on the ACE to be edited, then select Edit. The ACE Editor dialog box appears.

Tip
You can start the ACE Editor dialog box from the Edit menu by selecting Edit > Edit.

The format of the ACE Editor dialog box and the attributes that can be edited depend on the IOS ACL protocol type, as described in these sections:
Editing IP ACE Attributes
Editing IP Extended ACE Attributes
Editing IPX ACE Attributes
Editing IPX Extended ACE Attributes
Editing IPX SAP ACE Attributes
Editing IPX SUMMARY ACE Attributes
Editing RATE LIMIT MAC ACE Attributes
Editing RATE LIMIT PRECEDENCE ACE Attributes

Specifying Source and Destination Addresses

Most ACE types require you to specify a source address, a destination address, or both. To specify an IP address or hostname as the source or destination address, enter it directly into the appropriate ACE Editor field.

To specify a network or network class as the source or destination address, use the following procedure.

Procedure
Step 1 Click Source Address or Destination Address to open the Network/Class selector dialog box (see Figure 4-12).
Step 2 Select the desired network or network class.
Step 3 Click OK when you have finished.

Figure 4-12 Network/Class Selector

Using the ACE Editor Buttons

The following table explains the buttons at the bottom of the ACE Editor dialog boxes:
Expand: Expands the ACE. Expansion of the ACE shows the ACE physical view, that is, the actual IOS statements that implement the ACE. For example, if the source address field class translates to n IP addresses and the destination field class expands to m IP addresses, there will be n x m entries in the expanded ACE and in the actual IOS statements that implement the ACE.
New: Saves the current ACE and starts editing a new one. You can then save changes to the current ACE and carry the settings into the new ACE or discard them. If you save, the ACL Manager Main Window is updated to display the saved ACE.
Prev: Saves the current ACE and loads the previous one from the ACL. You can then save changes to the current ACE or discard them. If you save, the ACL Manager Main Window is updated to display the saved ACE.
Next: Saves the current ACE and loads the next one from the ACL. You then have the option to save changes made to the current ACE. If you save, the ACL Manager Main Window is updated to display the saved ACE.
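As an added illustration of what the Expand button produces (example code written for this topic, not ACL Manager's own code), the following Python models a class-based ACE and renders the n x m physical IOS statements behind it. The network classes, ACL number and port below are constructed sample values.

```python
"""Render the physical IOS statements behind one class-based ACE, as the
ACE Editor's Expand button does.

Added example, not ACL Manager code. A network class is modelled as a list of
IPv4 networks; a source class of n networks and a destination class of m
networks expand to n x m access-list statements. The classes, ACL number and
port used below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from itertools import product
from typing import List

IPv4Network = ipaddress.IPv4Network


def parse_class(cidrs: List[str]) -> List[IPv4Network]:
    """Build a network class from CIDR strings (constructed input)."""
    return [ipaddress.ip_network(c) for c in cidrs]


def address_clause(network: IPv4Network) -> str:
    """One endpoint in IOS syntax: 'host A', 'any', or 'A wildcard-mask'.
    The wildcard mask is the inverse of the subnet mask (the host mask)."""
    if network.prefixlen == 32:
        return f"host {network.network_address}"
    if network.prefixlen == 0:
        return "any"
    return f"{network.network_address} {network.hostmask}"


@dataclass
class ClassAce:
    """A logical extended ACE whose endpoints are network classes."""
    action: str                     # "permit" or "deny"
    protocol: str                   # "tcp", "udp", "ip", ...
    source: List[IPv4Network]
    destination: List[IPv4Network]
    port_clause: str = ""           # e.g. "eq 443" (destination-port form assumed)
    options: str = ""               # e.g. "established", "log"


def expand(acl_number: int, ace: ClassAce) -> List[str]:
    """The physical view: one access-list statement per (source, destination)
    pair, ordered by the source class first and the destination class second."""
    statements = []
    for src, dst in product(ace.source, ace.destination):
        parts = [f"access-list {acl_number}", ace.action, ace.protocol,
                 address_clause(src), address_clause(dst)]
        if ace.port_clause:
            parts.append(ace.port_clause)
        if ace.options:
            parts.append(ace.options)
        statements.append(" ".join(parts))
    return statements


def expanded_count(ace: ClassAce) -> int:
    """n x m: the number of statements Expand will show for the ACE."""
    return len(ace.source) * len(ace.destination)


def demo() -> List[str]:
    """Three branch networks (n = 3) to two web servers (m = 2): 6 statements."""
    branch_offices = parse_class(["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"])
    web_servers = parse_class(["192.0.2.10/32", "192.0.2.11/32"])
    ace = ClassAce("permit", "tcp", branch_offices, web_servers, port_clause="eq 443")
    return expand(100, ace)


if __name__ == "__main__":
    for line in demo():
        print(line)
```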

Editing IP ACE Attributes

Select an ACE that belongs to a standard IP ACL. Start the ACE Editor on this ACE (see Figure 4-13). The ACE being edited is shown in the display area above the Expand button.

Figure 4-13 ACE Editor Dialog Box - IP

You can edit the fields as follows:
Permission: Radio button that determines whether the ACE is a permit or deny statement.
Source Address: Defines the source address in the ACE. This field is mandatory.
Source Wildcard Mask: Defines the wildcard mask to be applied to the source address. This field is optional.
Comment: You can add a comment about this ACE. The comment appears in-line. This field is optional.
Log Options: Enable this checkbox to log packets that match this ACE.

Editing IP Extended ACE Attributes

Select an ACE that belongs to an IP Extended ACL, then start the ACE Editor on this ACE. There are three tabbed sections, each with a different format, as described in these topics:
Editing IP Extended General Attributes
Editing IP Extended Advanced Attributes
Editing IP Extended Other Attributes

Editing IP Extended General Attributes

Click the General tab to display the IP Extended (General) attributes that can be edited (see Figure 4-14). The ACE being edited is displayed above the Expand button.

Figure 4-14 ACE Editor Dialog Box - IP Extended (General)

You can edit the fields as follows:
Protocol: Drop-down list box that allows you to select from various protocols, such as TCP, IP, ICMP, IGMP. You can also enter a protocol name or number.
Permission: Radio button that determines whether the ACE is a permit or deny statement.
Log Options: Enable this checkbox to log packets that match this ACE.
Source Address: Defines the source address in the ACE. The keyword any is allowed. This field is mandatory.
Source Wildcard Mask: Defines the wildcard mask for the source address. This field is optional.
Destination Address: Defines the destination address in the ACE. The keyword any is allowed. This field is mandatory.
Destination Wildcard Mask: Defines the wildcard mask for the destination address. This field is optional.
Destination Port: If the protocol selected is TCP or UDP, this field specifies the destination port for this ACE. The port relationship is assumed to be =.
Comment: You can add a comment about this ACE. The comment appears in-line. This field is optional.

Editing IP Extended Advanced Attributes

Click the Advanced tab to display the IP Extended (Advanced) attributes that can be edited (see Figure 4-15). The ACE being edited appears above the Expand button.

Figure 4-15 ACE Edit Dialog Box - IP Extended (Advanced)

You can edit the fields as follows:
TCP flags: Select these check boxes to cause the TCP packets to be filtered according to the setting of the appropriate flags (ACK, FIN, PSH, RST, SYN, and URG). Selecting ACK and RST is equivalent to checking Established. This field is not available on all IOS versions.
Source Port Operator: Select an operator from the drop-down list box to define the operation to be performed on the source: eq (equal to), neq (not equal to), gt (greater than), lt (less than), range, or none. This field is available only if the protocol selected in the General tab is TCP or UDP. Only the eq operator is available if Service Class is selected.
Source Port Start: Defines the source port or the start of a range of ports if you selected range as the relation. You can enter a port name or select a name from the drop-down list box.
Source Port End: Applies only if the source operator is range. You can enter a port name or select a name from the drop-down list box.
Destination Port Operator: Select an operator from the drop-down list box to define the operation to be performed on the destination: eq (equal to), neq (not equal to), gt (greater than), lt (less than), range, or none. This field is available only if the protocol selected in the General tab is TCP or UDP. Only the eq operator is available if Service Class is selected.
Destination Port Start: Defines the destination port or the start of a range of ports if you selected range as the relation. You can enter a port name or select a name from the drop-down list box.
Destination Port End: Applies only if the destination operator is range. You can enter a port name or select a name from the drop-down list box.
ICMP Type: ICMP packets can be filtered by message type (a number in the range 0 to 255). This field is optional.
ICMP Code: ICMP packets that are filtered by message type can also be matched by the message code (a number in the range 0 to 255). This field is optional.
ICMP Message: ICMP packets can be filtered by a message name, or message type and code name. Select the message name from the list displayed in the drop-down list box. This field is optional.
IGMP Type: IGMP packets can be filtered by message type (a number in the range 0 to 15 or a message name in the drop-down list box). This field is optional.

Editing IP Extended Other Attributes

Click the Other tab to display the IP Extended (Other) attributes that can be edited (see Figure 4-16). The ACE being edited is displayed in the window above the Expand button. To select either the IP Precedence/TOS or the DSCP options, click the radio button next to the appropriate option. After you have selected either of these options, you may choose a name from the drop-down list box.

Figure 4-16 ACE Editor Dialog Box - IP Extended (Other)

You can edit the fields as follows:
Precedence: Packets can be filtered by precedence level, as specified by a number in the range 0 to 7, or by name. You can select a name from the drop-down list box.
TOS: Packets can be filtered by type of service level, as specified by a number in the range 0 to 15, or by name. You can select a name from the drop-down list box.
Differentiated Services Code Point (DSCP): Packets can be filtered by a DSCP value. This value is specified by a number in the range 0 to 63 or by name. You can select a name from the drop-down list box.
Fragments: Filters non-initial fragments of IP packets. This field is optional.
Dynamic Name: Specifies the name of a dynamic access list. This field is optional.
Dynamic Timeout (minutes): Specifies a maximum time limit (in minutes) that a temporary access list entry can remain within the dynamic access list. The default is infinite and allows an entry to remain permanently. This field is optional.
Time Range Name: Specifies a named time range, which combines at most one fixed interval and zero or more periodic intervals during which this ACL entry is in effect. This range must have been already set up on the device (available only on IOS releases later than 12.0(1)T).
Evaluate ACL: Select this check box to nest a reflexive access list within an ACL. Enter the name of a reflexive ACL. This field is optional.
Reflexive ACL: Select this check box if this entry should create and insert dynamic entries into a reflexive ACL. This is used to filter IP traffic so that TCP or UDP session traffic is permitted through the firewall only if the session originated from within the internal network. This field is optional.
Reflexive Timeout (minutes): Reflexive access list entries expire after no packets in the session have been detected for a certain length of time (the timeout period, in minutes). If you do not specify a timeout for the reflexive list, the list uses the global timeout value. This field is optional.

Editing IPX ACE Attributes

Select an ACL with IPX protocol and open the ACE Editor to display the attributes that can be edited (see Figure 4-17). The ACE being edited appears above the Expand button.

Figure 4-17 ACE Editor Dialog Box - IPX

You can edit the fields as follows:
Permission: Radio button that determines whether the ACE is a permit or deny statement.
Source Network: Defines the source IPX network in the ACE. The keyword any is allowed. This field is mandatory.
Source Node: Defines the source IPX node in the ACE. This field is optional.
Source Mask: Defines the wildcard mask to be applied to the source IPX node. This field is optional.
Destination Network: Defines the destination IPX network of the ACE. The keyword any is allowed. This field is optional.
Destination Node: Defines the destination IPX node of the ACE. This field is optional.
Destination Mask: Defines the wildcard mask to be applied to the destination IPX node. This field is optional.

Editing IPX Extended ACE Attributes

Select an ACL with IPX Extended protocol and open the ACE Editor to display the attributes that can be edited (see Figure 4-18). The ACE being edited appears above the Expand button.

Figure 4-18 ACE Editor Dialog Box - IPX Extended

You can edit the fields as follows:
Protocol: Select a protocol (any, ncp, netbios, rip, sap, spx) from the drop-down list box. This field is mandatory.
Permission: Radio button that determines whether the ACE is a permit or deny statement.
Logging: If the IOS permits this function, enables logging.
Time Range Name: Specifies a named time range, that is, a combination of at most one fixed interval and zero or more periodic intervals during which this ACL entry is in effect. This time range must have already been set up on the device (available only on IOS releases later than 12.0(1)T).
Source Network: Defines the source network address. This field is mandatory.
Source Network Mask: Defines the wildcard mask to be applied to the source network address. This field is optional.
Source Node: Defines the source node. This field is optional.
Source Node Mask: Defines the wildcard mask to be applied to the source node address. This field is optional.
Source Socket: Defines the source socket. Click on the drop-down list box to select the socket. This field is optional.
Destination Network: Defines the destination network address. This field is mandatory.
Destination Network Mask: Defines the wildcard mask to be applied to the destination network address. This field is optional.
Destination Node: Defines the destination node. This field is optional.
Destination Node Mask: Defines the wildcard mask to be applied to the destination node address. This field is optional.
Destination Socket: Defines the destination socket. Click on the drop-down list box to select the socket. This field is optional.

Editing IPX SAP ACE Attributes

Select an ACL with IPX SAP protocol and open the ACE Editor to display the attributes that can be edited (see Figure 4-19). The ACE being edited appears above the Expand button.

Figure 4-19 ACE Editor Dialog Box - IPX SAP

You can edit the fields as follows:
Permission: Radio button that determines whether the ACE is a permit or deny statement.
Network: Defines the network in the ACE. This field is mandatory.
Network Mask: Defines the wildcard mask to be applied to the network address. This field is optional.
Node: Defines the node in the ACE. This field is optional.
Node Mask: Defines a wildcard mask to be applied to the node. This field is optional.
Service Type: Select a service type on which to filter from the drop-down list box. This field is optional.
Server Name: Defines the name of the server that provides the service. This field is optional.

Editing IPX SUMMARY ACE Attributes

Select an ACL with IPX SUMMARY protocol and open the ACE Editor to display the attributes that can be edited (see Figure 4-20). The ACE being edited appears above the Expand button.

Figure 4-20 ACE Editor Dialog - IPX SUMMARY

You can edit the fields as follows:
Permission: Radio button that determines whether the ACE is a permit or deny statement.
Network: Defines the network in the ACE. This field is mandatory.
Network Mask: Defines the wildcard mask to be applied to the network address. This field is optional.
Interface Name: Defines the interface name. You can select the interface from the drop-down list box. This field is optional.
Ticks: Metrics assigned to the route summary. This field is optional.
Area Count: Maximum number of NLSP areas to which the route summary can be redistributed. This field is optional.

Editing RATE LIMIT MAC ACE Attributes

Select an ACL with RATE LIMIT MAC protocol and open the ACE Editor to display the attributes that can be edited (see Figure 4-21). The ACE being edited appears above the Expand button.

Figure 4-21 ACE Editor Dialog Box - RATE LIMIT MAC

You can edit the fields as follows:
MAC Address: Defines the MAC address.

Editing RATE LIMIT PRECEDENCE ACE Attributes

Select an ACL with RATE LIMIT PRECEDENCE protocol and open the ACE Editor to display the attributes that can be edited (see Figure 4-22).

Figure 4-22 ACE Editor Dialog Box - RATE LIMIT PRECEDENCE

You can edit the fields as follows:
Precedence: Select this check box if packets are to be filtered by precedence level. You can specify a number in the range from 0 to 7 or a name.
Precedence Mask: Select this check box if packets are to be matched by mask for filtering by precedence level. Enter the precedence mask (a two-digit hexadecimal number).

Saving ACEs as a Template

You can save selected ACEs as a new template. For information on saving ACLs as a template, see Saving ACLs as Templates.

Procedure
Step 1 Expand the device folder in the ACL Manager Main Window.
Step 2 Expand ACL Definitions.
Step 3 Select the required ACL definition. The ACEs for the definition appear in the right pane (see Figure 4-6).
Step 4 Select the ACEs to form the new template. You cannot select noncontiguous ACEs to save as a template.
Step 5 Select File > Save ACEs As to display the Save As Template dialog box (see Figure 4-5).
Step 6 Select the template directory to hold the new template.
Step 7 Enter the new template name, then click OK. The selected ACEs are replaced by an include template statement in the ACL.

Viewing the Configuration Changes

Use this procedure to view the changes you have made to ACLs or ACL use in the device configuration.

Procedure
Step 1 Select Tools > Diff Viewer from the ACL Manager Main Window to display the Config Diff View window (see Figure 4-23).

Figure 4-23 Config Diff View Window

Step 2 Select the device whose configuration changes you want to examine.
Step 3 Select the ACL or ACL use to view (see Figure 4-24).

Figure 4-24 Config Diff View Window - Selecting the ACL

In this example, there are three changes from the original configuration for ACL 100 in device aclm7505-1:
ACE 4 is inserted
ACE 5 is deleted
ACE 11 is deleted

Step 4 Click Config to view the complete new configuration file (see Figure 4-25).

Figure 4-25 New Configuration File

Step 5 Click OK to return to the Config Diff View.
Step 6 Click Delta to view configuration file changes since the last download. This shows the configuration commands that will be sent to the device to make the required changes to the device configuration (see Figure 4-26).
Step 7 Click OK to return to the Config Diff View.

Figure 4-26 Configuration File Changes

Optimizing the ACL

After you have created or edited the ACL, ACL Manager examines the ACEs and performs redundancy checks, such as removing redundant ACEs. You can also use the Optimizer to determine if further optimization is possible (see Chapter 10, Optimizing ACLs).

Note
Optimization changes the order of ACEs only if it does not change the ACL semantics in any way.
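The following Python is an added example, not ACL Manager's own code, that models the two checks this section and the Reordering ACEs note describe for standard IP ACEs with wildcard masks: whether swapping two adjacent ACEs can change the ACL semantics, and which ACEs are redundant because an earlier ACE already matches everything they would. The sample ACL is constructed, and the conservative swap check is this example's own simplification.

```python
"""Semantic checks on a standard IP ACL: does swapping two adjacent ACEs change
the ACL's meaning, and which ACEs are redundant because an earlier ACE already
matches everything they would match?

Added example, not ACL Manager code; the checks are a simplified model of the
ones the text describes. ACEs use IOS wildcard-mask semantics: a 1 bit in the
wildcard means "don't care". The sample ACL is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

ALL_BITS = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    action: str     # "permit" or "deny"
    address: str    # dotted IPv4 address
    wildcard: str   # IOS wildcard mask, e.g. "0.0.0.255"

    @property
    def fixed(self) -> int:
        """Bits a packet must match: the inverse of the wildcard mask."""
        return ~int(ipaddress.IPv4Address(self.wildcard)) & ALL_BITS

    @property
    def value(self) -> int:
        """Required values on the fixed bits (all other bits zeroed)."""
        return int(ipaddress.IPv4Address(self.address)) & self.fixed


def matches(ace: Ace, ip: str) -> bool:
    return (int(ipaddress.IPv4Address(ip)) & ace.fixed) == ace.value


def overlap(a: Ace, b: Ace) -> bool:
    """Some address matches both ACEs: they agree on every bit both fix."""
    both = a.fixed & b.fixed
    return (a.value & both) == (b.value & both)


def covers(a: Ace, b: Ace) -> bool:
    """Every address matching b also matches a: a fixes no bit that b leaves
    free, and agrees with b on the bits a fixes."""
    return (a.fixed & ~b.fixed & ALL_BITS) == 0 and (b.value & a.fixed) == a.value


def intersection(a: Ace, b: Ace) -> Ace:
    """The addresses matching both a and b (call only when they overlap)."""
    fixed = a.fixed | b.fixed
    return Ace("-", str(ipaddress.IPv4Address(a.value | b.value)),
               str(ipaddress.IPv4Address(~fixed & ALL_BITS)))


def swap_changes_semantics(acl: List[Ace], i: int) -> bool:
    """True if exchanging acl[i] and acl[i + 1] can change the action taken
    for some address. Conservative: an overlap that several earlier ACEs
    together (but no single one) already decide still returns True."""
    a, b = acl[i], acl[i + 1]
    if a.action == b.action or not overlap(a, b):
        return False
    shared = intersection(a, b)
    return not any(covers(earlier, shared) for earlier in acl[:i])


def redundant_aces(acl: List[Ace]) -> List[int]:
    """Indices of ACEs that can never match because an earlier ACE covers
    them; removing such an ACE cannot change the ACL semantics."""
    return [j for j, ace in enumerate(acl)
            if any(covers(earlier, ace) for earlier in acl[:j])]


def evaluate(acl: List[Ace], ip: str) -> str:
    """First-match evaluation with the implicit deny at the end of an IOS ACL."""
    for ace in acl:
        if matches(ace, ip):
            return ace.action
    return "deny"


SAMPLE_ACL = [
    Ace("deny", "10.1.1.5", "0.0.0.0"),        # a single host
    Ace("permit", "10.1.1.0", "0.0.0.255"),
    Ace("deny", "10.1.0.0", "0.0.255.255"),
    Ace("permit", "10.1.2.0", "0.0.0.255"),    # shadowed by the /16 deny above
    Ace("permit", "192.0.2.0", "0.0.0.255"),
]

if __name__ == "__main__":
    print("redundant ACEs:", redundant_aces(SAMPLE_ACL))
    for i in range(len(SAMPLE_ACL) - 1):
        print(f"swapping {i} and {i + 1} changes semantics:",
              swap_changes_semantics(SAMPLE_ACL, i))
```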

Editing Time Range Definitions

You can use the time range definition to control the frequency and/or absolute time range for the ACL to be applied on an interface/line. There are two tabbed sections, each with a different format, as described in these topics:
Time Range Definition - Absolute
Time Range Definition - Periodic

Right-click on the Time Range Definition, then select New Time Range. You can also select ACL > New Time Range. The Time Range window appears (see Figure 4-27).

Time Range Definition - Absolute

Procedure
Step 1 Click the Absolute tab to display the attributes that can be set. The Time Range window appears (see Figure 4-27).

Figure 4-27 Time Range Editor - Absolute

Step 2 Enter the Name for the time range definition. This is a mandatory field.
Step 3 Enter the values for the absolute time range in the Start group:
Time: Start time in hours and minutes.
Day: Day (1 through 31).
Month: Select the month from the drop-down list.
Year: Year.
Step 4 Enter the values for the absolute time range in the End group.
Step 5 Click OK.

Time Range Definition - Periodic

Procedure
Step 1 Click the Periodic tab to display the attributes that can be set. The Time Range window appears (see Figure 4-28).

Figure 4-28 Time Range Editor - Periodic

Step 2 Enter the Name for the time range definition. This is a mandatory field.
Step 3 Enter the values for the periodic time range in the Start group:
Days: Day (Monday through Sunday).
Time: Start time in hours and minutes.
Step 4 Enter the values for the periodic time range in the End group.
Step 5 Click Add to add the Start and End values selected to the Periodic Time Ranges list. To remove an existing Periodic Time Range, select the time range and click Remove. To change the values for an existing Periodic Time Range, select the time range and click Change.
Step 6 Click OK.
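To make the time-range semantics concrete, here is an added Python example (not ACL Manager code) that evaluates a named time range built from one absolute Start/End and periodic Start/End day-and-time pairs, and filters an ACL down to the ACEs in effect at a given moment. The interpretation that a periodic range whose end precedes its start wraps into the following week, and the sample ranges, are this example's assumptions.

```python
"""Evaluate named time ranges of the kind the Time Range Editor defines.

Added example, not ACL Manager code. A time range holds at most one absolute
Start/End (date and time) and zero or more periodic Start/End (day and time)
pairs. Assumed interpretation: the range is in effect when the moment lies
inside the absolute interval (if one is set) and inside at least one periodic
interval (if any are defined). A periodic interval whose end is earlier in the
week than its start wraps past Sunday midnight.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Tuple

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
MINUTES_PER_DAY = 24 * 60


def parse_moment(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' (constructed input format for this example)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def week_minute(day: str, t: time) -> int:
    """Minute of the week (0 = Monday 00:00) for a day name and a time."""
    return DAYS.index(day) * MINUTES_PER_DAY + t.hour * 60 + t.minute


@dataclass(frozen=True)
class Periodic:
    """One periodic interval: the Start (Days, Time) and End (Days, Time) groups."""
    start_day: str
    start: time
    end_day: str
    end: time

    def contains(self, when: datetime) -> bool:
        now = when.weekday() * MINUTES_PER_DAY + when.hour * 60 + when.minute
        begin = week_minute(self.start_day, self.start)
        finish = week_minute(self.end_day, self.end)
        if begin <= finish:
            return begin <= now <= finish
        return now >= begin or now <= finish  # interval wraps into the next week


@dataclass
class TimeRange:
    """A named time range: optional absolute bounds plus periodic intervals."""
    name: str
    absolute_start: Optional[datetime] = None
    absolute_end: Optional[datetime] = None
    periodic: List[Periodic] = field(default_factory=list)

    def in_effect(self, when: datetime) -> bool:
        if self.absolute_start is not None and when < self.absolute_start:
            return False
        if self.absolute_end is not None and when > self.absolute_end:
            return False
        if not self.periodic:
            return True
        return any(p.contains(when) for p in self.periodic)


# Constructed sample ranges.
BUSINESS_HOURS = TimeRange(
    "business-hours",
    absolute_start=parse_moment("2003-01-01 00:00"),
    absolute_end=parse_moment("2003-12-31 23:59"),
    periodic=[Periodic(d, time(8, 0), d, time(17, 0)) for d in DAYS[:5]],
)
MAINTENANCE_WINDOW = TimeRange(
    "weekend-maintenance",
    periodic=[Periodic("Friday", time(22, 0), "Monday", time(6, 0))],
)

# ACEs guarded by a time range: (action, source clause, time range or None).
Entry = Tuple[str, str, Optional[TimeRange]]
SAMPLE_ACL: List[Entry] = [
    ("deny", "any", MAINTENANCE_WINDOW),
    ("permit", "10.1.1.0 0.0.0.255", BUSINESS_HOURS),
    ("deny", "any", None),
]


def active_entries(acl: List[Entry], when: datetime) -> List[Tuple[str, str]]:
    """The ACEs a device evaluates at `when`: an ACE whose time range is not in
    effect is skipped, so the remaining entries decide a packet's fate."""
    return [(action, src) for action, src, tr in acl
            if tr is None or tr.in_effect(when)]


if __name__ == "__main__":
    for text in ("2003-06-04 10:30", "2003-06-07 03:00"):
        moment = parse_moment(text)
        print(moment.strftime("%A %H:%M"), active_entries(SAMPLE_ACL, moment))
```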

Printing the ACL/ACE

You can print the selected ACLs or ACEs to any printer. The printing interface depends on the native operating system running ACL Manager.

CHAPTER 5

Viewing and Editing VACLs

VLAN Access Control Lists (VACLs) are used by Catalyst 6000 family switches to access control all packets they switch, including packets bridged within a VLAN. Earlier, switches operated only at Layer 2: switches switched traffic within a VLAN and routers routed traffic between VLANs. Catalyst 6000 family switches with the Multilayer Switch Feature Card (MSFC) can accelerate packet routing between (or among, if there are more than two) VLANs by using Layer 3 switching or Multilayer Switching (MLS). To support VACLs, the Catalyst 6000 family switch needs to contain the PFC hardware module.

The switch first bridges the packet. The packet is then routed internally without going to the router, and then the packet is bridged again to send it to its destination. During this process, the switch can access control all packets it switches, including packets bridged within a VLAN.

VACLs are used to impose an access-control mechanism on packets entering a VLAN. Standard and extended IOS ACLs are used as a packet classification mechanism and are used to filter packets going in and out of the router. You can create VACLs for filtering packets that belong to the IP, IPX, and MAC protocols. ACL Manager also allows you to apply VACLs on Private VLANs.

These topics describe how to view and edit VACLs and VACEs:
Viewing Existing VACLs
Creating VACLs
Defining VACL Uses
Editing VACLs
Saving VACLs as Templates
Renaming VACLs
Manipulating VACEs
Editing VACEs
Saving VACEs as a Template
Viewing the Configuration Changes
Optimizing the VACL
Printing the VACL/VACE

Viewing Existing VACLs

You can display all VACLs on a particular device in the ACL Manager Main Window contents pane. If you have not yet started ACL Manager, you need to display the ACL Manager Main Window, using this procedure.

Procedure
Step 1 Select ACL Management > View ACLs from Essentials to display the View ACLs dialog box (see Figure 5-1).

Figure 5-1 View ACLs Dialog Box

Step 2 Select a scenario and select Read config from Device to synchronize the Config Archive with the devices in the scenario (get the configuration file). The ACL Manager Main Window appears.

To view VACLs:

Procedure
Step 1 Expand the device folder in the ACL Manager Main Window.
Step 2 Select ACL Definitions. The VACL definitions for the device appear in the right pane (see Figure 5-2).

Figure 5-2 Viewing VACLs

Creating VACLs
VACLs are created under the ACL Definition folder for a particular device. After you create a VACL, you can add VACEs to it.

Procedure
Step 1 Expand the device folder in the ACL Manager Main Window, then select ACL Definitions. The VACL definitions appear in the right pane (see Figure 5-2).
Step 2 Select ACL Definitions, then select New ACL from the ACL Definitions popup menu. The ACL Editor dialog box appears (see Figure 5-3).

Figure 5-3 ACL Editor Dialog Box

Step 3 Enter the following information:
Type: Specifies the type of VACL that you can create on the device. Select a type from the drop-down list box. (The VACL types supported are VACL_IP, VACL_IPX, and VACL_MAC.) You cannot change the type after the VACL is created.
Name: Specify the name of the VACL in the Name field.
Comment: Enter comments to be associated with this VACL.
Step 4 Click OK.

Note
You can select ACL > New ACE from the ACL Manager Main Window to insert VACE entries into the new VACL.

Tip
You can also start the ACL Editor dialog box by clicking the New ACL toolbar icon or by selecting ACL > New ACL from the ACL Manager Main Window.

Defining VACL Uses


Use one of the ACL Use wizards to create a VACL Use (see Chapter 8, ACL Manager Use Wizard).

Editing VACLs
You can use the ACL Editor to change the VACL name or comments about the VACL. If you have not yet started ACL Manager, you need to display the ACL Manager Main Window using this procedure.

Procedure
Step 1 Select ACL Management > Edit ACLs from Essentials to display the Edit ACLs dialog box (see Figure 5-4).
Step 2 Select a scenario, then click Next. The ACL Manager Main Window appears.

Figure 5-4 Edit ACLs Dialog Box

Carry out this procedure from the ACL Manager Main Window.

Procedure
Step 1 Expand the device folder in the ACL Manager Main Window.
Step 2 Select ACL Definitions. The VACLs appear in the right pane (see Figure 5-2).
Step 3 Right-click on the required VACL, then select Edit. The ACL Editor dialog box appears (see Figure 5-3).
Step 4 Enter the fields (see Creating VACLs for field descriptions), then click OK.

Tip
You can insert a comment into a VACL using ACL > New Comment.

Saving VACLs as Templates

You can save a VACL as a new template. (To save VACEs as a template, see Saving VACEs as a Template.)

Procedure
Step 1 Expand the device folder in the ACL Manager Main Window.
Step 2 Select ACL Definitions. The ACLs appear in the right pane (see Figure 5-2).
Step 3 Select the VACL to save.
Step 4 Select File > Save ACL As to display the Save As Template dialog box (see Figure 5-5).
Step 5 Select the template directory to hold the new template.
Step 6 Enter the new template name, then click OK.

Figure 5-5 Save As Template Dialog Box

Renaming VACLs
You can rename an existing VACL. Any VACL uses that reference the existing VACL are changed to reflect the new name.

Procedure
Step 1 Expand the device folder in the ACL Manager Main Window.
Step 2 Select ACL Definitions. The VACLs appear in the right pane (see Figure 5-2).
Step 3 Right-click on the VACL to be renamed, then select Edit. The ACL Editor dialog box appears (see Figure 5-3).
Step 4 Change the information in the Name field, then click OK.

Manipulating VACEs
ACL Manager allows you to manipulate the VACEs of a particular VACL definition. You can:

- Insert a new VACE
- Append a new VACE
- Insert a template include VACE
- Append a comment
- Insert a comment after a VACE
- Reorder VACEs

Inserting a New VACE


You can insert a new VACE above the selected VACE.

Procedure
Step 1  Expand the device folder in the ACL Manager Main Window.
Step 2  Expand ACL Definitions.
Step 3  Select the required VACL definition. The VACEs appear in the right pane (see Figure 5-6).
Step 4  Right-click on the VACE above which the new VACE is to be inserted, then select Insert ACE. The ACE Editor dialog box appears.
Step 5  Enter the parameters for the new VACE (see Editing VACEs).
Step 6  Click OK.

Figure 5-6 Viewing VACEs

Appending a New VACE


You can append a new VACE to the end of the current list.

Procedure
Step 1  Expand the device folder in the ACL Manager Main Window.
Step 2  Expand ACL Definitions.
Step 3  Right-click on the required VACL definition, then select New ACE. The ACE Editor dialog box appears.
Step 4  Enter the parameters for the new VACE (see Editing VACEs for information on editing ACE attributes).
Step 5  Click OK.

Inserting a Template
You can insert a template into a VACL by creating a template include VACE that references the template.

Procedure
Step 1  Expand the device folder in the ACL Manager Main Window.
Step 2  Select ACL Definitions. The VACLs for the device appear in the right pane (see Figure 5-2).
Step 3  Right-click on the required VACL, then select New Include Template. The Template Selection window appears (see Figure 5-7). Only templates appropriate to the VACL type are displayed.
Step 4  Select the template to include.
Step 5  Click Expand to display a window showing the template details (see Figure 5-8).
Step 6  Click OK. The include template VACE is inserted above the selected VACE, or appended to the end of the VACL if no VACE is selected (see Figure 5-9).

Figure 5-7 Template Selection

Figure 5-8 Expanded Template

Figure 5-9 Inserted Template

Appending a Comment
Use the Comment Editor to append a comment to the end of a VACL or VACL template. You can also use the Comment Editor to insert a comment after a VACE (see Inserting a Comment).

Procedure
Step 1  Expand the device folder in the ACL Manager Main Window.
Step 2  Expand ACL Definitions.
Step 3  Right-click on the required VACL, then select New Comment. The Comment Editor dialog box appears (see Figure 5-10).
Step 4  Enter a one-line comment, then click OK. The comment is appended with the prefix "!". Figure 5-11 shows a comment inserted at the end of a VACL.

Figure 5-10 Comment Editor Dialog Box

Inserting a Comment
Use the Comment Editor to insert a comment after a VACE. You can also use the Comment Editor to append a comment at the end of a VACL or VACL template (see Appending a Comment).

Procedure
Step 1  Expand the device folder in the ACL Manager Main Window.
Step 2  Expand ACL Definitions.
Step 3  Select the VACL. The VACEs appear in the right pane.
Step 4  Right-click on the required VACE, then select Insert Comment. The Comment Editor dialog box appears (see Figure 5-10).
Step 5  Enter your comment, then click OK.

Figure 5-11 Inserted Comment

Reordering VACEs
Use the Move ACE Up and Move ACE Down toolbar buttons to move selected VACEs up or down.

Procedure
Step 1  Expand the device folder in the ACL Manager Main Window.
Step 2  Expand ACL Definitions.
Step 3  Select the required VACL definition. The VACEs appear in the right pane (see Figure 5-6).
Step 4  Select the VACE to move. (You can select multiple VACEs using the Shift and Control keys.) To move the VACEs up one position, click the Move ACE Up icon. To move the VACEs down one position, click the Move ACE Down icon.

Note

If you try to reorder VACEs while in physical mode, a warning message appears if the reorder changes the VACL semantics.

Editing VACEs
You can use the ACE Editor to edit a VACE.

Procedure
Step 1  Expand the device folder in the ACL Manager Main Window.
Step 2  Expand ACL Definitions.
Step 3  Select the required VACL definition. The VACEs appear in the right pane (see Figure 5-6).
Step 4  Right-click on the VACE to be edited, then select Edit, or double-click the VACE. The ACE Editor dialog box appears.

Tip

You can also start the ACE Editor dialog box from the Edit menu by selecting Edit > Edit.

The format of the ACE editor dialog box and attributes that can be edited depend on the VACL protocol type, as described in these sections:

- Editing IP VACE Attributes
- Editing IPX VACE Attributes
- Editing MAC VACE Attributes

Specifying Source and Destination Addresses


Most VACE types require you to specify a source address, a destination address, or both. To specify an IP address or hostname as the source or destination address, enter it directly into the appropriate ACE editor field. To specify a network or network class as the source or destination address, use this procedure.

Procedure
Step 1  Click Source Address or Destination Address to open the Network/Class selector dialog box (see Figure 5-12).
Step 2  Select the desired network or network class.
Step 3  Click OK when you have finished.

Figure 5-12 Network/Class Selector

Using the ACE Editor Buttons


The following table explains the buttons at the bottom of the ACE Editor dialog boxes:

Expand
    Expands the VACE. Expansion shows the VACE physical view, the actual Catalyst OS statements that implement the VACE. For example, if the source address class translates to n IP addresses and the destination address class expands to m IP addresses, there will be n x m entries in the expanded VACE and in the Catalyst OS statements that implement it.
New
    Starts editing a new VACE. You are first asked whether to save the changes to the current VACE, carrying its settings into the new VACE, or to discard them. If you save the changes, the ACL Manager Main Window is updated to display the saved VACE.
Prev
    Loads the previous VACE from the VACL. You are first asked whether to save the changes to the current VACE or to discard them. If you save the changes, the ACL Manager Main Window is updated to display the saved VACE.
Next
    Loads the next VACE from the VACL. You are first asked whether to save the changes to the current VACE or to discard them. If you save the changes, the ACL Manager Main Window is updated to display the saved VACE.

Editing IP VACE Attributes


To edit IP VACE attributes, select a VACE that belongs to an IP VACL, then start the ACE Editor on this VACE. There are three tabbed sections, each with a different format, as described in these topics:

- Editing IP General Attributes
- Editing IP Advanced Attributes
- Editing IP Other Attributes

On switches running Cat OS 6.1 or higher, with Supervisor Engine II and PFC II, the first IP VACE in an IP VACL that you create is, by default, permit arp. The attributes of an ARP VACE are:

- You can change the permission to Permit or Deny.
- You cannot reorder the ARP VACE.
- You cannot cut, copy, paste, or delete the ARP VACE.

You cannot save the following as a template:

- An IP VACL containing an ARP VACE.
- An ARP VACE.
- A set of VACEs containing an ARP VACE.

When you apply a VACL IP Template on a VLAN, an ARP VACE is embedded as the first VACE in the VACL that is created. You can download an ARP VACE to a switch along with other VACEs, but not by itself.

On switches running Cat OS 6.2 or higher, with Supervisor Engine II and PFC II, for an ARP VACE, you can also enable logging, but with only the Deny permission.

Editing IP General Attributes


Click the General tab to display the IP General attributes that can be edited (see Figure 5-13). The VACE being edited appears above the Expand button.

Figure 5-13 ACE Editor Dialog Box - IP General

You can edit the fields as follows:

Protocol
    Drop-down list box that allows you to select from various protocols, such as TCP, IP, ICMP, IGMP. You can also enter a protocol name or number (0-255).
Permission
    Radio button that determines whether the VACE is a Permit, Deny, or Redirect to Ports statement. If you choose to redirect to ports, specify the port information.
Log Options
    On switches running Cat OS 6.2 or higher, with Supervisor Engine II and PFC II, you can enable logging by checking the Log option, but only with the Deny permission.
Capture Options
    Captures the packets that are switched normally. This field is optional. The Permit radio button must also be enabled. You must set up the capture ports separately, using the command line interface of the device.
Source Address
    Defines the source address in the VACE. The keyword any is allowed. This field is mandatory.
Source Wildcard Mask
    Defines the wildcard mask for the source address. This field is optional.
Destination Address
    Defines the destination address in the VACE. The keyword any is allowed. This field is mandatory if the permission is redirect, if you select the capture option, or if you do not select IP as the protocol.
Destination Wildcard Mask
    Defines the wildcard mask for the destination address. This field is optional.
Destination Port
    If you select TCP or UDP as the protocol, this field specifies the destination port for this VACE. The port relationship is assumed to be eq (equal to).
Comment
    You can add a comment about this VACE. The comments appear in-line. This field is optional.

Editing IP Advanced Attributes


Click the Advanced tab to display the IP Advanced attributes that can be edited (see Figure 5-14). The VACE being edited appears above the Expand button.
Figure 5-14 ACE Editor Dialog Box - IP Advanced

You can edit the fields as follows:

TCP flags
    Select the established check box to match only TCP packets that belong to an established TCP session. As in other Cisco ACLs, established matches on the ACK or RST flag being set; it does not track connection state.
Source Port Operator
    Select an operator from the drop-down list box to define the operation to be performed on the source port: eq (equal to), neq (not equal to), gt (greater than), lt (less than), range, or none. This field is available only if you have selected TCP or UDP as the protocol in the General tab. Only the eq operator is available if a Service Class is selected.
Source Port Start
    Defines the source port, or the start of a range of ports if you selected range as the operator. You can enter a port name or select a name from the drop-down list box.
Source Port End
    Applies only if the source operator is range. You can enter a port name or select a name from the drop-down list box.
Destination Port Operator
    Select an operator from the drop-down list box to define the operation to be performed on the destination port: eq (equal to), neq (not equal to), gt (greater than), lt (less than), range, or none. This field is available only if you have selected TCP or UDP as the protocol in the General tab. Only the eq operator is available if a Service Class is selected.
Destination Port Start
    Defines the destination port, or the start of a range of ports if you selected range as the operator. You can enter a port name or select a name from the drop-down list box.
Destination Port End
    Applies only if the destination operator is range. You can enter a port name or select a name from the drop-down list box.
ICMP Type
    ICMP packets can be filtered by message type (a number in the range 0 to 255). This field is optional.
ICMP Code
    ICMP packets that are filtered by message type can also be matched by the message code (a number in the range 0 to 255). This field is optional.
ICMP Message
    ICMP packets can be filtered by a message name, or by a message type and code name. Select the message name from the drop-down list box. This field is optional.
IGMP Type
    IGMP packets can be filtered by message type (a number in the range 0 to 15, or a message name from the drop-down list box). This field is optional.

Editing IP Other Attributes


Click the Other tab to display the IP Other attributes that can be edited (see Figure 5-15). The VACE being edited appears in the window above the Expand button.
Figure 5-15 ACE Editor Dialog Box - IP Other

You can edit the fields as follows:

Precedence
    Packets can be filtered by precedence level, as specified by a number in the range 0 to 7, or by name. You can also select a name from the drop-down list box.
TOS
    Packets can be filtered by type of service level, as specified by a number in the range 0 to 15, or by name. You can also select a name from the drop-down list box.

Editing IPX VACE Attributes


Select a VACL with IPX protocol and open the ACE Editor to display the attributes that can be edited (see Figure 5-16). The VACE being edited appears above the Expand button.
Figure 5-16 ACE Editor Dialog Box - IPX

You can edit the fields as follows:

Protocol
    Select a protocol (any, ncp, rip, sap, spx) from the drop-down list box. This field is mandatory.
Permission
    Radio button that determines whether the VACE is a Permit, Deny, or Redirect to Ports statement. If you choose to redirect to ports, specify the port information.
Capture
    Select the check box to ensure packets are switched normally and captured. This field is optional. The Permit radio button must also be selected.
Source Network
    Defines the source network address. This field is mandatory.
Destination Network
    Defines the destination network address. This field is mandatory.
Destination Network Mask
    Defines the wildcard mask to be applied to the destination network address. This field is optional.
Destination Node
    Defines the destination node. This field is optional.
Destination Node Mask
    Defines the wildcard mask to be applied to the destination node address. This field is optional.

Editing MAC VACE Attributes


Select a MAC VACE and open the ACE Editor to display the attributes that can be edited (see Figure 5-17). The VACE being edited appears above the Expand button.

Figure 5-17 ACE Editor Dialog Box - MAC

You can edit the fields as follows:

Permission
    Radio button that determines whether the VACE is a Permit or Deny statement.
Capture
    Select the check box to ensure packets are switched normally and captured. This field is optional. The Permit radio button must also be selected.
Source Address
    Defines the source address. This field is mandatory.
Source Mask
    Defines the wildcard mask to be applied to the source address. This field is optional.
Destination Address
    Defines the destination address. This field is mandatory.
Destination Mask
    Defines the wildcard mask to be applied to the destination address. This field is optional.
Ethertype
    Name or number that matches the ethertype for Ethernet-encapsulated packets. This field is optional.
Destination Node Mask
    Defines the wildcard mask to be applied to the destination node address. This field is optional.

Saving VACEs as a Template


You can save selected VACEs as a new template. For information on saving VACLs as a template, see Saving VACLs as Templates.

Procedure
Step 1  Expand the device folder in the ACL Manager Main Window.
Step 2  Expand ACL Definitions.
Step 3  Select the required VACL definition. The VACEs for the definition appear in the right pane (see Figure 5-6).
Step 4  Select the VACEs to form the new template. You cannot select non-contiguous VACEs to save as a template.
Step 5  Select File > Save ACEs As to display the Save As Template dialog box (see Figure 5-5).
Step 6  Select the template directory to hold the new template.
Step 7  Enter the new template name, then click OK. The selected VACEs are replaced by an include template statement in the VACL.

Viewing the Configuration Changes


Use this procedure to view the changes you have made to VACLs or ACL use in the device configuration.

Procedure
Step 1  Select Tools > Diff Viewer from the ACL Manager Main Window to display the Config Diff View window (see Figure 5-18).

Figure 5-18 Config Diff View Window

Step 2  Select the device whose configuration changes you want to examine.
Step 3  Select the VACL to view (see Figure 5-19).

Figure 5-19 Config Diff View Window - Selecting the VACL

In this example, there are three changes from the original configuration for VACL test-02 in device 192.168.242.146, including:

- VACE 2 is changed
- VACE 3 is deleted

Step 4  Click Config to view the complete new configuration file (see Figure 5-20).

Figure 5-20 New Configuration File

Step 5  Click OK to return to the Config Diff View.
Step 6  Click Delta to view the configuration file changes since the last download. This shows the configuration commands that will be sent to the device to make the required changes to the device configuration (see Figure 5-21).

Figure 5-21 Configuration File Changes

Step 7  Click OK to return to the Config Diff View.

Optimizing the VACL


After you have created or edited the VACL, ACL Manager examines the VACEs and performs redundancy checks such as removing redundant VACEs. You can also use the Optimizer to determine if further optimization is possible (see Chapter 10, Optimizing ACLs). Optimization changes the order of VACEs only if it does not change the VACL semantics in any way.
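The redundancy check described here, and the semantics warning given under Reordering VACEs, as an added example in Python that is not ACL Manager's own code (the VACL entries below are constructed for the example). It models IP VACEs with a wildcard-masked source and destination, the protocol and an optional destination port range; the log, capture and redirect options are not modelled.

```python
"""Redundancy and reorder checks for IP VACEs (added example, not ACL Manager code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

ANY_PORT = (0, 65535)
IP_SUBPROTOCOLS = {"tcp", "udp", "icmp", "igmp"}   # all matched by protocol "ip"


@dataclass(frozen=True)
class Match:
    """An address plus wildcard mask; 1 bits in the mask are 'do not care'."""
    addr: int
    wild: int

    @classmethod
    def parse(cls, text: str) -> "Match":
        parts = text.split()                       # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
        if parts[0] == "any":
            return cls(0, 0xFFFFFFFF)
        if parts[0] == "host":
            return cls(int(IPv4Address(parts[1])), 0)
        return cls(int(IPv4Address(parts[0])), int(IPv4Address(parts[1])))

    def covers(self, other: "Match") -> bool:
        """Every address matched by other is also matched by self."""
        care = ~self.wild & 0xFFFFFFFF
        return (other.wild & care) == 0 and (self.addr & care) == (other.addr & care)

    def overlaps(self, other: "Match") -> bool:
        """At least one address is matched by both."""
        care = ~self.wild & ~other.wild & 0xFFFFFFFF
        return ((self.addr ^ other.addr) & care) == 0


@dataclass(frozen=True)
class Vace:
    action: str                          # permit or deny
    proto: str                           # ip, tcp, udp, icmp, igmp
    src: Match
    dst: Match
    dport: Tuple[int, int] = ANY_PORT    # destination port range; "eq N" is (N, N)


def proto_covers(a: str, b: str) -> bool:
    return a == b or (a == "ip" and b in IP_SUBPROTOCOLS)


def covers(a: Vace, b: Vace) -> bool:
    """ACE a matches every packet that ACE b matches."""
    return (proto_covers(a.proto, b.proto)
            and a.src.covers(b.src) and a.dst.covers(b.dst)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def overlaps(a: Vace, b: Vace) -> bool:
    """Some packet is matched by both ACEs."""
    return ((proto_covers(a.proto, b.proto) or proto_covers(b.proto, a.proto))
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])


def dead_entries(acl: List[Vace]) -> List[Tuple[int, int, str]]:
    """(index, earlier index, kind) for entries that can never fire.

    An entry is dead when an earlier entry already matches everything it
    matches: 'redundant' if the two actions agree (safe to drop), 'shadowed'
    if they differ (dropping it changes nothing, but the order is suspect).
    """
    found = []
    for j, ace in enumerate(acl):
        for i in range(j):
            if covers(acl[i], ace):
                kind = "redundant" if acl[i].action == ace.action else "shadowed"
                found.append((j, i, kind))
                break
    return found


def reorder_changes_semantics(acl: List[Vace], frm: int, to: int) -> bool:
    """Would moving entry frm so that it lands at index to change any decision?

    Passing another entry only matters if the two overlap and apply different
    actions: for the packets both match, whichever now comes first wins.
    """
    moving = acl[frm]
    passed = acl[to:frm] if to < frm else acl[frm + 1:to + 1]
    return any(x.action != moving.action and overlaps(x, moving) for x in passed)
```

dead_entries is the check the Optimizer's redundancy pass needs, and reorder_changes_semantics answers the question behind the physical-mode warning: moving a VACE past an overlapping VACE with the opposite action changes which packets are permitted or denied, while moving it past entries with the same action does not. Two entries that differ only in log, capture or redirect options would have to be treated as having different actions before this check applies to them.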

Printing the VACL/VACE


You can print the selected VACLs or VACE to any printer. The printing interface will depend on the native operating system running the ACL Manager.

Chapter 6

Using the Class Manager


The Class Manager provides the means to lessen the time-consuming task of defining individual ACEs and to improve the consistency of the ACEs. These topics describe the Class Manager and how it works:

- What Is the Class Manager?
- Invoking the Class Manager
- Using Services and Service Classes
- Using Networks and Network Classes
- Using the Class Manager: Example

What Is the Class Manager?


You can use the Class Manager to define networks, network classes, services, and service classes. These can be used within ACEs in an ACL or a template. For example, suppose you use the Class Manager to define a network class called users, consisting of IP address ranges and hostnames of host machines belonging to a set of users, and another network class called fileservers, consisting of IP address ranges and hostnames for a set of server machines. You can now use the ACE editor in ACL Manager to create a single statement that replaces the multiple statements that would otherwise be necessary to achieve the same effect by entering:
permit tcp ftp from @users to @fileservers

Similarly, if you create a network class called Engineering_Hosts, containing the host machines Eng1, Eng2, and Eng3; and another network class called Marketing_Hosts, containing the host machines Mkt1 and Mkt2, you could now create the ACE by entering:
permit ip from Engineering_Hosts to Marketing_Hosts

In IOS, this single statement translates into the equivalent of the following six statements:
permit ip from host Eng1 to host Mkt1
permit ip from host Eng1 to host Mkt2
permit ip from host Eng2 to host Mkt1
permit ip from host Eng2 to host Mkt2
permit ip from host Eng3 to host Mkt1
permit ip from host Eng3 to host Mkt2

You can also use Class Manager to create named TCP or UDP ports or port ranges (services and service classes) for use in ACEs.
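The expansion described above, and what the ACE Editor's Expand button shows for a VACE (see Using the ACE Editor Buttons), as an added example in Python that is not ACL Manager's own code. It goes slightly beyond the guide's example: a network class may hold hostnames, address ranges, named networks (whose subnet mask is converted to the wildcard form an ACL statement takes) and nested classes, and a service class adds a third factor to the product. The class names, hosts, addresses and ports are constructed; hostnames are left symbolic, as in the guide's own example, rather than resolved through DNS, and the generated lines follow the guide's host/wildcard style rather than exact Catalyst OS syntax.

```python
"""Expand class-based ACEs into per-member statements (added example, not ACL Manager code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from itertools import product
from typing import Iterator, List, Optional, Tuple


@dataclass
class Network:
    """A Class Manager network: name, address and subnet mask."""
    name: str
    address: str
    mask: str

    def member(self) -> str:
        net = IPv4Network(f"{self.address}/{self.mask}")
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        # ACL statements take a wildcard mask, the inverse of the subnet mask.
        return f"{net.network_address} {net.hostmask}"


@dataclass
class NetworkClass:
    """Hosts, address ranges, networks and nested classes, as in the Network Class Editor."""
    name: str
    hosts: List[str] = field(default_factory=list)               # hostnames or addresses
    ranges: List[Tuple[str, str]] = field(default_factory=list)  # (first, last) address
    networks: List[Network] = field(default_factory=list)
    classes: List["NetworkClass"] = field(default_factory=list)

    def members(self) -> Iterator[str]:
        for host in self.hosts:
            yield f"host {host}"
        for first, last in self.ranges:
            lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
            for n in range(lo, hi + 1):         # a range becomes one host entry per address
                yield f"host {IPv4Address(n)}"
        for net in self.networks:
            yield net.member()
        for cls in self.classes:                # nested classes expand recursively
            yield from cls.members()


@dataclass
class ServiceClass:
    """TCP or UDP services (single ports) and port ranges, as in the Service Class Editor."""
    name: str
    protocol: str
    services: List[int] = field(default_factory=list)
    ranges: List[Tuple[int, int]] = field(default_factory=list)

    def members(self) -> Iterator[str]:
        for port in self.services:
            yield f"eq {port}"
        for low, high in self.ranges:
            yield f"range {low} {high}"


def expand_ace(action: str, protocol: str, src: NetworkClass, dst: NetworkClass,
               svc: Optional[ServiceClass] = None) -> List[str]:
    """One concrete statement per (source, destination[, destination port]) combination.

    This is the n x m expansion the Expand button displays: n source members
    times m destination members, times the service class members if one is set.
    """
    ports = list(svc.members()) if svc else [""]
    statements = []
    for s, d, p in product(src.members(), dst.members(), ports):
        stmt = f"{action} {protocol} {s} {d}"
        if p:
            stmt += f" {p}"
        statements.append(stmt)
    return statements


if __name__ == "__main__":
    # Constructed sample data mirroring the guide's Engineering_Hosts/Marketing_Hosts example.
    eng = NetworkClass("Engineering_Hosts", hosts=["Eng1", "Eng2", "Eng3"])
    mkt = NetworkClass("Marketing_Hosts", hosts=["Mkt1", "Mkt2"])
    for line in expand_ace("permit", "ip", eng, mkt):      # 3 x 2 = 6 statements
        print(line)
    users = NetworkClass("users", ranges=[("10.1.1.10", "10.1.1.12")],
                         networks=[Network("lab", "10.2.0.0", "255.255.0.0")])
    fileservers = NetworkClass("fileservers", hosts=["10.3.0.5"])
    web = ServiceClass("web", "tcp", services=[80, 443], ranges=[(8080, 8089)])
    print(len(expand_ace("permit", "tcp", users, fileservers, web)), "statements")  # 4 x 1 x 3
```

The count grows multiplicatively, which is why the Expand button is worth pressing before a download: a class of a few dozen hosts on each side of an ACE already produces hundreds of switch statements.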

Class Manager Editors


There are six Class Manager editors:

- Network Editor
- Network Class Editor
- Network Class Entry Editor
- Service Editor
- Service Class Editor
- Service Class Entry Editor

The Class Manager editors allow you to create the appropriate Class Manager entities. You can create a new service using the Service Editor (see Creating a New Service). However, some services are predefined and cannot be modified. You can create a service class consisting of one or more services or port ranges (see Creating a New Service Class). Similarly, you can create a network class (see Creating a New Network Class) using a range of IP addresses, DNS host names, networks, and other network classes. You can also create a named network (see Creating a New Network).

Invoking the Class Manager


You need to start the Class Manager before creating or editing network and service classes. Select Tools > Class Manager from the ACL Manager Main Window. The Class Manager window appears (see Figure 6-1).

Tip

You can open the Class Manager window directly from Essentials by selecting Administration > ACL Management > Edit Class Definition.
Figure 6-1 Class Manager Window

Using the Class Manager Toolbar


The icons specific to the Class Manager toolbar are:

- New Service: Opens a dialog box to create a new service.
- New Service Class: Opens a dialog box to create a new service class.
- New Network: Opens a dialog box to create a new network.
- New Network Class: Opens a dialog box to create a new network class.

Using Services and Service Classes


The ACL Manager maintains a list of names of well-known TCP and UDP port numbers. You can create new port number to name associations using Class Manager. These are known as services. You cannot edit well-known services, but you can rename and change the port number of services that you create. You can reduce the complexity of setting up ACLs by creating Service Classes. Service classes comprise sets of TCP or UDP ports or port ranges. These classes are used in an ACL or ACL template to reduce the time-consuming task of defining individual ACEs for a given set of services or sockets. You can perform these operations on services and service classes:

- Creating a New Service
- Editing a Service
- Creating a New Service Class
- Editing a Service Class
- Editing a Service Class Entry

Creating a New Service


Use this procedure to create a new service from the Class Manager window. To edit an existing service definition, see Editing a Service.

Note

You cannot edit a default service; you can edit only user-defined services.

Procedure
Step 1  Select Services in the Class Manager left pane (see Figure 6-1).
Step 2  Click on the New Service icon in the Class Manager toolbar. The Service Editor dialog box appears (see Figure 6-2).

Figure 6-2 Service Editor Dialog Box

Step 3  Set the appropriate fields, as follows:

Protocol
    Protocol for the service; either TCP or UDP.
Name
    Name to be given to the service definition.
Port Number
    Port number.

Step 4  Click OK when you have finished.

Editing a Service
Use this procedure to edit an existing service definition from the Class Manager window.

Procedure
Step 1  Select the Services folder in the left pane (see Figure 6-1). The service definitions are displayed in the right pane.
Step 2  Right-click on the service to edit, then select Edit. The Service Editor dialog box appears (see Figure 6-2).
Step 3  Make your changes, then click OK.

Creating a New Service Class


Use this procedure to create a new service class from the Class Manager window. To edit an existing service class, see Editing a Service Class.

Procedure
Step 1  Select the Service Classes folder in the left pane.
Step 2  Click on the New Service Class icon. The Service Class Editor dialog box appears (see Figure 6-3).

Figure 6-3 Service Class Editor Dialog Box

Step 3  Set the appropriate fields, as follows:

Name
    Name of the service class.
Protocol
    Protocol for the service; either TCP or UDP.
Port Range
    Defines a range (lowest and highest) of port numbers to be added to the service class.
Service Classes
    Lists all defined service classes for this protocol.
Services
    Lists all defined services that can be added to this service class.
Classes/Services/Ranges
    Shows the classes, services and port ranges belonging to this service class. Click Add to add an item from a left pane into Classes/Services/Ranges. Click Remove to remove an item from Classes/Services/Ranges.

Step 4  Click OK to apply the changes and close the dialog box.

Editing a Service Class


Use this procedure to edit an existing service class from the Class Manager window. To create a new service class, see Creating a New Service Class.

Procedure
Step 1  Select the Service Classes folder in the left pane (see Figure 6-1). The service classes appear in the right pane.
Step 2  Right-click on the service class to be edited, then select Edit. The Service Class Editor dialog box appears (see Figure 6-3).
Step 3  Make your changes, then click OK.

Editing a Service Class Entry


Use this procedure to edit an existing or new service class entry from the Class Manager window.

Procedure
Step 1  Select the Service Classes folder in the left pane, then select the service class to be edited.
Step 2  Right-click the service class entry to be edited, then select Edit. The Service Class Entry Editor dialog box appears.
Step 3  Make your changes, then click OK.

Identifying Devices That Use Service Class


You can use the Class Manager to identify all devices that use a service class.

Procedure
Step 1  From the ACL Manager Main Window, select Tools > Class Manager. The Class Manager window appears.
Step 2  Expand the Service Classes folder to show all service classes.
Step 3  Expand the required service class, then select Service Class Device Uses. The devices and ACLs using this service class appear in the right pane (see Figure 6-4).

Figure 6-4 Viewing Devices That Use Service Class

Device
    Identifies the device to which the service class has been applied.
ACL Number / Name
    Shows the number or name of the ACL using the service class on this device.
Service Class Instance Valid
    Shows whether the current service class contents have changed since the last download of this ACL to the device. If the service class instance on a device is invalid, select the device(s), right-click the selection, and select Synch Service Class on device(s) to update the service class definition on the device(s).

Tip

You can also start the Class Manager window from Essentials by selecting Administration > ACL Management > Edit Class Definitions.

Using Networks and Network Classes


A network is defined by an IP address, a network mask, and its name. You can perform these operations on networks and network classes:

- Creating a New Network
- Editing a Network
- Creating a New Network Class
- Editing a Network Class
- Editing a Network Class Entry

Creating a New Network


Use this procedure to create a new network from the Class Manager window. To edit an existing network, see Editing a Network.

Procedure
Step 1  Click Networks in the left pane (see Figure 6-1).
Step 2  Click on the New Network icon in the Class Manager toolbar. The Network Editor dialog box appears (see Figure 6-5).

Figure 6-5 Network Editor Dialog Box

Step 3  Set the appropriate fields, as follows:

Network name
    Name to be given to the network definition.
IP address
    Network IP address.
Mask
    Network mask (IP dotted notation).

Step 4  Click OK when you have finished.

Editing a Network
Use this procedure to edit an existing network definition from the Class Manager window. To create a new network, see Creating a New Network.

Procedure
Step 1  Select the Networks folder in the left pane (see Figure 6-1). The network definitions are displayed in the right pane.
Step 2  Right-click on the network to edit, then select Edit. The Network Editor dialog box appears (see Figure 6-5).
Step 3  Make your changes, then click OK.

Creating a New Network Class


Use this procedure to create a new network class from the Class Manager window. To edit an existing network class definition, see Editing a Network Class.

Procedure
Step 1  Select the Network Classes folder in the left pane (see Figure 6-1).
Step 2  Click on the New Network Class icon. The Network Class Editor dialog box appears (see Figure 6-6).


Figure 6-6 Network Class Editor Dialog Box

Step 3 Set the appropriate fields, as follows:

Field                  Description
Name                   Network class name.
Hosts                  Name of a host to be added to the network class.
Address Range          Defines a range of IP addresses to be added to the network class.
Network Classes        Lists all defined network classes that can be added to this network class.
Networks               Lists all defined networks that can be added to this network class.
Hosts/Address Ranges   Shows the hosts and address ranges defined so far in this network class.

When setting the above fields, you can:
    Click Add to add a field from a left pane to a right pane.
    Click Remove to remove a field from the right pane.

Step 4 Click OK to apply the changes and close the dialog box.

Editing a Network Class


Use this procedure to edit an existing network class from the Class Manager window.

Procedure
Step 1 Select the Network Class folder in the left pane (see Figure 6-1). The network classes appear in the right pane.
Step 2 Right-click on the network class to be edited, then select Edit. The Network Class Editor dialog box appears (see Figure 6-6).
Step 3 Make your changes, then click OK.


Editing a Network Class Entry


Use this procedure to edit an existing network class entry from the Class Manager window.

Procedure
Step 1 Select the Network Class folder in the left pane, then select the network class to be edited.
Step 2 Right-click the network class entry to be edited, then select Edit. The Network Class Entry Editor dialog box appears.
Step 3 Make your changes, then click OK.

Identifying Devices That Use Network Class


You can use the Class Manager to identify all devices that use a given network class.

Procedure
Step 1 From the ACL Manager Main Window, select Tools > Class Manager. The Class Manager window appears.
Step 2 Expand the Network Classes folder to show all network classes.
Step 3 Expand the required network class, then select Network Class Device Uses. The devices and ACLs using this network class are displayed in the right pane (see Figure 6-7).


Figure 6-7 Viewing Devices That Use Network Class

Field                          Description
Device                         Identifies the device to which the network class has been applied.
ACL Number / Name              Shows the number or name of the ACL using the network class on this device.
Network Class Instance Valid   Shows whether the current network class contents have changed since the last download of this ACL to the device. If the network class instance for a device is invalid, select the invalid device(s), right-click the selection, and select Synch Network Class on device(s) to update the network class definition on the device(s).

Tip

You can also start the Class Manager main window from Essentials by selecting Administration > ACL Management > Edit Class Definitions.


Using the Class Manager: Example


This example shows how to use Class Manager to create a complex ACL with one logical ACE, but multiple physical ACEs.

Procedure
Step 1 Create a network definition called MainDataCenter. Use the IP dot notation address and a network mask to define a range of IP addresses (see Figure 6-8).
Figure 6-8 Example - Network Definition

Step 2 Use the Network Class Editor to define a network class containing all the end host addresses of the workstations used in the group called USR-Finance (see Figure 6-9).


Figure 6-9 Example - Workstation Addresses

Step 3 Create a service class called StandardServices that includes the desired range of services (for example, pop2, pop3, Telnet, ftp-data, ftp, and port range 1024 to 1034). Use ACL Manager, the ACE editor, and the Network/Class Selector to create one logical ACE of the form:

    permit tcp standardservice from @USR-Finance to @MainDataCenter

Step 4 This can be interpreted as permitting TCP traffic from all 11 source addresses specified in the class @USR-Finance to the destination addresses specified by MainDataCenter, on the ports specified by StandardServices.
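The expansion that Steps 3 and 4 describe, together with the Network Class Instance Valid check from Identifying Devices That Use Network Class, as an added Python illustration that is not part of this guide or of the ACL Manager product. The class model (hosts, address ranges, networks, nested classes), the service class, the sample addresses, and the digest-based validity check are this example's own assumptions; the IOS extended-ACL syntax it emits is standard IOS.

```python
"""Expand Class Manager network and service classes into the physical ACEs
that one logical ACE stands for, and detect when a class instance on a
device has gone stale.

Added illustration, not code from ACL Manager: the class model mirrors the
Network Class Editor fields (hosts, address ranges, networks, nested
classes) and the StandardServices example in Chapter 6.  The IOS
extended-ACL syntax is standard; all addresses below are constructed.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field


def _match(net: ipaddress.IPv4Network) -> str:
    """IOS source/destination term: 'host A' for a single address, otherwise
    'network wildcard' (IOS wants the inverse mask, not the network mask)."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


@dataclass
class Network:
    """Network Editor entry: name, IP address, dotted network mask."""
    name: str
    address: str
    mask: str

    def expand(self) -> list:
        net = ipaddress.IPv4Network(f"{self.address}/{self.mask}", strict=False)
        return [_match(net)]


@dataclass
class NetworkClass:
    """Network Class Editor entry; members may be hosts, address ranges,
    networks or other network classes."""
    name: str
    hosts: list = field(default_factory=list)     # "192.0.2.11", ...
    ranges: list = field(default_factory=list)    # ("192.0.2.0", "192.0.2.3"), ...
    networks: list = field(default_factory=list)  # Network objects
    classes: list = field(default_factory=list)   # nested NetworkClass objects

    def expand(self) -> list:
        terms = [f"host {h}" for h in self.hosts]
        for first, last in self.ranges:
            lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
            # A range is emitted as the fewest CIDR blocks that cover it exactly.
            terms += [_match(b) for b in ipaddress.summarize_address_range(lo, hi)]
        for n in self.networks:
            terms += n.expand()
        for sub in self.classes:
            terms += sub.expand()
        return terms


@dataclass
class ServiceClass:
    """Service class: protocol plus named ports, numbers or (low, high) ranges."""
    name: str
    protocol: str = "tcp"
    ports: list = field(default_factory=list)

    def port_terms(self) -> list:
        return [f"range {p[0]} {p[1]}" if isinstance(p, tuple) else f"eq {p}"
                for p in self.ports]


def expand_ace(action: str, service: ServiceClass, src, dst) -> list:
    """One logical ACE -> every physical ACE the device will actually hold."""
    return [f"{action} {service.protocol} {s} {d} {port}"
            for s in src.expand()
            for d in dst.expand()
            for port in service.port_terms()]


def fingerprint(aces: list) -> str:
    """Digest of the expanded ACEs, recorded at download time."""
    return hashlib.sha256("\n".join(aces).encode()).hexdigest()


def instance_valid(downloaded: str, action, service, src, dst) -> bool:
    """The 'Network Class Instance Valid' check: re-expand the classes and
    compare with what was downloaded; any member change makes it False."""
    return fingerprint(expand_ace(action, service, src, dst)) == downloaded


# Constructed sample data following the Chapter 6 example (11 workstations).
MAIN_DATA_CENTER = Network("MainDataCenter", "10.20.0.0", "255.255.0.0")
USR_FINANCE = NetworkClass("USR-Finance", hosts=[f"192.0.2.{i}" for i in range(11, 22)])
STANDARD_SERVICES = ServiceClass(
    "StandardServices", "tcp", ["pop2", "pop3", "telnet", "ftp-data", "ftp", (1024, 1034)])

if __name__ == "__main__":
    physical = expand_ace("permit", STANDARD_SERVICES, USR_FINANCE, MAIN_DATA_CENTER)
    print(f"{len(physical)} physical ACEs; first: {physical[0]}")
```

With the constructed data the single logical ACE becomes 66 physical ACEs (11 hosts times 6 port terms). Storing the fingerprint with each download is what lets a later change to any class member be reported as an invalid instance rather than silently diverging from the device.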


Chapter 7

Using the Template Manager


Use the Template Manager to define and apply ACL policies for filtering traffic. These topics describe the Template Manager and how it works:

What is the Template Manager?
Starting the Template Manager
Creating a New Template
Editing an Existing Template
Creating and Inserting Template Folders
Identifying Devices That Use an ACL Template

What is the Template Manager?


Use the Template Manager to create, modify, and use templates across scenarios. Only users with administrator privileges can create templates, but all users can view and use them. Once they are created, templates are saved in a directory hierarchy. If you change the base template, you can instruct the Template Manager to update all the devices to which a given template has been applied. You can apply templates created with the Template Manager by accessing the ACL Manager Use Wizard (refer to Chapter 8, ACL Manager Use Wizard). You can also modify an ACL or set of ACEs you saved in a template. Multiple sessions of the Template Manager can run at the same time.


Starting the Template Manager


This section explains how to start the Template Manager. Select Tools > Template Manager from the ACL Manager Main Window. The Template Manager window appears (see Figure 7-1).
Figure 7-1 Template Manager Window

Tip

You can also start the Template Manager from Essentials by selecting Administration > ACL Management > Edit ACL Templates.

Using the Template Manager Toolbar


The icons specific to the Template Manager toolbar are:

New Template: Opens a dialog box to create a new template.
New Folder: Opens a dialog box to create a new template folder in the template directory.


Template Attributes
The template attributes appear in the right pane.

Field               Description
Name                The name of the template.
Type                The ACL type (IP, IP_EXTENDED, IPX, IPX_EXTENDED, IPX_SAP, IPX_SUMMARY, RATE_LIMIT_MAC, RATE_LIMIT_PRECEDENCE, VACL_IP, VACL_IPX, and VACL_MAC).
Creation Date       Date and time the template was created.
Created By          Name of the person who created the template.
Modification Date   Date and time the template was last modified.
Last Modified By    Name of the user who last modified the template.
Description         Comments inserted by the user during creation or modification.

Creating a New Template


Use this procedure to create a new template from the Template Manager window. To edit an existing template, refer to Editing an Existing Template.

Procedure
Step 1 Select the Template root directory or the folder in which you want the new template to reside (see Figure 7-1).
Step 2 Click on the New Template icon in the toolbar. The Template Editor dialog box appears (see Figure 7-2).


Figure 7-2 Template Editor Dialog Box

Step 3 Set the appropriate fields as follows:

Field      Description
Type       The ACL type (IP, IP_EXTENDED, IPX, IPX_EXTENDED, IPX_SAP, IPX_SUMMARY, RATE_LIMIT_MAC, RATE_LIMIT_PRECEDENCE, VACL_IP, VACL_IPX, VACL_MAC).
Name       Name to be given to the new template.
Comment    Comments on the new template.

Step 4 Click OK when you have finished.

You can also save ACLs and ACEs as templates (see Chapter 4, Viewing and Editing ACLs).


Editing an Existing Template


Use this procedure to edit an existing template from the Template Manager window. To create a new template, refer to Creating a New Template.

Procedure
Step 1 Expand the folder containing the template to edit.
Step 2 Right-click on the template, then select Edit. The Template Editor dialog box appears (see Figure 7-2).
Step 3 Make your changes, then click OK.

You can also insert a comment into a template's ACEs (see Appending a Comment in Chapter 6, Using the Class Manager).

Editing the Contents of a Template


See:
    Manipulating ACEs, in Viewing and Editing ACLs, Chapter 4.
    Manipulating VACEs, in Viewing and Editing VACLs, Chapter 5.

Creating and Inserting Template Folders


You can create or insert new folders under the Template root directory or under an existing folder.

Procedure
Step 1 Select the Template root directory or the folder in which you want the new folder to reside (see Figure 7-1).
Step 2 Click on the New Folder icon in the Template Manager toolbar. The New Folder dialog box appears (see Figure 7-3).

Figure 7-3 New Folder Dialog Box

Step 3

Enter the name for the new folder, then click OK.

Identifying Devices That Use an ACL Template


You can use the ACL Template Manager to identify all devices that use an ACL Template.

Procedure
Step 1 From the ACL Manager Main Window, select Tools > Template Manager. The Template Manager window appears.
Step 2 Expand the template folder to show all templates, if necessary.
Step 3 Expand the required template, then select Template Device Uses. The devices and ACLs using this template appear in the right pane (see Figure 7-4).

Figure 7-4 Viewing Devices That Use an ACL Template

Field                     Description
Device                    Identifies the device to which the ACL template has been applied.
ACL Number / Name         Shows the number or name of the ACL using the template on this device.
Template Instance Valid   Shows whether the current template contents have changed since the last download of this ACL to the device. If the template instance for a device is invalid, select the invalid device(s), right-click the selection, and select Synch Template on device(s).


Tip

You can also start the Template Manager Main Window from Essentials by selecting Administration > ACL Management > Edit ACL Templates.


Chapter 8

ACL Manager Use Wizard


This chapter describes how to:

Create ACLs from previously created templates. See:
    Applying an ACL Template to a Specific Device
    Applying an ACL Template to Multiple Devices

Define Uses for previously created ACLs, or ACLs that have been newly created from templates. See Defining ACL Uses.

Defining ACL Uses


From the ACL Manager Main Window, you can use the Use ACL wizard to apply device ACLs to control packet filtering, line access, SNMP community access, SNMP TFTP server, and VLAN packet filtering. Packet filtering, line access, SNMP community access, and SNMP TFTP server are applicable to Router ACLs. VLAN packet filtering is applicable to VACLs.


You can define a Use for an ACL by:

Step 1 Defining an ACL Use with the Use ACL Wizard.
Step 2 Selecting Interfaces, Lines, SNMP Community Settings or VLANs.
Step 3 Completing the Use ACL Wizard Summary.
Step 4 Displaying Use ACL Wizard Results.

Right-click on the ACL to be applied, then select Use ACL. The Use Selection window appears (see Figure 8-1). You can also display the ACL Use Selection dialog box by clicking the Create Uses button in the ACL Results dialog box.

Defining an ACL Use with the Use ACL Wizard


Procedure
Step 1 If you have created or selected an IOS ACL (see Figure 8-1), select one of these from the Use Selection window:
    Packet Filtering
    Line Access
    SNMP Community Access
    SNMP TFTP Server

If the ACL created or selected is a VACL, select VLAN Packet Filtering from the Use Selection window. (In such a case, the Use Selection window displays only VLAN Packet Filtering.)


Figure 8-1 Use Selection

Step 2 Click Next. Based on your Use selection in Step 1, one of the following dialog boxes is displayed:
    Interface Selection dialog box: if you selected Packet Filtering. (See Selecting Interfaces for Packet Filtering with the Use ACL Wizard.)
    Line Selection dialog box: if you selected Line Access. (See Selecting Lines for Line Access with the Use ACL Wizard.)
    SNMP Community Setting dialog box: if you selected SNMP Community Access. (See SNMP Community Settings with the Use ACL Wizard.)
    Summary dialog box: if you selected SNMP TFTP Server. (See Completing the Use ACL Wizard Summary.)
    VLAN Selection dialog box: if you selected VLAN Packet Filtering. (See Selecting VLANs for VLAN Packet Filtering with Use ACL Wizard.)

Selecting Interfaces, Lines, SNMP Community Settings or VLANs

Based on your selection of the ACL Use in the Use ACL window, you can specify the following for the Use that you want to create:
    Interfaces. (See Selecting Interfaces for Packet Filtering with the Use ACL Wizard.)
    Lines. (See Selecting Lines for Line Access with the Use ACL Wizard.)
    SNMP Community Settings. (See SNMP Community Settings with the Use ACL Wizard.)
    VLANs. (See Selecting VLANs for VLAN Packet Filtering with Use ACL Wizard.)

Selecting Interfaces for Packet Filtering with the Use ACL Wizard
To select interfaces for packet filtering:

Procedure
Step 1 From the Interface Selection window (see Figure 8-2), select the incoming (In) and outgoing (Out) interfaces of the device for which you are defining the Use.


Figure 8-2 Interface Selection

Step 2 Click Next to display the Summary dialog box (see Completing the Use ACL Wizard Summary).

Selecting Lines for Line Access with the Use ACL Wizard
Procedure
Step 1 From the Line Selection window (see Figure 8-3), select the incoming (In) and outgoing (Out) lines to which you want to apply the ACL.


Figure 8-3 Line Selection

Step 2 Click Next to display the Summary dialog box (see Completing the Use ACL Wizard Summary).

SNMP Community Settings with the Use ACL Wizard


Procedure
Step 1 In the SNMP Community Settings dialog box (see Figure 8-4), enter the Community String. This is a mandatory field.


Figure 8-4 SNMP Community Access Settings

Step 2 Enter the View Name. This is an optional field. You should provide a view name that already exists on the device. For some IOS versions, if you specify a view name that does not exist on the device, the view name does not get created, and the download fails.
Step 3 Select Access Type. By default, Access Type is read only. You can select Read/Write mode if required.
Step 4 Click Next. The Summary dialog box appears for the selections made for this ACL (see Completing the Use ACL Wizard Summary).


Selecting VLANs for VLAN Packet Filtering with Use ACL Wizard
Procedure
Step 1 Select the VLAN(s) for the device (see Figure 8-5) from the Use Selection dialog box.
Figure 8-5 VLAN Selection

Step 2 Click Next. The Summary dialog box appears (see Completing the Use ACL Wizard Summary).


Completing the Use ACL Wizard Summary


The Summary dialog box (see Figure 8-6) displays the selections of interfaces made for the ACL that will be applied to the device.
Figure 8-6 Summary

Procedure
Step 1 From the Summary dialog box, select the Overwrite existing ACL Uses? check box to overwrite an existing ACL use on any of the following:
    Selected interfaces on the device (for packet filtering)
    Selected lines on the device (for line access)
    SNMP Community String on the device (for SNMP Community Settings)
    SNMP TFTP Server list on the device (for SNMP TFTP Server)
    VLAN on the device (for VLAN Packet Filtering)

Step 2 Click Finish to display the Results window (see Displaying Use ACL Wizard Results).

Displaying Use ACL Wizard Results


The Results window displays the results of creating the Use on the selected interfaces (for packet filtering), lines (for line access), device (for SNMP Community Access and SNMP TFTP Server) or VLAN (for VLAN Packet Filtering). The Use Creation field displays either:
    OK: if the ACL Use is successfully created on the selected interfaces, lines or devices.
    or
    Failed: if the ACL Use cannot be successfully created on the selected interfaces, lines or devices.

Procedure
Step 1 Examine the Results window (see Figure 8-7).


Figure 8-7 Use ACL Results

Step 2 Click Close to exit the Use ACL wizard. If you had selected:
    Packet Filtering: The ACL is now installed for packet filtering on the specified interfaces.
    Line Access: The ACL is now installed for line access on the specified lines.
    SNMP Community Access: The ACL is now installed for the device.
    SNMP TFTP Server list: The ACL is now installed for the device.
    VLAN Packet Filtering: The ACL is now installed for the selected VLAN.


If you want to check the Use statements, go to the ACL Manager Main Window and navigate to:
    Interfaces: for packet filtering
    Lines: for line access
    Global: for SNMP Community settings and SNMP TFTP Server
    VLANs: for VLAN packet filtering

To invoke the ACL Use Selection dialog box again, you can click Create Uses. See Defining an ACL Use with the Use ACL Wizard.
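What a Use amounts to on the device, as an added Python illustration that is not part of this guide or of the ACL Manager product. It renders each Use type into the IOS configuration lines that bind an ACL to an interface, a line, an SNMP community or the SNMP TFTP server list, applies the Overwrite existing ACL Uses? rule, and reproduces the caveat that a view name must already exist on the device. The IOS commands it emits (ip access-group, access-class, snmp-server community, snmp-server tftp-server-list) are the standard IOS forms for these bindings; the Device and Use types, the constructed inventory, and the decision to report a target that already carries a Use as Failed when the overwrite check box is not selected are assumptions of the example, since the guide does not say how the wizard reports that case.

```python
"""Render an ACL "Use" into the IOS configuration lines it produces and apply
the wizard's "Overwrite existing ACL Uses?" rule and the SNMP view caveat.

Added illustration, not ACL Manager code.  The IOS commands (ip access-group,
access-class, snmp-server community, snmp-server tftp-server-list) are
standard IOS syntax; the device inventory is constructed.  Treating a target
that already has a Use as Failed when overwrite is off is an assumption;
the manual does not say how the wizard reports that case.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    bindings: dict = field(default_factory=dict)  # (kind, target, direction) -> ACL already in use
    views: set = field(default_factory=set)       # SNMP views that exist on the device


@dataclass
class Use:
    kind: str                 # packet_filtering | line_access | snmp_community | snmp_tftp
    acl: str                  # ACL number or name
    targets: list = field(default_factory=list)  # (interface_or_line, "in"|"out")
    community: str = ""       # mandatory for snmp_community
    view: str = ""            # optional; must already exist on the device
    access: str = "RO"        # read-only by default, "RW" on request


def create_use(device: Device, use: Use, overwrite: bool = False) -> dict:
    """Return {target: (status, [config lines])}, status 'OK' or 'Failed' as in
    the wizard's Use Creation field."""
    results = {}

    def claim(key, label, lines):
        # One Use per interface/line/direction (or per device for SNMP): an existing
        # binding blocks the new one unless the overwrite check box was selected.
        if key in device.bindings and not overwrite:
            results[label] = ("Failed", [])
        else:
            device.bindings[key] = use.acl
            results[label] = ("OK", lines)

    if use.kind == "packet_filtering":
        for iface, direction in use.targets:
            claim(("interface", iface, direction), f"{iface} {direction}",
                  [f"interface {iface}", f" ip access-group {use.acl} {direction}"])
    elif use.kind == "line_access":
        for line, direction in use.targets:
            claim(("line", line, direction), f"line {line} {direction}",
                  [f"line {line}", f" access-class {use.acl} {direction}"])
    elif use.kind == "snmp_community":
        if not use.community:
            raise ValueError("community string is mandatory")
        if use.view and use.view not in device.views:
            # Some IOS versions do not create a missing view; the download fails.
            results[device.name] = ("Failed", [])
            return results
        view = f" view {use.view}" if use.view else ""
        claim(("snmp", "community", use.community), device.name,
              [f"snmp-server community {use.community}{view} {use.access} {use.acl}"])
    elif use.kind == "snmp_tftp":
        claim(("snmp", "tftp", ""), device.name,
              [f"snmp-server tftp-server-list {use.acl}"])
    else:
        raise ValueError(f"unknown use kind {use.kind!r}")
    return results


if __name__ == "__main__":
    edge = Device("edge-1", bindings={("interface", "Ethernet0", "in"): "101"},
                  views={"ops-view"})  # constructed
    use = Use("packet_filtering", "120", [("Ethernet0", "in"), ("Serial0", "out")])
    for target, (status, lines) in create_use(edge, use).items():
        print(target, status, lines)
```

Checking the generated lines against the Interfaces, Lines and Global views of the ACL Manager Main Window, as the text above suggests, is the quickest way to confirm that a Use landed where it was meant to and that nothing else was overwritten.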

Applying an ACL Template to a Specific Device


From the ACL Manager Main Window, you can create an ACL from an existing template on a specific device, using the Template Use Wizard. You can use this wizard to create Uses for the newly created ACLs, as follows:
    Packet filtering: on selected interfaces
    Line access: on selected lines
    SNMP community access: on selected VLANs
    SNMP TFTP server: on selected VLANs
    VLAN packet filtering: on selected VLANs

For more information on templates, see Chapter 7, Using the Template Manager. You can create an ACL from an existing template on a specific device, and create a Use for it, by:

Step 1 Selecting a Template with the Template Use Wizard.
Step 2 Selecting a Device.
Step 3 Displaying ACL Creation Results (Single Device).
Step 4 Defining an ACL Use with the Use ACL Wizard.


In the ACL Manager Main Window, select the device on which you want to create an ACL, from the template, then select Apply Template. The Template Selection window appears (see Figure 8-8).

Selecting a Template with the Template Use Wizard


Procedure
Step 1 From the Template Selection window (see Figure 8-8), select the template to be applied.
Figure 8-8 Template Selection


If you want to view the contents of the template, click Expand. The expanded template appears in the ACE Expanded window (see Figure 8-9).
Figure 8-9 Expanded Template

Click Close when you are finished, to exit the ACE Expanded window.
Step 2 Click Next in the Template Selection window. The Device Selection dialog box appears with the selected device highlighted (see Selecting a Device).

Selecting a Device
Procedure
Step 1 In the Device Selection dialog box (see Figure 8-10), the device that you selected in the ACL Manager Main Window for applying the template is highlighted.


Figure 8-10 Device Selection

Step 2 Select the Overwrite existing ACLs? check box to overwrite an existing ACL.
Step 3 Either:
    Select Autonumber the New ACL to generate a number automatically for the new ACL. This option is selected by default.
    or
    Deselect Autonumber the New ACL and enter the ACL name or number in the ACL name or number text field.
Step 4 Click Finish. The ACL Results window appears, with the details of the ACL that you have created (see Displaying ACL Creation Results (Single Device)).


Displaying ACL Creation Results (Single Device)


The ACL Creation Results dialog box (see Figure 8-11) displays the details of the ACLs that you have created by applying a template.
Figure 8-11 Apply Template to Device

Either:
    Click Close if you only want to create an ACL out of the template,
    or
    Click Create Uses to create Uses for such newly created ACLs.

When you click the Create Uses button, the Use Selection dialog box (Figure 8-1) appears. (See Defining an ACL Use with the Use ACL Wizard.) For the complete workflow to create Uses for packet filtering, line access, SNMP Community Access, SNMP TFTP Server or VLAN filtering, see the section Defining ACL Uses.


Applying an ACL Template to Multiple Devices


From the ACL Manager Main Window, you can create an ACL from an existing template on multiple devices, using the Template Use Wizard. If you have not yet started ACL Manager:

Step 1 Select ACL Management > Use ACL Templates from Essentials to bring up the Use Templates dialog box (see Figure 8-12).
Figure 8-12 Use Templates

Step 2 Select a scenario.


Step 3 Select the Read config from Device check box to synchronize the Config Archive with the devices in the scenario (get the configuration file) before starting ACL Manager. The Template Selection Window appears.

If you are already in the ACL Manager Main Window, display the Template Selection Window by selecting Tools > ACL Use Wizard from the ACL Manager Main Window. You can apply a template to multiple devices by:

Step 1 Selecting a Template.
Step 2 Selecting the Devices.
Step 3 Displaying ACL Creation Results (Multiple Devices).
Step 4 Defining ACL Uses for Multiple Devices.

For more information on templates, see Chapter 7, Using the Template Manager.

Selecting a Template
Procedure
Step 1 From the Template Selection dialog box (see Figure 8-8), select the template to be applied. If you want to see the contents of the template, click Expand. The ACE Expanded dialog box appears with the details of the expanded template (see Figure 8-9). Click Close when you are finished in the ACE Expanded dialog box.
Step 2 Click Next in the Template Selection dialog box. The Device Selection dialog box appears with the selected device highlighted (see Selecting the Devices).

Selecting the Devices


Procedure
Step 1 From the Device Selection window (see Figure 8-13), select the required devices to which the template will be applied.
Figure 8-13 Devices Selection

Step 2 Select the Overwrite existing ACLs? check box to overwrite an existing ACL. Either:
    Select Autonumber the New ACL to generate a number automatically for the new ACL. This option is selected by default. If you select this option, a different ACL number may be generated on each device.
    or
    Deselect Autonumber the New ACL and enter the ACL name or number in the ACL name or Number text field.
Step 3 Click Finish. The ACL Results dialog box appears, with the details of the ACLs that you have created (see Displaying ACL Creation Results (Multiple Devices)).

Displaying ACL Creation Results (Multiple Devices)


The Results dialog box displays the results of the ACLs that you have created by applying the template on multiple devices.

Procedure
Step 1 View the results of the ACL creation in the Results dialog box (see Figure 8-14).


Figure 8-14 ACL Creation Results

The ACL Creation field displays Failed if the ACL was not created successfully. Otherwise, it displays OK.
    OK: if the ACL Use is successfully created on the selected interfaces, lines or devices.
    or
    Failed: if the ACL Use cannot be successfully created on the selected interfaces, lines or devices.


Step 2 Either:
    Click Close to exit the Results dialog box after creating ACLs out of the template,
    or
    Click Create Uses to create Uses for the newly created ACLs. The Use Selection dialog box appears (see Figure 8-1). For details, see Defining ACL Uses for Multiple Devices.

Defining ACL Uses for Multiple Devices


Procedure
Step 1 If you have created or selected an IOS ACL (see Figure 8-1), select one of these from the Use Selection window:
    Packet Filtering
    Line Access
    SNMP Community Access
    SNMP TFTP Server

If you have created or selected a VACL, select VLAN Packet Filtering from the Use Selection window. (In such a case, the Use Selection window displays only VLAN Packet Filtering.)
Step 2 Click Next. Based on your Use selection in Step 1, one of the following dialog boxes is displayed:
    Interface Selection dialog box: if you selected Packet Filtering. (See Selecting Interfaces with the Template Use Wizard.)
    Line Selection dialog box: if you selected Line Access. (See Selecting Lines with the Template Use Wizard.)
    SNMP Community Setting dialog box: if you selected SNMP Community Access. (See SNMP Community Settings with the Template Use Wizard.)
    Summary dialog box: if you selected SNMP TFTP Server. (See Completing the Use ACL Wizard Summary.) The summary appears for all the selected devices.
    VLAN Selection dialog box: if you selected VLAN Packet Filtering. (See Selecting VLANs for VLAN Packet Filtering with Template Use Wizard.)
Step 3 View the Summary. (See Completing the Use ACL Wizard Summary.)
Step 4 Display the results for the ACL Uses. If you had selected:
    Packet Filtering: The ACL is now installed for packet filtering on the specified interfaces on the selected devices.
    Line Access: The ACL is now installed for line access on the specified lines on the selected devices.
    SNMP Community Access: The ACL is now installed for the selected devices.
    SNMP TFTP Server list: The ACL is now installed for the selected devices.
    VLAN Packet Filtering: The ACL is now installed for the selected VLAN on the selected devices.

Selecting Interfaces with the Template Use Wizard


Procedure
Step 1 From the Interface Selection window for the first device, select the incoming (In) and outgoing (Out) interfaces of the device. To select the same interfaces on all subsequent devices, select Treat all subsequent devices exactly like this device? If you select this option and subsequent devices do not have the specified interfaces, the subsequent devices will be skipped. Click Next.
Step 2 Repeat Step 1 for all devices. After you have selected the last device, the Summary dialog box appears (see Completing the Use ACL Wizard Summary).

Selecting Lines with the Template Use Wizard


Procedure
Step 1 From the Line Selection window for the first device, select the incoming (In) and outgoing (Out) lines of the device to which the template will be applied. To select the same lines on all subsequent devices, select Treat all subsequent devices exactly like this device? If you select this option and subsequent devices do not have the specified lines, the subsequent devices will be skipped. Click Next.
Step 2 Repeat Step 1 for all devices. After you have selected the last device, the Summary dialog box appears (see Completing the Use ACL Wizard Summary).

SNMP Community Settings with the Template Use Wizard


Procedure
Step 1 Enter the Community String. This is a mandatory field.
Step 2 Enter the View Name. This is an optional field. You should provide a view name that already exists on the device. For some IOS versions, if you specify a view name that does not exist on the device, the view name does not get created, and the download fails.
Step 3 Select Access Type. By default, Access Type is read only. You can select Read/Write mode if required. To select the same settings on all subsequent devices, select Treat all subsequent devices exactly like this device?
Step 4 Click Next.
Step 5 Repeat Step 5 as required. After you select the last device, the Summary dialog box appears (see Completing the Use ACL Wizard Summary).

Selecting VLANs for VLAN Packet Filtering with Template Use Wizard
Procedure
Step 1 Select the VLAN(s) of the device. To select the same settings on all subsequent devices, select Treat all subsequent devices exactly like this device? If you select this option and subsequent devices do not have the specified VLAN(s), the subsequent devices will be skipped. Click Next.
Step 2 Repeat Step 3 as required. After you select the last device, the Summary dialog box appears (see Completing the Use ACL Wizard Summary).
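The multi-device behaviour described in Applying an ACL Template to Multiple Devices, as an added Python illustration that is not part of this guide or of the ACL Manager product: per-device Autonumber (so the same template can end up with a different ACL number on each device), the Overwrite existing ACLs? check box, and the Treat all subsequent devices exactly like this device? option that skips any device lacking the interfaces chosen on the first one. The device inventory is constructed, and picking the lowest free number in the IOS range for the template's ACL type is this example's assumption about how Autonumber chooses; the guide says only that the number may differ per device.

```python
"""Plan applying one ACL template to several devices: per-device
autonumbering, the "Overwrite existing ACLs?" check box, and the "Treat all
subsequent devices exactly like this device?" rule that skips devices lacking
the chosen interfaces.

Added illustration, not ACL Manager code; the inventory is constructed.
Picking the lowest free number in the IOS range for the template's ACL type
is an assumption about how Autonumber chooses a number; the manual says only
that the number may differ per device.
"""
from dataclasses import dataclass, field

# IOS numbered IP ACL ranges: standard 1-99 and 1300-1999, extended 100-199 and 2000-2699.
ACL_NUMBER_RANGES = {
    "IP": [(1, 99), (1300, 1999)],
    "IP_EXTENDED": [(100, 199), (2000, 2699)],
}


@dataclass
class Device:
    name: str
    acls: set = field(default_factory=set)        # ACL numbers/names already configured
    interfaces: set = field(default_factory=set)  # interface names present on the device


def autonumber(device: Device, acl_type: str) -> str:
    """Lowest number in the type's range that the device does not already use."""
    for low, high in ACL_NUMBER_RANGES[acl_type]:
        for n in range(low, high + 1):
            if str(n) not in device.acls:
                return str(n)
    raise RuntimeError(f"{device.name}: no free {acl_type} ACL number")


def plan_template_use(devices, acl_type, selections, treat_all_alike,
                      explicit_id=None, overwrite=False) -> dict:
    """selections maps device name -> {(interface, "in"|"out"), ...}.  With
    treat_all_alike the first device's selection applies to every device and
    devices lacking any chosen interface are skipped, as the wizard does."""
    first = devices[0]
    results = {}
    for dev in devices:
        if dev is first or treat_all_alike:
            chosen = selections[first.name]
        else:
            chosen = selections.get(dev.name, set())
        missing = {iface for iface, _ in chosen} - dev.interfaces
        if missing:
            results[dev.name] = {"status": "Skipped", "missing": sorted(missing)}
            continue
        if explicit_id is not None:
            # Autonumber deselected: the given name/number must be free unless overwriting.
            if explicit_id in dev.acls and not overwrite:
                results[dev.name] = {"status": "Failed", "reason": f"ACL {explicit_id} exists"}
                continue
            acl = explicit_id
        else:
            acl = autonumber(dev, acl_type)
        results[dev.name] = {"status": "OK", "acl": acl, "uses": sorted(chosen)}
    return results


if __name__ == "__main__":
    # Constructed inventory: r2 lacks Serial0 and so is skipped.
    fleet = [Device("r1", {"100", "101"}, {"Ethernet0", "Serial0"}),
             Device("r2", {"100"}, {"Ethernet0"}),
             Device("r3", set(), {"Ethernet0", "Serial0"})]
    for name, outcome in plan_template_use(
            fleet, "IP_EXTENDED", {"r1": {("Serial0", "in")}}, True).items():
        print(name, outcome)
```

Reviewing the Skipped entries before clicking Finish is the practical check here: a device that silently drops out of the rollout is a device left without the intended filter.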


Chapter 9

Scheduling and Downloading


An ACL job definition is a set of devices and the commands associated with those devices that you must download to reconfigure them. With the ACL Manager scheduling mechanism, you can schedule the download immediately or at a specified date and time. You can require approval of a job before its download is scheduled. The scheduled job is sent to the server, and when the scheduled time arrives, the server downloads the configuration changes to the affected devices. Alternatively, you can save the configuration changes as files on the server and use them for any purpose, including manually changing the device configuration. These topics describe how to use the Downloader and the Job Browser:

Enabling Job Approval Scheduling Downloads Saving Changes to Disk Browsing Job Status and Results Viewing a Job Scenario Editing and Resubmitting Jobs Canceling Pending Jobs and Purging Old Jobs What to Do If Your Download Fails


Enabling Job Approval


Configure ACL Manager for Job Approval. Your login determines whether you can use this option.

Procedure
Step 1

Select Resource Manager Essentials > Administration > Job Approval > Edit Preferences.

Step 2

Select the ACL Manager tab (see Figure 9-1).

Figure 9-1 Edit Preferences - ACL Manager

Step 3

Select the Enable Job Approval check box to enable or disable Job Approval in ACL Manager.

Step 4

Click Apply to apply the changes.

Note

To receive email notification, set the SMTP server on Windows 2000 server using Resource Manager Essentials > System Configuration.


Scheduling Downloads
You can use the Schedule Config Download Job dialog box to select devices and schedule downloads. If you have not yet started ACL Manager, you need to display the Schedule Config Download Job dialog box using this procedure.

Procedure
Step 1

Select ACL Management > Schedule Downloads from Essentials to display the Schedule Downloads dialog box (see Figure 9-2).
Figure 9-2 Schedule Downloads Dialog Box


Step 2

Select a scenario, then select Read config from Device to synchronize the Config Archive with the devices in the scenario (get the configuration file). The Schedule Config Download Job dialog box appears (see Figure 9-3). If you are already in the ACL Manager Main Window, do one of the following to display the Schedule Config Download Job dialog box:

Select Tools > ACL Downloader.
Click on the ACL Downloader toolbar icon.

Figure 9-3 Schedule Config Download Job Dialog Box


Procedure
To download an ACL job:
Step 1

Select the devices.

Step 2

Select the download options to apply.

Step 3

Select the approver.

Step 4

Verify the configuration changes to be downloaded.

Step 5

Schedule the download.

When an ACL job is scheduled on a scenario, a copy of the scenario is made to avoid conflicting changes. The only operation you can perform on the scenario is to view it in ACL Manager Job Browser (as described in Viewing a Job Scenario).

Selecting the Devices


Use the Schedule Config Download Job dialog box to prepare the download and select the devices to be downloaded. The Schedule Config Download Job dialog box displays all devices that you modified in the current scenario. Using the Add and Remove buttons, select the devices to which you want to download the ACLs and ACL Uses (and meta-information such as comments and template include statements).


Describing the Job and Selecting the Download Options


Procedure
Step 1

Enter the job description and select the download options in the Schedule Config Download Job dialog box. ACL Manager improves the download time of config commands by allowing you to use TFTP in addition to the Telnet protocol. You can choose the protocol you want to use for download in the Schedule Config Download Job dialog box. ACL Manager supports TFTP downloads on both Catalyst switches and routers.

Step 2

Enter a job description in the Job Description field. Use a description you can locate easily if you want to browse the jobs later.

Select Use SSH for secure server to device communication while downloading the configuration commands. The download succeeds only if the device to which you are downloading has been configured for SSH communication.

Select Use Telnet to specify Telnet as the protocol for downloading configuration commands.

or

Select Use TFTP to specify TFTP as the protocol for downloading configuration commands. If you choose Use TFTP, the Rollback and Abort on Error options will be disabled. This is because the error status of each command cannot be known owing to the bulk transfer of configuration changes to a device via TFTP. You can use TFTP or Telnet protocols with the Use SSH option enabled.

If the device download order does not matter, select Download in Parallel. (The download will proceed more quickly.) If the order is important, ensure that the check box is not selected. The order of the download will be the order in which the devices appear in the right column.

To copy the running configuration to the router's startup files after the download is complete, select Write to NVRAM.


To attempt to revert to the router's original configuration if an error occurs during the download, select Rollback. Any changes made before the error occurred will be removed. (Rollback is selected automatically if you select Abort on Error.)

To revert to the router's original configuration, remove any changes, and abort the download if an error occurs, select Abort on Error. An attempt will be made to revert router configurations back to their original state.

Note

The Save to Disk option is used to save the configuration changes or the complete configuration. For more information, see Saving Changes to Disk.

Selecting Job Approvers


Use the Schedule Config Download Job dialog box to select the job approver. Select the Approver from the approver-list. When the ACL Manager job is scheduled, the users on the job approver-list are notified by email. One of the approvers must approve the job before it can run.

Note

You can bypass Job Approval if you have both Network Administrator and Approver privileges.

Scheduling the Download


Use the Schedule Config Download Job dialog box to schedule the download. To specify the Download Schedule:

Click Immediate to run the job as soon as possible.
Click At, then enter a date and time for the job to run in the future.


Verifying the Configuration Changes


Use the Diffs feature in the Schedule Config Download Job dialog box to verify the configuration changes.

Procedure
Step 1

Before downloading the changes you made in your scenario, verify them by clicking Diffs. The Config Diff View dialog box displays the modified objects to be downloaded (see Figure 9-4). If you change only the meta-information (such as comments or template include statements) and do not change the device config, the device will still be marked as modified. However, you will not see any diffs when you start the Diff Viewer. Any changes that do not result in a changed physical view (such as saving a set of ACEs as a template) will not appear in the Diff Viewer.
Figure 9-4 Config Diff Dialog Box


Step 2

Select a device to see all your configuration changes.

Step 3

Select a modified ACL or ACL use. The original and new configurations appear in the Original Config and the Modified Config columns (see Figure 9-5).

To display the entire proposed configuration, click Config.
To display only the configuration commands to be sent while downloading your scenario, click Delta.

Figure 9-5 Config Diff View for a Specified Device

Step 4

Click Close.

Step 5

Confirm your choice by clicking OK in the Schedule Config Download Job dialog box. If you have not saved the scenario, a message asks whether you want to save it.


Step 6

Click OK to save the scenario. A new window displays the ID of the scheduled job.

Step 7

Click OK to dismiss the dialog box.

You can use the Job ID to track the status of the job. ACL Manager alerts you if there is a problem with a job schedule time or if the scenario has not been saved.

The device configuration does not change until a job runs and config changes are downloaded to the device. You can view proposed configuration changes by selecting Tools > Diff Viewer from the ACL Manager Main Window. The job will run only if the current configuration on the device matches the configuration the device had when your scenario was initially created. If you schedule a job and someone changes the device configuration in the meantime, the job will fail. If you selected Write to NVRAM and the download is not successful (for example, if a partial ACL is applied, or a download causes the router to disconnect from the network), the router's startup files are not updated.

Saving Changes to Disk


You can use the Schedule Config Download Job dialog box to save your configuration changes as files on the server without downloading them.

Procedure
Step 1

To display the Schedule Config Download Job dialog box, select one of the following:

ACL Management > Schedule Downloads from Essentials.
Tools > ACL Downloader from the ACL Manager Main Window.


Click on the ACL Downloader toolbar icon in the ACL Manager Main Window.

The Schedule Config Download Job dialog box displays a list of all devices you modified (see Figure 9-3).
Step 2

Select the router(s), using the Add and Remove buttons, to which the ACLs are to be downloaded.

Step 3

Select Save to Disk to save the router configuration files to a standard disk directory without downloading a job.

Step 4

Do one of the following:

Click the Complete Config radio button to save the entire configuration.
Click the Delta Config radio button to save the config deltas (the actual commands that will be downloaded to the device in order to implement the ACLs and ACL Uses in your scenario).

To verify the configuration changes, select one or more devices, then click Diffs (see Verifying the Configuration Changes). To save the configuration files on the server, click OK. The Save In dialog box appears (see Figure 9-6).


Figure 9-6 Save In Dialog Box

Step 5

Select the path where you want to save the configuration changes files. By default, the configurations are saved in c:\program files\CSCOpx. You can also enter a location to save the configuration files in the Target Directory field.

Note

On Windows 2000 systems, in the Schedule Config Download Job dialog box, you can navigate to any directory up to the root of the default C:\ drive to save the configuration changes files. If you want to save the files in any other location on any other drive, enter the complete path in the Target Directory field.

The configuration files are saved in the output directory. Contact your system administrator for access to these directories. If you decide to proceed with the download, start a new download. See Scheduling Downloads.


Browsing Job Status and Results


The ACL Manager Job Browser displays job status and results. The Job Browser also provides device-level details about a job.

Procedure
Step 1

To display the Job Browser dialog box, select one of the following:

ACL Management > Browse Download Jobs from Essentials.
Tools > Job Browser from the ACL Manager Main Window.

The Job Browser dialog box displays all scheduled jobs (see Figure 9-7).
Figure 9-7 Job Browser Dialog Box


Step 2

To display jobs filtered by Job Status or Job User, make your selection, then click Refresh. The columns in the Job Browser dialog box are:

Column          Description
Job ID          Unique number assigned to this task at creation time. This number is never reused.
Job Status      Current state or last run result of the job.
Description     Information you entered in the Job Description field of the Schedule Config Download Job dialog box.
Scheduled At    Date and time the job is scheduled to run.
Finish Time     Date and time the job completed.
User            Name of the user who created the job.
Approver        Name of the approver who has to approve the job.
Scenario        Name of the job scenario you created from the scenario whose changes are to be downloaded.

The Job Status column can display these values:

Status                  Meaning
Running                 Job is running.
Pending                 Job has not started.
Waiting for approval    Job is waiting for approval from one of the approvers.
Pending (Approved)      Job has been approved and has not started.
Rejected                Job was rejected by one of the approvers.
Cancelled               Job was canceled by user.
Aborted                 Job was aborted by server.
Failed                  Download failed on all devices. Click Results to obtain more information.
Partial success         Download failed on one or more devices. Click Results to obtain more information.
Success                 Job downloaded successfully on all devices.

Step 3

To view the job status by device, select the job then click Results. The Job Results window displays the status for all devices for that job (see Figure 9-8). The Status column can have these values:

Status                    Meaning
Download verify failed    Download configuration does not match device configuration (device became stale after download started).
Pre download failure      Device is stale before download started.
Rollback failed           Download failed, then the attempt to rollback to previous configuration failed.
Download failed           All other download failures.
Running                   Job is running.
Pending                   Job has not started.
Waiting for approval      Job is waiting for approval from one of the approvers.
Pending (Approved)        Job has been approved and has not started.
Rejected                  Job was rejected by one of the approvers.


Figure 9-8 Job Results

Step 4

Click Device Results to obtain detailed information about the device (see Figure 9-9).
Figure 9-9 Device Results

Step 5

Click Diff to view the Config Diff dialog box (see Figure 9-4).


Job Management Integration


The Job Browser of ACL Manager is now integrated with the Job Resource Manager (JRM) using the CiscoWorks Job Management task. This allows you to get details of an ACL Manager job, free the resources locked by it, and remove the job. (For details of an ACL Manager job, see Browsing Job Status and Results and Figure 9-8.)

Note

You need to use the Job Resource Manager (JRM) of CiscoWorks to browse jobs, release resources, stop and remove jobs. Select CiscoWorks Server > Administration > Job Management.

Viewing a Job Scenario


When you create a job, the server creates a read-only copy of the scenario whose changes are to be downloaded. This new scenario is called the job scenario. Using the Job Manager, you can view scenarios for both pending and completed jobs.

Procedure
Step 1

To display the Job Browser dialog box (see Figure 9-7), select one of the following:

ACL Management > Job Browser from Essentials.
Tools > Job Browser from the ACL Manager Main Window.

Step 2

Highlight the job whose associated scenario you want to view, then click Open. The ACL Manager Main Window appears, displaying the contents of the specified scenario (see Figure 9-10).


Figure 9-10 Viewing a Downloaded ACL Manager Scenario

Editing and Resubmitting Jobs


You can edit and resubmit scheduled jobs that have or have not been completed using the ACL Manager Job Browser.

Resubmitting a Job That Has Not Been Completed


You can resubmit a job that has not completed by rescheduling it using the Job Browser.

Procedure
Step 1

To display the Job Browser dialog box, select one of the following:

ACL Management > Job Browser from Essentials.
Tools > Job Browser from the ACL Manager Main Window.


Step 2

Select the uncompleted job, then click Edit. The Schedule Config Download Job dialog box appears, displaying the job details.

Step 3

Change the download options, schedule the date and time, and click OK.

Canceling Pending Jobs and Purging Old Jobs


To cancel a scheduled ACL job or purge old ACL jobs, use the ACL Manager Job Browser. All jobs remain until you remove them.

Procedure
Step 1

To display the Job Browser dialog box, select one of the following:

ACL Management > Job Browser from Essentials.
Tools > Job Browser from the ACL Manager Main Window.

Step 2

Select the jobs you want to cancel or purge.

Step 3

Click Delete.

What to Do If Your Download Fails


A download can fail for a number of reasons. Two common reasons are:

Loss of connectivity to the device during download.
A device becoming stale because another user in another scenario downloaded changes to the device after you had scheduled the download.

When this happens, the device icon is grayed out. However, you can change the status from stale to OK in order for the download to proceed.


Note

If you refresh a stale device, you will lose your edits.

If your download fails because the device is stale, do the following to save your changes and attempt to download again:

Procedure
Step 1

Back up the scenario containing your edits and the stale device under a different name by selecting File > Save Scenario As from the ACL Manager Main Window.

Step 2

Reopen the original scenario.

Note

Make sure that Read Config from Device is selected.

Step 3

Refresh any stale devices and save the scenario.

Step 4

Open the backup scenario.

Note

Make sure Read Config from Device is not checked. Select the Open in Read Only Mode check box.

Step 5

Copy the data from the device.

Note

Only ACLs can be copied.

Step 6

Switch to the original scenario and paste the data back to the device, overwriting the ACLs.

Step 7

Download your changes to the device, as described in Scheduling Downloads.


CHAPTER 10

Optimizing ACLs
These topics describe optimization and how you can optimize your ACLs for better performance:

What Are the ACL Optimizer and Hits Optimizer?
Using the ACL Optimizer
Using the ACL Hits Optimizer
Resetting Hit Counters

What Are the ACL Optimizer and Hits Optimizer?


When an ACL is used on one or more interfaces in a network device, network traffic performance through the device can be degraded for these reasons:

Each packet through an interface may be compared against all the ACE statements in an ACL used on the interface until one of the statements is a hit.
The ACE statements are examined in sequence.

To improve device performance, the ACL Optimizer minimizes the number of ACEs that must be compared. The ACL Hits Optimizer re-arranges ACEs in an order in which the most frequently-hit ACEs are placed first. Using ACL Optimizer or Hits Optimizer changes the physical view of the ACL, but not the logical view. Any change made to the logical view (including re-ordering ACEs) will re-create the physical view, hence the optimizations will be lost and need to be re-done.


What Is the ACL Optimizer?


The goal of the ACL Optimizer is to minimize the number of ACEs in an ACL. It accomplishes this by:

Removing covered ACEs; in the following example, the second original ACE covers the first.

Original ACEs
permit ip from host 205.178.18.5
permit ip from 205.178.18.0/0.0.0.255

Optimized ACEs
permit ip from 205.178.18.0/0.0.0.255

Merging maskable ACE address ranges; in the following example, the original ACEs' address ranges are contiguous and maskable:

Original ACEs
permit ip from host 205.178.18.8
permit ip from host 205.178.18.9
permit ip from host 205.178.18.10
permit ip from host 205.178.18.11
permit ip from host 205.178.18.12
permit ip from host 205.178.18.13
permit ip from host 205.178.18.14
permit ip from host 205.178.18.15

Optimized ACEs
permit ip from 205.178.18.8/0.0.0.7

Merging covered ACE port ranges; in the following example, the port range for the second original ACE combines with the port range of the first original ACE to cover the entire set of port ranges:

Original ACEs
permit tcp gt 25 from host 205.178.18.5
permit tcp lt 50 from 205.178.18.5

Optimized ACEs
permit tcp between 0 and 65535 from 205.178.18.5


Removing redundant ACEs.

Original ACEs
permit ip from any
deny ip from 205.178.18.5

Optimized ACEs
permit ip from any

Removing duplicate ACEs.

Original ACEs
permit ip from host 205.178.18.5
permit ip from host 205.178.18.5
permit ip from host 205.178.18.10

Optimized ACEs
permit ip from host 205.178.18.5
permit ip from host 205.178.18.10

What Is the ACL Hits Optimizer?


The goal of the ACL Hits Optimizer is to place the most frequently hit ACEs ahead of the less frequently hit ACEs. A hit occurs when an ACE statement matches a network packet; IOS tracks the number of times a statement is hit. ACL Manager reorders the ACEs accordingly, as follows:

Original ACEs (# Hits)                    Optimized ACEs
permit ip from host 205.178.18.5 (300)    deny ip from host 205.178.18.100
deny ip from host 205.178.18.100 (500)    permit ip from host 205.178.18.5

Reordering ACEs is performed only if the new order does not change ACL semantics. For example, ACL Manager would not reorder ACEs in the following example:

Original ACEs (# Hits)                        Incorrectly Reordered ACEs
deny ip from host 205.178.18.5 (300)          permit ip from 205.178.18.0/0.0.0.255
permit ip from 205.178.18.0/0.0.0.255 (500)   deny ip from host 205.178.18.5


ACL Manager would not perform this reorder because doing so would change the ACL semantics, which were to deny packets from host 205.178.18.5 and allow them from the rest of the subnet.
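The five ACL Optimizer rules and the Hits Optimizer's semantics check described above, as an added Python model; this is illustrative code, not ACL Manager's own, it models only the source address and (for tcp) the source port range of each ACE, and the names src_net, Ace, acl_optimize and hits_optimize are my own.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, collapse_addresses
from itertools import groupby
from typing import List, Tuple

ALL_PORTS = (0, 65535)   # inclusive source port range meaning "any port"

def src_net(text: str) -> IPv4Network:
    """Parse an IOS source: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous)."""
    if text == "any":
        return IPv4Network("0.0.0.0/0")
    if text.startswith("host "):
        return IPv4Network(text[5:] + "/32")
    addr, wild = text.split()   # ipaddress reads a wildcard such as 0.0.0.255 as a hostmask
    return IPv4Network(f"{addr}/{wild}", strict=False)

@dataclass(frozen=True)
class Ace:
    action: str                          # "permit" or "deny"
    proto: str                           # "ip" (any protocol) or "tcp"
    src: IPv4Network                     # source network, see src_net()
    ports: Tuple[int, int] = ALL_PORTS   # inclusive source port range
    hits: int = 0                        # IOS hit counter, used by hits_optimize()

    def covers(self, other: "Ace") -> bool:
        """Every packet matched by `other` is also matched by self."""
        if self.proto != "ip" and self.proto != other.proto:
            return False
        return other.src.subnet_of(self.src) and self.ports[0] <= other.ports[0] <= other.ports[1] <= self.ports[1]

    def intersects(self, other: "Ace") -> bool:
        """Some packet could match both ACEs."""
        if "ip" not in (self.proto, other.proto) and self.proto != other.proto:
            return False
        return self.src.overlaps(other.src) and self.ports[0] <= other.ports[1] and other.ports[0] <= self.ports[1]

    def to_ios(self) -> str:
        """Render in IOS extended-ACL style (source part only)."""
        n = self.src
        src = {0: "any", 32: f"host {n.network_address}"}.get(n.prefixlen, f"{n.network_address} {n.hostmask}")
        ports = "" if self.ports == ALL_PORTS else f" range {self.ports[0]} {self.ports[1]}"
        return f"{self.action} {self.proto} {src}{ports}"

def remove_redundant(aces: List[Ace]) -> List[Ace]:
    """Drop an ACE an earlier ACE already covers (redundant/duplicate: never hit), or one
    a later same-action ACE covers with no intersecting opposite-action ACE in between."""
    kept: List[Ace] = []
    for i, ace in enumerate(aces):
        if any(k.covers(ace) for k in kept):
            continue                         # shadowed by an earlier ACE: drop it
        for later in aces[i + 1:]:
            if later.action == ace.action and later.covers(ace):
                break                        # covered by a later ACE: drop it
            if later.action != ace.action and later.intersects(ace):
                kept.append(ace)             # dropping it would change which ACE fires
                break
        else:
            kept.append(ace)
    return kept

def merge_run(run: List[Ace]) -> List[Ace]:
    """For ACEs sharing action and protocol (their order is irrelevant), collapse
    sources with the same port range into maskable blocks, then union port ranges."""
    groups = {}
    for a in run:
        groups.setdefault(a.ports, []).append(a)
    collapsed: List[Ace] = []
    for group in groups.values():
        if len(group) == 1:
            collapsed.append(group[0])       # untouched, so its hit counter stays
        else:                                # a merged statement has no counter yet
            collapsed += [replace(group[0], src=n, hits=0) for n in collapse_addresses(a.src for a in group)]
    out: List[Ace] = []
    for a in sorted(collapsed, key=lambda x: (x.src, x.ports)):
        p = out[-1] if out else None
        if p and p.src == a.src and a.ports[0] <= p.ports[1] + 1 and p.ports[0] <= a.ports[1] + 1:
            out[-1] = replace(p, ports=(min(p.ports[0], a.ports[0]), max(p.ports[1], a.ports[1])), hits=0)
        else:
            out.append(a)
    return out

def acl_optimize(aces: List[Ace]) -> List[Ace]:
    """ACL Optimizer pass: drop redundant, duplicate and covered ACEs, then merge runs."""
    out: List[Ace] = []
    for _, run in groupby(remove_redundant(aces), key=lambda a: (a.action, a.proto)):
        out.extend(merge_run(list(run)))
    return out

def hits_optimize(aces: List[Ace]) -> List[Ace]:
    """Hits Optimizer pass: move frequently hit ACEs forward, never past an intersecting
    ACE of the other action (that would change the ACL's meaning)."""
    out = list(aces)
    for i in range(1, len(out)):
        j = i
        while j > 0 and out[j - 1].hits < out[j].hits and (
                out[j - 1].action == out[j].action or not out[j - 1].intersects(out[j])):
            out[j - 1], out[j] = out[j], out[j - 1]
            j -= 1
    return out
```

Merged statements get a hit count of 0 because no device counter exists for them until they are downloaded; the Resetting Hit Counters procedure below zeroes the device-side counters.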

Note

Standard IP ACLs and VACLs do not support Hit Counters, so the Hits Optimizer is not available for these types of ACLs.

Using the ACL Optimizer


Use the ACL Optimizer to minimize the number of ACEs in an ACL and improve router performance.

Procedure
Step 1

From the ACL Manager Main Window, select the ACL to optimize. In Figure 10-1, ACL 100 is selected.
Figure 10-1 ACL to be Optimized


Step 2

Select Optimizer from the ACL pop-up window. The Optimizer completes optimization and a high-level report appears (see Figure 10-2).
Figure 10-2 ACL Optimizer

Step 3

Click Details to view more information (see Figure 10-3).


Figure 10-3 ACL Manager Optimizer Details

Step 4

If you are satisfied with the optimization, click Done to return to the previous display.

Step 5

Click Apply to apply the optimization.


Using the ACL Hits Optimizer


Use the ACL Hits Optimizer to place the most frequently hit ACEs ahead of the less frequently hit ACEs, improving network traffic throughput. Hits optimization is applicable only to the IP Extended type of ACLs.

Procedure
Step 1

From the ACL Manager Main Window, select the ACL to optimize. In Figure 10-4, ACL 100 is selected.
Figure 10-4 ACL to be Hit Optimized

Step 2

Right-click and select Hits Optimizer. The Hits Optimizer completes optimization and a high-level report appears (see Figure 10-5).


Figure 10-5 Hits Optimizer

Step 3

Click Details to view more information (see Figure 10-6).


Figure 10-6 Hits Optimizer - Details

Step 4

If you are satisfied with the optimization, click Done to return to the previous display.

Step 5

Click Apply to apply the optimization.

Resetting Hit Counters


You can reset the hit counters to zero from Essentials.

Procedure
Step 1

From Essentials, select Administration > ACL Management > Reset Hit Counter (see Figure 10-7).


Figure 10-7 Reset Hit Counter Dialog Box

Step 2

Select All Devices, then select those devices for which you want the hit counter reset to zero.

Step 3

Click Finish.


INDEX

A
ACE Editor buttons, using 4-20 ACEs (Access Control Entries) (see also ACLs) 2-1 ACE Editor buttons, using 4-20 comments appending 4-14 inserting 4-15 editing 4-17 IP ACE attributes 4-20 IP Extended ACE attributes 4-22 IPX ACE attributes 4-29 IPX Extended ACE attributes 4-30 IPX SAP ACE attributes 4-33 IPX SUMMARY ACE attributes 4-34 RATE LIMIT MAC ACE attributes 4-35 RATE LIMIT PRECEDENCE ACE attributes 4-36 source and destination addresses, specifying 4-18 manipulating 4-10 new appending 4-11 inserting 4-10 printing 4-45

reordering 4-16 templates inserting 4-12 saving as 4-37 ACL Hits Optimizer, description 10-3 ACL Manager benefits of 1-4 components 1-4 description 1-3 functionality 1-5 overview 1-1 terms and definitions 1-1 tools 1-7 ACL Optimizer description 10-2 using 10-4 ACLs (Access Control Lists) 4-1 (see also ACEs) 4-10 ACL use statement, definition 1-2 configuration changes, viewing 4-38 creating overview 2-1 procedure 4-4 definitions and uses 2-1 Diff Viewer, using 4-38


editing 4-6 existing, viewing 4-2 optimizing 10-1 ACL Hits Optimizer, using 10-7 ACL Optimizer, description 10-1 ACL Optimizer, using 10-4 hit counters, resetting 10-9 Hits Optimizer, defined 10-1 redundancy checks 4-42 printing 4-45 properties (use details) 2-5 renaming 4-9 templates attributes of 2-2 creating 2-1 saving as 4-8 time range definitions, editing 4-42 Absolute 4-42 Periodic 4-44 uses 2-7 defining 4-6 description 2-7 modes and contexts, description 2-7 advanced topics in ACL Manager 3-27 avoiding loss of edits when refreshing a device 3-29 refreshing devices 3-28 stale devices 3-27

B
backing up data 3-30 on Solaris 3-30 on Windows 2000 3-31

C
cautions significance of xii Cisco.com, accessing xvi CiscoWorks Server in backing up ACLM data 3-30 JRM, and job management 9-17 Class Manager 6-1 description 6-1 devices that use network class, identifying 6-16 service class, identifying 6-9 editors 6-2 invoking 6-3 networks and network classes, using 6-11 network, creating a new 6-11 network, editing 6-13 network class, creating a new 6-13 network class, editing 6-15 network class entry, editing 6-16 services and service classes, using 6-4 service, creating a new 6-4


service, editing 6-6 service class, creating a new 6-6 service class, editing 6-8 service class entry, editing 6-9 toolbar, using 6-3 using (example) 6-18 comments Comment, template attribute 2-5 in ACEs appending 4-14 inserting 4-15 in VACEs appending 5-14 inserting 5-15 Config Diff dialog box, illustration 9-8

actual 9-7 configuration changes, verifying 9-8 devices, selecting 9-5 download options, selecting 9-6 job approvers, selecting 9-7 describing 9-6 TFTP, and 9-6

E
editing ACEs 4-17 IP ACE attributes 4-20 IP Extended ACE attributes 4-22 IPX ACE attributes 4-29 IPX Extended ACE attributes 4-30 IPX SAP ACE attributes 4-33 IPX SUMMARY ACE attributes 4-34 RATE LIMIT MAC ACE attributes 4-35 RATE LIMIT PRECEDENCE ACE attributes 4-36 source and destination addresses 4-18 ACLs 4-6 ACL time range definitions 4-42 Class Manager network class entries 6-16 network classes 6-15 Edit menu 3-15 jobs

D
deleting scenarios 3-10 documentation feedback, submitting electronically xviii obtaining xvi CD-ROM xvii Cisco.com xvi ordering xvii obtaining updated xvi other Cisco publications and information xxi related xii downloads, scheduling 9-3


and resubmitting 9-18 incomplete jobs, resubmitting 9-18 templates, existing 7-5 VACEs 5-17 ACE Editor buttons, using 5-19 IP VACE attributes 5-20 IPX VACE attributes 5-28 MAC attributes 5-29 source and destination addresses 5-18 VACLs 5-6 Essentials, setting up 3-4

I
IOS ACLs, definition 1-2

J
Java Plug-in, and improving ACL Manager performance 3-4 Job Browser dialog box, illustration 9-13 jobs approval, enabling 9-2 cancelling pending 9-19 editing and resubmitting 9-18

F
failed downloads, handling 9-19 Find feature, using 3-14

editing and resubmitting an incomplete job 9-18 job management integration 9-17 purging old 9-19 scenarios, viewing 9-17 status and results, browsing 9-13

G
getting started 3-1 glossary 1-1

K
keyboard shortcuts, using 3-23

H
help xviii Cisco.com xviii TAC xix Escalation Center xx website xx

ACL Manager dialog boxes Solaris 3-25 Windows 3-25 ACL Manager window 3-23 key words 1-1 ACL, ACE 1-1 ACL templates 1-2


ACL use modes and contexts 1-2 ACL use statement 1-2 IOS ACLs 1-2 logical view 1-2 network 1-2 network class 1-2 physical view 1-2 scenario 1-3 service 1-3 service class 1-3 Template Include ACE 1-3 VLAN Access Lists (VACLs) 1-3

network, definition 1-2 network class, definition 1-2

P
physical view, definition 1-2 preparing to use ACL Manager 3-2 printing 3-12 privilege levels overview 1-8 user levels and tasks 1-9

L
logical view, definition 1-2

R
refreshing devices 3-28 refreshing devices while avoiding loss of edits 3-29 restoring data 3-31 on Solaris 3-32 on Windows 2000 3-32

M
menus 3-14 ACL menu 3-18 Edit menu 3-15 File menu 3-14 Tools menu 3-18 View menu 3-17

S
Save In dialog box, illustration 9-12 saving changes to disk 9-10 scenarios definition 1-3

N
navigating in the main window 3-12

opening a different 3-11 saving 3-8


under a different name 3-8 under the existing name 3-8 viewing 9-17 Schedule Config Download Job dialog box, illustration 9-4 Schedule Downloads dialog box, illustration 9-3 scheduling and downloading 9-1 service, definition 1-3 service class, definition 1-3 stale devices 3-27 starting ACL Manager 3-4

starting 7-2 template attributes (table) 7-3 toolbar, using 7-2 templates attributes of Comment 2-5 Created By 2-4 Creation Date 2-4 Last Modified By 2-4 Modification Date 2-4 Name, Number, and Type 2-3 creating a new 7-3 definition 1-2

T
TAC (Technical Assistance Center) xix Escalation Center xx website xx technical support xviii Cisco.com xviii TAC xix Escalation Center xx website xx Telnet, and improved download time of config commands 9-6 Template Include ACE, definition 1-3 Template Manager 7-1 description 7-1 devices that use an ACL template, identifying 7-6

editing an existing 7-5 folders, creating and inserting 7-5 template folders, creating and inserting 7-5 terms and definitions 1-1 TFTP, and improved download time of config commands 9-6 toolbars, using ACL Manager 3-21 Class Manager 6-3 Template Manager 7-2 typographical conventions used in this document xi

U
use modes and contexts, definition 1-2 Use wizards 8-1


ACL uses, defining Use ACL Wizard, using 8-4 Use ACL Wizard results, displaying 8-10 Use ACL Wizard Summary, completing 8-9

(see also VACEs) 5-10 configuration changes, viewing 5-32 creating 5-5 definition 1-3 Diff Viewer, using 5-32 editing 5-6 optimizing 5-36 printing 5-36 renaming 5-9 saving as templates 5-8 uses, defining 5-6 viewing existing 5-2 viewing ACL configuration changes 4-38 ACLs, existing 4-2 job scenarios 9-17 VACL configuration changes 5-32 VACLs, existing 5-2

V
VACEs (VLAN Access Control Entries) (see also VACLs) 5-1 comments appending 5-14 inserting 5-15 editing 5-17 ACE Editor buttons, using 5-19 IP VACE attributes 5-20 IPX VACE attributes 5-28 MAC attributes 5-29 source and destination addresses, specifying 5-18 manipulating 5-10 new appending 5-11 inserting 5-10 printing 5-36 reordering 5-16 templates inserting 5-12 saving as 5-31 VACLs (VLAN Access Control Lists) 5-1

W
workflow cycle, performing a complete 3-26 changes to the devices, downloading 3-27 device configuration changes, verifying 3-26 download success, verifying 3-27
