
User Guide for ACL Manager

Software Release 1.6


CiscoWorks

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7816005=
Text Part Number: 78-16005-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks
of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet,
ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo,
Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel,
EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys,
MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar,
ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient,
TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (0402R)
User Guide for ACL Manager
Copyright 2004 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface xvii
Audience xvii
Conventions xviii
Product Documentation xix
Related Documentation xxi
Additional Information Online xxiii
Obtaining Documentation xxiii
Cisco.com xxiii
Ordering Documentation xxiv
Documentation Feedback xxiv
Obtaining Technical Assistance xxiv
Cisco TAC Website xxv
Opening a TAC Case xxv
TAC Case Priority Definitions xxvi
Obtaining Additional Publications and Information xxvi

CHAPTER 1 ACL Manager Overview 1-1
ACL Terms and Definitions 1-1
What is ACL Manager? 1-4
ACL Manager Components 1-4
Benefits of ACL Manager 1-5
ACL Manager Functionality 1-7
ACL Manager Tools 1-8
ACL Manager Privilege Levels 1-9
User Guide for ACL Manager

78-16005-01

iii

Contents

Privilege Levels and Tasks 1-10

CHAPTER 2 ACL Definitions and Uses 2-1
Creating ACLs and Templates 2-1
ACL and Template Attributes 2-2
Name, Number, and Type Attributes 2-3
Other Attributes 2-4
ACL Properties (Use Details) 2-4
ACL Uses 2-6
Use Modes and Contexts 2-6

CHAPTER 3 Getting Started 3-1
Before You Begin 3-2
Setting Up Resource Manager Essentials 3-2
ACL Manager Functions 3-3
Starting ACL Manager 3-8
Populating the Devices Folder 3-9
Deleting Devices 3-11
Saving a Device View 3-11
Opening a Device View 3-12
Navigating in the ACL Manager Main Window 3-13
My Changes Folder 3-15
Imported Entities Folder 3-16
Devices Folder 3-16
Out-of-Band Changes Folder 3-17
Using the Find Feature 3-17
ACL Manager Menus 3-17
File Menu 3-18
Edit Menu 3-20
View Menu 3-21
ACL Menu 3-22
Versioning Menu 3-23
Tools Menu 3-24
Using the Device State Icons 3-25
Using the Toolbar 3-27
Using Keyboard Shortcuts 3-29
Keyboard Shortcuts for ACL Manager Window 3-29
Keyboard Shortcuts for ACL Manager Dialog Boxes - Windows 3-31
Keyboard Shortcuts for ACL Manager Dialog Boxes - Solaris 3-31
Printing 3-32
Performing a Complete Workflow Cycle 3-32
Verifying Device Configuration Changes 3-33
Downloading the Changes to the Devices 3-36
Verifying That the Download was Successful 3-36
Managing Out-of-Band Changes to Device Configuration 3-37
Checking for Out-of-Band Changes on Devices 3-37
Viewing the Out-of-Band Changes Report 3-39
Resolving Out-of-Band Changes 3-41
High-level Workflow for Resolving Out-of-Band Changes 3-42
Resolving Out-of-Band Changes Based on Their Type 3-44
Using the Diff/Merge with Out-of-Band Changes Dialog Box and Merge Editor 3-50
Backing Up and Restoring ACL Manager Data 3-54
Device Support in ACL Manager 3-54

CHAPTER 4 Viewing and Editing ACLs 4-1
Creating ACLs 4-2
Creating a New ACL by Copying and Pasting an Existing ACL 4-4
Versioning ACLs 4-5
Defining ACL Uses 4-6
Viewing Existing ACLs 4-6
Editing ACLs 4-7
Deleting ACLs 4-9
Manipulating ACEs 4-10
Inserting a New ACE 4-10
Appending a New ACE 4-12
Inserting a Template 4-12
Appending a Comment 4-14
Inserting a Comment 4-15
Downloading Comments 4-17
Making Remark ACEs Downloadable 4-17
Reordering ACEs 4-19
Editing ACEs 4-20
Specifying Source and Destination Addresses 4-22
Specifying Source and Destination Ports 4-23
Specifying Protocol 4-24
Specifying ICMP-Type 4-24
Using the ACE Editor Buttons 4-25
Editing IP ACE Attributes 4-26
Editing IP Extended ACE Attributes 4-28
Editing IP Extended General Attributes 4-28
Editing IP Extended Advanced Attributes 4-31
Editing IP Extended Other Attributes 4-34
Editing RATE LIMIT MAC ACE Attributes 4-37
Editing RATE LIMIT PRECEDENCE ACE Attributes 4-38
Saving ACEs as a Template 4-38
Viewing the Configuration Changes 4-40
Optimizing the ACL 4-40
Using Time Range Definitions 4-40
Versioning Time Range Definitions 4-41
Creating a Time Range Definition 4-42
Time Range Definition Absolute 4-42
Time Range Definition Periodic 4-44
Time Range Definitions Absolute and Periodic 4-46
Editing a Time Range Definition 4-47
Associating an ACE with a Time Range 4-48
Viewing Associated ACLs on the Device 4-49
Configuring the Time Zone on a Device 4-50
Downloading Time-based ACEs to the Device 4-51
Expiry Type for Time-based ACEs 4-51
Automatic Expiry 4-51
Manual Expiry 4-51
Time Range E-mail Notification 4-52
Configuring Time Range E-mail 4-52
Time Range E-mail Format 4-53
Marking ACLs for Download 4-54
Printing the ACL/ACE 4-55
Managing VLAN Access Control Lists (VACLS) 4-55
Editing VACEs 4-57
Editing IP VACE Attributes 4-57
Editing MAC VACE Attributes 4-66
Creating Object Groups for PIX ACLs 4-68

CHAPTER 5 Using the Class Manager 5-1
Class Manager Overview 5-1
Class Manager Editors 5-2
Starting the Class Manager 5-3
Using the Class Manager Toolbar 5-4
Creating and Inserting Class Folders 5-4
Using Services and Service Classes 5-5
Workflow for Using Service Classes 5-5
Creating a Service Class 5-6
Editing a Service Class 5-8
Using Network Classes 5-8
Workflow for Using Network Classes 5-9
Creating a Network Class 5-10
Editing a Network Class 5-13
Marking a Master Version of a Class 5-13
Identifying Class Uses 5-14
Identifying Service Class Uses 5-15
Identifying Network Class Uses 5-18
Handling Invalid Class Uses 5-21
Using the Class Manager: Example 5-23

CHAPTER 6 Using the Template Manager 6-1
Starting the Template Manager 6-2
Using the Template Manager Toolbar 6-3
Static Templates and Variable Templates 6-3
The Workflow for Templates 6-4
Workflow for a Static Template 6-4
Workflow for a Variable Template 6-5
Creating Templates 6-6
Creating a Static Template and Adding ACEs 6-6
Creating a Variable Template and Adding ACEs 6-8
Creating a Variable Template Instance and Assigning Values 6-10
Reconciling Instances of Variable Templates 6-12
Including Another Template Within Your Template 6-14
Marking a Master Version of a Template or an Instance 6-15
Editing an Existing Template 6-17
Editing the Contents of a Template 6-17
Creating and Inserting Template Folders 6-18
Using a Template in an ACL 6-19
Identifying Devices and Templates That Use an ACL Template 6-20
Handling Invalid Template Device Uses and Template Nested Uses 6-23
Updating Logical Entities 6-26
Saving Selected Template ACEs as a New Template 6-27
Viewing the Template Device Use Summary 6-28
Deleting a Template 6-29

CHAPTER 7 Creating and Using Policies 7-1
Role-based Access for Policies 7-1
Creating a Policy 7-2
Verifying an ACL/Template Against a Policy 7-4
Viewing Policy Verification Details 7-8
Mandating Policy Verification 7-10

CHAPTER 8 Searching for and Replacing ACLM Entities 8-1
Searching for Entities 8-2
Search Results Pane 8-4
Using the ACL Manager Device Selector 8-5
Using the Template Folder Browser 8-6
Forming a Search Filter 8-6
Regular Expressions 8-7
Operators 8-7
List of Search Attributes 8-9
Using the Standard Search Context GUI 8-13
Replacing Entities 8-15
Undoing a Check Out 8-18
Using the Standard Replace Context GUI 8-19

CHAPTER 9 Controlling Access Using ACL Manager Roles 9-1
Populating ACL Manager with Role-based Data 9-2
Adding Users 9-3
Adding Devices 9-3
Managing User Groups 9-4
Creating a User Group 9-4
Modifying a User Group 9-8
Deleting a User Group 9-12
Viewing all User Groups 9-15
Managing Device Groups 9-16
Creating a Device Group 9-17
Modifying a Device Group 9-21
Deleting a Device Group 9-25
Viewing all Device Groups 9-28
Managing Tasks 9-29
Task Relationships 9-30
Assigning Device Groups to Tasks or Modifying Assignments 9-31
Using the Open User Group Option 9-35

CHAPTER 10 Versioning ACL Manager Entities 10-1
Versioning Workflow 10-3
Version Indicators 10-5
Getting the Latest Version of an Entity 10-5
Getting a Specific Version of an Entity 10-6
Checking Out Entities 10-7
Checking Out a Specific Version of an Entity 10-9
Undoing the Check Out of an Entity 10-9
Checking In Entities 10-10
Merging a Branch With a Main Line Version 10-12
Merging Using the Merge Editor 10-13
Merging Using the Merge Editor: Example 10-16
Merging Without Using the Merge Editor 10-20
Merging Without Using the Merge Editor: Example 10-20
Viewing the Version Graph of an Entity 10-23
Comparing an Entity with its Latest Version 10-25
Comparing Any Two Versions of an Entity 10-26
Viewing Version Details of an Entity 10-27
Viewing Details of a Specific Version of an Entity 10-29
Viewing the Versioning History of an ACL Manager Entity 10-30
Using the Version Diff Viewer 10-32

CHAPTER 11 Approving or Rejecting Changes 11-1
Processing Change Requests 11-2
Viewing Pending Change Requests 11-3
Approving or Rejecting Change Requests 11-5
Change Request Status 11-7
Viewing Details of a Changed Entity 11-8
Viewing Processed Changes 11-11
E-mail Notification of Change 11-13
Enabling or Disabling Change Approval 11-14

CHAPTER 12 ACL Manager Use Wizard 12-1
Defining ACL Uses 12-1
Defining an ACL Use with the Use ACL Wizard 12-2
Selecting Interfaces, Lines, SNMP Community Settings or VLANS 12-4
Selecting Interfaces for Packet Filtering with the Use ACL Wizard 12-4
Selecting Lines for Line Access with the Use ACL Wizard 12-6
SNMP Community Settings with the Use ACL Wizard 12-8
Selecting VLANs for VLAN Packet Filtering with Use ACL Wizard 12-10
Completing the Use ACL Wizard Summary 12-11
Displaying Use ACL Wizard Results 12-12
Applying an ACL Template to a Specific Device 12-14
Selecting a Template with the Template Use Wizard 12-15
Selecting a Device 12-16
Displaying ACL Creation Results (Single Device) 12-18
Applying an ACL Template to Multiple Devices 12-20
Selecting a Template 12-20
Selecting the Devices 12-21
Displaying ACL Creation Results (Multiple Devices) 12-22
Defining ACL Uses for Multiple Devices 12-24
Selecting Interfaces with the Template Use Wizard 12-25
Selecting Lines with the Template Use Wizard 12-27
SNMP Community Settings with the Template Use Wizard 12-29
Selecting VLANs for VLAN Packet Filtering with Template Use Wizard 12-31
Using the Use Wizard to Address Vulnerability in Your Network: Example 12-32

CHAPTER 13 Importing Configuration 13-1
Uploading the Configuration and Viewing the Import Summary 13-2
Using the File Browser 13-7
Using the Config Editor 13-8
Pasting Imported Entities onto a Device 13-10
Pasting an Imported ACL onto a Device 13-10
Pasting Imported ACEs and Comments on to a Device 13-11
Pasting Imported ACEs as a Template 13-12
Using the File Import Command Line Tool 13-12
Example: File Import Command Line Tool Usage 13-14

CHAPTER 14 Validating ACEs 14-1
Performing a Validation Check on a Logical Entity 14-4
Viewing ACE Validation Details 14-7
Validating Modified ACEs 14-9

CHAPTER 15 Scheduling and Downloading 15-1
Enabling Job Approval 15-2
Scheduling Downloads 15-3
Selecting the Devices and the Changed Entities 15-6
Defining the Job and Selecting the Job Options 15-9
Scheduling the Download Using the Job Download Wizard 15-14
Viewing the Job Summary 15-17
Browsing Job Status and Viewing Results 15-20
Marking Changes for Download 15-27
Viewing Pending Marks 15-30
Scheduling Job Downloads Using the Job Browser 15-32
Job Management Integration 15-32
Rescheduling Jobs 15-33
Canceling Pending Jobs and Purging Old Jobs 15-34
What to Do if Your Download Fails 15-35

CHAPTER 16 Optimizing ACLs 16-1
ACL Optimizer and Hits Optimizer 16-1
ACL Optimizer 16-2
ACL Hits Optimizer 16-3
Using the ACL Optimizer 16-4
Using the ACL Hits Optimizer 16-7
Resetting Hit Counters 16-11
Getting Hits from a Device 16-12

CHAPTER 17 Generating Reports in ACL Manager 17-1
Time Range Events in Selected Time Frame Report 17-2
Change Approval Status Report 17-3
Out-of-Band Changes Report 17-5
Role-based Access Control Reports 17-7
Approver Group Mapping for Devices and Device Groups 17-8
My Task Mapping Report 17-9
Task Mapping Report 17-11
My User Group Membership Report 17-12
User Group Membership Report 17-13

CHAPTER 18 Troubleshooting ACL Manager 18-1

CHAPTER 19 ACL Manager Usage Scenarios 5
Tracking and Mitigating Network Vulnerabilities 5
Prerequisites 6
Handling Vulnerabilities 6
Importing the Published ACL into ACL Manager 7
Creating a Template Using the Imported ACL 8
Deploying the Template on Devices 9
Deploying the ACL on the Devices 11
Tracking the Template Changes 12
Modifying the Template in case of New Vulnerabilities and Deploying the Changes 13
Easy Deployment and Tracking of ACLs for Partner Networks 15
Prerequisites 16
Creating a Variable Template 17
Creating Variable Template Instances 19
Using Variable Template Instances 21
Tracking Instances 24
Using DNS Names in an ACE and Deploying Updated DNS-IP Mappings 27
Prerequisites 28
Using DNS Names in an ACE 28
Deploying Updated DNS Name - IP Mappings 30
INDEX


Preface
User Guide for ACL Manager describes how to use the Access Control List
(ACL) Manager, a software tool for managing access control lists on Cisco
routers, Catalyst switches, and PIX devices.
This preface describes who should read User Guide for ACL Manager and
outlines the document conventions used in this manual.

Audience
This publication is written for network operators, network administrators, and
system administrators. To use the ACL Manager application, you should have a
basic understanding of the operation, management, and configuration of your
network. You should also understand basic ACL structure and configuration and
the concept of network and service definitions.


Conventions
This document uses the following conventions:

Item                                        Convention
Commands and keywords                       boldface font
Variables for which you supply values       italic font
Displayed session and system information    screen font
Information you enter                       boldface screen font
Variables you enter                         italic screen font
Menu items and button names                 boldface font
Selecting a menu item in paragraphs         Option > Network Preferences
Selecting a menu item in tables             Option > Network Preferences

Note      Means reader take note. Notes contain helpful suggestions or references to
          material not covered in the publication.

Caution   Means reader be careful. In this situation, you might do something that could
          result in equipment damage or loss of data.


Product Documentation
Note: We sometimes update the printed and electronic documentation after original
publication. Therefore, you should also review the documentation on Cisco.com
for any updates.
Table 1 describes the product documentation that is available.

Table 1   Product Documentation

Document Title                      Available Formats

Release Notes for ACL Manager 1.6   Printed document that was included with the product.
                                    On Cisco.com:
                                    a. Log into Cisco.com.
                                    b. Go to:
                                       http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/aclm_1_x/1_6/index.htm

Installation Guide for ACL Manager  PDF on the product CD-ROM.
                                    On Cisco.com:
                                    a. Log into Cisco.com.
                                    b. Go to:
                                       http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/aclm_1_x/1_6/index.htm
                                    Printed document available by order (part number DOC-7816006=). [1]

User Guide for ACL Manager          PDF on the product CD-ROM.
                                    On Cisco.com:
                                    a. Log into Cisco.com.
                                    b. Go to:
                                       http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/aclm_1_x/1_6/index.htm
                                    Printed document available by order (part number DOC-7816005=).

Supported Devices for ACL Manager   On Cisco.com:
                                    a. Log into Cisco.com.
                                    b. Go to:
                                       http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/aclm_1_x/1_6/index.htm

Context-sensitive online help       Select an option from the navigation tree, then click Help.
                                    Click the Help button in the dialog box.

1. See Obtaining Documentation.


Related Documentation
Note: We sometimes update the printed and electronic documentation after original
publication. Therefore, you should also review the documentation on Cisco.com
for any updates.
Table 2 describes the additional documentation that is available.

Table 2   Related Documentation

Document Title                                              Available Formats

Release Notes for CiscoWorks Common Services 2.2            On Cisco.com:
(Includes CiscoView 5.5) on Windows [1]                     1. Log into Cisco.com.
                                                            2. Go to:
                                                               http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm

Installation and Setup Guide for CiscoWorks Common          On Cisco.com:
Services 2.2 (includes CiscoView 5.5) on Solaris            1. Log into Cisco.com.
                                                            2. Go to:
                                                               http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm

Installation and Setup Guide for CiscoWorks Common          On Cisco.com:
Services 2.2 (includes CiscoView 5.5) on Windows            1. Log into Cisco.com.
                                                            2. Go to:
                                                               http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm

CiscoWorks Common Services User Guide 2.2                   On Cisco.com:
                                                            1. Log into Cisco.com.
                                                            2. Go to:
                                                               http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm

Release Notes for Resource Manager Essentials 3.5           On Cisco.com:
on Windows                                                  1. Log into Cisco.com.
                                                            2. Go to:
                                                               http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm

Installation and Setup Guide for Resource Manager           On Cisco.com:
Essentials 3.5 on Solaris                                   1. Log into Cisco.com.
                                                            2. Go to:
                                                               http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm

Installation and Setup Guide for Resource Manager           On Cisco.com:
Essentials 3.5 on Windows                                   1. Log into Cisco.com.
                                                            2. Go to:
                                                               http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm

User Guide for Resource Manager Essentials 3.5              On Cisco.com:
                                                            1. Log into Cisco.com.
                                                            2. Go to:
                                                               http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm

Supported Device Table for Resource Manager Essentials 3.5  On Cisco.com:
                                                            1. Log into Cisco.com.
                                                            2. Go to:
                                                               http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm

1. CiscoView 5.5 and Package Support Updater information in this document is not applicable to the ACL Manager 1.6 release.


Additional Information Online


Your application might support incremental device updates (IDUs). An IDU is a
software package that enables an application to support new devices. An IDU
might also contain bug fixes. You can download IDUs and their Readme files by
logging into Cisco.com.
Device packages are released cumulatively; that is, new device packages contain
the contents of any previous packages.
To determine which packages are installed on your CiscoWorks Server, select
Server Configuration > About the Server > Applications and Versions.
You can also obtain any published patches from the download site.

Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco
also provides several ways to obtain technical assistance and other technical
resources. These sections explain how to obtain technical information from Cisco
Systems.

Cisco.com
You can access the most current Cisco documentation on the World Wide Web at
this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml


Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product
documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local
account representative by calling Cisco Systems Corporate Headquarters
(California, USA) at 408 526-7208 or, elsewhere in North America, by
calling 800 553-NETS (6387).

Documentation Feedback
You can submit e-mail comments about technical documentation to
bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front
cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Obtaining Technical Assistance


For all customers, partners, resellers, and distributors who hold valid Cisco
service contracts, the Cisco Technical Assistance Center (TAC) provides
24-hour-a-day, award-winning technical support services, online and over the
phone. Cisco.com features the Cisco TAC website as an online starting point for
technical assistance. If you do not hold a valid Cisco service contract, please
contact your reseller.


Cisco TAC Website


The Cisco TAC website provides online documents and tools for troubleshooting
and resolving technical issues with Cisco products and technologies. The Cisco
TAC website is available 24 hours a day, 365 days a year. The Cisco TAC website
is located at this URL:
http://www.cisco.com/tac
Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID
and password. If you have a valid service contract but do not have a login ID or
password, register at this URL:
http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case


Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases.
(P3 and P4 cases are those in which your network is minimally impaired or for
which you require product information.) After you describe your situation, the
TAC Case Open Tool automatically recommends resources for an immediate
solution. If your issue is not resolved using the recommended resources, your case
will be assigned to a Cisco TAC engineer. The online TAC Case Open Tool is
located at this URL:
http://www.cisco.com/tac/caseopen
For P1 or P2 cases (P1 and P2 cases are those in which your production network
is down or severely degraded) or if you do not have Internet access, contact Cisco
TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2
cases to help keep your business operations running smoothly.
To open a case by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete listing of Cisco TAC contacts, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml


TAC Case Priority Definitions


To ensure that all cases are reported in a standard format, Cisco has established
case priority definitions.
Priority 1 (P1): Your network is down or there is a critical impact to your
business operations. You and Cisco will commit all necessary resources around
the clock to resolve the situation.
Priority 2 (P2): Operation of an existing network is severely degraded, or
significant aspects of your business operation are negatively affected by
inadequate performance of Cisco products. You and Cisco will commit full-time
resources during normal business hours to resolve the situation.
Priority 3 (P3): Operational performance of your network is impaired, but most
business operations remain functional. You and Cisco will commit resources
during normal business hours to restore service to satisfactory levels.
Priority 4 (P4): You require information or assistance with Cisco product
capabilities, installation, or configuration. There is little or no effect on your
business operations.

Obtaining Additional Publications and Information


Information about Cisco products, technologies, and network solutions is
available from various online and printed sources.

Cisco Marketplace provides a variety of Cisco books, reference guides, and
logo merchandise. Go to this URL to visit the company store:
http://www.cisco.com/go/marketplace/

The Cisco Product Catalog describes the networking products offered by
Cisco Systems, as well as ordering and customer support services. Access the
Cisco Product Catalog at this URL:
http://cisco.com/univercd/cc/td/doc/pcat/

Cisco Press publishes a wide range of general networking, training and
certification titles. Both new and experienced users will benefit from these
publications. For current Cisco Press titles and other information, go to Cisco
Press online at this URL:
http://www.ciscopress.com


Packet magazine is the Cisco quarterly publication that provides the latest
networking trends, technology breakthroughs, and Cisco products and
solutions to help industry professionals get the most from their networking
investment. Included are networking deployment and troubleshooting tips,
configuration examples, customer case studies, tutorials and training,
certification information, and links to numerous in-depth online resources.
You can access Packet magazine at this URL:
http://www.cisco.com/packet

iQ Magazine is the Cisco bimonthly publication that delivers the latest
information about Internet business strategies for executives. You can access
iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems
for engineering professionals involved in designing, developing, and
operating public and private internets and intranets. You can access the
Internet Protocol Journal at this URL:
http://www.cisco.com/ipj

Training: Cisco offers world-class networking training. Current offerings in
network training are listed at this URL:
http://www.cisco.com/en/US/learning/index.html


CHAPTER 1

ACL Manager Overview


ACL Manager helps you manage Access Control Lists (ACLs) on Cisco routers
running IOS, Catalyst switches running Catalyst OS, and PIX devices running
PIX OS. It presents a user-friendly graphical user interface that allows you to
concentrate on the security of your network without learning the complex syntax
of ACLs.
ACL Manager allows you to easily address, solve, and reduce configuration
problems related to ACLs.
These topics introduce you to some of the concepts and features of ACL Manager:

ACL Terms and Definitions

What is ACL Manager?

ACL Manager Tools

ACL Manager Privilege Levels

ACL Terms and Definitions


Access Control Entry (ACE): An Access Control Entry (ACE) is an individual
permit or deny statement within an Access Control List (ACL).
Each ACE includes an action element (permit or deny) and a filter element
based upon criteria such as source address, destination address, protocol,
protocol-specific parameters, and so on.


Access Control List (ACL, ACL Definition): An Access Control List (ACL)
consists of one or more Access Control Entries (ACEs) that collectively define the
network traffic profile. This profile can then be referenced by IOS, Catalyst OS,
or PIX OS features such as traffic filtering, priority or custom queuing, dynamic
access control, encryption, Telnet access, and so on.
The generic term ACL refers to IOS ACLs, VLAN ACLs, and PIX ACLs.
Wherever the term VACL is used, it applies only to VLAN ACL. Wherever the
term IOS ACL is used, it applies only to Router ACL. Wherever the term PIX ACL
is used, it applies only to an ACL on a PIX device.
ACL Manager Entity: A generic term used in ACL Manager for ACEs, ACLs,
ACL Uses, Time Ranges, Templates, Networks, Network Classes, Services and
Service Classes.
ACL Template (Template): A named set of ACEs. Templates can be inserted into
ACLs (see Template Include ACE on page 1-3). Templates can include other
templates.
ACL Use: ACL Use statements in a device configuration utilize or reference an
ACL for some purpose. There are over 50 possible purposes, which include, for
example: IP packet filtering, line access, traffic shaping, IP multicast rate
limiting, SNMP server, and so on.
ACL Use Modes and Contexts: ACLs can be used in various IOS configuration
modes: global, router, route-map, crypto-map, line, and interface.
Except for global, the configuration modes have named contexts within which
ACL Use statements can be created in IOS. The contexts for line mode are the
actual lines (for example, console, vty 0, vty 1, and so on). The contexts for
interface mode are interface names (for example, Serial 0, Ethernet 0,
TokenRing 0, and so on).
ACL Manager allows you to create Use statements only for line, interface and
global modes. ACL Manager allows you to apply these statements only for line
access, packet filtering, and SNMP server access controls. VACLs can be used
only for packet filtering and redirection on VLANs. For VACL Uses, the mode is
VLAN and the contexts are the VLANs defined on the switch.
Device View: A set of devices grouped according to common attributes or
user-defined characteristics. You can use views to monitor groups of devices.
IOS ACLs: Also known as Router ACLs. They are used in routers for packet
filtering on interfaces, line access, SNMP access, route maps, and other purposes.


Logical View: An abstract or high-level view of ACE statements in an ACL. The
logical view could show ACEs using service and network class definitions,
template include statements and comments.
Network: A network is a named IP address and mask combination. It is a subnet
specification used in the source and destination fields of ACE statements.
Network Class: A network class is a named set of IP addresses, hostnames, IP
address ranges, or networks that ACL Manager allows you to use in ACE source
or destination fields.
Out-of-band Change: Out-of-Band (OOB) changes are the ACL-related changes
that have been made to the device configuration outside ACL Manager, directly
on the device.
Physical View: A low-level view of ACE statements in an ACL. The physical
view maps one-to-one with the IOS, Catalyst OS, or PIX OS commands
corresponding to the ACE statements.
PIX ACLs: PIX ACLs are similar to Router/IOS ACLs in terms of their
definition, but they are used by PIX devices to control which packets are
allowed through the device.
Service: Services are named TCP or UDP ports that can be used in individual
ACEs to provide a specification of the network traffic to be matched by filter
criteria.
Service Class: A service class consists of named port range specifications that
ACL Manager allows you to use in ACE port specification fields.
Template: See ACL Template on page 1-2.
Template Include ACE: A special ACE that proxies for, or represents, the set of
ACEs corresponding to the template.
View: See Device View on page 1-2.
VLAN Access Lists (VACLs): VACLs are similar to Router/IOS ACLs in terms
of their definition, but they are used by Catalyst 6000 family switches to
control access for all packets the switch forwards, including packets bridged
within a VLAN (traffic that a router ACL on an interface never sees).
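The relation between these terms, as an added example that is not part of this guide or of ACL Manager's own code: a small Python model in which a Network Class or Service Class named in an ACE stands for all of its members, a Template Include ACE stands for the ACEs of a template, and the logical view (names kept) is expanded into the physical view (one IOS extended-ACL command per source, destination and port combination). The class, template and ACL names, and the addresses, are made up for the illustration.

```python
"""Logical and physical views of an ACL, as the terms above define them.

Added example, not ACL Manager code. A Network Class or Service Class
named in an ACE stands for all of its members; a Template Include ACE
stands for the ACEs of a template. The logical view keeps those names;
the physical view is the IOS command list, one line per combination.
Class, template and ACL names here are made up for the illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union


def wildcard(net: str) -> str:
    """Render a Network (address/mask) as IOS expects: address plus wildcard,
    'host a.b.c.d' for a /32 and 'any' for 0.0.0.0/0."""
    n = ipaddress.ip_network(net, strict=False)
    if n.prefixlen == 0:
        return "any"
    if n.prefixlen == 32:
        return f"host {n.network_address}"
    return f"{n.network_address} {n.hostmask}"


@dataclass
class ACE:
    action: str                    # permit or deny
    proto: str                     # ip, tcp, udp ...
    src: str                       # Network (CIDR) or Network Class name
    dst: str
    service: Optional[str] = None  # port, or Service Class name
    remark: Optional[str] = None   # comment kept with the ACE


@dataclass
class Include:
    template: str                  # Template Include ACE


Entry = Union[ACE, Include]


@dataclass
class Model:
    network_classes: Dict[str, List[str]] = field(default_factory=dict)
    service_classes: Dict[str, List[str]] = field(default_factory=dict)
    templates: Dict[str, List[Entry]] = field(default_factory=dict)

    def nets(self, ref: str) -> List[str]:
        """A Network Class expands to its members; anything else is a Network."""
        return self.network_classes.get(ref, [ref])

    def ports(self, ref: Optional[str]) -> List[Optional[str]]:
        return [None] if ref is None else self.service_classes.get(ref, [ref])

    def logical(self, entries: List[Entry]) -> List[str]:
        """Logical view: class names and include statements left as written."""
        out = []
        for e in entries:
            if isinstance(e, Include):
                out.append(f" include {e.template}")
            else:
                port = f" eq {e.service}" if e.service else ""
                out.append(f" {e.action} {e.proto} {e.src} {e.dst}{port}")
        return out

    def physical(self, entries: List[Entry], depth: int = 0) -> List[str]:
        """One IOS command per source x destination x port combination;
        templates expand recursively, with a guard against include loops."""
        if depth > 8:
            raise ValueError("template include nesting too deep (loop?)")
        out: List[str] = []
        for e in entries:
            if isinstance(e, Include):
                out += self.physical(self.templates[e.template], depth + 1)
                continue
            if e.remark:
                out.append(f" remark {e.remark}")
            for s in self.nets(e.src):
                for d in self.nets(e.dst):
                    for p in self.ports(e.service):
                        port = f" eq {p}" if p else ""
                        out.append(f" {e.action} {e.proto} {wildcard(s)} {wildcard(d)}{port}")
        return out


# Constructed sample: two management hosts, two web ports, one anti-spoof template.
MODEL = Model(
    network_classes={"MGMT": ["10.1.1.10/32", "10.1.1.11/32"]},
    service_classes={"WEB": ["80", "443"]},
    templates={"ANTI-SPOOF": [ACE("deny", "ip", "10.0.0.0/8", "0.0.0.0/0",
                                  remark="block spoofed internal sources")]},
)
OUTSIDE_IN: List[Entry] = [
    Include("ANTI-SPOOF"),
    ACE("permit", "tcp", "MGMT", "10.2.0.0/24", "WEB"),
    ACE("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]


def physical_acl(name: str = "OUTSIDE-IN", entries: List[Entry] = OUTSIDE_IN) -> List[str]:
    return [f"ip access-list extended {name}"] + MODEL.physical(entries)


if __name__ == "__main__":
    print("\n".join(MODEL.logical(OUTSIDE_IN)))
    print("\n".join(physical_acl()))
```

The three-line logical ACL expands to seven IOS commands; the depth guard matters because templates may include other templates, and a template that includes itself would otherwise expand forever.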


What is ACL Manager?


The ACL Manager application is designed for the experienced network
administrator who already understands the structure and uses of ACLs. It allows
you to create, modify, and deploy ACLs to multiple devices through a Windows
Explorer-type interface. ACL Manager supports ACLs for:

IOS releases 10.3 through 12.2

CatOS releases 5.3 through 7.6

PIXOS releases 5.1 through 6.3

Using ACL Manager, you can create ACL uses for traffic filtering, line access, and
SNMP server access. Although you cannot create all types of ACL uses,
ACL Manager recognizes and tracks all existing types of ACL uses (such as
router, route-map, and crypto-map). This means that if you rename an ACL that
is referenced in uses other than traffic filtering or line access, the use statement is
updated with the new ACL name.
ACL Manager allows comments to be associated with an ACL or ACE, so that you
can audit and track the changes on an ACL or ACE.

ACL Manager Components


ACL Manager maintains a device model with attributes relevant to ACL
management for managed devices (routers, switches and PIX devices). The device
model is initialized by obtaining configuration files from Config Archive and
parsing relevant statements.
ACL Manager comprises a GUI that is integrated with the CiscoWorks desktop.
This split-panel interface provides the means to create, edit, and view ACLs.
When you select a node in the left pane, the right pane displays the contents of the
node and its attributes. The display in the right pane is context sensitive.
The ACL Manager GUI also provides access to editing tools and other functions,
such as the Template Manager, Class Manager, Policy Verification Wizard, ACE
Validator, Use Wizard, ACL Downloader, Optimizer, and Hits Optimizer. See
ACL Manager Tools.


Benefits of ACL Manager


Network problems are frequently introduced when devices are configured, and
fixing such problems is both expensive and time-consuming. Also, since
router/switch configurations are interdependent, network complexity increases
exponentially with the number of routers, and configuration problems become
harder to detect and avoid.
The result is either operational or latent configuration problems. ACL Manager
solves these problems by providing inventory and change audit features that
simplify the processes for setting up and changing device configurations.
In addition, ACL construction must be extremely precise, because an incorrect
filter can open a security hole or cut off a network. Writing filters is
time-consuming: it might take many lines of IOS, Catalyst OS, or PIX OS
commands to configure coexisting filters for different protocols. With the
ACL Manager GUI, you need not know IOS, Catalyst OS, or PIX OS syntax to
create ACLs.
ACL Manager:

Provides a uniform interface that insulates the user from any differences in
ACL features for the supported IOS, Catalyst OS, and PIX OS versions.

Is easy to use and ensures high productivity for the user.

Supports Secure Sockets Layer (SSL) for secure client to server
communication.

Supports Secure Shell (SSH) for secure server to device communication.

Maintains versions of ACL manager entities.

Reduces device configuration time dramatically.

Reduces installation costs.

Provides greater security through a role-based model.

Enables controlling and tracking of all changes made to ACLs, ACL uses,
templates, etc.

Allows monitoring of the system by logging all the changes made during a
user session.

Enables easy access to information about devices and the changes made to
them, through the reports generation feature.


Easily detects changes directly applied to device configuration (using telnet,
etc.)

Is integrated with Resource Manager Essentials and uses the Config Archive,
Inventory, Change Audit Service, and Transport facilities.

Provides a browser-based GUI and integrates the task flow with the Resource
Manager Essentials GUI.

Allows you to fully exploit the ACL features in IOS, Catalyst OS, and PIX
OS.

Reduces operation time when deploying ACLs to several devices.

Provides for automated deployment of ACLs.

Enables you to apply VACLs on Private VLANs.

Allows novice operators to safely deploy, previously set up, complex ACLs,
through flexible templates. Templates also allow users to establish policies
and to standardize on ACL uses.

Supports policy verification. Enables you to create and enforce policies. (A
policy is a set of rules that specifies tasks (ACEs) that you must include in the
ACL.)

Enables you to perform a check for the validity of ACEs within a ACL,
VACL, or a template.

Removes the drudgery of entering ACL configurations repeatedly on multiple
devices by providing point-and-click copy and paste functionality.

Minimizes human error in ACL creation by reducing the necessity of creating
multiple ACEs. It does this by allowing the use of classes.

Improves network throughput by enabling ACL optimization.

Permits the use of Domain Name System (DNS) names in ACE source and
destination fields. ACL Manager automatically performs a DNS look-up and
stores the resulting IP addresses in these fields; the deployed ACE therefore
contains addresses, not names, and does not follow later DNS changes.


ACL Manager Functionality


ACL Manager comprises a suite of modules and tools designed to simplify the
management of ACLs and ACL Use statements. The suite contains five major
modules: ACL Manager, Template Manager, Class Manager, Use Wizard, and
ACL Downloader. See ACL Manager Tools for a description of the tools
provided by ACL Manager.
The ACL Manager suite is integrated with the Resource Manager Essentials
Config Archive and Inventory applications. It uses device information from
Inventory, and reads the configuration contained in the Config Archive to create
a model of the ACLs and ACL Use statements in the device configuration.
The ACL Manager module provides a tree view to display this information in a
Windows Explorer-type GUI. When you change device ACLs and ACL Use
statements, ACL Manager generates the appropriate IOS, Catalyst OS, or PIX OS
commands (config deltas) to implement the configuration changes.
A download mechanism is provided to enable you to apply the configuration
changes to the appropriate devices. The Config Archive is updated automatically
after a successful ACL Manager download.
ACL Manager uses Java Plug-in. The plug-in improves the performance of
ACL Manager, and it is provided with the CiscoWorks application. (See the topic
Installing the Java Plug-in in Chapter 3 of the User Guide for CiscoWorks
Server).
Some of the tasks that the ACL Manager suite enables you to perform include:

Identifying when an ACL was last modified and applied (Other Attributes
in Chapter 2).

Navigating around devices to see which ACLs are defined and where they are
used; even ACL Uses that are not supported for creation by ACL Manager
are listed (Viewing Existing ACLs in Chapter 4).

Creating new ACLs (Creating ACLs in Chapter 4).

Editing an existing ACL and returning it to its device (Editing ACLs in
Chapter 4).

Reordering ACEs (Reordering ACEs in Chapter 4).

Naming, renaming, and numbering ACLs. Making the appropriate changes in
the rest of the configuration file (Deleting ACLs in Chapter 4).


Saving an ACL as a template, and associating it with a logical name (Editing
ACLs in Chapter 4).

Creating an alias for an ACL and using it in a device where named ACLs
are not supported (Editing ACLs in Chapter 4).

Naming networks and services and creating classes containing host
addresses, address ranges, networks, or other classes, and using them in ACL
definitions (Using the Class Manager in Chapter 5).

Creating and editing templates (Using the Template Manager in Chapter 6).

Applying ACL templates or ACLs for packet filtering or line access on
devices (Defining ACL Uses in Chapter 12).

Deploying ACLs on a group of devices (Scheduling Downloads in
Chapter 15).

Scheduling and downloading modified ACL and ACL Use statements
and/or changes in meta-information, such as comments and template include
statements, to devices (Scheduling Downloads in Chapter 15).

Optimizing ACL statements to eliminate redundancies, compress entries,
and adjust the order of ACEs for maximum performance (Optimizing ACLs
in Chapter 16).

ACL Manager Tools


ACL Manager provides the following tools for ACL development:

Class Manager: Enables you to create and edit services, service classes,
networks, and network classes. You can then use these definitions in ACE
source and destination fields, saving you the trouble of entering multiple IOS,
Catalyst OS, or PIX OS commands covering all possible combinations of
source and destination field components (see Chapter 5, Using the Class
Manager).

Template Manager: Enables you to create and edit ACL templates (see
Chapter 6, Using the Template Manager).

Use Wizard and its variants: Enable you to define ACL uses (see
Chapter 12, ACL Manager Use Wizard).

Job Browser: Displays the status of download jobs (see Chapter 15,
Scheduling and Downloading).


Downloader: Enables you to schedule and download the modified ACL and
ACL Use statements and/or changes in meta-information such as comments
and template include statement creations, to devices (see Chapter 15,
Scheduling and Downloading).

Optimizer: Enables you to examine an ACL, after it has been created or
edited, to see if optimization is possible (see Chapter 16, Optimizing
ACLs).

Hits Optimizer: Reorders ACEs within an ACL in accordance with the
hit-rate (see Chapter 16, Optimizing ACLs).

Diff Viewer: Displays the configuration changes you have made to ACLs
(see Chapter 16, Optimizing ACLs).
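What the Optimizer and Hits Optimizer steps above amount to, as an added example (not ACL Manager's own code): a Python implementation over a standard IP ACL with constructed hit counts. It removes ACEs that an earlier ACE already shadows, compresses adjacent same-action entries into one prefix, and reorders by hit count under the constraint that matters for security, namely that an ACE may not move ahead of an earlier ACE of a different action that overlaps it, since that would change the first match for some address. The same check applies to extended ACLs over the full protocol, address and port tuple; the example handles only the source prefix.

```python
"""ACL optimization on a standard IP ACL: drop unreachable (shadowed) ACEs,
compress adjacent same-action entries into one prefix, and reorder by hit
count without changing what the ACL permits or denies.

Added example, not the Optimizer or Hits Optimizer code. Hit counts and
prefixes are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class ACE:
    action: str        # permit or deny
    src: str           # source prefix in CIDR form
    hits: int = 0      # match counter read from the device

    @property
    def net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.src, strict=False)


def overlaps(a: ACE, b: ACE) -> bool:
    return a.net.overlaps(b.net)


def remove_redundant(acl: List[ACE]) -> List[ACE]:
    """An ACE whose whole prefix lies inside an earlier ACE can never match,
    whatever its action, so it is dropped."""
    kept: List[ACE] = []
    for ace in acl:
        if not any(ace.net.subnet_of(k.net) for k in kept):
            kept.append(ace)
    return kept


def merge_adjacent(acl: List[ACE]) -> List[ACE]:
    """Two consecutive ACEs with the same action whose prefixes form one
    supernet become a single ACE (their hits are summed)."""
    out: List[ACE] = []
    for ace in acl:
        if out and out[-1].action == ace.action:
            joined = list(ipaddress.collapse_addresses([out[-1].net, ace.net]))
            if len(joined) == 1:
                out[-1] = ACE(ace.action, str(joined[0]), out[-1].hits + ace.hits)
                continue
        out.append(ace)
    return out


def reorder_by_hits(acl: List[ACE]) -> List[ACE]:
    """Greedy: repeatedly place the highest-hit ACE that is not blocked by an
    earlier, still unplaced ACE of a different action that overlaps it."""
    order: List[int] = []
    remaining = list(range(len(acl)))
    while remaining:
        for i in sorted(remaining, key=lambda k: -acl[k].hits):
            blocked = any(j < i and acl[j].action != acl[i].action
                          and overlaps(acl[i], acl[j]) for j in remaining)
            if not blocked:
                order.append(i)
                remaining.remove(i)
                break
    return [acl[i] for i in order]


def optimize(acl: List[ACE]) -> List[ACE]:
    return reorder_by_hits(merge_adjacent(remove_redundant(acl)))


def first_match(acl: List[ACE], addr: str) -> str:
    """The action the ACL applies to one source address (implicit deny at end)."""
    ip = ipaddress.ip_address(addr)
    for a in acl:
        if ip in a.net:
            return a.action
    return "deny"


def render(number: int, acl: List[ACE]) -> List[str]:
    """Physical view of a numbered standard ACL."""
    lines = []
    for a in acl:
        if a.net.prefixlen == 0:
            target = "any"
        elif a.net.prefixlen == 32:
            target = f"host {a.net.network_address}"
        else:
            target = f"{a.net.network_address} {a.net.hostmask}"
        lines.append(f"access-list {number} {a.action} {target}")
    return lines


# Constructed sample ACL with hit counts.
SAMPLE = [
    ACE("deny", "10.1.1.0/25", 3),
    ACE("deny", "10.1.1.128/25", 2),
    ACE("permit", "10.1.0.0/16", 900),
    ACE("permit", "10.1.1.0/24", 0),        # shadowed by the /16 above
    ACE("deny", "192.168.5.5/32", 40),
    ACE("permit", "192.168.0.0/16", 1200),
    ACE("deny", "0.0.0.0/0", 10),
]

if __name__ == "__main__":
    print("\n".join(render(10, optimize(SAMPLE))))
```

The high-hit permit for 192.168.0.0/16 cannot move ahead of the deny for 192.168.5.5, and the permit for 10.1.0.0/16 cannot move ahead of the deny for 10.1.1.0/24, so both denies are placed first; first_match gives the same answer before and after for every address, which is the property to verify before downloading an optimized ACL.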

ACL Manager Privilege Levels


ACL Manager incorporates the privilege levels defined by Resource Manager
Essentials.

Level | Description
HD | Help Desk
AP | Approver
NO | Network Operator
NA | Network Administrator
SA | System Administrator

ACL Manager tasks require various privilege levels, and your ability to perform
these tasks depends on your assigned privilege level. You should contact your
system administrator to find out your privilege level and which tasks you can
access.
ACL Manager tasks are usually performed with network operator or network
administrator privileges. You can view the tasks that can be performed at each
level by going to the CiscoWorks desktop and selecting
Server Configuration > Setup > Security > Permission Reports.


Privilege Levels and Tasks


This table describes the various privilege levels and their respective tasks:

Privilege Level | Tasks
Network Operator | View ACLs; Use ACL Templates; Browse Download Jobs (browse and cancel download jobs)
Approver | Approve/Reject Job Downloads; View ACLs
Network Administrator | Edit ACLs (create and edit ACLs); Schedule Downloads; Edit ACL Templates; Edit Class Definitions; Reset Hit Counter; View ACLs


Chapter 2

ACL Definitions and Uses


This chapter explains how to define and use ACLs and ACL templates and
describes ACL Uses. The topics covered are:

Creating ACLs and Templates

ACL and Template Attributes

ACL Properties (Use Details)

ACL Uses

Creating ACLs and Templates


You can create ACLs in several ways:

Using a combination of the ACL Editor and the ACE Editor.

Using the cut, copy, and paste features; by cutting or copying ACLs or ACEs
from one device or ACL and then pasting them to other devices or ACLs.

Using the import feature to import ACLs. ACL Manager allows you to import
Cisco device configurations that conform to the IOS, Catalyst OS and PIX
formats, from an external source.

Similarly, there are several ways you can create templates:

Using the Template Manager in the same way that you create an ACL using
the Template Editor and the ACE Editor.

Saving portions of an ACL (a set of ACEs) as a template.


Saving an existing ACL as a template.

Importing ACEs and saving them as a template.

ACL and Template Attributes


Each ACL or template has the following attributes:

Attribute | Description
Name/Number | Name or number of the ACL (IOS or PIX), or the ACL template. For a VACL, number is not applicable.
Version | Version and the state of the ACL. For example, Checked In, Checked Out.
Type | Associated ACL type (see Name, Number, and Type Attributes).

After you start ACL Manager (see Chapter 3, Getting Started), you can use the
following procedure to view the ACL definitions for a particular device.
To view ACLs and their attributes:

Procedure
Step 1

Expand the Devices folder in the ACL Manager Main Window.

Step 2

Select the device, and then select ACL Definitions.


The ACLs and their attributes appear in the right pane (see Figure 2-1).


Figure 2-1 Displaying ACL Definitions

Name, Number, and Type Attributes


Each ACL must be identified by a name or a number. A number used to identify
an ACL must be within a specified range of numbers that is valid for the ACL type
(see the following table).
IOS and PIX ACLs can be identified by either a name or a number. VACLs are
identified by name only.
You have the option of letting the ACL Manager select a number for you (the
Autonumber feature). If you select Autonumber, ACL Manager uses the first
available number in the appropriate range to identify the ACL.
ACL Type | Range
IP Standard | 1 to 99 (also 1300 to 1399 in some IOS versions)
IP Extended | 100 to 199 (also 2000 to 2699 in some IOS versions)


Rate Limit MAC | 1 to 99
Rate Limit Precedence | 100 to 199

Named ACLs are not supported on some IOS versions. In that case, the ACL
name is shown with an automatically generated number appended to the name
and enclosed in parentheses.
For Rate Limit ACLs, ACL Manager distinguishes the ACL from a standard IP
ACL by appending the string rate-limit to the number.

Other Attributes
Besides the Name/Number and Type attributes, the ACL Manager Main Window
also displays the Version attribute. The Version column shows the version of
each ACL in the ACL Definitions folder and its state, that is, whether the
ACL is checked in, checked out, and so on.
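How Autonumber picks a number, as an added example (not ACL Manager's own code): the numbers already in use are harvested from a constructed IOS configuration fragment, rate-limit ACLs are kept in their own number space (IOS allows access-list 1 and access-list rate-limit 1 to coexist), and the expanded IOS ranges are offered only when the caller says the device supports them. The label function shows the name (number) and rate-limit display conventions described above.

```python
"""Pick the number for a new numbered ACL the way the Autonumber feature does:
the first number not yet used on the device, within the range valid for
the ACL type. Added example, not ACL Manager code; the numbers in use come
from a constructed configuration fragment.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Ranges from the table above. The expanded IOS ranges exist only on some
# releases, so they are offered only when the caller says the device has them.
BASE_RANGES: Dict[str, List[Tuple[int, int]]] = {
    "IP Standard": [(1, 99)],
    "IP Extended": [(100, 199)],
    "Rate Limit MAC": [(1, 99)],
    "Rate Limit Precedence": [(100, 199)],
}
EXPANDED_RANGES = {"IP Standard": (1300, 1399), "IP Extended": (2000, 2699)}

# IP ACLs and rate-limit ACLs are separate number spaces in IOS.
IP_ACL = re.compile(r"^access-list (\d+) ")
RATE_ACL = re.compile(r"^access-list rate-limit (\d+) ")


def numbers_in_use(config: str) -> Dict[str, Set[int]]:
    """Collect the ACL numbers a configuration already defines, per space."""
    used: Dict[str, Set[int]] = {"ip": set(), "rate-limit": set()}
    for line in config.splitlines():
        m = RATE_ACL.match(line)
        if m:
            used["rate-limit"].add(int(m.group(1)))
            continue
        m = IP_ACL.match(line)
        if m:
            used["ip"].add(int(m.group(1)))
    return used


def autonumber(acl_type: str, used: Dict[str, Set[int]],
               expanded_ranges: bool = False) -> int:
    """First free number in the range(s) valid for the ACL type."""
    space = "rate-limit" if acl_type.startswith("Rate Limit") else "ip"
    ranges = list(BASE_RANGES[acl_type])
    if expanded_ranges and acl_type in EXPANDED_RANGES:
        ranges.append(EXPANDED_RANGES[acl_type])
    for lo, hi in ranges:
        for n in range(lo, hi + 1):
            if n not in used[space]:
                return n
    raise ValueError(f"no free {acl_type} number on this device")


def label(number: int, acl_type: str, name: Optional[str] = None) -> str:
    """Display form: 'name (number)' when ACL Manager generated the number for
    a device without named ACLs, and 'rate-limit' appended for rate-limit ACLs
    so they are not confused with an IP ACL of the same number."""
    text = f"{name} ({number})" if name else str(number)
    if acl_type.startswith("Rate Limit"):
        text += " rate-limit"
    return text


# Constructed configuration fragment.
SAMPLE_CONFIG = """\
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 deny any
access-list 101 permit tcp any any eq 22
access-list 1300 permit any
access-list rate-limit 1 0000.0c12.3456
access-list rate-limit 101 5
"""

if __name__ == "__main__":
    used = numbers_in_use(SAMPLE_CONFIG)
    for t in BASE_RANGES:
        print(t, label(autonumber(t, used), t))
```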

ACL Properties (Use Details)


Certain elements in ACL Manager, such as devices, ACLs, and router interfaces,
have associated properties. For an ACL, the properties that you see are actually
its Use details, as shown in the following table:
Property | Description
ACL Uses | Uses defined for the ACL.
Use Context | Context for the Use.
IOS/Catalyst OS Command | IOS/Catalyst OS command that implements the Use.
Description | Description of the Use, taken from the IOS/Catalyst OS reference manual. You cannot change this description.


After you start ACL Manager (see Chapter 3, Getting Started), follow this
procedure to view the ACL properties for a particular device.

Procedure
Step 1

Expand the Devices folder in the ACL Manager Main Window.

Step 2

Select the device, then expand ACL Definitions.

Step 3

Right-click on the required ACL, then select Properties.


The ACL Properties window appears (see Figure 2-2).
Figure 2-2 ACL Properties Window: Supported ACL Uses

Unsupported ACL Uses are shown as OTHER (see Figure 2-3).

Figure 2-3 ACL Properties Window: Unsupported ACL Uses


Tip

You can also view the properties by selecting the ACL to be examined and then
selecting the toolbar button or View > Properties from the ACL Manager Main
Menu.

ACL Uses
You can define ACL Uses for line access, packet filtering, SNMP community
access, SNMP TFTP server, and VLAN packet filtering.
You can view ACL Uses of other types, such as router, route-map, and crypto-map
using ACL Manager.

Use Modes and Contexts


ACL Manager detects the Use modes for ACLs in a selected device. Depending
on which Uses ACL Manager detects, the following modes can appear when you
select ACL Uses in the left pane:

Global

Router

Route Map

Crypto Map

Line

Interface

VLAN

These modes correspond to router configuration modes in IOS. Except for
configuration mode global, all Use modes can have one or more Use contexts
associated with them. Use contexts for line and interface are the actual vtys or
lines and interfaces existing on the router.
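How the ACL Use model described above can be built from a configuration, as an added Python example (not ACL Manager's own code): a top-level IOS line sets the mode and its context, indented lines are the commands inside that context, and each ACL-referencing command is recorded with its mode, context and purpose. Uses ACL Manager can create keep their purpose; router, route-map and crypto-map Uses are recorded but reported as OTHER. The configuration is constructed for the example, and the SNMP community string is redacted in the model because it is a credential.

```python
"""Build the ACL Use part of a device model from an IOS configuration.

Added example, not ACL Manager code. A top-level line sets the mode
(global, interface, line, router, route-map, crypto-map) and its context;
indented lines are commands inside that context. Uses ACL Manager can
create keep their purpose; every other kind is reported as OTHER.
The configuration is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Top-level lines that open a configuration mode with a named context.
MODE_RE = re.compile(r"^(interface|line|router|route-map|crypto map)\s+(.+)$")

# (mode the command appears in, regex with an <acl> group, purpose).
# A purpose of None means ACL Manager lists the Use but cannot create it.
USE_PATTERNS = [
    ("interface", re.compile(r"^ip access-group (?P<acl>\S+) (?:in|out)$"), "packet filtering"),
    ("line", re.compile(r"^access-class (?P<acl>\S+) (?:in|out)$"), "line access"),
    ("global", re.compile(r"^snmp-server community \S+(?: view \S+)? (?:RO|RW) (?P<acl>\S+)$"),
     "SNMP community access"),
    ("global", re.compile(r"^snmp-server tftp-server-list (?P<acl>\d+)$"), "SNMP TFTP server"),
    ("router", re.compile(r"^distribute-list (?P<acl>\S+) (?:in|out)\b"), None),
    ("route-map", re.compile(r"^match ip address (?P<acl>\S+)$"), None),
    ("crypto-map", re.compile(r"^match address (?P<acl>\S+)$"), None),
]


@dataclass
class Use:
    acl: str
    mode: str
    context: str      # empty for global mode
    command: str      # IOS command implementing the Use
    purpose: str      # ACL Manager purpose, or OTHER


def _record(uses: List[Use], mode: str, context: str, cmd: str) -> None:
    for pat_mode, rx, purpose in USE_PATTERNS:
        m = rx.match(cmd)
        if pat_mode != mode or not m:
            continue
        shown = cmd
        if purpose == "SNMP community access":
            # The community string is a credential: keep it out of the model.
            shown = re.sub(r"(community )\S+", r"\1<redacted>", cmd)
        uses.append(Use(m.group("acl"), mode, context, shown, purpose or "OTHER"))
        return


def parse_uses(config: str) -> List[Use]:
    uses: List[Use] = []
    mode, context = "global", ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith(" "):
            _record(uses, mode, context, line.strip())
            continue
        # Any top-level line (including '!') ends the previous context.
        mode, context = "global", ""
        m = MODE_RE.match(line)
        if m:
            mode = m.group(1).replace("crypto map", "crypto-map")
            context = m.group(2)
        else:
            _record(uses, mode, context, line)
    return uses


def uses_of(uses: List[Use], acl: str) -> List[Use]:
    """Every Use of one ACL, including those ACL Manager cannot create; these
    are the statements a rename of the ACL has to update as well."""
    return [u for u in uses if u.acl == acl]


# Constructed running-config fragment (community string is made up).
SAMPLE_CONFIG = """\
hostname edge-rtr
!
snmp-server community s3cr3t RO 10
snmp-server tftp-server-list 11
!
interface Ethernet0
 ip address 10.2.0.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
interface Serial0
 ip access-group 101 out
!
line vty 0 4
 access-class 5 in
!
router ospf 1
 distribute-list 30 in
!
route-map PBR permit 10
 match ip address 20
!
crypto map VPN 10 ipsec-isakmp
 match address 150
"""

if __name__ == "__main__":
    for u in parse_uses(SAMPLE_CONFIG):
        print(f"{u.acl:12} {u.mode:10} {u.context:22} {u.purpose:22} {u.command}")
```

The mode and context columns are exactly what the left pane shows under ACL Uses; the command column is what the IOS Command attribute displays, which is why the example strips the community string before storing it.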


Use this procedure to view ACL Use information for a particular device:

Procedure
Step 1

Expand the Devices folder in the ACL Manager Main Window, select the device,
then expand ACL Uses.

Step 2

Expand the mode (for example, Interface).

Step 3

Select the specific context to be displayed (for example, Ethernet0).


Information about the ACL Use appears in the right pane (see Figure 2-4).
Figure 2-4 Displaying ACL Use Mode: Interface


The attributes of the ACL Use information are:


Attribute | Description
ACLs | ACL used in this context.
IOS Command | IOS command that implements the use.
Description | Description of the Use, taken from the IOS reference manual. You cannot change this description.


Chapter 3

Getting Started
ACL Manager provides you with a launch point for performing many of the tasks
involved with ACL management.
These topics describe how to get started with ACL Manager:

Before You Begin

ACL Manager Functions

Starting ACL Manager

Printing

Navigating in the ACL Manager Main Window

Using the Device State Icons

ACL Manager Menus

Using the Toolbar

Using Keyboard Shortcuts

Performing a Complete Workflow Cycle

Managing Out-of-Band Changes to Device Configuration

Backing Up and Restoring ACL Manager Data

Before You Begin


Before you can begin using the ACL Manager applications or tools, you must
ensure that:

ACL Manager server has been installed on a server machine with RME
already installed (see Setting Up Resource Manager Essentials).

The RME Inventory application has been updated with device information for
those devices whose ACLs you intend to manage with ACL Manager.

The Role-based Access Control feature has been enabled, if required. (For
details about how to enable this feature, see the Installation Guide for ACL
Manager.)

We strongly recommend that you become familiar with the discussion of ACL
Terms and Definitions in Chapter 1 before proceeding further.

Setting Up Resource Manager Essentials


You must have Resource Manager Essentials (RME) installed and running in
order to use ACL Manager. In addition, you must populate the device inventory
with those devices to be managed by ACL Manager.
To set up Resource Manager Essentials:

Procedure
Step 1

Install and start RME.


See the appropriate RME installation guide for details.

Step 2

From the CiscoWorks desktop, select Resource Manager Essentials >


Administration > Inventory > Add Devices to populate your network inventory
with the devices to be managed by the ACL Manager.

Step 3

Ensure that Java, JavaScript, and Accept all cookies are enabled in your browser
settings.
If these settings are not enabled, you will not be able to log in to RME.

ACL Manager Functions


The ACL Manager functions are located in the ACL Manager drawer on the
CiscoWorks desktop. See Figure 3-1.
Figure 3-1

ACL Manager

The options available within the ACL Manager drawer are:

Edit ACLs

Edit ACL Templates

Edit Class Definition

Out-of-Band Changes

Job Management

ACL Manager Reports

Administration

Each ACL Manager selection launches an application or performs an operation
from the set of tools provided by ACL Manager.


Table 3-1 describes each task, the associated tool, and the launch point from the
ACL Manager drawer on the CiscoWorks desktop:

Table 3-1

Task | Tool | ACL Manager Launch Point
Creating and editing ACLs | ACL Manager | Edit ACLs
Creating, editing, and viewing ACL templates | Template Manager | Edit ACL Templates
Creating services, service classes, networks and network classes | Class Manager | Edit Class Definition
Listing Out-of-Band changes | ACL Manager | Out-of-Band Changes
Handling Out-of-Band changes | ACL Manager | Edit ACLs
Managing ACL Manager jobs (using the Job Browser or the Pending Marks Browser) | ACL Manager | Job Management
Generating ACL Manager reports | ACL Manager | ACL Manager Reports
Administering ACL Manager (resetting the hit counter). If Role-based Access Control and Change Approval have been enabled, the administrative tasks associated with these features also appear here. | ACL Manager | Administration

Table 3-2 describes the subtasks, and the launch points, from the ACL Manager
drawer on the CiscoWorks desktop:

Table 3-2

Subtask | Navigation Path
Browsing, deleting, and resubmitting jobs | ACL Manager > Job Management > Job Browser
Viewing changed entities that are marked for downloading, scheduling downloads of marked entities | ACL Manager > Job Management > Pending Marks Browser
Generating Time Range Changes report | ACL Manager > ACL Manager Reports > Time Range Changes


Generating Out-of-Band Changes report | ACL Manager > ACL Manager Reports > Out-of-Band Changes
Resetting device hit counters before using Hits Optimizer | ACL Manager > Administration > Reset Hit Counter

Table 3-3 provides the launch points for the Role-based Administration task and
its subtasks, from the ACL Manager drawer on the CiscoWorks desktop.

Note

These tasks and sub-tasks appear within the ACL Manager drawer only if you
have enabled Role-based Access Control at the time of installing ACL Manager.
To enable Role-based Access Control, see the Installation Guide for ACL
Manager.

Table 3-3

Role-based Administration Task | Navigation Path
Role-based Administration | ACL Manager > Administration > Rolebased Administration

Role-based Administration Subtask | Navigation Path
User Management subtasks:
Creating user groups | ACL Manager > Administration > User Management > Create User Group
Modifying user groups | ACL Manager > Administration > User Management > Modify User Group
Deleting user groups | ACL Manager > Administration > User Management > Delete User Group
Viewing all user groups | ACL Manager > Administration > User Management > Show All User Groups
Device Management subtasks:
Creating device groups | ACL Manager > Administration > Device Management > Create Device Group
Modifying device groups | ACL Manager > Administration > Device Management > Modify Device Group


Deleting device groups | ACL Manager > Administration > Device Management > Delete Device Group
Viewing all device groups | ACL Manager > Administration > Device Management > Show All Device Groups
Task Management subtasks:
Assigning or modifying tasks | ACL Manager > Administration > Tasks Management > Assign/Modify Tasks

Table 3-4 provides the launch points for the Change Approval task and its
subtasks, from the ACL Manager drawer on the CiscoWorks desktop.

Note

These tasks and sub-tasks appear within the ACL Manager drawer only if you
have enabled Change Approval at the time of installing ACL Manager.
To enable Change Approval, see the Installation Guide for ACL Manager.

Table 3-4

Change Approval Task | Navigation Path
Change Approval | ACL Manager > Administration > Change Approval

Change Approval Subtask | Navigation Path
Approving or rejecting changes to ACL Manager entities | ACL Manager > Administration > Change Approval > Approve Reject Changes
Viewing processed changes | ACL Manager > Administration > Change Approval > Processed Changes
Configuring change approval | ACL Manager > Administration > Change Approval > Configure Change Approval


Table 3-5 provides the launch points for the Reports for Change Approval and
Role-Based Access Control, from the ACL Manager drawer on the CiscoWorks
desktop.

Note

These ACL Manager Reports appear within the ACL Manager drawer only if you
have enabled Role-based Access Control or Change Approval at the time of
installing ACL Manager.
To enable Role-based Access Control or Change Approval, see the Installation
Guide for ACL Manager.

Table 3-5

Task | Navigation Path
Generating Change Approval Status report | ACL Manager > ACL Manager Reports > Change Approval Status
Generating Approver Group Mapping report for devices | ACL Manager > ACL Manager Reports > Approver Group Mapping
Generating My Task Mapping report | ACL Manager > ACL Manager Reports > My Task Mapping
Generating Task Mapping report | ACL Manager > ACL Manager Reports > Task Mapping
Generating My User Group Membership report | ACL Manager > ACL Manager Reports > My User Group Membership
Generating User Group Membership report | ACL Manager > ACL Manager Reports > User Group Membership


Starting ACL Manager


ACL Manager uses Java Plug-in. This plug-in improves the performance of
ACL Manager, and it is provided with the CiscoWorks application (see the topic
Installing the Java Plug-in in Chapter 3 of User Guide for CiscoWorks Server).
To start ACL Manager:

Procedure
Step 1

Select ACL Manager > Edit ACLs.


The ACL Manager Main Window appears (see Figure 3-2).

Figure 3-2 ACL Manager Main Window

Note

In some browser versions, you will get a security warning asking for
permission to install and execute code from Cisco Systems. Check that the
publisher named in the warning is Cisco Systems, then select Yes to proceed.


The ACL Manager Main Window is a central point within ACL Manager for
managing ACL Manager entities such as ACLs, time ranges, ACL uses, object
groups, etc. You can also store imported entities, view and manage your specific
changes to ACL Manager entities, and resolve Out-of-Band changes. For more
information see Navigating in the ACL Manager Main Window.
Step 2  Navigate to the Root > Devices folder.

Step 3  Right-click on the Devices folder and select Add Device(s) from the pop-up
menu. For more information, see Populating the Devices Folder.
The Device Selector dialog box appears.

Step 4  Select a device view from the Views column, for example, All Devices.
The devices corresponding to the selected view appear in the Devices column.

Step 5  Select the required devices from the Devices column, then click Add.
The devices appear in the Selected Devices column.

Step 6  Click OK.
The selected devices appear in the Devices folder of the ACL Manager Main
Window.

Populating the Devices Folder


You can add devices to your Devices folder using the Add Devices option. You
can select one, many, or all devices from a selected device view. (A view is a
named set of devices.)
You can also populate the Devices folder using the Open Device View option. This
option opens a Device View and places the entire list of devices in that view into
your Devices folder in the ACL Manager Main Window. With the Open Device View
option you cannot select a subset of the devices in the view.
For details, see Opening a Device View.


To add devices, in the ACL Manager Main Window:

Procedure

Step 1  Right-click on the Devices folder and select Add Device(s) from the pop-up
menu.
The Device Selector dialog box appears with these options:

- Filter: Allows you to select devices using basic and custom filter criteria.
  The basic filter criteria allow you to filter by domain name, device type,
  or software version. The custom filtering option allows you to define your
  own filter criteria. If you check the User Filter option, all future view
  selections will use the current filter settings.
- Previous Selection: Lists previously selected devices.
- All Devices: Lists all managed devices already integrated into the server.
- My Private Views: Lists the private device views that you have created. A
  Private View contains the groups of devices that you had previously saved as
  a Private view. See Saving a Device View.
- Custom Views: Lists the custom device views that you and other users have
  created.
- System Views: Lists pre-defined, dynamic device views (by device category).

Step 2  Select a device view from the Views column, for example, My Private Views.
The devices corresponding to the selected view appear in the Devices column.

Step 3  Select all the devices from the view, or a subset of the devices in the view, and
click Add.
The devices appear in the Selected Devices column.

Step 4  Click OK.
The selected devices appear in the Devices folder of the ACL Manager Main
Window.


Deleting Devices

Deleting a device from the Devices folder in the ACL Manager Main Window will
not delete any changes that you may have made to the device. These changes are
stored in the My Changes folder of the ACL Manager Main Window.
To delete a device from the Devices folder:

Procedure

Step 1  Select the device and press the Delete key on your keyboard.
A message appears stating that deleting the device will not delete your changes:

    Deleting the selected devices will not delete your changes. All your
    changes are still available in the My Changes folder. Do you want
    to continue?

Step 2  Confirm the deletion by clicking OK in the message box.

The device is deleted. However, your changes to the device are still stored in the
My Changes folder in the ACL Manager Main Window.
In the My Changes folder, if you select a change made to a deleted device and
select File > Explore from the ACL Manager Main Menu, the deleted device is
restored to the Devices folder.

Saving a Device View


You can save a set of devices in the ACL Manager Main Window, as a private or
custom Device View.

Procedure

Step 1  Select the Devices folder in the ACL Manager Main Window, and right-click on it.
A pop-up menu appears.

Step 2  Select Save As Device View.

The Save As Private/Custom Static Device View dialog box appears.

Step 3  Select the View type, Custom or Private.
- Custom View: A view that you or other users can select.
- Private View: A view that only you can select.

Step 4  Enter a name for the view.
You can also enter a description for the view.
To overwrite an existing view, select Overwrite an existing view.

Step 5  Click OK.

Opening a Device View


You can open a Device View and get the entire list of devices in that view into
your Devices folder in the ACL Manager Main Window.

Procedure

Step 1  Select the Devices folder in the ACL Manager Main Window, and right-click on it.
A pop-up menu appears.

Step 2  Select Open Device View.

The Device Selector dialog box appears.
You can select a view from the following views in the Devices column:
- My Private Views: Lists the device views that you have created. A Private
  View contains the groups of devices that you had previously saved as a Private
  view. See Saving a Device View.
- Custom Views: Lists the custom device views that you and other users have
  created.
- System Views: Lists pre-defined, dynamic device views (by device category).

After you select a view, the devices in the view appear in the Devices column. You
cannot select a subset of devices from a view.


Step 3  Click OK.
All the devices in the view that you selected appear in the Devices folder in the
ACL Manager Main Window.

Navigating in the ACL Manager Main Window


The ACL Manager Main Window is shown in Figure 3-3.

Figure 3-3  ACL Manager Main Window, Folders Expanded

The following table describes the ACL Manager Main Window:

Folder (left pane)
    Displays a hierarchy of folders within the Root folder:
    - My Changes (see My Changes Folder).
    - Imported Entities (see Imported Entities Folder).
    - Devices (see Devices Folder).
    - Out-of-Band Changes (see Out-of-Band Changes Folder).

Contents (right pane)
    Displays the attributes of any item selected in the folder pane.
    The folder pane is blank if there are no attributes associated
    with the selected item.
    For example, in the left pane, if you select:
    - The My Changes folder, the device, the context, the entity name, the
      entity type, and version details are displayed.
    - The Imported Entities folder, the device type is displayed.
    - The Devices folder, the device name, status, and status details are
      displayed.
    - The Out-of-Band Changes folder, the device name, entity name, the entity
      type, the change type, the detection time, and the unique ID of the
      Out-of-Band change are displayed.
    Line numbers are displayed for each of the ACL Manager entities in the
    right pane.
    You can turn off the line number option by clicking on the Close icon
    (x icon) in the line number header of the column (or by selecting View >
    Show/Hide Line Numbers in the ACL Manager Main Menu). To display the line
    numbers again, select View > Show/Hide Line Numbers in the ACL Manager
    Main Menu.

Status area (bottom left)
    Indicates the status of the application.
    For example, if you are adding devices to the Devices folder, the
    following status appears in this area:
    - Adding Devices: while ACL Manager is adding devices.
    - Ready: when the devices are added.


Item count area (bottom right)
    Shows the number of items contained in the currently selected object.
    For example, when an ACL is selected, it shows the number of ACEs in
    that ACL.

View mode area (bottom center)
    Shows the view mode for viewing ACEs. If you are in an ACL context and in
    physical view mode, the contents pane has a gray background. You cannot
    perform any editing in the physical view mode, except reordering ACEs.

To modify the settings for an editable item in the folder pane, select the item and
then select an appropriate command from a menu. For convenience, for some actions
you can right-click the item to display the options in a pop-up menu.

My Changes Folder

The My Changes folder stores all the ACL Manager entities that you have made
changes to. These entities will be in any one of these states:
- New
- Checked out
- Pending (if Change approval has been enabled).

After an entity is checked in, it disappears from the My Changes folder.

For example, to see a changed entity (an ACL) in its device context:

Procedure

Step 1  Select the ACL and right-click.

Step 2  Select Explore from the pop-up menu that appears.

ACL Manager navigates to the specified ACL in the Devices folder of the ACL
Manager Main Window and highlights it.

If you have deleted the device from the Devices folder, ACL Manager adds the
device and then highlights the selected ACL in the context of the device.


Imported Entities Folder

The Imported Entities folder contains entities that were imported. You can use the
File Import Wizard in ACL Manager to import Cisco device configurations that
conform to the IOS, Catalyst OS, and PIX formats from an external source.
After you import the configurations, ACL Manager parses them and places them
in a folder, Imported Entities, under the Root folder. This folder is temporary
storage for the imported configurations, from where they are pasted onto devices
(see Chapter 13, Importing Configuration).

Devices Folder

The Devices folder contains all the devices that you have selected. This folder is
common to IOS, Catalyst OS, and PIX devices.
To see the following folders, double-click on the devices in the Devices folder:
- ACL Definitions
- ACL Uses
- Time Ranges
- Object Groups

To expand or collapse a folder, click the + or - icon next to the folder, or
double-click the folder.
For more information, also see:
- Starting ACL Manager
- Populating the Devices Folder
- Deleting Devices
- Saving a Device View
- Opening a Device View


Out-of-Band Changes Folder

Out-of-Band (OOB) changes are the ACL-related changes that have been made to
the device configuration outside ACL Manager, directly on the device. You can
launch the ACL Manager Main Window and check for Out-of-Band changes on
the devices in the Devices folder. To do this, select File > Check for Out-of-Band
Changes from the ACL Manager Main Menu.
All the Out-of-Band changes detected by ACL Manager are stored in the
Out-of-Band Changes folder in the ACL Manager Main Window.
For more information, see Managing Out-of-Band Changes to Device
Configuration.

Using the Find Feature


Use the Edit > Find feature to find lines containing specific text in the right
(Contents) pane. Enter the characters in the Find dialog box, and click Find. This
search is case insensitive unless you select the Match Case check box.
Lines in the Contents pane containing the defined characters are highlighted.

ACL Manager Menus

The pull-down menus available from the ACL Manager Main Window are:

File
    Operations at the device level, and other disk-file-oriented operations such as saving
    ACLs and saving ACEs as templates. See File Menu.

Edit
    Operations that change the contents of the active view. See Edit Menu.

View
    Operations that affect the active view display. See View Menu.

ACL
    Operations that are related to ACLs and ACEs. See ACL Menu.

Versioning
    Operations for versioning ACL Manager entities. See Versioning Menu.


Tools
    Tools to assist in the tasks of ACL management. See Tools Menu.

Help
    Operations related to online help, such as details on the ACL Manager release version,
    copyright, browser JVM version, and operating system.

File Menu

The File menu contains:

Explore
    Takes you to the device context. When you select a changed entity from the
    My Changes folder or the Out-of-Band Changes folder in the ACL Manager
    Main Window, this option takes you to the device on which the changed
    entity exists, and highlights it.

Add Device(s)
    Opens the Device Selector dialog box to enable you to add devices. The
    devices that you add appear in the Devices folder in the ACL Manager Main
    Window (see Populating the Devices Folder).

Open Device View
    Opens the Device Selector dialog box to enable you to open existing device
    views. The devices from the view that you selected appear in the Devices
    folder in the ACL Manager Main Window (see Opening a Device View).

Save As Device View
    Opens the Save As Private/Custom Static Device View dialog box to enable
    you to save a set of devices as a Custom View or a Private View (see Saving
    a Device View).

Check for Out of Band Changes
    Checks for out-of-band changes on a selected device. The Out-of-Band
    changes that ACL Manager detects are stored in the Out-of-Band Changes
    folder in the ACL Manager Main Window (see Viewing the Out-of-Band
    Changes Report).

Save ACL As
    Saves the selected ACL as a template (see Chapter 4, Deleting ACLs).

Save ACE As
    Saves the selected ACEs as a template (see Chapter 4, Saving ACEs as a
    Template). The selected ACEs are replaced with a single template include
    ACE.


Copy to System Clipboard
    Copies the selected ACEs (or ACLs, templates, or policies) as text to the
    system clipboard. You can select non-contiguous ACEs (or ACLs, templates,
    or policies). The logical or physical view for an ACL is preserved during the
    copy operation.
    For example, an ACE with a network class in the logical view would appear
    as follows:

        access-list 100 permit tcp network-class @/apac/mynetwork any

    If more than one ACL (or template or policy) is selected and copied, they
    appear as text separated by !.
    For named IOS ACLs, the ACL name is copied only if you have selected the
    entire ACL, or all of its ACEs.

Paste from System Clipboard
    Inserts text from the system clipboard as ACEs into the appropriate location
    within an ACL (or template or policy). ACL Manager validates the syntax of
    the pasted text.
    You cannot edit more than one ACL (or template or policy) at a time using
    this operation.
    When an ACL (or template or policy) is selected, the ACEs are appended to
    the selected entity.
    You cannot paste into the physical view of an ACL.

Import
    Opens the File Import Wizard. Use this wizard to import configuration files
    from an external source into ACL Manager (see Chapter 13, Importing
    Configuration).

Print
    Prints the object and its contents. An object can be the Root folder, any folder
    within the Root folder in the ACL Manager Main Window, a device, or an
    ACL. The Print option is also available in Class Manager and Template
    Manager (see Printing).

Exit
    Exits ACL Manager.


Edit Menu

The Edit menu contains:

Paste
    Pastes the contents of the paste buffer in front of the current selection. If there is
    no current selection, the contents are appended at the end of the contents (right)
    pane.
    In the case of objects that are shown as sorted (for example, ACLs and
    templates), the list in the contents pane is sorted again after pasting.

Undo
    Undoes the last edit operation, if possible. However, some editing operations are
    irreversible; for example, deleting an ACL use statement.

Cut
    Copies the current selection to the paste buffer and deletes it (see Chapter 4,
    Editing ACLs). You can select one or more ACLs or ACEs.

Copy
    Copies the current selection to the paste buffer (see Chapter 4, Editing ACLs).
    You can select one or more ACLs or ACEs.

Move ACE Down
    Moves the selected ACEs down one position.

Find
    Searches for specified text in the right (Contents) pane (see ACL Manager
    Menus).

Search
    Searches for specific versioned entities, for example, ACLs, Global Uses,
    Interface Uses, Time Ranges, and Templates.

Replace
    Replaces entities, for example, ACLs, Global Uses, Interface Uses, Time Ranges,
    and Templates.

Apply Template
    Launches the ACL Use Selection dialog box to allow you to specify a template
    for a device.

Use ACL
    Launches the ACL Use Selection wizard to allow you to select a use for an ACL.

Edit
    Launches the appropriate editor on the current selection. For example, if the
    selection is an ACL, the ACL Editor is launched. If the selection is an ACE,
    the ACE Editor is launched.

Insert ACL
    Launches the ACL Editor to create a new ACL and inserts it into the device.

Insert ACE
    Launches the ACE Editor to create a new ACE.

Include Template
    Launches the Template Browser to insert a new template include statement into
    the current ACL context, before the current ACE.


Insert Comment
    Launches a dialog box to insert a one-line comment into the current ACL context,
    before the current ACE.

Insert Time Range
    Launches the Time Range Editor to create a new time range definition on the
    device.

Show Associated ACLs
    Launches the Associated ACLs on Device dialog box. This allows you to view
    all the versions of ACLs that are associated with a version of a Time Range that
    is currently on the device.

Go to ACL
    Changes the contents pane view context from the ACL use to the ACL being used
    in the selected use.

View Menu

The View menu contains:

Logical View
    Changes the view mode to logical.

Physical View
    Changes the view mode to physical.

Left Pane
    Makes the folder pane visible, if it was previously invisible.

Properties
    Displays a window showing the properties of the selected object.
    Properties can be displayed for devices, interfaces, and ACLs. (ACL
    properties are actually Use details for the ACL.)

Show/Hide Line Numbers
    Displays or hides line numbers of ACL Manager entities in the right pane
    of the main windows of ACL Manager, Template Manager, and Class
    Manager.

Go to Line
    Opens the Go to Line dialog box for you to specify the line number of the
    ACL Manager entity that you want to go to. When you click OK in the Go
    to Line dialog box, the line corresponding to the line number that you
    specified is highlighted.


ACL Menu

The ACL menu contains:

New ACL
    Launches the ACL Editor to create a new ACL.

New ACE
    Launches the ACE Editor to create a new ACE in the current ACL context.
    The new ACE is appended to the end of the list of ACEs in the contents pane.

New Include Template
    Launches the Template Browser to select a template to append a template
    Include ACE to the current ACL context.

New Comment
    Launches a dialog box to enter a one-line comment, which is appended to the
    end of the list of ACEs in the contents pane.

New Time Range
    Launches the Time Range Editor to create a new time range definition on the
    device.

New Object Group
    Launches the Object Group dialog box.

Show ACL Changes
    Highlights (in pale lavender) all the modifications that you made to the
    ACEs within an entity.

Mark All Comments
    Selects all downloadable comments for downloading to a device.

Unmark All Comments
    Unmarks (releases) all the downloadable comments that were marked for
    downloading to a device.

Show Out-of-Band Changes
    Shows you the Out-of-Band changes on the device.

Diff/Merge with Out-of-Band Changes
    Opens the Diff Viewer. This allows you to view the differences between the
    Out-of-Band change on a device and the ACL Manager baseline
    configuration.


Reject Out-of-Band Changes
    Opens the Job Download Wizard to allow you to reject the Out-of-Band
    change.

Mark for Download
    You can select one or more ACLs and mark them for download. After you
    successfully mark the ACLs, you can:
    - Make an immediate download, using the Job Download Wizard, or
    - Use the Pending Marks Browser to select the changed ACLs and
      schedule their download at another time.
    This option is useful when the IP address for a hostname has been changed,
    and the changed IP address needs to be downloaded to the device.

Versioning Menu

The Versioning menu contains:

Get Latest Version
    Gets the latest version of an ACL Manager entity onto your view. This is also
    applicable at the device level, where it fetches the latest version of all entities
    onto your view, including newly created entities.

Check Out
    Launches the Check Out dialog box to check out the selected ACL Manager
    entities.

Show Changes
    Launches the Diff Viewer to show the changes that you have made on an
    ACL Manager entity.

Check In
    Launches the Check In dialog box to check in the selected ACL Manager
    entities.

Undo Check Out
    Cancels the check out for the selected ACL Manager entities.

Get Baseline Version
    Gets the baseline version (the last successfully downloaded version) of an ACL
    Manager entity onto your view. This menu item is applicable only for entities
    that exist on a device. It is also applicable at the device level, where it
    fetches the baseline version of all entities onto your view.


History
    Displays the version history details of a selected entity. This window allows
    you to view the ACEs in a specified version of an ACL, view the Diffs between
    two versions, check out a version, and view version details.

Version Graph
    Displays the versioning history in a graphical format.
    This window allows you to view the ACEs in a specified version of an ACL,
    view the Diffs between two versions, check out a version, delete a version, and
    view version details.

Compare with Latest Version
    Launches the Diff Viewer to display the differences between the latest version
    of the ACL Manager entity and the version currently on a device.

Version Details
    Launches the Version Details window to display the details of a selected
    version of an ACL Manager entity.

Tools Menu

The Tools menu contains:

ACL Use Wizard
    Launches the ACL Use Wizard (see Chapter 12, Defining ACL Uses).

ACL Downloader
    Launches the Downloader (see Chapter 15, Scheduling and Downloading).

Job Browser
    Launches the Job Browser (see Chapter 15, Browsing Job Status and
    Viewing Results).

Mark Changes for Download
    Launches the Mark Changes for Download dialog box. You can mark a
    required version of an entity to be downloaded to a device (see Chapter 15,
    Scheduling and Downloading).

Pending Marks Browser
    Launches the Pending Marks Browser. You can view the marks that are
    pending for the various changed entities (see Chapter 15, Scheduling and
    Downloading).

Class Manager
    Launches the Class Manager (see Chapter 5, Using the Class Manager).

Template Manager
    Launches the Template Manager (see Chapter 6, Using the Template
    Manager).

Optimizer
    Launches the Optimizer (see Chapter 16, Optimizing ACLs).



Get Hits from Device
    Displays a report of the hits on a device.

Hits Optimizer
    Launches the Hits Optimizer (see Chapter 16, Optimizing ACLs).

ACE Validator
    Launches the ACE Validation Results dialog box (see Chapter 14,
    Validating ACEs).

Diff Viewer
    Launches the Diff Viewer (see Chapter 15, Defining the Job and Selecting
    the Job Options).

Verify Policy
    Launches the Policy Browser (see Chapter 7, Creating a Policy).

Update Logical Entities
    Updates the logical entities within ACLs and templates (see Chapter 6,
    Using the Template Manager).

Resolve DNS Names
    Resolves the DNS names contained within an ACL or a template into their
    IP addresses.

Resolve IP Address
    Resolves the IP addresses contained within an ACL or a template into their
    DNS names.

Using the Device State Icons

This table describes the ACL Manager Device State icons:

- An ACL definition.
- A router that has ACL definitions on it (if the icon is blue).
- A stale router that has ACL definitions on it (if the icon is gray).
- A switch that has ACL definitions on it (if the icon is blue).
- A stale switch that has ACL definitions on it (if the icon is gray).


- A router that has no ACL definitions on it (if the icon is blue).
- A router that is stale, and which has no ACL definitions on it (if the icon is gray).
- A switch that has no ACL definitions on it (if the icon is blue).
- A stale switch that has no ACL definitions on it (if the icon is gray).
- A router that is either unreachable, or is not in the database.
- A switch that is either unreachable, or is not in the database.
- An unsupported device.
- An interface to which an ACL has been applied.
- A Line/Router/Route Map to which an ACL has been applied.
- An interface to which an ACL has not been applied.
- A Line/Router/Route Map to which an ACL has not been applied.


- Time-based ACE in:
  - An active state (if the icon is green).
  - A not activated state (if the icon is white).
  - A passive state (if the icon is yellow).
  - An expired state (if the icon is red).
- A PIX object group.
- A PIX device.

Using the Toolbar

This table describes the ACL Manager toolbar icons:

New ACL
    Displays the ACL Editor (see Creating ACLs in Chapter 4). This action
    is equivalent to selecting ACL > New ACL.

Cut
    Deletes the current selection and copies it into the paste buffer (see Editing
    ACLs in Chapter 4). The selection can be one or more ACLs or ACEs. This action
    is equivalent to selecting Edit > Cut.

Copy
    Copies the current selection into the paste buffer (see Editing ACLs in
    Chapter 4). This action is equivalent to selecting Edit > Copy.


Paste
    Pastes the contents of the paste buffer in front of the current selection. If there
    is no current selection, the contents are appended to the end of the contents pane.
    This action is equivalent to selecting Edit > Paste.

Delete
    Deletes the current selection. The selection can be one or more devices,
    ACLs, ACEs, or ACL use statements. This action is equivalent to selecting
    Edit > Delete.

Undo
    Undoes the last edit operation, provided that the undo is possible. Some editing
    operations are irreversible; for example, deleting an ACL use statement. This
    action is equivalent to selecting Edit > Undo.

Up One Level
    Changes the left pane selection context to the next higher level.

Move selected ACE up
    Moves the selected ACEs by shifting them up one position. This action is
    equivalent to selecting Edit > Move ACEs Up.

Move selected ACE down
    Moves the selected ACEs by shifting them down one position. This action is
    equivalent to selecting Edit > Move ACEs Down.

ACL Use Wizard
    Launches the ACL Use Wizard.

ACL Downloader
    Launches the Downloader. This action is equivalent to selecting
    Tools > Downloader.


Job Browser
    Launches the Job Browser. This action is equivalent to selecting
    Tools > Job Browser.

Class Manager
    Launches the Class Manager. This action is equivalent to selecting
    Tools > Class Manager.

Template Manager
    Launches the Template Manager. This action is equivalent to selecting
    Tools > Template Manager.

Properties
    Displays properties of the current selection. The selection can be a
    device, ACL, or interface. ACL properties are actually their uses in the
    device. This action is equivalent to selecting View > Properties.

Print
    Prints the contents of the current selection. The action is equivalent to
    selecting File > Print. This is also available in Class Manager and Template
    Manager.

Using Keyboard Shortcuts

The following keyboard shortcuts are available in ACL Manager.

Keyboard Shortcuts for ACL Manager Window

You can use these shortcuts in the ACL Manager left and right panes.

Key           Action                                                             Context
Up Arrow      Moves up the hierarchy.                                            Left pane
Down Arrow    Moves down the hierarchy.                                          Left pane


Right Arrow   Expands the current selection if it is collapsed; else selects     Left pane
              the first subfolder.
Left Arrow    Collapses the current selection if it is expanded; else selects    Left pane
              the parent folder.
Enter         Expands the current selection if it is collapsed, or collapses     Left pane
              the current selection if it is expanded.
Enter         Displays the ACE Editor dialog box if the current selection is     Right pane
              an ACE; else expands the current selection.
Ctrl+P        Prints the contents of the current selection.                      Both
Ctrl+F        Searches.                                                          Both
Ctrl+H        Replaces.                                                          Both
Ctrl+Z        Undoes changes.                                                    Both
Ctrl+A        Selects all of the permissible items in the right pane.            Both
Ctrl+X        Deletes the current selection and copies it to the Paste buffer    Both
              (see Editing ACLs in Chapter 4). You can select and delete one
              or more ACLs or ACEs.
Ctrl+C        Copies the current selection to the Paste buffer (see Editing      Both
              ACLs in Chapter 4).
Ctrl+V        Pastes the contents of the Paste buffer before the current         Both
              selection. If you have not selected anything in the contents
              pane, the contents are pasted at the end of the list.
Del           Deletes the current selection. You can select and delete one or    Both
              more devices, ACLs, ACEs, or ACL Use statements.
Tab           Switches between the right and left panes.                         Both
Shift+Tab     Switches between the right and left panes.                         Both
Alt+F4        Exits from ACL Manager.                                            Both


Keyboard Shortcuts for ACL Manager Dialog Boxes - Windows

You can use these shortcuts in the ACL Manager dialog boxes, if you are using
Windows:

Key           Action
Tab           Moves forward through options.
Shift+Tab     Moves backward through options.
Escape        Closes the current dialog box without saving the entries.
Ctrl+A        Selects all the text in the current text field.
Ctrl+X        Deletes the current selection and copies it to the system clipboard.
Ctrl+C        Copies the current selection to the system clipboard.
Ctrl+V        Pastes the contents of the system clipboard.
Ctrl+Z        Undoes changes.
Del           Deletes highlighted text.

Keyboard Shortcuts for ACL Manager Dialog Boxes - Solaris

You can use these shortcuts in the ACL Manager dialog boxes if you are using
Solaris.

Key           Action
Tab           Moves forward through options.
Shift+Tab     Moves backward through options.
Escape        Closes the current dialog box without saving the entries.
Shift+Del     Deletes the current selection and copies it to the system clipboard.
Ctrl+Ins      Copies the current selection to the system clipboard.
Shift+Ins     Pastes the contents of the system clipboard.
Ctrl+Z        Undoes changes.
Del           Deletes highlighted text.


Printing
ACL Manager allows you to print an object and its contents. An object can be the
Root folder, or any folder within the Root folder in the ACL Manager Main
Window, a device or an ACL. The Print option is also available in Class Manager
and Template Manager.

Performing a Complete Workflow Cycle


The typical ACL Manager workflow involves this sequence of tasks:

Procedure
Step 1

Starting ACL Manager and adding devices (see Starting ACL Manager).

Step 2

Creating ACLs (see Creating ACLs in Chapter 4) or editing existing ACLs, or


both (see Editing ACLs in Chapter 4).

Step 3

Creating and editing ACEs (see Editing ACEs in Chapter 4).

Step 4

Creating ACL use statements (see Defining ACL Uses in Chapter 12).

Step 5

Viewing and verifying the changes made to the device configuration during
editing (see Verifying Device Configuration Changes), and checking for
Out-of-Band changes (see Managing Out-of-Band Changes to Device
Configuration).

Step 6

Scheduling a download job and downloading the ACL and ACL use modifications
to devices (see Downloading the Changes to the Devices).

Step 7

Verifying that the download was completed successfully (see Verifying That the
Download was Successful).


Verifying Device Configuration Changes


You can view the changes made to ACL entities. You can see new, deleted, and
modified ACLs, ACL Uses, and Time Ranges, using the Diff View.
You can also see the new IOS, Catalyst OS, or PIX OS configuration that
represents the ACLs and ACL Uses for the devices, as well as the IOS, Catalyst
OS, or PIX OS config deltas.
IOS, Catalyst OS, or PIX OS deltas represent the commands that are to be
downloaded to the devices in order to implement the changes to the device
configuration.
To view the changes you have made to ACLs, VACLs, ACL Uses, and Time
Ranges in the device configuration:

Procedure
Step 1

Select Tools > Diff Viewer from the ACL Manager Main Window, to display the
Config Diff View window (see Figure 3-4).
Figure 3-4  Config Diff View Window

Only the entities that have been changed appear in this window.

Step 2

Select the device whose configuration changes you want to examine.


The original and modified configuration of all the changed entities, for the
selected device, appear in the original Config and the Modified Config columns
(see Figure 3-5).
If you want to view the configuration changes for an ACL, VACL, ACL Use or
Time Range, select its folder.
Figure 3-5  Config Diff View Window: Displaying the Diffs

In this example, there are three changes from the original configuration for ACL
100 in device aclm7505-1:

ACE 4 is inserted

ACE 5 is deleted

ACE 11 is deleted


The differences between the original configuration and the modified
configuration are represented as follows:

Change             Representation
Changed lines      Change bar and red text.
Inserted lines     Plus sign and green text.
Deleted lines      Minus sign and blue text.
Unchanged lines    Black text.

If you want to view only those configuration commands that will be downloaded
to the device, click Delta (see Figure 3-6).

Figure 3-6  Configuration File Changes


To return to the Config Diff View, click the OK button.


If you want to print the original and the modified configuration details, click
Print.

To verify the differences in device configuration before downloading the changes
to the device, you can open the Config Diff Viewer from:

The Select Changed Entities Pane of the Job Download Wizard (see
Chapter 15, Selecting the Devices and the Changed Entities to open the
Diff Viewer through the Select Changed Entities Pane).

The Mark Changes for Download dialog box (see Chapter 15, Marking
Changes for Download to open the Diff Viewer through the
Mark Changes for Download dialog box).

When you open the Diff Viewer from these windows, you must first select the
changed entities for which you want to see the configuration differences.
If you do not select the check box for All Entities, or the specific changed entities,
the Config Diff Viewer does not show any Diffs.

Downloading the Changes to the Devices


After making the required changes to ACL Manager entities, and verifying the
changes to be downloaded to the devices, you can schedule a job to download the
IOS, Catalyst OS, or PIX OS commands to the devices.
See Chapter 15, Scheduling and Downloading, for further information.

Verifying That the Download was Successful


After scheduling the download, you can monitor the job status using the Job
Browser. Your job can be in one of these states: Pending, Running, Waiting for
Approval, Rejected, Failed, Pending (Approved), Success, Partial Success,
Cancelled, and Aborted. Use the Job Browser to find out if your job failed.
If the job failed, you can find out why, and resubmit the job. If the job has not yet
started, you can edit the job parameters, and submit the modified job.
See Chapter 15, Scheduling and Downloading, for further information.

Managing Out-of-Band Changes to Device Configuration
ACL Manager detects the Out-of-Band changes that have been made to device
configuration.
Out-of-Band (OOB) changes are the ACL-related changes that have been made to
device configuration outside ACL Manager, directly on the device. ACL Manager
also enables you to accept, reject, or edit these changes.
For more information, see these topics:

Viewing the Out-of-Band Changes Report

Checking for Out-of-Band Changes on Devices

Resolving Out-of-Band Changes

Checking for Out-of-Band Changes on Devices


Using ACL Manager, you can run a check for the Out-of-Band changes made to
device configuration.

Procedure
Step 1

In the ACL Manager Main Window, select the Devices folder.


All the devices in your Devices folder appear in the right pane.

Step 2

Select one or more devices, and right-click.

Step 3

From the pop-up menu that appears, select Check for Out-of-Band Changes.
ACL Manager performs a check for Out-of-Band changes, and displays the
changes, if any, in the Entities Out-of-Sync window (a pop-up window) (see
Figure 3-7).


Figure 3-7  Entities Out-of-Sync Window

Fields in the Entities Out-of-Sync window:

Field             Description
ID                Unique ID of the Out-of-Band change.
Device            Name or IP address of the device on which the Out-of-Band
                  change has been detected.
Change Type       Type of change. Any one of these: Deletion, Modification,
                  or Addition.
Entity Type       Type of the ACL Manager entity: ACL, Time Range, Global
                  Use, Line Use, Object Group, etc.
Entity Name       Name or number of the entity.
Detection Time    Server time at which the Out-of-Band change was detected.
Status            Resolved or unresolved.


Step 4

Click OK to exit the Entities Out-of-Sync window.


When you run a check for Out-of-Band changes using the Check for Out-of-Band
Changes option, ACL Manager also refreshes the Out-of-Band Changes folder in
the ACL Manager Main Window, with the latest Out-of-Band changes that it has
detected on the devices.
The Out-of-Band Changes folder enables you to perform the required operations
to resolve the Out-of-Band changes detected by ACL Manager. To resolve the
Out-of-Band changes, see Resolving Out-of-Band Changes.
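The Diff View notation described under Verifying Device Configuration Changes (a plus sign for inserted lines, a minus sign for deleted lines, and a Delta listing the commands to be downloaded) and the Out-of-Band check described in the procedure above both come down to the same comparison: parse the ACLs out of a baseline configuration and out of the device's current configuration, compare them entity by entity, and record each difference with the fields the Entities Out-of-Sync window shows. The script below is an added example of that comparison written for this guide; it is not ACL Manager's code, file format, or delta algorithm. The two configurations are constructed, the device name is reused from the Diff View example above, and the remove-and-re-add delta strategy is this example's own assumption about classic numbered IOS ACLs.

```python
"""Out-of-band (OOB) ACL change detection and per-ACL config diff.

Stand-alone example illustrating what a Diff View and an Out-of-Band check
compute. Example code, not ACL Manager's; the configurations are constructed.
"""
import difflib
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Matches classic IOS "access-list <name-or-number> <ace>" lines.
ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+(.+?)\s*$")

# Constructed sample: what the management system last downloaded (baseline) ...
BASELINE_CONFIG = """\
hostname aclm7505-1
access-list 100 permit tcp 10.1.0.0 0.0.255.255 any eq 22
access-list 100 permit tcp 10.1.0.0 0.0.255.255 any eq 443
access-list 100 deny ip any any log
access-list 110 permit udp any any eq 53
"""

# ... and what the device reports now, after someone edited it at the CLI.
RUNNING_CONFIG = """\
hostname aclm7505-1
access-list 100 permit tcp 10.1.0.0 0.0.255.255 any eq 22
access-list 100 permit tcp any any eq 23
access-list 100 deny ip any any log
access-list 120 permit ip any any
"""


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Group ACE text by ACL name/number, preserving the order on the device."""
    acls: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    return acls


def _acl_sort_key(name: str):
    # Numbered ACLs sort numerically; named ACLs sort alphabetically after them.
    return (0, int(name), "") if name.isdigit() else (1, 0, name)


def detect_oob_changes(device: str, baseline_cfg: str, running_cfg: str,
                       detection_time: Optional[datetime] = None) -> List[dict]:
    """One record per ACL that differs, shaped like the Entities Out-of-Sync
    fields (ID, Device, Change Type, Entity Type, Entity Name, Detection Time,
    Status)."""
    baseline, running = parse_acls(baseline_cfg), parse_acls(running_cfg)
    when = detection_time or datetime.now(timezone.utc)
    records: List[dict] = []
    for name in sorted(set(baseline) | set(running), key=_acl_sort_key):
        if name not in running:
            change = "Deletion"
        elif name not in baseline:
            change = "Addition"
        elif baseline[name] != running[name]:
            change = "Modification"
        else:
            continue  # in sync, nothing to report
        records.append({
            "id": len(records) + 1,
            "device": device,
            "change_type": change,
            "entity_type": "ACL",
            "entity_name": name,
            "detection_time": when.isoformat(timespec="seconds"),
            "status": "unresolved",
        })
    return records


def diff_ace_lines(old: List[str], new: List[str]) -> List[str]:
    """Line diff in Diff View notation: '- ' deleted, '+ ' inserted, '  ' same."""
    out: List[str] = []
    sm = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            out.extend("  " + ace for ace in old[i1:i2])
        else:  # 'delete', 'insert' or 'replace': show old as -, new as +
            out.extend("- " + ace for ace in old[i1:i2])
            out.extend("+ " + ace for ace in new[j1:j2])
    return out


def restore_baseline_delta(name: str, baseline: Dict[str, List[str]],
                           running: Dict[str, List[str]]) -> List[str]:
    """Commands that put ACL `name` on the device back to its baseline, i.e. the
    delta for rejecting an OOB change. Assumed strategy: remove the list and
    re-add every baseline ACE, as classic numbered IOS ACLs (no per-line
    sequence numbers) are rewritten. An added ACL is simply removed."""
    cmds = [f"no access-list {name}"] if name in running else []
    cmds += [f"access-list {name} {ace}" for ace in baseline.get(name, [])]
    return cmds


if __name__ == "__main__":
    base, run = parse_acls(BASELINE_CONFIG), parse_acls(RUNNING_CONFIG)
    for rec in detect_oob_changes("aclm7505-1", BASELINE_CONFIG, RUNNING_CONFIG):
        print(rec)
        acl = rec["entity_name"]
        print("\n".join(diff_ace_lines(base.get(acl, []), run.get(acl, []))))
        print("delta to restore baseline:", restore_baseline_delta(acl, base, run))
```

Run against the constructed configurations, the report lists ACL 100 as a Modification (the port 443 ACE deleted, a telnet ACE inserted), ACL 110 as a Deletion, and ACL 120 as an Addition; the Diff View-style lines and the restore delta are printed under each record.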

Viewing the Out-of-Band Changes Report


The Out-of-Band changes that ACL Manager detects are displayed as a report in
ACL Manager. (To detect Out-of-Band changes on devices, see Checking for
Out-of-Band Changes on Devices.) To access this report, select
ACL Manager > Out-of-Band Changes from the CiscoWorks desktop.


The Out-of-Band Changes window opens (see Figure 3-8).

Figure 3-8  Out-of-Band Changes Window

This window lists all the Out-of-Band changes that ACL Manager had previously
detected. Fields in the Out-of-Band Changes Window:


Field             Description
ID                Unique ID of the Out-of-Band change.
Device            Name or IP address of the device on which the Out-of-Band
                  change has been detected.
Change Type       Type of change. Any one of these: Deletion, Modification,
                  or Addition.
Entity Type       Type of the ACL Manager entity. This type can be ACL, Time
                  Range, Global Use, Line Use, Object Group, etc.
Entity Name       Name or number of the entity.
Detection Time    Server time at which the Out-of-Band change was detected.
Status            Resolved or unresolved.

For details on resolving Out-of-Band changes, see Resolving Out-of-Band
Changes.

Resolving Out-of-Band Changes


The Out-of-Band Changes folder in the ACL Manager Main Window enables you
to resolve Out-of-Band changes. An out-of-band change can be a modification, an
addition or creation, or a deletion.
To see all the Out-of-Band changes with their details, select the Out-of-Band
Changes folder. The details appear in the right pane of the ACL Manager Main
Window. The details are:

Device name or IP address.

Entity name and type (ACL, ACL Use, Time Range, etc.)

Change type.

Server time at which the Out-of-Band change was detected.

Unique ID of the Out-of-Band change.


To see the details of each Out-of-Band change, select the change and the details
appear in the right pane of the ACL Manager Main Window.
For example, the details are:

For an ACL, the ACEs, and the comments if any.

For an ACL Use, the ACLs, the IOS, Catalyst OS, or PIX OS command, and
the description.

To refresh the Out-of-Band Changes folder with the latest Out-of-Band changes,
see Checking for Out-of-Band Changes on Devices.
You can resolve the Out-of-Band changes that have been detected, by either
accepting or rejecting the changes.

High-level Workflow for Resolving Out-of-Band Changes


To resolve Out-of-Band changes:

Procedure
Step 1

Check for Out-of-Band changes using the procedure in the section Checking for
Out-of-Band Changes on Devices.
The Out-of-Band Changes folder in the ACL Manager Main Window is refreshed.

Step 2

Select the required Out-of-Band change from the folder and right-click.

Step 3

You can select any of these options from the pop-up menu that appears:


Option: Show Out-of-Band Changes

Launches the Diff Viewer, if the Out-of-Band change is a modification. For example,
if the Out-of-Band change is an ACL modification, the Diff Viewer displays the
differences between the ACL on the device, and the Baseline version of ACL Manager.
Displays an appropriate message in the case of addition or deletion:
To Accept this change, delete and download this entity.
To Reject this change, do Get Baseline Version and download it.

Option: Diff/Merge Out-of-Band Change

Displays the Diff/Merge with Out-of-Band Changes dialog box. You can select the
baseline version, the latest version or the version in the view.
If the changed entity is an ACL, and you check out the ACL, the Merge Editor appears.
For example, if the changed entity is an ACL modification, and you check out the
ACL, the Merge Editor is displayed. You can merge the changes and check in the new
version or save it. After checking it in, you should download the ACL using the Job
Download Wizard.
If the changed entity is anything other than an ACL, and you check it out, you see a
message box titled Merge Editor is not Supported for this Entity Type, with this
message:
Please merge the Out-of-band changes manually.
If you click OK, the Diff Viewer appears. You can check the differences between the
Out-of-Band change and the selected version, and make the changes manually, using
ACL Manager. You should then check in the changed version of the entity and
download it to the device.
The Out-of-Band change disappears from the Out-of-Band Changes folder after a
successful download.

Option: Reject Out-of-Band Change

Launches the Job Download Wizard, to enable you to download the required version
of a changed entity to the device.

Option: Explore

Takes you to the device context of the Out-of-Band change, or associates the
Out-of-Band change with the correct device. ACL Manager highlights the
Out-of-Band change on the appropriate device in your Devices folder.


Resolving Out-of-Band Changes Based on Their Type

To resolve Out-of-Band changes of a specific type (addition, modification or
deletion) see Table 3-6. This table has references to the Tools such as the Merge
Editor, Diff/Merge with Out-of-Band Changes dialog box, and Job Download
Wizard. For more information on using them see the topics:

Using the Diff/Merge with Out-of-Band Changes Dialog Box and Merge
Editor.

Scheduling Downloads.

Table 3-6  Resolving Out-of-Band Changes of ACLs

OOB Change Type: Modification (ACL is modified on the device)

Accepting the OOB Change:

1. Select the modified entity from the Out-of-Band Changes folder in the ACL
   Manager Main Window.
2. Right-click and select Diff/Merge Out-of-Band Change.
   The Diff/Merge with Out-of-Band Changes dialog box appears.
3. Select either the baseline version (last successfully downloaded version),
   the latest version, or the version in the view (device view).
4. Select CheckOut entity and click OK. (If you do not check out the entity,
   then the Merge Editor appears with the Checkin button disabled.)
   The Merge Editor appears. You can merge the out-of-band modifications and
   click Checkin. The new version is checked in.
5. Download the modified ACL using the Job Download Wizard.
   The Out-of-Band change disappears from the Out-of-Band Changes folder after
   a successful download.

Rejecting the OOB Change:

To reject the modification, revert the entity back to its earlier version as
required, and check it in. After this, download it to the device.
1. Select the changed entity from the Out-of-Band Changes folder in the ACL
   Manager Main Window.
2. Right-click and select Reject Out-of-Band Change.
   The Job Download Wizard appears.
3. Select the entity from the Select Changed Entities pane and follow the steps
   in the wizard to download the entity.
   The Out-of-Band change disappears from the Out-of-Band Changes folder after
   a successful download.

OOB Change Type: Addition (ACL is added or created on the device)

Accepting the OOB Change:

1. Select the modified entity from the Out-of-Band Changes folder in the ACL
   Manager Main Window.
2. Right-click and select Diff/Merge Out-of-Band Change.
   The Merge Editor appears. You can merge the Out-of-Band addition and click
   Checkin. The new version is checked in.
3. Download the new version of the ACL, containing the Out-of-Band addition,
   using the Job Download Wizard.
   The Out-of-Band change disappears from the Out-of-Band Changes folder after
   a successful download.

Rejecting the OOB Change:

1. Select the added entity from the Out-of-Band Changes folder in the ACL
   Manager Main Window.
2. Right-click and select Reject Out-of-Band Change.
   A message box titled Entity has been created out-of-band on the device,
   appears with this message:
   To Reject this change, an empty entity will be created, deleted and
   downloaded.
3. Click OK.
   The Job Download Wizard appears.
4. Select the dummy entity from the Select Changed Entities pane and follow the
   steps in the wizard to download the entity.
   The Out-of-Band change disappears from the Out-of-Band Changes folder after
   a successful download.

OOB Change Type: Deletion (ACL is deleted on the device)

Accepting the OOB Change:

1. Select the deleted entity from the Out-of-Band Changes folder in the ACL
   Manager Main Window.
2. Right-click and select Diff/Merge Out-of-Band Change.
3. A message box titled Entity has been deleted Out-of-Band from the device,
   appears with this message:
   To Accept this change, delete and download this entity.
   To Reject this change, do Get Baseline Version and download it.
4. Delete the entity using the ACL Manager Main Window.
5. Download to the device.
   The Out-of-Band change disappears from the Out-of-Band Changes folder after
   a successful download.

Rejecting the OOB Change:

1. Select the changed entity from the Out-of-Band Changes folder in the ACL
   Manager Main Window.
2. Right-click and select Reject Out-of-Band Change.
   The Job Download Wizard appears.
3. Select the entity from the Select Changed Entities pane and follow the steps
   in the wizard to download the entity.
   The Out-of-Band change disappears from the Out-of-Band Changes folder after
   a successful download.


For resolving OOB Changes of entities other than ACLs see Table 3-7.

Table 3-7  Resolving Out-of-Band Changes of Entities Other Than ACLs

OOB Change Type: Modification (Entity is modified on the device)

Accepting the OOB Change:

1. Select the changed entity from the Out-of-Band Changes folder in the ACL
   Manager Main Window.
2. Right-click and select Diff/Merge Out-of-Band Change.
   The Diff/Merge with Out-of-Band Changes dialog box appears.
3. Select either the baseline version (last successfully downloaded version),
   the latest version, or the version in the view (device view).
4. Select CheckOut entity.
   The Merge Editor is not Supported for this Entity Type message box appears
   with the message:
   Please merge the Out-of-band changes manually.
5. Click OK.
   The Diff Viewer appears. You can check the diffs between the Out-of-Band
   change and the selected version, and then make the changes manually, using
   ACL Manager.
6. Check in the changed version of the entity.
7. Download the changed version of the entity to the device.
   The Out-of-Band change disappears from the Out-of-Band Changes folder after
   a successful download.

Rejecting the OOB Change:

To reject the modification, revert the entity back to its earlier version as
required, and check it in. After this, download it to the device.
1. Select the changed entity from the Out-of-Band Changes folder in the ACL
   Manager Main Window.
2. Right-click and select Reject Out-of-Band Change.
   The Job Download Wizard appears.
3. Select the entity from the Select Changed Entities pane and follow the steps
   in the wizard to download the entity.
   The Out-of-Band change disappears from the Out-of-Band Changes folder after
   a successful download.

OOB Change Type: Addition (Entity is added or created on the device)

Accepting the OOB Change:

1. Select the added entity from the Out-of-Band Changes folder in the ACL
   Manager Main Window.
2. Right-click and select Diff/Merge Out-of-Band Change.
   A message box titled Merge Editor is not Supported for this Entity Type,
   appears with this message:
   Please merge the Out-of-band changes manually.
3. Click OK.
   The Diff Viewer appears. You can check the diffs between the Out-of-Band
   change and the selected version, and then add the entity manually, using
   ACL Manager.
4. Check in the newly added entity.
5. Download the newly added entity to the device.
   The Out-of-Band change disappears from the Out-of-Band Changes folder after
   a successful download.

Rejecting the OOB Change:

1. Select the added entity from the Out-of-Band Changes folder in the ACL
   Manager Main Window.
2. Right-click and select Reject Out-of-Band Change.
   A message box titled Entity has been created out-of-band on the device,
   appears with this message:
   To Reject this change, an empty entity will be created, deleted and
   downloaded.
3. Click OK.
   The Job Download Wizard appears.
4. Select the dummy entity from the Select Changed Entities pane and follow the
   steps in the wizard to download the entity.
   The Out-of-Band change disappears from the Out-of-Band Changes folder after
   a successful download.

OOB Change Type: Deletion (Entity is deleted on the device)

Accepting the OOB Change:

1. Select the deleted entity from the Out-of-Band Changes folder in the ACL
   Manager Main Window.
2. Right-click and select Diff/Merge Out-of-Band Change.
3. A message box titled Entity has been deleted Out-of-Band from the device,
   appears with this message:
   To Accept this change, delete and download this entity.
   To Reject this change, do Get Baseline Version and download it.
4. Delete the entity using the ACL Manager Main Window.
5. Download to the device.
   The Out-of-Band change disappears from the Out-of-Band Changes folder after
   a successful download.

Rejecting the OOB Change:

1. Select the changed entity from the Out-of-Band Changes folder in the ACL
   Manager Main Window.
2. Right-click and select Reject Out-of-Band Change.
   The Job Download Wizard appears.
3. Select the entity from the Select Changed Entities pane and follow the steps
   in the wizard to download the entity.
4. The Out-of-Band change disappears from the Out-of-Band Changes folder after
   a successful download.

Using the Diff/Merge with Out-of-Band Changes Dialog Box and Merge Editor
For ACLs, if there are any Out-of-Band changes, you can accept them using the
Merge Editor. You can compare the configuration differences in the ACLs in your
Devices folder and those on the device using the Merge Editor, and merge them.

Note

The Merge Editor is available only for ACLs. For other ACL Manager entities you
will need to do a manual merge after viewing the configuration diffs (differences
between versions).


To do a merge:

Procedure
Step 1

Select the entity that has undergone an Out-of-Band change, from the
Out-of-Band Changes folder in the ACL Manager Main Window.

Step 2

Right-click and select Diff/Merge Out-of-Band Change.

Step 3

The Diff/Merge with Out-of-Band Changes dialog box appears (see Figure 3-9).

Step 4

Select any one of these options:

Baseline version (last successfully downloaded version).

Latest version (latest version of an ACL Manager entity).

Version in the view (version currently in the Devices folder, with your
modifications).

Step 5

Select CheckOut entity (see Figure 3-9) and click OK.

Figure 3-9  Diff/Merge with Out-of-Band Changes Dialog Box

(If you do not select CheckOut entity and click OK, the Merge Editor appears;
however, you cannot handle the OOB changes using the Merge Editor, as you have
not checked out the entity.)
The Check Out dialog box appears (see Chapter 10 Figure 10-1).


Step 6

Enter your check out comments if required in the Check Out dialog box and click
OK.
The ACL is checked out, and the Merge Editor appears (see Figure 3-10). You can
handle the OOB changes using the Merge Editor.
Figure 3-10 Merge Editor for OOB Changes

Note

If you only want to view and compare the OOB changes, in Step 5, do not
select the CheckOut ACL option. When you click the OK button, the
Merge Editor appears, with the Checkin button disabled.


The panes in the Merge Editor for OOB changes are:

OOB Changes ACL Pane (lower right pane): Contains the ACEs in the ACL
that has undergone the OOB changes.

Merged Logical View of ACL (top pane): Represents the ACEs in the logical
view of the ACL selected for comparison with the ACL that has OOB
changes. You can edit the information in this pane. You can add the ACEs
from the OOB Changes ACL pane, to this pane.

Merged Physical View of ACL Pane (lower left pane): Represents the
physical view of the ACEs. The information in this pane changes in response
to changes in the logical view.

The differences between the versions of the ACL are represented as follows:

Change             Representation
Changed lines      Change bar and red text.
Inserted lines     Plus sign and green text.
Deleted lines      Minus sign and blue text.
Unchanged lines    Black text.

Step 7

Select the ACEs from the lower right pane or the left pane, as required.

Step 8

Click the Move ACE Up icon to move the selected ACEs up to the
ACL Merged Logical View of ACL pane.
In the ACL Merge Version top pane, you can use:

The Move ACE Up, Move ACE Down arrow icons, to reorder the ACEs.

The Cut, Copy, Paste, and Undo icons to edit the ACEs.

The Delete icon, to delete ACEs, if required.


Step 9

Click CheckIn to check in the merged version.


You can use:

The Save button, to save your changes, and check in the version later.

The Cancel button, to cancel your changes.

The History button, to view the history of the ACL. This allows you to view
the changes that have happened to the ACL before the OOB change.

After the merge procedure is complete, download to the device after selecting the
Override OOB changes option in the Job Download Wizard.

Backing Up and Restoring ACL Manager Data


You can back up and restore ACL Manager data on Solaris, and Windows 2000
server.
See the procedure for backing up and restoring data in the User Guide for
CiscoWorks Common Services 2.2 at this URL:
http://www.cisco.com/en/US/products/sw/cscowork/ps3996/products_user_guide_chapter09186a008017b745.html

Note

ACL Manager data comprising ACLs, templates, services, service classes,
networks, and network classes are backed up. Jobs will not be backed up.

Device Support in ACL Manager


Whenever ACL Manager encounters a new device, ACL Manager tries to discover
the device, and maps it to the device family, if available in its database. This will
enable you to do the basic management of ACL Manager entities on the device.
If ACL Manager cannot map the newly added device to the nearest device family,
then it displays the device as Device Newly Discovered. You should ensure that
you do not use those features that are not supported on the newly added device.


Chapter 4

Viewing and Editing ACLs


ACL Manager enables you to manage the following:

ACLs on Cisco routers running IOS.

VACLs on Catalyst switches running Catalyst OS.

PIX ACLs on PIX devices running PIX OS.

These topics describe how to view and edit ACLs and ACEs:

Creating ACLs

Versioning ACLs

Defining ACL Uses

Viewing Existing ACLs

Editing ACLs

Deleting ACLs

Manipulating ACEs

Editing ACEs

Saving ACEs as a Template

Viewing the Configuration Changes

Using Time Range Definitions

Marking ACLs for Download

Printing the ACL/ACE


Managing VLAN Access Control Lists (VACLS)

Creating Object Groups for PIX ACLs

For information on VACLs see:

Managing VLAN Access Control Lists (VACLS)

Editing VACEs

For information on object groups to be used in ACL statements on PIX devices,
see Creating Object Groups for PIX ACLs.

Creating ACLs
ACLs are created under the ACL Definition folder for a particular device. After
you create an ACL, you can add ACEs to it.
You can also copy and paste an existing ACL, to create a new ACL (see Creating
a New ACL by Copying and Pasting an Existing ACL).
To be able to use an ACL that you have created, you should first check it in (see
Chapter 10, Checking In Entities).
To create an ACL:

Procedure
Step 1

Start ACL Manager by selecting ACL Manager > Edit ACLs (see Chapter 3,
Starting ACL Manager).

Step 2

Add devices (see Chapter 3, Populating the Devices Folder.)

Step 3

Expand the Devices folder in the ACL Manager Main Window, and select the
required device.

Step 4

Select ACL Definitions.


The ACLs for the device appear in the right pane (see Figure 4-3).


Step 5

Select ACL Definitions, then select New ACL from the ACL Definitions popup
menu.
The ACL Editor dialog box appears (see Figure 4-1).

Figure 4-1  ACL Editor Dialog Box

Step 6

Enter the following information:

Field             Description
Type              Specifies the type of ACL that you can create on the
                  selected router, for example: IP, IP_EXTENDED,
                  RATE_LIMIT_MAC, RATE_LIMIT_PRECEDENCE.
                  Select a type from the drop-down list box.
                  Only those types supported for the device IOS version and
                  feature-set are available from the drop-down list.
                  In the case of VACLs, specifies the type of VACL that you
                  can create on the device, for example, VACL_IP,
                  VACL_MAC.
                  After the ACL is created, you cannot change the type.
Autonumber        Select Autonumber if you want the ACL Manager to select
                  the first available number for you.


Field             Description
Name or Number    Name: If the IOS version of the selected device does not
                  support named ACLs, ACL Manager generates a unique
                  number, and associates the ACL name with this number as
                  an alias.
                  If you specify a name that already exists, you will see a
                  message indicating this. Change the name of the ACL
                  appropriately.
                  Number: If Autonumber is not checked, enter a unique
                  number that identifies the ACL.
Comment           Enter comments to be associated with this ACL.

Step 7

Click OK.
The ACL is created.

Note

You can select ACL > New ACE from the ACL Manager Main Window to insert
ACE entries into the new ACL.

Tip

You can also start the ACL Editor dialog box by clicking the New ACL toolbar
icon or by selecting ACL > New ACL from the ACL Manager Main Window.

Creating a New ACL by Copying and Pasting an Existing ACL


You can create a new ACL by copying an existing ACL, and pasting it on to a
device in your Devices folder. Use the ACL Manager Main Window to copy an
ACL.
You can also create a fresh ACL and add ACEs to it, without copying and pasting
an existing ACL (see Creating ACLs).


To create an ACL by copying and pasting an existing ACL:

Procedure
Step 1

Start ACL Manager by selecting ACL Manager > Edit ACLs (see Chapter 3,
Starting ACL Manager).

Step 2

Add devices (see Chapter 3, Populating the Devices Folder.)

Step 3

Expand the Devices folder in the ACL Manager Main Window, and select the
required device.

Step 4

Select ACL Definitions.


The ACLs for the device appear in the right pane.

Step 5

Right-click on the required ACL and select Copy.


The ACL is copied to the clipboard.

Step 6

Select the device into which you wish to paste the copied ACL, and expand its
ACL Definitions folder.

Step 7

Right-click and select Paste from the menu.


The ACL appears within the ACL Definitions folder of the selected device.
The ACL that you have created by copying and pasting is writable and is in a checked-out state. Check it in after you make any changes (see Chapter 10, Checking In Entities). The ACL does not inherit the versioning history of the source ACL.

Versioning ACLs
ACLs are versioned in ACL Manager. After you create an ACL, you must check it in before you can use it, and you must check out an ACL before you can modify it. You can also view the Versioning History of ACLs. For details on versioning, see Chapter 10, Versioning ACL Manager Entities.


Defining ACL Uses


Use one of the ACL Use wizards to create an ACL Use (see Chapter 12, ACL
Manager Use Wizard).

Viewing Existing ACLs


You can display all ACLs on a particular device in the ACL Manager Main
Window contents pane.
If you have not yet started ACL Manager, to open the ACL Manager Main Window, see these topics in Chapter 3:

Starting ACL Manager

Populating the Devices Folder

To view ACLs:

Procedure
Step 1

Expand the Devices folder in the ACL Manager Main Window.

Step 2

Select ACL Definitions.


The ACLs for the device appear in the right pane (see Figure 4-2).


Figure 4-2 Viewing ACLs

The ACL versions appear in square brackets beside the ACL name or number.

Editing ACLs
You can use the ACL editor to change the ACL name or comments about the ACL.
Check out the ACL to be able to make these changes (see Chapter 10, Checking
Out Entities.)
If you have not yet started ACL Manager, to open the ACL Manager Main
Window, see these topics in Chapter 3:

Starting ACL Manager

Populating the Devices Folder


To edit ACLs:

Procedure
Step 1

Expand the Devices folder in the ACL Manager Main Window.


The folders, ACL Definitions, ACL Uses and Time Range Definitions appear for
the selected device.

Step 2

Select ACL Definitions.


The ACLs appear in the right pane of the ACL Manager Main Window.

Step 3

Right-click on the required ACL, then select Edit.


The ACL Editor dialog box appears (see Figure 4-1).

Step 4

Enter your values in the fields (see Creating ACLs for field descriptions), and click OK.

Tip

You can insert a comment into an ACL using ACL > New Comment.

You can use the ACL Manager Main Window in this editable mode to:

Get the latest version of an ACL on to a device in your Devices folder and view the ACEs within the ACL (see Chapter 10, Getting the Latest Version of an Entity.)

Check out an ACL (see Chapter 10, Checking Out Entities.)

Cancel a check out (see Chapter 10, Undoing the Check Out of an Entity.)

Check in an ACL (see Chapter 10, Checking In Entities.)

Compare the existing version of the ACL on a device in your Devices folder with its latest version in the versioning repository (see Chapter 10, Comparing an Entity with its Latest Version.)

View the details of an ACL version currently on a device in your Devices folder, or in the versioning repository (see Chapter 10, Viewing Version Details of an Entity and Viewing Details of a Specific Version of an Entity.)


View the versioning history of an ACL (see Chapter 10, Viewing the Version Graph of an Entity.) From within the Version History window, you can:

Get a specified ACL version onto a device in your Devices folder (see Chapter 10, Getting a Specific Version of an Entity.)

Check out a specific version of an ACL (see Chapter 10, Checking Out Entities.)

View the differences between any two ACL versions (see Chapter 10, Comparing Any Two Versions of an Entity.)

Delete an ACL (see Deleting ACLs.)

Deleting ACLs
You can delete ACLs as part of your administrative functions.
Use the ACL Manager Main Window to delete an ACL.

Procedure
Step 1

Expand the Devices folder in the ACL Manager Main Window.

Step 2

Select ACL Definitions.


The ACLs for the device appear in the right pane.

Step 3

Select the required ACL.

Step 4

Right-click and select Delete.


The ACL is deleted.
If another user has checked out the ACL that you are trying to delete, you will see
a message that the ACL cannot be deleted.


Manipulating ACEs
The ACL Manager provides many features for manipulating ACE entries for a
particular ACL definition that has been checked out (see Chapter 10, Checking
Out Entities). You can:

Insert a new ACE (see Inserting a New ACE)

Append a new ACE (see Appending a New ACE)

Insert a template include ACE (see Inserting a Template)

Append a comment (see Appending a Comment)

Insert a comment (see Inserting a Comment)

Reorder ACEs (see Reordering ACEs)

Inserting a New ACE


You can insert a new ACE above the selected ACE.

Procedure
Step 1

Expand the Devices folder in the ACL Manager Main Window.

Step 2

Select ACL Definitions.


The ACLs for the device appear in the right pane.


Step 3

Select the required ACL definition and check it out.


The ACEs appear in the right pane (see Figure 4-3).

Figure 4-3 Viewing ACEs

Step 4

Right-click on the ACE above which the new ACE is to be inserted, then select Insert ACE.
The ACE Editor dialog box appears.

Step 5

Enter the parameters for the new ACE (see Editing ACEs).

Step 6

Click OK.

Step 7

Check in the ACL after your changes are complete.


Appending a New ACE


You can append a new ACE to the end of the current list.
To append a new ACE:

Procedure
Step 1

Expand the Devices folder in the ACL Manager Main Window.

Step 2

Select ACL Definitions.


The ACLs for the device appear in the right pane.

Step 3

Right-click on the required ACL definition, then select New ACE.


The ACE Editor dialog box appears.

Step 4

Enter the parameters for the new ACE (see Editing ACEs).

Step 5

Click OK.
For information on editing ACE attributes, see Editing ACEs.

Inserting a Template
You can insert a template into an ACL by creating a template include ACE that
references the template.
To insert a template:

Procedure
Step 1

Expand the Devices folder in the ACL Manager Main Window.

Step 2

Select ACL Definitions.


The ACLs for the device appear in the right pane of the ACL Manager Main
Window.

Step 3

Right-click on the required ACL, then select New Include Template.


The Template Selection dialog box appears (see Figure 4-4).


Figure 4-4 Template Selection

This dialog box displays only the templates appropriate to the ACL.
Step 4

Select the template to include.

Step 5

Click Expand to open a window showing the template details (see Figure 4-5).

Figure 4-5 Expanded Template


Step 6

Click OK.
The include template ACE is inserted, or is appended to the end of the ACL if you made no selection (see Figure 4-6).

Figure 4-6 Inserted Template

Appending a Comment
Use the Comment Editor to append a comment to the end of an ACL or ACL
template.
You can use the Comment Editor to insert a comment after an ACE (see Inserting
a Comment), or download the comment (see Downloading Comments).
To append a comment:

Procedure
Step 1

Expand the Devices folder in the ACL Manager Main Window.

Step 2

Select ACL Definitions.


The ACLs for the device appear in the right pane.


Step 3

Right-click on the required ACL, then select New Comment.


The Comment Editor dialog box appears (see Figure 4-7).

Figure 4-7 Insert Comment Dialog Box

Step 4

Enter a one-line comment.


To make the comment downloadable to a device, check Download this comment
(see Downloading Comments for details.)

Step 5

Click OK.
The comment is appended with the prefix !.
Figure 4-8 shows a comment inserted at the end of an ACL.

Note

On devices supporting Remark ACEs, Comment ACEs are converted into Remark ACEs in the physical view. Otherwise, they are ignored.

Inserting a Comment
Use the Comment Editor to insert a comment after an ACE.
You can also use the Comment Editor to append a comment at the end of an ACL
or ACL template (see Appending a Comment), or download the comment (see
Downloading Comments).


To insert a comment after an ACE:

Procedure
Step 1

Expand the Devices folder in the ACL Manager Main Window.

Step 2

Select ACL Definitions.


The ACLs for the device appear in the right pane.

Step 3

Select the ACL.


The ACEs appear in the right pane.

Step 4

Right-click on the required ACE, then select Insert Comment.


The Comment Editor dialog box appears (Figure 4-7).

Step 5

Enter a one-line comment.


To make the comment downloadable to a device, check Download this comment
(see Downloading Comments for details.)

Step 6

Click OK.
See Figure 4-8 for the inserted comment.

Figure 4-8 Inserted Comment


Downloading Comments
ACL Manager supports two types of comments:

Line comments: Comments that are like ACE statements, except that they specify a remark. Therefore, they are called Remark ACEs. You can download Remark ACEs to a device (see Appending a Comment).

In-line comments: Comments associated with a particular ACE. This information is specific to ACL Manager, and you cannot download in-line comments to a device.

Remark ACEs are preceded by a ! (bang) in the IOS format. They are:

Supported by IOS only in IP and IP Extended types of ACLs.

Not supported by devices running IOS versions prior to 12.0(T).

Making Remark ACEs Downloadable


To make a Remark ACE (or multiple Remark ACEs) downloadable:

Procedure
Step 1

Invoke the Comment Editor by right-clicking the ACE or ACL.

Step 2

Select Download this comment in the Comment Editor.

Step 3

Click OK.

The selected comment becomes downloadable.
For details see the procedure in Appending a Comment.
To make all the Remark ACEs in an ACL downloadable, select the ACL on the
device in your Devices folder, and then select ACL > Mark All Comments from
the ACL Manager Main Menu.
If you want to make all the Remark ACEs in an ACL non-downloadable, select
the ACL on the device in your Devices folder, and then select ACL > Unmark All
Comments from the ACL Manager Main Menu.


To be able to use the options, Mark All Comments and Unmark All Comments,
you should first check out the ACL.

The Physical View (select an ACL, then from the ACL Manager Main Menu,
select ACL > Physical View) displays the Remark ACEs, as perceived by the
device.
When you import a configuration from an external source (see Chapter 13, Importing Configuration), a comment that is preceded by a ! (bang) in the IOS format is also imported.
However, the comments are not downloadable by default. If you want to download the imported comments or Remark ACEs:

Procedure
Step 1

Check out the ACL.

Step 2

Invoke the Comment Editor.

Step 3

Select the Download this Comment option.

If you have created Remark ACEs (comments) for an ACL in a template, these
will not be downloaded by default. However, when you are including the ACL in
a template, you can add the comments before or after the template ACE, in the
ACL.
If you:

1. Include a downloadable comment within a template, and

2. Download the template to a device that does not support downloadable comments,

then ACL Manager treats the comment as a non-downloadable comment. That is, the job may be displayed as a success in the Job Browser, but the comment is not downloaded to the device.


These are the icons associated with downloadable and non-downloadable comments:

Icon  Description
[icon]  Downloadable comment.
[icon]  Non-downloadable comment.

Reordering ACEs
Use the Move ACE Up and Move ACE Down toolbar buttons to move selected
ACEs up or down.

Procedure
Step 1

Expand the Devices folder in the ACL Manager Main Window.

Step 2

Select ACL Definitions.


The ACLs for the device appear in the right pane.

Step 3

Select the required ACL definition and check it out.


The ACEs appear in the right pane (see Figure 4-3).

Step 4

Select the ACE you want to move.

To move the ACEs up one position, click the Move ACE Up icon.


To move the ACEs down one position, click the Move ACE Down icon.

Alternatively, you can select multiple ACEs to be moved, right-click on them, and select Cut from the pop-up menu. You can then paste them in the required order within the ACL using the Paste option from the pop-up menu.

Step 5

Check in the ACL after your changes are complete.

Note

If you try to reorder ACEs while in physical mode, a warning message appears if the reorder changes the ACL semantics.
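The semantics check behind that warning can be illustrated for standard IP ACEs: because the first matching entry wins, swapping two adjacent ACEs only changes what the ACL permits when they take different actions on some address both of them match. The following is an added example written for this guide, not ACL Manager's own code; the StdAce type and the sample ACL are constructed, and real ACL Manager may check more than source-address overlap.

```python
import ipaddress
from dataclasses import dataclass


# Constructed model (hypothetical, not ACL Manager's own type) of a standard IP
# ACE as listed in the ACL Manager Main Window: action, source, IOS wildcard.
@dataclass(frozen=True)
class StdAce:
    action: str                 # "permit" or "deny"
    source: str                 # dotted-quad source address, or "any"
    wildcard: str = "0.0.0.0"   # IOS inverted mask: a 0 bit must match exactly

    def _pair(self):
        """(address, wildcard) as integers; "any" is 0.0.0.0 255.255.255.255."""
        if self.source == "any":
            return 0, 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(self.source)),
                int(ipaddress.IPv4Address(self.wildcard)))


def aces_overlap(a: StdAce, b: StdAce) -> bool:
    """True if at least one source address matches both ACEs.

    A wildcard bit of 0 is a "care" bit. The two entries share an address
    exactly when they agree on every bit that both of them care about.
    """
    addr_a, wc_a = a._pair()
    addr_b, wc_b = b._pair()
    care = ~(wc_a | wc_b) & 0xFFFFFFFF
    return (addr_a & care) == (addr_b & care)


def swap_changes_semantics(a: StdAce, b: StdAce) -> bool:
    """Does swapping two adjacent ACEs change which packets the ACL permits?

    Same action, or disjoint match sets: the order is irrelevant. Different
    actions on an overlapping address: the first entry now wins for it.
    """
    return a.action != b.action and aces_overlap(a, b)


def move_ace_up(acl: list, index: int) -> tuple:
    """Move acl[index] one position up, as the Move ACE Up button does, and
    report whether the reorder changed the ACL's semantics.

    Returns (new_acl, warning); the input list is left untouched.
    """
    if index <= 0 or index >= len(acl):
        raise IndexError("nothing to move")
    above, moving = acl[index - 1], acl[index]
    warning = swap_changes_semantics(above, moving)
    new_acl = acl[:index - 1] + [moving, above] + acl[index + 1:]
    return new_acl, warning


# Constructed sample ACL: a /24 permit sits below a /16 deny that shadows it.
SAMPLE_ACL = [
    StdAce("permit", "192.168.1.1"),               # host entry, unrelated network
    StdAce("deny",   "10.1.0.0", "0.0.255.255"),   # deny 10.1.0.0/16
    StdAce("permit", "10.1.1.0", "0.0.0.255"),     # permit 10.1.1.0/24 (shadowed)
]

if __name__ == "__main__":
    # Moving the /24 permit above the /16 deny un-shadows it: semantics change.
    acl, warn = move_ace_up(SAMPLE_ACL, 2)
    print("warning:", warn)          # True
    for ace in acl:
        print(ace.action, ace.source, ace.wildcard)
    # Moving the deny above the unrelated host permit is harmless.
    _, warn = move_ace_up(SAMPLE_ACL, 1)
    print("warning:", warn)          # False
```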

Editing ACEs
Use the ACE Editor to edit an ACE. ACEs are contained within ACLs. To edit an
ACE, you should first check out the ACL to which it belongs. See Chapter 10,
Checking Out Entities.
The ACE Editor performs a check for the validity of DNS hostnames that you
enter and displays an error message if the syntax is incorrect.

Procedure
Step 1

Expand the Devices folder in the ACL Manager Main Window.

Step 2

Select ACL Definitions.


The ACLs for the device appear in the right pane.

Step 3

Select the required ACL definition and check it out.


The ACEs appear in the right pane (see Figure 4-3).


Step 4

Right-click on the ACE to be edited, then select Edit.


The ACE Editor dialog box appears. You can edit the ACE.
You can invoke an ACE Editor from:

The ACL Manager Main Window, to add or edit an ACE in an ACL.

or

The Template Manager, to:
  Add or edit an ACE in a template
  Specify variables in a variable template
  Specify values for the variables in a variable template instance.

Therefore, an ACE is color-coded. The ACE color codes and their meanings are explained in this table:

Color   Meaning
Green   Permit action of the ACE
Red     Deny action of the ACE
Grey    Variable name
Blue    Variable value and ACE comment

Step 5

Check in the ACL after your changes are complete.

Tip

You can start the ACE Editor dialog box from the Edit menu by selecting Edit > Edit.
The format of the ACE editor dialog box and attributes that can be edited depend
on the IOS ACL protocol type, as described in these sections:

Editing IP ACE Attributes

Editing IP Extended ACE Attributes


Editing RATE LIMIT MAC ACE Attributes

Editing RATE LIMIT PRECEDENCE ACE Attributes

Specifying Source and Destination Addresses


Most ACE types require you to specify either the Source address, or the Destination address, or both.
You can use any of these as the source or destination address:

IP address

Hostname

Network

Network Class

Network Object Group (for PIX devices only)

Note

While specifying wildcard masks for PIX, use the IOS inverted mask notation. ACL Manager automatically converts it into the PIX notation prior to download.
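The conversion the note describes is a bitwise complement: in the IOS wildcard a 0 bit means "must match", in the PIX subnet mask a 1 bit does. The following is an added example, not ACL Manager's code; it also rejects non-contiguous wildcards, which have no subnet-mask equivalent, and clears host bits in the network address (the guide does not say how ACL Manager itself handles either case).

```python
import ipaddress


def is_contiguous_wildcard(wildcard: str) -> bool:
    """A wildcard a PIX subnet mask can express is a run of 0 bits followed by a
    run of 1 bits, i.e. an integer of the form 2**k - 1, so w & (w + 1) == 0."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0


def wildcard_to_pix_mask(wildcard: str) -> str:
    """Convert an IOS inverted (wildcard) mask to PIX subnet-mask notation.

    The PIX mask is the bitwise complement of the wildcard. Non-contiguous
    wildcards (for example 0.255.0.255) are rejected: this example's choice.
    """
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"wildcard {wildcard} is not contiguous; no PIX equivalent")
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(~w & 0xFFFFFFFF))


def address_to_pix(address: str, wildcard: str = "0.0.0.0") -> str:
    """Render an ACE address field in the form a PIX OS statement expects.

    "any" stays "any"; a single host becomes "host A.B.C.D"; a network becomes
    "A.B.C.D M.M.M.M". Host bits that fall under the wildcard are cleared so the
    network address is canonical (again a choice made by this example).
    """
    if address == "any":
        return "any"
    if wildcard == "0.0.0.0":
        return f"host {address}"
    mask = wildcard_to_pix_mask(wildcard)
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    return f"{net.network_address} {mask}"


# Constructed samples: wildcard as entered in ACL Manager (IOS notation) and
# the PIX mask it should be downloaded as.
SAMPLES = {
    "0.0.0.255": "255.255.255.0",
    "0.0.0.0": "255.255.255.255",
    "255.255.255.255": "0.0.0.0",
    "0.0.31.255": "255.255.224.0",
}

if __name__ == "__main__":
    for wc, expected in SAMPLES.items():
        assert wildcard_to_pix_mask(wc) == expected
    print(address_to_pix("10.1.1.7", "0.0.0.255"))   # 10.1.1.0 255.255.255.0
    print(address_to_pix("172.16.5.9"))              # host 172.16.5.9
    print(is_contiguous_wildcard("0.255.0.255"))     # False: cannot be downloaded to a PIX
```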
To specify an IP address or hostname or network as the source or destination
address, enter it directly into the appropriate ACE editor field.
To specify a network class or a network object group as the source or destination
address:

Procedure
Step 1

In the ACE Editor, click Source Address or Destination Address to open the
Browser dialog box.

Step 2

Select the required network class or network object group from the Class Root or
from one of the folders.


Step 3

Click OK.

If you have invoked this dialog box from an ACE Editor, the selected network
class or object group appears in the ACE Editor.

If you have invoked this dialog box from the Network Class Editor, the
selected network class or object group appears in the Network Classes field
of the Network Class Editor.

Specifying Source and Destination Ports


Most ACE types require you to specify either the Source port, or the Destination
port, or both.
You can use any of these as the source or destination port:

Port Number

Service Name

Service Class

Service Object Group (for PIX devices only)

To specify a port number or service name as the source or destination port, enter
it directly into the appropriate ACE editor field.
To specify a service class or a service object group as the source or destination
port:

Procedure
Step 1

In the ACE Editor, click Source Port or Destination Port to open the Browser
dialog box.

Step 2

Select the required service class or service object group from the Class Root or
from one of the folders.

Step 3

Click OK.
The service class or object group appears in the ACE Editor.


Specifying Protocol
You can specify protocol object groups only for PIX devices.
To specify a protocol object group:

Procedure
Step 1

In the ACE Editor, click Protocol to open the Browser dialog box.

Step 2

Select the required protocol object group.

Step 3

Click OK when you have finished.

Specifying ICMP-Type
You can specify one of these:

Type

Type and Code (not for PIX devices)

Message

To specify an ICMP-Type object group:

Procedure
Step 1

In the ICMP section, click Type to open the Browser dialog box.
This is enabled only if the ACE protocol is specified as ICMP or protocol object
group.

Step 2

Select the required ICMP-type object group.

Step 3

Click OK when you have finished.


Using the ACE Editor Buttons


The following table explains the buttons at the bottom of the ACE Editor dialog boxes:

Expand: Expands the ACE. Expansion of the ACE shows the ACE physical view: the actual IOS, Catalyst OS, or PIX OS statements that implement the ACE. For example, if the source address field class translates to n IP addresses and the destination field class expands to m IP addresses, there will be n x m entries in the expanded ACE and in the actual IOS, Catalyst OS, or PIX OS statements that implement the ACE.

New: Saves the current ACE and starts editing a new one. You can then save changes to the current ACE and carry the settings into the new ACE, or discard them. If you save, the main window is updated to display the saved ACE.

Prev: Saves the current ACE and loads the previous one from the ACL. You can then save changes to the current ACE or discard them. If you save, the main window is updated to display the saved ACE.

Next: Saves the current ACE and loads the next one from the ACL. You then have the option to save changes made to the current ACE. If you save, the main window is updated to display the saved ACE.
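The n x m expansion that Expand shows can be reproduced for an IP Extended ACE whose source and destination fields are network classes. This is an added example, not ACL Manager's own code: the ExtAce type and sample classes are constructed, and it additionally renders the destination port operator (eq, neq, gt, lt, range, none) and the TCP flags, treating ACK plus RST as established, as the Advanced tab describes. Expanding an eq service class of several ports into one statement per port is this example's assumption.

```python
import itertools
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed model (hypothetical, not ACL Manager's own classes) of an IP
# Extended ACE: source/destination are network classes, i.e. lists of
# (address, IOS wildcard) members; the destination port may be a service class.
Member = Tuple[str, str]


@dataclass
class ExtAce:
    action: str                                         # "permit" or "deny"
    protocol: str                                       # "tcp", "udp", "ip", ...
    src: List[Member]                                   # network class members
    dst: List[Member]
    dst_port_op: str = "none"                           # eq neq gt lt range none
    dst_ports: List[int] = field(default_factory=list)
    tcp_flags: Set[str] = field(default_factory=set)    # ack fin psh rst syn urg
    log: bool = False


def fmt_address(address: str, wildcard: str) -> str:
    """IOS address syntax: any / host A.B.C.D / A.B.C.D W.W.W.W."""
    if address == "any" or wildcard == "255.255.255.255":
        return "any"
    if wildcard == "0.0.0.0":
        return f"host {address}"
    return f"{address} {wildcard}"


def port_clauses(op: str, ports: List[int]) -> List[str]:
    """Expand the port operator into one clause per resulting statement.

    Only eq is allowed with a service class, so eq yields one statement per
    port (assumption); the other operators take exactly the operands they need.
    """
    if op == "none":
        return [""]
    if op == "eq":
        if not ports:
            raise ValueError("eq needs at least one port")
        return [f" eq {p}" for p in ports]
    if op == "range":
        if len(ports) != 2 or ports[0] > ports[1]:
            raise ValueError("range needs a low and a high port")
        return [f" range {ports[0]} {ports[1]}"]
    if op in ("neq", "gt", "lt"):
        if len(ports) != 1:
            raise ValueError(f"{op} takes exactly one port, not a service class")
        return [f" {op} {ports[0]}"]
    raise ValueError(f"unknown operator {op}")


def flag_clause(flags: Set[str]) -> str:
    """Render TCP flags; selecting ACK and RST is the same as Established."""
    if flags == {"ack", "rst"}:
        return " established"
    return "".join(f" {f}" for f in sorted(flags))


def expand_ace(ace: ExtAce) -> List[str]:
    """Physical view of one ACE: n source members x m destination members
    (x k ports for an eq service class) IOS statements."""
    if ace.tcp_flags and ace.protocol != "tcp":
        raise ValueError("TCP flags apply only to tcp")
    if ace.dst_port_op != "none" and ace.protocol not in ("tcp", "udp"):
        raise ValueError("port operators apply only to tcp and udp")
    lines = []
    ports = port_clauses(ace.dst_port_op, ace.dst_ports)
    for (s, sw), (d, dw), port in itertools.product(ace.src, ace.dst, ports):
        line = (f"{ace.action} {ace.protocol} {fmt_address(s, sw)} "
                f"{fmt_address(d, dw)}{port}{flag_clause(ace.tcp_flags)}")
        if ace.log:
            line += " log"
        lines.append(line)
    return lines


# Constructed sample: a 2-member source class and a 3-member destination class
# give 2 x 3 = 6 statements for a single "eq 443, established, log" ACE.
SAMPLE = ExtAce(
    action="permit", protocol="tcp",
    src=[("10.1.1.0", "0.0.0.255"), ("10.1.2.0", "0.0.0.255")],
    dst=[("192.168.1.10", "0.0.0.0"), ("192.168.1.11", "0.0.0.0"),
         ("192.168.2.0", "0.0.0.255")],
    dst_port_op="eq", dst_ports=[443], tcp_flags={"ack", "rst"}, log=True,
)

if __name__ == "__main__":
    for statement in expand_ace(SAMPLE):
        print(statement)
```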


Editing IP ACE Attributes


Select an ACE that belongs to a standard IP ACL. Start the ACE Editor on this
ACE (see Figure 4-9). The ACE being edited is shown in the display area above
the Expand button.
Figure 4-9 ACE Editor Dialog Box: IP

You can edit the fields as follows:

Permission: Determines whether the ACE is a permit or deny statement.

Log Options: Allows you to log packets that match this ACE.


Variable: You can invoke the ACE Editor to:
  Specify variables in a variable template.
  Specify values for the variables in a variable template instance.
  Add or edit an ACE in a static template.
  Add or edit an ACE in an ACL.
The Variable checkbox applies to the Source Address field:
  If the Variable checkbox is enabled, it indicates that the ACE Editor has been invoked for a variable template. By selecting the Variable checkbox, you can specify the variables for the Source Address, or you can select existing variables from the drop-down list boxes for the Source Address.
  If the Variable checkbox is disabled and it is already checked, it indicates that the ACE Editor has been invoked for a variable template instance, and you can specify the values for the Source Address field.
  If the Variable checkbox is disabled and it is not already checked, it indicates that the ACE Editor has been invoked for an ACE in a static template, or to add an ACE into an ACL, and you can specify the values for the Source Address.

Source Address: Defines the source address in the ACE. This field is mandatory. Enter the address or select an existing network, or network class (see Specifying Source and Destination Addresses).

Source Wildcard Mask: Defines the wildcard mask to be applied to the source address. This field is optional.

Comment: You can add a comment about this ACE. The comment appears in-line. This field is optional.


Editing IP Extended ACE Attributes


Select an ACE that belongs to an IP Extended ACL, then start the ACE Editor on
this ACE.
There are three tabbed sections, each with a different format, as described in these
topics:

Editing IP Extended General Attributes

Editing IP Extended Advanced Attributes

Editing IP Extended Other Attributes

Editing IP Extended General Attributes


Click the General tab to display the IP Extended (General) attributes that can be
edited (see Figure 4-10). The ACE being edited appears above the Expand button.
Figure 4-10 ACE Editor Dialog Box: IP Extended (General)


You can edit the fields as follows:

Protocol: Allows you to select from various protocols, such as TCP, IP, ICMP, and IGMP. You can also enter a protocol name or number.

Permission: Determines whether the ACE is a permit or deny statement.

Log Options: Allows you to log packets that match this ACE.

Variable: You can invoke an ACE Editor to:
  Specify variables in a variable template.
  Specify values for the variables in a variable template instance.
  Add or edit an ACE in a static template.
  Add or edit an ACE in an ACL.
The Variable checkbox in this tab of the ACE Editor applies to the Source Address and Destination Address fields, under these conditions:
  If the Variable checkbox is enabled, it indicates that the ACE Editor has been invoked for a variable template. By selecting the Variable checkbox, you can specify the variables for the Source Address and Destination Address fields, or you can select existing variables from the drop-down list boxes for the Source Address and Destination Address fields.
  If the Variable checkbox is disabled and it is checked, it indicates that the ACE Editor has been invoked for a variable template instance, and you can specify the values for the Source Address and Destination Address fields.
  If the Variable checkbox is disabled and it is not checked, it indicates that the ACE Editor has been invoked for an ACE in a static template, or to add an ACE into an ACL, and you can specify the values for the Source Address and Destination Address fields.


Source Address: Defines the source address in the ACE. The keyword any is allowed. This field is mandatory. Enter the address or select an existing network, or network class (see Specifying Source and Destination Addresses).

Source Wildcard Mask: Defines the wildcard mask for the source address. This field is optional.

MAC Address: Disabled. Is applicable only for ARP Inspection VACEs.

Destination Address: Defines the destination address in the ACE. The keyword any is allowed. This field is mandatory. Enter the address, or select an existing network or network class (see Specifying Source and Destination Addresses).

Destination Wildcard Mask: Defines the wildcard mask for the destination address. This field is optional.

Destination Port: If the protocol selected is TCP or UDP, this field specifies the destination port for this ACE. The port relationship is assumed to be =.

Comment: You can add a comment about this ACE. The comments will appear in-line. This field is optional.


Editing IP Extended Advanced Attributes


Click the Advanced tab to display the IP Extended (Advanced) attributes that can
be edited (see Figure 4-11). The ACE being edited appears above the Expand
button.
Figure 4-11 ACE Edit Dialog Box: IP Extended (Advanced)


You can edit the fields as follows:

TCP flags: Allows you to cause the TCP packets to be filtered according to the setting of the appropriate flags (ACK, FIN, PSH, RST, SYN, and URG). Selecting ACK and RST is the same as checking Established. This field is available only on some IOS versions.

Variable: An ACE Editor can be invoked to:
  Specify variables in a variable template.
  Specify values for the variables in a variable template instance.
  Add or edit an ACE in a static template.
  Add or edit an ACE in an ACL.
The Variable checkbox in this tab of the ACE Editor applies to the Source Port Operator and Destination Port Operator fields, under these conditions:
  If the Variable checkbox is enabled, it indicates that the ACE Editor has been invoked for a variable template. By selecting the Variable checkbox, you can specify the variables for the Source Port Operator and Destination Port Operator fields, or you can select existing variables from the drop-down list boxes for the Source Port Operator and Destination Port Operator fields.
  If the Variable checkbox is disabled and it is checked, it indicates that the ACE Editor has been invoked for a variable template instance, and you can specify the values for the Source Port Operator and Destination Port Operator fields.
  If the Variable checkbox is disabled and it is not checked, it indicates that the ACE Editor has been invoked for an ACE in a static template, or to add an ACE into an ACL, and you can specify the values for the Source Port Operator and Destination Port Operator fields.


Source Port Operator: Select an operator from the drop-down list box to define the operation to be performed on the source:
  eq (equal to)
  neq (not equal to)
  gt (greater than)
  lt (less than)
  range
  none
This field is available only if the protocol selected in the General tab is TCP or UDP. Only the eq operator is available if Service Class is selected.

Source Port Start: Defines the source port or the start of a range of ports if you selected range as the relation. You can enter a port name or select a name from the drop-down list box. You can also click on the Start button to open the Service Class Selection dialog box, and select a service class (see Specifying Source and Destination Addresses).

Source Port End: Applies only if the source operator is range. You can enter a port name or select a name from the drop-down list box.

Destination Port Operator: Select an operator from the drop-down list box to define the operation to be performed on the destination:
  eq (equal to)
  neq (not equal to)
  gt (greater than)
  lt (less than)
  range
  none
This field is available only if the protocol selected in the General tab is TCP or UDP. Only the eq operator is available if Service Class is selected.


Destination Port Start: Defines the destination port or the start of a range of ports if you selected range as the relation. You can enter a port name or select a name from the drop-down list box. You can also click the Start button to open the Service Class Selection dialog box, and select a service class (see Specifying Source and Destination Addresses).

Destination Port End: Applies only if the destination operator is range. You can enter a port name or select a name from the drop-down list box.

ICMP Type: ICMP packets can be filtered by message type (a number in the range 0 to 255). This field is optional.

ICMP Code: ICMP packets that are filtered by message type can also be matched by the message code (a number in the range 0 to 255). This field is optional.

ICMP Message: ICMP packets can be filtered by a message name, or message type and code name. Select the message name from the list in the drop-down list box. This field is optional.

IGMP Type: IGMP packets can be filtered by message type (a number in the range 0 to 15 or a message name in the drop-down list box). This field is optional.

Editing IP Extended Other Attributes


Click the Other tab to display the IP Extended (Other) attributes that can be edited
(see Figure 4-12). The ACE being edited appears in the window above the Expand
button.
To select either the IP Precedence/TOS or the DSCP options, click the radio
button next to the appropriate option. After you have selected either of these
options, you may choose a name from the drop-down list box.


Figure 4-12 ACE Editor Dialog Box: IP Extended (Other)

You can edit the fields as follows:

Precedence: Packets can be filtered by precedence level, as specified by a number in the range 0 to 7, or by name. You can select a name from the drop-down list box.

TOS: Packets can be filtered by type of service level, as specified by a number in the range 0 to 15, or by name. You can select a name from the drop-down list box.

Differentiated Services Code Point (DSCP): Packets can be filtered by a DSCP value. This value is specified by a number in the range 0 to 63, or by name. You can select a name from the drop-down list box.

Fragments: Select this check box to filter non-initial fragments of IP packets. This field is optional.

Dynamic Name: Specifies the name of a dynamic access list. This field is optional.


Dynamic Timeout (minutes): Specifies a maximum time limit (in minutes) that a temporary access list entry can remain within the dynamic access list. The default is infinite and allows an entry to remain permanently. This field is optional.

Time Range Name: Specifies a named Time Range, which combines at most one fixed interval and zero or more periodic intervals, during which this ACL entry is in effect. From within ACL Manager, you are allowed to associate an ACE with a Time Range that is already in existence, by selecting it from the Time Range Name selection box.

Create: You can create a new Time Range using the Create button. Click Create to open the Time Range Editor (see Creating a Time Range Definition.) After you create a Time Range here, it is associated with the ACE. However, you must check it in and download it to the device before downloading the ACE to the device.

Expiry Type: Specify the expiry type for the ACE:
  Automatic: The time-based ACEs are tracked by the device. They expire automatically, at the time specified in the Time Range, and you receive a notification of the expiry.
  Manual: The time-based ACEs are not tracked by the device. They do not expire automatically. However, you receive a notification when they expire. You can then manually delete them from the ACL or continue to retain them, as required.

Evaluate ACL: Select this check box to nest a reflexive access list within an ACL. Enter the name of a reflexive ACL. This field is optional.

Reflexive ACL: Select this check box if you want this entry to create and insert dynamic entries into a reflexive ACL. This is used to filter IP traffic so that TCP or UDP session traffic is permitted through the firewall only if the session originated from within the internal network. This field is optional.

Reflexive Timeout (minutes): Reflexive access list entries expire after no packets in the session have been detected for a certain length of time (the timeout period, in minutes). If you do not specify a timeout for the reflexive list, the list uses the global timeout value. This field is optional.

Note

When you invoke the IP Extended Editor through the Template Manager, you will
not be able to select a Time Range name, in the Other tab. Instead, you should
enter a valid Time Range name in the Time Range Name field.
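The fields of the Other tab map onto keywords of an IOS extended ACE. The Python below is an added example, not ACL Manager code: it renders one set of Other-tab values into that syntax while enforcing the ranges listed in the table (precedence 0 to 7, TOS 0 to 15, DSCP 0 to 63) and the constraints IOS applies (DSCP is an alternative to Precedence/TOS, fragments cannot be combined with Layer 4 matching, only permit entries can populate a reflexive list, a dynamic timeout is 1 to 9999 minutes). OtherAttrs, render_extended_ace and the keyword tables are this example's own names. Note that the IOS reflect timeout is given in seconds, whereas the editor field above is labelled minutes, so convert before calling.

```python
"""Render IP Extended 'Other' attributes into IOS extended ACE text, checking the
value ranges the ACE Editor enforces (precedence 0-7, TOS 0-15, DSCP 0-63)."""
from dataclasses import dataclass
from typing import Optional, Union

# IOS keyword names and their numeric values.
PRECEDENCE_NAMES = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
                    "flash-override": 4, "critical": 5, "internet": 6, "network": 7}
TOS_NAMES = {"normal": 0, "min-monetary-cost": 1, "max-reliability": 2,
             "max-throughput": 4, "min-delay": 8}
DSCP_NAMES = {"default": 0, "cs1": 8, "af11": 10, "af12": 12, "af13": 14,
              "cs2": 16, "af21": 18, "af22": 20, "af23": 22, "cs3": 24,
              "af31": 26, "af32": 28, "af33": 30, "cs4": 32, "af41": 34,
              "af42": 36, "af43": 38, "cs5": 40, "ef": 46, "cs6": 48, "cs7": 56}
# IOS rejects 'fragments' on an entry that carries Layer 4 information.
LAYER4_TOKENS = {"eq", "neq", "gt", "lt", "range", "established"}


@dataclass
class OtherAttrs:
    """One value per field of the Other tab; None means the field is left empty."""
    precedence: Optional[Union[int, str]] = None
    tos: Optional[Union[int, str]] = None
    dscp: Optional[Union[int, str]] = None
    fragments: bool = False
    dynamic_name: Optional[str] = None
    dynamic_timeout: Optional[int] = None   # minutes; IOS accepts 1-9999
    time_range: Optional[str] = None
    evaluate: Optional[str] = None          # name of the reflexive ACL to nest
    reflect_name: Optional[str] = None
    reflect_timeout: Optional[int] = None   # seconds on the IOS command line


def _token(value: Union[int, str], names: dict, limit: int, label: str) -> str:
    """Accept a number in 0..limit or a known keyword; return the token to emit."""
    if isinstance(value, int):
        if not 0 <= value <= limit:
            raise ValueError(f"{label} {value} is outside 0-{limit}")
        return str(value)
    if value not in names:
        raise ValueError(f"unknown {label} name {value!r}")
    return value


def render_extended_ace(base: str, other: OtherAttrs) -> str:
    """base is the 'permit|deny protocol source destination [ports]' part of the ACE."""
    if other.evaluate:
        # 'Evaluate ACL' produces a stand-alone entry that nests the reflexive list.
        return f"evaluate {other.evaluate}"
    if other.dscp is not None and (other.precedence is not None or other.tos is not None):
        raise ValueError("DSCP and Precedence/TOS are alternatives; choose one")
    tokens = base.split()
    if tokens[0] not in ("permit", "deny"):
        raise ValueError("base must start with permit or deny")
    if other.fragments and LAYER4_TOKENS & set(tokens):
        raise ValueError("fragments cannot be combined with port or established matching")
    if other.reflect_name and tokens[0] != "permit":
        raise ValueError("only permit entries can populate a reflexive ACL")

    prefix = []
    if other.dynamic_name:
        prefix += ["dynamic", other.dynamic_name]
        if other.dynamic_timeout is not None:
            if not 1 <= other.dynamic_timeout <= 9999:
                raise ValueError("dynamic timeout must be 1-9999 minutes")
            prefix += ["timeout", str(other.dynamic_timeout)]

    suffix = []
    if other.precedence is not None:
        suffix += ["precedence", _token(other.precedence, PRECEDENCE_NAMES, 7, "precedence")]
    if other.tos is not None:
        suffix += ["tos", _token(other.tos, TOS_NAMES, 15, "tos")]
    if other.dscp is not None:
        suffix += ["dscp", _token(other.dscp, DSCP_NAMES, 63, "dscp")]
    if other.reflect_name:
        suffix += ["reflect", other.reflect_name]
        if other.reflect_timeout is not None:
            suffix += ["timeout", str(other.reflect_timeout)]
    if other.time_range:
        suffix += ["time-range", other.time_range]
    if other.fragments:
        suffix.append("fragments")
    return " ".join(prefix + tokens + suffix)


if __name__ == "__main__":
    print(render_extended_ace("permit tcp any any",
                              OtherAttrs(precedence="critical", fragments=True, time_range="NIGHT")))
    print(render_extended_ace("permit ip any any",
                              OtherAttrs(dynamic_name="TEMP", dynamic_timeout=10, dscp=46)))
```

Running the same checks before an ACE leaves the editor is what keeps a download from being rejected by the device, or worse, accepted with a silently different meaning.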


Editing RATE LIMIT MAC ACE Attributes


Select an ACL with RATE LIMIT MAC protocol and open the ACE Editor to
display the attributes that can be edited (see Figure 4-13). The ACE being edited
appears above the Expand button.
Figure 4-13 ACE Editor Dialog Box: RATE LIMIT MAC

You can edit the field as follows:

MAC Address: Defines the MAC address.


Editing RATE LIMIT PRECEDENCE ACE Attributes


Select an ACL with RATE LIMIT PRECEDENCE protocol and open the ACE
Editor to display the attributes that can be edited (see Figure 4-14).
Figure 4-14 ACE Editor Dialog Box: RATE LIMIT PRECEDENCE

You can edit the fields as follows:

Precedence: Packets are filtered by precedence level. You can specify a number in the range 0 to 7, or a name.

Precedence Mask: Packets are matched by a mask for filtering by precedence level. Enter the precedence mask (a two-digit hexadecimal number).

Saving ACEs as a Template


You can save selected ACEs as a new template.
For information on saving ACLs as a template, see Deleting ACLs.


Procedure

Step 1  Expand the Devices folder in the ACL Manager Main Window.

Step 2  Select ACL Definitions.
        The ACLs for the device appear in the right pane.

Step 3  Select the required ACL definition and check it out.
        The ACEs for the definition appear in the right pane (see Figure 4-3).

Step 4  Select the ACEs to form the new template.
        You cannot save as a template ACEs that have time ranges associated with them.
        If the selected ACEs contain downloadable Remark ACEs, these are saved as non-downloadable Remark ACEs in the newly created template.

Step 5  Select File > Save ACEs As to display the Save As Template dialog box (see Figure 4-15).

Figure 4-15 Save As Template Dialog Box


Step 6  Select the template directory to hold the new template.

Step 7  Enter the new template name, then click OK.
        The selected ACEs are replaced by an include template statement in the ACL.
        To be able to use the newly created template, first check it in and then set it as a master version. For details, see Using the Template Manager.

Viewing the Configuration Changes


You can view the device configuration changes that you have made to ACLs or
ACL Uses, using the Diff Viewer. For details, see Chapter 3, Verifying Device
Configuration Changes.

Optimizing the ACL


After you have created or edited an ACL, you can use the Optimizer to determine
if the ACL can be optimized by removing redundant ACEs (see Chapter 16,
Optimizing ACLs).

Note

Optimization changes the order of ACEs only if it does not change the ACL
semantics in any way.
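The redundancy the Optimizer looks for is an ACE that an earlier entry in the same ACL already fully covers: under first-match evaluation such an entry never takes effect. The Python below is an added example and not ACL Manager's optimizer. It parses IOS-style extended ACEs (numeric ports, contiguous wildcard masks, optional established keyword) and reports every entry that an earlier one covers, labelling a same-action match redundant and an opposite-action match shadowed. The sample ACL and all function names are constructed for the example.

```python
"""Find ACEs that an earlier entry in the same ACL already fully covers. First-match
semantics make such entries dead: a same-action match is redundant and can be
removed; an opposite-action match is shadowed and never takes effect."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

Interval = Tuple[int, int]          # inclusive port range
ANY_PORT: Tuple[Interval, ...] = ((0, 65535),)
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an address plus IOS wildcard mask (inverted netmask) to a network.
    Only contiguous wildcards (2**k - 1) map to a prefix; anything else is rejected."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} has no prefix form")
    return ipaddress.IPv4Network((addr, 32 - bits.bit_length()), strict=False)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sports: Tuple[Interval, ...]
    dst: ipaddress.IPv4Network
    dports: Tuple[Interval, ...]
    flags: FrozenSet[str]            # match restrictions such as 'established'


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return wildcard_to_network(t[i], t[i + 1]), i + 2


def _parse_ports(t: List[str], i: int) -> Tuple[Tuple[Interval, ...], int]:
    """Translate a port operator (numeric ports only) into the set of ports it matches."""
    if i >= len(t) or t[i] not in PORT_OPS:
        return ANY_PORT, i
    op = t[i]
    if op == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2])
        return ((lo, hi),), i + 3
    v = int(t[i + 1])
    spans = {"eq": [(v, v)], "gt": [(v + 1, 65535)], "lt": [(0, v - 1)],
             "neq": [(0, v - 1), (v + 1, 65535)]}[op]
    return tuple(s for s in spans if s[0] <= s[1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'permit tcp 10.0.0.0 0.0.0.255 any eq 80 [established] [log]'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    sports, i = _parse_ports(t, i)
    dst, i = _parse_addr(t, i)
    dports, i = _parse_ports(t, i)
    # 'log' does not narrow the match, so it is not a restriction.
    flags = frozenset(x for x in t[i:] if x not in ("log", "log-input"))
    return Ace(action, proto, src, sports, dst, dports, flags)


def _ports_covered(inner: Tuple[Interval, ...], outer: Tuple[Interval, ...]) -> bool:
    return all(any(lo >= olo and hi <= ohi for olo, ohi in outer) for lo, hi in inner)


def covers(a: Ace, b: Ace) -> bool:
    """True if every packet b matches is also matched by a (a is at least as broad)."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and _ports_covered(b.sports, a.sports) and _ports_covered(b.dports, a.dports)
            and a.flags <= b.flags)


def covered_entries(acl: List[str]) -> List[Tuple[int, int, str]]:
    """Return (earlier index, dead index, 'redundant' | 'shadowed') for each dead ACE."""
    aces = [parse_ace(line) for line in acl]
    findings = []
    for j, later in enumerate(aces):
        for i in range(j):
            if covers(aces[i], later):
                kind = "redundant" if aces[i].action == later.action else "shadowed"
                findings.append((i, j, kind))
                break
    return findings


# Constructed sample ACL for this example (not from the guide).
SAMPLE_ACL = [
    "permit tcp 10.0.0.0 0.0.0.255 any eq 80",
    "permit tcp host 10.0.0.5 any eq 80",
    "permit tcp 10.0.0.0 0.0.0.255 any range 8000 8080",
    "permit udp any any eq 53",
    "deny ip any any",
    "permit tcp 10.0.0.0 0.0.0.255 any gt 1023",
]

if __name__ == "__main__":
    for i, j, kind in covered_entries(SAMPLE_ACL):
        print(f"entry {j} is {kind} by entry {i}: {SAMPLE_ACL[j]!r}")
```

A redundant entry can be dropped without changing what the ACL matches. A shadowed entry can also be dropped without changing semantics, but it almost always marks a mistake in ordering (here, a permit placed after a deny ip any any), so review it rather than silently remove it. The check reports coverage only; it never reorders entries, which is consistent with the note above that the Optimizer reorders only when the semantics are unchanged.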

Using Time Range Definitions


ACL Manager supports time-based ACEs. You can use Time Range definitions to control the recurring schedule and/or the absolute period during which an ACE is in effect on an interface or a line.
This section discusses the following topics:

Versioning Time Range Definitions

Creating a Time Range Definition


Editing a Time Range Definition

Associating an ACE with a Time Range

Viewing Associated ACLs on the Device

Configuring the Time Zone on a Device

Downloading Time-based ACEs to the Device

Expiry Type for Time-based ACEs

Time Range E-mail Notification

To apply and use ACEs with Time Range definitions:

Procedure

Step 1  Create a Time Range (see Creating a Time Range Definition).

Step 2  Associate an ACE with a Time Range. You can have multiple time-based ACEs within an ACL (see Associating an ACE with a Time Range).

Step 3  Download the Time Range that is associated with the ACE to the device. Also download the ACL containing the time-based ACE to the device, to activate the Time Ranges (see Downloading Time-based ACEs to the Device).

Versioning Time Range Definitions


Time Range Definitions are versioned in ACL Manager. After you create a Time
Range, you should check it in, to be able to use it. You should check out a Time
Range to be able to modify it.
You can also view the Versioning History of Time Ranges. For details on
versioning, see Chapter 10, Versioning ACL Manager Entities.


Creating a Time Range Definition


You can define the following types of Time Ranges, using the Time Range Editor:

Time Range Definition Absolute

Time Range Definition Periodic

Time Range Definitions Absolute and Periodic

Time Range Definition Absolute


Use an Absolute Time Range if you want an ACE to be active on a device for a
specified duration of time, after which it expires.

Procedure

Step 1  Right-click on the Time Range Definitions folder in the ACL Manager Main Window, and select New Time Range. You can also select ACL > New Time Range from the ACL Manager Main Window.
        The Time Range Editor opens (see Figure 4-16).

Step 2  Click the Absolute tab in the Time Range Editor dialog box to display the attributes that can be set.


Figure 4-16 Time Range Editor - Absolute

Step 3  Enter the name for the Time Range definition.

Step 4  Enter the values for the absolute Time Range in the Start group in the Time Range Editor - Absolute dialog box:

        Time: Start time in hours and minutes. Enter hours in the range 0 to 23, and minutes in the range 0 to 59.
        Day: Day (1 through 31).
        Month: Select the month from the drop-down list.
        Year: Select the year.

Step 5  Enter the values for the absolute Time Range in the End group.


Step 6  Click OK.
        The Time Range is created and has this symbol against it: [*].
        You should check it in to be able to use it (see Chapter 10, Checking In Entities). The star symbol against the Time Range is replaced by a version number, for example: [1].

Time Range Definition Periodic


Use a Periodic Time Range if you want an ACE to be active on a device at a
recurring frequency. For example, by specifying a periodic Time Range, you can
activate a certain ACE on a device daily between 10 p.m. and 6 a.m.

Procedure

Step 1  Right-click on the Time Range Definitions folder in the ACL Manager Main Window, and select New Time Range. You can also select ACL > New Time Range.
        The Time Range Editor opens (see Figure 4-16).

Step 2  Click the Periodic tab in the Time Range Editor to display the attributes that can be set (see Figure 4-17).


Figure 4-17 Time Range Editor - Periodic

Step 3  Enter the name for the Time Range definition.

Step 4  Enter the values for the periodic Time Range in the Start group in the Time Range Editor - Periodic dialog box:

        Days: Select the days of the week (Monday through Sunday), or a frequency: daily, weekdays, or weekend.
        Time: Start time in hours and minutes. Enter hours in the range 0 to 23, and minutes in the range 0 to 59.


Step 5  Enter the values for the periodic Time Range in the End group.
        Click Add to add the selected Start and End values to the Periodic Time Ranges list.
        You can specify more than one periodic Time Range; click Add for each one.
        The periodic Time Ranges that you have specified appear in the Periodic Time Ranges box.

Step 6  To remove an existing periodic Time Range, select it in the Periodic Time Ranges box and click Remove.
        To change the values of an existing periodic Time Range, select it and click Change.
        Click OK.
        The Time Range is created and has this symbol against it: [*].
        To use the Time Range, you must check it in (see Chapter 10, Checking In Entities). The star symbol against the Time Range is replaced by a version number, for example: [1].

Time Range Definitions Absolute and Periodic


If you want an ACE to be active on a device at a recurring frequency, but only for
a specified duration of time, you can create a Time Range that has both Absolute
and Periodic attributes.
For example, you may want to activate a certain ACE on a device daily between
10 p.m. and 6 a.m., from June to December of the current year. To do this, specify
both Absolute and Periodic Time Ranges.
Use the Time Range Editor to specify Absolute and Periodic attributes of a Time
Range.


Procedure

Step 1  Right-click on the Time Range Definitions folder in the ACL Manager Main Window, and select New Time Range. You can also select ACL > New Time Range.
        The Time Range Editor opens (see Figure 4-16).

Step 2  Specify the attributes in the Absolute tab. See Time Range Definition Absolute.

Step 3  Specify the attributes in the Periodic tab. See Time Range Definition Periodic.

Step 4  Click OK.
        The Time Range is created and has this symbol against it: [*].
        To use the Time Range you must check it in (see Chapter 10, Checking In Entities). The star symbol against the Time Range is replaced by a version number, for example: [1].

Editing a Time Range Definition


You can use the Time Range Editor to edit a Time Range.

Procedure

Step 1  Expand the Devices folder in the ACL Manager Main Window.

Step 2  Select the Time Range that you want to edit from the Time Range Definitions folder.

Step 3  Check out the Time Range (see Chapter 10, Checking Out Entities for the procedure).

Step 4  Right-click on the checked out Time Range and select Edit.
        The Time Range Editor opens.


Step 5  Change the details in this dialog box as required and click OK.
        At this point the Time Range is in a checked out state.
        You can use the Version Diff Viewer to see the differences between the original Time Range and the checked out version (see Chapter 10, Comparing Any Two Versions of an Entity).

Step 6  Check in the Time Range (see Chapter 10, Checking In Entities for the procedure).

Associating an ACE with a Time Range


You can associate IP Extended ACEs with Time Ranges using the ACE Editor.
(see Editing ACEs.)
When a Time Range is associated with an ACE, a stop watch icon appears against
it. The color code of the icon indicates the state of the time-based ACE (see
Chapter 3, Using the Device State Icons for the Time Range icons).
A time-based ACE can be in any of these states:

Active: The time-based ACE is active on the device. If an ACE is associated with a Time Range that does not exist on the device, the state of the ACE will always be Active.

Passive: The time-based ACE is temporarily inactive on the device. Only ACEs associated with periodic Time Ranges can be in this state.

Inactive: The ACE and the Time Range associated with it have been downloaded to the device, but the activity of the Time Range has not started.

Expired: The time-based ACE has become permanently inactive on the device because the Time Range specified for it has expired.
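The four states above follow from the Absolute and Periodic attributes described under Time Range Definitions Absolute and Periodic, evaluated against the device clock. The Python below is an added example, not ACL Manager code, that computes the state for a Time Range at a given device time: before the absolute start is INACTIVE, after the absolute end is EXPIRED, inside the absolute window it is ACTIVE when a periodic window (or no periodic definition) applies and PASSIVE otherwise, and an ACE whose Time Range is missing from the device is reported ACTIVE, as the table states. The names TimeRange, Periodic, ace_state, state_at and sample_time_range are this example's own; the constructed sample mirrors the guide's "daily between 10 p.m. and 6 a.m., June to December" case, and the example assumes that an end time at or before the start time wraps past midnight.

```python
"""Work out the state ACL Manager reports for a time-based ACE (ACTIVE, PASSIVE,
INACTIVE, EXPIRED) from its Time Range and a device clock reading."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import FrozenSet, Optional, Sequence

# Day groups offered in the Days field of the Time Range Editor (Monday == 0).
DAY_GROUPS = {"daily": range(7), "weekdays": range(5), "weekend": range(5, 7)}
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def parse_days(spec: str) -> FrozenSet[int]:
    """'weekdays' -> {0..4}; 'monday friday' -> {0, 4}."""
    spec = spec.strip().lower()
    if spec in DAY_GROUPS:
        return frozenset(DAY_GROUPS[spec])
    unknown = [w for w in spec.split() if w not in DAY_NAMES]
    if unknown or not spec:
        raise ValueError(f"unknown day specification {spec!r}")
    return frozenset(DAY_NAMES.index(w) for w in spec.split())


@dataclass(frozen=True)
class Periodic:
    days: FrozenSet[int]      # weekdays on which the window starts
    start: time
    end: time

    def contains(self, now: datetime) -> bool:
        if self.end > self.start:
            return now.weekday() in self.days and self.start <= now.time() < self.end
        # Assumption made by this example: an end time at or before the start time
        # wraps past midnight, so 'daily 22:00 to 06:00' covers both sides of 00:00.
        if now.weekday() in self.days and now.time() >= self.start:
            return True
        started_yesterday = (now - timedelta(days=1)).weekday() in self.days
        return started_yesterday and now.time() < self.end


@dataclass(frozen=True)
class TimeRange:
    name: str
    absolute_start: Optional[datetime] = None
    absolute_end: Optional[datetime] = None
    periodic: Sequence[Periodic] = ()


def ace_state(time_range: Optional[TimeRange], now: datetime) -> str:
    if time_range is None:
        # An ACE bound to a Time Range that does not exist on the device is always
        # active: the failure mode to watch for when a download was incomplete.
        return "ACTIVE"
    if time_range.absolute_start and now < time_range.absolute_start:
        return "INACTIVE"   # downloaded, but the absolute window has not opened
    if time_range.absolute_end and now > time_range.absolute_end:
        return "EXPIRED"    # permanently inactive
    if not time_range.periodic or any(p.contains(now) for p in time_range.periodic):
        return "ACTIVE"
    return "PASSIVE"        # inside the absolute window, between periodic windows


def state_at(time_range: Optional[TimeRange], device_time_iso: str) -> str:
    """Convenience wrapper taking the device time as an ISO 8601 string."""
    return ace_state(time_range, datetime.fromisoformat(device_time_iso))


def sample_time_range() -> TimeRange:
    """Constructed example: active daily 22:00 to 06:00, June through December 2001."""
    return TimeRange(
        name="NIGHT",
        absolute_start=datetime(2001, 6, 1, 0, 0),
        absolute_end=datetime(2001, 12, 31, 23, 59),
        periodic=(Periodic(parse_days("daily"), time(22, 0), time(6, 0)),),
    )


if __name__ == "__main__":
    for when in ("2001-05-01T23:00", "2001-07-10T23:00", "2001-07-11T03:00",
                 "2001-07-11T12:00", "2002-01-01T23:00"):
        print(when, state_at(sample_time_range(), when))
```

The evaluation uses the device's clock, which is why the guide recommends configuring the device time zone: a server in one zone reasoning about a Time Range in another will otherwise disagree with the device about when an ACE opened or expired.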


Viewing Associated ACLs on the Device


You can view all the versions of ACLs that are associated with a version of a Time
Range that is currently on the device.
To see all the ACLs associated with a Time Range on a device:

Procedure

Step 1  Expand the required Devices folder in the ACL Manager Main Window.

Step 2  Select Time Range Definitions.
        The Time Ranges for the device appear in the right pane.

Step 3  Right-click on the required Time Range and select Show Associated ACLs from the pop-up menu, or select the required Time Range and click Edit > Show Associated ACLs from the main menu bar.
        The Associated ACLs on Device dialog box appears (see Figure 4-18).

Figure 4-18 Associated ACLs on Device


The columns in the Associated ACLs on Device dialog box are:

ACL Name: Name of the ACL that is associated with the Time Range on the device.

Version: ACL version.

Configuring the Time Zone on a Device


We recommend that you configure the time zone on a device to be able to receive
Time Range notifications based on the device time zone. If you do not configure
the time zone on the device, ACL Manager sends notifications based on UTC
(Coordinated Universal Time).
To configure the time zone and daylight savings time on a device, see your Cisco
IOS Software documentation. The latest IOS Software documentation is available
at:
http://www.cisco.com/univercd/home/home.htm
After you configure the time zone on the device, you can update this in ACL
Manager.
To update the time zone configuration of device in ACL Manager:

Procedure

Step 1  In the ACL Manager Main Window, select the device for which the time zone configuration has been changed.

Step 2  Right-click on the device and select Check for Out of Band Changes.
        The time zone configuration of the device is updated in ACL Manager.


Downloading Time-based ACEs to the Device


Time-based ACEs are activated after the ACL version that contains them is
downloaded to the device. If the ACEs are of the automatic expiry type, then the
Time Range they are associated with, should also be downloaded to the device.
For details on downloading entities, see Chapter 15, Scheduling and
Downloading.

Expiry Type for Time-based ACEs


Time-based ACEs can be configured to expire:

Automatically (see Automatic Expiry).

Through manual intervention (see Manual Expiry).

Automatic Expiry
If you specify Automatic Expiry as the mode of expiry, the time-based ACEs will
be tracked by the device. They will expire automatically, at the time specified in
the Time Range.
You will get an e-mail informing you that the time-based ACEs have expired.

Manual Expiry
If you specify Manual Expiry as the mode of expiry, the time-based ACEs will not
be tracked by the device on which they are present. They do not expire
automatically.
Such ACEs are activated immediately, after you download them to the device, and
you will receive a notification when they expire. You can then manually delete
them from the ACL or continue to retain them.
This method of expiry is useful when you do not want the time-based ACEs that
you have implemented on a device to expire with split-second accuracy.
For example, if you have implemented a contract to provide certain resources to
a valued partner, you may want to provide a grace period after the contract
expires, before withdrawing the resources, or renewing or extending the contract.


To manually delete a time-based ACE from the ACL:

Procedure

Step 1  Check out the ACL (see Chapter 10, Checking Out Entities).

Step 2  Delete the time-based ACE.

Step 3  Check in the ACL (see Chapter 10, Checking In Entities).

Step 4  Download the ACL to the device again (see Chapter 15, Scheduling and Downloading).

Time Range E-mail Notification


ACL Manager sends out e-mail notifications when:

A Time Range changes its state, from active to passive or expired.

The server is re-started. In this case, you will be notified of the expired Time
Ranges.

Configuring Time Range E-mail


To receive e-mail notifications on Time Ranges, you need to configure e-mail for Time Ranges by editing the aclm.properties file.
The aclm.properties file is located at:

  Solaris: /opt/CSCOpx/objects/aclm/etc/aclm
  Windows: NMSROOT\objects\aclm\etc\aclm

In the file, edit the property TimebasedEmailIds. To configure several e-mail IDs, separate them with semicolons.


Time Range E-mail Format


The Time Range e-mail lists ACLs. Within each ACL, it also shows the ACEs that are associated with the Time Range for which the notification is generated, and the expiry type (Manual or Automatic) of each ACE.
A typical Time Range e-mail notification looks like this:

Subject: [AclManager] State of Time-Range "t2" is EXPIRED
This is an automatically generated message from ACL Manager
The state of the following Time-Range has changed
-------------------------------------------------
Device Name        10.64.134.78
Time-Range Name    "t2" version 1
Time-Range State   EXPIRED
Device Time        Wed Nov 28 7:00 PM 2001 IndiaTime
Server Time        Wed Nov 28 5:30 AM 2001 America/Los_Angeles
Server URL         http://aclmblr-u10.cisco.com:1741

The following ACEs are EXPIRED
---------------------------------------------
ACL "t2-test" version 1
* permit tcp any any time-range t2 [Automatic]
NOTE: User action is required on ACEs that have expiry-type as Manual

The details in the e-mail are:

Device Name: Name or IP address of the device.

Time Range Name: Name of the Time Range.

Time Range State: State of the Time Range. This could be Expired, Passive, or Active.

Device Time: Device time at which the change of state occurred for the Time Range, in the time zone of the device.


Server Time: Server time at which the change of state occurred for the Time Range, in the time zone of the server.

Server URL: The URL of the server.
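Because a Manual-expiry ACE stays on the device until someone removes it, the notification above is the only signal that a temporary permit has outlived its contract. The Python below is an added example, not ACL Manager code: it parses a message in the layout shown above into its header fields and the per-ACL list of ACEs with their expiry type, and returns the ACEs that need operator action (Manual expiry on an EXPIRED Time Range) so the alert can be routed to a ticket rather than read by hand. The regular expressions, Notification and AceEntry names, and the sample message are this example's own constructions following the format shown; the sample adds a second, Manual-expiry ACE that the guide's example does not contain.

```python
"""Parse an ACL Manager Time Range e-mail notification and pull out the ACEs that
need an operator's hand (Manual expiry), so the alert can be routed rather than read."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

HEADER_RE = re.compile(
    r"^(Device Name|Time-Range Name|Time-Range State|Device Time|Server Time|Server URL)\s+(\S.*)$")
NAME_VERSION_RE = re.compile(r'^"(?P<name>[^"]+)" version (?P<version>\d+)$')
ACL_RE = re.compile(r'^ACL "(?P<name>[^"]+)" version (?P<version>\d+)$')
ACE_RE = re.compile(r"^\* (?P<text>.+?) \[(?P<expiry>Automatic|Manual)\]$")


@dataclass
class AceEntry:
    acl: str
    acl_version: int
    text: str
    expiry: str   # 'Automatic' or 'Manual'


@dataclass
class Notification:
    device: str = ""
    time_range: str = ""
    time_range_version: int = 0
    state: str = ""
    device_time: str = ""
    server_time: str = ""
    server_url: str = ""
    aces: List[AceEntry] = field(default_factory=list)


def parse_notification(body: str) -> Notification:
    n = Notification()
    acl_name, acl_version = "", 0
    for raw in body.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Device Name":
                n.device = value
            elif key == "Time-Range Name":
                nv = NAME_VERSION_RE.match(value)
                if not nv:
                    raise ValueError(f"unexpected Time-Range Name value {value!r}")
                n.time_range, n.time_range_version = nv["name"], int(nv["version"])
            elif key == "Time-Range State":
                n.state = value
            elif key == "Device Time":
                n.device_time = value
            elif key == "Server Time":
                n.server_time = value
            else:
                n.server_url = value
            continue
        m = ACL_RE.match(line)
        if m:
            # Every '*' line that follows belongs to this ACL until the next ACL header.
            acl_name, acl_version = m["name"], int(m["version"])
            continue
        m = ACE_RE.match(line)
        if m:
            if not acl_name:
                raise ValueError("ACE listed before any ACL header")
            n.aces.append(AceEntry(acl_name, acl_version, m["text"], m["expiry"]))
    if not (n.device and n.time_range and n.state):
        raise ValueError("notification is missing a required header field")
    return n


def manual_action_items(n: Notification) -> List[Tuple[str, str]]:
    """ACEs the device will not remove on its own once the Time Range has EXPIRED."""
    if n.state != "EXPIRED":
        return []
    return [(a.acl, a.text) for a in n.aces if a.expiry == "Manual"]


# Constructed sample in the layout shown in the guide (not a real message).
SAMPLE_NOTIFICATION = """\
Subject: [AclManager] State of Time-Range "t2" is EXPIRED
This is an automatically generated message from ACL Manager
The state of the following Time-Range has changed
-------------------------------------------------
Device Name        10.64.134.78
Time-Range Name    "t2" version 1
Time-Range State   EXPIRED
Device Time        Wed Nov 28 7:00 PM 2001 IndiaTime
Server Time        Wed Nov 28 5:30 AM 2001 America/Los_Angeles
Server URL         http://aclmblr-u10.cisco.com:1741
The following ACEs are EXPIRED
---------------------------------------------
ACL "t2-test" version 1
* permit tcp any any time-range t2 [Automatic]
* permit udp any any eq 53 time-range t2 [Manual]
NOTE: User action is required on ACEs that have expiry-type as Manual
"""

if __name__ == "__main__":
    note = parse_notification(SAMPLE_NOTIFICATION)
    for acl, ace in manual_action_items(note):
        print(f"{note.device}: remove from ACL {acl!r}: {ace}")
```

The parser refuses a message with missing header fields or an ACE line before any ACL header, rather than returning a half-filled record; a routing script should treat such a failure as an alert in its own right, since a malformed notification is the same outcome as no notification for the operator who has to remove the entry.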

Marking ACLs for Download


You can select ACLs and mark them for immediate download, or create a job and
schedule the download. This option is useful when the IP address for a hostname
has been changed and the changed IP address needs to be downloaded to the
device.
To mark an ACL for download:

Procedure

Step 1  From your Devices folder, select an ACL.

Step 2  Right-click on the ACL and select Mark for Download from the pop-up menu.
        A message appears indicating that you will lose the existing marks for the ACL that you have selected:
        The existing marks for the entities you have selected will be lost. Do you want to proceed?

Step 3  Click Yes in the message box to proceed.
        A message appears indicating that the selected ACLs are marked, and that you can download these entities immediately or later using the Pending Marks Browser:
        Entities are successfully marked as NextRunUpdate marks. You can either download these entities now or later by invoking Tools > Pending Marks Browser.
        Click Yes in the message box to do an immediate download. The Job Download Wizard appears. Use this wizard to do an immediate download (see Chapter 15, Scheduling Downloads).
        Or click No if you do not want to do an immediate download.


To download at another time:

a. Invoke the Pending Marks Browser by selecting Tools > Pending Marks Browser in the ACL Manager Main Window.

b. Select the required ACLs and then mark them for download (see Chapter 15, Marking Changes for Download).

Printing the ACL/ACE


You can print the selected ACLs or ACEs to any printer.
The printing interface will depend on the native operating system running
ACL Manager.

Note

Checked out ACLs or ACEs can also be printed.

Managing VLAN Access Control Lists (VACLS)


VLAN Access Control Lists (VACLs) are used by Catalyst 6000 family switches to apply access control to all packets they switch, including packets bridged within a VLAN.
Earlier switches operated only at Layer 2: switches switched traffic within a VLAN and routers routed traffic between VLANs. Catalyst 6000 family switches with the Multilayer Switch Feature Card (MSFC) can accelerate packet routing among VLANs. These switches do this using Layer 3 switching or Multilayer Switching (MLS).
To support VACLs, a Catalyst 6000 family switch must contain the PFC hardware module.


Catalyst 6000 family switches accelerate packet routing among VLANs as follows:

1. The switch bridges the packet.
2. The packet is then routed internally, without going to the router.
3. The packet is bridged again to send it to its destination.

During this process, the switch can apply access control to all packets it switches, including packets bridged within a VLAN.
VACLs impose access control on packets entering a VLAN. Standard and extended IOS ACLs, by contrast, are a packet classification mechanism used to filter packets that enter and leave router interfaces.
You can create VACLs for filtering packets that belong to the IP and MAC protocols.
ACL Manager also allows you to apply VACLs on Private VLANs.
Using ACL Manager you can do the same operations on VACLs that you can do
on ACLs. For example you can:

Edit VACLs (see Editing ACLs)

Save VACLs as Templates (see Deleting ACLs)

Delete VACLs (see Deleting ACLs)

Manipulate VACEs (see Manipulating ACEs)

Edit VACEs (see Editing VACEs)

Save VACEs as a Template (see Saving ACEs as a Template)

View the Configuration Changes (see Viewing the Configuration Changes)

Optimize the VACL (see Optimizing the ACL)

Mark the VACL for download (see Marking ACLs for Download)

Print the VACL/VACE (see Printing the ACL/ACE)


Editing VACEs
Use the ACE Editor to edit an ACE. ACEs are contained within ACLs. To edit an
ACE, you should first check out the ACL to which it belongs. See Chapter 10,
Checking Out Entities.
The ACE Editor performs a check for the validity of DNS hostnames that you
enter and displays an error message if the syntax is incorrect.
For the procedure on using the ACE Editor, and other details, see Editing ACEs.
The format of the ACE Editor dialog box and attributes that can be edited depend
on the CatOS ACL protocol type, as described in these sections:

Editing IP VACE Attributes

Editing MAC VACE Attributes

Editing IP VACE Attributes


To edit IP VACE attributes, select a VACE that belongs to an IP VACL, then start
the ACE Editor on this VACE.
There are three tabbed sections, each with a different format, as described in these
topics:

Editing IP General Attributes

Editing IP Advanced Attributes

Editing IP Other Attributes

On switches running Cat OS 6.1 or higher, with Supervisor Engine II and PFC II,
in the IP VACL that you create, the first IP VACE, by default, is permit arp.
The attributes of an ARP VACE are:

  You can change the permission to Permit or Deny.
  You cannot re-order the ARP VACE.
  You cannot cut, copy, paste, or delete the ARP VACE.

  You cannot save the following as templates:
    An IP VACL containing an ARP VACE.
    An ARP VACE.
    A set of VACEs containing an ARP VACE.
  When you apply a VACL IP Template on a VLAN, an ARP VACE is embedded as the first VACE in the VACL that is created.
  You cannot check in a VACL if it contains only an ARP VACE. You must create another VACE to be able to check in the VACL successfully.

On switches running Cat OS 6.2 or higher, with Supervisor Engine II and PFC II, you can also enable logging for an ARP VACE, but only with the Deny permission.
On switches running Cat OS 7.6, ARP Inspection IP VACEs are supported.
The attributes of an ARP Inspection VACE are:

  ARP Inspection VACEs must appear before IP VACEs.
  You cannot have more than 32 ARP Inspection VACEs in an ACL.

Editing IP General Attributes


Click the General tab to display the IP General attributes that can be edited (see
Figure 4-19). The VACE being edited appears above the Expand button.


Figure 4-19 ACE Editor Dialog Box: IP General

You can edit the fields as follows:

Protocol: Drop-down list box that allows you to select from various protocols, such as TCP, IP, ICMP, IGMP. You can also enter a protocol name or number (0-255).

Permission: Radio button that determines whether the VACE is a permit, deny, or redirect statement. If you choose to redirect to ports, select Redirect to Port and enter the port information, for example, 2/2.

Capture Option: Allows you to capture the packets that are switched normally. This field is optional. You must also select Permit. You should set up the capture ports separately, using the command line interface of the device.

Log Options: Allows you to log packets that match this ACE.


Variable: An ACE Editor can be invoked to:
  Specify variables in a variable template.
  Specify values for the variables in a variable template instance.
  Add or edit a VACE in a static template.
  Add or edit a VACE in a VACL.
The Variable checkbox in this tab of the ACE Editor applies to the Source Address and Destination Address fields:
  If the Variable checkbox is enabled, the ACE Editor has been invoked for a variable template. By selecting the Variable checkbox, you can either specify the variables for the Source Address and Destination Address fields, or select existing variables from the drop-down list boxes for those fields.
  If the Variable checkbox is disabled and checked, the ACE Editor has been invoked for a variable template instance, and you can specify the values for the Source Address and Destination Address fields.
  If the Variable checkbox is disabled and not checked, the ACE Editor has been invoked either for a VACE in a static template or to add a VACE into a VACL, and you can specify the values for the Source Address and Destination Address fields.

Source Address: Defines the source address in the VACE. The keyword any is allowed. This field is mandatory. Enter the address or select an existing network or network class (see Specifying Source and Destination Addresses).

Source Wildcard Mask: Defines the wildcard mask for the source address. This field is optional.

MAC Address: This field is enabled when you select an ARP Inspection VACE. Enter the MAC address.


Destination Address: Defines the destination address in the VACE. The keyword any is allowed. This field is mandatory if the permission is redirect, if you select the capture option, or if you do not select IP as the protocol. Enter the address, or select an existing network or network class (see Specifying Source and Destination Addresses).

Destination Wildcard Mask: Defines the wildcard mask for the destination address. This field is optional.

Destination Port: If you select TCP or UDP as the protocol, this field specifies the destination port for this VACE. The port relationship is assumed to be =.

Comment: You can add a comment about this VACE. The comments will appear in-line. This field is optional.


Editing IP Advanced Attributes


Click the Advanced tab to display the IP Advanced attributes that can be edited
(see Figure 4-20). The VACE being edited appears above the Expand button.
Figure 4-20 ACE Edit Dialog Box: IP Advanced


You can edit the fields as follows:

TCP flags: Select the Established checkbox to filter TCP packets that belong to an established TCP session.

Variable: An ACE Editor can be invoked to:
  Specify variables in a variable template.
  Specify values for the variables in a variable template instance.
  Add or edit a VACE in a static template.
  Add or edit a VACE in a VACL.
The Variable checkbox in this tab of the ACE Editor applies to the Source Port Operator and Destination Port Operator fields:
  If the Variable checkbox is enabled, the ACE Editor has been invoked for a variable template. By selecting the Variable checkbox, you can either specify the variables for the Source Port Operator and Destination Port Operator fields, or select existing variables from the drop-down list boxes for those fields.
  If the Variable checkbox is disabled and checked, the ACE Editor has been invoked for a variable template instance, and you can specify the values for the Source Port Operator and Destination Port Operator fields.
  If the Variable checkbox is disabled and not checked, the ACE Editor has been invoked either for a VACE in a static template or to add a VACE into a VACL, and you can specify the values for the Source Port Operator and Destination Port Operator fields.

Source Port Operator
    Select an operator from the drop-down list box to define the operation to be performed
    on the source:
    - eq (equal to)
    - neq (not equal to)
    - gt (greater than)
    - lt (less than)
    - range
    - none
    This field is available only if you have selected TCP or UDP as the protocol in the
    General tab. Only the eq operator is available if you select a Service Class.

Source Port Start
    Defines the source port or the start of a range of ports if you selected range as the
    relation. You can enter a port name or select a name from the drop-down list box.
    You can also click on the Start button to open the Service Class Selection dialog box, and
    select a Service Class (see Specifying Source and Destination Addresses).

Source Port End
    Applies only if the source operator is range. You can enter a port name or select a name
    from the drop-down list box.

Destination Port Operator
    Select an operator from the drop-down list box to define the operation to be performed
    on the destination:
    - eq (equal to)
    - neq (not equal to)
    - gt (greater than)
    - lt (less than)
    - range
    - none
    This field is available only if you have selected TCP or UDP as the protocol in the
    General tab. Only the eq operator is available if you select a Service Class.


Destination Port Start
    Defines the destination port or the start of a range of ports if you selected range as the
    relation. You can enter a port name or select a name from the drop-down list box. You
    can also click on the Start button to open the Service Class Selection dialog box, and
    select a Service Class (see Specifying Source and Destination Addresses).

Destination Port End
    Applies only if the destination operator is range. You can enter a port name or select a
    name from the drop-down list box.

ICMP Type
    ICMP packets can be filtered by message type (a number in the range 0 to 255). This field
    is optional.

ICMP Code
    ICMP packets that are filtered by message type can also be matched by the message code
    (a number in the range 0 to 255). This field is optional.

ICMP Message
    ICMP packets can be filtered by a message name, or message type and code name. Select
    the message name from the list displayed in the drop-down list box. This field is optional.

IGMP Type
    IGMP packets can be filtered by message type (a number in the range 0 to 15 or a
    message name in the drop-down list box). This field is optional.

Editing IP Other Attributes


Click the Other tab to display the IP Other attributes that can be edited (see
Figure 4-21). The VACE being edited appears in the window above the Expand
button.


Figure 4-21 ACE Editor Dialog Box: IP Other

You can edit the fields as follows:

Precedence
    Packets can be filtered by precedence level, as specified by a number in the range 0 to
    7, or by name. You can also select a name from the drop-down list box.

TOS
    Packets can be filtered by type of service level, as specified by a number in the range
    0 to 15, or by name. You can also select a name from the drop-down list box.

Editing MAC VACE Attributes


Select a MAC VACE and open the ACE Editor to display the attributes that can
be edited (see Figure 4-22). The VACE being edited appears above the Expand
button.


Figure 4-22 ACE Editor Dialog Box: MAC

You can edit the fields as follows:

Permission
    Radio button that determines whether the VACE is a permit or deny statement.

Capture Option
    Select the checkbox to ensure packets are switched normally and captured. This field is
    optional. permit must also be selected.

Source Address
    Defines the source address. This field is mandatory.

Source Mask
    Defines the wildcard mask to be applied to the source address. This field is optional.

Destination Address
    Defines the destination address. This field is mandatory.


Destination Mask
    Defines the wildcard mask to be applied to the destination address. This field is optional.

Ethertype
    Name or number that matches the ethertype for Ethernet-encapsulated packets. This
    field is optional.

Creating Object Groups for PIX ACLs


ACL Manager allows you to create object groups and use them within ACL
statements on PIX devices.
You can use these types of object groups:

Network object group

Protocol object group

Service object group

ICMP Types object group

You can include an object group as a member of another object group to create
nested object groups. ACL Manager does not allow cyclic nesting.
To create an object group:

Procedure
Step 1

In the ACL Manager Main Window, select the ACL Devices folder.

Note
Make sure that the Devices folder contains a PIX device.

Step 2

Select the PIX device and expand the Devices folder.
The folder displays the four object group types.

Step 3

Right-click on the required object group in the Devices folder and select New
Object Group, to create an object group.
For example, to create a new ICMP-type object group, right-click on ICMP-Type
Object Groups.


The Object Group Editor appears (see Figure 4-23).


Figure 4-23 Object Group Editor

Step 4

Enter a name and a description for the object group you are creating.

Step 5

Specify the other values depending on the type of object group you are creating.

For ICMP-Type object groups, select the ICMP type from the drop-down box.

For Network object groups, enter the network address and mask.

Note
While specifying wildcard masks for PIX, use the IOS inverted mask
notation. ACL Manager will automatically convert it into the PIX notation
prior to download.

For Protocol object groups, select the protocol type from the drop-down box.

For Service object groups, select the protocol type, operator, and the Start
value of the port object.

Step 6

If you have checked in previously created object groups of the same type, they
appear in the Group Objects list. Select a group object if you want to create a
nested object group.


Step 7

Click Add.

Step 8

Click OK.
The new object group appears in the Devices folder.
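The Note in Step 5 says that wildcard masks are entered in IOS inverted notation and converted to PIX notation before download. As an added example (not ACL Manager's own code), this Python snippet performs that conversion on constructed values and adds a contiguity check of its own: an IOS wildcard may have scattered bits, but a PIX netmask must be a contiguous run of ones, so such a wildcard has no PIX equivalent.

```python
"""IOS wildcard (inverted) mask to PIX netmask conversion.

Added example with constructed values, not ACL Manager's own code. The
contiguity check is this example's own safeguard.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_to_netmask(wildcard: str) -> str:
    """Return the PIX netmask for an IOS wildcard mask, or raise ValueError.

    Inverting every bit of the wildcard gives the netmask. The result is a
    legal netmask only if the wildcard has the form 0...01...1, which holds
    exactly when wildcard + 1 is a power of two (all-zero and all-one
    wildcards included).
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"wildcard {wildcard} is non-contiguous; no PIX netmask equivalent")
    return str(ipaddress.IPv4Address(w ^ ALL_ONES))


def netmask_to_wildcard(netmask: str) -> str:
    """Inverse direction, for reading a PIX entry back into IOS notation."""
    m = int(ipaddress.IPv4Address(netmask))
    w = m ^ ALL_ONES
    if (w + 1) & w:
        raise ValueError(f"netmask {netmask} is not a contiguous netmask")
    return str(ipaddress.IPv4Address(w))


def is_convertible(wildcard: str) -> bool:
    """True if the wildcard can be expressed as a PIX netmask."""
    try:
        wildcard_to_netmask(wildcard)
        return True
    except ValueError:
        return False


def ios_to_pix(address: str, wildcard: str) -> str:
    """Rewrite an IOS 'address wildcard' pair as a PIX 'address netmask' pair.

    strict=False clears any host bits set in the address; IOS ignores them,
    but they would otherwise be carried into the PIX entry unchanged.
    """
    netmask = wildcard_to_netmask(wildcard)
    net = ipaddress.IPv4Network((address, netmask), strict=False)
    return f"{net.network_address} {net.netmask}"


if __name__ == "__main__":
    # Constructed sample network object-group members in IOS notation.
    samples = [("10.1.2.0", "0.0.0.255"), ("172.16.0.0", "0.0.255.255"),
               ("192.0.2.7", "0.0.0.0"), ("10.1.2.0", "0.0.0.254")]
    for addr, wc in samples:
        try:
            print(f"{addr} {wc}  ->  {ios_to_pix(addr, wc)}")
        except ValueError as exc:
            print(f"{addr} {wc}  ->  rejected: {exc}")
```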


Chapter 5

Using the Class Manager


The Class Manager enables you to lessen the time-consuming task of defining
individual ACEs and to improve the consistency of the ACEs. These topics
describe the Class Manager and how it works:

Class Manager Overview

Starting the Class Manager

Using Services and Service Classes

Using Network Classes

Using the Class Manager: Example

Class Manager Overview


You can use the Class Manager to define network classes, services, and service
classes. These can be used within ACEs, in an ACL, or a template.
For example, suppose you use the Class Manager to define a network class called
users, consisting of the IP address ranges and hostnames of the host machines
belonging to a set of users, and another network class called fileservers,
consisting of IP address ranges and hostnames for a set of server machines.
You can now use the ACE Editor in ACL Manager to create a single statement that
replaces the multiple statements that would otherwise be necessary to achieve the
same effect:
permit tcp ftp from @/users to @/fileservers


Similarly, if you create a network class called Engineering_Hosts, containing the
host machines Eng1, Eng2, and Eng3 and another network class called
Marketing_Hosts, containing the host machines Mkt1 and Mkt2, you could now
create the ACE:
permit ip from @/Engineering_Hosts to @/Marketing_Hosts

In IOS, this single statement translates into the equivalent of the following six
statements:
permit ip from host Eng1 to Mkt1
permit ip from host Eng1 to Mkt2
permit ip from host Eng2 to Mkt1
permit ip from host Eng2 to Mkt2
permit ip from host Eng3 to Mkt1
permit ip from host Eng3 to Mkt2

You can also use Class Manager to create named TCP or UDP ports or port ranges
(service classes) for use in ACEs.

Class Manager Editors


There are two Class Manager editors:

Network Class Editor

Service Class Editor

The Class Manager editors allow you to create the appropriate Class Manager
entities. Some services are predefined and cannot be modified. However, you can
create a service class consisting of one or more predefined services or port ranges
(see Creating a Service Class).
Similarly, you can create a network class (see Creating a Network Class) using
a range of IP addresses, DNS host names, networks, and other network classes.


Starting the Class Manager


You need to start the Class Manager before creating or editing network classes and
service classes.
To open the Class Manager window:

Select ACL Manager > Edit Class Definition from the CiscoWorks desktop.
Or

Select Tools > Class Manager from the ACL Manager Main Window.

The Class Manager window appears (see Figure 5-1).

Tip
You can open the Class Manager window from the Template Manager Tools
menu.

Figure 5-1 Class Manager Window


Using the Class Manager Toolbar


The icons specific to the Class Manager toolbar are:

New Service Class: Opens a dialog box to create a new service class.

New Network Class: Opens a dialog box to create a new network class.

Creating and Inserting Class Folders


You can create or insert new folders under the service class root or network class
root folder, or under an existing folder.

Procedure
Step 1

Select the service class or network class root folders, or any other folder within
these (see Figure 5-1).

Step 2

Select File > New Folder.


The New Folder dialog box appears (see Figure 5-2).

Figure 5-2 New Folder Dialog Box

Step 3

Enter the name for the new folder.
If required, you can also enter your comments in the Comments field.


Step 4

Click OK.
The new folder is created.

Using Services and Service Classes


The ACL Manager maintains a list of names of well-known TCP and UDP port
numbers. These are present under the Services folder in the Class Manager
window.
You can reduce the complexity of setting up ACLs by creating service classes.
Service classes comprise sets of TCP or UDP ports or port ranges. These classes
are used in an ACL or ACL template, or within other classes, to reduce the
time-consuming task of defining individual ACEs for a given set of services or
sockets.

Workflow for Using Service Classes


This is the workflow for using a service class:

Procedure
Step 1

Create a service class (see Creating a Service Class).

Step 2

Check the service class in (see Chapter 10, Checking In Entities).


The service class is checked in immediately if Change Approval has not been set.
If Change Approval has been set for service classes, it remains in a pending state
until approved.

Step 3

Set a Master Version (see Marking a Master Version of a Class).

Step 4

Use the service class in an ACL or in a template (see Chapter 4 Specifying
Source and Destination Addresses).

Step 5

Download the ACL that contains your class, to a device (see Chapter 15
Scheduling and Downloading).


If the download is successful, a Device Use (DU) is created, and it appears within
your service class. You can monitor a Use, using the Class Manager window (see
Identifying Class Uses).
If the download is not successful, a Use is not created for the class. The Job
Browser displays the status of the download.
Reschedule the download after determining why the download was unsuccessful
(see Chapter 15 What to Do if Your Download Fails).

Creating a Service Class


Use this procedure to create a new service class from the Class Manager window.
To edit an existing service class, refer to Editing a Service Class.
After creating a service class, you should check it in (see Chapter 10, Checking
In Entities).

Procedure
Step 1

Select the Service Classes folder in the left pane, or navigate to a required folder
within it.

Step 2

Click on the New Service Class icon.


The Service Class Editor dialog box appears (see Figure 5-3).


Figure 5-3 Service Class Editor Dialog Box

Step 3

Set the appropriate fields, as follows:

Name
    Name of the service class.

Protocol
    Protocol for the service; either TCP or UDP.

Port Range
    Defines a range (lowest and highest) of port addresses to be added to the service class.

Services
    Lists all pre-defined services that can be added to this service class.

Classes/Services/Ranges
    Shows the services and port ranges that have been added to this service class.


When setting the above fields, you can:

Click Add to add a field from a left pane to a right pane.

Click Remove to remove a field from the right pane.

Step 4

Click OK to apply the changes.

Editing a Service Class


Use this procedure to edit an existing service class from the Class Manager
window. To create a new service class, see Creating a Service Class.
To be able to edit a service class, you should first check it out (see Chapter 10,
Checking Out Entities).

Procedure
Step 1

Select the Service Class folder in the left pane (see Figure 5-1).
The service classes appear in the right pane.

Step 2

Right-click on the service class to be edited, then select Edit.


The Service Class Editor dialog box appears (see Figure 5-3).

Step 3

Make your changes, then click OK.

Using Network Classes


A network class is defined by a collection of hosts, address ranges (low and high),
and nested network classes. You can perform these operations on network classes:

Creating a Network Class

Editing a Network Class


Workflow for Using Network Classes


This is the workflow for using a network class:

Procedure
Step 1

Create a network class (see Creating a Network Class).

Step 2

Check the network class in (see Chapter 10, Checking In Entities).


The network class is checked in immediately if Change Approval has not been set.
If Change Approval has been set for network classes, it remains in a pending state
until approved.

Step 3

Specify the Master Version (see Marking a Master Version of a Class).

Step 4

Use the network class in an ACL or in a template (see Chapter 4 Specifying
Source and Destination Addresses).
or
Use the network class in another network class (see Creating a Network Class).

Step 5

Download the ACL that uses your network class, to a device (see Chapter 15
Scheduling and Downloading).
If the download is successful, a Device Use (DU) is created and appears within
your network class. You can monitor a Use, using the Class Manager window (see
Identifying Class Uses).
If the download is not successful, a Use is not created for the class. The Job
Browser displays the status of the download.
Reschedule the download after determining why the download was unsuccessful
(see Chapter 15 What to Do if Your Download Fails).


Creating a Network Class


Use this procedure to create a new network class from the Class Manager window.
To edit an existing network class definition, see Editing a Network Class.
You can also use this dialog box to add network classes within your network class.
After creating a network class, you should check it in (see Chapter 10, Checking
In Entities).

Procedure
Step 1

Select the Network Classes folder in the left pane (see Figure 5-1), or navigate to
a required folder within it.

Step 2

Click on the New Network Class icon.


The Network Class Editor dialog box appears (see Figure 5-4).


Figure 5-4 Network Class Editor Dialog Box

Step 3

Set the appropriate fields, as follows:

Name
    Network class name.

Hosts
    Name of a host to be added to the network class.

Address Range
    Defines a range of IP addresses to be added to the network class.

Network Classes
    Lists all selected network classes that have been added to this network class.

Hosts/Address Ranges
    Shows the hosts and address ranges that have been added so far in this network class.

When setting the above hosts and address ranges, you can:

Click Add to add a field from a left pane to a right pane.

Click Remove to remove a field from the right pane.


If you want to include other network classes in your network class, click Add
Network Class.
The Network Class Selection dialog box opens (see Figure 5-5).

Figure 5-5 Network Class Selection Dialog Box

For the procedure to use this dialog box, see Chapter 4 Specifying Source and
Destination Addresses.
Step 4

Click OK to apply the changes and close the Network Class Editor.


Editing a Network Class


Use this procedure to edit an existing network class from the Class Manager
window.
To be able to edit a network class, you should first check it out (see Chapter 10,
Checking Out Entities).
To edit a Network Class:

Procedure
Step 1

Select the Network Class folder in the left pane (see Figure 5-1).
The network classes appear in the right pane.

Step 2

Right-click on the network class to be edited, then select Edit.


The Network Class Editor dialog box appears (see Figure 5-4).

Step 3

Make your changes and click OK.

Marking a Master Version of a Class


After you check in a service class or a network class, you should set one of its
versions as a Master Version.
When you set a specific version of a service class or a network class as its Master
Version, you indicate that it is the preferred version for use. You can see only the
Master Versions of all existing classes, in the Class Manager window.


To set the Master Version of a service class or a network class:

Procedure
Step 1

Select the service class or a network class from its folder.


If the version you want to set as a Master Version is not currently visible in the
Class Manager, select Version > Version Graph from the main menu of the Class
Manager window.
The Version Graph window appears. For more details, see the topic Viewing the
Version Graph of an Entity in Chapter 10, Versioning ACL Manager Entities.
You can select the required version there.

Step 2

Click Get.
The selected version appears in the Class Manager window.

Step 3

Right-click on the required service class or a network class in the Class Manager
window and select Set Master Version from the pop-up menu.
The Master Version is set and is indicated by a red arrow against the class icon.
The service class or network class Use entries that do not include the current
Master Version become invalid. To make the class Uses valid again, see Handling
Invalid Class Uses.

Identifying Class Uses


You can use the Class Manager to:

Identify device and template uses for service classes (see Identifying Service
Class Uses).

Identify device, template and nested uses for network classes (see
Identifying Network Class Uses).


Identifying Service Class Uses


A Service Class Device Use (DU) is created when a service class included in an
ACL, is successfully downloaded to a device. A DU helps track modifications to
the service class or to the ACL that contains it.
A Service Class Template Use (TU) is created when a template includes your
service class.
A Service Class Policy Use (PU) is created when a policy includes your service
class.
Use the Class Manager to identify the devices, templates and policies, that use a
specific service class:

Procedure
Step 1

From the ACL Manager Main Window, select Tools > Class Manager.
The Class Manager window appears.

Step 2

Expand the Service Classes folder to show all service classes.

Step 3

To see the Service Class Device Uses, expand the required service class and select
Service Class Device Uses.
The devices and ACLs using this service class, appear in the right pane (see
Figure 5-6). This dialog box displays the Service Classes Device Uses columns in
the right pane.


Figure 5-6 Viewing Devices That Use Service Classes

The Service Class Device Uses columns are:

Device
    Device to which the service class has been applied.

ACL Name
    Number or name of the ACL using the service class on this device.

ACL Version
    Version of the ACL that has the service class.

Service Class Instance Valid
    Validity of the service class. Shows whether the current service class contents have
    changed since the last download of this ACL to the device.
    To make the invalid service class use valid, see Handling Invalid Class Uses.

To see the service class Template Uses, expand the required service class, then
select Service Class Template Uses.
The templates using this service class appear in the right pane.


The Service Class Template Uses columns are:

Template Name
    Name of the template in which this service class has been included.

Template Version
    Version of the template that uses this service class.

Service Class Instance Valid
    Validity of the service class. Shows whether the current service class contents have
    changed since the last usage of the service class in the template.
    To make the invalid service class use valid, see Handling Invalid Class Uses.

To see the Service Class Policy Uses, expand the required service class, then
select Service Class Policy Uses.
The policies using this service class appear in the right pane.
The Service Class Policy Uses columns are:

Policy Name
    Name of the policy in which this service class has been included.

Policy Version
    Version of the policy that uses this service class.

Service Class Instance Valid
    Validity of the service class. Shows whether the current service class contents have
    changed since the last usage of the service class in the policy.
    To make the invalid service class Use valid, see Handling Invalid Class Uses.


Identifying Network Class Uses


A Network Class Device Use (DU) is created when a network class included in an
ACL, is successfully downloaded to a device. A DU helps track modifications to
the network class or the ACL that contains it.
A Network Class Template Use (TU) is created when a template includes your
network class.
A Network Class Nested Use (NU) is created when your network class has been
included in another network class.
A Network Class Policy Use (PU) is created when a policy includes your network
class.
Use the Class Manager to identify the devices, the templates, the other network
classes and the policies that use a specific network class:

Procedure
Step 1

From the ACL Manager Main Window, select Tools > Class Manager.
The Class Manager window appears.

Step 2

Expand the Network Classes folder to show all network classes.

Step 3

To see the Network Class Device Uses, expand the required network class and
select Network Class Device Uses.
The devices and ACLs using this network class, appear in the right pane (see
Figure 5-7). This dialog box displays the Network Classes Device Uses columns
in the right pane.


Figure 5-7 Viewing Devices That Use Network Class

The Network Class Device Uses columns are:

Device
    Device to which the network class has been applied.

ACL Name
    Number or name of the ACL using the network class on this device.

ACL Version
    Version of the ACL that has the network class.

Network Class Instance Valid
    Validity of the network class. Shows whether the current network class contents have
    changed since the last download of this ACL to the device.
    To make the invalid network class use valid, see Handling Invalid Class Uses.

To see the Network Class Template Uses, expand the required network class, then
select Network Class Template Uses.
The templates using this network class appear in the right pane.


The Network Class Template Uses columns are:

Template Name
    Name of the template in which this network class has been included.

Template Version
    Version of the template that uses this network class.

Network Class Instance Valid
    Validity of the network class. Shows whether the current network class contents have
    changed since the last usage of the network class in the template.
    To make the invalid network class use valid, see Handling Invalid Class Uses.

To see the Network Class Nested Uses, expand the required network class, then
select Network Class Nested Uses.
The network classes that include this network class appear in the right pane.
The Network Class Nested Uses columns are:

Network Class Name
    Name of the network class in which this network class has been included.

Network Class Version
    Version of the network class that uses the network class for which this Use has been
    created.

Network Class Instance Valid
    Validity of the network class. Shows whether the current network class contents have
    changed since the last usage of the network class in the enclosing network class.
    To make the invalid network class use valid, see Handling Invalid Class Uses.

To see the Network Class Policy Uses, expand the required network class, then
select Network Class Policy Uses.
The policies using this network class appear in the right pane.


The Network Class Policy Uses columns are:

Policy Name
    Name of the policy in which this network class has been included.

Policy Version
    Version of the policy that uses this network class.

Network Class Instance Valid
    Validity of the network class. Shows whether the current network class contents have
    changed since the last usage of the network class in the policy.
    To make the invalid network class use valid, see Handling Invalid Class Uses.

Handling Invalid Class Uses


A Device Use (DU) or a Template Use (TU) of a class becomes invalid if you
change the Master Version of the service class or network class used by an ACL
or a template.
Network Class Nested Use (NU) of a class becomes invalid if you change the
Master Version of the network class.
When a Use becomes invalid, an e-mail notification is sent to the creator of the
latest version of the class.
To make an invalid Use valid:

Procedure
Step 1

Select the invalid DU or TU for the service class or network class, or the NU for
the network class.

Step 2

Right-click on the invalid Uses that you have selected, and select Bulk Update
from the pop-up menu.
The Bulk Update dialog box appears (see Figure 5-8).


Figure 5-8 Bulk Update Dialog Box

Entity
    Selected device, template or nested network class use.

Operation Status
    Status of the operation, either success or failure.

Description
    Description of the status of the entity. For example, Could not check out, Pending for
    approval, Checked in as ver:xx.

In the case of a Device Use for a service class or a network class, after the bulk
update process completes, the ACL, which is updated and in a checked-in state,
appears in the My Changes folder.
If you want to go to the device context of the ACL:
Open the My Changes folder, select the ACL and select Explore. This takes you
to the device context, and highlights the ACL. You can now download the ACL to
the device. After the download is successful, the Use becomes valid again.

Note

When you select Explore, even if the required device has been deleted
from the Devices folder, ACL Manager adds the device, and displays the
ACL in the context of the device.

If the bulk update occurs on an ACL that is not the latest available version, the
Bulk Update dialog box displays a message that you need to perform a merge. The
ACL appears in a checked-out state in your My Changes folder.


If you want to go to the device context of the ACL, open the My Changes folder,
select the ACL and select Explore. This takes you to the device context, and
highlights the ACL. You can do a merge, check in the ACL, and download it to
the device to make the device Use valid.
If the bulk update happens on an ACL that is exclusively checked out by another
user, the Bulk Update dialog box displays a message that the update has failed.
The ACL appears as a previously saved version in the My Changes folder, and this
version would not have the bulk update changes.
In the case of a Template Use for a service class or a network class or a Network
Class Nested Use, after the bulk update process completes, the operation status is
displayed in the Bulk Update dialog box.
To get the latest version of the entity on to a device in your Devices folder, select
Versioning > Get Latest Version and set the latest version as the master version
(see Marking a Master Version of a Class).

Using the Class Manager: Example


This example shows how to use Class Manager to create a complex ACL with one
logical ACE, but multiple physical ACEs.

Procedure
Step 1

Create a network class called MainDataCenter.

Step 2

Use the Network Class Editor to create another network class that contains all the
end host addresses of the workstations used in the group called USR-Finance.

Step 3

Create a service class called StandardServices, at the root folder, that includes the
desired range of services. For example: pop2, pop3, Telnet, ftp-data, ftp, and the port
range 1024 to 1034.

Step 4

Use ACL Manager, the ACE editor, and the Network/Class Selector to create one
logical ACE of the form:
permit tcp @/tcp%standardservice from @/Finance/USR-Finance to
@/Asia-Pac/MainDataCenter

This can be interpreted as permitting TCP traffic for all the 11 source addresses
specified in the class USR-Finance to the destination address specified by
MainDataCenter on the ports specified by the StandardServices.
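As an added illustration, not ACL Manager's own code, the following Python expands a logical ACE built from a network class and a service class into the physical ACEs a device would carry, so the line count hidden behind a single logical entry can be reviewed. The class names follow the example above; the member addresses, the destination prefix, and the port keyword table are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple, Union

# Added illustration, not ACL Manager's own code: it models how one logical ACE
# built from a network class and a service class expands into the physical ACEs
# that actually reach the device. Class contents and addresses are constructed.


@dataclass
class NetworkClass:
    name: str
    members: List[str]  # host addresses or CIDR prefixes


@dataclass
class ServiceClass:
    name: str
    services: List[Union[str, int, Tuple[int, int]]]  # keyword, number, or (low, high)


# IOS port keywords for the services named in the example (constructed table).
PORT_KEYWORDS = {"pop2": 109, "pop3": 110, "telnet": 23, "ftp-data": 20, "ftp": 21}


def _addr_term(entry: str) -> str:
    """Render a class member as an IOS extended-ACL address term."""
    net = ip_network(entry, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # IOS uses a wildcard mask


def _port_term(svc: Union[str, int, Tuple[int, int]]) -> str:
    """Render a service as an IOS destination-port term."""
    if isinstance(svc, tuple):
        low, high = svc
        return f"range {low} {high}"
    if isinstance(svc, str):
        if svc not in PORT_KEYWORDS:
            raise ValueError(f"unknown service keyword {svc!r}")
        return f"eq {svc}"
    return f"eq {svc}"


def expand_logical_ace(action: str, proto: str, src: NetworkClass,
                       dst: NetworkClass, svc: ServiceClass) -> List[str]:
    """Expand one logical ACE into the Cartesian product of its class members.

    One line per (source, destination, service) triple, in the order the classes
    list them, so the result can be diffed against a device's running ACL.
    """
    return [
        f"{action} {proto} {_addr_term(s)} {_addr_term(d)} {_port_term(p)}"
        for s in src.members
        for d in dst.members
        for p in svc.services
    ]


# Constructed sample matching the example: 11 finance workstations, one data
# center prefix, and the StandardServices service class.
USR_FINANCE = NetworkClass("USR-Finance", [f"10.20.30.{i}" for i in range(1, 12)])
MAIN_DATA_CENTER = NetworkClass("MainDataCenter", ["10.1.1.0/24"])
STANDARD_SERVICES = ServiceClass(
    "StandardServices", ["pop2", "pop3", "telnet", "ftp-data", "ftp", (1024, 1034)]
)

PHYSICAL_ACES = expand_logical_ace("permit", "tcp", USR_FINANCE, MAIN_DATA_CENTER,
                                   STANDARD_SERVICES)

if __name__ == "__main__":
    # The single logical ACE becomes 11 x 1 x 6 = 66 physical entries; that is the
    # line count a reviewer, and the device, actually has to absorb.
    print(f"{len(PHYSICAL_ACES)} physical ACEs")
    for line in PHYSICAL_ACES[:3] + ["..."] + PHYSICAL_ACES[-1:]:
        print(line)
```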

Chapter 6

Using the Template Manager


The Template Manager allows you to define and apply ACL policies for filtering
traffic.
You can use the Template Manager to create, modify, and use templates. After
they are created, templates are saved in a directory hierarchy.
You can create templates with entities that are static or variable. A static entity
within a template has values when you create it, but a variable entity does not. To
be able to use a template with variable entities, you should create an instance of
the variable template and assign values to the variables in that instance.
These topics describe the Template Manager and how it works:

Starting the Template Manager

The Workflow for Templates

Creating Templates

Marking a Master Version of a Template or an Instance

Editing an Existing Template

Using a Template in an ACL

Identifying Devices and Templates That Use an ACL Template

Saving Selected Template ACEs as a New Template

Viewing the Template Device Use Summary

Deleting a Template

Starting the Template Manager


This section explains how to start the Template Manager.

Procedure
Step 1

Select ACL Manager > Edit ACL Templates from the CiscoWorks desktop.
or
Select Tools > Template Manager from the ACL Manager Main Window.
The Template Manager window appears (see Figure 6-1).
Figure 6-1

Template Manager Window

The attributes of both the static and the variable template are displayed in the
right pane:

Field          Description
Name           Name of the template.
Version        Version of the template.
Template Type  Type of template: static or variable.
Protocol Type  IP, IP_EXTENDED, RATE_LIMIT_MAC, RATE_LIMIT_PRECEDENCE, VACL_IP,
               or VACL_MAC.

Using the Template Manager Toolbar


The icons specific to the Template Manager toolbar are:

New Template: Opens a dialog box to create a new template.

New Folder: Opens a dialog box to create a new template folder in the
template directory.

Static Templates and Variable Templates


Template Manager allows you to define two types of templates:

Static templates (see Creating a Static Template and Adding ACEs).


In a static template, the values for all the ACEs contained within it are
defined (that is, static).

Variable templates (see Creating a Variable Template and Adding ACEs).


In a variable template, at least one attribute of one or more of its ACEs is a
variable.
You can specify the following as variables within ACEs:
Source port
Destination port
Source address
Destination address

To be able to use a variable template, you should create an instance of the
template and assign values to all the variables in the ACEs within the template
(see Creating a Variable Template Instance and Assigning Values). An
instance of a template is a copy of the template with values assigned to all the
attributes of the ACEs within it.

The Workflow for Templates


These sections describe the workflow for templates:

Workflow for a Static Template

Workflow for a Variable Template

Workflow for a Static Template


This is the workflow for a static template:

Procedure
Step 1

Create a static template (see Creating a Static Template and Adding ACEs).

Step 2

Add ACEs or copy them from another template (see Creating a Static Template
and Adding ACEs).

Step 3

Check in the template (see Chapter 10, Checking In Entities).

The template is checked in immediately if Change Approval has not been set. If
Change Approval has been set for templates, the template remains in a pending
state until it is approved.

Step 4

Specify a master version (see Marking a Master Version of a Template or an
Instance).

Step 5

Use the template in an ACL (see Using a Template in an ACL).

Step 6

Download the ACL containing the template to a device (see Chapter 15,
Scheduling and Downloading).

If the download is successful, a Template Device Use (TDU) is created and
appears within your template folder. You can monitor a TDU using the
Template Manager main window (see Identifying Devices and Templates
That Use an ACL Template).

If the download is not successful, a TDU is not created. The Job Browser
displays the status of the download. Reschedule the download after
determining why the download was unsuccessful (see Chapter 15, What to
Do if Your Download Fails).

Workflow for a Variable Template


This is the workflow for a variable template:

Procedure
Step 1

Create a variable template (see Creating a Variable Template and Adding ACEs).

Step 2

Add ACEs and specify variables in the ACEs (see Creating a Variable Template
and Adding ACEs).

Step 3

Check in the template (see Chapter 10, Checking In Entities).

The template is checked in immediately if Change Approval has not been set.
If Change Approval has been set for templates, the template remains in a pending
state until it is approved.

Step 4

Specify a master version (see Marking a Master Version of a Template or an
Instance).

Step 5

Create an instance of the variable template (see Creating a Variable Template
Instance and Assigning Values).

Step 6

Check in the instance (see Chapter 10, Checking In Entities).

Step 7

Specify a master version for the instance (see Marking a Master Version of a
Template or an Instance).

Step 8

Use the template in an ACL (see Using a Template in an ACL).

Step 9

Download the ACL containing the template to a device (see Chapter 15,
Scheduling and Downloading).

If the download is successful, a Template Device Use (TDU) is created within
your template folder. You can monitor a TDU using the Template Manager
main window (see Identifying Devices and Templates That Use an ACL
Template).

If the download is not successful, a TDU is not created. The Job Browser
displays the status of the download. Reschedule the download after
determining why the download was unsuccessful (see Chapter 15, What to
Do if Your Download Fails).

Creating Templates
You can create these types of templates using Template Manager:

Static Templates (see Creating a Static Template and Adding ACEs).

Variable Templates (see Creating a Variable Template and Adding ACEs).

Creating a Static Template and Adding ACEs


Use this procedure to create a static template from the Template Manager window.
To edit an existing template, see Editing an Existing Template.
After you create your template, you should check it in (see Chapter 10,
Versioning ACL Manager Entities).

Procedure
Step 1

Select the Template root directory or the folder where you want the new template
to be located (see Figure 6-1). To create a new folder see Creating and Inserting
Template Folders.

Step 2

Click on the New Template icon in the toolbar.


The Template Editor dialog box appears (see Figure 6-2).

Figure 6-2

Template Editor Dialog Box

Step 3

Select Static Template.

Step 4

Select the ACE type.


The ACE type could be IP, IP_EXTENDED, RATE_LIMIT_MAC,
RATE_LIMIT_PRECEDENCE, VACL_IP, VACL_MAC, or PIX-IP.

Step 5

Enter a name for the template, in the Name field.

Step 6

Enter your comments on the new template, in the Comment field.

Step 7

Click OK.
The static template is created in the folder that you had selected.

Step 8

After the template is created, you can add new ACEs by:

Right-clicking on the template and selecting the New ACEs... option.

The ACE Editor for the ACE type selected in the template appears. For
details on using the ACE Editor, see Chapter 4, Editing ACEs.
or

Copying an ACE from another template and pasting it into the current
template.
The ACE is copied into your template only if it is of the same ACE type as
your template. If the ACE type does not match, it is not copied and you will
see an error message.

You can also:

Add other templates within your template (see Including Another Template
Within Your Template).

Save ACLs and ACEs as templates (see Chapter 4, Viewing and Editing
ACLs).

Edit templates (see Editing an Existing Template).

Creating a Variable Template and Adding ACEs


Use this procedure to create a variable template from the Template Manager
window. To edit an existing template, see Editing an Existing Template.
After you create your template, you should check it in (see Chapter 10,
Versioning ACL Manager Entities).

Procedure
Step 1

Select the Template root directory or the folder in which you want the new
template to be located (see Figure 6-1). To create a new folder see Creating and
Inserting Template Folders.

Step 2

Click on the New Template icon in the toolbar.

The Template Editor dialog box appears (see Figure 6-2).


Step 3

Select Variable Template.

Step 4

Select the ACE type.


The ACE type could be IP, IP_EXTENDED, VACL_IP, or PIX-IP.

Step 5

Enter a name for the template, in the Name field.

Step 6

Enter your comments on the new template in the Comment field.

Step 7

Click OK.
The variable template is created in the folder that you had selected.

Step 8

Add new ACEs after the template is created. To do this, right-click on the template
and select the New ACEs... option.
The ACE Editor appears for the ACE type you selected in the template.

Step 9

Select the Variable check-box to assign variables for the ACE attributes. At least
one value in one of the ACEs in the template should be a variable.
A variable can be any name of your choice. However, when you assign a value to
a variable, it represents that value in all its occurrences within that template.
After you create a variable, the variable type (Address variable or port variable)
is fixed. For example, if you create a variable in a source address, it can be reused
in any other address field, but not in a port field.
For more details on using the ACE Editor, see Chapter 4, Editing ACEs.

You can also:

Add other templates within your template (see Including Another Template
Within Your Template).

Edit templates (see Editing an Existing Template).

Creating a Variable Template Instance and Assigning Values


To be able to use a variable template, you should create an instance of the variable
template. An instance is a copy of the variable template, with values assigned to
the variables.
When you assign values to an instance, you cannot alter the existing static values
within the template. You can only assign values to the variables and enter your
comments. You are not allowed any other operation (such as editing or
re-ordering) on the ACE.
When you assign a value to a variable, all the ACEs within the template that
contain this variable take this value.
You do not need to enter values for all the variables at once. You can enter some
of the values and save the instance.
Before you create an instance of a variable template, you should check it in and
set a master version for the template (see Marking a Master Version of a
Template or an Instance). You will see an error if you create an instance of a
variable template before specifying its master version.
To create an instance for your variable template:

Procedure
Step 1

Navigate to your template folder and select the Instances folder within it, in the
Template Manager main window.

Step 2

Right-click on the folder and select New Instance.


The Instance Editor appears (see Figure 6-3).

Figure 6-3

Instance Editor Dialog Box

Step 3

Enter a name for the instance, in the Name field.

Step 4

Enter your comments on the instance in the Comment field.

Step 5

Click OK.
The variable template instance appears in the left pane of the Template Manager
main window as a writable entity. The variable and static ACEs from its parent
variable template appear in the right pane of the window.

To see the attributes of a static ACE, double-click it and the ACE Editor
opens. The attributes of the ACE appear, but are grayed out.

To assign values for the variable ACEs in the variable template instance,
double-click on a variable ACE.

The ACE Editor dialog box appears with editable fields for the variables.
Step 6

Enter the values for the variables.


You can check in and use the instance only after you have specified values for all
the variables in the instance.

After you create an instance, you should check it in (see Chapter 10, Versioning
ACL Manager Entities.)

Reconciling Instances of Variable Templates


The process of updating the instances of a variable template to reflect the current
changes to the variable template is called reconciliation. Whenever a variable
template is modified and its master version is changed, its instances should also
reflect the modifications. You can do this through reconciliation.
To reconcile the instances of a variable template:

Procedure
Step 1

Select the variable template that you want to reconcile.

Step 2

Right-click on the selected template and select Reconcile Instance(s), from the
pop-up menu.
Or
Select Template > Reconcile Instance(s) from the Template Manager main
menu.
The Reconcile Instance(s) dialog box appears.

Step 3

Select Check in Instances after reconciliation to check in the instances after
reconciliation.
If you select the option Check in Instances after reconciliation, the Set Master
Version option is also enabled. Select Set Master Version to set the master
version on the reconciled instances.

Step 4

Click OK.
The Reconcile Results dialog box appears.

The fields in this dialog box are:

Field             Description
Instance Name     Name of the instance.
Reconcile Status  Success or Failed.
Description       Description of the reconciliation status.
                  If the reconciliation status is Success, you will see one of
                  the following descriptions:
                  - Reconcile not required.
                  - Reconciled successfully. Master version is set to
                    Version Number.
                  - Reconciled successfully. User needs to check in.
                    (Shown if you had checked out the instance yourself, or
                    if you had not checked the option Check in Instances
                    after reconciliation in the Reconcile Instance(s)
                    dialog box.)
                  If the reconciliation status is Failed, you will see one of
                  the following descriptions:
                  - Exclusively checked out already. (If an instance is
                    exclusively checked out, a reconcile operation is not
                    possible.)
                  - Unresolved variables present in variable template
                    instance. Cannot check in until all variables are
                    resolved. (Resolve the variables in the instances and
                    then do a reconcile operation.)

If the creator of a master version of a template does a reconcile operation, all the
instances of that variable template will be reconciled provided they are:

Not exclusively checked out by another user.

Not in a newly created state.

After a reconcile operation, all the instances will be refreshed with the changes in
the master version of the variable template.

Step 5

Enter values for the new variables, if any (see Creating a Variable Template
Instance and Assigning Values) and check in the instance.
If you had not selected the option Set Master Version in the Reconcile Instance(s)
dialog box, you should also set the master version for the instance (see Marking
a Master Version of a Template or an Instance) after a reconcile operation.

Including Another Template Within Your Template


You can include other templates within your template.
In a static template or a variable template, you can include:

Another static template.

An instance of a variable template.

You cannot include:

A variable template within a static or a variable template. You can only
include an instance of a variable template.

A template within itself. For example, if you have created a template named
T1, you cannot include it within T1.

If your static template or your variable template instance has been included in
another template, then a Template Nested Use (TNU) is created (see Identifying
Devices and Templates That Use an ACL Template). A TNU is created
immediately after the master version is set for the template that uses your
template.

To include a template within another template:

Procedure
Step 1

Right-click on the template into which you want to include another template or a
variable template instance.

Step 2

Select Insert Template.


A template browser dialog box appears.

Step 3

Select the template or the variable template instance that you want to include and
click OK.
The inserted template appears in the template as a template-ACE.
You cannot include a variable template within another template. You should create
an instance of the variable template (see Creating a Variable Template Instance
and Assigning Values) and include that within your template.
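As an added illustration, not ACL Manager's own code, the following Python models the rules this chapter describes: a variable's type is fixed as address or port when it is created, an instance binds one value to every occurrence of a variable and cannot be checked in while any variable is unresolved, and inclusion rejects a variable template or a template nested within itself. The class and method names and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Set, Union

# Added illustration, not ACL Manager's own code: a small model of variable
# templates, instances, and the inclusion rules in this chapter. Class and
# method names are assumptions made for the illustration.

@dataclass(frozen=True)
class Variable:
    name: str
    kind: str  # "address" or "port"; fixed once the variable is created

Addr = Union[str, Variable]
Port = Union[int, Variable]

@dataclass(frozen=True)
class ACE:
    action: str
    proto: str
    src: Addr
    dst: Addr
    dst_port: Port

def new_ace(action: str, proto: str, src: Addr, dst: Addr, dst_port: Port) -> ACE:
    """Build an ACE, rejecting an address variable in a port field and vice versa."""
    for label, value, kind in (("src", src, "address"), ("dst", dst, "address"),
                               ("dst_port", dst_port, "port")):
        if isinstance(value, Variable) and value.kind != kind:
            raise TypeError(f"{value.name!r} is a {value.kind} variable; not usable as {label}")
    return ACE(action, proto, src, dst, dst_port)

@dataclass
class Template:
    name: str
    aces: List[ACE] = field(default_factory=list)
    nested: List["Template"] = field(default_factory=list)  # included template-ACEs

    def variables(self) -> Set[Variable]:
        """Every variable used by this template's own ACEs or its nested templates."""
        found = {a for ace in self.aces for a in (ace.src, ace.dst, ace.dst_port)
                 if isinstance(a, Variable)}
        for t in self.nested:
            found |= t.variables()
        return found

    @property
    def is_variable(self) -> bool:
        return bool(self.variables())

    def include(self, other: "Template") -> None:
        """Insert another template as a template-ACE, enforcing the chapter's rules."""
        if other is self:
            raise ValueError(f"template {self.name!r} cannot include itself")
        if other.is_variable:
            raise ValueError(f"{other.name!r} is a variable template; include an instance of it")
        self.nested.append(other)

@dataclass
class Instance:
    template: Template
    name: str
    values: Dict[str, Union[str, int]] = field(default_factory=dict)

    def assign(self, var_name: str, value: Union[str, int]) -> None:
        """Bind one variable; the value applies to every ACE that uses it."""
        by_name = {v.name: v for v in self.template.variables()}
        if var_name not in by_name:
            raise KeyError(f"{var_name!r} is not a variable of {self.template.name!r}")
        if by_name[var_name].kind == "address":
            ip_address(str(value))  # raises ValueError on a malformed address
        elif not (isinstance(value, int) and 0 <= value <= 65535):
            raise ValueError(f"port variable {var_name!r} needs a port number")
        self.values[var_name] = value

    def unresolved(self) -> Set[str]:
        return {v.name for v in self.template.variables()} - set(self.values)

    def check_in(self) -> Template:
        """Return the resolved copy; refused while any variable is unassigned."""
        missing = self.unresolved()
        if missing:
            raise ValueError(f"{self.name!r}: unresolved variables {sorted(missing)}")

        def bind(attr):
            return self.values[attr.name] if isinstance(attr, Variable) else attr

        resolved = [ACE(a.action, a.proto, bind(a.src), bind(a.dst), bind(a.dst_port))
                    for a in self.template.aces]
        return Template(self.name, resolved, list(self.template.nested))

# Constructed sample: one address variable reused in two ACEs, one port
# variable, and one fully static ACE.
BRANCH_NET = Variable("BRANCH_NET", "address")
MGMT_PORT = Variable("MGMT_PORT", "port")
REMOTE_ACCESS = Template("RemoteAccess", [
    new_ace("permit", "tcp", BRANCH_NET, "10.0.0.10", MGMT_PORT),
    new_ace("permit", "tcp", BRANCH_NET, "10.0.0.20", MGMT_PORT),
    new_ace("deny", "tcp", "any", "10.0.0.10", 23),
])
```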

Marking a Master Version of a Template or an Instance

After you check in a static template, a variable template, or a variable template
instance, you should set one of its versions as a Master Version.
When you set a specific version of a template or an instance as a master version,
you indicate that it is the preferred version for use. You can see only the master
versions of all existing templates in the Template Manager main window.

To set the master version of a static template, a variable template, or a variable
template instance:

Procedure
Step 1

Select the template or the instance from its folder.
Or
Select Version > Version Graph from the main menu of the Template Manager
main window. Do this if the version you want to set as a master version is not
currently visible in the Template Manager.
The Version Graph window appears.

Step 2

Select the required version and click Get.


The selected version appears in the Template Manager main window.

Step 3

Right-click on the required template or instance in the Template Manager main
window and select Set Master Version from the pop-up menu.
The master version is set and a red arrow appears on the template or instance icon.

Note

In the case of a variable template instance, if the selected version is not
derived from the current master version of the variable template, you will
see an error message when you try to set the Master Version.

Each time you reset the master version of a variable template, all its instances
become invalid. To make the instances valid again, see Reconciling Instances of
Variable Templates.
Template use entries that do not include the current master version of a static
template or a variable template instance become invalid. To make them valid
again, see .

Editing an Existing Template


To edit an existing template from the Template Manager main window:

Procedure
Step 1

Expand the folder containing the template to edit.

Step 2

Right-click on the template, then select Edit.


The Template Editor dialog box appears (see Figure 6-2).

Step 3

Make your changes and click OK.


You can also insert a comment into a template's ACEs. See Appending a
Comment in Chapter 5, Using the Class Manager.

Editing the Contents of a Template


To edit the contents of a template, see Manipulating ACEs in Chapter 4,
Viewing and Editing ACLs.
To be able to edit the contents of a template, you should check it out first (see
Chapter 10, Checking Out Entities).

Creating and Inserting Template Folders


You can create or insert new folders under the Template root directory or under an
existing folder.
To create and insert template folders:

Procedure
Step 1

Select the Template root directory or the folder where you want the new folder to
be located (see Figure 6-1).

Step 2

Click on the New Folder icon in the Template Manager toolbar.
or
Select File > New Folder.
The New Folder dialog box appears (see Figure 6-4).
Figure 6-4

New Folder Dialog Box

Step 3

Enter the name for the new folder.
If required, you can also enter your comments in the Comments field.

Step 4

Click OK.
The new folder is created.

Using a Template in an ACL


A template is a logical entity that has to be included in an ACL and downloaded
to the device.
To include a template in an ACL:

Procedure
Step 1

From the Devices folder in the ACL Manager Main Window, select the required
device.

Step 2

From the ACL Uses folder, select the ACL in which you want to include a static
template or an instance of a variable template.

Step 3

Check the ACL out (see Chapter 10 Checking Out Entities).

Step 4

Right-click on the checked out ACL and select Include Template... from the
pop-up menu.
The Template Selection dialog box appears.

Step 5

Select the static template or the variable template instance, that you want to
include in the ACL.
You can see or include only those templates where the master version has been set.
If you want to see the contents of the static template or the variable template
instance before including it in the ACL, click Expand... in the Template Selection
dialog box.

Step 6

Click OK after you select the static template or the variable template instance.

Step 7

Check in the ACL (see Chapter 10, Checking In Entities).

Step 8

After you include the static template or the variable template instance in the ACL,
download it to the required devices (see Chapter 15 Scheduling Downloads).

If the download is successful, a valid Template Device Use (TDU) is created
for the static template or the variable template instance (see Identifying
Devices and Templates That Use an ACL Template).

If the download is not successful, a TDU is not created. The Job Browser
displays the status of the download. Reschedule the download after
determining why the download was unsuccessful (see Chapter 15 What to
Do if Your Download Fails).

Whenever the master version of the static template or the variable template
instance changes, the TDUs and TNUs become invalid (see ). An e-mail
notification is sent to the creator of the latest version of the template or instance.

Identifying Devices and Templates That Use an ACL Template

A Template Device Use (TDU) is created when a template included in an ACL, is
successfully downloaded to a device. A TDU helps track modifications to the
template, variable template instance, or the ACL that contains the template.
Template Nested Use (TNU) is created when your static template or variable
template instance has been included in another template. The TNU appears
immediately after the Master version is set for the template that uses your
template.
Static templates and variable template instances can be included within other
templates (see Including Another Template Within Your Template). The
included templates are called nested templates, and their ACEs are called
Template ACEs.

To identify all devices or templates that use an ACL Template:

Procedure
Step 1

From the ACL Manager Main Window, select Tools > Template Manager.
The Template Manager window appears.

Step 2

Expand the template folder to show all templates, if necessary.

Step 3

To see the Template Device Uses, expand the required template, then select
Template Device Uses.
The devices and ACLs using this template appear in the right pane (see
Figure 6-5). This sample dialog box displays the Template Device Uses columns
in the right pane.
Figure 6-5

Viewing Devices That Use an ACL Template

The Template Device Use columns are:

Column                   Description
Device                   Device to which the template has been applied.
ACL Name                 Number or name of the ACL using the template on this
                         device.
ACL Version              Version of the ACL that has this template.
Template Instance Valid  Shows whether the current template contents have
                         changed since the last download of this ACL to the
                         device. To make an invalid template device Use valid,
                         see .

To see the Template Nested Uses, expand the required template, then select
Template Nested Uses.
The templates using this template appear in the right pane.
The Template Nested Use columns are:

Column                   Description
Template Name            Name of the template in which this template has been
                         included.
Template Version         Version of the template that is using the template for
                         which the use has been created.
Template Instance Valid  Validity of the template instance. Shows whether the
                         current template contents have changed since it was
                         included in the template. To make an invalid template
                         device Use valid, see .

Handling Invalid Template Device Uses and Template Nested Uses

A Template Device Use (TDU) becomes invalid if you change the master version
of the static template or the variable template instance, used by an ACL.
Template Nested Use (TNU) becomes invalid if you change the master version of
the static template or the variable template instance, used by a template.
To ensure that the ACL or the template has the current master version of the static
template or the variable template instance, and make the TDU or the TNU valid,
follow this procedure:

Procedure
Step 1

Select the invalid TDU or the TNU for the static template or the variable template
instance. You can select multiple TDUs or TNUs at a time.

Step 2

Right-click on the invalid TDUs, and select Bulk Update from the pop-up menu.
The Bulk Update dialog box appears (see Figure 6-6).
Or
Right-click on the invalid TNUs, and select Bulk Update from the pop-up menu.
The following message appears:
Do you want to bulk update nested hierarchy of selected entities and
set their master version?

If you click Yes in the message dialog box, all the nested TDUs and TNUs for
the selected TNU, will be updated and their master version will be set.

If you click No in the message dialog box, then only the selected TNU will
be updated. The master version will not be set after the update.

The Bulk Update dialog box appears (see Figure 6-6).

Figure 6-6

Bulk Update Dialog Box

The columns in the Bulk Update dialog box are:

Column            Description
Entity            Selected device or nested template use.
Operation Status  Status of the operation; either success or failure.
Description       Description of the status of the entity: Could not check
                  out, pending for approval, checked in as ver:xx.

In the case of a Template Device Use, after the bulk update process completes,
the ACL, which is updated and in a checked-in state, appears in the My Changes
folder.
You can open the My Changes folder, select the ACL and select Explore. This
takes you to the device context, and highlights the ACL. You can now download
the ACL to the device. After the download is successful, the use becomes valid
again.

Note

When you select Explore, even if the required device has been deleted
from the Devices folder, ACL Manager adds the device, and displays the
ACL in the context of the device.

If the bulk update happens on an ACL that is not the latest available version,
the Bulk Update dialog box displays a message that a merge is required.
The ACL appears in a checked-out state in your My Changes folder. You can
open the My Changes folder, select the ACL and select Explore. This takes
you to the device context, and highlights the ACL. You can do a merge, check
in the ACL, and download it to the device to make the device use valid.

If the bulk update happens on an ACL that is exclusively checked out by
another user, the Bulk Update dialog box displays a message that the update
has failed.
The ACL appears as a previously saved version in the My Changes folder, and
this version would not have the bulk update changes.

In the case of a Template Nested Use, after the bulk update process completes, the
operation status is displayed in the Bulk Update dialog box.
To get the latest version of the template on to a device in your Devices folder,
select Versioning > Get Latest Version and set the latest version as the master
version (see Marking a Master Version of a Template or an Instance).
If you want to download selected ACLs from the Bulk Update dialog box, click
Initiate Download.
The Job Download Wizard appears. To create a job definition and schedule a
download, or to immediately download the selected entities using the Job
Download Wizard, see Chapter 15, Scheduling and Downloading.
You can download only those ACLs that are in the checked-in state using the
Initiate Download button.

A Template Device Use is deleted if:

- The ACL is downloaded without the template.

- The ACL itself is deleted.

If the ACL version on the device is changed, but still contains the master version
of the template that it did in its earlier version, then the TDU gets updated to
display the higher version of the ACL on the device.


A Template Nested Use is deleted if:

- The template is included in an ACL and downloaded to a device, without your
  template.

- The template itself is deleted.

If the master version is changed for the template, but still contains your template,
then the TNU gets updated to display the higher version of the template.

Updating Logical Entities


You can update the logical entities for ACLs and templates, using ACL Manager.
The logical entities could be one or more of the following:

- Templates (static templates, variable template instances)

- Network and service classes

You can update only those logical entities that are in the checked out state. Logical
entities must have a master version before they can be used or updated in an ACL
or a template.


To update logical entities:

Procedure
Step 1

From the ACL Manager Main Window select the ACL for which the logical
entities need to be updated.
or
From the Template Manager window, select the template for which the logical
entities need to be updated.

Step 2

Right-click on the selected ACL or template, and select Update Logical Entities
from the pop-up menu.
or
Select Tools > Update Logical Entities.
The logical entities are updated.
If you select variable template instances, only those logical entities which
correspond to variables will be updated.

Step 3

Check in the ACL or template that contains the logical entities.
In the case of a template, you should set the master version.

Saving Selected Template ACEs as a New Template


You can save selected ACEs from a static template, or a variable template
instance, as a new template.
To save selected template ACEs as a new template:

Procedure
Step 1

From the Template Manager main window, select the static template or variable
template instance that contains the required ACEs.
The ACEs for your selection appear in the right pane.


Step 2

From the right pane select the required ACEs (contiguous or non-contiguous).

If you select even one ACE that has a variable in it, you must save the
template as a variable template.

You can only save ACE types that are not supported by variable templates as
static templates. Variable templates are supported for IP, IP Extended, VACL
IP and PIX ACL types. If you try to save unsupported ACE types (such as
Rate Limit) as a variable template, that option will be disabled for you.

Step 3

Right-click and select Save ACEs.
The Save As Template dialog box appears.

Step 4

Enter the name of the template and select an existing template folder to save the
new template.

Step 5

Click OK.

Step 6

The new template appears in the Template Manager window.

Viewing the Template Device Use Summary


You can view the Template Device Use (TDU) summary for any template. This
feature is especially useful in the case of variable templates, to enable you to see
the use details for all the instances of the template.
To view Template Device Use Summary:

Procedure
Step 1

Select a template from the Template Manager main window.

Step 2

Right-click and select Uses Summarization.
Or
Select Tools > Use Summarization.
The Template Uses Summarization dialog box appears.


The fields in the dialog box are:

Column             Description
Template/Instance  Name of the static template or variable template instance.
Master Version     Current master version for the static template or variable
                   template instance.
Device Name        Device that uses the ACL containing the static template or
                   variable template instance.
ACL Name           Name or number of the ACL that uses the static template or
                   variable template instance.
ACL Version        Version of the ACL that uses the static template or variable
                   template instance.
Instance Valid     A cross mark appears for an invalid instance.
                   A blank box appears for a valid instance.

Deleting a Template
You can delete a static template, a variable template or instances of variable
templates.

Procedure
Step 1

From the Template Manager window, select the template that you want to delete.

Step 2

Right-click and select Delete.
You are prompted to confirm the deletion.
If you proceed, the template will be deleted.


You cannot delete a template if:

- The template has been checked out or is pending approval.

- You are not a user with a CiscoWorks role of System Administrator. Only a
  system administrator can delete templates.

- The template has Template Device Uses (TDUs) or Template Nested Uses (TNUs).

Chapter 7

Creating and Using Policies


A policy is a set of rules that specifies tasks (ACEs) that you must include in the
ACL.
In ACL Manager, a policy is a special type of template that contains rules in the
form of ACEs. However, unlike the ACEs in an ACL, the rules in a policy are not
order-dependent.
Policies, similar to templates, are versioned objects. After you create a policy and
add rules to it, you must check it in.
After you check in the policy, you must specify one of the versions as the Master
version. Policy verification is always done against the Master version. If you do
not specify a Master version, the policy will not be available for verification.
These topics describe how to work with policies:

- Role-based Access for Policies

- Creating a Policy

- Verifying an ACL/Template Against a Policy

Role-based Access for Policies


ACL Manager enables you to restrict user privileges for creating and modifying
policies. Only users who belong to a specified user group can create or modify
policies. You must specify the name of this user group in the file, aclm.properties.
By default, no user is allowed to create or modify policies, except the user, admin.


To set up role-based access for policies:

Procedure
Step 1

Create a user group for policies (see Chapter 9, Creating a User Group).

Step 2

Shut down the ACLM Server.

On Windows, enter %NMSROOT%\bin\pdterm AclmServer
where %NMSROOT% is the directory in which CiscoWorks is installed.

On Solaris, enter install_dir/bin/pdterm AclmServer
where install_dir is the directory in which CiscoWorks is installed.

Step 3

Open the file, aclm.properties.

On Windows, the file is located at %NMSROOT%\objects\aclm\etc\aclm.

On Solaris, the file is located at install_dir/objects/aclm/etc/aclm.

Step 4

Enter this property in the file:

UserGroupForAccessToPolicies=user group

where user group is the name of the user group that should have access to policies.

Step 5

Save and close the file.

Step 6

Restart the ACLM Server.

On Windows, enter %NMSROOT%\bin\pdexec AclmServer
where %NMSROOT% is the directory in which CiscoWorks is installed.

On Solaris, enter install_dir/bin/pdexec AclmServer
where install_dir is the directory in which CiscoWorks is installed.

Creating a Policy
You can use the Template Manager to create policies. After you create a policy, it
is saved in a directory hierarchy. You can save your policies directly under the
Policy Root Directory or you can organize them by creating folders within the root
directory.
You can create policies only for three types of ACLs/templates: PIX, IP, and IP
Extended.


To create a policy:

Procedure
Step 1

Select Edit ACL Templates.

Step 2

Right-click on Policy Root Directory and select New Folder, if you want to
create a folder under the Policy Root directory to store your policies. Else, go to
Step 5.
The New Folder dialog box appears.

Step 3

Enter a name for the folder.

Step 4

Enter any comments you may have and click OK.

Step 5

Right-click on the folder or on the Policy Root Directory and select New Policy.
The Policy Editor dialog box appears (see Figure 7-1).

Figure 7-1 Policy Editor Dialog Box

Step 6

Select the policy type.

Step 7

Enter a name for the policy.

Step 8

Enter any comments you may have and click OK.
The policy appears under the folder.
You can specify rules within the policy by creating ACEs. Since the policies are
not order-dependent, you can specify the rules in any order.


Step 9

Right-click on the policy and select New ACE.
The ACE Editor appears.

Step 10

Create the ACE and click OK.

Step 11

Right-click on the policy and select Check In to check the policy in.

Step 12

Right-click on the checked-in policy and select Set as Master Version.
This version of the policy is now set as the Master version and is available for
verification.

Verifying an ACL/Template Against a Policy


You can verify ACLs or templates against the Master version of the policy.

Procedure
Step 1

To verify:

- An ACL, select it in the ACL Manager main window.

- A template, select it in the Template Manager.

Step 2

Select Tools > Verify Policy.
The Policy Browser appears (see Figure 7-2).


Figure 7-2 Policy Browser

Step 3

Select the policy against which you want to verify the ACL/template and click
OK.
The Policy Verification Summary appears (see Figure 7-3).

Figure 7-3 Policy Verification Summary Dialog Box


This summary displays the policy name and the verification status. The status can
be either Compliant, Noncompliant, or Error.
If the status is Error, the Description field displays the description of the error.
Step 4

Select a row and click Show Details to see the details.
The Policy Verification Results dialog box appears (see Figure 7-4).

Figure 7-4 Policy Verification Results

This shows the Logical view of the policy and the ACEs.
The Policy ACEs column lists the rules within the policy. Compliant policy rules
are in green and noncompliant ones are in red.
The ACL/Template ACEs column lists the ACEs within the ACL/template that
was verified.
To navigate among the colored rows listed in the left and right panes, use the
arrow icons.
Step 5

Select the policy rule in the Policy ACEs column.
The ACL/Template ACEs column displays the compliant ACEs in green and the
noncompliant ACEs in red.


Step 6

Select a policy rule in the left pane and a complying or noncomplying ACE on the
right pane and click Details to see further details.
The Policy Verification Details dialog box appears (see Figure 7-5).
Figure 7-5

Policy Verification Details

This shows the relationship between the policy rule and the selected ACE in the
physical view.
See Viewing Policy Verification Details for more details.


Viewing Policy Verification Details


To view the policy verification details:

Procedure
Step 1

Select an invalid ACE in the right pane of the Policy Verification Results dialog
box (see Verifying an ACL/Template Against a Policy for the procedure to
invoke this dialog box).

Step 2

Click Details.
The Policy Verification Details dialog box appears (see Figure 7-6).

Figure 7-6 ACE Validation Details


The following details are displayed in the Policy Verification Details dialog box:

First Group of ACEs
The selected logical entity (ACEs, ACL, or template) from the left pane of the
Policy Verification Details dialog box.

Relationship (Compliant, Noncompliant, Not Attempted/No Relationship)
The relationship between the first group of ACEs and the second group of ACEs
is displayed in-between the two groups. For example, the relationship between
the groups is displayed as:
Has a Non-Compliant Relationship with the policy
or
Has a Compliant Relationship with the policy

Second Group of ACEs
The selected logical entity (ACEs, ACL, or template) from the right pane of the
Policy Verification Details dialog box.

The ACEs that are displayed in the Policy Verification Details dialog box are
indexed:

Index              Example   Meaning
Main Index Number  [1]       Sequence or the position of an invalid ACE or
                             template within an ACL.
Sub-index Number   --> [1]   This is meaningful if the main index entity is a
                             template, a network class or a service class.
                             Then this sub-index displays the sequence of the
                             invalid ACEs within the template. (If the main
                             entity is an ACE, then the same ACE will be
                             displayed with a sub-index.)

Step 3

Click Close to exit the Policy Verification Details dialog box.
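Policy verification as this chapter describes it (an unordered set of policy rules checked against an ordered ACL, with the [n] and --> [m] index labels of the Policy Verification Details dialog box), worked through as an added Python example that is not ACL Manager code. The policy, the template named anti-spoof and every address are constructed sample data, and matching a rule by exact field equality is an assumption made here for illustration; the guide does not describe how the product itself relates a rule to an ACE.

```python
"""Policy verification over an ACL with nested templates (added example, not ACL Manager code).

A policy is an unordered set of rules (ACEs). An ACL is an ordered list of entries,
each either an ACE or a Template (a named list of ACEs). A rule is compliant when some
ACE in the ACL, or inside one of its templates, matches it. Matches are labelled the
way the Policy Verification Details dialog box indexes ACEs: [n] for the main index
within the ACL and --> [m] for the sub-index within a template. Exact field equality
as the match rule is an assumption of this example.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ACE:
    """One access-control entry; frozen so it can be a set member and a dict key."""
    action: str            # permit or deny
    protocol: str          # ip, tcp, udp, ...
    src: str               # source as text: host, network with wildcard mask, or any
    dst: str               # destination as text
    dst_port: str = "any"  # a single port, or any


@dataclass
class Template:
    """A template included in an ACL by reference; it expands to its ACEs."""
    name: str
    aces: list[ACE] = field(default_factory=list)


def flatten(acl: list) -> list[tuple[str, ACE]]:
    """Expand templates, gi each ACE its [main] or [main] --> [sub] label."""
    labelled = []
    for i, entry in enumerate(acl, start=1):
        if isinstance(entry, Template):
            for j, ace in enumerate(entry.aces, start=1):
                labelled.append((f"[{i}] --> [{j}]", ace))
        else:
            labelled.append((f"[{i}]", entry))
    return labelled


def verify(acl: list, policy: set[ACE]) -> dict:
    """Return the summary status (Compliant, Noncompliant or Error) and, per rule, the
    labels of the ACEs that satisfy it; an empty label list marks a noncompliant rule."""
    if not policy:  # nothing to verify against, as when no master version has rules
        return {"status": "Error", "description": "policy has no rules", "rules": {}}
    labelled = flatten(acl)
    # The policy is a set, so the order in which rules are checked cannot matter.
    rules = {rule: [label for label, ace in labelled if ace == rule] for rule in policy}
    status = "Compliant" if all(rules.values()) else "Noncompliant"
    return {"status": status, "rules": rules}


# Constructed sample data: a policy that demands an explicit allow to a management
# host and an anti-spoofing deny; the ACL satisfies the deny through a nested template.
POLICY = {
    ACE("permit", "tcp", "any", "host 192.0.2.10", "443"),
    ACE("deny", "ip", "10.0.0.0 0.255.255.255", "any"),
}
ANTI_SPOOF = Template("anti-spoof", [
    ACE("deny", "ip", "10.0.0.0 0.255.255.255", "any"),
    ACE("deny", "ip", "192.168.0.0 0.0.255.255", "any"),
])
ACL = [ACE("permit", "tcp", "any", "host 192.0.2.10", "443"), ANTI_SPOOF, ACE("deny", "ip", "any", "any")]

if __name__ == "__main__":
    result = verify(ACL, POLICY)
    print(result["status"])  # Compliant
    for rule, labels in result["rules"].items():
        colour = "green" if labels else "red"  # how the Policy ACEs column shows them
        print(colour, rule.action, rule.protocol, rule.src, rule.dst, rule.dst_port, labels)
```

Reordering the ACL changes only the index labels, never the status, which is the order independence the chapter states for policies; an empty rule set is reported as Error, the third status the Policy Verification Summary can show.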


Mandating Policy Verification


You can mandate that all ACLs and Templates should be validated against the
Master version of the policy.
If you mandate policy verification, the ACL or Template will be automatically
validated against the Master version of the policy, when you try to check it in. The
Policy Browser dialog box appears and you can select the policy against which
you wish to validate the ACL/Template.
If the ACL/Template is compliant with the master version of the policy, it follows
the normal check-in workflow. This means that if Change Approval is enabled for
ACL modification, it is sent for approval.
If the ACL or Template is not compliant with the policy, it compulsorily goes
through the Change Approval workflow.
The following comments appear in the Change Approval dialog box:
policy name - Failed
where policy name is the name of the policy against which the ACL/Template
was validated.
The approver can click the Change Details button to launch the ACL Manager or
the Template Manager in a separate window. In this window, the approver can
select the ACL/Template and choose Tools > Verify Policy to see the policy
verification and noncompliance details.

Note

Make sure that approvers are specified for ACLs and Templates to enable the
successful completion of mandatory policy verification.
The approvers for Template modification are specified only for the Mandatory
Policy Verification workflow.
To specify approvers for ACLs, use the Change Approval > Configure Change
Approval option.


To specify approvers for Templates, do this:

Procedure
Step 1

Shut down the ACLM Server.

On Windows, enter %NMSROOT%\bin\pdterm AclmServer
where %NMSROOT% is the directory in which CiscoWorks is installed.

On Solaris, enter install_dir/bin/pdterm AclmServer
where install_dir is the directory in which CiscoWorks is installed.

Step 2

Open the file, aclm.properties.

On Windows, the file is located at %NMSROOT%\objects\aclm\etc\aclm.

On Solaris, the file is located at install_dir/objects/aclm/etc/aclm.

Step 3

Enter this property in the file to specify approvers for Templates:

UserGroupForTemplateApproval=user group

where user group is the name of the user group that contains users who can
approve changes to Templates.

Step 4

Save and close the file.

Step 5

Restart the ACLM Server.

On Windows, enter %NMSROOT%\bin\pdexec AclmServer
where %NMSROOT% is the directory in which CiscoWorks is installed.

On Solaris, enter install_dir/bin/pdexec AclmServer
where install_dir is the directory in which CiscoWorks is installed.

To mandate policy verification:

Procedure
Step 1

Shut down the ACLM Server.

On Windows, enter %NMSROOT%\bin\pdterm AclmServer
where %NMSROOT% is the directory in which CiscoWorks is installed.

On Solaris, enter install_dir/bin/pdterm AclmServer
where install_dir is the directory in which CiscoWorks is installed.

Step 2

Open the file, aclm.properties.

On Windows, the file is located at %NMSROOT%\objects\aclm\etc\aclm.

On Solaris, the file is located at install_dir/objects/aclm/etc/aclm.

Step 3

Enter this property in the file to mandate policy verification:

MandatePolicyVerificationAtCheckinTime=true

Step 4

Save and close the file.

Step 5

Restart the ACLM Server.

On Windows, enter %NMSROOT%\bin\pdexec AclmServer
where %NMSROOT% is the directory in which CiscoWorks is installed.

On Solaris, enter install_dir/bin/pdexec AclmServer
where install_dir is the directory in which CiscoWorks is installed.
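The three procedures in this chapter edit the same file with the same stop, edit, restart sequence. The following Python helper is an added example, not ACL Manager code: it audits the three properties the chapter documents in a copy of aclm.properties (reporting what an unset value means, as the chapter states it) and rewrites them idempotently, so the edit between pdterm and pdexec can be reviewed before the server is restarted. The group names and the sample file contents are constructed; the path passed to update_file is a placeholder for the %NMSROOT%\objects\aclm\etc\aclm or install_dir/objects/aclm/etc/aclm location.

```python
"""Audit and update the aclm.properties settings documented in this chapter.

Added example, not ACL Manager code. It parses a Java-style properties file
(key=value lines; lines starting with # or ! are comments), reports the state of
the three policy-related properties, and rewrites them idempotently. The pdterm
and pdexec commands from the procedures still have to be run before and after the
edit; the path, group names and sample contents below are constructed.
"""
from __future__ import annotations
import re
from pathlib import Path

# What leaving each property unset means, as this chapter describes it.
POLICY_PROPS = {
    "UserGroupForAccessToPolicies": "unset: only the user admin can create or modify policies",
    "UserGroupForTemplateApproval": "unset: no user group can approve template changes",
    "MandatePolicyVerificationAtCheckinTime": "unset: policy verification is optional at check-in",
}
_KV = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text: str) -> dict[str, str]:
    """Return key -> value for every property line; comments and blanks are skipped."""
    props = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_properties(text: str) -> dict[str, str]:
    """Return 'ok' or a finding for each of the three documented properties."""
    props = parse_properties(text)
    findings = {}
    for key, unset_msg in POLICY_PROPS.items():
        value = props.get(key, "").strip()
        if not value:
            findings[key] = unset_msg
        elif key == "MandatePolicyVerificationAtCheckinTime" and value.lower() != "true":
            findings[key] = f"set to {value!r}: verification is not mandated (expected true)"
        else:
            findings[key] = "ok"
    return findings


def set_property(text: str, key: str, value: str) -> str:
    """Set key=value, replacing an existing line in place or appending a new one."""
    out, replaced = [], False
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(1) == key and not replaced:
            out.append(f"{key}={value}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def harden(text: str, policy_group: str, approver_group: str) -> str:
    """Apply all three properties and return the new file contents."""
    text = set_property(text, "UserGroupForAccessToPolicies", policy_group)
    text = set_property(text, "UserGroupForTemplateApproval", approver_group)
    return set_property(text, "MandatePolicyVerificationAtCheckinTime", "true")


def update_file(path: Path, policy_group: str, approver_group: str) -> dict[str, str]:
    """Rewrite the file on disk (run between pdterm and pdexec) and return the audit."""
    new_text = harden(path.read_text(), policy_group, approver_group)
    path.write_text(new_text)
    return audit_properties(new_text)


# Constructed sample of an aclm.properties with the hardening not in place.
SAMPLE = ("# constructed sample, not a real aclm.properties\n"
          "SomeOtherSetting=1\n"
          "MandatePolicyVerificationAtCheckinTime=false\n")

if __name__ == "__main__":
    for key, finding in audit_properties(SAMPLE).items():
        print(f"{key}: {finding}")
    print(harden(SAMPLE, "aclm-policy-editors", "aclm-template-approvers"))
```

Running harden twice yields the same text, and unrelated properties are preserved, so the helper can be re-run after every CiscoWorks upgrade to confirm the settings survived.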

Chapter 8

Searching for and Replacing ACLM Entities
ACL Manager provides a Search and Replace feature that enables you to search
for specific ACLM versioned entities and then replace them appropriately. See:

- Searching for Entities

- Replacing Entities

You can search the data that you can see in the logical view or physical view of
the ACL Manager Main Window, but you can replace only the data seen in the
logical view.
The ACLM versioned entities that can be searched include:

- ACLs

- Global Uses

- Interface Uses

- Time Ranges

- Templates

When you search for an ACE, the system also searches the included logical
entities such as Network Class, Service Class, and Templates.
For example, suppose Host 1.1.1.1 is contained in a network class that is used as
the Source Network Class of an ACE in a template, and the template in turn is
included in an ACL. The search filter (SRC_HOST = 1.1.1.1) will also list the
included template in the results, because the ACE in the template indirectly
contains the host.


After searching for entities you can replace them. However, you can replace only
the ACEs within an ACL or template.

Searching for Entities


You can perform a Search using the Search window. Launch the Search window
either from the ACL Manager, Class Manager, or from the Template Manager.
To launch the Search window, select Edit > Search.
The Search window appears (see Figure 8-1).

Figure 8-1 Advanced Search

The default values in the Search Base panel depend on the entity screen from
which you launched the Search window. You can change the default values by
clicking Clear Search.
For example, if you launch the Search window from an ACL, you can search only
on that ACL. If you click Clear Search and then perform a Search, you will be
able to search on all the specified devices or all the template folders.


To search for entities:

Procedure
Step 1

Click Devices to select the devices on which you want to search.
This will restrict the Search to device-specific data.
See Using the ACL Manager Device Selector for details on selecting devices.

Step 2

Select the Entity type.
If you choose Template as the entity type, the Device button is replaced by the
Browse button. Click Browse to specify the template folder that you wish to
search in.
See Using the Template Folder Browser for details on selecting template folders.

Step 3

Select the Version to which you want to restrict the Search. You can select:

- Latest: To search for the version which is the latest when Search begins.

- On Device: To search the version present on the device when Search begins.

- All Versions: To search for all versions that exist when Search begins.

Step 4

Choose one of the following as the Context Type:

- Advanced: Selected by default. In this context, you can use all the Search
  attributes.

- Standard: Allows you to use a limited set of Search attributes for IP/IP
  Extended ACL definitions or templates.

If you have chosen Advanced as the context type, do the following:

a. Enter a Search filter in the Search for text box.
   As you type in the Search filter, the Context Helper pops up to display the
   valid parameters. You can select the required parameter.
   For details on forming a search filter, see Forming a Search Filter. For a list
   of all the supported Search attributes, see List of Search Attributes.

b. Click Search.


If you have chosen Standard as the context type, do the following:

a. Specify the appropriate parameters.
   See Using the Standard Search Context GUI for details.

b. Click Search.

Note

You can cancel the Search before it is completed, by clicking Stop Search.

The results appear in the Search Results Pane.
The Status Bar displays the number of matches found.

Step 5

Click Clear Search to clear the results and the search filter.

Step 6

Click Close to close the Search window.

Search Results Pane


The matching results obtained by Search are displayed in the Search Results pane.
These results are refreshed every second.
Use the triangular buttons or the Split Bar to resize this pane.
The various columns in this pane are explained below:

Column   Description
Device   Applicable to all Entity Types except Templates.
Context  Context of the Search results. For example, ACL_NAME is for ACLs and
         ACE_PROTOCOL is for ACEs.
Index    Applicable to ACEs within an ACL/template.
Version  Version of the entity. If it is the latest, it is explicitly mentioned.


You can right-click on the rows of results and select one of these options:

- Go to Context: Invokes the appropriate context for the entity.
  For ACEs, ACLs, Time Ranges, Global Uses, and Interface Uses, this option
  will take you to the appropriate version of the entity on the device, and
  highlight the result.
  For Templates and Template ACEs, this option will take you to the Template
  Manager and then to the appropriate version of the entity.

- View: Opens the appropriate editor for the result. This option is not available
  for Global Uses and Interface Uses.

- Replace: Select this option to invoke the Replace tab of the Search window.

Using the ACL Manager Device Selector


The ACL Manager Device Selector lists only the devices that you have added to
your Devices folder.
In the Devices column:

Procedure
Step 1

Select the required devices and click Add.


The devices appear in the Selected Devices column.
To remove devices from the Selected Devices column, select them and click
Remove.

Step 2

Click OK to return to the Search window.


Using the Template Folder Browser


The Template Folder Browser shows the template root directory and its
sub-directories.

Procedure
Step 1

Select the directory in which you wish to search.


The sub-directories under the selected directory will also be included in the
Search.

Step 2

Click OK to return to the Search window.

Forming a Search Filter


You should provide a well-defined Search Filter to obtain precise results. The
Search Filter is a string that contains the actual search attributes and operators
along with possible values. You should form the Search Filter based on the entity
type that you have selected.
Example: If the selected Entity Type is Global ACL Uses and the search filter is
ACTION = permit, you will not get any results.
There is no restriction on the length of the Search Filter.
The system validates the Search attributes you enter. However, the system does
not validate the values for the attributes.
As you enter the search parameters in the filter, the Context Helper pops up to
display the valid parameters. You can select the required parameter from this. You
can also invoke the Context Helper by pressing F1. Press Esc to close the Context
Helper.
Each search attribute should have an associated value, which is a string
representation of the actual value. For example, an IP Address value can be
represented as 123.134.60.0. A port value can be 80 or http.


Regular Expressions
You can use regular expressions such as * and [ ] in the Search Filter.

- Use * while specifying IP addresses, template names, and service class names.
  Examples:
  The IP address value of 123.134* will allow you to search for all IP
  addresses beginning with 123.134.
  The IP address value of *123.134 will allow you to search for all IP
  addresses ending with 123.134.
  The IP address value of *123.134* will allow you to search for all IP
  addresses containing 123.134.

- Use [ ] while specifying a range of ports.
  Example:
  The port value of [80 83] will allow you to search for all ports from 80 to 83.

Operators
A simple search expression specifies the search attribute and value(s) and contains
a single relational operator.
The valid relational operators are: = (for all attributes) and EQ, NEQ, GT, LT, and
RANGE (for ports only). Make sure that you have at least a single space on either
side of the relational operator.
You can combine multiple simple search expressions by using the three logical
operators &, |, and ! along with parentheses. These three logical operators have
the same order of precedence, so use parentheses to make the intended grouping
explicit.
See List of Search Attributes for a list of all the supported Search attributes.


Examples of Search Filters

- Search for ACEs with the Source Host 123.25.45.36:
  (SRC_HOST = 123.25.45.36)

- Search for ACEs with Source Host starting with 123.25:
  (SRC_HOST = 123.25.*)

- Search for ACEs with Source Host containing 123.25.:
  (SRC_HOST = *123.25.*)

- Search for ACEs with Source Host ending with 123.25 and Source Port equal
  to 80:
  (SRC_HOST = *123.25)&(SRC_PORT EQ 80)
  or
  (SRC_HOST = *123.25)&(SRC_PORT EQ http)

- Search for ACEs with Source Network containing 123.25. and the mask
  starting with 0.0. and Source Port not equal to 80:
  (SRC_NW = *123.25.*/0.0.*)&(!(SRC_PORT EQ 80))

- Search for ACEs with Source Network containing 123.25. and Source Port or
  Destination Port equal to 80:
  (SRC_HOST = *123.25.*)&((SRC_PORT EQ 80)|(DST_PORT EQ 80))

- Search for ACEs using (Destination) Network Class and Service Class:
  (DST_NW_CLASS = blrnw)&(DST_SV_CLASS = tcponlyports)

- Search for ACEs using (Destination) Network Class and Destination port
  range:
  (DST_NW_CLASS = blrnw)&(DST_PORT RANGE 10 20)

- Search for ACEs using (Destination) Network Class and Destination
  ports/port ranges falling within/overlapping the specified range:
  (DST_NW_CLASS = blrnw)&(DST_PORT RANGE [10 20])

- Search for any comment:
  (VERS_COMM = *comment*)
  where comment is present in the actual text you want to search for.


- Search for the case ID 1000 in Version Comments:
  (VERS_COMM = *1000*)
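The filters in the examples above, run by an evaluator written here as an added example (not ACL Manager's own search engine) over constructed ACE records. It implements the syntax this section describes: simple expressions in parentheses, = with * as a wildcard for every attribute, EQ/NEQ/GT/LT/RANGE for ports, and &, | and ! at equal precedence, grouped by parentheses. Two details are assumptions of this example rather than statements from the guide: service names in filter values resolve through the small SERVICES table, and RANGE lo hi matches an ACE whose port range is exactly lo to hi, while RANGE [lo hi] matches any port or port range falling within or overlapping it. Ports inside the sample ACE records are (lo, hi) tuples, a representation chosen here.

```python
"""Evaluator for ACL Manager search filters (added example, not ACL Manager code).
Filters such as (SRC_HOST = *123.25)&(SRC_PORT EQ http) are parsed and run over ACE
records held as dicts keyed by search attribute; a port attribute in a record is a
(lo, hi) tuple, so a single port 80 is stored as (80, 80)."""
from __future__ import annotations
import re

SERVICES = {"http": 80, "https": 443, "ssh": 22, "telnet": 23}  # constructed subset
_ATOM = re.compile(r"\(\s*([A-Z_]+)\s+(=|(?i:EQ|NEQ|GT|LT|RANGE))\s+([^()]*?)\s*\)")

def tokenize(filt: str) -> list[tuple]:
    """Split a filter into ('ATOM', attr, op, value) tuples and the symbols & | ! ( )."""
    tokens, pos = [], 0
    while pos < len(filt):
        if filt[pos].isspace():
            pos += 1
        elif m := _ATOM.match(filt, pos):
            tokens.append(("ATOM", m.group(1), m.group(2).upper(), m.group(3)))
            pos = m.end()
        elif filt[pos] in "&|!()":
            tokens.append((filt[pos],))
            pos += 1
        else:
            raise ValueError(f"bad filter near {filt[pos:pos + 20]!r}")
    return tokens

def parse(filt: str) -> tuple:
    """Build a tree of ('ATOM', ...), ('!', x) and ('&' | '|', left, right) nodes."""
    toks, i = tokenize(filt), 0

    def take(expected=None):
        nonlocal i
        if i >= len(toks) or (expected and toks[i][0] != expected):
            raise ValueError(f"expected {expected or 'more input'} in filter")
        i += 1
        return toks[i - 1]

    def term():
        tok = take()
        if tok[0] == "!":
            return ("!", term())
        if tok[0] == "ATOM":
            return tok
        if tok[0] != "(":
            raise ValueError(f"unexpected {tok[0]!r} in filter")
        node = expr()
        take(")")
        return node

    def expr():  # & and | share one precedence level and bind left to right
        node = term()
        while i < len(toks) and toks[i][0] in ("&", "|"):
            node = (take()[0], node, term())
        return node

    node = expr()
    if i != len(toks):
        raise ValueError("trailing tokens in filter")
    return node

def _port(v: str) -> int:  # a filter port value: a number or a constructed service name
    return SERVICES.get(str(v).lower()) or int(v)

def _atom(ace: dict, attr: str, op: str, value: str) -> bool:
    """Evaluate one simple expression; ports in ACE records are (lo, hi) tuples."""
    if attr not in ace:                      # an unset attribute never matches
        return False
    if op == "=":                            # * is the only wildcard
        rx = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"
        return re.match(rx, str(ace[attr]), re.IGNORECASE) is not None
    lo, hi = ace[attr]
    if op == "RANGE":
        m = re.fullmatch(r"(\[)?\s*([^\s\]]+)\s+([^\s\]]+)\s*(\])?", value)
        if not m:
            raise ValueError(f"bad RANGE value {value!r}")
        rlo, rhi = _port(m.group(2)), _port(m.group(3))
        if m.group(1):                       # [lo hi]: within or overlapping (assumption)
            return lo <= rhi and hi >= rlo
        return (lo, hi) == (rlo, rhi)        # lo hi: exactly this port range (assumption)
    want = _port(value)
    return {"EQ": (lo, hi) == (want, want), "NEQ": (lo, hi) != (want, want),
            "GT": lo > want, "LT": hi < want}[op]

def evaluate(node: tuple, ace: dict) -> bool:
    if node[0] == "ATOM":
        return _atom(ace, *node[1:])
    if node[0] == "!":
        return not evaluate(node[1], ace)
    left, right = evaluate(node[1], ace), evaluate(node[2], ace)
    return (left and right) if node[0] == "&" else (left or right)

def search(filt: str, aces: list[dict]) -> list[int]:
    """Return the 1-based indices (the Index column) of the ACEs matching the filter."""
    node = parse(filt)
    return [i for i, ace in enumerate(aces, start=1) if evaluate(node, ace)]

SAMPLE_ACES = [  # constructed sample ACE records, not taken from any real device
    {"ACTION": "permit", "ACE_PROTOCOL": "tcp", "SRC_HOST": "123.25.45.36", "SRC_PORT": (80, 80), "DST_NW": "10.1.0.0/0.0.255.255", "VERS_COMM": "case 1000: open web access"},
    {"ACTION": "deny", "ACE_PROTOCOL": "tcp", "SRC_NW": "123.25.0.0/0.0.255.255", "SRC_PORT": (8080, 8080), "DST_NW_CLASS": "blrnw", "DST_PORT": (10, 20)},
    {"ACTION": "permit", "ACE_PROTOCOL": "udp", "SRC_HOST": "198.51.100.7", "DST_NW_CLASS": "blrnw", "DST_SV_CLASS": "tcponlyports", "DST_PORT": (15, 15)},
    {"ACTION": "deny", "ACE_PROTOCOL": "tcp", "SRC_HOST": "10.123.25.1", "DST_PORT": (80, 80)},
]
```

Because & and | bind left to right at one precedence level, (ACTION = deny)|(ACTION = permit)&(SRC_PORT EQ 8080) is read as ((deny | permit) & 8080) and matches only the second sample ACE, while the same terms with the & group parenthesised also match the fourth; that difference is why the section tells you to group with parentheses.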

List of Search Attributes

The following is the list of all supported Search attributes, with the possible
values where the guide lists them:

Attribute        Description and possible values
ACL_NAME         Name of the ACL.
ACL_PROTOCOL     ACL protocol. Only IP is supported.
ACE_PROTOCOL     ACE protocol: TCP, UDP, PIM, etc.
SRC_NW           Source network address with mask, for example 1.1.1.0/0.0.0.128.
SRC_NW_CLASS     Source Network Class name.
SRC_HOST         Source host name.
ANY_SRC_IP       One of these: source network address, source host name, or
                 source Network Class name.
DST_NW           Destination network address with mask, for example
                 1.1.1.0/0.0.0.128.
DST_NW_CLASS     Destination Network Class.
DST_HOST         Destination network host.
ANY_DST_IP       One of these: destination network address, destination host
                 name, or destination Network Class name.
ACTION           One of these: Permit, Deny, Redirect.
PRECEDENCE       Precedence level: 0-7.
TOS              Service level: 0-15.
LOG              Either of these: True, False.
LOG_INPUT        Either of these: True, False.
FRAGMENTS        Either of these: True, False.
DSCP             0-63.
SRC_PORT         Source port.
SRC_SV_CLASS     Source Service Class name. You need not specify the fully
                 qualified path; it is enough if you give the name of the
                 Service Class.
ANY_SRC_PORT     One of these: source port or source Service Class.
DST_PORT         Destination port.
DST_SV_CLASS     Destination Service Class name. You need not specify the fully
                 qualified path; it is enough if you give the name of the
                 Service Class.
ANY_DST_PORT     One of these: destination port or destination Service Class
                 name.
TCP_FLAG         Any TCP flag.
ICMP_TYPE_CODE   ICMP type and ICMP code separated by a space.
ICMP_MSG         ICMP message.
IGMP_TYPE        IGMP type.
INLN_COMM        Inline comment in an ACE. Value: *comment*, where comment is
                 present in the actual text you want to search for.
COMM_ACE         A comment ACE which includes either downloadable or
                 non-downloadable comments. Value: *comment*, where comment is
                 present in the actual text you want to search for.
REMK_ACE         A comment ACE which includes only downloadable comments.
                 Value: *comment*, where comment is present in the actual text
                 you want to search for.
VERS_COMM        Version comments for individual versions of the entity. Value:
                 *comment*, where comment is present in the actual text you
                 want to search for.
TR_NAME          Name of the Time Range.
TR_TYPE          Type of Time Range. Either of these: Absolute, Periodic.
TR_EXP_TYPE      Time Range expiry type: manual or automatic.
INTERFACE        Interface name.
ACL_USE_DESCR    Description along with the ACL use.
DIRECTION        Either of these: In, Out.
TMPL_NAME        Name of the template.
TMPL_PROTOCOL    Name of the template protocol. Only IP is supported.

ACE attributes such as ACE_PROTOCOL, SRC_NETWORK, ACTION, etc., can be used
along with the template attribute TMPL_NAME to search within templates from the
Template Manager.


Using the Standard Search Context GUI


Figure 8-2

Standard Search

If you select Standard Search as the context type, you have to specify the
following attributes:
Field

Description

Name

Name of the ACL/template to be searched.

Protocol

Protocol of the ACL/template to be searched.

ACE
Protocol

Protocol of the ACE within the ACL/ template to be searched.


Source/Destination Address: The address to be searched within the source or destination address fields of the ACE respectively. Select the type of the value in the Address Type drop-down box. The options are:

Any: Maps to ANY_SRC_IP_OPERAND or ANY_DST_IP_OPERAND.

Network: Maps to SRC_NW_OPERAND or DST_NW_OPERAND (searches only for networks).

Host: Maps to SRC_HOST_OPERAND or DST_HOST_OPERAND (searches only for hosts or DNS names).

Network Class: Maps to SRC_NW_CLASS_OPERAND or DST_NW_CLASS_OPERAND (searches only for network classes).

Source/Destination Ports: Ports to be searched within the source or destination port fields of the ACE respectively. Select the type of the value in the Port Type drop-down box. The options are:

EQ, LT, GT, NEQ, RANGE: Maps to SRC_PORT_OPERAND or ANY_DST_PORT_OPERAND (searches for ports).

Service Class: Maps to SRC_SV_CLASS_OPERAND or DST_SV_CLASS_OPERAND (searches for service classes).


Comments: Select any or all of these options:

Inline: Searches for inline comments.

Comment ACE: Searches for comment and remark ACEs.

Remark ACE: Searches for remark ACEs.

Versioning: Searches for checked-in comments.

Match all of the above: Select this if you want the results that match all the above attributes.

Match any of the above: Select this if you want the results that match any of the above attributes.

Replacing Entities
You can replace ACLM entities only after searching for them. However, you can
replace only ACEs within an ACL or template.
All the attributes that are applicable to Search are applicable to Replace also, with
the following exceptions:

SRC_HOST/SRC_NW_CLASS
Replaces the source address in an ACE with a host, host IP address, DNS
name, or a network class.

SRC_NW
Replaces the source address in an ACE only with a valid network.

DST_HOST/DST_NW_CLASS
Replaces the destination address in an ACE with a host, host IP address, DNS
name, or a network class.

DST_NW
Replaces the destination address in an ACE only with a valid network.

The attributes you specify in the Replace tab are independent of the Search
attributes. This means you can search for a certain attribute and then replace the
results with a different attribute.


Example: Your search parameter can be ACE_PROTOCOL = tcp while your replace parameter can be SRC_HOST = wwwin.cisco.com.

Note
The system performs a minimum validation during Replace. Make sure you enter appropriate values for the Replace attributes.

To use the Advanced replace option:

Procedure
Step 1
Launch the Search window and perform a Search.
The results appear in the Search Results pane.

Step 2
Click the Replace tab.

Figure 8-3 Advanced Replace

Step 3
Select the Context Type.
If you have selected Advanced as the context type, enter the Replace parameter in the format, attribute = value, in the Replace with text box.


Example: SRC_NW = 1.1.1.0/0.0.0.1

You can have multiple Replace parameters separated by commas. However, while replacing port data, use the format, attribute operator value, where operator can be either EQ, NEQ, LT, GT, or RANGE.
Examples:

SRC_PORT RANGE bgp cmd
Replaces the source port with services ranging from bgp to cmd.

SRC_PORT EQ @/SJ/tcp%cisco_service
Replaces the source port with the service class, cisco_service, from the folder SJ.

If you have selected Standard as the context type, specify the various Replace with parameters in the GUI.
See Using the Standard Replace Context GUI for details.

Step 4
Select at least one row in the Search Results pane.

Step 5
Click any of the following:

Replace to replace the selected ACEs.
The Replace button is enabled only if you have selected at least one row in the Search Results pane.

Skip Next to select the next row in the Search Results pane.

Replace All to replace all the ACEs listed in the Search Results pane.

When you click Replace or Replace All, ACL Manager does the following:

1. Checks out the selected entity with Check Out comments, if any.
The Version column in the Search Results pane displays an asterisk (*) to indicate that the entity is in the checked out state.

2. Replaces the data as specified.

3. Checks in the entity with Check In comments, if any.
This task is done only if you have selected Check In after Replace.


Note

If Check In after Replace is not selected, the entity will remain in the
checked out state after the data is replaced.
To check in the entity later, repeat the Replace procedure after selecting
Check In after Replace.

When you have multiple ACEs of the same version of an ACL, replacing one of
the ACEs will result in the checking out of only one version of the ACL.
However, the status is updated for all the ACEs that belong to the same ACL
version, and this is reflected in the Version column. This allows you to replace
data selectively in different ACEs and when you check in, you will have only one
new version of the ACL.
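Because Replace performs only minimal validation, it pays to check the Replace with string before any ACL is checked out. The following checker is an added example, not ACL Manager code; it parses the attribute = value and attribute operator value syntax from Step 3 and applies the address rules from the start of this section. The attribute names, operators and the @/folder%class notation come from this guide; the per-attribute checks and the accepted network notations (address/wildcard or address/prefix) are this example's assumptions.

```python
"""Checker for ACL Manager Advanced Replace parameters (added example)."""
import ipaddress
import re

PORT_ATTRS = {"SRC_PORT", "DST_PORT"}
PORT_OPERATORS = {"EQ", "NEQ", "LT", "GT", "RANGE"}
HOST_ATTRS = {"SRC_HOST", "SRC_NW_CLASS", "DST_HOST", "DST_NW_CLASS"}
NETWORK_ATTRS = {"SRC_NW", "DST_NW"}
OTHER_ATTRS = {"ACE_PROTOCOL", "ACTION"}          # accepted without value checks

CLASS_REF = re.compile(r"^@/[\w/]+%\w+$")          # e.g. @/SJ/tcp%cisco_service
HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def _is_network(value):
    """Assumed notations: 1.1.1.0/0.0.0.1 (address/wildcard) or 10.0.0.0/8."""
    addr, sep, mask = value.partition("/")
    if not sep or not _is_ipv4(addr):
        return False
    return _is_ipv4(mask) or (mask.isdigit() and 0 <= int(mask) <= 32)


def _is_host(value):
    return _is_ipv4(value) or bool(HOSTNAME.match(value))


def parse_replace(text):
    """Parse a Replace-with string into (attribute, operator, values) tuples.

    Raises ValueError with the reason when a parameter would not be a valid
    replacement, so the caller can refuse it before any entity is checked out.
    """
    params = []
    for raw in text.split(","):
        tokens = raw.replace("=", " = ").split()   # allow 'A=B' as well as 'A = B'
        if not tokens:
            raise ValueError("empty replace parameter")
        attr = tokens[0].upper()
        if attr in PORT_ATTRS:
            # Port data uses 'attribute operator value', never '='.
            if len(tokens) < 3 or tokens[1].upper() not in PORT_OPERATORS:
                raise ValueError(f"{attr}: expected one of {sorted(PORT_OPERATORS)}")
            op, values = tokens[1].upper(), tokens[2:]
            if op == "RANGE" and len(values) != 2:
                raise ValueError(f"{attr} RANGE needs exactly two ports or services")
            if op != "RANGE" and len(values) != 1:
                raise ValueError(f"{attr} {op} takes exactly one value")
            if op == "RANGE" and any(CLASS_REF.match(v) for v in values):
                raise ValueError("a service class cannot be a RANGE endpoint")
            params.append((attr, op, values))
            continue
        # Every other attribute uses 'attribute = value'.
        if len(tokens) != 3 or tokens[1] != "=":
            raise ValueError(f"{attr}: expected 'attribute = value'")
        value = tokens[2]
        if attr in NETWORK_ATTRS:
            if not _is_network(value):           # SRC_NW/DST_NW take only a network
                raise ValueError(f"{attr} accepts only a valid network, got {value!r}")
        elif attr in HOST_ATTRS:
            if not (_is_host(value) or CLASS_REF.match(value)):
                raise ValueError(f"{attr} needs a host, IP address, DNS name or network class")
        elif attr not in OTHER_ATTRS:
            raise ValueError(f"unknown replace attribute {attr!r}")
        params.append((attr, "=", [value]))
    return params
```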

Undoing a Check Out


You can undo a check out and return the entity to its pre-check out version. To do
this:

Procedure
Step 1

Select a checked out entity in the Search Results pane.

Step 2

Click Undo Check Out.


The entity status is reverted and the asterisk (*) in the Version column of the
Search Results pane disappears.
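The check-out, replace, check-in and undo behaviour described above, as an added model that is not ACL Manager code: Replace checks out an ACL version once even when several of its ACEs are selected, every ACE row of that version then shows the asterisk, a check-in producing one new version happens only when Check In after Replace is selected, and Undo Check Out returns the entity to its pre-check-out version. The in-memory entity and result-row bookkeeping is this example's own simplification.

```python
"""Model of how Replace and Undo Check Out drive entity versions (added example)."""
import copy


class VersionedAcl:
    """A checked-in ACL with its ACEs, version number and check-out state."""

    def __init__(self, name, aces, version=1):
        self.name = name
        self.aces = [dict(a) for a in aces]
        self.version = version
        self.checked_out = False
        self._saved = None               # ACEs as they were at check-out

    def label(self):
        """Version column text: [n] when checked in, [n*] when checked out."""
        return f"[{self.version}*]" if self.checked_out else f"[{self.version}]"

    def check_out(self):
        if self.checked_out:
            return                       # already checked out by this Replace run
        self._saved = copy.deepcopy(self.aces)
        self.checked_out = True

    def check_in(self):
        if not self.checked_out:
            raise RuntimeError(f"{self.name} is not checked out")
        self.version += 1                # exactly one new version per check-in
        self.checked_out = False
        self._saved = None

    def undo_check_out(self):
        """Return to the pre-check-out version; the asterisk disappears."""
        if not self.checked_out:
            raise RuntimeError(f"{self.name} is not checked out")
        self.aces, self._saved = self._saved, None
        self.checked_out = False


def replace(results, selected_rows, new_values, check_in_after_replace):
    """Run Replace on the selected rows of a Search Results pane.

    results is a list of (acl, ace_index) rows; new_values maps attribute
    names to replacement values. Returns the Version column for every row.
    """
    if not selected_rows:
        raise ValueError("Replace needs at least one selected row")
    touched = []
    for row in selected_rows:
        acl, idx = results[row]
        acl.check_out()                  # no-op for rows of an ACL already checked out
        acl.aces[idx].update(new_values)
        if acl not in touched:
            touched.append(acl)
    if check_in_after_replace:
        for acl in touched:
            acl.check_in()
    return [acl.label() for acl, _ in results]
```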


Using the Standard Replace Context GUI

Figure 8-4 Standard Replace

If you choose Standard Replace as the context type, you have to specify the parameters in the Replace with fields.
The parameters you can specify for Replace are described below:

Name: Name of the ACL/template to be replaced with.

Protocol: Protocol of the ACL/template to be replaced with.

ACE Protocol: Protocol of the ACE within the ACL/template to be replaced with.


Source/Destination Address: Address to be replaced within the source or destination address fields of the ACE respectively. The Any, Host, and Network Class options replace with host names, host IP addresses, and network classes respectively. The Network option replaces with a network.

Source/Destination Ports: Ports to be replaced within the source or destination port fields of the ACE respectively. You can replace with port numbers, service names, or service classes.


Chapter 9

Controlling Access Using ACL Manager Roles

The Role-based Access Control system in ACL Manager allows groups of authorized users to access the entire system, or a part of it.

Note
This feature is available to you only if you have enabled Role-based Access Control at the time of installing ACL Manager.
To enable Role-based Access Control, see the Installation Guide for ACL Manager.

A Role in ACL Manager is a relationship among user groups, device groups and tasks.
The key features of Role-based Access Control in ACL Manager are:

The Role-based system in ACL Manager extends the Role-based system of CiscoWorks. That is, CiscoWorks users can be grouped in ACL Manager so that:

Each group of users can be assigned certain tasks, which they can perform on a specific group of devices.

A user group can contain other user groups within it, and users can be part of more than one user group. The privileges they enjoy are the collective privileges of all the groups they belong to.


The Role-based system in ACL Manager uses only the System Administrator and Network Administrator roles of CiscoWorks. The other Roles of CiscoWorks, such as Network Operator, Approver, and Guest, are not used.

User admin is the super user for CiscoWorks. User admin has the privilege of performing all tasks on all devices. Admin also creates users, and associates them with user groups, device groups and tasks.

ACL Manager Role data management is available only to the System Administrator Role of CiscoWorks.

All ACL Manager users, other than admin, are CiscoWorks Network Administrators.

These topics describe Role-based access control in ACL Manager:

Populating ACL Manager with Role-based Data

Adding Users

Adding Devices

Managing User Groups

Managing Device Groups

Managing Tasks

Populating ACL Manager with Role-based Data


An ACL Manager Role is complete when a CiscoWorks user is a part of a user
group, has a device group to administer, and is assigned a set of tasks that he or
she can do on the devices.
To set up Role-based Access Control in ACL Manager:

Procedure
Step 1

Set up CiscoWorks users (see Adding Users).

Step 2

Add devices to CiscoWorks (see Adding Devices).

Step 3

Create groups of users (see Managing User Groups).


Step 4

Create groups of devices (see Managing Device Groups).

Step 5

Assign tasks or privileges to the user groups (see Managing Tasks).

Note

Your login determines whether you can do these tasks. That is, if you are a user
with the CiscoWorks Role of System Administrator, then you can add users and
devices to CiscoWorks. You can also manage user groups, device groups, and
tasks.

Adding Users
Before creating user groups in ACL Manager, you should add users with
CiscoWorks Network Administrator privileges.
You can add users if you are a user with the CiscoWorks Role of System
Administrator.
To add users, select Server Configuration > Setup > Security on your
CiscoWorks desktop.
See Setting Up the CiscoWorks Server on Cisco.com for the procedure.

Adding Devices
Before creating device groups in ACL Manager, you should add devices to
CiscoWorks.
You can add devices if you are a user with the CiscoWorks Role of System
Administrator.
To add devices, select Administration > Inventory > Add Devices from
Resource Manager Essentials on your CiscoWorks desktop.
See the User Guide for Resource Manager Essentials 3.5 on Cisco.com for the
procedure.


Managing User Groups

A user group is the basic component of a Role in ACL Manager. A user group can
have users or other user groups nested within it.
After you create a user group, you may need to modify it, view all user groups, or
delete a user group that has served its purpose. All these tasks comprise user group
management.
These topics describe how to:

Create a user group (see Creating a User Group).

Modify a user group (see Modifying a User Group).

Delete a user group (see Deleting a User Group).

View all user groups (see Viewing all User Groups).

Note
You can manage user groups if you are a user with the CiscoWorks Role of System
Administrator.

Creating a User Group

You can create a user group if you are a user with the CiscoWorks Role of System
Administrator.
To create a user group:

Procedure
Step 1
From the CiscoWorks desktop, select ACL Manager > Administration > Rolebased Administration > User Management > Create User Group.


The first Create User Group dialog box opens (see Figure 9-1).
Figure 9-1

Create User Group Dialog Box - 1

Step 2

Enter the name of the user group.

Step 3

Click Next.


The second Create User Group dialog box opens (see Figure 9-2).
Figure 9-2 Create User Group Dialog Box-2

Step 4
Select users from the All Users box and click Add.
The users move to the Selected Users box.

To remove a user from the Selected Users box, select a user and click Delete.

To remove all users from the Selected Users box, click Delete All.

Step 5
Select user groups from the All User Groups box and click Add.
The user groups move to the Selected User Groups box.

To remove a user group from the Selected User Groups box, select a user
group and click Delete.


To remove all user groups from the Selected User Groups box, click Delete
All.

Step 6
Click Finish.
The third Create User Group window opens (see Figure 9-3).
Figure 9-3 Create User Group Window-3

The window displays the newly-created user group.
To see the users and the user groups, click on the top-level user group.


Modifying a User Group

You can modify a user group if you are a user with the CiscoWorks Role of System
Administrator.
To modify a user group:

Procedure
Step 1
From the CiscoWorks desktop, select ACL Manager > Administration > Rolebased Administration > User Management > Modify User Group.
The first Modify User Group dialog box opens (see Figure 9-4).


Figure 9-4 Modify User Group Dialog Box - 1

Step 2

Select the user group that you want to modify.

Step 3

Click Next.
The second Modify User Group dialog box opens (see Figure 9-5).


Figure 9-5 Modify User Group Dialog Box-2

Step 4
Modify the user group by adding or deleting users or user groups:

To add users, select the users from the All Users box and click Add.
The users move to the Selected Users box.

To remove existing users, select the users from the Selected Users box and
click Delete.

To remove all users from the Selected Users box, click Delete All.


To add user groups, select the user groups from the All User Groups box and
click Add.
The user groups move to the Selected User Groups box.

To remove existing user groups, select the user groups from the Selected User
Groups box and click Delete.

To remove all user groups from the Selected User Groups box, click Delete
All.

Step 5
Click Finish.
The third Modify User Group window opens (see Figure 9-6).
Figure 9-6 Modify User Group Window-3


The window displays the modified user group.


To see the users and the user groups that are within the modified user group, click
on the top-level user group.

Deleting a User Group

You can delete a user group if you are a user with the CiscoWorks Role of System
Administrator.
To delete a user group:

Procedure
Step 1
From the CiscoWorks desktop, select ACL Manager > Administration > Rolebased Administration > User Management > Delete User Group.
The first Delete User Group dialog box opens (see Figure 9-7).


Figure 9-7 Delete User Group Dialog Box - 1

Step 2

Select the user group that you want to delete.

Step 3

Click Finish.
The second Delete User Group window opens to indicate that the user group is
deleted (see Figure 9-8).


Figure 9-8 Delete User Group Window-2


Viewing all User Groups

You can view all user groups if you are a user with the CiscoWorks Role of System
Administrator.
To view all user groups:

Procedure
Step 1
From the CiscoWorks desktop, select ACL Manager > Administration > Rolebased Administration > User Management > Show All User Groups.
The All User Groups window opens and all the user groups in ACL Manager
appear (see Figure 9-9).


Figure 9-9 All User Groups Window

Step 2
Click on the groups to view the users and the user groups within them.

Managing Device Groups


A device group can have devices or other device groups nested within it.
After you have created a device group, you may need to modify it, view all device
groups or delete a device group that has served its purpose. All these tasks
comprise device group management.


A device group is linked to a user group through a task.
These topics describe how to:

Create a device group (see Creating a Device Group).

Modify a device group (see Modifying a Device Group).

Delete a device group (see Deleting a Device Group).

View all device groups (see Viewing all Device Groups).

Note
You can manage device groups if you are a user with the CiscoWorks Role of
System Administrator.

Creating a Device Group

You can create a device group if you are a user with the CiscoWorks Role of
System Administrator.
To create a device group:

Procedure
Step 1
From the CiscoWorks desktop, select ACL Manager > Administration > Rolebased Administration > Device Management > Create Device Group.
The first Create Device Group dialog box opens (see Figure 9-10).


Figure 9-10 Create Device Group Dialog Box - 1

Step 2

Enter the name of the device group.

Step 3

Click Next.
The second Create Device Group dialog box opens (see Figure 9-11).


Figure 9-11 Create Device Group Dialog Box-2

Step 4

Select devices from the All Devices box and click Add.
The devices move to the Selected Devices box.

To remove a device from the Selected Devices box, select a device, and click
Delete.

To remove all devices from the Selected Devices box, click Delete All.


Step 5
Select device groups from the All Device Groups box, and click Add.
The device groups move to the Selected Device Groups box.

To remove a device group from the Selected Device Groups box, select a
device group, and click Delete.

To remove all device groups from the Selected Device Groups box, click
Delete All.

Step 6
Click Finish.
The third Create Device Group window opens (see Figure 9-12).
Figure 9-12 Create Device Group Window-3


The window displays the newly-created device group.


To view the devices and the device groups that are within it, click on the top-level
device group folder.

Modifying a Device Group

You can modify a device group if you are a user with the CiscoWorks Role of
System Administrator.
To modify a device group:

Procedure
Step 1
From the CiscoWorks desktop, select ACL Manager > Administration > Rolebased Administration > Device Management > Modify Device Group.
The first Modify Device Group dialog box opens (see Figure 9-13).


Figure 9-13 Modify Device Group Dialog Box - 1

Step 2

Select the device group that you want to modify.

Step 3

Click Next.
The second Modify Device Group dialog box opens (see Figure 9-14).


Figure 9-14 Modify Device Group Dialog Box-2

Step 4

Modify the device group by adding or deleting devices or device groups:

To add devices, select the devices from the All Devices box, and click Add.
The devices move to the Selected Devices box.

To remove existing devices, select devices from the Selected Devices box and
click Delete.

To remove all devices from the Selected Devices box, click Delete All.

To add device groups, select the device groups from the All Device Groups
box and click Add.
The device groups move to the Selected Device Groups box.


To remove existing device groups, select the device groups from the Selected
Device Groups box, and click Delete.

To remove all device groups from the Selected Device Groups box, click
Delete All.

Step 5
Click Finish.
The third Modify Device Group window opens (see Figure 9-15).
Figure 9-15 Modify Device Group Window-3

The window displays the modified device group.


To view the devices and the device groups that are within it, click on the top-level
device group folder.


Deleting a Device Group

You can delete a device group if you are a user with the CiscoWorks Role of
System Administrator.
To delete a device group:

Procedure
Step 1
From the CiscoWorks desktop, select ACL Manager > Administration > Rolebased Administration > Device Management > Delete Device Group.
The first Delete Device Group dialog box opens (see Figure 9-16).


Figure 9-16 Delete Device Group Dialog Box - 1

Step 2

Select the device group that you want to delete.

Step 3

Click Finish.
The second Delete Device Group window opens to indicate that the device group
is deleted (see Figure 9-17).


Figure 9-17 Delete Device Group Window-2


Viewing all Device Groups

You can view all device groups if you are a user with the CiscoWorks Role of
System Administrator.
To view all device groups:

Procedure
Step 1
From the CiscoWorks desktop, select ACL Manager > Administration > Rolebased Administration > Device Management > Show All Device Groups.
The All Device Groups window opens and all the device groups in ACL Manager
appear (see Figure 9-18).


Figure 9-18 All Device Groups Window

Step 2

Click on the device groups to view the devices and the device groups within them.

Managing Tasks
A standard set of tasks is available to all user groups in ACL Manager. The tasks
are:

Approve Changes

Download ACLs

Immediate Download

Modify ACLs

View ACLs

These tasks are also inter-related (see Task Relationships).

For a user group to be able to perform a certain task on specific groups of devices,
you should assign device groups to the task. This association of a task with device
groups enables the user group to perform the task on the selected groups of
devices.
For example, for user group UG1 to be able to download ACLs to all the devices
within device group DG3, you should assign the device group DG3 to the task
Download ACLs within the user group UG1.
Task management for a user group involves:

Assigning device groups to a task.

Modifying a task-device group association (you can assign more than one
device group to a task).

See Assigning Device Groups to Tasks or Modifying Assignments.

Note

You can manage tasks if you are a user with the CiscoWorks Role of System
Administrator.

Task Relationships
A user group can do certain tasks when you assign device groups to tasks (see
Assigning Device Groups to Tasks or Modifying Assignments). However, these
tasks are inter-related, and because of this inter-relationship, a user group can do
certain tasks even if you have not specifically assigned a device group to a task
within it.
For example, for a user group, if you have assigned device groups to the Modify
ACLs task, then that user group can also view ACLs, even if you have not
explicitly assigned device groups to the View ACLs task.


This table explains what tasks the user groups can perform if you assign device
groups to these tasks:

Approve Changes: Allows the user group to also view and modify ACLs.

Download ACLs: Allows the user group to also view ACLs.

Immediate Download: Allows the user group to also view ACLs.

Modify ACLs: Allows the user group to also view ACLs.

For a user group, if you assign device groups to the View ACLs task alone, then
the user group can only view ACLs.
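The nested user and device groups, the collective privileges of a user in several groups, the admin super user (from the start of this chapter) and the implied tasks from the Task Relationships table above, combined in one resolver. This is an added example, not ACL Manager code; it assumes, as the guide does not state, that members of a nested group inherit the assignments of the enclosing group, and the UG1/DG3 sample data is constructed after the text's own example.

```python
"""Effective-privilege resolver for ACL Manager Roles (added example)."""
from collections import defaultdict

# Implied tasks, taken from the Task Relationships table.
IMPLIED = {
    "Approve Changes": {"View ACLs", "Modify ACLs"},
    "Download ACLs": {"View ACLs"},
    "Immediate Download": {"View ACLs"},
    "Modify ACLs": {"View ACLs"},
    "View ACLs": set(),
}


def close_tasks(tasks):
    """Expand assigned tasks with everything they imply, transitively."""
    result, todo = set(), list(tasks)
    while todo:
        task = todo.pop()
        if task not in result:
            result.add(task)
            todo.extend(IMPLIED[task])
    return result


def leaves(groups, name, seen=None):
    """All leaf members (users or devices) of a possibly nested group."""
    seen = set() if seen is None else seen
    if name in seen:                      # tolerate an accidental cycle
        return set()
    seen.add(name)
    found = set()
    for member in groups.get(name, ()):
        if member in groups:              # nested group: descend
            found |= leaves(groups, member, seen)
        else:
            found.add(member)
    return found


class AclmRoles:
    def __init__(self, user_groups, device_groups):
        self.user_groups = user_groups        # name -> [user or user-group names]
        self.device_groups = device_groups    # name -> [device or device-group names]
        self.assignments = defaultdict(set)   # (user group, task) -> {device groups}

    def assign(self, user_group, task, device_group):
        """Assign/Modify Tasks: attach a device group to a task of a user group."""
        if task not in IMPLIED:
            raise ValueError(f"unknown task {task!r}")
        if user_group not in self.user_groups or device_group not in self.device_groups:
            raise KeyError("create the user group and device group first")
        self.assignments[(user_group, task)].add(device_group)

    def groups_of(self, user):
        # Assumption: a user belongs to every group that contains them, directly or nested.
        return {g for g in self.user_groups if user in leaves(self.user_groups, g)}

    def effective_tasks(self, user, device):
        """Tasks the user may run on the device, across all groups they belong to."""
        if user == "admin":                   # super user: all tasks on all devices
            return set(IMPLIED)
        groups = self.groups_of(user)
        granted = set()
        for (ug, task), dgs in self.assignments.items():
            if ug in groups and any(device in leaves(self.device_groups, dg) for dg in dgs):
                granted.add(task)
        return close_tasks(granted)


def build_demo():
    """Constructed sample data following the UG1/DG3 example in the text."""
    roles = AclmRoles(
        user_groups={"UG1": ["alice", "UG2"], "UG2": ["bob"], "UG3": ["alice"]},
        device_groups={"DG3": ["r1", "DG4"], "DG4": ["r2"], "DG5": ["r3"]},
    )
    roles.assign("UG1", "Download ACLs", "DG3")   # the guide's own example
    roles.assign("UG2", "Approve Changes", "DG5")
    roles.assign("UG3", "Modify ACLs", "DG5")
    return roles
```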

Assigning Device Groups to Tasks or Modifying Assignments

You create an ACL Manager Role when you assign device groups to the tasks
available to a user group. (Also see Task Relationships.)
To assign device groups to tasks, or modify the assignment:

Procedure
Step 1
From the CiscoWorks desktop, select ACL Manager > Administration > Rolebased Administration > Tasks Management > Assign/Modify Tasks.
The Assign Tasks to User Group dialog box opens (see Figure 9-19).


Figure 9-19 Assign Tasks to User Group Window

Step 2

Select the User Group that you want to assign tasks to, or modify task assignment.

Step 3

Click Next.
The Task Assignment for User Group window opens (see Figure 9-20) with the
name of the selected user group in the title bar.


Figure 9-20 Task Assignment for User Group Window

Step 4

Double-click the All Tasks folder to see the tasks available for the selected User
Group.

Step 5

Select a task, right-click on it, and then select Add/Remove Device Group....
The Device Group Assignment dialog box opens (see Figure 9-21).


Figure 9-21 Device Group Assignment Window

Step 6

Assign or modify device group assignment by adding device groups, or removing assigned device groups:

To add a device group, select the device group from the Device Groups box,
and click Add.
The device group moves to the Assigned Device Groups box.

To remove an assigned device group, select the device group from the
Assigned Device Groups box and click Remove.
The device group moves to the Device Groups box.

To see the details of the devices within a device group, select a device group,
and click Details.
A dialog box displays the devices within the selected device group.

Step 7

Click OK.
The Task Assignment for User Group window shows the updated assignment of
device groups, for the tasks.


Step 8

Click on each task to see the device-group assignment.


To make the task-device group assignment for another user group without going
back to the CiscoWorks desktop, see Using the Open User Group Option.

Using the Open User Group Option


You can select a user group from within the Task Assignment for User Group
dialog box and make its task-device group assignment, without returning to the
CiscoWorks desktop.

Procedure
Step 1

In the Task Assignment for User Group dialog box, select File > Open
Usergroup....
The Open Usergroup dialog box opens.

Step 2

Select the required user group.


If you want to see its details, click Details.
A window opens and shows all the users and user groups within the selected user
group.
To close this window, click on the Close button, and the Open Usergroup dialog
box becomes active again.

Step 3

Click OK in the Open Usergroup dialog box.


The title bar of the Task Assignment for User Group dialog box shows the selected
user group, and you can make the task-device group assignment for the user
group.


Chapter 10

Versioning ACL Manager Entities


ACL Manager, through its versioning mechanism, makes it possible to control and
track changes to ACL Manager entities.
An entity is a generic term used for a versioned object within ACL Manager.
The entities in ACL Manager are:

ACLs

ACL Uses: Global Uses, Line Uses and Interfaces.

Time Ranges

Templates

Network Classes

Service Classes

PIX Object Groups

ACL Manager maintains each set of changes to an entity as an incremental version of the entity, in its versioning repository.
Initially, the ACL Manager entities are available in a read-only state. To be able
to make changes to entities, you should check them out. After making the
changes, you should check the entities back into the versioning repository.
For example, if you want to modify the ACEs within an ACL, you should first
check out the ACL, make the modifications and then check in the ACL.
You can perform all versioning related activities using the Versioning menu which
is available from ACL Manager Main Window, Template Manager window and
Class Manager window. For more information about the versioning menu, see
Chapter 3 Versioning Menu.


You can perform all your activities from the ACL Manager Main Window for
these entities:

ACLs

Time Ranges

ACL Uses (Global mode and Interface contexts)

If you have not yet started ACL Manager, open the ACL Manager Main Window
using the procedure in Chapter 3, Starting ACL Manager.
You can perform all your activities from the Template Manager window for these
entities:

Static Templates

Variable Templates

Variable Template Instances

Policies

If you have not yet started Template Manager, open the Template Manager
window using the procedure in Chapter 6, Using the Template Manager.
Select the templates or the variable template instances from the required template
folder in the Template Manager window. You can use the Versioning Menu of the
Template Manager for versioning the templates or instances.
You can perform all your activities from the Class Manager window for these
entities:

Service Classes

Network Classes

If you have not yet started Class Manager, open the Class Manager window using
the procedure in Chapter 5, Using the Class Manager.
You can also perform some of the versioning activities, like Check In and Check
Out, by right-clicking on the template or on the template instance of a variable
template and selecting the required versioning option. Also see Version Indicators.
These topics describe versioning for ACL Manager entities:

Versioning Workflow

Getting the Latest Version of an Entity

Getting a Specific Version of an Entity


Checking Out Entities

Checking Out a Specific Version of an Entity

Undoing the Check Out of an Entity

Checking In Entities

Merging a Branch With a Main Line Version

Merging Using the Merge Editor: Example

Viewing the Version Graph of an Entity

Comparing an Entity with its Latest Version

Comparing Any Two Versions of an Entity

Viewing Version Details of an Entity

Viewing Details of a Specific Version of an Entity

Viewing the Versioning History of an ACL Manager Entity

Using the Version Diff Viewer

Versioning Workflow
This section describes the workflow for:

New entities

Checked in entities.

In a workflow for a new entity, you can:

1. Create an entity.
   Until you check it in, it is in the New state, denoted by [*].

2. Check in the entity.
   It is checked in, and version 1 of the entity is created, denoted by [1].

In a workflow for a checked-in entity, you can:

1. Check out the entity. Multiple users can check out the same version of an
   entity.
   Until you check it in, it is in the Checked-Out state, denoted by [n*], where n
   is the version number of the checked-out entity.

2. Check in the entity.
   If you had checked out the latest version of the entity, and no higher version
   exists at the time of this check in:
   - The entity moves to a checked-in state. If change approval has been
     enabled for ACLs and templates, the entity moves to the pending state,
     indicating that the version has been submitted for approval. This
     information is displayed in the right view.
     For example, if ACL 100 [1] has been modified and submitted for
     approval, and the selection is on the ACL Definitions folder, the left
     view indicates 100[1*] and the right view indicates 100[1*Pending].
   - If policy verification is enabled for ACLs and templates, and the checked-in
     ACL or template fails to comply with the policy, it is automatically sent
     for Change Approval (for details, see Chapter 7, Mandating Policy
     Verification).
   - If Change Approval is not enabled for versioning, the entity moves to a
     Checked In state, denoted by a number in square brackets, for example, [1].
   If you had checked out a lower version of the entity, or a higher version was
   created before you checked in your version, ACL Manager displays a message
   informing you that there is a higher version of your entity. You must merge
   your version with the higher version, and check in your version again.
   In the case of:
   - ACLs and templates, ACL Manager provides a dialog box that shows the
     differences between your version and the higher version. You can select
     what needs to be merged. After your merged version is ready, you need to
     check it in at least twice, to move the ACL to the Checked-In state before
     the new main line version is created. See Merging a Branch With a Main
     Line Version.
   - Other entities, like ACL Uses or Time Ranges, ACL Manager informs you of
     the higher version and that a manual merge is required. You can then view
     the higher version (see Getting the Latest Version of an Entity), compare
     it with your own (see Comparing an Entity with its Latest Version), and
     decide whether you want to incorporate the information in the latest
     version into your own.

Version Indicators
The version indicators for entities are as follows:

[*]
    Newly created entity that is not yet checked in. After it is checked in, the
    star within the square brackets is replaced by 1.

[n]
    Version of a checked-in entity, where n is the version number. Also
    indicates that the version is in the checked-in state.

[n*]
    Checked-out state of the version of an entity, where n is the version
    number.
    If change approval has been enabled, it could also indicate that the version
    has been submitted for approval and is in the pending state (see Chapter 11,
    Approving or Rejecting Changes).

In ACL Manager, a mainline version is one whose version number is a whole
number. A branch version is one whose version number is not a whole number.
For an entity there can be only one mainline version, but more than one branch
version.

Getting the Latest Version of an Entity


Every time an entity is modified and checked in, it is stored as an incremental
version in the versioning repository of ACL Manager. Therefore there can be
many versions of a single entity. You can get the latest version of an entity into
your window.
After you get the latest version an entity, if you want to modify it, you should
check it out first (see Checking Out Entities).


To get the latest version of an entity:

Procedure
Step 1

Select the required entity from its respective folder. For example, select an ACL
from the ACL Definitions folder.

Step 2

Select Versioning > Get Latest Version from the Main Menu of your window.
The latest version of the entity available in the versioning repository appears
in its folder and is indicated by a change in version number.
If the version of the entity that you already have is the latest available
version, there is no change in the version number after this operation.

You can also get a specific version of an entity into your window (see Getting a
Specific Version of an Entity).

Getting a Specific Version of an Entity


You can get a specific version of an entity. Use the Version Graph dialog box to
get a required version of an entity into your window.
After you get the required version of an entity, if you want to modify it, you
should check it out first (see Checking Out Entities).
To get a specific version of an entity into your window:

Procedure
Step 1

Select the required entity from its respective folder. For example, select an ACL
from the ACL Definitions folder.

Step 2

Select Versioning > Version Graph from the Main Menu of your window.
The Version Graph dialog box opens (see Figure 10-10).


Step 3

In the Version Graph dialog box, select the version of the entity that you want to
get and click Get.
The selected version of the entity appears in the ACL Manager Main Window.

You can get a specific version of an entity, only if it is successfully checked in. If
the entity is checked out, or checked in but awaiting change approval processing,
you cannot get a specific version of the entity.
You can also get the latest version of an entity (see Getting the Latest Version of
an Entity).

Checking Out Entities


In order to make changes to an entity, you must check it out.
Only an entity that is in the checked in state can be checked out.
Before checking out an entity, we recommend that you perform a Get Latest
Version operation (see Getting the Latest Version of an Entity), to avoid having to
do a merge.
To check out entities:

Procedure
Step 1

Select the required entity from its folder and right-click on it. (You can select
multiple entities within a folder. This is possible only from the right view.)
A pop-up menu appears.

Step 2

Select Check Out from the pop-up menu.
A message appears:
You are about to check out an older version for the following entities.
ACL Name or Number (latest version is [Version_Number])
Do you want to proceed?

Step 3

Click Yes.
The Check Out dialog box appears (see Figure 10-1).


Figure 10-1 The Check Out Dialog Box

Step 4

Enter your comments in the Check Out dialog box.


The fields in the Check Out dialog box are:

Comment
    You can enter your check out comments here. These comments are not
    mandatory.

Apply same comment to all Check Outs
    You can select this box to apply the same comment to all the entities that
    you are checking out.

Exclusive Checkout
    You can select this box to exclusively check out a version of an entity.
    This box is enabled only if you have selected more than one entity for
    check out.
    When you make an exclusive check out of an entity, that entity and all its
    versions are locked. Another user cannot work on any of its versions until
    you check it back in.

Step 5

Click OK.
The entity is checked out.


You can also check out a specific version of an entity (see Checking Out a
Specific Version of an Entity).

Checking Out a Specific Version of an Entity


You can check out a specific version of an entity, using the Version Graph dialog
box (see Figure 10-10). See Viewing the Version Graph of an Entity for the
procedure to open this window.
You can also use the Version History dialog box to check out a specific version of
an entity. See Viewing the Versioning History of an ACL Manager Entity
To check out a specific version of an entity:

Procedure
Step 1

In the Version Graph dialog box, select the version that you want to check out.

Step 2

Click Check Out.


The Check Out dialog box appears (see Figure 10-1).

Step 3

Enter your comments in the Check Out dialog box.


For details of the fields and options in the Check Out dialog box, see Checking
Out Entities.

Step 4

Click OK.
The entity is checked out.

Undoing the Check Out of an Entity


You can undo the check out of an entity, even after you have made changes to it.
When you undo the check out, the entity reverts to its pre-check-out state and
any changes that you made are lost.


Procedure
Step 1

Select the required entity from its respective folder. For example, select an ACL
from the ACL Definitions folder.

Step 2

Select Versioning > Undo Check Out from the Main Menu of your window.
ACL Manager displays a message that all your changes will be lost if you proceed.
For example, if you undo a check out for an ACL, a message appears:
This will delete all changes made to the ACL. Do you want to continue?

Step 3

Click Yes.
The check out is canceled.

Checking In Entities
After your changes to an entity version are complete, you must check in the entity.
The entity will move to a checked-in state. If change approval has been enabled,
for ACLs and templates, then the entity moves to the pending state, indicating that
the version has been submitted for approval. This information is displayed in the
right view.
For example, if ACL 100 [1] has been modified and submitted for approval, and
the selection is on the ACL Definitions folder, the left view indicates 100[1*]
and the right view indicates 100[1*Pending].
If policy verification is enabled for ACLs and templates, and the checked in ACL
or template fails to comply with the policy, it is automatically sent for Change
Approval (see Chapter 11 Approving or Rejecting Changes).
You can also select multiple entities and check them in.

Procedure
Step 1

Select the required entity from its respective folder, right-click on it. (You can
select multiple entities for checking in.)
A pop-up menu appears.


Step 2

Select Check In from the pop-up menu.


The Check In dialog box appears (see Figure 10-2).
Figure 10-2 The Check In Dialog Box

The fields in the Check In dialog box are:

Comment
    You can enter your check in comments here. The comments are not mandatory.

Apply same comment to all Check Ins
    You can select this box to apply the same comment to all the ACLs that you
    are checking in. This box is active only if you have selected more than one
    ACL for check in.

Step 3

Enter your comments in the Check In dialog box, and click OK.

If a higher version of the entity does not exist in the Versioning repository, at
the time of your check in, the entity is checked in.

If a higher version of the entity already exists in the Versioning repository at


the time of your check in, a message appears:
Check in has created a branch since the checked out version was
not the latest one. Another check in will be required to merge with
the main branch.


After you click OK in the message box, ACL Manager checks out the latest
main line version. This version also has the information from your branch
version.
When you check it in for the second time, the Check In dialog box appears
again. Enter your comments in the Check In dialog box and click OK.
ACL Manager prompts you to do a merge.
You will now have to merge the entity with the main line version:
To merge an ACL or a template, see Merging Using the Merge Editor.
To merge any entity other than an ACL or a template, see Merging Without
Using the Merge Editor.
After you merge your version with the latest available version, check in the
merged version again.

At any point during a check in, if a higher version is in existence, ACL Manager
will prompt you to do a check in and a merge again.
Before checking in an ACL after creation or modification, you can use ACL
Manager tools to:

Verify the ACL against a policy (see Chapter 7, Creating and Using
Policies)

Check validity of the ACL (see Chapter 14, Validating ACEs)

Optimize the ACL (see Chapter 16, Optimizing ACLs).

Merging a Branch With a Main Line Version


When you check in a version of an entity, if a higher version of it already exists
in the versioning repository, ACL Manager creates a checked out version for you
to work with. When you check in this version, ACL Manager also creates a branch
of the version you have checked out.


ACL Manager then prompts you to merge your branch with the latest version of
the entity. The merge operation can be done in two ways depending on the ACL
Manager entities:

If the entity is an ACL, or a template, you can merge the entity using the
Merge Editor, a tool provided by ACL Manager. See Merging Using the
Merge Editor.

If it is any other entity, you will have to do a manual merge operation. See
Merging Without Using the Merge Editor.

Merging Using the Merge Editor


When you check in a version of an entity, if a higher version of it already exists
in the versioning repository, ACL Manager creates a checked out version for you
to work with. When you check in this version, ACL Manager also creates a branch
of the version you have checked out. ACL Manager then prompts you to merge
your branch with the latest version of the entity.
In the case of an ACL or a template, ACL Manager provides you with a tool to
merge your version with the latest version.
To merge a branch of an ACL or a template with the latest version:

Procedure
Step 1

Select your branch version in the ACL Manager Main Window or the Template
Manager main window, right-click and select Check In from the pop-up menu.
The Check In dialog box appears.

Step 2

Enter your comments in the Check In dialog box and click OK. See Checking In
Entities for details of the fields and options in the Check In dialog box.
Since a higher version of the ACL or template exists at the time of your check in,
a message appears:
Check in has created a branch since the checked out version was not
the latest one. Another check in will be required to merge with the
main branch.

Step 3

Click OK.
Your branch version is replaced by a checked out, main line version in the
ACL Manager Main Window or the Template Manager main window.

Step 4

Select this version, right-click and select Check In again from the pop-up menu.
The Check In dialog box appears.

Step 5

Enter your comments in the Check In dialog box, and click OK. See Checking
In Entities for details of the Check In dialog box.
The Merge Editor opens (see Figure 10-3).
Figure 10-3 Merge Editor

In the Merge Editor:

The ACEs in the latest version of the entity appear in the lower left pane.

The ACEs in the branch appear in the lower right pane.


The ACEs in the merged version appear in the top pane.


To begin with, these are the same as the ACEs in your branch version. If
required, you can select ACEs from the latest main line version and add them
to the merged version.

The arrowhead icons (<, >) indicate the ACEs that differ from the base
version that was checked out.

The differences between the versions are represented as follows:

Changed Lines
    Change bar and red text.

Inserted Lines
    Plus sign and green text.

Deleted Lines
    Minus sign and blue text.

Unchanged Lines
    Black text.

Step 6

Select the ACEs from the left pane, as required.


To move the ACEs up to the Merge Version pane, click the lower Move ACE to
Merge Version icon.
After the ACEs are in the Merge Version pane, you can use the toolbar buttons
above the Merge Version pane to reorder the ACEs and to delete ACEs.
Use the Save button to save your changes and check in the version later. Newly
added ACEs appear in the Merge Editor without any arrowhead icons (<, >).

Step 7

Click Checkin.
The merged version is checked in.

Note
At any point during a check in, if a higher version exists, ACL Manager will
prompt you to do a check in and a merge again.


Merging Using the Merge Editor: Example


This example shows you how you can merge versions and check in an ACL. It also
discusses the display in the Version Graph dialog box at each stage of the process.
The example refers to the processes of checking out, checking in, invoking the
Version Graph dialog box and merging ACLs. Use the links in this table to see the
procedures.
Process                     Procedure Reference
Check In                    Checking In Entities
Check Out                   Checking Out Entities
Viewing the Version Graph   Viewing the Version Graph of an Entity
Merging ACLs                Merging a Branch With a Main Line Version

Procedure
Step 1

Check out Version 1 of an ACL. Assume that a Version 2 of the ACL already
exists in the versioning repository. If you look at its Version Graph dialog box
at this point, you will see that a checked out copy of Version 1 has been
created for you, with your user name on it (see Figure 10-4).


Figure 10-4 Example Window: 1

Step 2

Check in Version 1 after you complete your modifications.


The Check In dialog box appears.

Step 3

Enter your comments in the Check In dialog box, and click OK.
Since a higher version (Version 2) exists for the ACL, ACL Manager displays a
message that there is a higher version of the ACL, and that you should do a check
in again, to merge the branch with the main line version.
ACL Manager creates branch version 1.1, for your checked out version.
At the same time, it creates a checked out version of the latest version that exists
in the repository, and this too, has your user name.
If you look at the Version Graph dialog box at this point, you see a branch
Version 1.1, merging with the latest checked-out version, also a branch, with
your user name (see Figure 10-5).
In the ACL Manager Main Window, the version information for this ACL shows
[2*].


Figure 10-5 Example Window: 2

Step 4

Check in Version [2*] again after your modifications are complete.


The Check In dialog box appears.

Step 5

Enter your comments in this Check In dialog box and click OK.
At the time of checking this version in, you are prompted to do a merge. When
you proceed, the ACL Merge dialog box opens (see Figure 10-6).
Figure 10-6 Example Window: 3


Step 6

Select the ACEs you need for the merged version.


If you want to add ACEs, or edit existing ACEs before you check in the merged
version, click on the Save button. Your changes are saved and you can add or edit
ACEs using the ACL Manager Main Window.
After your changes are complete, repeat the procedure from Step 4 to Step 6.

Step 7

Check in the ACL again from the ACL Merge window, by clicking the CheckIn
button.
The ACL version is checked in.
If you view the Version Graph dialog box at this point, you see the ACL checked
in as Version 3 (see Figure 10-7).
Figure 10-7 Example Window: 4

In the ACL Manager Main Window, the version information for this ACL
shows [3].


Merging Without Using the Merge Editor


In the case of all ACL Manager entities other than ACLs and templates, if you are
prompted to merge a branch version with the mainline version, you will have to
do a manual merge.
You can compare your version of the entity with the latest version available in
the repository before checking in your version.
To do this, select the entity and select Versioning > Compare with Latest
Version in the main menu of your window.
This opens the Diff Viewer. You can check the differences between the versions
(see Using the Version Diff Viewer) and, if required, replicate them in your
version. You can then check in the version, or check in your version without
making any further modifications.
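Both the Merge Editor markers described under Merging Using the Merge Editor (change bar, plus sign, minus sign, black text) and the compare-and-replicate step for entities without a Merge Editor reduce to a line diff of a version against the base version that was checked out. The following Python model is an added example for this guide, not ACL Manager code and not an export of its dialog boxes; it uses difflib from the standard library, and the ACE strings, the three constructed versions and the user's choice of which main line ACE to carry into the merged version are all constructed for the example.

```python
import difflib
from typing import List, Optional, Tuple

# Markers standing in for the Merge Editor's representation (constructed):
# "|" change bar (changed line), "+" inserted line, "-" deleted line, " " unchanged.
CHANGED, INSERTED, DELETED, UNCHANGED = "|", "+", "-", " "


def diff_aces(base: List[str], other: List[str]) -> List[Tuple[str, str]]:
    """Classify every ACE of `other` against `base`, the version that was checked out.

    Returns (marker, ace) pairs in display order. ACEs that `other` dropped are kept
    with the "-" marker so that the reader sees what disappeared.
    """
    out: List[Tuple[str, str]] = []
    sm = difflib.SequenceMatcher(None, base, other, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            out.extend((UNCHANGED, ace) for ace in other[j1:j2])
        elif tag == "insert":
            out.extend((INSERTED, ace) for ace in other[j1:j2])
        elif tag == "delete":
            out.extend((DELETED, ace) for ace in base[i1:i2])
        else:  # "replace": rewritten in place; surplus base lines count as deleted
            out.extend((CHANGED, ace) for ace in other[j1:j2])
            out.extend((DELETED, ace) for ace in base[i1 + (j2 - j1):i2])
    return out


def markers(base: List[str], other: List[str]) -> str:
    """Just the marker column, one character per displayed line."""
    return "".join(m for m, _ in diff_aces(base, other))


def render(base: List[str], other: List[str]) -> str:
    return "\n".join(f"{m} {ace}" for m, ace in diff_aces(base, other))


def merge_version(branch: List[str], mainline: List[str], take: List[int],
                  insert_at: Optional[int] = None) -> List[str]:
    """Build the merged version the way the Merge Editor starts it: the branch ACEs,
    plus the main line ACEs (by index) the user moved across, inserted at insert_at."""
    merged = list(branch)
    pos = len(merged) if insert_at is None else insert_at
    for k, idx in enumerate(take):
        merged.insert(pos + k, mainline[idx])
    return merged


# Constructed sample: Version 1 was checked out (BASE), Version 2 (MAINLINE) appeared
# meanwhile with an extra DNS permit, and BRANCH is what the user changed in their copy.
BASE = [
    "permit tcp any host 10.1.1.10 eq 80",
    "permit tcp any host 10.1.1.10 eq 443",
    "deny ip any any",
]
MAINLINE = BASE[:2] + ["permit udp any host 10.1.1.20 eq 53"] + BASE[2:]
BRANCH = ["permit tcp 192.168.0.0 0.0.255.255 host 10.1.1.10 eq 80"] + BASE[1:]


def merge_editor_walkthrough() -> dict:
    """Marker columns of the three panes for the sample, then the merged result."""
    merged = merge_version(BRANCH, MAINLINE, take=[2], insert_at=2)  # keep the deny last
    return {
        "mainline_vs_base": markers(BASE, MAINLINE),  # lower left pane
        "branch_vs_base": markers(BASE, BRANCH),      # lower right pane
        "merged_vs_base": markers(BASE, merged),      # top pane after the move
        "merged": merged,
    }


if __name__ == "__main__":
    print(render(BASE, MAINLINE))
    print()
    print(render(BASE, merge_editor_walkthrough()["merged"]))
```

Reading the marker column is the manual merge: every "+" in the main line's pane is an ACE the latest version gained that your copy lacks, every "-" is one it dropped, and a change bar flags a line that was rewritten, which for an ACL means a different match condition and deserves a second look before it is carried across.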

Merging Without Using the Merge Editor: Example


This example shows you how you can manually merge versions and check in an
Interface, Ethernet0. It also discusses the display in the Version Graph dialog box
at each stage of the process.
The example refers to the processes of checking out, checking in, invoking the
Version Graph dialog box. Use the links in this table to see the procedures.
Process                     Procedure Reference
Check In                    Checking In Entities
Check Out                   Checking Out Entities
Viewing the Version Graph   Viewing the Version Graph of an Entity
Merging ACLs                Merging a Branch With a Main Line Version


Procedure
Step 1

Check out Version 1 of Ethernet0. Assume that a Version 2 of Ethernet0 already
exists in the versioning repository. If you look at its Version Graph dialog box
at this point, you will see that a checked out copy of Version 1 has been
created for you, with your user name on it (see Figure 10-8).
Figure 10-8 Example Window: 1

Step 2

Check in Version 1 after you complete your modifications.


The Check In dialog box appears.

Step 3

Enter your comments in the Check In dialog box, and click OK.
Since a higher version (Version 2) exists for Ethernet0, ACL Manager displays a
message that there is a higher version of Ethernet0, and that you should do a check
in again, to merge the branch with the main line version.
ACL Manager creates branch version 1.1, for your checked out version.
At the same time, it creates a checked out version of the latest version that exists
in the repository, and this too, has your user name.
If you look at the Version Graph dialog box at this point, you see a branch
Version 1.1, merging with the latest checked-out version, also a branch, with
your user name (see Figure 10-9).

In the ACL Manager Main Window, the version information for this Ethernet0
shows [2*].
Figure 10-9 Example Window: 2

Step 4

Check in Version [2*] again after your modifications are complete.


The Check In dialog box appears.

Step 5

Enter your comments in this Check In dialog box and click OK.
At the time of checking this version in, you are prompted to do a merge.

Step 6

Invoke the Show Changes option from the Versioning Menu.


This launches the Diff Viewer and shows the changes with respect to the latest
mainline version.

Step 7

Note down the changes and close the dialog box.

Step 8

Make the required changes in your version.

Step 9

Repeat Step 1 and Step 2 until you feel that the merge process is complete.

Step 10

Check in your version.


Viewing the Version Graph of an Entity


An entity may have undergone several changes since its creation. ACL Manager
versions each change to an entity. To view the versioning graph of an entity, use
the Version Graph dialog box. This shows the versioning history in a graphical
format.
We recommend that you use this option to get a complete picture of the
modification history of the entity.

Procedure
Step 1

Select the required entity from its respective folder. For example, select an ACL
from the ACL Definitions folder.

Step 2

Select Versioning > Version Graph from the Main Menu of your window.
The Version Graph dialog box opens (see Figure 10-10).
Figure 10-10 The Version Graph dialog box


The Version Graph dialog box shows these details:

The main line versions of the entity
    Represented by whole numbers, in a box with a blue background. For
    example, 1, 2, 3.

The branches
    Represented by decimal numbers, for example, 1.1, 2.1 etc. The first branch
    of version 2 is version 2.1. If you check out version 2.1 and a branch is
    created, this will be version 2.1.1.
    Branches are created when a version higher than the one you have checked
    out exists in the versioning repository.
    For example, if an ACL has two versions (Version 1 and Version 2) and you
    check out Version 1, ACL Manager creates a branch, Version 1.1. You should
    merge this with the latest existing main line version (Version 2) at the
    time of check in, to create a new main line version (Version 3).

The merges
    Represented by a red arrow.

The users who have checked out the versions
    Represented by their user names. The user name appears only when a version
    is in the checked-out state. The user name appears in a box with a red
    background.

Step 3

Click on the version you need.


This enables the Get, Check Out, and Details buttons.
The Diff button is enabled when you select two versions by holding down the Ctrl
key while clicking them.


You can use the buttons in the Version Graph dialog box to perform these tasks on
any of the versions of the entity:

Table 10-1 Versioning Tasks

Get
    Gets a selected version of an entity into your main window. See Getting a
    Specific Version of an Entity.

Check Out
    Checks out a selected version of an entity. See Checking Out a Specific
    Version of an Entity.

Diff
    Displays the differences between any two versions of the entity. See Using
    the Version Diff Viewer.

Close
    Closes the Version Graph dialog box.

Details
    Displays the details of a selected version of an entity. See Viewing Details
    of a Specific Version of an Entity.

Help
    Invokes the help for the Version Graph dialog box.

Step 4

Click Close to exit.
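The version indicators ([*], [n], [n*]), the branch numbering shown in the Version Graph dialog box (2.1, 2.1.1), the exclusive check out, and the two-check-in merge flow from Checking In Entities together form a small state machine, and writing it out makes the rules easier to reason about than the dialog boxes do. The following Python model is an added example for this guide and is not ACL Manager code; the class and method names are constructed, the sample ACEs are constructed, it models one entity at a time, and it assumes, as in the worked example above, that a merged check in becomes the next whole-number version (1.1 merged with 2 gives 3).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Version:
    number: str                        # main line: whole number ("2"); branch: dotted ("2.1", "2.1.1")
    content: List[str]                 # entity body, e.g. the ACEs of an ACL
    parent: Optional[str]              # version it was checked out from (None for version 1)
    merged_from: Optional[str] = None  # branch merged into this main line version, if any


@dataclass
class WorkingCopy:
    base: str                          # version that was checked out, shown as [base*]
    content: List[str]
    exclusive: bool = False            # an exclusive check out locks the entity for other users
    merging: Optional[str] = None      # branch this copy was opened to merge, if any


class EntityRepository:
    # Versioning repository for one entity, following the rules described in this chapter.

    def __init__(self) -> None:
        self.versions: Dict[str, Version] = {}
        self.working: Dict[str, WorkingCopy] = {}     # one working copy per user
        self.new_content: Optional[List[str]] = None  # created but never checked in: [*]

    def latest_mainline(self) -> str:
        return str(max(int(n) for n in self.versions if "." not in n))

    def indicator(self, user: str) -> str:
        # version indicator as the user sees it in the left view
        if user in self.working:
            return f"[{self.working[user].base}*]"
        return "[*]" if self.new_content is not None else f"[{self.latest_mainline()}]"

    def create(self, content: List[str]) -> None:
        self.new_content = list(content)

    def check_out(self, user: str, number: str, exclusive: bool = False) -> str:
        holder = next((u for u, wc in self.working.items() if wc.exclusive), None)
        if holder is not None and holder != user:
            raise PermissionError(f"entity is exclusively checked out by {holder}")
        # several users may check out the same version; each gets an independent copy
        self.working[user] = WorkingCopy(number, list(self.versions[number].content), exclusive)
        return self.indicator(user)

    def check_in(self, user: str, content: Optional[List[str]] = None) -> Tuple[str, str]:
        # returns (status, number of the version that was created)
        if user not in self.working and self.new_content is not None:
            self.versions["1"] = Version("1", self.new_content, None)  # [*] becomes [1]
            self.new_content = None
            return "checked in", "1"
        wc = self.working.pop(user)
        if content is not None:
            wc.content = list(content)
        latest = self.latest_mainline()
        if wc.base == latest:  # no higher version exists: next main line version
            number = str(int(latest) + 1)
            self.versions[number] = Version(number, wc.content, latest, wc.merging)
            return "checked in", number
        # A higher version exists: the work is kept as a branch of the checked-out version,
        # and the latest main line version is checked out for the user, pre-filled with the
        # branch content so that main line ACEs can be merged into it on the next check in.
        branch = self._next_branch(wc.base)
        self.versions[branch] = Version(branch, wc.content, wc.base)
        self.working[user] = WorkingCopy(latest, list(wc.content), wc.exclusive, merging=branch)
        return "branch created, merge and check in again", branch

    def _next_branch(self, base: str) -> str:
        # first branch of 2 is 2.1; a branch taken from 2.1 is 2.1.1
        depth = base.count(".") + 1
        taken = sum(1 for n in self.versions if n.startswith(base + ".") and n.count(".") == depth)
        return f"{base}.{taken + 1}"

    def merge_arrows(self) -> List[Tuple[str, str]]:
        # (branch, main line) pairs: the red arrows of the Version Graph dialog box
        return [(v.merged_from, v.number) for v in self.versions.values() if v.merged_from]


def walkthrough() -> dict:
    # the chapter's example: check out Version 1 while Version 2 already exists
    repo = EntityRepository()
    repo.create(["permit ip 10.0.0.0 0.255.255.255 any"])           # constructed ACEs
    repo.check_in("alice")                                           # [1]
    repo.check_out("alice", "1")
    repo.check_in("alice", ["permit ip 10.0.0.0 0.255.255.255 any", "deny ip any any"])  # [2]
    repo.check_out("bob", "1")                                       # an older version: [1*]
    _, branch = repo.check_in("bob", ["permit ip 10.0.0.0 0.255.255.255 any",
                                      "permit tcp any any eq 22"])   # branch 1.1; bob now holds [2*]
    after_branch = repo.indicator("bob")
    merged = repo.working["bob"].content + ["deny ip any any"]       # take the main line ACE across
    _, mainline = repo.check_in("bob", merged)                       # [3]
    return {"branch": branch, "after_branch": after_branch, "mainline": mainline,
            "arrows": repo.merge_arrows(), "final": repo.indicator("bob")}


def exclusive_lock_blocks_others() -> bool:
    repo = EntityRepository()
    repo.create(["deny ip any any"])
    repo.check_in("alice")
    repo.check_out("alice", "1", exclusive=True)
    try:
        repo.check_out("bob", "1")
    except PermissionError:
        return True
    return False
```

The model makes two properties of the workflow explicit that matter when ACLs are the thing being versioned: a check in never silently overwrites a newer main line version (it is diverted into a branch and a second, merging check in is forced), and an exclusive check out is the only thing that stops two operators from both producing branches of the same ACL at once.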

Comparing an Entity with its Latest Version


You can compare the version of an entity that is in your window, with its latest
version in the versioning repository.
You can also compare any two versions of an entity (see Comparing Any Two
Versions of an Entity).


To compare the version of an entity in your window, with its latest version:

Procedure
Step 1

Select the required entity from its respective folder. For example, select an ACL
from the ACL Definitions folder.

Step 2

Select Versioning > Compare with Latest Version from the Main Menu of your
window.
The Version Diff Viewer opens (see Figure 10-13).

Step 3

For details of the Version Diff Viewer, see Using the Version Diff Viewer.

Step 4

Click OK.
The Version Diff Viewer closes.

Comparing Any Two Versions of an Entity


You can compare any two versions of an entity, using the Version Graph dialog
box (see Figure 10-10). See Viewing the Version Graph of an Entity for the
procedure to open this window.
You can also compare any two versions, using the Version History dialog box (see
Viewing the Versioning History of an ACL Manager Entity).
To compare any two versions of an entity:

Procedure
Step 1

Select the two versions in the Version Graph dialog box that you wish to
compare. To do this, hold down the Ctrl key and click on the versions.


Step 2

Click Diff.
The Version Diff Viewer opens (see Figure 10-13).
For details of the Version Diff Viewer, see Using the Version Diff Viewer.

Step 3

Click OK to exit.

Viewing Version Details of an Entity


You can view the details of an existing version of an entity in your window.
This version may not be the latest one in the versioning repository. To view the
latest version, see Getting the Latest Version of an Entity.
You can also view the details of a specific version of an entity (see Viewing
Details of a Specific Version of an Entity).
To view version details of an entity in your window:

Procedure
Step 1

Select the required entity from its respective folder. For example, select an ACL
from the ACL Definitions folder.

Step 2

Select Versioning > Version Details from the Main Menu of your window.
The Version Details window opens (see Figure 10-11). This window shows the
details of an ACL version.


Figure 10-11 The Version Details Window

The fields in the Version Details window are:

Entity Version
    Version number of the entity for which the details are displayed, and
    versioning state of the entity (checked in, checked out, etc.).

Entity Name or Number
    Number or name of the ACL Manager entity. This can be an ACL, ACL Use,
    Time Range, etc.

Entity Type
    Type of the entity. For example, in the case of ACLs this could be IP,
    IP Extended, etc.

Device
    Device on which the entity is present.

Created By
    User name of the creator of the version.

Created On
    Date on which the version was created.

Creator Comment
    Comments entered by the creator of the version.


There may be minor differences between the version details displayed for the
various entities. For example, in the case of Time Range version details, the Time
Range Type information does not appear, as this field is not applicable for Time
Ranges.
Step 3

Click OK to exit.

Viewing Details of a Specific Version of an Entity


You can view the details of a specific version of an entity in the versioning
repository.
Use the Version Graph dialog box to select the version and see its details. See
Viewing the Version Graph of an Entity for the procedure to open this window.
You can also view the details of an entity (see Viewing the Versioning History of
an ACL Manager Entity).
To view details of a specific version of an entity:

Procedure
Step 1

Click on the version you want to view in the Version Graph dialog box.

Step 2

Click Details.
The Version Details window opens (see Figure 10-11). For information on the
fields in the window, see Viewing Version Details of an Entity.

Step 3

Click OK to exit after you have viewed the details of the selected version.


Viewing the Versioning History of an ACL Manager Entity

You can view the versioning history of an ACL Manager entity.

Procedure
Step 1

Select the required entity from its respective folder. For example, select an ACL
from the ACL Definitions folder.

Step 2

Select Versioning > History from the Main Menu of your window.
The Version History dialog box opens (see Figure 10-12). This dialog box shows
the history of an ACL version.
Figure 10-12 Versioning History Dialog Box


If the selected entity is in the newly created state, then version history will not be
available for the entity. The following message appears:
Unable to view history.
Entity Name: This entity does not exist in the versioning database.
It may not have been checked in.

The entity (ACL, ACL use, or Time Range, etc.) and the name or number of the
entity are displayed as the heading of the Version History dialog box.
The fields in the Version History dialog box are:

Field            Description
Version          Version number of the entity.
Creator          User name of the creator of the version.
Created On       Date on which the version was created.
State            Versioning state of the ACL Manager entity: checked in or
                 checked out.
Parent Versions  Number of versions before this version.
Creator Comment  Comment by the user who created the version.

You can perform various versioning tasks on any of the versions of the entity,
using the buttons in the Version History dialog box (see Table 10-1 for details).
To see the Version Graph, click Version Graph.
If you click on a required version, the Get, Check Out, Delete, and Details buttons
are enabled.
The Diff button is enabled when you select two versions by holding down the Ctrl
key and clicking on them.


Using the Version Diff Viewer


The Version Diff Viewer displays the differences in versions of ACL Manager
entities.
The Version Diff Viewer dialog box appears when you click the Diff button in the
Version Graph or Version History dialog box.
In the case of an Out-of-Band change, the Version Diff Viewer appears when you
select options such as Show Out-of-band Changes or Diff/Merge with Out-of-Band
changes (for out-of-band entities other than ACLs).
In Figure 10-13, you see the differences between your version and the latest
version of an ACL.
Figure 10-13 Version Diff Viewer to Compare Versions

Your version of the entity appears in the left pane, and the version selected for
comparison, in the right pane.
In the case of an Out-of-Band change, the selected version of the entity appears
in the left pane, and the Out-of-Band version in the right pane.


The differences between the versions are represented as follows:

Change           Representation
Changed Lines    A change bar and red text.
Inserted Lines   A plus sign and green text.
Deleted Lines    A minus sign and blue text.
Unchanged Lines  Black text.

If your entity is an ACL, you can see the Logical View and the Physical View of
the ACL, by clicking on these tabs.
The Logical View shows an abstract or high-level view of the ACEs in the ACL.
Here, you see the names of hosts, templates, services, service classes, networks
or network classes used in the ACEs.
The Physical View is a low-level view, and maps to the IOS commands
corresponding to the ACE statements. The host names are resolved to IP
addresses, service names are replaced by port numbers, etc.
The concept of Logical and Physical views does not apply to the other entities;
for them, both tabs show the same contents.
The Previous Difference and the Next Difference icons allow you to navigate
between the differences.
Click OK to exit the Version Diff Viewer.
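The Logical and Physical views, and the changed/inserted/deleted marking above, are worth seeing in code, because the two views can disagree. The following is an added example, not ACL Manager's own code or a description of its internals: it resolves constructed host, network and service objects into their IOS form (the physical view), diffs two versions in both views, and flags the case a reviewer most needs to catch: an ACE whose logical text is unchanged but whose physical meaning moved because an object it refers to was redefined. The ACE format, the name tables, the three sample versions and every function name are assumptions.

```python
"""Diff two versions of an ACL in a logical (object names) and a physical
(resolved IOS text) view. Added example; not ACL Manager's own code."""
import difflib
from itertools import zip_longest
from typing import Dict, List, Tuple

# Constructed service table standing in for ACL Manager's service objects.
SERVICES = {"http": 80, "https": 443, "mysql": 3306, "ssh": 22}

def to_physical(ace: str, names: Dict[str, str]) -> str:
    """Render one logical ACE as the IOS text it maps to.
    'names' maps host/network object names to their IOS form
    (e.g. 'web1' -> 'host 10.1.1.10'); a service name after 'eq' becomes a port."""
    out, prev = [], ""
    for tok in ace.split():
        if tok in names:
            out.append(names[tok])
        elif prev == "eq" and tok in SERVICES:
            out.append(str(SERVICES[tok]))
        else:
            out.append(tok)
        prev = tok
    return " ".join(out)

def diff_lines(old: List[str], new: List[str]) -> List[str]:
    """Tag each line the way the Diff Viewer does:
    '+' inserted, '-' deleted, '|' changed (change bar), ' ' unchanged."""
    tagged = []
    for op, i1, i2, j1, j2 in difflib.SequenceMatcher(a=old, b=new).get_opcodes():
        if op == "equal":
            tagged += [" " + line for line in old[i1:i2]]
        elif op == "delete":
            tagged += ["-" + line for line in old[i1:i2]]
        elif op == "insert":
            tagged += ["+" + line for line in new[j1:j2]]
        else:  # 'replace': pair old and new lines; surplus lines are plain delete/insert
            for o, n in zip_longest(old[i1:i2], new[j1:j2]):
                tagged.append("+" + n if o is None else "-" + o if n is None else "|" + n)
    return tagged

Version = Tuple[List[str], Dict[str, str]]   # (logical ACEs, object name table)

def diff_versions(old: Version, new: Version) -> Tuple[List[str], List[str]]:
    """Return (logical diff, physical diff) for two versions of an ACL."""
    (old_aces, old_names), (new_aces, new_names) = old, new
    logical = diff_lines(old_aces, new_aces)
    physical = diff_lines([to_physical(a, old_names) for a in old_aces],
                          [to_physical(a, new_names) for a in new_aces])
    return logical, physical

def has_hidden_change(old: Version, new: Version) -> bool:
    """True when the logical view is identical but the physical view differs:
    an object the ACE refers to (e.g. a host's address) changed underneath it."""
    logical, physical = diff_versions(old, new)
    return all(l[0] == " " for l in logical) and any(p[0] != " " for p in physical)

# Constructed sample versions of one ACL.
NAMES_V1 = {"web1": "host 10.1.1.10", "db1": "host 10.1.2.20",
            "corp": "10.0.0.0 0.255.255.255"}
NAMES_V2 = dict(NAMES_V1, mgmt="host 10.9.0.5")
NAMES_V3 = dict(NAMES_V2, web1="host 10.1.1.11")        # only the object moved
V1: Version = (["permit tcp corp web1 eq http",
                "permit tcp corp db1 eq mysql",
                "deny ip any any"], NAMES_V1)
V2: Version = (["permit tcp corp web1 eq https",        # changed line
                "permit tcp mgmt db1 eq mysql",         # inserted line
                "permit tcp corp db1 eq mysql",
                "deny ip any any"], NAMES_V2)
V3: Version = (V2[0], NAMES_V3)                         # same ACE text as V2

if __name__ == "__main__":
    for label, (a, b) in {"v1->v2": (V1, V2), "v2->v3": (V2, V3)}.items():
        logical, physical = diff_versions(a, b)
        print(f"== {label} logical ==\n" + "\n".join(logical))
        print(f"== {label} physical ==\n" + "\n".join(physical))
        print("hidden change:", has_hidden_change(a, b))
```

The v2 to v3 comparison is the point: the Logical tab shows every line unchanged, while the Physical tab shows a changed line, so an approver who reads only the logical view would miss that the permitted host is now a different address.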


Chapter 11

Approving or Rejecting Changes


ACL Manager, through its change approval mechanism, enables authorized users
to approve or reject ACL-related changes.

Note

This feature is available only if you enabled Role-based Access Control when
installing ACL Manager. To configure Role-based Access Control, see the
Installation Guide for ACL Manager.
To enable change approval, see Enabling or Disabling Change Approval.
If you have not enabled this, see Chapter 15, Enabling Job Approval.
To receive change approval e-mail notifications on a Windows server, set the
SMTP server using Resource Manager > System Configuration.
On Solaris, your machine acts as the SMTP server, so e-mail notifications are
sent by default if the SMTP daemon is running.
Change approval can be enabled in ACL Manager, as needed, for ACLs and for job
downloads. For ACL or template modifications, change approval, if enabled,
becomes compulsory when the ACL or template does not comply with a policy. For
more details, see the topic Mandating Policy Verification in Chapter 11.
Changes are version controlled in ACL Manager. After the changes are made, the
checked out entities can be passed through the change approval process before
they are checked into the versioning system. That is, authorized approvers can
validate changes proposed to entities, such as ACLs, before these changes are
implemented.


A job definition goes through the change approval process if you have
configured ACL Manager for change approval.
Jobs scheduled for immediate download do not go through the change approval
process; an immediately downloaded job therefore reaches the device without
passing through an approver.
If a job has been defined but not scheduled, the deadline for change approval is
indefinite.
When a change is submitted, approvers (users authorized to approve changes) will
be notified about the change requests by e-mail. Similarly, users who have
submitted change requests for approval will be notified by e-mail after their
change requests have been processed (either approved or rejected).
These topics describe change approval processing in ACL Manager:

Processing Change Requests

Viewing Processed Changes

Enabling or Disabling Change Approval

Processing Change Requests


A change request can comprise one or more changes grouped together for
approval by either a single approver, or multiple approvers. Each change request
has a unique Change Request ID assigned to it for reference.
You will be notified of the change requests that you are authorized to process, by
e-mail (see E-mail Notification of Change).
These topics describe how to process change requests:

Viewing Pending Change Requests

Approving or Rejecting Change Requests

Viewing Details of a Changed Entity

Your login determines whether you can use these options.


Viewing Pending Change Requests


You can view all the change requests that are pending your processing.

Procedure
Step 1

To view a summary of pending change requests, select Administration > Change
Approval > Approve/Reject Changes from ACL Manager.
The Pending Changes wizard opens (see Figure 11-1).
Figure 11-1 The Pending Changes Window


The Pending Changes wizard displays this information:

Field         Description
Priority      Priority level of the change request: High, Medium or Low.
Change ID     Unique number assigned to the change request at submission time.
Submitter     Login ID of the user who submitted the change request.
Submitted At  Date and time the change request was submitted.
Process By    Last date and time on or before which the change request has to be
              approved by the approvers.
Status        Pending or Partial.
              Pending: the change request is yet to be processed.
              Partial: the change request is configured to be processed by more
              than one approver and only some of them have completed processing.
Comments      Description of the change, entered by the user who submitted the
              request.

Step 2

Highlight a change request and click Next to process it. You can select only one
change request at a time.
The Approve or Reject Changes window opens (see Figure 11-2).
See the topic Approving or Rejecting Change Requests for information on
approving or rejecting changes.


Approving or Rejecting Change Requests


When you select a change request in the Pending Changes window (see
Figure 11-1), and click Next, the Approve or Reject Changes dialog box opens
(see Figure 11-2).
To view the details of the changed entities within the change request, before
processing them, click Entity Details (see Viewing Details of a Changed
Entity).
To view more details of a change, click Change Details.
Figure 11-2 Approve or Reject Changes Window


The fields in the Approve or Reject Changes dialog box are:

Field                  Description
Change ID              Unique number assigned to the change at submission time.
Priority               Priority level of the change approval: High, Medium or Low.
Status                 Pending or Partial.
                       Pending: the change request is yet to be processed.
                       Partial: the change request is configured to be processed
                       by more than one approver and only some of them have
                       completed processing.
Submitter              Login ID of the user who submitted the change request.
Change Type            Type of change: ACL Modification, ACL Download, etc.
Submitted At           Date and time of submission of the change.
Process By             Date and time by which the change approval request expires
                       if it has not been approved by all the approvers. When the
                       request expires, it has to be re-submitted for approval,
                       if required.
Submitter Comments     Comments about the change request, entered by the user who
                       submitted the change.
Changed Entities       Entities that have undergone the change: ACL, ACL Use,
                       Time Range, Template, etc. There can be more than one
                       changed entity in a change request.
Changed Entity Status  Status of the changed entity: Pending, Approved, or
                       Rejected.
Action                 Select Approve to approve the change; otherwise select
                       Reject.
Approver Comments      Enter your comments regarding the approval or rejection
                       of the changes. Comments are optional.


To process the changes:

Procedure
Step 1

Highlight a Changed Entity within the Changed Entities table (see Figure 11-2),
and select either Approve or Reject.
You can select more than one Changed Entity from the table for processing.

Step 2

Click Finish.
The status of the change request is updated accordingly (see Change Request
Status).

Change Request Status


Change requests can be in any of these states:

Status    Description
Pending   Change request is not processed yet.
Partial   Change request is configured to be processed by more than one Approver
          Group, and not all groups have completed the processing.
Approved  All the changes within the change request are approved.
Rejected  Change request is rejected. If a change request has to be processed by
          more than one Approver Group, and even one of them rejects a change,
          the overall status is Rejected.
Expired   Change request is past the last date by which it had to be processed.
          The request is treated as rejected and has to be put up for processing
          once again, if required.

When all the changes within a change request are approved, the user who had put
up the change request for approval will receive an auto-generated email indicating
that the request has been approved (see E-mail Notification of Change).
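The status rules in this section (one rejection rejects the whole request, every entity approved approves it, a missed Process By deadline expires it, and several approver groups give Partial in between) are concise enough to model and test. The following is an added example, not ACL Manager's own code: a small state machine that records each approver's decision per changed entity and approver group, refuses decisions from users outside the group, and derives the Change Request Status from the entity statuses and the deadline. The class names, the group membership table and the sample request are constructed; the separation-of-duties check on the submitter is an assumption not stated in this guide.

```python
"""Change-request approval state machine. Added example; not ACL Manager's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class Decision:
    approver: str
    action: str                    # "Approve" or "Reject"
    comment: str = ""              # Approver Comments are optional, as in the dialog
    at: Optional[datetime] = None

@dataclass
class ChangedEntity:
    name: str                                  # e.g. "ACL 101 on rtr-edge-1"
    approver_groups: List[str]                 # every listed group must decide
    decisions: Dict[str, Decision] = field(default_factory=dict)   # group -> decision

    def status(self) -> str:
        """Changed Entity Status: Pending, Partial, Approved or Rejected."""
        if any(d.action == "Reject" for d in self.decisions.values()):
            return "Rejected"
        if len(self.decisions) == len(self.approver_groups):
            return "Approved"
        return "Partial" if self.decisions else "Pending"

@dataclass
class ChangeRequest:
    change_id: int
    submitter: str
    priority: str                            # High, Medium or Low
    submitted_at: datetime
    process_by: Optional[datetime]           # None: job defined but not scheduled, no deadline
    entities: List[ChangedEntity]
    group_members: Dict[str, List[str]]      # approver group -> login IDs (from RBAC)

    def status(self, now: datetime) -> str:
        """Change Request Status derived from the entity statuses and the deadline."""
        states = [e.status() for e in self.entities]
        if "Rejected" in states:             # one rejection rejects the whole request
            return "Rejected"
        if all(s == "Approved" for s in states):
            return "Approved"
        if self.process_by is not None and now > self.process_by:
            return "Expired"                 # treated as rejected; must be re-submitted
        return "Partial" if any(s != "Pending" for s in states) else "Pending"

    def decide(self, approver: str, group: str, entity_name: str, action: str,
               comment: str = "", now: Optional[datetime] = None) -> str:
        """Record one approver's decision on one changed entity and return the new
        request status. Every authorisation check runs before anything is recorded."""
        now = now or datetime.now()
        if action not in ("Approve", "Reject"):
            raise ValueError("action must be Approve or Reject")
        current = self.status(now)
        if current in ("Approved", "Rejected", "Expired"):
            raise ValueError(f"change {self.change_id} is already {current}")
        if approver not in self.group_members.get(group, []):
            raise PermissionError(f"{approver} is not a member of approver group {group}")
        if approver == self.submitter:       # separation of duties: assumption, not in the guide
            raise PermissionError("the submitter may not approve their own change")
        entity = next((e for e in self.entities if e.name == entity_name), None)
        if entity is None or group not in entity.approver_groups:
            raise ValueError(f"{group} does not approve {entity_name!r} in this request")
        if group in entity.decisions:
            raise ValueError(f"{group} has already processed {entity_name!r}")
        entity.decisions[group] = Decision(approver, action, comment, now)
        return self.status(now)

    def recipients(self) -> List[str]:
        """Who is e-mailed on submit/approve/reject/expire: submitter plus every approver."""
        approvers = {m for e in self.entities for g in e.approver_groups
                     for m in self.group_members.get(g, [])}
        return sorted({self.submitter} | approvers)

# Constructed sample: one request touching two entities, with two approver groups.
T0 = datetime(2004, 3, 1, 9, 0)
T_LATE = T0 + timedelta(days=3)             # after the Process By deadline below

def sample_request() -> ChangeRequest:
    return ChangeRequest(
        change_id=42, submitter="alice", priority="High", submitted_at=T0,
        process_by=T0 + timedelta(days=2),
        entities=[ChangedEntity("ACL 101 on rtr-edge-1", ["netsec", "netops"]),
                  ChangedEntity("ACL Use FastEthernet0/0 in", ["netops"])],
        group_members={"netsec": ["bob"], "netops": ["carol", "dave"]},
    )

if __name__ == "__main__":
    cr = sample_request()
    print(cr.decide("bob", "netsec", "ACL 101 on rtr-edge-1", "Approve", now=T0))
    print(cr.decide("carol", "netops", "ACL Use FastEthernet0/0 in", "Approve", now=T0))
    print(cr.decide("dave", "netops", "ACL 101 on rtr-edge-1", "Approve", now=T0))
    print(sample_request().status(T_LATE), sample_request().recipients())
```

Note that the membership check happens before the decision is stored and that an expired request refuses further decisions, which is the behaviour the Expired row above describes: the request has to be submitted again rather than quietly approved late.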


Viewing Details of a Changed Entity


To view the details of a specific changed entity within a change request, before
approving or rejecting it, use the Approve or Reject Changes window
(see Figure 11-2 in Approving or Rejecting Change Requests).

Procedure
Step 1

Highlight a changed entity within the Changed Entities table in the Approve or
Reject Changes window and click Entity Details.
The Changed Entity Details window opens (see Figure 11-3).
Figure 11-3 The Changed Entity Details Window


The fields in the Changed Entity Details window are:

Field           Description
Changed Entity  ID of the entity that has been changed. This could be a specific
                ACL on a device, a template, etc.
Status          Overall state of the changed entity:
                Pending: the change request is yet to be processed.
                Partial: the change request is configured to be processed by more
                than one approver and only some of them have completed processing.
                Approved.
                Rejected.
Approver Group  Select the Approver Group, if the user who requested the change
                specified multiple approver groups.
Status          Processing status of the changed entity for the selected Approver
                Group (pending, approved, or rejected), if multiple Approver
                Groups have been specified.
Email           Email ID of the Approver belonging to the selected Approver
                Group, displayed if the change request status is approved or
                rejected. This field is blank if the change is yet to be
                processed.
Name            Login ID of the Approver belonging to the selected Approver
                Group, displayed if the change request status is approved or
                rejected. This field is blank if the change is yet to be
                processed.


Time            If the change request has already been approved or rejected by
                an Approver from the selected Approver Group, the time of
                approval is displayed. If not, this field is blank.
Comments        Comments entered by the Approver at the time of change approval
                or rejection. This field is blank if the change is yet to be
                processed.

Step 2

Click Back to return to the Approve or Reject Changes window (see Figure 11-2).

Step 3

Click Finish after selecting the Approve or Reject radio button.


The status of the change request is updated accordingly (see Change Request
Status).


Viewing Processed Changes


You can view all the change requests that have been processed.
To view a summary of processed change requests:

Procedure
Step 1

Select Administration > Change Approval > Processed Changes from ACL
Manager.
The Processed Changes window opens (see Figure 11-4).
Figure 11-4 The Processed Changes Window


The Processed Changes window displays this information:

Field         Description
Priority      Priority level of the change request: High, Medium or Low.
Change ID     Unique number assigned to the change request at submission time.
Submitter     Login ID of the user who submitted the change request.
Submitted At  Date and time the change request was submitted.
Process By    Last date and time on or before which the change request had to be
              approved by the approvers.
Status        Approved, Rejected, or Expired (the change request is past the last
              date and time by which it had to be processed).
Comments      Description of the change, entered by the user who submitted the
              request.

Step 2

Highlight a processed change request and click Next to view it. You can select
only one change request at a time.
The Approve or Reject Changes window opens with the details of the Processed
Change (see Figure 11-2). For information displayed in the fields in this window,
see Approving or Rejecting Change Requests.
To view more details of each processed changed entity, within the change request,
in the Approve or Reject Changes window, highlight a Changed Entity and click
Details.
The Changed Entity Details window opens (see Figure 11-3). For information
displayed in the fields in this window, see Viewing Details of a Changed Entity.


E-mail Notification of Change


An e-mail notification is automatically generated and sent to the e-mail IDs of
the user who submitted the change and of the approvers each time a change request is:

Submitted

Approved

Rejected

Expired

The e-mail displays this information:

Field               Description
Change ID           Unique number assigned to the change request at submission
                    time.
Status              Pending, Approved, Rejected, or Expired (the change request
                    is past the last date and time by which it had to be
                    processed).
Priority            Priority level of the change request: High, Medium or Low.
                    The High and Low levels have priority icons against them;
                    the Medium level does not.
Submitter ID        Login ID of the user who submitted the change request.
Submitter Email     Email ID of the user who submitted the change.
Submission Time     Date and time the change request was submitted.
Expiry Time         Last date and time on or before which the change request
                    has to be approved by the approvers.
Grouping Type       Tight Grouping or Loose Grouping.


Submitter Comments  Description of the change, entered by the user who submitted
                    the request.
Approver Group      Approver Group for the changed entity.
Approver            Approver within the specified Approver Group.
Approver Comments   Comments entered by the approver, if the change has been
                    processed. The field is blank if the change request has
                    expired.
Status              Status for the specified Approver Group, if more than one
                    Approver Group is assigned to the changed entity.

Enabling or Disabling Change Approval


You can enable or disable change approval for various features in ACL Manager,
using the Change Approval Policy dialog box.

Procedure
Step 1

Select Administration > Change Approval > Configure Change Approval from
ACL Manager.
The Change Approval Policy dialog box opens (see Figure 11-5).


Figure 11-5 Change Approval Policy Dialog Box

Step 2

To enable change approval processing for the required features, select their
check boxes.

To disable change approval processing for the required features, uncheck the
boxes against the features.

Click Next.
A message appears that your change is successfully updated for the selected
feature.

After you enable change approval, ensure that you specify the approvers using
the Role-based Access Control feature of ACL Manager (see Chapter 9, Populating
ACL Manager with Role-based Data).


Chapter 12

ACL Manager Use Wizard


This chapter describes how to:

Create ACLs from previously created templates. See:


Applying an ACL Template to a Specific Device
Applying an ACL Template to Multiple Devices

Define Uses for previously created ACLs, or ACLs that have been newly
created from templates. See:
Defining ACL Uses

Defining ACL Uses


From the ACL Manager Main Window, you can use the Use ACL wizard to apply
device ACLs to control packet filtering, line access, SNMP community access,
SNMP TFTP server, and VLAN packet filtering.
Packet filtering, line access, SNMP community access, and SNMP TFTP server
are applicable to Router ACLs.
VLAN packet filtering is applicable to VACLs.
You can define a Use for an ACL by:
Step 1

Defining an ACL Use with the Use ACL Wizard.

Step 2

Selecting Interfaces, Lines, SNMP Community Settings or VLANS.

Defining ACL Uses

Step 3

Completing the Use ACL Wizard Summary.

Step 4

Displaying Use ACL Wizard Results.

To create a Use, in your left pane of the ACL Manager Main Window, right-click
on the ACL to be applied, then select Use ACL.
The Use Selection window appears (see Figure 12-1).
You can also display the ACL Use Selection dialog box by clicking the Create
Uses button in the ACL Results dialog box.

Defining an ACL Use with the Use ACL Wizard


To define an ACL Use with the Use ACL Wizard:

Procedure
Step 1

If you have created or selected an IOS ACL (see Figure 12-1), select one of
these from the Use Selection window:

Packet Filtering

Line Access

SNMP Community Access

SNMP TFTP Server.

If the ACL created or selected is a VACL, select VLAN Packet Filtering from the
Use Selection window. (In such a case, the Use Selection window displays only
VLAN Packet Filtering).


Figure 12-1 Use Selection

Step 2

Click Next.
Based on your Use selection in Step 1, one of these dialog boxes is displayed:

Interface Selection dialog box, if you selected Packet Filtering (see Selecting
Interfaces for Packet Filtering with the Use ACL Wizard).

Line Selection dialog box, if you selected Line Access (see Selecting Lines for
Line Access with the Use ACL Wizard).

SNMP Community Settings dialog box, if you selected SNMP Community Access (see
SNMP Community Settings with the Use ACL Wizard).

Summary dialog box, if you selected SNMP TFTP Server (see Completing the Use ACL
Wizard Summary).

VLAN Selection dialog box, if you selected VLAN Packet Filtering (see Selecting
VLANs for VLAN Packet Filtering with Use ACL Wizard).


Selecting Interfaces, Lines, SNMP Community Settings or VLANS


Based on your selection of the ACL Use in the Use ACL window, you can specify
the following for the Use that you want to create:

Interfaces. (See Selecting Interfaces for Packet Filtering with the Use ACL
Wizard).

Lines. (See Selecting Lines for Line Access with the Use ACL Wizard).

SNMP Community Settings. (See SNMP Community Settings with the Use
ACL Wizard).

VLANs. (See Selecting VLANs for VLAN Packet Filtering with Use ACL
Wizard).

Selecting Interfaces for Packet Filtering with the Use ACL Wizard
To select interfaces for packet filtering:

Procedure
Step 1

From the Interface Selection window, (see Figure 12-2), select the incoming (In)
and outgoing (Out) interfaces of the device for which you are defining the Use.


Figure 12-2 Interface Selection

Alternatively, instead of manually selecting the In and Out interfaces, you can
select either or both of these options:

Apply on all interfaces of this device in in direction starting with: applies
the ACL on all or the selected interfaces of the device, in the incoming
direction.
To select the interfaces, enter the starting characters of the interface name in
this text field. The ACL will be applied, in the incoming direction, on all
interfaces of the device whose names start with the string you specified. For
example, enter Fast in the text field to apply the ACL on all the FastEthernet
interfaces of the device, in the incoming direction.
To apply the ACL on all the interfaces in the incoming direction, enter * in
the text field.


Apply on all interfaces of this device in out direction starting with: applies
the ACL on all or the selected interfaces of the device, in the outgoing
direction.
To select the interfaces, enter the starting characters of the interface name in
this text field. The ACL will be applied, in the outgoing direction, on all
interfaces of the device whose names start with the string you specified. For
example, enter Eth in the text field to apply the ACL on all the Ethernet
interfaces of the device, in the outgoing direction.
To apply the ACL on all the interfaces in the outgoing direction, enter * in
the text field.


Step 2

Click Next to display the Summary dialog box (see Completing the Use ACL
Wizard Summary).

Selecting Lines for Line Access with the Use ACL Wizard
Procedure
Step 1

From the Line Selection window (see Figure 12-3), select the incoming (In) and
outgoing (Out) lines to which you want to apply the ACL.


Figure 12-3 Line Selection

Alternatively, instead of manually selecting the In and Out lines, you can
select either or both of these options:

Apply on all lines of this device in in direction starting with: applies the
ACL on all or the selected lines of the device, in the incoming direction.
To select the lines, enter the starting characters of the line name in this
text field. The ACL will be applied, in the incoming direction, on all lines of
the device whose names start with the string you specified. For example, enter
au in the text field to apply the ACL on all the aux lines of the device, in
the incoming direction.
To apply the ACL on all the lines in the incoming direction, enter * in the
text field.

Apply on all lines of this device in out direction starting with: applies the
ACL on all or the selected lines of the device, in the outgoing direction.


To select the lines, enter the starting characters of the line name in this
text field. The ACL will be applied, in the outgoing direction, on all lines of
the device whose names start with the string you specified. For example, enter
vt in the text field to apply the ACL on all the vty lines of the device, in
the outgoing direction.
To apply the ACL on all the lines in the outgoing direction, enter * in the
text field.
Step 2

Click Next to display the Summary dialog box (see Completing the Use ACL
Wizard Summary).

SNMP Community Settings with the Use ACL Wizard


Procedure
Step 1

In the SNMP Community Settings dialog box (see Figure 12-4), enter the
Community String. This is a mandatory field.


Figure 12-4 SNMP Community Access Settings

Step 2

Enter the View Name. This is an optional field.


You should provide a view name that already exists on the device.
For some IOS versions, if you specify a view name that does not exist on the
device, the view name does not get created, and the download fails.

Step 3

Select Access Type. By default, Access Type is read only. You can select
Read/Write mode if required.

Step 4

Click Next.
The Summary dialog box appears for the selections made for this ACL (see
Completing the Use ACL Wizard Summary).


Selecting VLANs for VLAN Packet Filtering with Use ACL Wizard
Procedure
Step 1

Select the VLAN(s) for the device from the VLAN Selection dialog box (see
Figure 12-5).
Figure 12-5 VLAN Selection

Step 2

Click Next.
The Summary dialog box appears (see Completing the Use ACL Wizard
Summary).


Completing the Use ACL Wizard Summary


The Summary dialog box (see Figure 12-6) displays the selections of interfaces
made for the ACL that will be applied to the device.
Figure 12-6 Summary

Procedure
Step 1

From the Summary dialog box, select Check out and Overwrite Latest Version
of Existing ACL Uses? to automatically check out and overwrite the latest
version of an existing ACL Use on any of the following:

Selected interfaces on the device (for packet filtering)

Selected lines on the device (for line access)

SNMP Community String on the device (for SNMP Community Settings)


SNMP TFTP Server list on the device (for SNMP TFTP Server)

VLAN on the device (for VLAN Packet Filtering)

Step 2

Click Finish to display the Results window (see Displaying Use ACL Wizard
Results).

Displaying Use ACL Wizard Results


The Results window displays the results of creating the Use on the selected
interfaces (for packet filtering) or lines (for line access) or device (for SNMP
Community Access and SNMP TFTP Server) or VLAN (for VLAN Packet
Filtering).
The Use Creation field displays either:

OK, if the ACL Use is successfully created on the selected interfaces, lines or
devices, or

Failed, if the ACL Use cannot be created on the selected interfaces, lines or
devices.

Procedure
Step 1

Examine the Results window (see Figure 12-7).


Figure 12-7 Use ACL Results

Step 2

Click Close to exit the Use ACL wizard.


If you had selected:

Packet Filtering The ACL is now installed for Packet filtering on the
specified interfaces.

Line Access The ACL is now installed for Line access on the specified
lines.

SNMP Community Access The ACL is now installed for the device.

SNMP TFTP Server list The ACL is now installed for the device.

VLAN Packet Filtering The ACL is now installed for the selected VLAN.

If you want to check the Use statements, go to the ACL Manager Main Window
and navigate to:

Interfaces: for packet filtering

Lines: for line access

Global: for SNMP Community settings and SNMP TFTP server

VLANs: for VLAN packet filtering

To invoke the ACL Use Selection dialog box again, you can click Create Uses.
See Defining an ACL Use with the Use ACL Wizard.

Applying an ACL Template to a Specific Device


From the ACL Manager Main Window, you can create an ACL from an existing
template on a specific device, using the Template Use Wizard.
You can use this wizard to create Uses for the newly created ACLs, as follows:

Packet filtering: on selected interfaces

Line access: on selected lines

SNMP community access: on selected VLANs

SNMP TFTP server: on selected VLANs

VLAN packet filtering: on selected VLANs

For more information on templates, see Chapter 6, Using the Template Manager.
You can create an ACL from an existing template on a specific device, and create
a Use for it by:
Step 1

Selecting a Template with the Template Use Wizard.

Step 2

Selecting a Device.

Step 3

Displaying ACL Creation Results (Single Device).

Step 4

Defining an ACL Use with the Use ACL Wizard.

In the ACL Manager Main Window, select the device on which you want to create
an ACL, from the template, then select Apply Template.
The Template Selection window appears (see Figure 12-8).


Selecting a Template with the Template Use Wizard


Procedure
Step 1

From the Template Selection window (see Figure 12-8), select the template to be
applied.
Figure 12-8 Template Selection

If you want to view the contents of the template, click Expand. The expanded
template appears in the ACE Expanded window (see Figure 12-9).


Figure 12-9 Expanded Template

Click Close when you are finished, to exit the ACE Expanded window.
Step 2

Click Next, in the Template Selection window.


The Device Selection dialog box appears with the selected device highlighted (see
Selecting a Device).

Selecting a Device
Procedure
Step 1

In the Device Selection dialog box (see Figure 12-10), the device that you selected
in the ACL Manager Main Window, for applying the template, is highlighted.


Figure 12-10 Device Selection

Step 2

Check out an existing ACL or create a new ACL:

To automatically check out the latest version of an existing ACL, select
Checkout Latest Version ACL And. After selecting this option, you should also
choose one of these options:

Prepend to ACL: adds the new ACL at the beginning of the existing ACL.

Append to ACL: adds the new ACL at the end of the existing ACL.

Overwrite the ACL: overwrites the existing ACL with the one that you are
creating.

To create a new ACL, either:

Select Autonumber the New ACL to generate a number automatically for the new
ACL. This option is selected by default.

or

Deselect Autonumber the New ACL and enter the ACL name or number in the ACL
name or number text field.


Step 3

Click Finish.
The ACL Results window appears, with the details of the ACL that you have
created (see Displaying ACL Creation Results (Single Device)).

Displaying ACL Creation Results (Single Device)


The ACL Creation Results dialog box (see Figure 12-11) displays the details of
the ACLs that you have created by applying a template.


Figure 12-11 Apply Template to Device

Click Close if you only want to create an ACL out of the template.
or

Click Create Uses to create Uses for such newly created ACLs.

When you click the Create Uses button, the Selection dialog box (Figure 12-1)
appears. (See Defining an ACL Use with the Use ACL Wizard).
For the complete workflow to create Uses for packet filtering, line access, SNMP
Community Access, SNMP TFTP Server or VLAN filtering, see the section,
Defining ACL Uses.


Applying an ACL Template to Multiple Devices


From the ACL Manager Main Window, you can create an ACL from an existing
template on multiple devices, using the Template Use Wizard.
If you have not yet started ACL Manager, to open the ACL Manager Main
Window, see these topics in Chapter 3:

Starting ACL Manager

Populating the Devices Folder

If you are already in ACL Manager Main Window, display the Template Selection
Window by selecting Tools > ACL Use Wizard from the ACL Manager Main
Window.
You can apply a template to multiple devices by:
Step 1

Selecting a Template.

Step 2

Selecting the Devices.

Step 3

Displaying ACL Creation Results (Multiple Devices).

Step 4

Defining ACL Uses for Multiple Devices.

For more information on templates, see Chapter 12, Using the Template Manager.

Selecting a Template
Procedure
Step 1

From the Template Selection dialog box (see Figure 12-8), select the template to
be applied.
If you want to see the contents of the template, click Expand.
The ACE Expanded dialog box appears with the details of the expanded template
(see Figure 12-9).
Click Close when you are finished in the ACE Expanded dialog box.


Step 2

Click Next in the Template Selection dialog box.


The Device Selection dialog box appears with the selected device highlighted (see
Selecting the Devices).

Selecting the Devices


Procedure
Step 1

From the Device Selection window (see Figure 12-12), select the required devices
to which the template will be applied.
Figure 12-12 Devices Selection


Step 2

Check out an existing ACL or create a new ACL:

To automatically check out the latest version of an existing ACL, select
Checkout Latest Version ACL And. After selecting this option, you should also
choose one of these options:

Prepend to ACL: adds the new ACL at the beginning of the existing ACL.

Append to ACL: adds the new ACL at the end of the existing ACL.

Overwrite the ACL: overwrites the existing ACL with the one that you are
creating.

To create a new ACL, either:

Select Autonumber the New ACL to generate a number automatically for the new
ACL. This option is selected by default.

or

Deselect Autonumber the New ACL and enter the ACL name or number in the ACL
name or number text field.

Step 3

Click Finish.
The ACL Results dialog box appears, with the details of the ACLs that you have
created (see Displaying ACL Creation Results (Multiple Devices)).

Displaying ACL Creation Results (Multiple Devices)


The Results dialog box displays the results of the ACLs that you have created by
applying the template on multiple devices.


Procedure
Step 1

View the results of the ACL creation, in the Results dialog box (see Figure 12-13).
Figure 12-13 ACL Creation Results

The ACL Creation field displays Failed if the ACL was not created successfully.
Otherwise, it displays OK.

OK: if the ACL is successfully created on the selected interface or lines or
devices.

or

Failed: if the ACL cannot be successfully created on the selected interface
or lines or devices.


Step 2

Either:

Click Close to exit the Results dialog box, after creating ACLs out of the
template,
or

Click Create Uses to create Uses for the newly created ACLs.

The Use Selection dialog box appears (see Figure 12-1). For details, see Defining
ACL Uses for Multiple Devices.

Defining ACL Uses for Multiple Devices


Procedure
Step 1

If you have created or selected an IOS ACL (see Figure 12-1), select one of these
from the Use Selection window:

Packet Filtering

Line Access

SNMP Community Access

SNMP TFTP Server

If you have created or selected a VACL, select VLAN Packet Filtering from the
Use Selection window. (In such a case, the Use Selection window displays only
VLAN Packet Filtering).
Step 2

Click Next.
Based on your Use selection in Step 1, one of the following dialog boxes is
displayed:

Interface Selection dialog box: if you selected Packet Filtering (see
Selecting Interfaces with the Template Use Wizard).

Line Selection dialog box: if you selected Line Access (see Selecting Lines
with the Template Use Wizard).

SNMP Community Setting dialog box: if you selected SNMP Community Access (see
SNMP Community Settings with the Template Use Wizard).

Summary dialog box: if you selected SNMP TFTP Server (see Completing the Use
ACL Wizard Summary). The summary will appear for all the selected devices.

VLAN Selection dialog box: if you selected VLAN Packet Filtering (see
Selecting VLANs for VLAN Packet Filtering with Template Use Wizard).

Step 3

View the Summary. (See Completing the Use ACL Wizard Summary).

Step 4

Display the results for the ACL Uses.


If you had selected:

Packet Filtering: the ACL is now installed for packet filtering on the
specified interfaces on the selected devices.

Line Access: the ACL is now installed for line access on the specified lines
on the selected devices.

SNMP Community Access: the ACL is now installed for the selected devices.

SNMP TFTP Server list: the ACL is now installed for the selected devices.

VLAN Packet Filtering: the ACL is now installed for the selected VLAN on the
selected devices.

Selecting Interfaces with the Template Use Wizard


Procedure
Step 1

From the Interface Selection window for the first device, select the incoming (In)
and outgoing (Out) interfaces of the device.


Figure 12-14 Selecting Interfaces

To select the same interfaces on all subsequent devices, select Treat all
subsequent devices similar to this device? If you select this option and
subsequent devices do not have the specified interfaces, the subsequent devices
will be skipped.
Alternatively, instead of manually selecting the In and Out interfaces, you can
select either or both of these options:

Apply on all interfaces of this device in "in" direction starting with: applies
the template on all, or the selected, interfaces of the device in the incoming
direction. To select the interfaces, enter the starting characters of the
interface name in this text field. The template will be applied on all incoming
interfaces of the device whose names start with the string that you have
specified. For example, enter Fast in the text field to apply the template on
all the FastEthernet interfaces of the device, in the incoming direction. To
apply the template on all the interfaces in the incoming direction, enter * in
the text field.

Apply on all interfaces of this device in "out" direction starting with: applies
the template on all, or the selected, interfaces of the device in the outgoing
direction. To select the interfaces, enter the starting characters of the
interface name in this text field. The template will be applied on all outgoing
interfaces of the device whose names start with the string that you have
specified. For example, enter Eth in the text field to apply the template on
all the Ethernet interfaces of the device, in the outgoing direction. To apply
the template on all the interfaces in the outgoing direction, enter * in the
text field.

If you also select Treat all subsequent devices similar to this device? along with
one or both the above options, then the template will be applied on all the
subsequent devices, for all the interfaces existing on those devices. Also see
Using the Use Wizard to Address Vulnerability in Your Network: Example.
Step 2

Click Next.
The Summary dialog box appears (see Completing the Use ACL Wizard
Summary).

Selecting Lines with the Template Use Wizard


Procedure
Step 1

From the Line Selection window for the first device, select the incoming (In) and
outgoing (Out) lines of the device to which the template will be applied.


Figure 12-15 Selecting Lines

To select the same lines on all subsequent devices, select Treat all subsequent
devices similar to this device? If you select this option and subsequent devices
do not have the specified lines, the subsequent devices will be skipped.
Alternatively, instead of manually selecting the In and Out lines, you can
select either or both of these options:

Apply on all lines of this device in "in" direction starting with: applies the
template on all, or the selected, lines of the device in the incoming
direction. To select the lines, enter the starting characters of the line in
this text field. The template will be applied on all incoming lines of the
device that start with the string that you have specified. For example, you
can enter au in the text field to apply the template on all the aux lines of
the device, in the incoming direction. To apply the template on all the lines
in the incoming direction, enter * in the text field.

Apply on all lines of this device in "out" direction starting with: applies
the template on all, or the selected, lines of the device in the outgoing
direction. To select the lines, enter the starting characters of the line in
this text field. The template will be applied on all outgoing lines of the
device that start with the string you have specified. For example, you can
enter vt in the text field to apply the template on all the vty lines of the
device, in the outgoing direction. To apply the template on all the lines in
the outgoing direction, enter * in the text field.

If you also select Treat all subsequent devices similar to this device? along with
one or both the above options, then the template will be applied on all the
subsequent devices, for all the lines existing on those devices. Also see Using the
Use Wizard to Address Vulnerability in Your Network: Example.
Step 2

Click Next.
The Summary dialog box appears (see Completing the Use ACL Wizard
Summary).

SNMP Community Settings with the Template Use Wizard


Procedure
Step 1

Enter the Community String. This is a mandatory field.


Figure 12-16 Selecting SNMP Community Settings

Step 2

Enter the View Name. This is an optional field.


You should provide a view name that already exists on the device.
For some IOS versions, if you specify a view name that does not exist on the
device, the view name does not get created, and the download fails.

Step 3

Select Access Type. By default, Access Type is read only. You can select
Read/Write mode if required.
To select the same settings on all subsequent devices, select Treat all subsequent
devices similar to this device?

Step 4

Click Next.

Step 5

If you have not selected Treat all subsequent devices similar to this device?
repeat the steps in this procedure for all devices.
After you select the last device, the Summary dialog box appears (see Completing
the Use ACL Wizard Summary).


Selecting VLANs for VLAN Packet Filtering with Template Use Wizard
Procedure
Step 1

Select the VLAN(s) of the device.


Figure 12-17 Selecting VLANs

To select the same VLANs on all subsequent devices, select Treat all subsequent
devices similar to this device? If you select this option and subsequent devices
do not have the specified VLANs, the subsequent devices will be skipped.


Alternatively, without selecting any VLANs on any of the devices, you can select
the option Apply on all VLANs of this Device, to apply the template on all the
VLANs of the device.
If you also select Treat all subsequent devices similar to this device? along with
the above option, then the template will be applied on all the subsequent devices,
for all the VLANs existing on those devices. Also see Using the Use Wizard to
Address Vulnerability in Your Network: Example.
Step 2

Click Next.
The Summary dialog box appears (see Completing the Use ACL Wizard
Summary).

Using the Use Wizard to Address Vulnerability in Your Network: Example


ACL Manager provides you with options in the ACL Use Wizard that enable you
to quickly deploy templates to protect your network, if a vulnerability is detected.
The Template Use Wizard, for interface and line selection on multiple devices,
has the following options for applying templates:

Apply on all interfaces of this device in "in" direction starting with

Apply on all interfaces of this device in "out" direction starting with

Treat all subsequent devices similar to this device?

You may select these options in any combination.


If you select Apply on all interfaces of this device in "in" direction starting
with and Treat all subsequent devices similar to this device? and if there is
more than one device, the template will be applied on all the interfaces of all the
routers in "in" direction.
Also, if you have not selected Apply on all interfaces of this device in "out"
direction starting with but have manually selected some interfaces in "out"
direction, on a specific device, only those interfaces will be applied for the
subsequent devices.
For example, you have selected the following devices, where ar-gw-1 is the
first device:

ar-gw-1 (Interfaces: FastEthernet0/0, FastEthernet0/1)

sing-gw-1 (Interfaces: FastEthernet1/0 and FastEthernet1/1)


You must select the following:

Procedure
Step 1

Apply on all interfaces of this device in "in" direction starting with and Treat
all subsequent devices similar to this device?

Step 2

FastEthernet0/0 interface in "out" direction, on the first device ar-gw-1.


The following uses are created:
ar-gw-1 FastEthernet0/0 in
ar-gw-1 FastEthernet0/1 in
ar-gw-1 FastEthernet0/0 out
sing-gw-1 FastEthernet1/0 in
sing-gw-1 FastEthernet1/1 in

sing-gw-1 does not have a FastEthernet0/0 interface in "out" direction, as this
interface does not exist on sing-gw-1. In this case, an error message is
displayed before the Summary window:

Some devices do not contain the specified interfaces.

Similarly, you can select all three options. Then, all the interfaces will have uses
in both directions for all the devices.

These options are also enabled for a single device. This feature is applicable to
IOS, Catalyst and PIX devices.
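The following Python is an added illustration, not ACL Manager code: it models how the interface-selection options above expand into Uses across devices, using the ar-gw-1 and sing-gw-1 inventory from this example. The Selection field names, the function names, and the decision to report the wizard's message once per run are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed inventory: the two devices from the worked example above,
# ar-gw-1 being the first device in the wizard.
DEVICES = [
    ("ar-gw-1", ["FastEthernet0/0", "FastEthernet0/1"]),
    ("sing-gw-1", ["FastEthernet1/0", "FastEthernet1/1"]),
]

# Message the wizard shows before the Summary window (quoted from the text).
MISSING_MSG = "Some devices do not contain the specified interfaces."

Use = Tuple[str, str, str]  # (device, interface, "in" or "out")


@dataclass
class Selection:
    """What is chosen on the first device's Interface Selection window.

    in_prefix / out_prefix model the two 'Apply on all interfaces of this
    device in ... direction starting with' fields (None = option not selected,
    '*' = every interface). manual_in / manual_out are interfaces ticked by
    hand. treat_subsequent models 'Treat all subsequent devices similar to
    this device?'. Field names are this example's own.
    """
    in_prefix: Optional[str] = None
    out_prefix: Optional[str] = None
    manual_in: List[str] = field(default_factory=list)
    manual_out: List[str] = field(default_factory=list)
    treat_subsequent: bool = False


def match_prefix(interfaces: List[str], prefix: str) -> List[str]:
    """Anchored prefix match: 'Eth' matches Ethernet0 but not FastEthernet0/0."""
    if prefix == "*":
        return list(interfaces)
    return [name for name in interfaces if name.startswith(prefix)]


def expand_uses(devices, sel: Selection) -> Tuple[List[Use], List[str]]:
    """Return (uses, messages) for the given inventory and selection.

    Prefix options are re-evaluated against each device's own interfaces, so
    they follow whatever names exist there. Manually ticked interfaces are
    copied by name to subsequent devices and skipped, with the wizard's
    message, where that name does not exist. Without treat_subsequent only the
    first device is expanded, because the wizard would prompt per device.
    """
    uses: List[Use] = []
    messages: List[str] = []
    for index, (name, interfaces) in enumerate(devices):
        if index > 0 and not sel.treat_subsequent:
            break
        for direction, prefix, manual in (("in", sel.in_prefix, sel.manual_in),
                                          ("out", sel.out_prefix, sel.manual_out)):
            wanted = match_prefix(interfaces, prefix) if prefix is not None else manual
            for iface in wanted:
                if iface in interfaces:
                    uses.append((name, iface, direction))
                elif MISSING_MSG not in messages:
                    messages.append(MISSING_MSG)
    return uses, messages


def worked_example() -> Tuple[List[Use], List[str]]:
    """The text's selection: '*' in the in direction on all devices, plus
    FastEthernet0/0 ticked by hand in the out direction on ar-gw-1."""
    sel = Selection(in_prefix="*", manual_out=["FastEthernet0/0"], treat_subsequent=True)
    return expand_uses(DEVICES, sel)


if __name__ == "__main__":
    uses, messages = worked_example()
    for device, iface, direction in uses:   # review the list before clicking Finish
        print(device, iface, direction)
    for text in messages:
        print("Message:", text)
```

Running worked_example() yields the same five Uses, in the same order, that the text lists, plus the single message about the missing FastEthernet0/0 on sing-gw-1.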


Chapter 13

Importing Configuration

ACL Manager enables you to import Cisco Device Configurations that conform
to the IOS, Catalyst OS and PIX formats, from an external source. After you
import the configurations, you can paste them onto devices that ACL Manager is
managing, and thereafter use ACL Manager to manage the imported
configurations.
You can import the configurations from:

The ACL Manager server, by entering the path to the file in the File Import
Wizard, or using a File Browser in the wizard.
or

Your local machine, using a text editor (Config Editor of ACL Manager).

You can use the File Import Wizard in ACL Manager to import the configurations.
After you import the configurations, ACL Manager parses them and places them
in a folder, Imported Entities, under the Root folder within your ACL Manager
Main Window. This folder is a location for temporary storage of the imported
configurations, from where they are pasted onto devices.
When you import configurations from external sources:

You can import only the running configurations and not the startup
configurations.

You can import into ACL Manager, one or more files that are already on the
ACL Manager server.

From a client machine, you can copy the contents of the file into the Config
Editor in the File Import Wizard and then upload the configuration into
ACL Manager.


You can import a configuration file from another server via a mounted file
system, where the ACL Manager server is running. (The configuration file on
the mounted file system should be readable by casuser.)

You can import a text file that contains an ACL without a name (for example,
the configuration in the text file may contain some, or all, the ACEs from a
named IP Extended ACL, but the ACL name may not be present in the file).
In this case, ACL Manager will generate a name for the ACL. You can rename
the ACL.

You need appropriate privileges to perform the configuration import task.

The tasks you can perform using the File Import Wizard are:

Uploading the Configuration and Viewing the Import Summary

Pasting Imported Entities onto a Device

Uploading the Configuration and Viewing the Import Summary

To upload the configuration and view the configuration import summary:

Procedure
Step 1

From the ACL Manager Main Window, select File> Import.


The Upload Config pane of the File Import Wizard opens (see Figure 13-1).


Figure 13-1 File Import Wizard

You can upload the configuration from:

A file on the ACL Manager server (see the procedural step, Select Upload
Config from File.)
or

A file on your local machine (see the procedural step, Select Upload Config
from Editor.).

To upload the configuration from a file on the ACL Manager server:

a. Select Upload Config from File.

b. Enter the full path of the configuration file in the Config File text box,
or click Config file. The File Browser dialog box appears (see Figure 13-3).

c. Use the File Browser dialog box to select the text file (see Using the File
Browser). The name of the selected file appears in the Config File text box of
the Upload Config pane. To view the contents of the configuration file, click
View Config.

To upload the configuration from a file on your local machine:

a. Select Upload Config from Editor.

b. Click Config Editor. The Config Editor dialog box appears (see Figure 13-4).

c. Copy the required configuration from a file on your local machine, paste it
into the Config Editor dialog box, and edit it as required (for details, see
Using the Config Editor).

d. Click OK in Config Editor, to return to the Upload Config pane of the File
Import Wizard.

Step 2

Specify the Configuration Type: Router Configuration, Switch Configuration,
or PIX Configuration.
To replace the entities that already exist in the Imported Entities folder of ACL
Manager from an earlier import operation, check Replace already existing
entities. The existing entities in the Imported Entities folder will be replaced by
the import operation. The status of the import operation will be Success: Entity
imported but overwritten.
If you do not check this option, the file will be imported but the entities that
already existed in the Imported Entities folder from an earlier import
operation, will not be replaced. The status of the import operation will be
Success: Entity imported but not overwritten.

To resolve IP addresses existing in the configuration file that is being
imported to their DNS host names in the imported configuration file (in the
Imported Entities folder), check Resolve IP addresses to hostnames. If you do
not check this option, the IP addresses in the configuration file that is being
imported, that have DNS host names, will not be resolved to their hostnames in
the file after the import operation, but will remain IP addresses.

ACL Manager resolves DNS hostnames to IP addresses at the time of download of
the configuration.


Step 3

Click Next.
The Import Summary pane appears (see Figure 13-2).
Figure 13-2 Import Summary Window

You can view the import details in these fields:

Entity Name
Name, or number, of the entity. For example, 100.

Entity Type
Type of the entity. For example, ACL.

Details
Details of the ACL. For example, IP.

Import Status
These are the states of success:

Entity Newly Created: for a new entity.

Entity Overwritten: for an entity that already existed in ACL Manager, when
you have selected the Replace Already existing Entities option in the Upload
Config pane of the File Import Wizard.

Entity Imported but Not Overwritten: for an entity that already existed in
ACL Manager, when you have not selected the Replace Already existing Entities
option in the Upload Config pane of the File Import Wizard.

These are the states of failure:

Locked for creation/renaming: when different users are simultaneously trying
to create or rename an entity from different browser sessions.

Locked for deletion: when different users are simultaneously trying to delete
or rename an entity from different browser sessions.

This can also happen if the same user is operating on the same ACL, using two
different browser sessions.
Step 4

Click Finish.
The entity is imported into ACL Manager, and placed in a temporary storage
folder, (Root > Imported Entities > Router, Switch, or Pix), in your
ACL Manager Main Window. You can do these operations on these imported
entities:

Rename

Delete


Using the File Browser


You can use the File Browser dialog box to select a configuration file that is
present on any server (a mounted file system), on which the ACL Manager
server is running.
The File Browser dialog box appears when you select the option Upload Config
from File and click the Config file button in the File Import Wizard.
For details, in the procedure, Uploading the Configuration and Viewing the
Import Summary, see the procedural step Select Upload Config from File.

Procedure
Step 1

Select the required file from the list of configuration files displayed in the File
Browser dialog box (see Figure 13-3).
You can also enter the complete path of a valid file that exists on the
ACL Manager server.
The name of the selected file appears in the File text box.


Figure 13-3 The File Browser Dialog Box

Step 2

Click OK.

Using the Config Editor


You can use the Config Editor dialog box just as you would use a text editor, to
enter or copy and paste Cisco Device Configuration commands.
The Config Editor dialog box appears when you select the option Upload Config
from Editor and click the Config Editor button in the File Import Wizard.
For details, in the procedure, Uploading the Configuration and Viewing the
Import Summary, see the procedural step Select Upload Config from Editor.


Procedure
Step 1

Copy and paste configuration from a text file on your local machine, into Config
Editor (see Figure 13-4).
or
Enter Cisco Device Configurations into Config Editor.
Figure 13-4 Config Editor Dialog Box

Step 2

Click OK.
To print out the configuration that you have copied into, or entered into Config
Editor, click Print.


Pasting Imported Entities onto a Device


After you have imported the required entities into ACL Manager, you can paste
them on to devices. You can:

Paste an imported ACL onto a device (see Pasting an Imported ACL onto a
Device).

Paste selected ACEs and Comments from an imported ACL on to a device (see
Pasting Imported ACEs and Comments on to a Device).

Paste imported ACEs as a template (see Pasting Imported ACEs as a Template).

Pasting an Imported ACL onto a Device


To paste an imported ACL onto a device:

Procedure
Step 1

In the ACL Manager Main Window, add the required device in your Devices
folder.

Step 2

Copy the required ACL from Root > Imported Entities > Router, Switch, or
Pix.

Step 3

Select ACL Definitions in the device folder.

Step 4

Paste the ACL in the ACL Definitions folder.


An error message appears if the device does not support the type of ACL that you
have pasted, or if it does not support some of the ACEs within it.

Note

Check in the newly added ACL, before downloading it to the device.


Pasting Imported ACEs and Comments on to a Device


To paste a few selected ACEs, and comments (Remark ACEs), from an imported
ACL, on to a device:

Procedure
Step 1

In the ACL Manager Main Window, add the required device in your Devices
folder.

Step 2

Copy the required ACEs from an ACL in Root > Imported Entities > Router,
Switch, or Pix.

Step 3

Open ACL Definitions in the device folder.

Step 4

Check out an existing ACL in the ACL Definitions folder and paste the copied ACEs into it,
or
create a new ACL and paste the ACEs into the new ACL.
An error message appears if the device does not support some or all of the ACEs that you have pasted into the ACL.
You can follow the same steps to paste imported remark ACEs onto a device. An error message appears if the device does not support remark ACEs.
Any statement that is preceded by a bang (!) in the Cisco device configuration format is imported into ACL Manager as a non-downloadable comment. Using the Comment Editor, you can make it a downloadable comment (see Chapter 4, Downloading Comments).

Note

Check in the newly added or modified ACL before downloading it to the device.

Pasting Imported ACEs as a Template


You can save ACEs imported from an external source as a template. To do so:

Procedure
Step 1

Copy the ACEs from the required ACL in Root > Imported Entities > Router, Switch, or Pix.

Step 2

Open Template Manager and create a new template,
or
check out an existing template.

Step 3

Paste the copied ACEs into the template.

Step 4

Check in the template.

A warning appears if you copy imported remark ACEs into a template.

Using the File Import Command Line Tool


You can use the File Import command line tool to import a configuration file that is on the ACL Manager server.

Note

With the File Import command line tool, you cannot import a configuration file that is on your local machine. To import a file from your local machine, use the File Import Wizard (see Uploading the Configuration and Viewing the Import Summary). This tool does not support HTTPS.

The prerequisites for using the File Import tool are:

The configuration file that you wish to import must have read permissions for casuser, the account under which CiscoWorks runs.

You must be root to run the script that invokes the import utility. The CiscoWorks username and password supplied to the script must have the Network Administrator role.

To view the usage details of the File Import command line tool, at the command line, enter:

import

The following usage details appear:

----------------------------------------------------------------
File Import command line tool, (c) Cisco Systems, Inc 2002
Usage :
import [-d device_type][-n][-u username] [-p password] <host_name> <config_file_path>
Options:
----------------------
-d device_type : Takes device type option. Valid device types are "R" for router, "S" for switch and "P" for PIX. If this option is not used, tool will attempt to find the device type.
-n : Does not overwrite ACLs existing with the same name/number.
-u username : Valid user of CiscoWorks 2000 with at least network admin role.
-p password : Valid password of corresponding user.
--------------------------------------------------------------------

The File Import tool options are:

-d    The device type: R for a router, S for a switch, or P for a PIX device. If you do not use this option, the tool discovers the device type.

-n    Prevents the tool from overwriting existing ACLs with the same name or number.

-u    Valid CiscoWorks username.

-p    Valid password for that user. Because the password is passed as a command line argument, it is visible to other users of the server in the process list while the tool runs, and it may be recorded in the shell history of the root session.

Example: File Import Command Line Tool Usage

At the command line, enter:

./import.sh -u admin aclm-u10 /config/switch.cfg

where admin is the username, aclm-u10 is the hostname, and /config/switch.cfg is the path of the configuration file switch.cfg on the ACL Manager server.

If the file import operation is not successful, this message appears:

Cannot read this file

Check the permissions on the file and make it readable by casuser.

If the file import operation is successful, this message appears:

Completed importing of entities.

The imported configuration file appears in the Imported Entities folder of your ACL Manager Main Window, under the respective category of device (router, switch, or PIX).

Note

Close the Imported Entities folder under Root and reopen it to see the imported
configuration file.
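The following added example (not Cisco's import script) checks the two prerequisites above before invoking the tool and builds its argument list. It assumes the tool is invoked as ./import.sh, as in the guide's example, that the CiscoWorks service account is named casuser, and that the CiscoWorks user is admin; the permission check reproduces the Unix owner/group/other rule rather than relying on the caller's own access rights, so it can answer "readable by casuser" while running as root.

```python
"""Pre-flight checks and argument building for the File Import command line
tool. Added example, not Cisco's import script: it assumes the tool is
./import.sh (as in the guide's example), that the CiscoWorks service account
is casuser, and that the CiscoWorks user is admin."""
import getpass
import grp
import os
import pwd
import stat
import subprocess
import sys
from typing import List, Optional, Sequence, Tuple

IMPORT_TOOL = "./import.sh"   # assumption taken from the guide's example
SERVICE_USER = "casuser"      # account that must be able to read the file


def mode_grants_read(st_mode: int, st_uid: int, st_gid: int,
                     uid: int, gid: int, groups: Sequence[int]) -> bool:
    """Unix read permission check from stat() fields; root always passes."""
    if uid == 0:
        return True
    if uid == st_uid:
        return bool(st_mode & stat.S_IRUSR)
    if gid == st_gid or st_gid in groups:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)


def user_ids(username: str) -> Tuple[int, int, List[int]]:
    """(uid, primary gid, supplementary gids) of a local account."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, pw.pw_gid, [g.gr_gid for g in grp.getgrall() if username in g.gr_mem]


def readable_by(path: str, username: str) -> bool:
    st = os.stat(path)
    uid, gid, groups = user_ids(username)
    return mode_grants_read(st.st_mode, st.st_uid, st.st_gid, uid, gid, groups)


def build_command(username: str, password: str, host: str, config_path: str,
                  device_type: Optional[str] = None, no_overwrite: bool = False) -> List[str]:
    """argv for the tool, as a list so the path is never re-parsed by a shell."""
    if device_type not in (None, "R", "S", "P"):
        raise ValueError("device type must be R (router), S (switch) or P (PIX)")
    argv = [IMPORT_TOOL]
    if device_type:
        argv += ["-d", device_type]
    if no_overwrite:
        argv.append("-n")
    return argv + ["-u", username, "-p", password, host, config_path]


def preflight(config_path: str) -> List[str]:
    """Problems that would make the import fail, plus 'warning:' hygiene items."""
    problems: List[str] = []
    if os.geteuid() != 0:
        problems.append("the script that invokes the import utility must run as root")
    if not os.path.isfile(config_path):
        return problems + [f"{config_path}: not a regular file"]
    try:
        if not readable_by(config_path, SERVICE_USER):
            problems.append(f"{config_path}: not readable by {SERVICE_USER}")
    except KeyError:
        problems.append(f"account {SERVICE_USER} does not exist on this host")
    if os.stat(config_path).st_mode & stat.S_IROTH:
        # Device configurations often carry SNMP communities and password
        # hashes; casuser needs read access, the rest of the host does not.
        problems.append(f"warning: {config_path} is world-readable")
    return problems


def main(argv: List[str]) -> int:
    host, config_path = argv[1], argv[2]
    problems = preflight(config_path)
    print("\n".join(problems))
    if any(not p.startswith("warning:") for p in problems):
        return 1
    # The tool only takes the password via -p, so it is visible in the process
    # list while the import runs; prompting at least keeps it out of shell history.
    password = getpass.getpass("CiscoWorks password for admin: ")
    return subprocess.run(build_command("admin", password, host, config_path)).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root on the ACL Manager server as ./preflight_import.py aclm-u10 /config/switch.cfg; a non-root run or an unreadable file stops before the tool is invoked, while a world-readable file only produces a warning.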

Chapter 14

Validating ACEs
ACL Manager enables you to check the validity of the ACEs within an ACL, VACL, or template, using the ACE Validator.
Packet filtering ACLs are usually large and may consist of hundreds of ACEs. In medium or large networks, administrators may need to modify ACLs several times a week. Modification of an ACL consists of one or more of these operations:

Editing of ACEs

Insertion of new ACEs

Deletion of existing ACEs

An ACL is order-dependent: the first ACE that matches a packet decides its fate. Any modification therefore has the potential of inadvertently changing the semantics of the ACL, because an inserted or widened ACE can take over traffic that a later ACE was meant to handle.
The main objective of the ACE Validator is to minimize the human error that can occur while an administrator modifies an ACL. The ACE Validator checks for, and displays a report of, the invalid relationships between one or more sets of entities (ACEs in an ACL, or in a template, either a static template or a variable template instance).

Note

In this chapter, ACEs that cause side effects such as redundancy or conflict with
other ACEs in an ACL or template, are termed invalid. However, this term does
not indicate that the syntax of the invalid ACEs is incorrect. It means that the
relationship between a pair of selected ACEs is invalid.

The ACE Validation feature of ACL Manager detects and displays the following invalid relationships between ACEs, each of which may change the semantics of an ACL:

Redundant: An ACE is redundant. For example, a modified ACE may have a larger address scope than some of the ACEs appearing below it in the ACL; because the earlier ACE already matches everything those later ACEs would match, they can never take effect and are redundant.

Conflict: An ACE is in conflict with another ACE. Two ACEs conflict if their actions differ (one permits, the other denies) and their source and destination addresses and/or ports overlap. For example, assume that you have created or modified an ACE to permit Telnet access to some hosts, when Telnet access to those hosts was already denied by another ACE occurring below it in the ACL. The modified ACE is in conflict with the existing ACE, and because it comes first, the deny no longer applies to the overlapping hosts.

Redundant-conflict: An ACL contains a template whose ACEs are redundant with, and/or in conflict with, other ACEs in the ACL.

Unresolvable: An error occurred during validation that is outside the scope of ACL Manager. For example, the DNS server may be down when a DNS host name in an ACE is being resolved; the relationship of that ACE to the others cannot then be determined.
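To make the Redundant and Conflict definitions above concrete, here is an added example of the check on a small IOS-style extended IP ACL. It is not ACL Manager's implementation: it assumes the IOS syntax permit|deny PROTOCOL SRC DST [eq PORT] with any, host and wildcard address forms, handles only a destination eq port, converts a wildcard mask to a prefix (rejecting non-contiguous wildcards, which have no single prefix), and uses the guide's definitions: a later ACE fully covered by an earlier one with the same action is redundant; two overlapping ACEs with different actions conflict. The sample ACL is constructed for the example.

```python
"""Toy ACE validator for an IOS-style extended IP ACL. It reports the
Redundant and Conflict relationships as the guide defines them. Added example,
not ACL Manager's own implementation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the IOS port keywords; any other port must be numeric.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53, "smtp": 25}


@dataclass(frozen=True)
class Ace:
    index: int                   # 1-based position, like [1] in the Details dialog
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port
    text: str


def _addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard is an inverted netmask (1 bits are don't-care). Only a
    # wildcard of the form 0...01...1 corresponds to a single prefix.
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    if wildcard & (wildcard + 1):
        raise ValueError(f"non-contiguous wildcard {tokens[1]} has no single prefix")
    net = ipaddress.IPv4Network((tokens[0], 32 - wildcard.bit_length()), strict=False)
    return net, tokens[2:]


def _port(tokens: List[str]) -> Optional[int]:
    """Consume an optional trailing 'eq PORT'; other operators are rejected."""
    if not tokens:
        return None
    if tokens[0] != "eq" or len(tokens) != 2:
        raise ValueError(f"unsupported port operator: {' '.join(tokens)}")
    return PORT_NAMES[tokens[1]] if tokens[1] in PORT_NAMES else int(tokens[1])


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse permit/deny lines; remark lines are comments and are skipped."""
    aces: List[Ace] = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        if tokens[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _addr(tokens[2:])
        dst, rest = _addr(rest)
        aces.append(Ace(len(aces) + 1, tokens[0], tokens[1], src, dst, _port(rest), line))
    return aces


def _proto_match(a: Ace, b: Ace) -> bool:
    return a.proto == "ip" or a.proto == b.proto


def covers(a: Ace, b: Ace) -> bool:
    """True if every packet matched by b is also matched by a."""
    return (_proto_match(a, b) and a.src.supernet_of(b.src)
            and a.dst.supernet_of(b.dst) and (a.dport is None or a.dport == b.dport))


def overlaps(a: Ace, b: Ace) -> bool:
    """True if at least one packet is matched by both a and b."""
    return ((_proto_match(a, b) or _proto_match(b, a))
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and (a.dport is None or b.dport is None or a.dport == b.dport))


def validate(aces: List[Ace]) -> List[Tuple[str, int, int]]:
    """(relationship, earlier_index, later_index) for every invalid pair.
    redundant: the later ACE is fully covered by an earlier ACE with the same
    action. conflict: the ACEs overlap but their actions differ, so the
    earlier one decides the overlapping traffic."""
    findings = []
    for i, a in enumerate(aces):
        for b in aces[i + 1:]:
            if a.action == b.action:
                if covers(a, b):
                    findings.append(("redundant", a.index, b.index))
            elif overlaps(a, b):
                findings.append(("conflict", a.index, b.index))
    return findings


SAMPLE_ACL = [  # constructed sample, not taken from the guide
    "remark constructed sample ACL",
    "permit tcp 10.1.0.0 0.0.255.255 any eq 23",                 # [1]
    "permit tcp host 10.1.2.3 any eq telnet",                     # [2] covered by [1]: redundant
    "deny tcp 10.1.2.0 0.0.0.255 any eq 23",                      # [3] covered by [1], other action: conflict
    "permit udp 10.1.0.0 0.0.255.255 host 192.0.2.53 eq domain",  # [4]
    "deny udp 10.1.2.0 0.0.0.255 any",                            # [5] overlaps [4], other action: conflict
]

if __name__ == "__main__":
    for kind, earlier, later in validate(parse_acl(SAMPLE_ACL)):
        print(f"[{later}] has a {kind} relationship with [{earlier}]")
```

Two points the sample shows that the prose does not: ACE [3] is reported as a conflict even though it can never match (it is entirely shadowed by [1]), and an explicit closing deny ip any any would, under these definitions, overlap every preceding permit and be reported as a conflict. Both are reasons the validator is a report for a person to judge rather than an automatic fix.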

Using the ACE Validator you can select:

A single ACE within a logical entity (ACL or template), and validate it with
the other ACEs in the entity.

Multiple ACEs within a logical entity (ACL or template), and validate the
selected ACEs with the other ACEs in the entity.

An entire logical entity (ACL or template), and validate each ACE in the
selected entity with the other ACEs in the entity.

Features of the ACE validation check:

The ACE validation check runs only on logical entities (ACLs, ACEs within
an ACL, and templates) within ACL Manager.

The ACE validation check runs only on the following types of ACLs, and
static templates that contain these ACLs:
IP Standard
IP Extended
VACL IP

The ACE validation check does not apply to variable templates.

The ACE validation check is a reporting tool. If the ACL or the template you
selected contains invalid ACEs, the ACE validation check displays these in
the ACE Validation Results dialog box (see Performing a Validation Check
on a Logical Entity for the procedure on using the ACE Validation results
dialog box).
However, you cannot use this dialog box to make changes to an invalid ACE.
You should use your ACL Manager Main Window, (or the Template Manager
in the case of template ACEs) to make the appropriate modifications.
The ACE Validation Results dialog box remains open while you work within
the ACL Manager Main Window.
The ACE Validation Results dialog box does not refresh automatically when you modify the invalid ACEs it lists.
To update the results, click Refresh (see Figure 14-1). ACL Manager runs another validation check on the modified ACEs and updates the ACE Validation Results dialog box.

The ACE or ACL on which you want to perform an ACE validation check
need not be in a checked out state, because the validation check is a read-only
operation.

Performing a Validation Check on a Logical Entity


To run a validation check on an ACE, an ACL or a template:

Procedure
Step 1

From the ACL Manager Main Window, select either an ACL or one or more ACEs
(by holding down the Ctrl or Shift key) in an ACL. The selected entity should be
in its logical view.
To enable the logical view for the selected entity, select View > Logical View in
the ACL Manager Main Window.
Follow this procedure from within the Template Manager on a static template or
a variable template instance, to perform validation of the template ACEs.

Step 2

Right-click and select ACE Validator from the menu that pops up
or
Select Tools > ACE Validator.
The ACE Validation Results dialog box appears (see Figure 14-1).

Figure 14-1 ACE Validation results Dialog Box

The ACE Validation Results dialog box may not appear immediately if you are
running the validation check on a large ACL or on a large number of ACEs.
However, you can continue with other tasks, using ACL Manager during the
validation check.
The left pane displays the selected ACEs with the invalid ACEs highlighted in red.
Step 3

Click on an invalid ACE in the left pane.


The ACE, with which the invalid ACE shares a relationship, is highlighted in the
right pane. The color of the ACE indicates the type of invalid relationship (see
Invalid Relationship Color Highlights and Their Meanings).
Table 14-1 Invalid Relationship Color Highlights and Their Meanings

Color Highlight    Meaning
White              Valid
Red                Invalid
Light green        Redundant
Maroon             Conflict
Dark pink          Redundant-conflict
Blue               Unresolvable

Step 4

Use the arrow icons to navigate among the colored ACEs listed in the left and right panes.

To see the details of the invalid relationship that a pair of ACEs share, select an invalid ACE in the right pane. This enables the Details button in the ACE Validation Results dialog box.
Click Details to open the ACE Validation Details dialog box (see Figure 14-2), which displays the relationship details for the selected pair of ACEs. For details about this dialog box, see Viewing ACE Validation Details.

You can keep both the ACE Validation Results dialog box and the ACL Manager
Main Window open, together. This enables you to check for the invalid entities
and make your corrections, without closing one window and opening the other.
If you have made modifications to an entity in your Devices folder, (or in the
Template Manager) click Refresh in the ACE Validation Results dialog box, to
perform a validation check on the modified entities.
Step 5

Click Close to exit the ACE Validation Details dialog box.

Viewing ACE Validation Details


To view the ACE validation details:

Procedure
Step 1

Select an invalid ACE in the right pane of the Validation Results dialog box (see
Performing a Validation Check on a Logical Entity) and click Details.
The ACE Validation Details dialog box appears (see Figure 14-2).
Figure 14-2 ACE Validation Details

The following details are displayed in the ACE Validation Details dialog box:

First Group of ACEs: The selected logical entity (ACEs, ACL, or template) from the left pane of the ACE Validation Results dialog box.

Invalid Relationship: The invalid relationship between the first group of ACEs and the second group of ACEs, displayed between the two groups. For example, the relationship between the groups is displayed as:
Has a redundant relationship with the ACE
or
Has a conflicting relationship with the ACE

Second Group of ACEs: The selected logical entity (ACEs, ACL, or template) from the right pane of the ACE Validation Results dialog box.
The ACEs displayed in the ACE Validation Details dialog box are indexed:

Main Index Number (for example, [1]): The sequence or position of an invalid ACE or template within an ACL.

Sub-index Number (for example, --> [1]): Meaningful if the main index entity is a template, a network class, or a service class; the sub-index then gives the sequence of the invalid ACE within that entity. (If the main entity is an ACE, the same ACE is displayed with a sub-index.) If the main index is not a template, this sub-index is not displayed.

Step 2

Click Close to exit the ACE Validation Details dialog box.

Validating Modified ACEs


You can use the Show All Changes option to view only the ACEs that you have modified, and run the ACE Validator on just those.
You can continue to use ACL Manager while the ACE Validator is running a validation check.

Procedure
Step 1

Select the required ACL from within your ACL Manager Main Window.

Step 2

Select ACL > Show All Changes from the ACL Manager Main Menu.
The ACEs that you modified (either edited, or added) are highlighted in the right
pane of the ACL Manager Main Window in light lavender color.
ACEs that you may have deleted, are not displayed.
You can right-click on the highlighted ACEs and select ACE Validator from the
pop-up menu.
The ACE Validation Results dialog box appears.
To use this dialog box, see Performing a Validation Check on a Logical Entity.

Chapter 15

Scheduling and Downloading


An ACL job definition is a set of devices, and the commands associated with those devices, that must be downloaded to reconfigure the devices. With the ACL Manager scheduling mechanism, you can schedule the download immediately or at a specified date and time. You can get approval for a job definition before scheduling a download.
The scheduled job is sent to the server, and at the scheduled time the server downloads the configuration changes to the affected devices.
You can also mark the latest versions of your changes for download.
Depending upon your ACL Manager role, you can use the Job Download Wizard
to:

Create a job definition and schedule a job download.

Create a job definition and save it for another user with download access to
the device, to download the job.

The tasks you can perform using the Job Download Wizard and the Job Browser
are:

Enabling Job Approval

Scheduling Downloads

Browsing Job Status and Viewing Results

Scheduling Job Downloads Using the Job Browser

Rescheduling Jobs

Canceling Pending Jobs and Purging Old Jobs

Enabling Job Approval


Configure the ACL Manager for Job Approval. Your login determines whether
you can use this option.
To enable Job Approval:

Procedure
Step 1

Select Resource Manager Essentials > Administration > Job Approval > Edit
Preferences.

Step 2

Click the ACL Manager tab (see Figure 15-1).


Figure 15-1 Edit Preferences: ACL Manager

Step 3

Select or clear the Enable Job Approval check box to enable or disable Job Approval in ACL Manager.

Step 4

Click Apply to apply the changes.

To receive email notification, set the SMTP server on Windows 2000 server using
Resource Manager Essentials > System Configuration.

Note

To enable Role-based Access Control, see the Installation Guide for ACL Manager.

Scheduling Downloads
You can use the Job Download Wizard to select the devices or the specific
changed entities (ACLs, ACL Uses or Time Ranges) in your Devices folder, and
schedule downloads.
Permissions to create job definitions and schedule job downloads are based on
your ACL Manager role, if role-based access control is enabled. To enable
role-based access control, see the Installation Guide for ACL Manager.
Depending upon your role, you can perform these tasks:

Download ACLs:
Create a job definition.
Schedule a job download for the job definition you have created, using the Job Download Wizard. You can schedule a job download only to those devices to which you have access.
Schedule job downloads using the Job Browser, for the job definitions created by other users. With this role, however, you cannot edit the job definitions created by other users; you can edit only the job definitions that you have created.

Modify ACLs:
Create a job definition using the Job Download Wizard. After you define a job, the Job Download Wizard does not allow a user with this role to access the Schedule Job pane. Another user with the Download ACLs role must schedule a download for the job you have defined, using the Job Browser.

Immediate Download:
Schedule immediate downloads. Immediate downloads do not pass through the change approval process, so grant this role only to users who are trusted to change device ACLs without review.
With this role, you can also perform all the other tasks that a user with the Download ACLs role can, such as defining and scheduling a job using the Job Download Wizard, and scheduling downloads using the Job Browser for job definitions created by other users.

You can define these roles using the option ACL Manager > Administration >
Role-based Administration, from the CiscoWorks desktop. For more details on
Role-based Access Control, see Chapter 9, Populating ACL Manager with
Role-based Data.
To display the Job Download Wizard:

Procedure
Step 1

In the ACL Manager Main Window, do one of the following to display the Job Download Wizard:

Select Tools > ACL Downloader...

or

Click the ACL Downloader toolbar icon.

The Job Download Wizard appears (see Figure 15-2).


Figure 15-2 Job Download Wizard

Only the changed devices appear in the Job Download Wizard.


To define and download an ACL job:

Procedure
Step 1

Select the devices and the changed entities for the device. See Selecting the
Devices and the Changed Entities.

Step 2

Select the job definition options to apply. See Defining the Job and Selecting the
Job Options.

You can choose to schedule the download. See Scheduling the Download Using
the Job Download Wizard.
If you do not schedule a download, or if you do not have permissions to schedule
a download, another user with download rights can schedule a download using the
Job Browser. See Scheduling Job Downloads Using the Job Browser.
Step 3

View the Job Summary. See Viewing the Job Summary.


After a job is defined or scheduled, you can use the Job Browser to schedule or
track the job. See Browsing Job Status and Viewing Results.

Selecting the Devices and the Changed Entities


Use the Select Changed Entities pane of the Job Download Wizard to select the
devices to be downloaded. For each device, you can select the changed entities
that you want to download to the device.
To open the Job Download Wizard, follow the procedure in the section
Scheduling Downloads.
The Job Download Wizard opens and the Select Changed Entities pane appears
(see Figure 15-2).
The Select Changed Entities pane displays in a tree structure, all the devices that
you modified, and the changed entities within the devices.
To select the devices and changed entities:

Procedure
Step 1

Click the Expand icons for the devices in the Select Changed Entities pane.
The changed entities within the devices, appear. These changed entities could be
ACL Definitions, ACL Uses or Time Ranges.

Step 2

Click the Expand icons for ACL Definitions, ACL Uses, or Time Ranges.
The changed ACLs, ACL Uses, or Time Ranges within the folders appear in the
pane. The version of each entity appears in brackets against its name or number.

The icons for the changed entities indicate the kind of change (the icon images are not reproduced here):

Newly created ACL
Modified ACL
Deleted ACL
Newly created ACL Global Use
Modified Global Use
Deleted Global Use
Newly created ACL Interface Use
Modified Interface Use
Deleted Interface Use
Newly created Time Range
Modified Time Range
Deleted Time Range

ACL Manager allows you to select the changed entities that should be downloaded
for each device.
You can select the check box:

At the device level. All the changed entities for the device are selected for downloading.

At the folder level of the changed entities. All the changed entities within that folder are selected. For example, if you select the check box at the ACL Definitions folder level, all the ACLs within that folder are selected for downloading.

For a specific changed entity within a folder. Only that entity is selected for downloading. For example, within the ACL Definitions folder for a device, if you select the check box for a single ACL, only that ACL is selected for downloading to the device.

For downloading object groups: ACL Manager downloads child object groups before parent object groups. You must therefore include all the object groups in the nested hierarchy, unless they are already present on the device. Alternatively, download the child object groups in one job and the parent object group in a later job.

Your selection of changed entities is now complete.


Step 3

Click Next.
The Select Job Options panel of the Job Download Wizard opens. See Defining
the Job and Selecting the Job Options.

In the Select Changed Entities pane of the Job Download Wizard, before you
move on to specify the job options, you can verify the configuration changes on
the entities.
To see the configuration changes on the entities, select the check boxes for the
entities and click on the Diff button. The Config Diff Viewer opens, and you can
see the differences in configuration, for the selected changed entities. For details,
see Chapter 3, Verifying Device Configuration Changes.

Defining the Job and Selecting the Job Options


You can use the Select Job Options pane of the Job Download Wizard to define
the job and select the job download options.
To create a job definition:

Procedure
Step 1

Select the changed entities for download in the Select Changed Entities pane of
the Job Download Wizard (see Selecting the Devices and the Changed Entities).

Step 2

Click Next.
The Select Job Options pane of the Wizard appears. (see Figure 15-3).

Figure 15-3 Select Job Options Pane

Step 3

Enter a name for the job in the Job Definition Name field.

Step 4

Enter a description for the job definition, in the Job Definition Description field.
Use a description you can locate easily if you want to browse the jobs later.

Step 5

Select a Failure Policy for the job by selecting the appropriate radio button.
The failure policy determines the action that ACL Manager takes if the job download fails on one or more devices:

Rollback on Failure: Attempts to restore the original configuration of all the devices if an error occurs on one or more devices while downloading.

Continue on Failure: Stops the configuration download on the devices on which the download fails, and continues to download the configuration changes to the other devices.

Rollback Device and Continue: Attempts to restore the original configuration of the devices on which the download fails, and continues downloading to all the other devices.

Stop on Failure: Stops the download to all the devices if an error occurs on one or more devices during download.

Rollback Device and Stop: Attempts to restore the original configuration of the device on which the download fails, and stops further downloads to all the other devices.

A rollback is only attempted. With Continue on Failure and Stop on Failure, a device on which the download failed is left as the failed download left it, so check its ACLs in the Job Browser results before relying on them.

Step 6

Select one of the configuration download options to define the Execution Policy for the job by selecting the appropriate radio button.
The Execution Policy determines the mode in which the configuration is downloaded to the devices:
The Execution Policy that you specify here determines the mode of download of
configuration on the devices.

Sequential: The configuration changes are downloaded to the devices one after another, in the sequence that you specify. Select this option if the order of download to the devices is important, for example when the change on one device must be in place before the change on another device takes effect. (In a secure network, parallel download of configuration to devices may compromise the security of your network, because while the job runs the devices carry an unpredictable mix of old and new ACLs.)
If you select this option, click Device Order. The Device Order dialog box appears. To set the order of devices for the configuration download:
a. Set the order of devices in this dialog box using the Up and Down buttons.
b. Click OK. The Device Order dialog box closes.

Parallel: The configuration changes are downloaded to the devices in parallel, in no specific order. The download proceeds faster. Select this option if the order of download to the devices does not matter.

To copy the running configuration to the startup files of the device, after the
download is complete, select Update Startup Configuration.

Note

Saving to Startup Configuration is not allowed for Catalyst Switches.

To skip unresolvable DNS names while downloading, select Skip unresolvable DNS names. This option allows the download to proceed even if DNS names cannot be resolved while downloading. Use this option with caution: the ACL that reaches the device may then differ from the one you reviewed and validated in ACL Manager.
To terminate the download to devices on which ACL Manager encounters DNS names that it cannot resolve, select Abort download. The download proceeds on the other devices, for which ACL Manager is able to resolve the DNS names.
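The five failure policies in Step 5 differ only in what state each device is left in, which is what decides how much of the network you must inspect after a partial failure. The following added example (not ACL Manager code) simulates a sequential download under each policy; the download and rollback callbacks stand in for the real device operations, and the four-device job, the failing device, and the device whose rollback fails are constructed for the example.

```python
"""Simulation of the five Failure Policy options of the Job Download Wizard.
Added example to make the policies concrete; it is not ACL Manager code, and
the download/rollback callbacks stand in for the real device operations."""
from enum import Enum
from typing import Callable, Dict, List, Set


class FailurePolicy(Enum):
    ROLLBACK_ON_FAILURE = "Rollback on Failure"
    CONTINUE_ON_FAILURE = "Continue on Failure"
    ROLLBACK_DEVICE_AND_CONTINUE = "Rollback Device and Continue"
    STOP_ON_FAILURE = "Stop on Failure"
    ROLLBACK_DEVICE_AND_STOP = "Rollback Device and Stop"


# Policies that stop the job at the first failing device.
STOPPING = {FailurePolicy.ROLLBACK_ON_FAILURE, FailurePolicy.STOP_ON_FAILURE,
            FailurePolicy.ROLLBACK_DEVICE_AND_STOP}


def run_job(devices: List[str], download: Callable[[str], bool],
            rollback: Callable[[str], bool], policy: FailurePolicy) -> Dict[str, str]:
    """Sequential download of one job; returns the final state of each device.

    downloaded       new configuration in place
    failed           download failed; the device is left as the failure left it
    rolled_back      original configuration restored
    rollback_failed  restore was attempted but failed: inspect this device
    skipped          never touched by this job"""
    state: Dict[str, str] = {}

    def try_rollback(dev: str) -> None:
        state[dev] = "rolled_back" if rollback(dev) else "rollback_failed"

    for pos, dev in enumerate(devices):
        if download(dev):
            state[dev] = "downloaded"
            continue
        state[dev] = "failed"
        if policy is FailurePolicy.ROLLBACK_ON_FAILURE:
            # Undo this device and every device already reconfigured by the job.
            for done in devices[:pos + 1]:
                try_rollback(done)
        elif policy in (FailurePolicy.ROLLBACK_DEVICE_AND_CONTINUE,
                        FailurePolicy.ROLLBACK_DEVICE_AND_STOP):
            try_rollback(dev)
        if policy in STOPPING:
            for rest in devices[pos + 1:]:
                state[rest] = "skipped"
            break
    return state


def needs_attention(state: Dict[str, str]) -> List[str]:
    """Devices whose ACLs you must verify by hand before trusting them."""
    return sorted(d for d, s in state.items() if s in ("failed", "rollback_failed"))


def simulate(policy: FailurePolicy, failing: Set[str]) -> Dict[str, str]:
    """Constructed four-device job: devices in `failing` fail to download, and
    the rollback of dmz-pix-1 always fails, to show the rollback_failed case."""
    devices = ["edge-rtr-1", "core-sw-1", "dmz-pix-1", "edge-rtr-2"]
    return run_job(devices, lambda d: d not in failing,
                   lambda d: d != "dmz-pix-1", policy)


if __name__ == "__main__":
    for policy in FailurePolicy:
        print(f"{policy.value:30} {simulate(policy, {'core-sw-1'})}")
```

Running it shows, for a failure on the second of four devices, that only Rollback on Failure leaves every device in a known state (all rolled back or untouched), that the two Continue policies leave the job half deployed, and that the two Stop policies leave the devices after the failing one untouched; needs_attention lists the devices the job browser results must be checked for.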
Step 7

Check the Schedule Job Definition option to schedule a job using the Job
Download Wizard, if it is enabled for you.

The Schedule Job Definition option is enabled or disabled as follows:

Enabled: You have role-based access to the devices for which you are defining the job.
To schedule a job using the Job Download Wizard:
1. Check the Schedule Job Definition option.
2. Click Next in the Select Job Options pane. The Schedule Job Definition pane appears. See Scheduling the Download Using the Job Download Wizard for details on scheduling the job.
If you do not want to schedule a job using the Job Download Wizard:
1. Leave the Schedule Job Definition option unchecked.
2. Click Next in the Select Job Options pane. The Job Summary pane of the Job Download Wizard appears. See Viewing the Job Summary for details.

Disabled: You do not have role-based access to the devices for which you are defining the job.
The Job Summary pane of the Job Download Wizard appears when you click Next in the Select Job Options pane. See Viewing the Job Summary for details.
If you have created job definitions but not scheduled them, a user with the Download ACLs role can access your job definitions using the Job Browser and schedule a job download. See Browsing Job Status and Viewing Results for details.

Step 8

Click Next.

If you checked the Schedule Job Definition box in Step 7, the Schedule Job pane appears next in the Job Download Wizard (see Figure 15-4). See Scheduling the Download Using the Job Download Wizard for details.

If you did not check the Schedule Job Definition box in Step 7, or it is disabled for you, the Job Summary pane appears next in the Job Download Wizard (see Figure 15-5). See Viewing the Job Summary for details.

If change approval is enabled, the job definition goes through change approval processing after you have created it. See Approving or Rejecting Changes for details.

Scheduling the Download Using the Job Download Wizard


Use the Schedule Job pane of the Job Download Wizard, to schedule a download
for the job definition that you have created.
ACL Manager improves the download time of configuration commands by allowing you to use TFTP in addition to Telnet. It supports TFTP downloads on both Catalyst switches and routers.
If the ACEs to be downloaded have DNS hostnames instead of IP addresses,
ACL Manager resolves the hostnames at the time of download. If a DNS hostname
cannot be resolved by ACL Manager for some reason, (for example, the
DNS server is down) it results in a pre-download failure (if the Abort download
option was chosen in the Job Options dialog box). The status is displayed in the
Job Browser (see Browsing Job Status and Viewing Results).
You can schedule a job download using the Schedule Job pane of the Job
Download Wizard, if you have Role-based access to the devices for which you
want to schedule the job download. See Step 7 of the procedure in Defining the
Job and Selecting the Job Options, for details.
After you specify the job options in the Select Job Options pane of the Job
Download Wizard, select the Schedule Job Definition option and click Next, the
Schedule Downloads pane appears. (See Figure 15-4).

Figure 15-4 Schedule Job Pane

To schedule a job download:

Procedure
Step 1

Select one of these Protocol Options in the Schedule Job pane:

Select Use TFTP to specify TFTP as the protocol for downloading configuration commands. This requires the SNMP write community string, which you can specify through the Inventory module of Resource Manager Essentials. See the documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/u_guide/ug_devm.htm
The Use TFTP option is selected by default for all devices other than PIX devices. If you have selected PIX devices, this option is disabled.
Note that TFTP transfers the configuration without authentication or encryption, and the SNMP write community string that triggers the transfer is itself sent in cleartext, so for devices reached across an untrusted network prefer Use Telnet/SSH with SSH first in the protocol order.

Select Use Telnet/SSH to specify Telnet or SSH as the protocol for downloading configuration commands.
The commands are downloaded through either Telnet or SSH, depending on the order maintained in Resource Manager Essentials > Administration > Configuration Management > Configuration Job Setup > Config Download Protocol Order.

Step 2
Specify the Download Schedule:

• Immediate: runs the job as soon as possible. To schedule an immediate
  download, you need to have the Immediate Download role. Immediate job
  downloads do not go through change approval processing.

or

• Schedule At: runs the job at a future date and time. Specify the date and the
  time in hours and minutes.

If you want ACL Manager to override any out-of-band changes that may not have
been resolved, select Override Out-of-band Changes. See Managing
Out-of-Band Changes to Device Configuration.

If you select this option, the changes that you have scheduled for download to
the selected devices will supersede any configuration changes that may have
been made directly on the device.

If you do not select this option, the job runs only if the configuration on the
device matches the baseline configuration. If you schedule a job and someone
changes the device configuration in the meantime, the job fails.

If you want ACL Manager to do minimal download verification, select Minimal
Download Verification. ACL Manager normally performs two levels of
verification after a job has been downloaded to the specified devices. If you
select this option, ACL Manager performs only one level of verification, and
the deployment of ACLs on devices is faster. However, before using this option,
you should ensure that:

• ACL Manager has discovered the device features properly.

• The devices are not physically remote, in case you have selected TFTP as the
  download protocol, to avoid transport-related download failures.

• If you have PIX devices in your network along with other devices, you have
  created two different job definitions, one for PIX devices and the other for
  CatOS and IOS devices, because this option is not available for PIX devices.

After using the Minimal Download Verification option, if you want to verify that
your changes have reached the devices, you can run a check on the devices for
Out-of-Band changes. For details about checking for Out-of-Band changes, see
Chapter 15, Managing Out-of-Band Changes to Device Configuration.
If you want to be notified about the job download status after completion, select
Email me.

Step 3
Click Next.
The job is scheduled and the Job Summary pane appears. See Viewing the Job
Summary.

Viewing the Job Summary

Use the Job Summary pane of the Job Download Wizard to verify your Job
Definition or your Job Download options (if you have scheduled a job download
using the Wizard).
To view the Job Summary pane:

Procedure

Step 1
Specify the job options and click the Next button in the Select Job Options pane.
or
Specify the job options, schedule a job download, and then click the Next button
in the Schedule Download pane.
See Step 7 of the procedure in Defining the Job and Selecting the Job Options
for details.
The Job Summary pane appears (see Figure 15-5).


Figure 15-5 Job Summary Pane

The changed entities that you selected for the job definition appear in the
Selected Entities table of the Job Summary pane.
The columns in the Selected Entities table are:

Column            Description
Device            Device selected for download.
Entity Name       Name of the selected entity.
Entity Type       Type of the selected entity. The entity can be an ACL,
                  an ACL Use, or a Time Range.
Version           Version of the entity.
Change Category   Type of the change. The change can be Creation,
                  Modification, or Deletion.


The Job Summary pane has two tabbed sections:

Tab                 Description
Definition Options  Displays the options that you selected in the Select Job
                    Options pane.
Download Options    Displays the options that you selected in the Schedule
                    Download pane. This tab is enabled only if you have
                    scheduled a job using the Schedule Download pane of the
                    Job Download Wizard.

In the Job Summary pane, you can verify the following Job Definition and Job
Download options that you may have already specified using the Job Download
Wizard:

• Options displayed in the Selected Entities table.

• Job definition options displayed in the Definition Options tab.

• Job download options displayed in the Download Options tab.

If you want to change any of the options, use the Back button to navigate to the
appropriate pane of the Job Download Wizard. Make the necessary changes and
return to the Job Summary pane.

Step 2
Click Finish after you complete your verification of the Job Summary.
ACL Manager displays the Job Definition ID in a pop-up message box for your
reference. The Job Definition and the Job Download options (if you have specified
them) are saved.
You can use the Job ID to track the status of the job. ACL Manager alerts you if
there is a problem with a job schedule time; see Browsing Job Status and
Viewing Results.
The device configuration does not change until a job runs and the configuration
changes are downloaded to the device.
To open the Config Diff Viewer, click the Diff button in the Select Changed
Entities pane of the Job Download Wizard (see Defining the Job and Selecting
the Job Options). You can also select Tools > Diff Viewer in the ACL Manager
Main Window to open the Config Diff Viewer.


Browsing Job Status and Viewing Results

The ACL Manager Job Browser displays job status and results. The Job Browser
provides device-level details about a job.
You can use the Job Browser to:

• View job definitions.

• View all scheduled jobs, their status, and other details, such as the creator,
  the scheduler, the approver, the time of creation, the scheduled time of
  download, and the completion time of download.

• Schedule job downloads using the Job Browser, if you have role-based
  download access to the devices (see Scheduling Job Downloads Using the
  Job Browser).

• View job results.

To open the Job Browser dialog box:

Procedure

Step 1
Select either:

ACL Manager > Job Management > Job Browser from the CiscoWorks
desktop.
or
Tools > Job Browser from the ACL Manager Main Window.

The Job Browser dialog box displays all job definitions and scheduled jobs (see
Figure 15-6).


Figure 15-6 Job Browser Dialog Box

If you want to display jobs based on Job Status or Job User, click the required
radio button. The information in the browser is filtered based on your selection.

Step 2
To refresh the data in the browser, click Refresh.

The columns in the Job Browser are:

Column             Description
Job Definition ID  Unique number assigned to the job by the Job Download
                   Wizard at the time of job definition.
Definition Name    Name of the job definition that was entered in the Select Job
                   Options pane of the Job Download Wizard.
Creator            ID of the user who created the job.
Time Created       Server time of creation of the job definition.
Description        Information about the job, which was entered in the Select
                   Job Options pane of the Job Download Wizard.
Job Status         Current state or last run result of the job.
Scheduler          ID of the user who scheduled the job for download.
                   This column is blank if the job has been defined but not yet
                   scheduled.
Job ID             Unique number assigned by JRM to the job at the time that it
                   was scheduled for download to the device. This number is
                   never reused.
                   This column is blank if the job has been defined but not yet
                   scheduled.
Scheduled At       Server date and time at which the job is scheduled to run.
                   This column is blank if the job has been defined but not yet
                   scheduled.
Finish Time        Server date and time at which the job download was completed.
                   This column is blank if the job has been defined but not yet
                   scheduled.
Approval ID        Change Approval ID for the job.
The Job Status can be any one of the following:

Job Status                      Meaning
Running                         Job is running.
Pending                         Job definition is not scheduled.
Scheduled waiting for approval  Job is waiting for approval from one of the
                                approvers.
Scheduled                       Job definition is scheduled for download.
Pending (Approved)              Job definition has been approved and has not
                                started.
Rejected                        Job was rejected by one of the approvers.
Failed                          Download failed on all devices. Click Results
                                to obtain more information.
Partial success                 Download failed on one or more devices. Click
                                Results to obtain more information.
Success                         Job downloaded successfully on all devices.


The buttons in the Job Browser and their actions are:

Button      Action
Close       Closes the Job Browser.
Refresh     Updates the Job Browser with the latest job definitions and
            scheduled jobs.
Schedule    Allows you to schedule jobs. Opens the Job Download dialog box.
Results     Allows you to view the status of all the devices in a job.
Reschedule  Allows you to reschedule a job that has failed.
Delete      Allows you to delete jobs. Any CiscoWorks Network Administrator
            can delete a job definition.
Help        Invokes the Help window for the Job Browser.

If you want to view the job status by device, select the job and click Results. The
Job Results window displays the status for all devices for that job (see
Figure 15-7).


Figure 15-7 Job Results

The Status column in the Job Results window can have these values:

Status                Meaning
Not attempted         No configuration changes were made to the device.
Pending               Job has not started.
Partial               Job is partially complete.
Pre-download failure  Can occur under the conditions listed below.
Downloaded            Job has been downloaded.
Rejected              Job was rejected by one of the approvers.

A Pre-download failure can occur under these conditions:

• An Out-of-Band change was detected on the downloaded device, and the
  Overwrite Out-of-Band Changes option was not checked while scheduling the
  download.
  Resolve the Out-of-Band change (see Chapter 3, topic Managing Out-of-Band
  Changes to Device Configuration), then click Reschedule to reschedule the
  download.
  Alternatively, click Reschedule and check the option Override Out-of-Band
  changes. The Out-of-Band changes will be overwritten, and the download will
  proceed.

• ACL Manager was unable to lock the changed entities because they have
  already been locked for another user.
  Click Reschedule, and reschedule the download to take place after 15-20
  minutes. For details, see What to Do if Your Download Fails.

• ACL Manager was unable to resolve the DNS hostname for some reason. This
  may happen if the DNS server is down, or hostnames have been removed from
  DNS, and you have selected the Abort download option in the Job Options
  dialog box.
  Click Reschedule, and reschedule the download to take place after a few
  minutes, or when the DNS server comes up.

If you want to view the configuration changes, click Diffs....
The Config Diff Viewer opens (see Chapter 3, Verifying Device Configuration
Changes).
If you want to see the results of the download on the devices, click Device
Details....

The Device Results window appears (see Figure 15-8).

Figure 15-8 Device Results Window

If you want to see the results of the download on the changed entities, select a
device from the Job Results dialog box (see Figure 15-7) and click Entity
Details....
The Job Entity Details window appears (see Figure 15-9).

Figure 15-9 Job Entity Details Window

The Job Definition ID and the Device Name details appear in the Job Entity
Details dialog box.


The columns in the Job Entity Details window are:

Column   Description
Entity   Name or ID of the entity.
Type     ACLs, ACL Uses, and Time Ranges.
Status   Download status of the entity. This can be Downloaded, Pending, or
         Verify Failed.

The Status column in the Job Entity Details window can have these values:

Status          Meaning
Verify failed   Download configuration does not match the device
                configuration. (For example, there could have been a change
                to the device configuration after the download started.)
Pending         Job has not started.
Downloaded      Job has been downloaded.

Marking Changes for Download

You can mark a required version of a changed entity to be downloaded to a device,
using the Mark Changes for Download dialog box.
This dialog box is useful when there are two groups of users:

• The group that defines jobs.

• The group that downloads ACLs, based on their roles, if you have enabled
  Role-based Access Control (see Chapter 9, Managing Tasks).

The users who define the jobs can mark the version of the entities that they want
the users with the Download ACLs role to download to the device.
This way, only the marked versions of the entities are downloaded to the device.


To mark the required version of a changed entity for download:

Procedure

Step 1
Select ACL Manager > Edit ACLs from ACL Manager to display the Edit ACLs
dialog box (see Chapter 3, Starting ACL Manager).

Step 2
Click Next after checking the required options. For details on the options in this
dialog box, see Chapter 3, Starting ACL Manager.
The ACL Manager Main Window appears.

Step 3
In the ACL Manager Main Window, select Tools > Mark Changes for
Download....
The Mark Changes for Download dialog box appears (see Figure 15-10).

Figure 15-10 Mark Changes for Download

Step 4
Expand the device folder and the required entity folders.

Step 5
Select the entities (ACLs, ACL Uses, or Time Ranges) that you want to mark for
the next run by clicking their check boxes.


Step 6
Click OK.
A message appears that you will lose the existing marks for the entities you have
selected.

Step 7
Click OK in the message box to proceed.

Your selected entities are marked, and appear in the Pending Marks Browser (see
Viewing Pending Marks).
If change approval has been enabled for job downloads, these marks will be in the
Pending state. After they are approved, their state changes to Approved.
The buttons in the Mark Changes for Download dialog box enable you to do these
tasks:

Button              Task
Diff                Shows the differences between the version of the changed
                    entity in your Devices folder or My Changes, and its
                    version on the device.
                    In the Mark Changes for Download dialog box, you can
                    verify the configuration changes on the entities marked for
                    download. To see the configuration changes on the marked
                    entities:
                    1. Select the check boxes for the entities.
                    2. Click the Diff button.
                    The Config Diff Viewer opens. For details, see Chapter 3,
                    Verifying Device Configuration Changes.
Show Pending Marks  Shows pending marks (see Viewing Pending Marks).
OK                  Saves your marks.
Cancel              Closes the dialog box without saving changes.
Help                Invokes the help for the dialog box.


Viewing Pending Marks

You can view the marks that are pending for the various changed entities using
the Pending Marks Browser.
You can also schedule the download for the marked entities using this browser if
you are a user with a Download ACLs role (see Chapter 9, Managing Tasks).
To open the Pending Marks Browser:

Procedure

Step 1
Select ACL Manager > Job Management > Pending Marks Browser from the
CiscoWorks desktop.
or
Open it from the Mark Changes for Download dialog box using the Show Pending
Marks button (see Marking Changes for Download).
The Pending Marks Browser appears (see Figure 15-11).

Figure 15-11 Pending Marks Browser


The columns in the Pending Marks Browser are:

Column           Description
Device Name      Name or IP address of the device.
Entity Name      Name of the marked entity.
Entity Type      Type of the marked entity. This can be ACL, ACL Use,
                 Time Range, etc.
Entity Version   Version of the marked entity.
Change Category  Creation, Modification, or Deletion.
Entity Status    Change approval processing status of the entity, if change
                 approval has been enabled for job downloads. This status
                 can be either Pending or Approved.
Marked Time      Server time at which the entity was marked.
Approval ID      Change Approval ID for the mark.

If you want to display jobs based on Job Status or Job User, click the required
radio button. The information in the browser is filtered based on your selection.
To refresh the data in the browser, click Refresh.
If you want to delete a mark, select it and click Delete. A message prompts you
to confirm the deletion. Click Yes to delete the mark.
If you want to schedule a download for a marked entity, select it and click
Schedule. This button is enabled only for users with a Downloader role.
The Schedule Job dialog box opens. To schedule the job, see the procedure in the
topic Scheduling the Download Using the Job Download Wizard.


Scheduling Job Downloads Using the Job Browser

You can use the Job Browser to schedule job downloads.

Procedure

Step 1
To display the Job Browser dialog box, select either:

ACL Manager > Job Management > Job Browser from the CiscoWorks
desktop.
or
Tools > Job Browser from the ACL Manager Main Window.

The Job Browser appears (see Figure 15-6).

Step 2
Select the job definition that you want to schedule for download, and click
Schedule.
The Job Download dialog box appears. The options in this dialog box are the same
as those in the Schedule Job pane of the Job Download Wizard. See Scheduling
the Download Using the Job Download Wizard.

Step 3
Click OK.
The job is scheduled.

Job Management Integration

The Job Browser of ACL Manager is integrated with the Job Resource Manager
(JRM) using the CiscoWorks Job Management tasks. You can:

• Get information on all the jobs that are running, including ACL Manager
  jobs.

• Free resources locked by running jobs.

• Remove jobs.

(For details of ACL Manager jobs, see Browsing Job Status and Viewing
Results and Figure 15-7.)


Use the Job Resource Manager (JRM) of CiscoWorks to browse jobs, release
resources, and stop and remove jobs.
Select Server Configuration > Administration > Job Management from the
CiscoWorks desktop to perform these tasks.

Rescheduling Jobs

You can edit and reschedule jobs that have or have not been completed, using the
ACL Manager Job Browser.
To reschedule a job:

Procedure

Step 1
Select either of the following to display the Job Browser dialog box:

ACL Manager > Job Management > Job Browser from the CiscoWorks
desktop.
or
Tools > Job Browser from the ACL Manager Main Window.

The Job Browser appears (see Figure 15-6).

Step 2
Select the required job, then click Reschedule.
The Reschedule Config Download dialog box appears.
The title of the screen displays the Job Definition ID for the job that you want to
reschedule. The options in this dialog box are the same as those in the Schedule
Job pane of the Job Download Wizard. See Scheduling the Download Using the
Job Download Wizard.

Step 3
Change the download options, schedule the date and time, and click OK.
If the job that you are rescheduling has failed devices, the following message
appears:

Job contains failed devices. Do you want to reschedule for failed
devices only?

Click Yes to reschedule the job download for only the failed devices. A new job
is created for these failed devices, while the old job remains intact.


To reschedule the job for all the devices, click No. A new job (with a new job ID)
will be created.
A device is said to be a failed device if:

• Pre-download has failed.

• Download has failed.

• Update startup has failed.

• Download verification has failed.

• Device has been locked.

If you reschedule the download only on the failed devices, the download will be
faster.

Canceling Pending Jobs and Purging Old Jobs

To cancel a scheduled ACL job or purge old ACL jobs, use the ACL Manager Job
Browser. All jobs remain until you remove them.

Procedure

Step 1
To display the Job Browser dialog box, select either of the following:

ACL Manager > Job Management > Job Browser from the CiscoWorks
desktop.
or
Tools > Job Browser from the ACL Manager Main Window.

The Job Browser appears (see Figure 15-6).

Step 2
Select the jobs you want to cancel or purge.

Step 3
Click Delete.


What to Do if Your Download Fails

A download can fail for many reasons. The workarounds are given below.

Reason for failure: Loss of connectivity to the device.
Workaround: Ensure that the device is reachable and you can telnet to the device.

Reason for failure: An Out-of-Band change was detected on the device on which
the download is running, and you have not checked the option Overwrite
Out-of-Band changes.
Workaround: Click the Reschedule button in the Job Browser to reschedule the
download, and check the option Override Out-of-Band changes. The Out-of-Band
changes will be overwritten, and the download will proceed.
or
Resolve the Out-of-Band change (see Chapter 3, topic Managing Out-of-Band
Changes to Device Configuration). Click the Reschedule button in the Job
Browser to reschedule the download.

Reason for failure: The device has already been locked for download by another
user.
Workaround: Click the Reschedule button in the Job Browser, and reschedule the
download to take place after 15-20 minutes.
or
Before rescheduling, you can check details of the job that is already running, as
follows:

• If you are sure it is an ACL Manager job, use the Job Browser to view the job
  details. Reschedule your job accordingly by clicking the Reschedule button in
  the Job Browser.

• If you are not sure it is an ACL Manager job that is currently running on the
  device, use the JRM Job Manager to see the job details. On the CiscoWorks
  desktop:

  1. Select Server Configuration > Administration > Job Management.
     The Job Manager dialog box appears. It displays all scheduled jobs and
     their download status.

  2. Select the required job and click the Job Details button.
     The Job Results window of ACL Manager appears (see Figure 15-7).

  3. Check the job details here and reschedule your job accordingly by clicking
     the Reschedule button in the Job Browser (see Figure 15-6).

Chapter 16

Optimizing ACLs

These topics describe optimization and how you can optimize your ACLs for
better performance:

• ACL Optimizer and Hits Optimizer

• Using the ACL Optimizer

• Using the ACL Hits Optimizer

• Resetting Hit Counters

• Getting Hits from a Device

ACL Optimizer and Hits Optimizer

When you use an ACL on one or more interfaces in a network device, network
traffic performance through the device can be degraded for these reasons:

• Each packet through an interface may be compared against all the ACE
  statements in an ACL used on the interface until one of the statements is a
  hit.

• The ACE statements are examined in sequence.

To improve device performance, the ACL Optimizer minimizes the number of
ACEs that must be compared. The ACL Hits Optimizer re-arranges ACEs in an
order in which the most frequently hit ACEs are placed first.


Using the ACL Optimizer or Hits Optimizer changes the physical view of the ACL;
it does not change the logical view. Any change made to the logical view
(including re-ordering ACEs) re-creates the physical view, so the optimizations
are lost and must be re-done.

ACL Optimizer

The goal of the ACL Optimizer is to minimize the number of ACEs in an ACL. It
accomplishes this by:

• Removing covered ACEs. In the following example, the second original ACE
  covers the first.

  Original ACEs:
    permit ip from host 205.178.18.5
    permit ip from 205.178.18.0/0.0.0.255
  Optimized ACEs:
    permit ip from 205.178.18.0/0.0.0.255

• Merging maskable ACE address ranges. In the following example, the
  original ACEs' address ranges are contiguous and maskable:

  Original ACEs:
    permit ip from host 205.178.18.8
    permit ip from host 205.178.18.9
    permit ip from host 205.178.18.10
    permit ip from host 205.178.18.11
    permit ip from host 205.178.18.12
    permit ip from host 205.178.18.13
    permit ip from host 205.178.18.14
    permit ip from host 205.178.18.15
  Optimized ACEs:
    permit ip from 205.178.18.8/0.0.0.7

• Merging covered ACE port ranges. In the following example, the port range
  of the second original ACE combines with the port range of the first original
  ACE to cover the entire set of port ranges:

  Original ACEs:
    permit tcp gt 25 from host 205.178.18.5
    permit tcp lt 50 from 205.178.18.5
  Optimized ACEs:
    permit tcp between 0 and 65535 from 205.178.18.5

• Removing redundant ACEs.

  Original ACEs:
    permit ip from any
    deny ip from 205.178.18.5
  Optimized ACEs:
    permit ip from any

• Removing duplicate ACEs.

  Original ACEs:
    permit ip from host 205.178.18.5
    permit ip from host 205.178.18.5
    permit ip from host 205.178.18.10
  Optimized ACEs:
    permit ip from host 205.178.18.5
    permit ip from host 205.178.18.10
ACL Hits Optimizer

The goal of the ACL Hits Optimizer is to place the most frequently hit ACEs
ahead of the less frequently hit ACEs. A hit occurs when an ACE statement
matches a network packet; IOS tracks the number of times a statement is hit.
ACL Manager reorders the ACEs accordingly, as follows:

  Original ACEs (# Hits):
    permit ip from host 205.178.18.5 (300)
    deny ip from host 205.178.18.100 (500)
  Optimized ACEs:
    deny ip from host 205.178.18.100
    permit ip from host 205.178.18.5


Reordering ACEs is performed only if the new order does not change the ACL
semantics. For example, ACL Manager will not reorder ACEs in the following
way:

  Original ACEs (# Hits):
    deny ip from host 205.178.18.5 (300)
    permit ip from 205.178.18.0/0.0.0.255 (500)
  Incorrectly Reordered ACEs:
    permit ip from 205.178.18.0/0.0.0.255
    deny ip from host 205.178.18.5

ACL Manager will not perform this reorder because doing so would change the
ACL semantics, which were to deny packets from host 205.178.18.5 and allow
them from the rest of the subnet.

Note

Standard IP ACLs and VACLs do not support Hit Counters, so the Hits Optimizer
is not available for these types of ACLs.
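
The reductions described under ACL Optimizer and the semantics-preserving reorder described under ACL Hits Optimizer, as an added example that is not code from this guide or from ACL Manager: a Python implementation run over the guide's own ACEs, limited to source-address matching (port-range merging is left out). The Ace class, the use of Python's ipaddress module to read the guide's wildcard masks, and the rule that an entry never moves ahead of an overlapping entry with the opposite action are my assumptions about how the optimizer decides what is safe to remove or reorder.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, collapse_addresses

@dataclass(frozen=True)
class Ace:
    """One ACE: action, source prefix, and the hit count reported by the device."""
    action: str        # "permit" or "deny"
    net: IPv4Network   # source range; a host is a /32, "any" is 0.0.0.0/0
    hits: int = 0      # used only by the Hits Optimizer

    def __str__(self):
        if self.net.prefixlen == 32:
            src = f"host {self.net.network_address}"
        elif self.net.prefixlen == 0:
            src = "any"
        else:  # print the mask as the guide does, in wildcard form
            src = f"{self.net.network_address}/{self.net.hostmask}"
        return f"{self.action} ip from {src}"

def ace(action, src, hits=0):
    """Build an Ace from the guide's notation: 'any', 'host A.B.C.D' or 'A.B.C.D/wildcard'."""
    if src == "any":
        return Ace(action, IPv4Network("0.0.0.0/0"), hits)
    if src.startswith("host "):
        return Ace(action, IPv4Network(src[5:] + "/32"), hits)
    # ipaddress accepts a wildcard (host) mask; strict=False tolerates host bits, as IOS does
    return Ace(action, IPv4Network(src, strict=False), hits)

def covers(a, b):
    """True if every packet matched by b is also matched by a."""
    return b.net.subnet_of(a.net)

def conflicts(a, b):
    """True if a and b can match the same packet with different actions."""
    return a.action != b.action and a.net.overlaps(b.net)

def remove_shadowed(acl):
    """Redundant and duplicate ACEs: an entry fully covered by an earlier entry is
    unreachable whatever its action, so it is dropped."""
    out = []
    for e in acl:
        if not any(covers(prev, e) for prev in out):
            out.append(e)
    return out

def remove_covered(acl):
    """Covered ACEs: drop an entry that a later same-action entry covers, unless an
    opposite-action entry in between overlaps it (dropping it would then change results)."""
    out = []
    for i, e in enumerate(acl):
        keep = True
        for j in range(i + 1, len(acl)):
            if acl[j].action == e.action and covers(acl[j], e):
                keep = any(conflicts(x, e) for x in acl[i + 1:j])
                break
        if keep:
            out.append(e)
    return out

def merge_maskable(acl):
    """Maskable ranges: consecutive same-action entries can be reordered freely, so
    their prefixes are collapsed into the fewest aligned networks; hits are carried over."""
    out, i = [], 0
    while i < len(acl):
        j = i
        while j < len(acl) and acl[j].action == acl[i].action:
            j += 1
        run = acl[i:j]
        for net in collapse_addresses(e.net for e in run):
            hits = sum(e.hits for e in run if e.net.subnet_of(net))
            out.append(Ace(acl[i].action, net, hits))
        i = j
    return out

def optimize(acl):
    """ACL Optimizer pass: fewer ACEs, same packets permitted and denied."""
    return merge_maskable(remove_shadowed(remove_covered(acl)))

def hits_optimize(acl):
    """Hits Optimizer pass: most-hit entries first, but an entry never moves ahead of
    a conflicting one, so the ACL semantics are unchanged."""
    remaining, out = list(acl), []
    while remaining:
        best = None
        for idx, e in enumerate(remaining):
            if any(conflicts(p, e) for p in remaining[:idx]):
                continue  # a conflicting entry still precedes it; not eligible yet
            if best is None or e.hits > remaining[best].hits:
                best = idx
        out.append(remaining.pop(best))
    return out

if __name__ == "__main__":
    # Constructed input: the guide's eight contiguous host ACEs and its hits example.
    hosts = [ace("permit", "host 205.178.18.%d" % h) for h in range(8, 16)]
    print([str(e) for e in optimize(hosts)])   # ['permit ip from 205.178.18.8/0.0.0.7']
    hits = [ace("permit", "host 205.178.18.5", 300), ace("deny", "host 205.178.18.100", 500)]
    print([str(e) for e in hits_optimize(hits)])  # deny first: more hits, no conflict
```

The check in remove_covered is the one the guide's "covered ACEs" rule leaves implicit: a permit for a host that a later permit for its subnet covers can only be dropped if no deny for that host sits between them.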

Using the ACL Optimizer

Use the ACL Optimizer to minimize the number of ACEs in an ACL and improve
router performance.
To use the ACL Optimizer:

Procedure

Step 1
From the ACL Manager Main Window, select the ACL that you want to optimize.
In Figure 16-1, ACL 7 is selected.


Figure 16-1 ACL to be Optimized

Step 2
Select Optimizer from the ACL pop-up window.
The Optimizer completes optimization and a high-level report appears (see
Figure 16-2).


Figure 16-2 ACL Optimizer

Step 3

Click Details to view more information (see Figure 16-3).


Figure 16-3 ACL Manager Optimizer Details

Step 4
If you are satisfied with the optimization, click Done to return to the previous
display.

Step 5
Click Apply to apply the optimization.

Using the ACL Hits Optimizer

Use the ACL Hits Optimizer to place the most frequently hit ACEs ahead of the
less frequently hit ACEs, improving network traffic throughput.
You can use the Hits Optimizer only for IP Extended ACLs and PIX ACLs.


To use the ACL Hits Optimizer:

Procedure

Step 1
From the ACL Manager Main Window, select the ACL you want to optimize, for
example, ACL 103 (see Figure 16-4).

Figure 16-4 ACL to be Hit Optimized

Step 2
Right-click the ACL and select Hits Optimizer.
The Hits Optimizer completes optimization and a high-level report appears (see
Figure 16-5).


Figure 16-5 Hits Optimizer

Step 3

Click Details to view more information (see Figure 16-6).


Figure 16-6 Hits Optimizer Details

If you are satisfied with the optimization, click Done to return to the previous
display.

Step 4
Click Apply to apply the optimization.


Resetting Hit Counters

You can reset the hit counters to zero from ACL Manager.

Procedure

Step 1
From ACL Manager, select Administration > Reset Hit Counter (see Figure 16-7).

Figure 16-7 Reset Hit Counter Dialog Box

Step 2
Select All Devices, then select those devices for which you want the hit counter
reset to zero.

Step 3
Click Finish.


Getting Hits from a Device

To view the latest hits on a specific device, you can use the option Get Hits from
the Device.
This option is not supported for IP and VACLs.
To use the Get Hits from Device option:

Procedure

Step 1
In the ACL Manager Main Window, select a device from the Devices folder.

Step 2
Select the option Get Hits from Device.
The latest hits on the device appear in the right pane.

Note
You should be in the physical view of an ACL to view the hits from a
device.


Chapter 17

Generating Reports in ACL Manager

You can generate reports that provide various levels of information about the
events that have occurred within ACL Manager components.
For example, you could generate a report of:

• All change requests that are approved, rejected, expired, or pending approval.

• All time range events.

• All Out-of-Band changes on a device within a specified time frame.

You can view the reports in your browser window, save them for review later, or
print them out for reference.
Your login determines the type of reports that you can generate. That is, when
Role-based Access Control is enabled, you can generate reports only for those
devices for which you have rights, based on the user group that you belong to.
To enable Role-based Access Control, see the Installation Guide for ACL
Manager.
You can generate the following reports:

• Time Range Events in Selected Time Frame Report

• Change Approval Status Report

• Out-of-Band Changes Report

• Role-based Access Control Reports


Time Range Events in Selected Time Frame Report


You can generate a report on Time-based ACEs and check their status within a
time frame that you have specified.
For more details on Time-based ACEs, see Chapter 4, Using Time Range
Definitions.
To generate the report:

Procedure
Step 1

Select Administration > ACL Manager Reports > Time Range Changes.
The first Time Range Events in Selected Time Frame Report dialog box opens.

Step 2

Enter the start time in hours (0 to 23) and minutes (0 to 59).

Step 3

Select the start date for the report.

Step 4

Enter the end time in hours (0 to 23) and minutes (0 to 59). The end time should
be greater than the start time.

Step 5

Click Next.
The second Time Range Events in Selected Time Frame Report dialog box opens.

Step 6

From the Available Event Types box, select the events that you require for the
report, and click Add.
The selected events move to the Selected Event Types box.

Step 7

Click Next.
The third Time Range Events in Selected Time Frame Report dialog box opens.

Step 8

Select a device view from the Views column, for example, All Devices.
The devices corresponding to the selected view appear in the Devices column.

Step 9

Select the devices for which you would like to see the report.
ACL Manager allows you to select any device from the Device Selector dialog
box. If you do not have access rights to some of the devices, you will see a
message indicating this. Only the devices that you have rights to access are
selected.


Step 10

Click Finish.
The Time Range Events in Selected Time Frame Report opens in a separate
browser window.
The fields in the Time Range Events in Selected Time Frame Report are:

Fields                 Explanation
Device ID              Device on which the change was implemented.
Occurred Event Type    Type of the event. For example, Time Range Active, Time Range Expired.
Comments               Comments for the event.
Type of Change         Type of the change. For example, Network Change is the type of change that occurs when a Time Range becomes active.
Recorded At            Date and time of the event.

Change Approval Status Report


This report is available to you only if you have enabled Change Approval at the
time of installing ACL Manager.
To enable Change Approval, see the Installation Guide for ACL Manager.
You can generate a report of all the change requests that you have submitted, and
view their status. The change requests that you submitted could be in a pending,
approved, rejected, expired or partially approved state.
A partially approved state is one where the change request needs to be processed
by more than one Approver Group, and not all groups have completed the
processing. For details, see Chapter 11, Approving or Rejecting Change
Requests.


To generate the report:

Procedure
Step 1

Select Administration > ACL Manager Reports > Change Approval Status.
The Change Approval Status Report dialog box opens.

Step 2

Select the change request status from the drop-down list box.

Step 3

Click Next.
The Approver Group dialog box opens.

Step 4

Select the required approver group.

Step 5

Click Finish.
The Change Approval Status Report opens in a separate browser window.


The fields in the Change Approval Status Report are:

Fields                 Explanation
Change ID              Unique number assigned to the change request at submission time.
Status of Request      Processing status of the change request: pending, partial, approved, rejected, or expired.
Submitter Name         User ID of the user who submitted the change request.
Submitter Comments     Description of the change, entered by the user who submitted the request.
Submitted Time         Time of submission of the change request.
Approver Group Name    Name of the Approver Group that has rights to approve this change request.
Approver Comments      Comments entered by the Approver at the time of change processing. This field is blank if the change request has not yet been processed.
Approver Name          User ID of the Approver. This field is blank if the change request is pending processing.
Approval Time          Date and time of approval.

Out-of-Band Changes Report


Out-of-Band changes are changes made to the network outside ACL Manager, for
example directly on the device. You can generate a report on all the Out-of-Band
changes that have been made to specific devices within a time frame.


To generate the report:

Procedure
Step 1

Select Administration > ACL Manager Reports > Out-of-Band Changes.


The first Out-of-Band Changes Report dialog box opens.

Step 2

From the Available Event Types box, select the events that you require for the
report, and click Add.
The selected events move to the Selected Event Types box.

Step 3

Click Next.
The second Out-of-Band Changes Report dialog box opens.

Step 4

Select a device view from the Views column, for example, All Devices.
The devices corresponding to the selected view appear in the Devices column.

Step 5

Select the devices for which you would like to see the report.
ACL Manager allows you to select any device from the Device Selector dialog
box. If you do not have access rights to some of the devices, you will see a
message indicating this. Only the devices that you have rights to access are
selected.

Step 6

Click Next.
The third Out-of-Band Changes Report dialog box opens.

Step 7

Enter the start date and end date to specify the period for which you want to see
the Out-of-Band changes.

Step 8

Click Finish.
The Out-of-Band Changes Report opens in a separate browser window.


The fields in the Out-of-Band Changes Report are:

Fields            Explanation
Device Name       Name of the device on which the Out-of-Band changes have been made.
Type of Change    Type of the Out-of-Band change. For example, ACL Modification.
Entity Type       Type of the entity that has been changed. For example, ACL, Time Range.
Entity Name/ID    Name or ID of the entity.
Detected At       Date and time of detection of the Out-of-Band change.
If Resolved       Resolved or unresolved.
Handled By        ID of the user who handled the Out-of-Band change.

Role-based Access Control Reports


These reports are available to you only if you have enabled Role-based Access
Control at the time of installing ACL Manager.
To enable Role-based Access Control, see the Installation Guide for
ACL Manager.
You can generate the following Role-based Access Control reports:

Approver Group Mapping for Devices and Device Groups

Task Mapping Report

My User Group Membership Report

User Group Membership Report

My Task Mapping Report


Approver Group Mapping for Devices and Device Groups


You can generate a report of all the change requests, categorized by approver
group, for specified devices or device groups.
To generate the report:

Procedure
Step 1

Select Administration > ACL Manager Reports > Approver Group Mapping
for Devices.
The Approver Group Mapping for Devices Report dialog box opens.

Step 2

Select one of these options as your filter criterion for the report and click Next:

Use Devices as Filter Criterion


If you select Use Devices as Filter Criterion, the next dialog box allows you
to select the required devices. ACL Manager allows you to select any device
from the Device Selector dialog box.
If you do not have access rights to some of the devices, you will see a message
indicating this. Only the devices that you have rights to access are selected.

Use Device Groups as Filter Criterion


If you select Use Device Groups as Filter Criterion, the next dialog box
allows you to select the required device groups.

Step 3

Click Finish after selecting either the devices or device groups.


If you had selected Use Devices as Filter Criterion, the Approver Group Mapping
for Devices Report opens in a separate browser window.
The fields in the Approver Group Mapping for Devices Report are:

Fields                    Explanation
Device Name               Name or IP address of the device.
Device Group Name         Name of the Device Group for the device.
Device Group Members      Devices in the Device Group.
Approver Group Name       Name of the Approver Group that should process this change request.
Approver Group Members    User IDs of the members of the Approver Group that should process this change request.

If you had selected Use Device Groups as Filter Criterion, the Approver Group
Mapping for Device Groups Report opens in a separate browser window.
The fields in the Approver Group Mapping for Device Groups Report are:

Fields                    Explanation
Device Group Name         Name of the Device Group.
Device Group Members      Devices in the Device Group.
Approver Group Name       Name of the Approver Group that should process this change request.
Approver Group Members    User IDs of the members of the Approver Group that should process this change request.

My Task Mapping Report


You can generate a report to see the various tasks you are authorized to perform
on the devices or device groups that you have access to.
To generate the report:

Procedure
Step 1

Select Administration > ACL Manager Reports > My Task Mapping.


The My Task Mapping Report dialog box opens.


Step 2

Select one of these options as your filter criterion for the report and click Next:

Use Devices as Filter Criterion


If you select Use Devices as Filter Criterion, the dialog box that appears
allows you to select the required devices. ACL Manager allows you to select
any device from this dialog box.
If you do not have access rights to some of the devices, you see a message
indicating this. Only the devices that you have rights to access are selected.

Use Device Groups as Filter Criterion


If you select Use Device Groups as Filter Criterion, the dialog box that
appears allows you to select the required device groups.

Step 3

Click Finish after selecting either the devices or device groups.


The My Task Mapping Report appears.
If you had selected Use Devices as Filter Criterion, the fields in the My
Task Mapping Report are:

Fields             Explanation
User Name          User ID for which this report is generated.
User Group Name    Name of the user group that you belong to.
Task Name          Name of the task that you can perform on the device or device group.
Device Name        Name of the device that you have access to.


If you had selected Use Device Groups as Filter Criterion, the fields in the My
Task Mapping Report are:

Fields               Explanation
User Name            User ID for which this report is generated.
User Group Name      Name of the user group that you belong to.
Task Name            Name of the task that you can perform on the device or device group.
Device Group Name    Name of the device group that you have access to.

Task Mapping Report


You can generate a report that shows the task mapping for user groups to device
groups.
To generate the report:

Procedure
Step 1

Select Administration > ACL Manager Reports > Task Mapping.


The Task Mapping of User Group to Device Group Report dialog box opens.

Step 2

Select the required user groups and click Next.

Step 3

Select the required device groups and click Next.

Step 4

Click Finish.
The Task Mapping of User Group to Device Group Report opens in a separate
browser window.


The fields in the Task Mapping of User Group to Device Group Report are:

Fields               Explanation
User Group Name      Name of the selected user group.
Task Name            Tasks that the user group can perform on the device group.
Device Group Name    Name of the selected device group.

My User Group Membership Report


You can generate a report to see all the user groups that you currently belong to.
To generate the report, select Administration > ACL Manager Reports > My
User Group Membership.
The My User Group Membership Report opens.
The fields in the My User Group Membership Report are:

Fields                   Explanation
User Name                User ID for which this report is generated.
User Group Name          Name of the user group.
User Group Membership    User IDs of the members of the user group.


User Group Membership Report


You can generate a report to see the user groups that selected users belong to.
To generate the report:

Procedure
Step 1

Select Administration > ACL Manager Reports > User Group Membership.
The User Group Membership Report dialog box opens.

Step 2

Select the required users.

Step 3

Click Finish.
The User Group Membership Report opens.
The fields in the User Group Membership Report are:

Fields                   Explanation
User Name                User ID for which this report is generated.
User Group Name          Name of the user group.
User Group Membership    User IDs of the members of the user group.


Chapter 18

Troubleshooting ACL Manager


This chapter helps you troubleshoot common problems with ACL Manager. See
Table 18-1.
Table 18-1 Troubleshooting ACL Manager

Symptom: The ACL Manager Main Window is grayed out.
Probable cause: The OS did not refresh successfully.
Possible solution: Resize the Main Window to force a refresh.

Symptom: A template is not visible in the Template Selection Window.
Probable cause: The Template Selection Window lists only the templates specific to the ACL protocol. For example, if you are on ACL 100, you see only IP Extended templates. Template Manager, however, lists all templates.
Possible solution: Create a template appropriate to the ACL protocol. You must have administrator privileges to access Template Manager.


Symptom: Error message "Cannot connect to ACLM Server".
Probable causes and possible solutions:

You tried to start Resource Manager Essentials or ACL Manager before the applications were initialized.
Wait 1 minute for the Resource Manager Essentials and ACL Manager processes to start.

TCP port 15349 is in use.
Use netstat -a -n to view the status of TCP port 15349. If the port is in use by another program, change the AclmPort value in aclm.properties.

RmeGatekeeper is not running.
Start RmeGatekeeper:
1. Select CiscoWorks Server > Administration > Process Management > Process Status.
   The Process Status dialog box appears.
2. Select RmeGatekeeper from the drop-down list box to start the process.

The ACL Manager server is not running.
Select CiscoWorks Server > Administration > Process Management > Process Status to make sure the ACL Manager server is running.

The JRM or Change Audit processes are not running.
Make sure the JRM and Change Audit processes are running.


Symptom: Download Job status is Download Failed, and Device Results reports that telnet credentials did not match.
Probable cause: The telnet and enable passwords in Resource Manager Essentials do not match the device.
Possible solution: Match the telnet and enable passwords in the Resource Manager Essentials inventory with the device. To do this:
1. From the CiscoWorks desktop, select Resource Manager Essentials > Administration > Inventory > Check Device Attributes.
   The Check Device Attributes dialog box appears.
2. Check the passwords in this dialog box.
Probable cause: The TACACS username and password in Resource Manager Essentials do not match the device.
Possible solution: If you are using TACACS, match the TACACS username and password in the Resource Manager Essentials inventory with the device. Do not specify the local username and password in the Resource Manager Essentials inventory.

Symptom: Download Job status is Download Failed, and Device Results reports that telnet could not get the device prompt.
Probable cause: The device enable prompt ends in something other than #.
Possible solution: Set the device enable prompt to end in #.

Symptom: Download Job status is Download Failed, TFTP Download Failed, and Device Results reports that the SNMP Community string is wrong.
Probable cause: For TFTP download, ACL Manager uses the SNMP write Community string as well as the SNMP read Community string.
Possible solution: Check that the SNMP write Community string has been updated in the Resource Manager Essentials inventory, and that the Community strings are correct.


Symptom: The option Tools > Get Hits from Device in the ACL Manager Main Window is not enabled.
Probable cause: You have selected a Standard ACL. This option is supported only for IP Extended ACLs.
Possible solution: None.

Symptom: You have checked out an ACL or template from the right view. However, when you right-click on it, the entity still shows the Checkout option as enabled.
Probable cause: The right view or left view is not refreshed.
Possible solution: Refresh the right view. To do this, either close the ACL Definitions folder and open it again, or click elsewhere first and then click in the ACL Definitions folder.


Chapter 19

ACL Manager Usage Scenarios


This chapter describes ACL Manager usage scenarios.
These scenarios show you how to use ACL Manager to tackle problems such as
vulnerabilities in your network:

Tracking and Mitigating Network Vulnerabilities

Easy Deployment and Tracking of ACLs for Partner Networks

Using DNS Names in an ACE and Deploying Updated DNS-IP Mappings

Note

We sometimes update the printed and electronic documentation after original
publication. Therefore, you should also review the documentation related to
these scenarios on Cisco.com for any updates.

Tracking and Mitigating Network Vulnerabilities


New vulnerabilities appear at a fast rate. Recent examples include RPC/DCOM
(Windows OS) and Interface Blocked by IPv4 Packets (Cisco IOS).
When Cisco or any other vendor announces a vulnerability, it usually also
releases fixed software (a patch) and recommends ACLs that block the vulnerable
traffic.
Customers usually have several devices on which the vulnerability may exist,
and usually deploy the recommended ACLs first, because an ACL can be applied
immediately.


We recommend that users update the ACLs on applicable devices based on Cisco
Product Security Incident Response Team (PSIRT) Security Advisories. Updating
ACLs to mitigate vulnerabilities is a repetitive and cumbersome process since in
most cases it involves making the same changes on a number of devices.
This scenario describes how to mitigate the vulnerabilities using ACL Manager
effectively.

Prerequisites
In this scenario, you will use the following ACL Manager tools and features:

File Import (see the chapter Importing Configuration in the User Guide for
ACL Manager).

Template Manager (see the chapter Using the Template Manager in the User
Guide for ACL Manager).

Use Wizard (see the chapter ACL Manager Use Wizard in the User Guide
for ACL Manager).

ACL Downloader (see the chapter Scheduling and Downloading in the User
Guide for ACL Manager).

Handling Vulnerabilities
When a vulnerability is announced, Cisco Systems posts the advisory on
http://psirt.cisco.com.
To tackle a vulnerability using ACL Manager, you must:

Procedure
Step 1

Import the published ACL into ACL Manager (see Importing the Published ACL
into ACL Manager).

Step 2

Create a template using the imported ACL (see Creating a Template Using the
Imported ACL)


Step 3

Deploy the template on devices (see Deploying the Template on Devices)

Step 4

Deploy the ACL on devices (see Deploying the ACL on the Devices).

Importing the Published ACL into ACL Manager


To import a published ACL into ACL Manager:

Procedure
Step 1

Go to the appropriate web page and copy the ACEs recommended in the PSIRT
Security Advisory.
For example, for the vulnerability being discussed in this example, the advisory
is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
Select and copy these ACEs. They protect a Cisco IOS interface from being
blocked by IPv4 packets by denying the affected IP protocols (53, 55, 77 and
103); the leading permit entries let normal TCP and UDP traffic through, and the
final entry permits all other IP traffic:
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any

Step 2

From the CiscoWorks desktop, select ACL Manager > Edit ACL Templates.
The Template Manager main window opens.

Step 3

Select File > Import in the Template Manager main menu.


The File Import wizard opens.

Step 4

Select the option Upload Config from Editor in the File Import wizard, and click
Config Editor.
The Config Editor dialog box opens.

Step 5

Paste the ACEs that you copied from the web page (http://psirt.cisco.com) in
Step 1, into this window.

Step 6

Click OK.
If the ACL that you copied (ACL 101) already exists in the Imported Entities
folder of ACL Manager, select Replace Already Existing Entities, in the File
Import wizard.

Step 7

Click Next.
The Import Summary window opens and displays the ACL that you imported.

Step 8

Click Finish.

Creating a Template Using the Imported ACL


To create a template using an imported ACL:

Procedure
Step 1

In the left pane of the Template Manager main window, go to Root > Imported
Entities > Router > ACL Definitions.

Step 2

Select the imported ACL (ACL 101).


The ACEs appear in the right pane of the Template Manager main window.

Step 3

Select all the ACEs in the right pane.

Step 4

Right-click on the selected ACEs.


A pop-up menu appears.

Step 5

Select Save ACEs As from the pop up menu.


The Save As Template dialog box appears.

Step 6

Enter a name for the template that you are creating. For example, Vulnerabilities.
Ensure that you select the template type as Static.

Step 7

Select OK.

Step 8

From the Template Manager main window, go to Root > Template Root
Directory > Vulnerabilities.

Step 9

Right-click on the template Vulnerabilities.


A popup menu appears.


Step 10

Select Check-in from this pop-up menu.

Step 11

In the Check In dialog box, enter an appropriate check-in comment and click OK.
The template, Vulnerabilities, is checked in.

Step 12

Right-click on the template, Vulnerabilities, and select Set Master Version from
the pop-up menu.
This version will be deployed on the devices.

Deploying the Template on Devices


To deploy the template on Devices:

Procedure
Step 1

From the Template Manager main menu, select Tools > ACL Manager.
The ACL Manager Main Window appears.

Step 2

From the ACL Manager Main Menu, select Tools > ACL Use Wizard.
The Template Selection dialog box appears.

Step 3

Navigate to the location (or folder) where you have created the template
Vulnerabilities.

Step 4

Select the template Vulnerabilities. (Click Expand if you want to verify the
constituent ACEs.)

Step 5

Click Next.
The Device Selection dialog box appears.

Step 6

Select the devices on which you want to deploy the template Vulnerabilities.

Step 7

Enter a name for the ACL in the ACL Name or Number field. For example, the
ACL name can be Vulnerabilities_eliminator.
Before entering a name ensure that Autonumber the New ACL? is not selected
in the Device Selection dialog box.


If you are deploying the template for the first time, select only these two
options in the Device Selection dialog box:

Check out latest version of ACL

Overwrite the ACL.

When you deploy the template subsequently, you may select other options.
Step 8

Click Finish.
The Results window appears and displays the devices and the ACL. In this
window, the template that you earlier selected (Vulnerabilities) is included in the
ACL that is created on the selected devices.

Step 9

Click Create Uses.


The ACL Use Selection dialog box appears.

Step 10

Select the Packet Filtering option.

Step 11

Click Next.
The Interface Selection dialog box appears, displaying the interfaces of the first
device.
In this dialog box, you can choose all the interfaces or select some of them in the
incoming or outgoing directions, or in both directions.
If you want to tackle the vulnerabilities on all the interfaces for the device in the
incoming direction, enter * in the text field for the option Apply on all the
interfaces in the in direction starting with. This will select all the interfaces
in the incoming direction.
Also select the checkbox for the option Treat all subsequent devices similar to
this device?
For details of other options, see the chapter ACL Manager Use Wizard in the
User Guide for ACL Manager.

Step 12

Click Next.
The Summary window appears, with the interfaces for all the devices on which
this ACL has been used.

Step 13

Ensure that Checkout and overwrite latest version of existing ACL Uses? is
selected.


Step 14

Click Finish.
The results window appears with the ACL Vulnerabilities_eliminator applied in
the inbound direction on all the interfaces of the devices you have selected.

Step 15

Click Close.

Deploying the ACL on the Devices


To deploy the ACL on devices:

Procedure
Step 1

From the ACL Manager Main menu, select Tools > ACL Downloader.
The Select Changes Entities pane of the Job Download wizard appears, displaying
all the devices on which you have modified the ACLs and their uses.

Step 2

Select only those devices on which you want to deploy the ACL
Vulnerabilities_eliminator.

Step 3

Select their respective ACL Uses folder. Also select the ACL created on those
devices.
If you are sure that the only changes that have occurred, are those made through
the Use Wizard (that is, the creation of the ACL Vulnerabilities_eliminator and its
Uses), select the option All Entities, at the root level. This selects all the changed
entities under it.

Step 4

Click Diff to go to the respective devices and see what is being downloaded
on them.

Click Delta if you want to see the actual IOS commands being generated for
the devices.

Click Next.
The Select Job Options pane of the Job Download wizard appears.

Step 5

Enter a name and description for your job.

Step 6

Retain the default selections for the options in this pane and click Next.
The Select Job Definitions pane of the Job Download wizard appears.


Step 7

Select TFTP as the download protocol if you have selected many devices, since
the download will be faster. You may also select Minimal Download Verification
for a quicker job download.
Note that TFTP transfers the configuration without authentication or encryption,
so use it only over a management network that you trust.

Step 8

Schedule an Immediate job or select the job options as required.

Step 9

Click Email me if you want to receive an email regarding your job status.

Step 10

Click Next.
The Job Summary pane of the Job Download wizard appears.

Step 11

Select Finish.
The download job is created.
To verify this job, you can navigate to the Job Browser (ACL Manager > Job
Management > Job Browser) and see the status of your job. If you have
configured email, you will receive an email after the job is complete.

Tracking the Template Changes


After the job has been downloaded successfully:

Procedure
Step 1

From the CiscoWorks desktop, select ACL Manager > Edit ACL Templates to
open the Template Manager main window.

Step 2

Navigate to the template Vulnerabilities and open the Template Device Uses
folder.
All the devices to which this template has been deployed are listed in the right
pane.


Modifying the Template in Case of New Vulnerabilities and Deploying the Changes


This section describes how to use ACL Manager to tackle a new vulnerability
that may arise, using an existing template.
In this example, the new vulnerability is the W32.Blaster worm.

Procedure
Step 1

Go to the appropriate web page on Cisco.com and copy the ACEs recommended in
the advisory.
For this example, the ACEs recommended for the W32.Blaster worm are:
! --- block TFTP
access-list 115 deny udp any any eq 69
! --- block W32.Blaster related protocols
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
! --- block other vulnerable MS protocols
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
! --- block remote access due to W32.Blaster
access-list 115 deny tcp any any eq 4444


Step 2

Use the File Import Wizard as before, to import the ACL 115 into ACL Manager.
For the procedure, see Importing the Published ACL into ACL Manager.
The ACEs are imported.

Step 3

Go to Root > Imported Entities > Router > ACL Definitions in the left pane of
the Template Manager main window.

Step 4

Select the imported ACL (ACL 115).


The ACEs appear in the right pane of the Template Manager main window.

Step 5

Right-click in the right pane where the ACEs are displayed and select Copy.

Step 6

Check out the template Vulnerabilities.

Step 7

Select this template.


The ACEs in the template appear in the right pane of the Template Manager.

Step 8

Select the first ACE and right-click on it.


A popup menu appears.

Step 9

Select Paste.
The ACEs that you copied are pasted.

Step 10

Right-click on the template, and select Check-in from the pop-up menu that
appears.

Step 11

In the Check In dialog box, enter an appropriate check-in comment and click OK.
The template, Vulnerabilities, is checked in.

Step 12

Right-click on the template, Vulnerabilities, and select Set Master Version from
the pop-up menu.
This version will be deployed on the devices.

Step 13

Go to the folder Template Device Uses for the template.


The validity of all the template instances in the right view is displayed as false.

Step 14

Select all the template instances, and right-click.

Step 15

Select Bulk Update.


The Bulk Update dialog box appears. It automatically updates all the ACLs with
the new version of the template.


Step 16

Select all the rows in the Bulk Update dialog box and click Initiate Download.
The Job Download wizard appears. Schedule a download job (see Deploying the
ACL on the Devices).

Step 17

After a successful job download, open Template Manager and open the folder
Template Device Uses.
You will see that all the Template Device Uses in the right view are now displayed
as true.

By following this process, you can tackle vulnerabilities more easily using ACL
Manager: you only need to update the existing template, perform a Bulk Update,
and then download the template to the devices. Since the ACL Uses already exist
on the devices, you do not need to modify the uses.
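The following Python is an added example, not code from this guide or from ACL Manager: it parses the advisory's numbered ACL 115 into the list-number-free ACE form that a template holds, then checks constructed flows against it with IOS first-match semantics. The ACL text, the trailing permit-all ACE that stands in for a device's existing entries, and the flows are all constructed for the illustration.

```python
"""Added example (not ACL Manager code): parse the advisory's ACL 115 into
template-style ACEs and evaluate constructed flows against the result."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the Win32.Blaster ACEs quoted in this scenario.
ADVISORY_ACL = """
! --- block TFTP
access-list 115 deny udp any any eq 69
! --- block W32.Blaster related protocols
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
! --- block other vulnerable MS protocols
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
! --- block remote access due to W32.Blaster
access-list 115 deny tcp any any eq 4444
"""


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    protocol: str            # "tcp", "udp", "icmp" or "ip"
    src: str                 # "any" in the advisory; a template may carry $<var>
    dst: str
    dst_port: Optional[str]  # the "eq <port>" operand, None when absent
    remark: str = ""         # the "! ---" comment that preceded the ACE


def parse_numbered_acl(text: str, number: int) -> List[Ace]:
    """Parse 'access-list <number> ...' lines, carrying each comment along."""
    aces: List[Ace] = []
    remark = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            remark = line.lstrip("! -").strip()
            continue
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)]:
            raise ValueError(f"line does not belong to ACL {number}: {line}")
        action, protocol, src, dst = tokens[2:6]
        port = tokens[7] if len(tokens) >= 8 and tokens[6] == "eq" else None
        aces.append(Ace(action, protocol, src, dst, port, remark))
        remark = ""
    return aces


def to_template_aces(aces: List[Ace]) -> List[str]:
    """Render ACEs without the list number, as they appear inside a template."""
    lines: List[str] = []
    for ace in aces:
        if ace.remark:
            lines.append(f"! --- {ace.remark}")
        tail = f" eq {ace.dst_port}" if ace.dst_port is not None else ""
        lines.append(f"{ace.action} {ace.protocol} {ace.src} {ace.dst}{tail}")
    return lines


def evaluate(aces: List[Ace], protocol: str, dst_port: str) -> str:
    """The first matching ACE decides; with no match IOS applies an implicit deny."""
    for ace in aces:
        if ace.protocol not in (protocol, "ip"):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny (implicit)"


def deployed_acl() -> List[Ace]:
    """Constructed device ACL: the template pasted above the first existing ACE
    (as Step 8 and Step 9 do) followed by the device's own permit-all entry,
    so that first-match ordering is what keeps the worm ports blocked."""
    return parse_numbered_acl(ADVISORY_ACL, 115) + [Ace("permit", "ip", "any", "any", None)]


if __name__ == "__main__":
    acl = deployed_acl()
    print("\n".join(to_template_aces(acl)))
    for proto, port in (("tcp", "135"), ("udp", "69"), ("tcp", "4444"), ("tcp", "80")):
        print(f"{proto}/{port}: {evaluate(acl, proto, port)}")
```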

Easy Deployment and Tracking of ACLs for Partner Networks
Large enterprises usually enter into partnerships with other organizations and,
as part of that process, they need to give these partners access through their
networks.
This scenario describes how to deploy ACLs for partner networks and how to track
and manage them effectively using ACL Manager.
Typically, organizations or enterprises define a set of common rules (in the form
of ACLs) to allow partners to access their network and the services offered by
their network. Generally, the changing or variable components of these rules are
the networks and the ports.
ACL Manager allows you to define this type of rule as a variable template.
A variable template is a template that has at least one variable element present in
it. A variable element can be a source network, a destination network, a source
port, or a destination port. (If the variable template has more than one variable
within it, the variables can be in combination of these elements.)
Further, these variable templates, after they are created, can provide different
instances of the template for different partners.


We shall describe the creation, management and tracking of these variable
template instances in this scenario.

Prerequisites
In this scenario, you will use the following ACL Manager tools and features:

Template Manager (see the chapter Using the Template Manager in the User
Guide for ACL Manager).

Class Manager (see the chapter Using the Class Manager in the User Guide
for ACL Manager).

Use Wizard (see the chapter ACL Manager Use Wizard in the User Guide
for ACL Manager).

ACL Downloader (see the chapter Scheduling and Downloading in the User
Guide for ACL Manager).

To deploy, manage and track ACLs for partner networks you must:
Step 1

Create a variable template (see Creating a Variable Template)

Step 2

Create variable template instances (see Creating Variable Template Instances)

Step 3

Use variable template instances (see Using Variable Template Instances)

Step 4

Track Instances (see Tracking Instances)


Creating a Variable Template


To create a variable template:

Procedure
Step 1

Invoke Template Manager either by selecting:

ACL Manager > Edit ACL Templates from the CiscoWorks desktop
or

Tools > Template Manager from the ACL Manager Main Window.

Step 2

Navigate to the Template Root Directory.

Step 3

Select File > New Folder from the Template Manager main menu.
The New Folder dialog box appears.

Step 4

Name this folder, Partners.

Step 5

Click OK.

Step 6

Select the folder, Partners, from the Template Manager main window.

Step 7

Right-click and from the pop-up menu that appears, select New Template.
The Template Editor appears.

Step 8

Select Template Type as variable and Type as IP Extended.

Step 9

Name the template, apac-partners.

Step 10

Enter an appropriate comment.

Step 11

Click OK.
The template apac-partners is created.
For our example, this template will contain the following ACEs:
Example ACEs
! --- Allow web access
permit tcp <partners-network> any eq www
! --- Allow ftp access
permit tcp <partners-network> any eq ftp
permit tcp <partners-network> any eq ftp-data
! --- Allow ICMP
permit icmp <partners-network> any
! --- Allow TFTP server access
permit udp <partners-network> any eq tftp
! --- Deny everything else and log
deny ip any any log

Here, partners-network is the variable element which represents the partner's
network and is the source network field of the ACEs.

To create the first ACE:

Procedure
Step 1

Select the new template, apac-partners, that you created, and right-click on it.
A pop-up menu appears.

Step 2

Select Insert ACE from this popup.


The ACE Editor appears.

Step 3

Select the TCP protocol.

Step 4

Select the Source as Variable option.

Step 5

Enter a name for the variable, for example, partner-net.

Step 6

Select the destination port as www.

Step 7

Click OK.
The ACE is displayed in the right pane of the Template Manager main window.
This ACE contains the variable element, partner-net, which is displayed as:
$<partners-network>

Step 8

Similarly create the other ACEs, that you need for this example (see Example
ACEs).

Note

In the ACE Editor, the variable that you created earlier is available in the
Variable drop-down box.


Step 9

After you create all the required ACEs, right-click on the template apac-partners.
A pop-up menu appears.

Step 10

Select Check-in from this pop-up menu.

Step 11

In the Check In dialog box, enter an appropriate check-in comment and click OK.
The template apac-partners is checked in.

Step 12

Right-click on the template, apac-partners, and select Set Master Version from
the pop-up menu.
The master version for the template is set.

Step 13

Create instances for the template, apac-partners (see Creating Variable Template
Instances).

Creating Variable Template Instances


After the variable template has been created, the next step is to create the actual
instances for the variable in this template.
In this scenario, we shall assume that there are two corporations:

Frontier Networks

Ganga Electronics Inc.

Procedure
Step 1

In the Template Manager main window, navigate to the variable template
apac-partners that you created, and double-click on it.
The folder, Instances, appears. This is a system-defined folder.

Step 2

Select this folder, right-click and from the pop-up menu that appears, select New
Instance.
The Instance Editor appears.

Step 3

Enter a name for the instance, for example, Frontier-partner.

Step 4

Enter an appropriate comment.


Step 5

Click OK.
The Frontier-partner instance is created within the Instances folder. All the parent
variable template ACEs are copied to the instance. These are displayed in the right
pane when you select the instance. The new instance will be in the checked-out
state.
To assign the values to the variable elements in the ACEs, select the instance that
you have created (Frontier-partner).
The ACEs are displayed in the right pane.

Step 6

Double-click an ACE which contains the variable element, displayed as
$<partners-network> in our example.
The ACE Editor dialog box appears:

In this dialog box, you can only assign values to the variables. Everything else
will be disabled.

(For our example, we will assume that you have already created a network
class corresponding to each partner. We will call these network classes
Frontier-network and Ganga-network.
To create network classes, see the chapter Using the Class Manager in the
User Guide for ACL Manager.)

Step 7

In the ACE Editor dialog box, click Source Address.


The Network Class Browser dialog box appears.

Step 8

Select the network class, Frontier-network, from the Network Class Browser
dialog box.

Step 9

Click OK.
The value Frontier-network is assigned to the variable $<partner-net> and
appears in blue italics in the right pane of the Template Manager main window.
Wherever this variable appears in the other ACEs, the system assigns it the
same value.

Step 10

Check in the instance after assigning values to all the variables in the
instance.


Step 11

Set the Master Version for the instance.


Similarly, create a variable template instance, Ganga-partner, for Ganga
Electronics Inc., and assign values to the instance following the same procedure.

Using Variable Template Instances


To use variable template instances:

Procedure
Step 1

Invoke the ACL Manager Main Window by selecting Tools > ACL Manager from
the Template Manager main window.

Step 2

Navigate to the device to which you want to deploy the template instances.
You can either:

Select an existing ACL and insert the template (see Selecting an Existing
ACL).

or

Use the ACL Use Wizard to create a new ACL consisting only of the new
instance (see Creating a New ACL Using the ACL Use Wizard).


Selecting an Existing ACL


If you want to use an existing ACL:

Procedure
Step 1

Select the ACL from the ACL Definitions folder, right-click and check it out.

Step 2

Navigate to the appropriate position among the existing ACEs, right-click, and
select Include Template.
The Template Selection dialog box appears.

Step 3

Navigate to the instance which you want to include.


If you want to see the constituent ACEs, select the instance, click Expand and
click OK.
The template is included in the ACL in the appropriate position.

Step 4

Check in the ACL.

Creating a New ACL Using the ACL Use Wizard


If you want to use the ACL Use Wizard:

Procedure
Step 1

Select Tools > ACL Use Wizard from the Template Manager main window.
The Template Selection dialog box appears.

Step 2

Navigate to the instance, and select it.


If you want to see the constituent ACEs, click Expand and click OK.

Step 3

Click Next.
The Device Selection dialog box appears.

Step 4

Select the required devices.

Step 5

Deselect the Autonumber the new ACL? option.

Step 6

Enter a name for the ACL in the ACL name or number field. For example,
Frontier-partner-access.


Step 7

Click Create Uses.


The ACL Use Selection dialog box appears.

Step 8

Select the ACL Use Packet Filtering.

Step 9

Click Next.
The Interface Selection dialog box appears.

Step 10

Select the interface on which you want to use the ACL (access-group statement)
in the incoming direction (direction may vary based on your requirements).
If you have selected multiple devices, select the option Treat all Subsequent
Devices Similar to this Device? if the interfaces that you have selected exist on
these devices.

Step 11

Click Next.
The Summary dialog box appears with the uses created on the specified interfaces.

Step 12

Select the option Checkout and Overwrite the Latest version of ACL Uses?

Step 13

Click Finish.
The Results dialog box appears.

Step 14

Click Close.
Similarly follow these steps for creating the ACL Use for Ganga Electronics Inc.

Deploying and Verifying Variable Template Instances and Their Uses


To deploy and verify variable template instances and their uses:

Procedure
Step 1

From the Template Manager main menu, select Tools > ACL Downloader.
The Select Changes Entities pane of the Job Download wizard appears.

Step 2

Follow the procedure described in Deploying the ACL on the Devices.


To verify this job, you can go to the Job Browser and see the status of your job.
If you have configured email, you will receive an email after the job is complete.

Step 3

After a successful job download, open Template Manager.


Step 4

Navigate to the template Instances folder.

Step 5

Open the folder, Template Device Uses.


You will see that all the Template Device Uses for the instances are now displayed
as true.
Verify that the validity is true for both the instances that you created (for Frontier
Networks and Ganga Electronics Inc.).

Tracking Instances
In this scenario, we shall consider two cases:

When the Variable Template Instance Changes.


For example, a variable template instance will change if a partner corporation
has reassigned the IP addresses for its network.

When the Parent Variable Template Changes.


For example, a variable template will change when an administrator wants to
add more rules to the template to either allow or restrict the partner from
additional services.

When the Variable Template Instance Changes


Let us consider a case where a template instance has to change.
Assume that we need to incorporate an additional network into the Frontier-net
network class. Make the appropriate changes to the network class.

Procedure
Step 1

After making the appropriate changes, in the Template Manager, navigate to the
instance Frontier-partner, and check it out.

Step 2

Select the instance, right-click and select Update Logical Entities in the pop-up
menu.
This updates all the variable elements with the latest version of the Frontier-net
network class, which you modified.

Step 3

Check in the instance.


Step 4

Set the master version.

Step 5

Double-click on the instance and select the folder Template Device Uses.
The template instance validity is displayed as false in the right pane.

Step 6

Select all the rows in the right pane and right-click.

Step 7

Select Bulk Update.


The Bulk Update dialog box appears. It updates all the ACLs with the new version
of the template.

Step 8

Select all the rows in the Bulk Update dialog box and click Initiate Download.
The Job Download wizard appears.

Step 9

Schedule a download job (see Deploying the ACL on the Devices).


After a successful job download, open Template Manager and open the folder
Template Device Uses.
You will see that all the Template Device Uses are now displayed as true.

When the Parent Variable Template Changes


Let us consider the case where the parent variable template has to change.

Procedure
Step 1

Navigate to the parent variable template in the Template Manager main window.

Step 2

Check out the variable template.

Step 3

Add or delete or modify the ACEs in the right view as required.


For example, if you want to allow SNMP access, use the ACE Editor to add an ACE
that permits SNMP, and place this ACE before the comment Deny everything else
and log in your set of ACEs (see Example ACEs):
! --- Allow SNMP access
permit udp <partners-network> any eq snmp

Therefore, your block of ACEs will now appear as:
! --- Allow web access
permit tcp <partners-network> any eq www
! --- Allow ftp access
permit tcp <partners-network> any eq ftp
permit tcp <partners-network> any eq ftp-data
! --- Allow ICMP
permit icmp <partners-network> any
! --- Allow TFTP server access
permit udp <partners-network> any eq tftp
! --- Allow SNMP access
permit udp <partners-network> any eq snmp
! --- Deny everything else and log
deny ip any any log

Step 4

Check in the Variable template.

Step 5

Set the Master Version.


After selecting the master version, all the instances will be grayed out.
In this example, the instances Frontier-partner and Ganga-partner, will be grayed
out.

Step 6

Select the parent variable template which has changed, and right click.

Step 7

From the pop-up menu that appears, select Reconcile Instance(s).


This option reconciles or syncs instances with the parent variable template. (That
is, it transmits all the changes effected on the parent variable template, to all the
instances.)
The Reconcile Instance(s) dialog box appears.

Step 8

For our example, select both the options Check In Instances after
Reconciliation and Set the Master Version.

Step 9

Click OK.
The Reconcile Results window appears with the results of the reconciliation
operation.

If no new variables were introduced in the parent variable template, the
system automatically synchronizes all the instances. That is, it checks out,
updates, and then checks in the instances.


If new variables have been introduced in the variable template, the system
will not be able to check in the instances. The Reconcile Results window will
show the appropriate results. To check in successfully, you need to assign
values to the newly introduced variables.

Step 10

Double-click on the instance and select the Template Device Uses folder.
The template instance validity is displayed as false in the right pane.

Step 11

Select all the rows in the right pane and right-click.

Step 12

Select Bulk Update.


The Bulk Update dialog box appears. It updates all the ACLs with the new version
of the template.

Step 13

Select all the rows in the Bulk Update dialog box and click Initiate Download.
The Job Download wizard appears.

Step 14

Schedule a download job (see Deploying the ACL on the Devices).


After a successful job download, open Template Manager and open the folder
Template Device Uses.
You will see that all the Template Device Uses are now displayed as true.
This is how changes to templates and their uses are tracked using ACL
Manager.
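The following Python is an added example, not code from this guide or from ACL Manager: it models a variable template, the per-partner instances that bind $<partners-network> to a network class, rendering of an instance into concrete ACEs, and what reconciling instances after a parent change does, covering both the instance-change case (the class is read when the instance is rendered) and the parent-change case above. The network classes, prefixes, and the extra partner-mgmt variable are constructed for the illustration.

```python
"""Added example (not ACL Manager code): variable template, instances bound to
network classes, rendering, and reconciliation after the parent changes."""
import re
from ipaddress import ip_network
from typing import Dict, List, Set

# Constructed network classes standing in for Frontier-network and Ganga-network.
NETWORK_CLASSES: Dict[str, List[str]] = {
    "Frontier-network": ["192.0.2.0/24"],
    "Ganga-network": ["198.51.100.0/25", "198.51.100.128/26"],
}

# The apac-partners template from this scenario; $<name> marks a variable element.
APAC_PARTNERS = [
    "permit tcp $<partners-network> any eq www",
    "permit tcp $<partners-network> any eq ftp",
    "permit tcp $<partners-network> any eq ftp-data",
    "permit icmp $<partners-network> any",
    "permit udp $<partners-network> any eq tftp",
    "deny ip any any log",
]

VARIABLE = re.compile(r"\$<([^>]+)>")


def variables_in(template: List[str]) -> Set[str]:
    """Every variable element named anywhere in the template."""
    return {name for ace in template for name in VARIABLE.findall(ace)}


def wildcard(prefix: str) -> str:
    """IOS ACEs take 'network wildcard'; the wildcard is the inverted subnet mask."""
    net = ip_network(prefix)
    return f"{net.network_address} {net.hostmask}"


class Instance:
    def __init__(self, name: str, parent: List[str], bindings: Dict[str, str]):
        self.name = name
        self.template = list(parent)    # ACEs copied from the parent template
        self.bindings = dict(bindings)  # variable name -> network class name

    def unassigned(self) -> Set[str]:
        return variables_in(self.template) - set(self.bindings)

    def render(self) -> List[str]:
        """Expand each variable ACE into one concrete ACE per network in its class.
        The class is read at render time, so a class edited after the instance was
        created (the Update Logical Entities case) shows up in the next download."""
        missing = self.unassigned()
        if missing:
            raise ValueError(f"{self.name}: no value for {sorted(missing)}")
        rendered: List[str] = []
        for ace in self.template:
            names = VARIABLE.findall(ace)
            if not names:
                rendered.append(ace)
                continue
            (name,) = names  # this scenario has one variable element per ACE
            for prefix in NETWORK_CLASSES[self.bindings[name]]:
                rendered.append(VARIABLE.sub(wildcard(prefix), ace))
        return rendered


def reconcile(parent: List[str], instances: List[Instance]) -> Dict[str, str]:
    """Copy the parent's ACEs into every instance. An instance can be checked in
    only when every variable it now contains has a value."""
    results: Dict[str, str] = {}
    for inst in instances:
        inst.template = list(parent)
        missing = inst.unassigned()
        results[inst.name] = ("checked in" if not missing
                              else f"needs values for {sorted(missing)}")
    return results


if __name__ == "__main__":
    frontier = Instance("Frontier-partner", APAC_PARTNERS, {"partners-network": "Frontier-network"})
    ganga = Instance("Ganga-partner", APAC_PARTNERS, {"partners-network": "Ganga-network"})
    print("\n".join(ganga.render()))
    # Parent gains the SNMP ACE from the scenario: no new variable, every instance syncs.
    with_snmp = APAC_PARTNERS[:-1] + ["permit udp $<partners-network> any eq snmp", APAC_PARTNERS[-1]]
    print(reconcile(with_snmp, [frontier, ganga]))
    # Parent gains an ACE with a new, constructed variable: check-in is blocked.
    with_mgmt = with_snmp[:-1] + ["permit tcp $<partner-mgmt> any eq 22", with_snmp[-1]]
    print(reconcile(with_mgmt, [frontier, ganga]))
```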

Using DNS Names in an ACE and Deploying Updated DNS-IP Mappings
Customers usually prefer using DNS names for a host rather than the IP address
because of the convenience this offers.
ACL Manager allows you to use DNS names in ACEs and resolves the DNS names to
IP addresses.
ACL Manager resolves the DNS names only at the time of download, so that the
current IP address is downloaded to the device.


If a DNS name does not resolve to an IP address at the time you include it in
an ACE, ACL Manager gives you the choice to keep the DNS name as it is, or to
proceed without using the DNS name.

Prerequisites
In this scenario, you will use the following ACL Manager tools and features:

ACE Editor (see the chapter Viewing and Editing ACLs in the User Guide
for ACL Manager).

ACL Downloader (see the chapter Scheduling and Downloading in the User
Guide for ACL Manager).

To use DNS names in an ACE and deploy updated DNS-IP mappings, follow these
steps:
Step 1

Use DNS names in an ACE (see Using DNS Names in an ACE).

Step 2

Deploy updated DNS-IP mappings (see Deploying Updated DNS Name - IP
Mappings).

Using DNS Names in an ACE


To use DNS names in an ACE:

Procedure
Step 1

From the ACL Manager Main Window, invoke the ACE Editor (see the chapter
Viewing and Editing ACLs in the User Guide for ACL Manager).

Step 2

In the ACE Editor, enter the required DNS names for the source address, the
destination address, or for both source and destination addresses.

Step 3

Complete the other fields as required.


Step 4

Click OK.

If the DNS name is not resolvable to an IP address, the following message is
displayed:
DNS name(s) in the source/destination is not resolvable.
Do you still want to continue?

If you click Yes, the ACE will contain the unresolvable DNS name.

If you click No, the ACE Editor window will continue to remain open. You
can fill the correct DNS name, and then click OK.

Note

You can also directly use a network class consisting of DNS names.

Step 5

Repeat Step 4 until you complete the task of providing DNS names in the ACEs.

Step 6

Check in the ACL.

Step 7

Click Tools > ACL Downloader from the ACL Manager Main Window.
The Select Changed Entities dialog box appears.

Step 8

Select the ACL to be downloaded to the device.

Step 9

Click Next.
The Select Job Options pane of the Job Download Wizard appears.
This pane has a group titled Unresolvable DNS Names, with two options:

Skip Unresolvable DNS Names: Select this option if you want ACL Manager to
skip those ACEs which contain unresolvable DNS names.
Use this option with caution: if you select it, the ACEs that contain
unresolvable DNS names will not go to the device at all.

Abort Download: Select this option (the default selection) to stop the
download if there are any unresolvable DNS names in the ACEs.

Step 10

Complete the other fields as required.

Step 11

Choose the Select Job Definition option.

Step 12

Click Next.
The Schedule Job pane of the wizard appears.

Step 13

Select the required options and click Next.


The Job Summary pane appears.

Step 14

Click Finish.
The job is created, and is downloaded at the scheduled time.

Deploying Updated DNS Name - IP Mappings


To deploy updated DNS name to IP mappings:

Procedure
Step 1

In the ACL Manager Main Window, select the ACL or the ACLs which you think
have DNS names for which the DNS name to IP mapping has changed.

Step 2

Right-click on the required ACL or ACLs and select Mark for Download.
A dialog box appears with the message:
The existing marks for the entities you have selected will be lost,
do you want to proceed?

Step 3

Select Yes, in the dialog box.


Another message appears:
Entities are successfully marked as NextRunUpdates marks.
You can either download these entities now or later by invoking Tools
> Pending Marks Browser.
Do you want to Download?

Step 4

Select Yes.
The Select Job Options panel appears.

Step 5

Select the required options, and click Next.


The Schedule Job pane appears.

Step 6

Select the required options and click Next.


The Job Summary pane appears.

Step 7

Click Finish.
The job is created and scheduled for download.


Step 8

To verify that the updated IP addresses have been downloaded, navigate to the Job
Browser (ACL Manager > Job Management > Job Browser).

Step 9

In the Job Browser, select the job that you have just created.
If the job status is Success, click Results.
The Job Results dialog box appears.

Step 10

Select the device on which you have downloaded the ACLs and click Device
Details.
The Device Results dialog box appears.
This dialog box shows the actual ACEs downloaded to the device. You will see
here that the updated IP addresses have been downloaded.
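The following Python is an added example, not code from this guide or from ACL Manager: it resolves DNS names in ACEs only when a download is built, applies the Skip Unresolvable DNS Names or Abort Download choice from the Select Job Options pane, and shows that re-running the download after a mapping changes sends the current address, which is the Deploying Updated DNS Name - IP Mappings case above. The ACEs, host names and resolver table are constructed; a real run would query DNS instead of the table.

```python
"""Added example (not ACL Manager code): download-time DNS resolution with the
skip / abort policy for unresolvable names."""
import re
from ipaddress import ip_address
from typing import Callable, Dict, List, Optional, Tuple

# Constructed ACL with DNS names in the host operands.
ACL = [
    "permit tcp host partner-gw.example.net any eq www",
    "permit tcp any host intranet.example.net eq 443",
    "deny tcp host decommissioned.example.net any eq 23",
    "deny ip any any log",
]

# Constructed stand-in for DNS; ACL Manager performs the lookup at download time.
DNS_TABLE: Dict[str, str] = {
    "partner-gw.example.net": "192.0.2.10",
    "intranet.example.net": "203.0.113.5",
}

HOST_OPERAND = re.compile(r"\bhost (\S+)")


class UnresolvableName(Exception):
    pass


def is_ip(token: str) -> bool:
    try:
        ip_address(token)
        return True
    except ValueError:
        return False


def resolve_ace(ace: str, lookup: Callable[[str], Optional[str]]) -> str:
    """Replace every 'host <dns-name>' with 'host <ip>' using the current mapping."""
    resolved = ace
    for name in HOST_OPERAND.findall(ace):
        if is_ip(name):
            continue
        ip = lookup(name)
        if ip is None:
            raise UnresolvableName(name)
        resolved = resolved.replace(f"host {name}", f"host {ip}")
    return resolved


def build_download(acl: List[str], lookup: Callable[[str], Optional[str]],
                   unresolvable: str = "abort") -> Tuple[List[str], List[str]]:
    """Return (ACEs to download, ACEs skipped). 'abort' is the wizard default;
    'skip' drops whole ACEs, and a dropped deny ACE loosens the policy that
    reaches the device, which is why the guide says to use skip with caution."""
    to_download: List[str] = []
    skipped: List[str] = []
    for ace in acl:
        try:
            to_download.append(resolve_ace(ace, lookup))
        except UnresolvableName as exc:
            if unresolvable == "abort":
                raise RuntimeError(f"download aborted: {exc} does not resolve") from exc
            skipped.append(ace)
    return to_download, skipped


def download_aborts(acl: List[str], lookup: Callable[[str], Optional[str]]) -> bool:
    """True when the default Abort Download setting would stop this download."""
    try:
        build_download(acl, lookup, "abort")
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    print(build_download(ACL, DNS_TABLE.get, "skip"))
    print("aborts with default policy:", download_aborts(ACL, DNS_TABLE.get))
    # Deploying an updated DNS-IP mapping is just another download: once the
    # mapping changes, rebuilding sends the new address to the device.
    DNS_TABLE["intranet.example.net"] = "203.0.113.6"
    print(build_download(ACL, DNS_TABLE.get, "skip"))
```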

INDEX

RATE LIMIT PRECEDENCE ACE


attributes 4-38

absolute time range definitions

source and destination addresses,


specifying 4-22, 4-23

creating 4-42
including periodic attributes in 4-46
access, controlling (see user roles) 9-1
ACE Editor dialog box buttons, using 4-25
ACEs (Access Control Entries)
adding
to a static template 6-6
to a variable template 6-8
associating with a time range 4-48
definition of 1-1
downloading 4-17
marking for 4-54
remark ACEs, making downloadable 4-17
time-based 4-51
editing 4-20

printing 4-55
reordering 4-19
saving
as ACE templates 4-38
as templates 4-38
time-based, downloading to a device 4-51
time ranges, associating with 4-48
validating 14-1
modified ACEs, validating 14-9
validation check on a logical entity,
performing 14-4
validation details, viewing 14-7
working with 4-10
comments, appending 4-14
comments, inserting 4-15

ACE Editor buttons, using 4-25

new ACE, appending 4-12

ICMP-type, specifying 4-24

new ACE, inserting 4-10

IP ACE attributes 4-26

template, inserting 4-12

IP Extended ACE attributes 4-28

ACE Validator function, launching 3-25

protocol, specifying 4-24

ACL Manager Device Selector, using 8-5

RATE LIMIT MAC ACE attributes 4-37

ACL Manager entities (see entities) 8-1


ACL Manager main window (see main


window) 3-13
ACL Manager roles (see user roles) 9-1
ACLs (Access Control Lists)
appending a comment to 4-14
associated with time ranges, viewing 4-49
changes to, working with 11-1
approval, enabling or disabling 11-14
change requests, processing 11-2
e-mail notification of changes 11-13
pending, viewing 11-3
processed, viewing 11-11
creating and using 7-1
ACL, verifying against a policy 7-4
by copying and pasting an existing 4-4
launch point for 3-4
new 4-2

launch point for 3-4


renaming 4-9
existing, viewing 4-6
optimizing 4-40, 16-1
ACL Optimizer, description 16-1
ACL Optimizer, using 16-4
Hits Optimizer, description 16-1
Hits Optimizer, using 16-7
time range definitions, working with 4-40
printing 4-55
saving as templates 4-9
uses 2-6
creating 4-6
definition of 1-2
modes and contexts 2-6
versioning 4-5
viewing 4-1

policies, creating 7-2


policy verification, mandating 7-10
role-based access for policies 7-1
templates, verifying against a policy 7-4
defining and using 2-1
attributes 2-2
creating 2-1
properties (use details) 2-4
uses (see ACL uses) 2-6
definition of 1-2
deleting 4-9
download, marking for 4-54
editing 4-1

ACL templates
comments to, appending 4-14
creating 3-4
defining and using 2-1
attributes 2-2
creating 2-1
definition of 1-2
editing 6-17
launch point for 3-4
template contents 6-17
template folders, creating and
inserting 6-18
viewing 3-4


administrative tools, launch point for 3-4

checking entities in 10-10

appending

specific versions 10-9

a comment to an ACL or ACL template 4-14


a new ACE to a current list 4-12
Approver Group Mapping report,
generating 17-8
Approver privilege level
overview 1-9
tasks associated with 1-10
assigning device groups to tasks
open group option 9-35
procedure 9-31
audience for this document xvii

undoing checkout 10-9


CiscoWorks
adding
devices to 9-3
users with Network Administrator
privileges to 9-3
Job Resource Manager, interaction with Job
Browser 15-32
Class Manager
class folders, creating and inserting 5-4
description of 5-1
editors 5-2
Network Class Editor 5-2

Network Class Entry Editor 5-2

branch versions, merging with main line


versions 10-12

Network Editor 5-2


Service Class Entry Editor 5-2
Service Editor 5-2
example, creating a complex ACL 5-23

identifying

cancelling pending download jobs 15-34

class uses 5-14

cautions

devices that use classes 5-14

significance of xviii

invalid class uses, handling 5-21

change approval, disabling 11-14

invoking 5-3

change approval reports, generating 17-3

launching 3-24

Approver Group Mapping for Devices


report 17-8
Change Approval Status report 17-3
checking out ACL Manager entities

master version of a class, marking 5-13


network classes
creating 5-10
editing 5-13


using 5-8
workflow for using 5-9
overview 1-8
service classes
creating 5-6
editing 5-8
managing
services and service classes, managing

services classes
using 5-5
workflow for using 5-5
services, managing 5-5
toolbar, using 5-4

time-based ACEs to expire 4-51


automatically 4-51
manually 4-51
time zones on devices 4-50
creating
ACLs
by copying and pasting an existing 4-4
launch point for 3-4
new 4-2
ACL templates 3-4
device groups 9-17
network classes, using Class Manager 5-10
networks and network classes, launch point
for 3-4

using 5-1
class uses
devices that use, identifying 5-14

networks and network classes, launch points


for 3-4

handling invalid 5-21

service classes, using Class Manager 5-6

identifying 5-14

services and service classes, launch point


for 3-4

comments
appending to an ACL or template 4-14
inserting after an ACE 4-15
comparing

services and service classes, launch points


for 3-4
time range definitions
absolute and periodic 4-46

an ACL Manager entity with its latest


version 10-25
two versions of an ACL Manager entity 10-26
configuration changes to ACLs or ACL uses,
viewing 4-40
configuring

absolute only 4-42


configuring time zones on a device 4-50
periodic only 4-44
Time Range Editor, using 4-42
user groups 9-4

ACL Manager 3-2


e-mail notification of changed time-range
states 4-52

D
deleting
    ACLs 4-9
    device groups 9-25
    templates 6-29
    user groups 9-12
device configurations, importing 13-1
    File Import command line tool
        usage example 13-14
        using 13-12
    imported entities, pasting onto a device 13-10
        ACEs and comments 13-11
        ACEs as templates 13-12
        ACLs 13-10
    import summary, viewing 13-2
    uploading the configuration 13-2
        Config Editor, using 13-8
        file browser, using 13-7
device groups, managing 9-16
    (see also user roles) 9-16
    CiscoWorks, adding to 9-3
    creating 9-17
    deleting 9-25
    modifying 9-21
    tasks, assigning device groups to 9-31
    viewing all 9-28
devices
    (see also device configurations, importing) 13-1
    adding to CiscoWorks 9-3
    configuration changes, verifying 3-33
    configuring time zones on 4-50
    Devices folder, deleting from 3-11
    Devices folder, working in 3-16
    downloading to 3-36
        selecting for 15-6
        time-based ACEs 4-51
        verifying 3-36
    hit counters, resetting 16-11
    identifying devices that use classes 5-14
        network classes 5-18
        service classes 5-15
    state icons, interpreting and using 3-25
    support for in ACL Manager 3-54
    that use an ACL template, identifying 6-20
    viewing time range associated ACLs on 4-49
    views
        definition of 1-2
        opening 3-12
        saving 3-11
Diff Viewer
    launching 3-25
    overview 1-9
    using 4-40
disabling change approval 11-14
documentation
    additional online xxiii

    obtaining xxiii
    related xxi
    typographical conventions used in xviii
    updated xix
Downloader
    launching 3-24
    overview 1-9
downloading (see scheduling and downloading) 15-1, 5
DUs (Device Uses)
    network class, identifying 5-18
    service class, identifying 5-15

E
editing
    ACEs 4-20
        ACE Editor buttons, using 4-25
        ICMP-type, specifying 4-24
        IP ACE attributes 4-26
        IP Extended ACE attributes 4-28
        protocol, specifying 4-24
        RATE LIMIT MAC ACE attributes 4-37
        RATE LIMIT PRECEDENCE ACE attributes 4-38
        source and destination addresses and ports, specifying 4-22, 4-23
    ACLs 4-7
    ACL templates 6-17
        contents 6-17
        launch point for 3-4
        template folders, creating and inserting 6-18
    device groups 9-21
    IP VACE attributes for VACLs
        advanced 4-62
        general 4-58
        other 4-65
    MAC VACE attributes for VACLs 4-66
    network classes, using Class Manager 5-13
    service classes, using Class Manager 5-8
    time range definitions 4-47
    user groups 9-8
    VACEs 4-57
        IP VACE attributes 4-57
        MAC VACE attributes 4-66
e-mail notifications
    of processed ACL-related changes 11-13
    of time range state changes 4-52
        configuring 4-52
        formats for 4-53
enabling change approval 11-14
entities 8-1
    replacing 8-15
        check out, undoing 8-18
        Standard Replace context GUI, using 8-19
    searching for 8-2
        ACL Manager Device Selector, using 8-5
        search attributes list 8-9
        search filter, forming 8-6

        Search Results pane 8-4
        Standard Search context GUI, using 8-13
        Template Folder Browser, using 8-6
entity, definition of 1-2
error messages 18-2

F
Find feature, using 3-17
formats for time-range state change e-mails 4-53

G
generating reports 17-1
    change approval reports 17-3
        Approver Group Mapping for Devices report 17-8
        Change Approval Status report 17-3
        OOB Changes report 17-5
    role-based access control reports 17-7
        My Authorized Tasks report 17-9
        My User Group Membership report 17-12
        Task Mapping of User Group to Device Group report 17-11
        User Groups Membership report 17-13
    time range reports
        Time Range Events in Selected Time Frame report 17-2
        Time Range Status report 17-3
Getting Hits from Device function, launching 3-25
getting started with ACL Manager 3-1

H
Help Desk privilege level, overview 1-9
hit counters, resetting 16-11
Hits Optimizer
    launching 3-25
    overview 1-9

I
Imported Entities folder, working with 3-16
inserting
    class folders 5-4
    comments after an ACE 4-15
    new ACEs 4-10
    template folders 6-18
    templates 4-12
invalid class uses, handling 5-21
invalid template device uses, handling 6-22
IOS ACL, definition of 1-2
IP ACE attributes of ACEs, editing 4-26
IP Extended ACE attributes, editing 4-28
    advanced attributes 4-31
    general attributes 4-28
    other attributes 4-34

IP VACE attributes, editing 4-57
    advanced 4-62
    general 4-58
    other 4-65

J
Job Browser
    CiscoWorks, and 15-32
    Job Resource Manager, integrating with 15-32
    launching 3-24
    overview 1-8
    scheduling downloads using 15-32
Job Download Wizard (see scheduling and downloading) 15-14
Jobs Management, launch point for 3-4

K
keyboard shortcuts 3-29
    from the main window 3-29
    in ACL Manager dialog boxes
        in Solaris 3-31
        in Windows 3-31

L
logical entities for ACLs and templates, updating 6-26
logical view, definition of 1-3

M
MAC VACE attributes for VACLs, editing 4-66
main line versions, merging with branch versions 10-12
main window
    (see also main window menu reference) 3-17
    device state icons, interpreting and using 3-25
    Find feature, using 3-17
    grayed out, troubleshooting 18-1
    menus (see main window menu reference) 3-17
    navigating in 3-13
        Devices folder 3-16
        Imported Entities folder 3-16
        My Changes folder 3-15
        Out-of-Band Changes folder 3-17
    toolbar icons, descriptions 3-27
main window menu reference 3-17
    ACL 3-22
        Diff/Merge with Out-of-Band Changes 3-22
        Mark All Comments 3-22
        Mark for Download 3-23
        New ACE 3-22
        New ACL 3-22
        New Comment 3-22

        New Include Template 3-22
        New Object Group 3-22
        New Time Range 3-22
        Reject Out-of-Band Changes 3-23
        Show All Changes 3-22
        Show Out-of-Band Changes 3-22
        Unmark All Comments 3-22
    Edit 3-20
        Apply Template 3-20
        Copy 3-20
        Cut 3-20
        Edit 3-20
        Find 3-20
        Go to ACL 3-21
        Include Template 3-20
        Insert ACE 3-20
        Insert ACL 3-20
        Insert Comment 3-21
        Insert Time Range 3-21
        Move ACE Down 3-20
        Paste 3-20
        Replace 3-20
        Show Associated ACLs 3-21
        Use ACL 3-20
    File 3-18
        Add Device(s) 3-18
        Check for Out of Band 3-18
        Exit 3-19
        Explore 3-18
        Import 3-19
        Open Device View 3-18
        Print 3-19
        Save ACE As 3-18
        Save ACL As 3-18
        Save As Device View 3-18
    Tools 3-24
        ACL Downloader 3-24
        Mark Changes for Download 3-24
        Use Wizard 3-24
    Versioning 3-23
        Check In 3-23
        Check Out 3-23
        Compare with Latest Version 3-24
        Get Baseline Version 3-23
        Get Latest Version 3-23
        History 3-24
        Show Changes 3-23
        Undo Check Out 3-23
        Version Details 3-24
        Version Graph 3-24
    View 3-21
        Go to Line 3-21
        Left Pane 3-21
        Logical View 3-21
        Physical View 3-21
        Properties 3-21
        Show/Hide Line Numbers 3-21
marking

    changes for a download 15-27
    master version of a class 5-13
    master versions of templates or instances 6-15
master versions
    of a class, marking 5-13
    of templates or instances, marking 6-15
menus (see main window menu reference) 3-17
merging an ACL branch with a main line version 10-12
My Authorized Tasks report, generating 17-9
My Changes folder, working with 3-15
My User Group Membership report, generating 17-12

N
Name attribute of an ACL, defining 2-3
Network Administrator privilege level
    adding users as Network Administrators in CiscoWorks 9-3
    overview 1-9
    tasks associated with 1-10
network classes, managing
    Class Manager editors, using 5-2
    creating 5-10
    editing 5-13
    identifying devices that use 5-18
    Network Class Editor, using 5-2
    Network Class Entry Editor, using 5-2
    using 5-8
    workflow 5-9
Network Operator privilege level
    overview 1-9
    tasks associated with 1-10
Number attribute of an ACL, defining 2-3

O
object groups, creating for PIX ACLs 4-68
OOB (out-of-band) changes to device configurations, managing 3-37
    devices, checking for changes on 3-37
    change report, viewing 3-39
    Diff/Merge 3-50
    resolving 3-41
        based on type 3-44
        workflow for 3-42
OOB change, definition of 1-3
OOB Changes report, generating 17-5
Optimizer
    launching 3-24
    overview 1-9
optimizing
    ACLs 16-1
        ACL Optimizer, using 16-4
        ACL Optimizer and Hits Optimizer, descriptions of 16-1
        device hit counters, resetting 16-11
        Hits Optimizer, using 16-7

    time range definitions 4-52
Out-of-Band (OOB) Changes folder, working in 3-17
out-of-band change handling, launch point for 3-4
out-of-band change listing, launch point for 3-4
overview 1-1
    privilege levels 1-9
        tasks, and 1-10
    terms and definitions 1-1
    tools for ACL development 1-8
        Class Manager 1-8
        Diff Viewer 1-9
        Downloader 1-9
        Hits Optimizer 1-9
        Job Browser 1-8
        Optimizer 1-9
        Template Manager 1-8
        Template Use Wizard 1-8
    what ACL Manager is 1-4
        benefits 1-5
        components 1-4
        product functionality 1-7

P
Pending Marks Browser, launching 3-24
periodic time range definitions, creating 4-44
physical view, definition of 1-3
PIX ACLs
    creating object groups for 4-68
    definition of 1-3
policies
    creating 7-2
    verification of, m mandating 7-10
    verifying an ACL or template against 7-4
printing
    ACEs 4-55
    ACLs 4-55
    objects and object contents 3-32
purging old download jobs 15-34

R
RATE LIMIT MAC ACE attributes, editing 4-37
RATE LIMIT PRECEDENCE ACE attributes, editing 4-38
reconciling instances of a changed variable template 6-12
renaming ACLs 4-9
reordering ACEs 4-19
reports, generating 17-1
    change approval reports 17-3
        Approver Group Mapping for Devices report 17-8
        Change Approval Status report 17-3
        OOB Changes report 17-5
    launch point for 3-4
    role-based access control reports 17-7

        My Authorized Tasks report 17-9
        My User Group Membership report 17-12
        Task Mapping report 17-11
        User Groups Membership report 17-13
    time range reports
        Time Range Events in Selected Time Frame report 17-2
        Time Range Status report 17-3
remark ACEs, making downloadable 4-17
rescheduling downloads 15-33
resetting device hit counters 16-11
RME, setting up 3-2
role-based access control reports, generating 17-7
    My Task Mapping report 17-9
    My User Group Membership report 17-12
    Task Mapping of User Group to Device Group report 17-11
    User Groups Membership report 17-13
roles (see user roles) 9-1
router ACL (IOS ACL), definition of 1-2

S
saving
    ACEs as ACE templates 4-38
    ACLs as templates 4-9
scheduling and downloading 15-1, 5
    ACEs, downloading 4-17
    actions to take if your download fails 15-35
    canceling pending download jobs 15-34
    changes, marking for download 15-27
    Job Browser, scheduling downloads using 15-32
    job management integration 15-32
    job status, browsing and viewing 15-20
    marking, and
        ACEs, marking for download 4-54
        pending marks, viewing 15-30
    purging old jobs 15-34
    rescheduling downloads 15-33
    scheduling downloads 15-3
        devices and changed entities, selecting 15-6
        job and job options, defining 15-9
        Job Download Wizard, scheduling through 15-14
        job summary, viewing 15-17
    verifying device change downloads 3-36
search filters for entities, forming 8-6
    operators 8-7
    regular expressions 8-7
service classes
    creating 5-6
    definition of 1-3
    editing 5-8
    identifying devices that use 5-15
    Service Class Editor, using 5-2
services and service classes, managing 5-5
    Class Manager editors 5-2

    services
        definition of 1-3
        Service Editor, using 5-2
    workflow 5-5
starting
    ACL Manager 3-8
        devices, deleting from Devices folder 3-11
        devices folder, populating 3-9
        device view, opening 3-12
        device view, saving 3-11
        Find feature, using 3-17
        main window, navigating in 3-13
    Class Manager 5-3
        class folders, creating and inserting 5-4
        toolbar, using 5-4
    Template Manager 6-2
static templates
    creating 6-6
    defining 6-3
    workflow for 6-4
System Administrator privilege level, overview 1-9

T
Task Mapping of User Group to Device Group report, generating 17-11
tasks, managing 9-29
    assigning tasks to device groups 9-31
    relationships among tasks 9-30
Telnet troubleshooting
    could not get device prompt 18-3
    credentials not matched on download attempt 18-3
Template Folder Browser, using 8-6
Template Include ACE, definition of 1-3
Template Manager, using 6-1
    creating templates 6-6
        reconciling instances of a changed variable template 6-12
        static templates, adding ACEs to 6-6
        variable template, adding ACEs to 6-8
        variable template instance, assigning values 6-10
    deleting templates 6-29
    editing an existing template 6-17
        contents 6-17
        template folders, creating and inserting 6-18
    identifying devices that use an ACL template 6-20
    including another template within a template 6-14
    invalid template device uses, handling 6-22
    launching 3-24
    logical entities, updating 6-26
    marking a master version of a template or instance 6-15
    overview 1-8
    starting 6-2
    static templates and variable templates, defining 6-3

    template ACE, saving as new template 6-27
    template device use summary, viewing 6-28
    template nested uses, handling 6-22
    troubleshooting templates 18-1
    using a template in an ACL 6-19
Template Use wizard, selecting a template with 12-15
terms and definitions 1-1
TFTP download failed, troubleshooting 18-3
time range definitions, using 4-40
    (see also time ranges) 4-48
    associating an ACE with a time range 4-48
    configuring a time zone on a device 4-50
    configuring time-based ACEs to expire 4-51
        automatically 4-51
        manually 4-51
    creating 4-42
        absolute 4-42
        absolute and periodic 4-46
        periodic 4-44
    downloading time-based ACEs to a device 4-51
    editing 4-47
    e-mail notifications related to time ranges 4-52
    versioning definitions 4-41
    viewing ACLs associated with time ranges 4-49
time range reports, generating
    Time Range Events in Selected Time Frame report, generating 17-2
    Time Range Status report, generating 17-3
time ranges
    associating an ACE with 4-48
    e-mail notification of changes, configuring 4-52
    time zones, configuring on devices 4-50
    time-based ACEs, downloading to a device 4-51
toolbars
    Class Manager 5-4
    Template Manager 6-3
    main window 3-27
troubleshooting 18-1
    download jobs 15-35
    error messages, interpreting 18-2
troubleshooting ACL Manager
    main window grayed out 18-1
    Telnet could not get device prompt 18-3
    Telnet credentials not matched 18-3
    template not visible in Template Selection window 18-1
    TFTP download failed 18-3
Type attribute of an ACL, defining 2-3
typographical conventions in this document xviii

U
updating logical entities for ACLs and templates
    procedure 6-26

Update Logical Entities function, launching 3-25
user groups, managing 9-4
    creating 9-4
    deleting 9-12
    modifying 9-8
    Network Administrators, adding 9-3
    User Groups Membership report, generating 17-13
    viewing all 9-15
user roles 9-1
    device groups, managing 9-16
        creating 9-17
        deleting 9-25
        modifying 9-21
        viewing all 9-28
    devices, adding to CiscoWorks 9-3
    populating role-based data 9-2
    tasks, managing 9-29
        device groups, assigning to tasks 9-31
        relationships among tasks 9-30
uses 2-6
    creating 4-6
    definition of 1-2
    modes and definitions 2-6
Use wizard, using 12-1
    ACL template, applying to multiple devices 12-20
        devices, selecting 12-21
        results, displaying 12-22
        template, selecting 12-20
    ACL template, applying to a specific device 12-14
        results, displaying 12-18
        selecting a device 12-16
        selecting a template 12-15
    ACL uses, applying to multiple devices 12-24
        interfaces, selecting 12-25
        lines, selecting 12-27
        results, displaying 12-33
        SNMP community settings, selecting 12-29
        VLANs, selecting 12-31
    defining ACL uses
        through the main window 12-1
        through the wizard 12-2
            elements, selecting 12-4
                interfaces 12-4
                lines 12-6
                SNMP community settings 12-8
                VLANs 12-10
            results, displaying 12-12
            summary, completing 12-11

V
VACLs (VLAN Access Lists)
    definition of 1-3
    managing 4-55
    VACEs, editing 4-57

        IP VACE attributes 4-57
        MAC VACE attributes 4-66
validating
    ACEs 14-1
        details, viewing 14-7
        modified ACEs 14-9
        validation check on a logical entity 14-4
    ACLs 4-5
    time range definitions 4-41
variable templates
    defining 6-3
    reconciling instances of a changed 6-12
    workflow for 6-5
verifying
    ACLs or templates against a policy 7-4
    device configuration changes 3-33
    download success 3-36
    Verify Policy function, launching 3-25
Version attribute of an ACL, defining 2-4
versioning
    ACL Manager entities 10-1
    checking out entities 10-7
    comparing an entity with its latest version 10-25
    comparing two versions of an entity 10-26
    details of a specific version, viewing 10-29
    history, viewing 10-30
    latest version of an entity, obtaining 10-5
    merging an ACL branch with a main line version 10-12
    specific version of an entity, obtaining 10-6
    version details, viewing 10-27
    Version Diff Viewer, using 10-32
    version indicators 10-5
    viewing versioning history 10-23
    workflow 10-3
viewing
    ACE validation details 14-7
    ACLs 4-1
        associated with time ranges on a device 4-49
        configuration changes in 4-40
        on a particular device 4-6
    ACL templates, launch point for 3-4
    ACL uses, configuration changes in 4-40
    details
        of a change request 11-8
        of a specific version of an ACL Manager entity 10-29
    device groups, all 9-28
    download jobs
        status and results 15-20
        summaries 15-17
    pending ACL-related change requests 11-3
    pending marks for changed entities prior to downloads 15-30
    processed ACL-related changes 11-11
    template device use summary 6-28
    user groups, all 9-15
    Use wizard results 12-12

W
workflows
    complete 3-32
    for defining templates 6-4
        static 6-4
        variable 6-5
    for downloading changes to devices 3-36
    for managing out-of-band changes 3-37
    for verifying device configuration changes 3-33
    for verifying downloads of device changes 3-36
    for versioning ACL Manager entities 10-3