Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7816005=
Text Part Number: 78-16005-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks
of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet,
ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo,
Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel,
EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys,
MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar,
ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient,
TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (0402R)
User Guide for ACL Manager
Copyright 2004 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface xvii
Audience xvii
Conventions xviii
Product Documentation xix
Related Documentation xxi
Additional Information Online xxiii
Obtaining Documentation xxiii
Cisco.com xxiii
Ordering Documentation xxiv
Documentation Feedback xxiv
Obtaining Technical Assistance xxiv
Cisco TAC Website xxv
Opening a TAC Case xxv
TAC Case Priority Definitions xxvi
Obtaining Additional Publications and Information xxvi
Operators 8-7
List of Search Attributes 8-9
Using the Standard Search Context GUI 8-13
Replacing Entities 8-15
Undoing a Check Out 8-18
Using the Standard Replace Context GUI 8-19
Preface
User Guide for ACL Manager describes how to use the Access Control List
(ACL) Manager, a software tool for the management of access control lists on
Cisco routers, Catalyst switches, and PIX devices.
This preface describes who should read User Guide for ACL Manager and
outlines the document conventions used in this manual.
Audience
This publication is written for network operators, network administrators, and
system administrators. To use the ACL Manager application, you should have a
basic understanding of the operation, management, and configuration of your
network. You should understand the basic ACL structure and configuration and
the concept of network and service definitions.
Conventions
This document uses the following conventions:
Font conventions: boldface font, italic font, screen font, italic screen font, boldface screen font.
Note
Caution: Means reader be careful. In this situation, you might do something that could
result in equipment damage or loss of data.
Product Documentation
Table 1 Product Documentation
Document Title: Release Notes for ACL Manager 1.6
Available Formats: On Cisco.com:
  a. Log into Cisco.com.
  b. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/aclm_1_x/1_6/index.htm
Document Title: Installation Guide for ACL Manager
Available Formats: On Cisco.com:
  a. Log into Cisco.com.
  b. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/aclm_1_x/1_6/index.htm
Document Title: User Guide for ACL Manager
Available Formats: On Cisco.com:
  a. Log into Cisco.com.
  b. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/aclm_1_x/1_6/index.htm
Related Documentation
Table 2 Related Documentation
Document Title: Installation and Setup Guide for CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Solaris
Available Formats: On Cisco.com:
  1. Log into Cisco.com.
  2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm
Document Title: Installation and Setup Guide for CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Windows
Available Formats: On Cisco.com:
  1. Log into Cisco.com.
  2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm
Document Title: CiscoWorks Common Services User Guide 2.2
Available Formats: On Cisco.com:
  1. Log into Cisco.com.
  2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm
Further related documents (titles not recovered) are available on Cisco.com after you log in, at:
  http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm
  http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm
1. CiscoView 5.5 and Package Support Updater information in this document is not applicable to the ACL Manager 1.6 release.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco
also provides several ways to obtain technical assistance and other technical
resources. These sections explain how to obtain technical information from Cisco
Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at
this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
Registered Cisco.com users (Cisco direct customers) can order Cisco product
documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/index.shtml
Documentation Feedback
You can submit e-mail comments about technical documentation to
bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front
cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Additional Publications and Information
Packet magazine is the Cisco quarterly publication that provides the latest
networking trends, technology breakthroughs, and Cisco products and
solutions to help industry professionals get the most from their networking
investment. Included are networking deployment and troubleshooting tips,
configuration examples, customer case studies, tutorials and training,
certification information, and links to numerous in-depth online resources.
You can access Packet magazine at this URL:
http://www.cisco.com/packet
CHAPTER 1
Access Control List (ACL, ACL Definition): An Access Control List (ACL)
consists of one or more Access Control Entries (ACEs) that collectively define the
network traffic profile. This profile can then be referenced by IOS, Catalyst OS,
or PIX OS features such as traffic filtering, priority or custom queuing, dynamic
access control, encryption, Telnet access, and so on.
The generic term ACL refers to IOS ACLs, VLAN ACLs, and PIX ACLs.
Wherever the term VACL is used, it applies only to VLAN ACL. Wherever the
term IOS ACL is used, it applies only to Router ACL. Wherever the term PIX ACL
is used, it applies only to an ACL on a PIX device.
ACL Manager Entity: A generic term used in ACL Manager for ACEs, ACLs,
ACL Uses, Time Ranges, Templates, Networks, Network Classes, Services and
Service Classes.
ACL Template (Template): A named set of ACEs. Templates can be inserted into
ACLs (see Template Include ACE on page 1-3). Templates can include other
templates.
ACL Use: ACL Use statements in a device configuration utilize or reference an
ACL for some purpose. There are over 50 possible purposes, which include, for
example: IP packet filtering, line access, traffic shaping, IP multicast rate
limiting, SNMP server, and so on.
ACL Use Modes and Contexts: ACLs can be used in various IOS configuration
modes: global, router, route-map, crypto-map, line, and interface.
Except for global, the configuration modes have named contexts within which
ACL Use statements can be created in IOS. The contexts for line mode are the
actual vtys (for example, console, vty 0, vty 1, and so on). The contexts for
interface mode are interface names (for example, Serial 0, Ethernet 0,
TokenRing 0, and so on).
ACL Manager allows you to create Use statements only for line, interface and
global modes. ACL Manager allows you to apply these statements only for line
access, packet filtering, and SNMP server access controls. VACLs can be used
only for packet filtering and redirection on VLANs. For VACL Uses, the mode is
VLAN and the contexts are the VLANs defined on the switch.
Device View: A set of devices grouped according to common attributes or
user-defined characteristics. You can use views to monitor groups of devices.
IOS ACLs: Also known as Router ACLs. They are used in routers for packet
filtering on interfaces, line access, SNMP access, route maps, and other purposes.
Using ACL Manager, you can create ACL uses for traffic filtering, line access, and
SNMP server access. Although you cannot create all types of ACL uses,
ACL Manager recognizes and tracks all existing types of ACL uses (such as
router, route-map, and crypto-map). This means that if you rename an ACL that
is referenced in uses other than traffic filtering or line access, the use statement is
updated with the new ACL name.
ACL Manager allows comments to be associated with an ACL or ACE, so that you
can audit and track the changes on an ACL or ACE.
Provides a uniform interface that insulates the user from any differences in
ACL features for the supported IOS, Catalyst OS, and PIX OS versions.
Enables controlling and tracking of all changes made to ACLs, ACL uses,
templates, and so on.
Allows monitoring of the system by logging all the changes made during a
user session.
Enables easy access to information about devices and the changes made to
them, through the reports generation feature.
Is integrated with Resource Manager Essentials and uses the Config Archive,
Inventory, Change Audit Service, and Transport facilities.
Provides a browser-based GUI and integrates the task flow with the Resource
Manager Essentials GUI.
Allows you to fully exploit the ACL features in IOS, Catalyst OS, and PIX OS.
Allows novice operators to safely deploy complex ACLs that were set up
previously, through flexible templates. Templates also allow users to establish
policies and to standardize on ACL uses.
Enables you to perform a check for the validity of ACEs within an ACL,
VACL, or a template.
Permits the use of Domain Name System (DNS) names in ACE source and
destination fields. ACL Manager automatically performs a DNS look-up
and converts these fields to the appropriate IP addresses.
Identifying when an ACL was last modified and applied (Other Attributes
in Chapter 2).
Navigating around devices to see which ACLs are defined and where they are
used; even ACL Uses that are not supported for creation by ACL Manager
are listed (Viewing Existing ACLs in Chapter 4).
Creating an alias for an ACL and using it in a device where named ACLs
are not supported (Editing ACLs in Chapter 4).
Creating and editing templates (Using the Template Manager in Chapter 6).
Use Wizard and its variants: Enable you to define ACL uses (see
Chapter 12, ACL Manager Use Wizard).
Directory: Description
HD: Help Desk
AP: Approver
NO: Network Operator
NA: Network Administrator
SA: System Administrator
ACL Manager tasks require various privilege levels, and your ability to perform
these tasks depends on your assigned privilege level. You should contact your
system administrator to find out your privilege level and which tasks you can
access.
ACL Manager tasks are usually performed with network operator or network
administrator privileges. You can view the tasks that can be performed at each
level by going to the CiscoWorks desktop and selecting
Server Configuration > Setup > Security > Permission Reports.
Tasks by privilege level (Approver, Network Administrator columns): View ACLs; Schedule Downloads.
CHAPTER 2
ACL Uses
Using the cut, copy, and paste features; by cutting or copying ACLs or ACEs
from one device or ACL and then pasting them to other devices or ACLs.
Using the import feature to import ACLs. ACL Manager allows you to import
Cisco device configurations that conform to the IOS, Catalyst OS and PIX
formats, from an external source.
Using the Template Manager in the same way that you create an ACL using
the Template Editor and the ACE Editor.
ACL attributes: Name/Number, Version, Type.
After you start ACL Manager (see Chapter 3, Getting Started), you can use the
following procedure to view the ACL definitions for a particular device.
To view ACLs and their attributes:
Procedure
Step 1
Step 2
Figure 2-1
ACL Type: Range
IP Standard: 1 to 99
IP Extended: 100 to 199
Rate Limit (Precedence)
Named ACLs are not supported on some versions of device IOS. In that case,
the ACL name is shown with an automatically generated number appended to the
name and enclosed in parentheses.
For Rate Limit ACLs, ACL Manager distinguishes the ACL from a standard IP
ACL by appending the string rate-limit to the number.
Other Attributes
Besides the Name/Number and Type attributes, the ACL Manager Main Window
also displays the Version attribute. The Version column shows the version of
each ACL in the ACL Definitions folder and its state, that is, whether the ACL
is checked in, checked out, and so on.
ACL Use attributes: Use Context, IOS/Catalyst OS Command, Description.
After you start ACL Manager (see Chapter 3, Getting Started), follow this
procedure to view the ACL properties for a particular device.
Procedure
Step 1
Step 2
Step 3
Tip
You can also view the properties by selecting the ACL to be examined and then
selecting the toolbar button or View > Properties from the ACL Manager Main
Menu.
ACL Uses
You can define ACL Uses for line access, packet filtering, SNMP community
access, SNMP TFTP server, and VLAN packet filtering.
You can view ACL Uses of other types, such as router, route-map, and crypto-map
using ACL Manager.
ACL Use modes: Global, Router, Route Map, Crypto Map, Line, Interface, VLAN.
Use this procedure to view ACL Use information for a particular device:
Procedure
Step 1
Expand the Devices folder in the ACL Manager Main Window, select the device,
then expand ACL Uses.
Step 2
Step 3
ACL Use attributes: ACLs, IOS Command, Description.
CHAPTER 3
Getting Started
ACL Manager provides you with a launch point for performing many of the tasks
involved with ACL management.
These topics describe how to get started with ACL Manager:
Printing
Note
ACL Manager server has been installed on a server machine with RME
already installed (see Setting Up Resource Manager Essentials).
The RME Inventory application has been updated with device information for
those devices whose ACLs you intend to manage with ACL Manager.
Enable the Role-based Access Control feature, if required. (For details about
how to enable this feature, see the Installation Guide for ACL Manager).
We strongly recommend that you become familiar with the discussion of ACL
Terms and Definitions in Chapter 1 before proceeding further.
Procedure
Step 1
Step 2
Step 3
Ensure that Java, JavaScript, and Accept all cookies are enabled in your browser
settings.
If these settings are not enabled, you will not be able to log in to RME.
ACL Manager Functions
ACL Manager
Edit ACLs
Out-of-Band Changes
Job Management
Administration
Table 3-1 describes each task, the associated tool, and the launch point from the
ACL Manager drawer on the CiscoWorks desktop:
Table 3-1 (Task column not recovered except for the last row)
Tool: ACL Manager; Launch point: Edit ACLs
Tool: Class Manager; Launch point: ACL Manager
Tool: ACL Manager; Launch point: Out-of-Band Changes
Tool: ACL Manager; Launch point: Edit ACLs
Tool: ACL Manager; Launch point: Job Management
Tool: ACL Manager; Launch point: ACL Manager
Task: Administering ACL Manager (resetting the hit counter). If Role-based Access Control and Change Approval have been enabled, the administrative tasks associated with these features also appear here. Tool: ACL Manager; Launch point: Administration
Table 3-2 describes the subtasks, and the launch points, from the ACL Manager
drawer on the CiscoWorks desktop:
Table 3-2
Subtask: Viewing changed entities that are marked for downloading, scheduling downloads of marked entities. Navigation Path: ACL Manager > Job Management > Pending Marks Browser
Subtask: Generating Time Range Changes report. Navigation Path: (not recovered)
Table 3-3 provides the launch points for the Role-based Administration task and
its subtasks, from the ACL Manager drawer on the CiscoWorks desktop.
Note
These tasks and sub-tasks appear within the ACL Manager drawer only if you
have enabled Role-based Access Control at the time of installing ACL Manager.
To enable Role-based Access Control, see the Installation Guide for ACL
Manager.
Table 3-3 Role-based Administration
Navigation Path: ACL Manager > Administration > User Management > Create User Group
Navigation Path: ACL Manager > Administration > User Management > Delete User Group
Navigation Path: ACL Manager > Administration > User Management > Show All User Groups
Navigation Path: ACL Manager > Administration > Device Management > Show All Device Groups
Table 3-4 provides the launch points for the Change Approval task and its
subtasks, from the ACL Manager drawer on the CiscoWorks desktop.
Note
These tasks and sub-tasks appear within the ACL Manager drawer only if you
have enabled Change Approval at the time of installing ACL Manager.
To enable Change Approval, see the Installation Guide for ACL Manager.
Table 3-4 Change Approval navigation paths
Table 3-5 provides the launch points for the Reports for Change Approval and
Role-Based Access Control, from the ACL Manager drawer on the CiscoWorks
desktop.
Note
These ACL Manager Reports appear within the ACL Manager drawer only if you
have enabled Role-based Access Control or Change Approval at the time of
installing ACL Manager.
To enable Role-based Access Control or Change Approval, see the Installation
Guide for ACL Manager.
Table 3-5
Task: Generating Change Approval Status report. Navigation Path: ACL Manager > ACL Manager Reports > Change Approval Status
Task: Generating Task Mapping report. Navigation Path: ACL Manager > ACL Manager Reports > Task Mapping
Task: Generating My User Group Membership report. Navigation Path: ACL Manager > ACL Manager Reports > User Group Membership
Procedure
Step 1
Note
In some browser versions, you will get a security warning asking for
permission to install and execute some code from Cisco Systems. Select
Yes to proceed.
The ACL Manager Main Window is a central point within ACL Manager for
managing ACL Manager entities such as ACLs, time ranges, ACL uses, object
groups, etc. You can also store imported entities, view and manage your specific
changes to ACL Manager entities, and resolve Out-of-Band changes. For more
information see Navigating in the ACL Manager Main Window.
Step 2
Step 3
Right-click on the Devices folder and select Add Device(s) from the pop-up
menu. For more information, see Populating the Devices Folder.
The Device Selector dialog box appears.
Step 4
Select a device view from the Views column, for example, All Devices.
The devices corresponding to the selected view appear in the Devices column.
Step 5
Select the required devices from the Devices column, then click Add.
The devices appear in the Selected Devices column.
Step 6
Click OK.
The selected devices appear in the Devices folder of the ACL Manager Main
Window.
Procedure
Step 1
Right-click on the Devices folder and select Add Device(s) from the pop-up
menu.
The Device Selector dialog box appears with these options:
Filter: Allows you to select devices using basic and custom filter criteria.
The basic filter criteria allow you to filter by domain name, device type,
or software version.
The custom filtering option allows you to define your own filter criteria.
If you check the User Filter option, all future view selections will use the
current filter settings.
Step 2
All Devices: Lists all managed devices already integrated into the server.
My Private Views: Lists the private device views that you have created. A
Private View contains the groups of devices that you had previously saved as
a Private view. See Saving a Device View.
Custom Views: Lists the custom device views that you and other users have
created.
Select a device view from the Views column, for example, My Private Views.
The devices corresponding to the selected view appear in the Devices column.
Step 3
Select all the devices from the view, or a subset of the devices in the view, and
click Add.
The devices appear in the Selected Devices column.
Step 4
Click OK.
The selected devices appear in the Devices folder of the ACL Manager Main
Window.
Deleting Devices
Deleting a device from the Devices folder in the ACL Manager Main Window will
not delete any changes that you may have made to the device. These changes are
stored in the My Changes folder of the ACL Manager Main Window.
To delete a device from the Devices folder:
Procedure
Step 1
Select the device and press the Delete key on your keyboard.
A message appears that deleting the device will not delete your changes:
Deleting the selected devices will not delete your changes. All your
changes are still available in the My Changes folder. Do you want
to continue?
Step 2
Procedure
Step 1
Select the Devices folder in the ACL Manager Main Window, and right-click on it.
A pop-up menu appears.
Step 2
Step 3
Step 4
Step 5
Click OK.
Procedure
Step 1
Select the Devices folder in the ACL Manager Main Window, and right-click on it.
A pop-up menu appears.
Step 2
My Private Views: Lists the device views that you have created. A Private
View contains the groups of devices that you had previously saved as a Private
view. See Saving a Device View.
Custom Views: Lists the custom device views that you and the other users
have created.
After you select a view, the devices in the view appear in the Devices column. You
cannot select a subset of devices from a view.
Step 3
Click OK.
All the devices in the view that you selected appear in the Devices folder in the
ACL Manager Main Window.
Item: Folder (left pane)
Item: Contents (right pane). Description: Displays the attributes of any item selected in the folder pane. The contents pane is blank if there are no attributes associated with the selected item. For example, in the left pane, if you select:
Item: Item count area (bottom right). Description: Shows the number of items contained in the currently selected object. For example, when an ACL is selected, shows the number of ACEs in that ACL.
Item: View mode area (bottom center). Description: Shows the view mode for viewing ACEs. If you are in an ACL context and in physical view mode, the contents pane has a gray background. You cannot perform any editing in the physical view mode, except reordering ACEs.
To modify the settings for an editable item in the folder pane, select the item and
then select an appropriate command from a menu. For convenience, some actions
are also available from a pop-up menu when you right-click the item.
My Changes Folder
The My Changes folder stores all the ACL Manager entities that you have made
changes to. These entities will be in any one of these states:
New
Checked out
Procedure
Step 1
Step 2
If you have deleted the device from the Devices folder, ACL Manager adds the
device and then highlights the selected ACL in the context of the device.
Devices Folder
The Devices folder contains all the devices that you have selected. This folder is
common to IOS, Catalyst OS and PIX devices.
To see the following folders, double-click on the devices in the Devices folder.
ACL Definitions
ACL Uses
Time Ranges
Object Groups
Deleting Devices
ACL Manager Menus
Menu: Description/Operations
File: Operations at the device level, and other disk file oriented operations such as saving ACLs and saving ACEs as templates. See File Menu.
Edit: Operations that change the contents of the active view. See Edit Menu.
View: Operations that affect the active view display. See View Menu.
ACL: Operations that are related to ACLs and ACEs. See ACL Menu.
Versioning
Tools
Help: Operations related to online help, such as details on the ACL Manager release version, copyright, browser JVM version, and operating system.
File Menu
The File menu contains:
Selection: Description
Explore: Takes you to the device context. When you select a changed entity from the My Changes Folder or the Out-of-Band Changes folder in the ACL Manager Main Window, this option takes you to the device on which the changed entity exists, and highlights it.
Add Device(s): Opens the Device Selector dialog box to enable you to add devices. The devices that you add appear in the Devices folder in the ACL Manager Main Window (see Populating the Devices Folder).
(selection name not recovered): Opens the Device Selector dialog box to enable you to open existing device views. The devices from the view that you selected appear in the Devices folder in the ACL Manager Main Window (see Opening a Device View).
(selection name not recovered): Opens the Save As Private/Custom Static device View dialog box to enable you to save a set of devices as a Custom View or a Private View (see Saving a Device View).
Save ACL As
Save ACE As
Copy to System Clipboard: Copies the selected ACEs (or ACLs, templates, or policies) as text, to the system clipboard. You can select non-contiguous ACEs (or ACLs, templates, or policies). The logical or physical view for an ACL is preserved during the copy operation.
For example, an ACE with a network class in the logical view would appear as follows:
access-list 100 permit tcp network-class @/apac/mynetwork any
If more than one ACL (or template or policy) is selected and copied, they appear as text separated by !.
For named IOS ACLs, the ACL name is copied only if you have selected the entire ACL, or all of its ACEs.
Paste from System Clipboard: Inserts text from the system clipboard as ACEs, into the appropriate location within an ACL (or template or policy). ACL Manager validates the syntax of the pasted text.
You cannot edit more than one ACL (or template or policy) at a time, using this operation.
When an ACL (or template or policy) is selected, the ACEs are appended to the selected entity.
You cannot paste into the physical view of an ACL.
Import: Opens the File Import Wizard. Use this wizard to import configuration files from an external source, into ACL Manager (see Chapter 13, Importing Configuration).
Print: Prints the object and its contents. An object can be the Root folder, any folder within the Root folder in the ACL Manager Main Window, a device, or an ACL. The Print option is also available in Class Manager and Template Manager (see Printing).
Exit
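As an added example that is neither part of this guide nor ACL Manager's own code, the following Python checker works on text in the clipboard format described above (several ACLs separated by "!" lines, logical-view entries carrying "network-class @path" tokens) and applies the numbered-ACL type ranges from Chapter 2 (1 to 99 IP Standard, 100 to 199 IP Extended). It assumes a simplified subset of IOS syntax (the protocol keywords, address forms and port operators listed in the code), treats a network-class reference as unresolved rather than invalid because resolving it needs the Class Manager, and does not handle rate-limit ACLs or VACLs. The sample input is constructed.

```python
import re
from dataclasses import dataclass, field

# Numbered-ACL ranges as the guide lists them (Chapter 2); other IOS ranges are not on the page.
ACL_TYPE_RANGES = ((1, 99, "IP Standard"), (100, 199, "IP Extended"))
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ahp", "eigrp", "ospf"}  # assumed subset
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

@dataclass
class Ace:
    text: str
    errors: list = field(default_factory=list)
    unresolved_classes: list = field(default_factory=list)  # network-class @path references

@dataclass
class Acl:
    ident: str  # ACL number or name
    acl_type: str
    aces: list = field(default_factory=list)

def classify_number(number):
    for lo, hi, name in ACL_TYPE_RANGES:
        if lo <= number <= hi:
            return name
    return "Unknown"

def _address(tokens, pos, ace):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D [WILDCARD] |
    network-class @path, recorded as unresolved) plus any port qualifier after it."""
    tok, arg = (tokens[pos:pos + 2] + ["", ""])[:2]
    if tok == "any":
        pos += 1
    elif tok == "host" and IPV4.match(arg):
        pos += 2
    elif tok == "network-class" and arg.startswith("@"):
        ace.unresolved_classes.append(arg)
        pos += 2
    elif IPV4.match(tok):
        pos += 2 if IPV4.match(arg) else 1
    else:
        ace.errors.append(f"bad address spec near '{tok or 'end of entry'}'")
        pos += 1
    if pos < len(tokens) and tokens[pos] in PORT_OPS:  # e.g. eq 443, range 1 1023
        pos += 3 if tokens[pos] == "range" else 2
    return pos

def check_ace(acl_type, tokens, text):
    """Syntax-check one entry; tokens start at the permit/deny keyword."""
    ace = Ace(text)
    if not tokens or tokens[0] not in ("permit", "deny"):
        ace.errors.append("entry must start with permit or deny")
    elif acl_type == "IP Standard":
        _address(tokens, 1, ace)
    elif acl_type == "IP Extended":
        pos = 2 if len(tokens) > 1 and tokens[1] in PROTOCOLS else 1
        if pos == 1:
            ace.errors.append("extended entry needs a protocol")
        pos = _address(tokens, pos, ace)  # source
        _address(tokens, pos, ace)  # destination; trailing options (log, ...) are not checked
    return ace

def parse_clipboard(text):
    """Split copied text on '!' lines into ACLs and check every entry."""
    acls, current = [], None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "remark":
            continue
        line = " ".join(tokens)
        if tokens == ["!"]:  # separator between copied ACLs
            current = None
        elif tokens[0] == "access-list" and len(tokens) > 2:
            if current is None or current.ident != tokens[1]:
                num = int(tokens[1]) if tokens[1].isdigit() else 0
                current = Acl(tokens[1], classify_number(num))
                acls.append(current)
            current.aces.append(check_ace(current.acl_type, tokens[2:], line))
        elif tokens[:2] == ["ip", "access-list"] and len(tokens) > 3:
            current = Acl(tokens[3], "IP Standard" if tokens[2] == "standard" else "IP Extended")
            acls.append(current)
        elif current is not None:  # entry inside a named ACL
            current.aces.append(check_ace(current.acl_type, tokens, line))
    return acls

# Constructed sample of clipboard text: three ACLs separated by "!" lines; the last one has a bad entry.
SAMPLE = """\
access-list 10 permit 10.0.0.0 0.255.255.255
!
access-list 100 permit tcp network-class @/apac/mynetwork any eq 443
access-list 100 deny ip any any log
!
ip access-list extended EDGE-IN
 permit tcp any host 192.0.2.10 eq 80
 permit foo any any
"""

if __name__ == "__main__":
    for acl in parse_clipboard(SAMPLE):
        print(acl.ident, acl.acl_type, [e.errors for e in acl.aces if e.errors])
```

Running the block reports ACL 10 as IP Standard and ACL 100 as IP Extended with no errors, and flags the "permit foo any any" entry of EDGE-IN twice (no protocol, bad address), which mirrors the point of the paste operation: syntax is checked before anything is appended to the selected ACL, and a logical-view network-class reference is only usable once it can be resolved.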
Edit Menu
The Edit menu contains:
Paste: Pastes the contents of the paste buffer in front of the current selection. If there is no current selection, the contents are appended at the end of the right (Contents) pane. For objects that are shown sorted (for example, ACLs and templates), the list in the contents pane is sorted again after pasting.
Undo: Undoes the last edit operation, if possible. Some editing operations are irreversible; for example, deleting an ACL use statement.
Cut: Copies the current selection to the paste buffer and deletes it (see Chapter 4, Editing ACLs). You can select one or more ACLs or ACEs.
Copy: Copies the current selection to the paste buffer (see Chapter 4, Editing ACLs). You can select one or more ACLs or ACEs.
Find: Searches for specified text in the right (Contents) pane (see ACL Manager Menus).
Search: Searches for specific versioned entities; for example, ACLs, Global Uses, Interface Uses, Time Ranges and Templates.
Replace: Replaces entities; for example, ACLs, Global Uses, Interface Uses, Time Ranges and Templates.
Apply Template: Launches the ACL Use Selection dialog box, in which you specify a template for a device.
Use ACL: Launches the ACL Use Selection wizard, in which you select a use for an ACL.
Edit: Launches the appropriate editor on the current selection. For example, if the selection is an ACL, the ACL Editor is launched; if the selection is an ACE, the ACE Editor is launched.
Insert ACL: Launches the ACL Editor to create a new ACL, and inserts it into the device.
Insert ACE: Launches the ACE Editor to create a new ACE, and inserts it into the current ACL context before the current ACE.
Include Template: Launches the Template Browser to insert a new template include statement into the current ACL context, before the current ACE.
Insert Comment: Launches a dialog box to insert a one-line comment into the current ACL context, before the current ACE.
Launches the Time Range Editor to create a new time range definition on the device.
Show Associated ACLs: Launches the Associated ACLs on Device dialog box, which lists all the versions of ACLs that are associated with a version of a Time Range that is currently on the device.
Go to ACL: Changes the contents pane view context from the ACL use to the ACL being used in the selected use.
View Menu
The View menu contains:
Logical View
Physical View
Left Pane
Properties
Show/Hide Line Numbers: Displays or hides line numbers of ACL Manager entities in the right pane of the main windows of ACL Manager, Template Manager and Class Manager.
Go to Line: Opens the Go to Line dialog box, in which you specify the line number of the ACL Manager entity that you want to go to. When you click OK in the Go to Line dialog box, the line corresponding to the line number that you specified is highlighted.
ACL Menu
The ACL menu contains:
New ACL
New ACE: Launches the ACE Editor to create a new ACE in the current ACL context. The new ACE is appended to the end of the list of ACEs in the contents pane.
New Comment
Launches the Time Range Editor to create a new time range definition on the device.
Highlights (in pale lavender) all the modifications that you made to the ACEs within an entity.
Unmark All Comments: Unmarks (releases) all the downloadable comments that were marked for downloading to a device.
Show Out-of-Band Changes
Diff/Merge with Out-of-Band Changes: Opens the Diff Viewer, which shows the differences between the Out-of-Band change on a device and the ACL Manager baseline configuration.
Reject Out-of-Band Changes: Opens the Job Download Wizard to allow you to reject the Out-of-Band change.
You can select one or more ACLs and mark them for download. After you successfully mark the ACLs, you can use the Pending Marks Browser to select the changed ACLs and schedule their download at another time.
This option is useful when the IP address for a hostname has been changed, and the changed IP address needs to be downloaded to the device.
Versioning Menu
The Versioning menu contains:
Gets the latest version of an ACL Manager entity onto your view. This is also applicable at the device level, where it fetches the latest version of all entities, including newly created entities, onto your view.
Check Out: Launches the Check Out dialog box, to check out the selected ACL Manager entities.
Show Changes: Launches the Diff Viewer to show the changes that you have made on an ACL Manager entity.
Check In: Launches the Check In dialog box, to check in the selected ACL Manager entities.
Cancels the check out for the selected ACL Manager entities.
Get Baseline Version: Gets the baseline version (the last successfully downloaded version) of an ACL Manager entity onto your view. This menu item applies only to entities that exist on a device. It is also applicable at the device level, where it fetches the baseline version of all entities onto your view.
History: Displays the version history details of a selected entity. This window allows you to view the ACEs in a specified version of an ACL, view the Diffs between two versions, check out a version, and view version details.
Version Graph: Launches the Diff Viewer to display the differences between the latest version of the ACL Manager entity and the version currently on a device.
Version Details
Tools Menu
The Tools menu contains:
Launches the ACL Use Wizard (see Chapter 12, Defining ACL Uses).
ACL Downloader
Job Browser: Launches the Job Browser (see Chapter 15, Browsing Job Status and Viewing Results).
Mark Changes for Download: Launches the Mark Changes for Download dialog box. You can mark a required version of an entity to be downloaded to a device (see Chapter 15, Scheduling and Downloading).
Pending Marks Browser: Launches the Pending Marks Browser. You can view the marks that are pending for the various changed entities (see Chapter 15, Scheduling and Downloading).
Class Manager: Launches the Class Manager (see Chapter 5, Using the Class Manager).
Template Manager
Optimizer
Hits Optimizer
ACE Validator: Launches the ACE Validation Results dialog box (see Chapter 14, Validating ACEs).
Diff Viewer: Launches the Diff Viewer (see Chapter 15, Defining the Job and Selecting the Job Options).
Verify Policy
Update Logical Entities: Updates the logical entities within ACLs and templates (see Chapter 6, Using the Template Manager).
Resolve DNS Names: Resolves the DNS names contained within an ACL or a template into their IP addresses.
Resolve IP Address
Using the Device State Icons
The device state icons (the icons themselves are images) and their meanings:
An ACL definition.
A router that has no ACL definitions on it (blue icon).
A router that is stale, and which has no ACL definitions on it (gray icon).
A switch that has no ACL definitions on it (blue icon).
A stale switch that has no ACL definitions on it (gray icon).
A router that is either unreachable, or is not in the database.
An unsupported device.
Time-based ACE in a PIX device.
Using the Toolbar
New ACL: Displays the ACL Editor (see Creating ACLs in Chapter 4). This action is equivalent to selecting ACL > New ACL.
Cut: Deletes the current selection and copies it into the paste buffer (see Editing ACLs in Chapter 4). The selection can be one or more ACLs or ACEs. This action is equivalent to selecting Edit > Cut.
Copy: Copies the current selection into the paste buffer (see Editing ACLs in Chapter 4). This action is equivalent to selecting Edit > Copy.
Paste: Pastes the contents of the paste buffer in front of the current selection. If there is no current selection, the contents are appended to the end of the contents pane. This action is equivalent to selecting Edit > Paste.
Delete: Deletes the current selection. The selection can be one or more devices, ACLs, ACEs, or ACL use statements. This action is equivalent to selecting Edit > Delete.
Undo: Undoes the last edit operation, provided that the undo is possible. Some editing operations are irreversible; for example, deleting an ACL use statement. This action is equivalent to selecting Edit > Undo.
Up One Level: Changes the left pane selection context to the next higher level.
Move selected ACE up: Moves the selected ACEs up one position. This action is equivalent to selecting Edit > Move ACEs Up.
Move selected ACE down: Moves the selected ACEs down one position. This action is equivalent to selecting Edit > Move ACEs Down.
Job Browser: Launches the Job Browser. This action is equivalent to selecting Tools > Job Browser.
Using Keyboard Shortcuts
Each key is listed with the pane (context) in which it applies and its action; actions that were not recovered are left blank.
Up Arrow (left pane)
Down Arrow (left pane)
Right Arrow (left pane): Expands the current selection if it is collapsed; else selects the first subfolder.
Left Arrow (left pane)
Enter (left pane)
Enter (right pane)
Ctrl+P (both panes): Prints.
Ctrl+F (both panes): Searches.
Ctrl+H (both panes): Replaces.
Ctrl+Z (both panes): Undoes changes.
Ctrl+A (both panes)
Ctrl+X (both panes): Deletes the current selection and copies it to the Paste buffer (see Editing ACLs in Chapter 4). You can select and delete one or more ACLs or ACEs.
Ctrl+C (both panes): Copies the current selection to the Paste buffer.
Ctrl+V (both panes): Pastes the contents of the Paste buffer before the current selection. If you have not selected anything in the contents pane, the contents are pasted at the end of the list.
Del (both panes): Deletes the current selection. You can select and delete one or more devices, ACLs, ACEs, or ACL Use statements.
Tab (both panes)
Shift+Tab (both panes)
Alt+F4 (both panes)
Further key bindings (actions not recovered except as shown): Tab, Shift+Tab, Escape, Ctrl+A, Ctrl+X, Ctrl+C, Ctrl+V, Ctrl+Z (undoes changes), Del.
Alternative bindings: Tab, Shift+Tab, Escape, Shift+Del, Ctrl+Ins, Shift+Ins, Ctrl+Z (undoes changes), Del.
Printing
ACL Manager allows you to print an object and its contents. An object can be the
Root folder, or any folder within the Root folder in the ACL Manager Main
Window, a device or an ACL. The Print option is also available in Class Manager
and Template Manager.
Performing a Complete Workflow Cycle
Procedure
Step 1 Starting ACL Manager and adding devices (see Starting ACL Manager).
Step 2
Step 3
Step 4 Creating ACL use statements (see Defining ACL Uses in Chapter 12).
Step 5 Viewing and verifying the changes made to the device configuration during
editing (see Verifying Device Configuration Changes), and checking for
Out-of-Band changes (see Managing Out-of-Band Changes to Device
Configuration).
Step 6 Scheduling a download job and downloading the ACL and ACL use modifications
to devices (see Downloading the Changes to the Devices).
Step 7 Verifying that the download was completed successfully (see Verifying That the
Download was Successful).
Verifying Device Configuration Changes
Procedure
Step 1 Select Tools > Diff Viewer from the ACL Manager Main Window, to display the
Config Diff View window (see Figure 3-4).
Figure 3-4
Only the entities that have been changed appear in this window.
User Guide for ACL Manager
Step 2
In this example, there are three changes from the original configuration for ACL
100 in device aclm7505-1:
ACE 4 is inserted
ACE 5 is deleted
ACE 11 is deleted
The differences are represented as follows:
Changed lines: (representation not recovered)
Unchanged lines: black text.
If you want to view only those configuration commands that will be downloaded
to the device, click Delta (see Figure 3-6).
Figure 3-6
You can also open the Diff Viewer from these windows:
The Select Changed Entities Pane of the Job Download Wizard (see
Chapter 15, Selecting the Devices and the Changed Entities, to open the
Diff Viewer through the Select Changed Entities Pane).
The Mark Changes for Download dialog box (see Chapter 15, Marking
Changes for Download, to open the Diff Viewer through the
Mark Changes for Download dialog box).
When you open the Diff Viewer from these windows, you must first select the
changed entities for which you want to see the configuration differences.
If you do not select the All Entities check box, or the specific changed entities,
the Config Diff Viewer does not show any Diffs.
Managing Out-of-Band Changes to Device Configuration
Checking for Out-of-Band Changes on Devices
Procedure
Step 1
Step 2
Step 3 From the pop-up menu that appears, select Check for Out-of-Band Changes.
ACL Manager checks for Out-of-Band changes and displays any that it finds in
the Entities Out-of-Sync pop-up window (see Figure 3-7).
Figure 3-7
Fields in the Entities Out-of-Sync window: ID; Device; Change Type; Entity Type; Entity Name; Detection Time; Status (resolved or unresolved).
Step 4
This window lists all the Out-of-Band changes that ACL Manager had previously
detected. Fields in the Out-of-Band Changes Window:
ID
Device
Change Type: The type of change.
Entity Type: The type of the ACL Manager entity: ACL, Time Range, Global Use, Line Use, Object Group, and so on.
Entity Name: The entity name and type (ACL, ACL Use, Time Range, and so on).
Detection Time
Status: Resolved or unresolved.
To see the details of each Out-of-Band change, select the change and the details
appear in the right pane of the ACL Manager Main Window.
For example, the details are:
For an ACL Use, the ACLs, the IOS, Catalyst OS, or PIX OS command, and
the description.
To refresh the Out-of-Band Changes folder with the latest Out-of-Band changes,
see Checking for Out-of-Band Changes on Devices.
You can resolve the Out-of-Band changes that have been detected, by either
accepting or rejecting the changes.
Procedure
Step 1
Check for Out-of-Band changes using the procedure in the section Checking for
Out-of-Band Changes on Devices.
The Out-of-Band Changes folder in the ACL Manager Main Window, is refreshed.
Step 2
Select the required Out-of-Band change from the folder and right-click.
Step 3
You can select any of these options from the pop-up menu that appears:
Show Out-of-Band Changes: Launches the Diff Viewer if the Out-of-Band change is a modification. For example, if the Out-of-Band change is an ACL modification, the Diff Viewer displays the differences between the ACL on the device and the baseline version in ACL Manager. If the Out-of-Band change is an addition or a deletion, a message is displayed instead:
To accept this change, delete and download this entity.
To reject this change, do Get Baseline Version and download it.
Diff/Merge Out-of-Band Change: Displays the Diff/Merge with Out-of-Band Changes dialog box, in which you select the baseline version, the latest version, or the version in the view.
If the changed entity is an ACL and you check it out, the Merge Editor appears. You can merge the changes and then check in the new version, or save it. After checking it in, download the ACL using the Job Download Wizard.
If the changed entity is anything other than an ACL and you check it out, a message box titled Merge Editor is not Supported for this Entity Type appears, with this message:
Please merge the Out-of-band changes manually.
If you click OK, the Diff Viewer appears. Check the differences between the Out-of-Band change and the selected version, make the changes manually using ACL Manager, then check in the changed version of the entity and download it to the device.
The Out-of-Band change disappears from the Out-of-Band Changes folder after a successful download.
Reject Out-of-Band Change: Launches the Job Download Wizard, to enable you to download the required version of a changed entity to the device.
Explore: Takes you to the device context of the Out-of-Band change, or associates the Out-of-Band change with the correct device. ACL Manager highlights the Out-of-Band change on the appropriate device in your Devices folder.
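The Diff Viewer and the Out-of-Band check described above both compare the baseline configuration ACL Manager last downloaded with what is now on the device. The following is an added example, not ACL Manager code, that performs that comparison on two constructed IOS configurations: it classifies each ACL as an addition, deletion or modification (the Change Type field above), lists inserted and deleted ACEs by position in the way the Diff Viewer example reports "ACE 4 is inserted", and flags the changes that can only widen access. The configurations, ACL numbers and addresses are constructed for the example.

```python
"""Detect and classify Out-of-Band (OOB) changes by comparing the baseline
configuration ACL Manager last downloaded with what is now on the device.
Added example, not ACL Manager code; both configurations are constructed."""
import difflib
from typing import Dict, List, Tuple

Acl = List[str]  # ordered ACE lines of one ACL

# Constructed sample: what was last downloaded to the device ...
BASELINE = """
access-list 100 permit tcp 10.1.0.0 0.0.255.255 any eq 22
access-list 100 permit tcp 10.1.0.0 0.0.255.255 any eq 443
access-list 100 deny ip any any
access-list 120 permit udp any any eq 53
"""
# ... and what a later fetch of the running configuration returned.
DEVICE = """
access-list 100 permit tcp 10.1.0.0 0.0.255.255 any eq 22
access-list 100 permit tcp any any eq 23
access-list 100 permit tcp 10.1.0.0 0.0.255.255 any eq 443
access-list 100 deny ip any any
access-list 130 permit ip any any
"""


def parse_acls(config: str) -> Dict[str, Acl]:
    """Group 'access-list <name> ...' lines by ACL name, keeping their order."""
    acls: Dict[str, Acl] = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "access-list":
            acls.setdefault(parts[1], []).append(" ".join(parts))
    return acls


def diff_aces(baseline: Acl, device: Acl) -> List[Tuple[str, int, str]]:
    """Line-level diff of one ACL as (kind, position, ace). Positions are
    1-based: a deleted ACE is numbered in the baseline, an inserted ACE in
    the device ACL."""
    events: List[Tuple[str, int, str]] = []
    matcher = difflib.SequenceMatcher(a=baseline, b=device, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        events += [("deleted", i + 1, baseline[i]) for i in range(i1, i2)]
        events += [("inserted", j + 1, device[j]) for j in range(j1, j2)]
    return events


def classify_oob(baseline: Dict[str, Acl], device: Dict[str, Acl]) -> Dict[str, str]:
    """Per ACL: 'addition' (only on the device), 'deletion' (only in the
    baseline) or 'modification' (in both, but different). Order is part of
    the comparison because the first matching ACE wins."""
    kinds: Dict[str, str] = {}
    for name in sorted(set(baseline) | set(device)):
        if name not in baseline:
            kinds[name] = "addition"
        elif name not in device:
            kinds[name] = "deletion"
        elif baseline[name] != device[name]:
            kinds[name] = "modification"
    return kinds


def widening_changes(baseline: Acl, device: Acl) -> List[str]:
    """Triage heuristic: permits that appeared and denies that vanished are
    the OOB edits that can only open access, so they are reviewed first."""
    return [ace for kind, _, ace in diff_aces(baseline, device)
            if (kind == "inserted" and " permit " in ace)
            or (kind == "deleted" and " deny " in ace)]


if __name__ == "__main__":
    base, dev = parse_acls(BASELINE), parse_acls(DEVICE)
    for name, kind in classify_oob(base, dev).items():
        print(name, kind)
        if kind == "modification":
            for event in diff_aces(base[name], dev[name]):
                print("   ", *event)
```

The same comparison, run between the version you checked in and the running configuration after a download, is the check behind verifying that a download succeeded: an empty classification means the device matches. widening_changes is only a triage aid; because the first matching ACE wins, an inserted permit shadowed by an earlier deny does nothing, and a pure reordering can widen access without adding a line, which is why modifications are reviewed in the Diff Viewer rather than by keyword.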
Table 3-6 Resolving Out-of-Band changes to ACLs, by OOB change type. Each type is resolved using the Diff/Merge with Out-of-Band Changes dialog box and Merge Editor, and then by scheduling a download: Modification (ACL is modified on the device), Addition (ACL is added or created on the device) and Deletion (ACL is deleted on the device). The numbered steps of the table were not recovered; the only surviving step text, under Addition, is: Click OK. The Job Download Wizard appears.
For resolving OOB Changes of entities other than ACLs see Table 3-7.
Table 3-7 Resolving Out-of-Band changes to entities other than ACLs, by OOB change type: Modification (entity is modified on the device), Addition (entity is added or created on the device) and Deletion (entity is deleted on the device). The numbered steps of the table were not recovered; the surviving step text, under Addition, is: Click OK. The Diff Viewer appears. You can check the diffs between the Out-of-Band change and the selected version, and then add the entity manually, using ACL Manager. Click OK. The Job Download Wizard appears.
Using the Diff/Merge with Out-of-Band Changes Dialog Box and Merge Editor
For ACLs, if there are any Out-of-Band changes, you can accept them using the
Merge Editor. You can compare the configuration differences in the ACLs in your
Devices folder and those on the device using the Merge Editor, and merge them.
Note
The Merge Editor is available only for ACLs. For other ACL Manager entities you
will need to do a manual merge after viewing the configuration diffs (differences
between versions).
To do a merge:
Procedure
Step 1 Select the entity that has undergone an Out-of-Band change, from the
Out-of-Band Changes folder in the ACL Manager Main Window.
Step 2
Step 3 The Diff/Merge with Out-of-Band Changes dialog box appears (see Figure 3-8).
Step 4
Step 5 Version in the view (the version currently in the Devices folder, with your
modifications).
If you do not select CheckOut entity and click OK, the Merge Editor appears;
however, you cannot handle the OOB changes in the Merge Editor, because you
have not checked out the entity.
The Check Out dialog box appears (see Chapter 10, Figure 10-1).
Step 6
Enter your check out comments if required in the Check Out dialog box and click
OK.
The ACL is checked out, and the Merge Editor appears (see Figure 3-10). You can
handle the OOB changes using the Merge Editor.
Figure 3-10 Merge Editor for OOB Changes
Note
If you only want to view and compare the OOB changes, in Step 5, do not
select the CheckOut ACL option. When you click the OK button, the
Merge Editor appears, with the Checkin button disabled.
OOB Changes ACL Pane (lower right pane): Contains the ACEs in the ACL
that has undergone the OOB changes.
Merged Logical View of ACL (top pane): Represents the ACEs in the logical
view of the ACL selected for comparison with the ACL that has OOB
changes. You can edit the information in this pane. You can add the ACEs
from the OOB Changes ACL pane, to this pane.
Merged Physical View of ACL Pane (lower left pane): Represents the
physical view of the ACEs. The information in this pane changes in response
to changes in the logical view.
The differences between the versions of the ACL are represented as follows:
Changed lines: (representation not recovered)
Unchanged lines: black text.
Step 7
Select the ACEs from the lower right pane or the left pane, as required.
Step 8
Click the Move ACE Up icon to move the selected ACEs up to the
ACL Merged Logical View of ACL pane.
In the ACL Merge Version top pane, you can use:
The Move ACE Up, Move ACE Down arrow icons, to reorder the ACEs.
The Cut, Copy, Paste, and Undo icons to edit the ACEs.
The Save button, to save your changes and check in the version later.
The History button, to view the history of the ACL. This allows you to view
the changes that happened to the ACL before the OOB change.
Step 9 After the merge procedure is complete, download to the device after selecting the
Override OOB changes option in the Job Download Wizard.
Chapter 4
These topics describe how to view and edit ACLs and ACEs:
Creating ACLs
Versioning ACLs
Editing ACLs
Deleting ACLs
Manipulating ACEs
Editing ACEs
Editing VACEs
Creating ACLs
ACLs are created under the ACL Definition folder for a particular device. After
you create an ACL, you can add ACEs to it.
You can also copy and paste an existing ACL, to create a new ACL (see Creating
a New ACL by Copying and Pasting an Existing ACL).
To be able to use an ACL that you have created, you should first check it in (see
Chapter 10, Checking In Entities).
To create an ACL:
Procedure
Step 1
Start ACL Manager by selecting ACL Manager > Edit ACLs (see Chapter 3,
Starting ACL Manager).
Step 2
Step 3
Expand the Devices folder in the ACL Manager Main Window, and select the
required device.
Step 4
Step 5
Select ACL Definitions, then select New ACL from the ACL Definitions popup
menu.
The ACL Editor dialog box appears (see Figure 4-1).
Figure 4-1
Step 6
Fields in the ACL Editor dialog box: Type; Autonumber; Name or Number; Comment.
Step 7
Click OK.
The ACL is created.
Note
You can select ACL > New ACE from the ACL Manager Main Window to insert
ACE entries into the new ACL.
Tip
You can also start the ACL Editor dialog box by clicking the New ACL toolbar
icon or by selecting ACL > New ACL from the ACL Manager Main Window.
Creating a New ACL by Copying and Pasting an Existing ACL
Procedure
Step 1
Start ACL Manager by selecting ACL Manager > Edit ACLs (see Chapter 3,
Starting ACL Manager).
Step 2
Step 3
Expand the Devices folder in the ACL Manager Main Window, and select the
required device.
Step 4
Step 5
Step 6
Select the device into which you wish to paste the copied ACL, and expand its
ACL Definitions folder.
Step 7
Versioning ACLs
ACLs are versioned in ACL Manager. After you create an ACL, you should check
it in, to be able to use it. You should check out an ACL to be able to modify it.
You can also view the Versioning History of ACLs. For details on versioning, see
Chapter 10, Versioning ACL Manager Entities.
Viewing ACLs
To view ACLs:
Procedure
Step 1
Step 2
Figure 4-2 Viewing ACLs
The ACL versions appear in square brackets beside the ACL name or number.
Editing ACLs
You can use the ACL editor to change the ACL name or comments about the ACL.
Check out the ACL to be able to make these changes (see Chapter 10, Checking
Out Entities.)
If you have not yet started ACL Manager, to open the ACL Manager Main
Window, see these topics in Chapter 3:
To edit ACLs:
Procedure
Step 1
Step 2
Step 3
Step 4 Enter your values in the fields (see Creating ACLs for field descriptions), and
click OK.
Tip
You can insert a comment into an ACL using ACL > New Comment.
You can use the ACL Manager Main Window in this editable mode to:
Get the latest version of an ACL on to a device in your Devices folder and
view the ACEs within the ACL (see Chapter 10, Getting the Latest Version
of an Entity.)
Cancel a check out (see Chapter 10, Undoing the Check Out of an Entity.)
Compare the existing version of the ACL on a device in your Devices folder,
with its latest version in the versioning repository (see Chapter 10,
Comparing an Entity with its Latest Version.)
View the versioning history of an ACL (see Chapter 10, Viewing the Version
Graph of an Entity.) From within the Version History window, you can:
Get a specified ACL version onto a device in your Devices folder (see
Entities.)
View the differences between any two ACL versions (see Chapter 10,
Deleting ACLs
You can delete ACLs, as part of your administrative functions.
Use the ACL Manager Main Window to delete an ACL.
Procedure
Step 1
Step 2
Step 3
Step 4
Manipulating ACEs
The ACL Manager provides many features for manipulating ACE entries for a
particular ACL definition that has been checked out (see Chapter 10, Checking
Out Entities). You can:
Procedure
Step 1
Step 2
Step 3
Figure 4-3
Step 4
Viewing ACEs
Right-click on the ACE above which the new ACE is to be inserted, then select
Insert ACE.
The ACE Editor dialog box appears.
Step 5
Enter the parameters for the new ACE (see Editing ACEs).
Step 6
Click OK.
Step 7
Procedure
Step 1
Step 2
Step 3
Step 4
Step 5
Click OK.
For information on editing ACE attributes, see Editing ACEs.
Inserting a Template
You can insert a template into an ACL by creating a template include ACE that
references the template.
To insert a template:
Procedure
Step 1
Step 2
Step 3
Figure 4-4
Template Selection
This dialog box displays only the templates appropriate to the ACL.
Step 4
Step 5
Click Expand to open a window showing the template details (see Figure 4-5).
Figure 4-5
Expanded Template
Step 6
Click OK.
The include template ACE is inserted, or is appended to the end of the ACL if
you made no selection (see Figure 4-6).
Figure 4-6
Inserted Template
Appending a Comment
Use the Comment Editor to append a comment to the end of an ACL or ACL
template.
You can use the Comment Editor to insert a comment after an ACE (see Inserting
a Comment), or download the comment (see Downloading Comments).
To append a comment:
Procedure
Step 1
Step 2
Step 3
Step 4
Step 5
Click OK.
The comment is appended with the prefix !
Figure 4-8 shows a comment inserted at the end of an ACL.
Inserting a Comment
Use the Comment Editor to insert a comment after an ACE.
You can also use the Comment Editor to append a comment at the end of an ACL
or ACL template (see Appending a Comment), or download the comment (see
Downloading Comments).
Procedure
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Click OK.
See Figure 4-8 for inserted comment.
Figure 4-8
Inserted Comment
Downloading Comments
ACL Manager supports two types of comments: downloadable comments and non-downloadable comments.
Procedure
Step 1
Step 2
Step 3
Click OK.
Step 4
To be able to use the options, Mark All Comments and Unmark All Comments,
you should first check out the ACL.
The Physical View (select an ACL, then from the ACL Manager Main Menu,
select ACL > Physical View) displays the Remark ACEs, as perceived by the
device.
When you import a configuration from an external source (see Chapter 13,
Importing Configuration), a comment that is preceded by a ! (bang), in the
IOS format, is also imported.
However, the comments are not downloadable by default. If you want to download
the imported comments or Remark ACEs:
Procedure
Step 1
Step 2
Step 3
If you have created Remark ACEs (comments) for an ACL in a template, these
will not be downloaded by default. However, when you are including the ACL in
a template, you can add the comments before or after the template ACE, in the
ACL.
If you:
1.
2.
ACL Manager treats the comment as a non-downloadable comment. That is, the
job may be displayed as a success in the Job Browser, but the comment is not
downloaded to the device.
Comment icons:
Downloadable comment.
Non-downloadable comment.
Reordering ACEs
Use the Move ACE Up and Move ACE Down toolbar buttons to move selected
ACEs up or down.
Procedure
Step 1
Step 2
Step 3
Step 4
To move the ACEs up one position, click the Move ACE Up icon.
To move the ACEs down one position, click the Move ACE Down icon.
Note
If you try to reorder ACEs while in physical mode, a warning message appears if
the reorder changes the ACL semantics. ACEs are evaluated in order and the first
match wins, so moving an ACE past an overlapping ACE with the opposite action
changes which packets the ACL permits or denies.
Editing ACEs
Use the ACE Editor to edit an ACE. ACEs are contained within ACLs. To edit an
ACE, you should first check out the ACL to which it belongs. See Chapter 10,
Checking Out Entities.
The ACE Editor performs a check for the validity of DNS hostnames that you
enter and displays an error message if the syntax is incorrect.
Procedure
Step 1
Step 2
Step 3
Step 4
Step 5
An ACE is color-coded. The ACE color codes and their meanings are explained in
this table:
Green
Red
Grey: Variable name
Blue
Tip
You can start the ACE Editor dialog box from the Edit menu by selecting
Edit > Edit.
The format of the ACE editor dialog box and attributes that can be edited depend
on the IOS ACL protocol type, as described in these sections:
Specifying Source and Destination Addresses
You can specify one of these as the source or destination address:
IP address
Hostname
Network
Network Class
Note
While specifying wildcard masks for PIX, use the IOS inverted mask notation.
ACL Manager automatically converts it into the PIX notation prior to download.
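The note above on PIX mask notation and the earlier note on reordering ACEs both rest on the same parsing of an IOS extended ACE. The following is an added example, not ACL Manager code, that parses such ACEs, decides whether swapping two adjacent ACEs can change what the ACL permits (the condition behind the reorder warning), and rewrites the IOS wildcard mask as a PIX subnet mask, refusing a non-contiguous wildcard that has no PIX equivalent. It handles the any, host and address/wildcard forms and numeric ports with eq, gt, lt and range; the ACE strings, ACL numbers and addresses are constructed for the example.

```python
"""Parse IOS extended ACEs, test whether swapping two adjacent ACEs can change
the permit/deny outcome, and rewrite IOS wildcard masks as PIX subnet masks.
Added example, not ACL Manager code. Supports 'any' / 'host A' / 'A W'
addresses and numeric eq/gt/lt/range ports."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[int, int]             # (address, wildcard) as 32-bit ints
Ports = Optional[Tuple[int, int]]  # inclusive port range; None = any port
ANY: Addr = (0, 0xFFFFFFFF)


@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: Addr
    sport: Ports
    dst: Addr
    dport: Ports
    rest: Tuple[str, ...]  # trailing keywords such as 'log' or 'established'


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _take_addr(t: List[str], i: int) -> Tuple[Addr, int]:
    """Consume 'any' | 'host A' | 'A W' at t[i]; return it and the next index."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def _take_ports(t: List[str], i: int) -> Tuple[Ports, int]:
    """Consume an optional port operator. 'neq' is rejected rather than
    approximated, because widening a port match would change the policy."""
    op = t[i] if i < len(t) else ""
    if op == "eq":
        return (int(t[i + 1]), int(t[i + 1])), i + 2
    if op == "gt":
        return (int(t[i + 1]) + 1, 65535), i + 2
    if op == "lt":
        return (0, int(t[i + 1]) - 1), i + 2
    if op == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    if op == "neq":
        raise ValueError("neq is not supported")
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    src, i = _take_addr(t, 4)
    sport, i = _take_ports(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_ports(t, i)
    return Ace(t[1], t[2], t[3], src, sport, dst, dport, tuple(t[i:]))


def _addrs_overlap(a: Addr, b: Addr) -> bool:
    """Two address/wildcard pairs share an address iff they agree on every
    bit that is fixed (wildcard bit 0) in both."""
    return ((a[0] ^ b[0]) & ~(a[1] | b[1]) & 0xFFFFFFFF) == 0


def _ports_overlap(p: Ports, q: Ports) -> bool:
    return p is None or q is None or (p[0] <= q[1] and q[0] <= p[1])


def reorder_changes_semantics(first: str, second: str) -> bool:
    """True if swapping these adjacent ACEs can change the permit/deny result
    for some packet: the actions differ and one packet can match both.
    Swapping two ACEs with the same action only moves hit counts and logs."""
    x, y = parse_ace(first), parse_ace(second)
    if x.action == y.action:
        return False
    protos = x.proto == y.proto or "ip" in (x.proto, y.proto)
    return (protos and _addrs_overlap(x.src, y.src)
            and _addrs_overlap(x.dst, y.dst)
            and _ports_overlap(x.sport, y.sport)
            and _ports_overlap(x.dport, y.dport))


def wildcard_to_netmask(wildcard: int) -> int:
    """IOS inverted mask -> PIX subnet mask. A non-contiguous wildcard such as
    0.255.0.255 is legal on IOS but has no PIX mask, so it is refused."""
    if wildcard & (wildcard + 1):  # ones must be a contiguous low block
        raise ValueError("non-contiguous wildcard has no PIX equivalent")
    return ~wildcard & 0xFFFFFFFF


def _addr_text(a: Addr) -> List[str]:
    if a == ANY:
        return ["any"]
    if a[1] == 0:
        return ["host", str(ipaddress.IPv4Address(a[0]))]
    mask = wildcard_to_netmask(a[1])
    return [str(ipaddress.IPv4Address(a[0])), str(ipaddress.IPv4Address(mask))]


def _port_text(p: Ports) -> List[str]:
    if p is None:
        return []
    return ["eq", str(p[0])] if p[0] == p[1] else ["range", str(p[0]), str(p[1])]


def to_pix(line: str) -> str:
    """Rewrite an IOS extended ACE in PIX mask notation; protocol, ports and
    trailing keywords are kept as they are."""
    a = parse_ace(line)
    parts = ["access-list", a.name, a.action, a.proto]
    parts += _addr_text(a.src) + _port_text(a.sport)
    parts += _addr_text(a.dst) + _port_text(a.dport) + list(a.rest)
    return " ".join(parts)
```

The overlap test is exact for wildcard masks, including non-contiguous ones: a packet can match both address specifications only if every bit that both masks treat as fixed agrees. The PIX conversion is where a non-contiguous wildcard fails, so an ACL that validates on IOS can still be undeployable to a PIX, and the error should be raised before download rather than silently rounded to a subnet.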
To specify an IP address or hostname or network as the source or destination
address, enter it directly into the appropriate ACE editor field.
To specify a network class or a network object group as the source or destination
address:
Procedure
Step 1
In the ACE Editor, click Source Address or Destination Address to open the
Browser dialog box.
Step 2
Select the required network class or network object group from the Class Root or
from one of the folders.
Step 3
Click OK.
If you have invoked this dialog box from an ACE Editor, the selected network
class or object group appears in the ACE Editor.
If you have invoked this dialog box from the Network Class Editor, the
selected network class or object group appears in the Network Classes field
of the Network Class Editor.
You can specify one of these as the source or destination port:
Port Number
Service Name
Service Class
To specify a port number or service name as the source or destination port, enter
it directly into the appropriate ACE editor field.
To specify a service class or a service object group as the source or destination
port:
Procedure
Step 1
In the ACE Editor, click Source Port or Destination Port to open the Browser
dialog box.
Step 2
Select the required service class or service object group from the Class Root or
from one of the folders.
Step 3
Click OK.
The service class or object group appears in the ACE Editor.
Specifying Protocol
You can specify protocol object groups only for PIX devices.
To specify a protocol object group:
Procedure
Step 1
In the ACE Editor, click Protocol to open the Browser dialog box.
Step 2
Step 3
Specifying ICMP-Type
You can specify one of these:
Type
Message
Procedure
Step 1
In the ICMP section, click Type to open the Browser dialog box.
This is enabled only if the ACE protocol is specified as ICMP or protocol object
group.
Step 2
Step 3
Buttons in the ACE Editor:
Expand
New: Saves the current ACE and starts editing a new one. You can save the changes to the current ACE and carry the settings into the new ACE, or discard them. If you save, the main window is updated to display the saved ACE.
Prev: Saves the current ACE and loads the previous one from the ACL. You can save the changes to the current ACE or discard them. If you save, the main window is updated to display the saved ACE.
Next: Saves the current ACE and loads the next one from the ACL. You then have the option to save the changes made to the current ACE. If you save, the main window is updated to display the saved ACE.
4-25
Chapter 4
Editing ACEs
Description
Permission
Log Options Allows you to log packets that match this ACE.
Field
Description
Variable
If the Variable checkbox is enabled, the ACE Editor has been invoked for a
variable template. By selecting the checkbox, you can either specify
variables for the Source Address, or select existing variables from the
drop-down list box for the Source Address.
If the ACE Editor has been invoked for a variable template instance, you
specify the values for the Source Address field.
If the checkbox is not checked, the ACE Editor has been invoked either for
an ACE in a static template or to add an ACE into an ACL; in both cases you
specify the values for the Source Address.
Source Address
Defines the source address in the ACE. This field is mandatory. Enter the
address or select an existing network or network class (see Specifying
Source and Destination Addresses).
Source Wildcard Mask
Defines the wildcard mask to be applied to the source address. This field is
optional.
Comment
You can add a comment about this ACE. The comment appears in-line. This field is
optional.
Description
Protocol
Allows you to select from various protocols, such as TCP, IP, ICMP, and IGMP. You can
also enter a protocol name or number.
Permission
Log Options
Variable
The Variable checkbox in this tab of the ACE Editor applies to the Source
Address and Destination Address fields, under these conditions:
If the Variable checkbox is enabled, the ACE Editor has been invoked for a
variable template. By selecting the checkbox, you can either specify
variables for the Source Address and Destination Address fields, or select
existing variables from the drop-down list boxes for those fields.
If the ACE Editor has been invoked for a variable template instance, you
specify the values for the Source Address and Destination Address fields.
If the checkbox is not checked, the ACE Editor has been invoked either for
an ACE in a static template or to add an ACE into an ACL; in both cases you
specify the values for the Source Address and Destination Address fields.
Field
Description
Source Address
Defines the source address in the ACE. The keyword any is allowed. This
field is mandatory. Enter the address or select an existing network or
network class (see Specifying Source and Destination Addresses).
Source Wildcard Mask
Defines the wildcard mask for the source address. This field is optional.
MAC Address
Destination Address
Defines the destination address in the ACE. The keyword any is allowed. This
field is mandatory. Enter the address, or select an existing network or
network class (see Specifying Source and Destination Addresses).
Destination Wildcard Mask
Defines the wildcard mask for the destination address. This field is
optional.
Destination Port
If the protocol selected is TCP or UDP, this field specifies the destination
port for this ACE. The port relationship is assumed to be = (equal to).
Comment
You can add a comment about this ACE. The comment appears in-line. This
field is optional.
Description
TCP flags
Filters TCP packets according to the setting of the selected flags (ACK,
FIN, PSH, RST, SYN, and URG). Selecting ACK and RST is equivalent to
checking Established, which matches packets of an existing TCP connection
(ACK or RST bit set) and therefore does not match the initial SYN.
This field is available only on some IOS versions.
Variable
The Variable checkbox in this tab of the ACE Editor applies to the Source
Port Operator and Destination Port Operator fields, under these conditions:
If the Variable checkbox is enabled, the ACE Editor has been invoked for a
variable template. By selecting the checkbox, you can either specify
variables for the Source Port Operator and Destination Port Operator fields,
or select existing variables from the drop-down list boxes for those fields.
If the ACE Editor has been invoked for a variable template instance, you
specify the values for the Source Port Operator and Destination Port
Operator fields.
If the checkbox is not checked, the ACE Editor has been invoked either for
an ACE in a static template or to add an ACE into an ACL; in both cases you
specify the values for the Source Port Operator and Destination Port
Operator fields.
Field
Description
Source Port Operator
Select an operator from the drop-down list box to define the operation to be
performed on the source port:
eq (equal to)
gt (greater than)
lt (less than)
range
none
This field is available only if the protocol selected in the General tab is
TCP or UDP. Only the eq operator is available if Service Class is selected.
Source Port Start
Defines the source port, or the start of a range of ports if you selected
range as the relation. You can enter a port name or select a name from the
drop-down list box. You can also click the Start button to open the Service
Class Selection dialog box and select a service class (see Specifying Source
and Destination Addresses).
Source Port End
Applies only if the source operator is range. You can enter a port name or
select a name from the drop-down list box.
Destination Port Operator
Select an operator from the drop-down list box to define the operation to be
performed on the destination port:
eq (equal to)
gt (greater than)
lt (less than)
range
none
This field is available only if the protocol selected in the General tab is
TCP or UDP. Only the eq operator is available if Service Class is selected.
Field
Description
Destination Port Start
Defines the destination port, or the start of a range of ports if you
selected range as the relation. You can enter a port name or select a name
from the drop-down list box. You can also click the Start button to open the
Service Class Selection dialog box and select a service class (see
Specifying Source and Destination Addresses).
Destination Port End
Applies only if the destination operator is range. You can enter a port name
or select a name from the drop-down list box.
ICMP Type
ICMP packets can be filtered by message type (a number in the range 0 to
255). This field is optional.
ICMP Code
ICMP packets that are filtered by message type can also be matched by the
message code (a number in the range 0 to 255). This field is optional.
ICMP Message
ICMP packets can be filtered by a message name, or by a message type and
code name. Select the message name from the drop-down list box. This field
is optional.
IGMP Type
Description
Precedence
TOS
Packets can be filtered by type of service level, as specified by a number in the range
0 to 15, or by name. You can select a name from the drop-down list box.
Differentiated Services Code Point (DSCP)
Packets can be filtered by a DSCP value, specified by a number in the range
0 to 63 or by name. You can select a name from the drop-down list box.
Fragments
Select this check box to filter non-initial fragments of IP packets. This field is
optional.
Dynamic
Name
Field
Description
Dynamic Timeout (minutes)
Specifies the maximum time (in minutes) that a temporary access list entry
can remain in the dynamic access list. The default is infinite, which allows
an entry to remain permanently. This field is optional.
Time Range Name
Specifies a named Time Range, which combines at most one fixed (absolute)
interval and zero or more periodic intervals, during which this ACL entry is
in effect.
From within ACL Manager you can associate an ACE with a Time Range that
already exists by selecting it from the Time Range Name selection box.
Create
You can create a new Time Range using the Create button. Click Create to
open the Time Range Editor (see Creating a Time Range Definition).
After you create a Time Range here, it is associated with the ACE. However,
you must check it in and download it to the device before downloading the
ACE to the device.
Expiry Type
Manual: the time-based ACEs are not tracked by the device and do not expire
automatically. However, you receive a notification when they expire. You can
then manually delete them from the ACL or retain them, as required.
Evaluate ACL
Select this check box to nest a reflexive access list within this ACL, and
enter the name of the reflexive ACL. This field is optional.
Reflexive ACL
Select this check box if you want this entry to create and insert dynamic
entries into a reflexive ACL. Reflexive ACLs filter IP traffic so that TCP
or UDP session traffic is permitted back through the firewall only if the
session originated from within the internal network. This field is optional.
Reflexive Timeout (minutes)
Reflexive access list entries expire after no packets in the session have
been detected for the timeout period (in minutes). If you do not specify a
timeout for the reflexive list, the list uses the global timeout value. This
field is optional.
Note
When you invoke the IP Extended Editor through the Template Manager, you will
not be able to select a Time Range name, in the Other tab. Instead, you should
enter a valid Time Range name in the Time Range Name field.
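The Reflexive ACL and Reflexive Timeout fields above describe a mechanism that is easier to reason about when simulated. The following is an added example written for this page, not code from ACL Manager or IOS: an outbound TCP/UDP packet creates a mirrored temporary entry, a returning packet is permitted only while a live entry matches it, and an entry is dropped once the session has been idle for the timeout. The class name ReflexiveAcl, the Packet record and the timings are constructed here; early removal of TCP entries on FIN/RST is not modelled.

```python
"""Added example: how reflexive ACL entries are created, matched and expired.

Illustrative code written for this page, not the IOS implementation or ACL
Manager's. ReflexiveAcl is a name chosen here; the packets and timings are
constructed. Not modelled: early removal of TCP entries on FIN/RST.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    t: float     # seconds since an arbitrary epoch


class ReflexiveAcl:
    def __init__(self, name: str, timeout: float = 300.0):
        self.name = name
        self.timeout = timeout           # idle timeout in seconds
        self._last_seen: Dict[Key, float] = {}

    def _purge(self, now: float) -> None:
        """Drop entries whose session has been idle longer than the timeout."""
        expired = [k for k, seen in self._last_seen.items()
                   if now - seen > self.timeout]
        for k in expired:
            del self._last_seen[k]

    def outbound(self, p: Packet) -> None:
        """The 'reflect' side: record the mirror image of an outbound session."""
        self._purge(p.t)
        mirror: Key = (p.proto, p.dst, p.dport, p.src, p.sport)
        self._last_seen[mirror] = p.t

    def evaluate(self, p: Packet) -> bool:
        """The 'evaluate' side on the inbound ACL: permit iff a live mirrored
        entry matches, and refresh that entry's idle timer."""
        self._purge(p.t)
        key: Key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self._last_seen:
            return False
        self._last_seen[key] = p.t
        return True

    def entries(self) -> List[str]:
        """Render the live temporary entries as IOS-style ACE lines."""
        return [f"permit {proto} host {src} eq {sport} host {dst} eq {dport}"
                for (proto, src, sport, dst, dport) in self._last_seen]


def demo() -> List[bool]:
    """Constructed session: inside host 10.1.1.5 opens 192.0.2.10:80.
    Returns the inbound decisions: [True, False, True, False]."""
    rl = ReflexiveAcl("tcptraffic", timeout=300)
    rl.outbound(Packet("tcp", "10.1.1.5", 1025, "192.0.2.10", 80, t=0))
    return [
        rl.evaluate(Packet("tcp", "192.0.2.10", 80, "10.1.1.5", 1025, t=100)),  # reply: permitted
        rl.evaluate(Packet("tcp", "192.0.2.10", 80, "10.1.1.5", 2000, t=100)),  # wrong port: denied
        rl.evaluate(Packet("tcp", "192.0.2.10", 80, "10.1.1.5", 1025, t=350)),  # 250 s idle: still live
        rl.evaluate(Packet("tcp", "192.0.2.10", 80, "10.1.1.5", 1025, t=700)),  # 350 s idle: expired
    ]


if __name__ == "__main__":
    print(demo())
```

The idle timer is refreshed only by packets that match an entry, so an unsolicited inbound packet to the right host but the wrong port neither passes nor extends the session. That is the property the Reflexive Timeout field controls.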
Description
MAC
Address
Description
Precedence
Packets filtered by precedence level. You can specify a number in the range from 0 to 7
or a name.
Precedence Mask
Packets are matched by a mask for filtering by precedence level. Enter the
precedence mask (a two-digit hexadecimal number).
Procedure
Step 1
Step 2
Step 3
Step 4
Step 5
Select File > Save ACEs As to display the Save As Template dialog box (see
Figure 4-15).
Figure 4-15 Save As Template Dialog Box
Step 6
Step 7
Note
Optimization changes the order of ACEs only if it does not change the ACL
semantics in any way.
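The note above is the whole safety argument for ACL optimization, and it is worth seeing what "does not change the ACL semantics" means concretely. The following is an added example written for this page, not ACL Manager's own optimizer: two adjacent ACEs can exchange places only if they have the same action or no packet can match both, because the first matching ACE decides. The Ace class, can_swap() and optimize() are names chosen here, and the sample ACL and hit counts are constructed.

```python
"""Added example: a semantics-preserving reorder check for IOS extended ACEs.

Illustrative code written for this page, not ACL Manager's optimizer. The Ace
class, can_swap() and optimize() are names chosen here; the sample ACL and
hit counts are constructed, not taken from a device.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; otherwise exact
    src: int                     # source address as a 32-bit int
    src_wc: int                  # source wildcard mask (1 bits = don't care)
    dst: int
    dst_wc: int
    dport: Optional[int] = None  # destination port with "eq" semantics; None = any


def ip(dotted: str) -> int:
    return int(IPv4Address(dotted))


def addr_sets_intersect(a: int, a_wc: int, b: int, b_wc: int) -> bool:
    """Two address/wildcard pairs share at least one address iff they agree on
    every bit that both of them care about (bits that are 0 in both masks)."""
    return ((a ^ b) & ~(a_wc | b_wc) & 0xFFFFFFFF) == 0


def protos_intersect(p: str, q: str) -> bool:
    return p == "ip" or q == "ip" or p == q


def ports_intersect(p: Optional[int], q: Optional[int]) -> bool:
    return p is None or q is None or p == q


def may_overlap(x: Ace, y: Ace) -> bool:
    """True if some packet could match both ACEs."""
    return (protos_intersect(x.proto, y.proto)
            and addr_sets_intersect(x.src, x.src_wc, y.src, y.src_wc)
            and addr_sets_intersect(x.dst, x.dst_wc, y.dst, y.dst_wc)
            and ports_intersect(x.dport, y.dport))


def can_swap(x: Ace, y: Ace) -> bool:
    """Adjacent ACEs may exchange places without changing the ACL's decision
    for any packet iff they have the same action or no packet can hit both."""
    return x.action == y.action or not may_overlap(x, y)


def optimize(acl: List[Ace], hits: Dict[Ace, int]) -> List[Ace]:
    """Move frequently hit ACEs toward the top using only safe adjacent swaps.
    An ACE stops moving as soon as it reaches one it must stay behind."""
    order = list(acl)
    for i in range(1, len(order)):
        j = i
        while (j > 0 and hits[order[j]] > hits[order[j - 1]]
               and can_swap(order[j - 1], order[j])):
            order[j - 1], order[j] = order[j], order[j - 1]
            j -= 1
    return order


# Constructed sample ACL (first match wins) with made-up hit counts.
ANY = (0, 0xFFFFFFFF)
ACL = [
    Ace("deny", "tcp", ip("10.1.1.5"), 0, *ANY, dport=23),             # one host
    Ace("permit", "tcp", ip("10.1.1.0"), 0x000000FF, *ANY, dport=23),  # its subnet
    Ace("permit", "udp", *ANY, ip("10.2.0.0"), 0x0000FFFF, dport=53),
    Ace("deny", "ip", *ANY, *ANY),
]
HITS = {ACL[0]: 2, ACL[1]: 50, ACL[2]: 900, ACL[3]: 10}


def demo() -> List[Ace]:
    """The DNS permit rises to the top, but the host-specific deny keeps its
    place ahead of the subnet permit, and the final deny stays last."""
    return optimize(ACL, HITS)


if __name__ == "__main__":
    for ace in demo():
        print(ace.action, ace.proto, hex(ace.src), hex(ace.src_wc), ace.dport)
```

The overlap test is deliberately conservative: port ranges and TCP flags are not modelled, so anything that might overlap is treated as overlapping, which can only refuse a swap, never allow an unsafe one.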
Procedure
Step 1
Step 2
Associate an ACE with a Time Range (see Associating an ACE with a Time
Range). You can have multiple time-based ACEs within an ACL.
Step 3
Download the Time Range that is associated with the ACE, to the device. Also
download the ACL containing the time-based ACE to the device, to activate the
Time Ranges (see Downloading Time-based ACEs to the Device).
Procedure
Step 1
Right-click on the Time Range Definitions folder in the ACL Manager Main
Window, and select New Time Range. You can also select ACL > New Time
Range from the ACL Manager Main Window.
The Time Range Editor opens (see Figure 4-16).
Step 2
Click the Absolute tab in the Time Range Editor dialog box to display the
attributes that can be set.
Step 3
Step 4
Enter the values for the absolute Time Range in the Start group in the Time Range
Editor - Absolute dialog box:
Step 5
Field
Description
Time
Day
Month
Year
Enter the values for the absolute Time Range in the End group.
Step 6
Click OK.
The Time Range is created and is marked with the symbol [*].
You must check it in before you can use it (see Chapter 10, Checking In
Entities). After check-in, the star symbol against the Time Range is
replaced by a version number, for example [1].
Procedure
Step 1
Right-click on the Time Range Definitions folder in the ACL Manager Main
Window, and select New Time Range. You can also select ACL > New Time
Range.
The Time Range Editor opens (see Figure 4-16).
Step 2
Click the Periodic tab in the Time Range Editor to display the attributes that can
be set (see Figure 4-17).
Step 3
Step 4
Enter the values for the periodic Time Range in the Start group in the Time Range
Editor - Periodic dialog box:
Field
Description
Days
Time
Start time in hours and minutes. Enter hours in the range 0 to 23,
and minutes in the range 0 to 59.
Step 5
Enter the values for the periodic Time Range in the End group.
To add the selected Start and End values to the Periodic Time Ranges list,
click Add. You can specify more than one periodic Time Range; click Add for
each one. The periodic Time Ranges that you have specified appear in the
Periodic Time Ranges box.
Step 6
To remove an existing periodic Time Range, select the Time Range from the
Periodic Time Ranges box and click Remove.
To change values for an existing periodic Time Range, select the Time Range
and click Change.
Click OK.
The Time Range is created and is marked with the symbol [*].
To use the Time Range, you must check it in (see Chapter 10, Checking In
Entities). After check-in, the star symbol against the Time Range is
replaced by a version number, for example [1].
Procedure
Step 1
Right-click on the Time Range Definitions folder in the ACL Manager Main
Window, and select New Time Range. You can also select ACL > New Time
Range.
The Time Range Editor opens (see Figure 4-16).
Step 2
Specify the attributes in the Absolute tab. See Time Range Definition
Absolute.
Step 3
Specify the attributes in the Periodic tab. See Time Range Definition
Periodic
Step 4
Click OK.
The Time Range is created and is marked with the symbol [*].
To use the Time Range, you must check it in (see Chapter 10, Checking In
Entities). After check-in, the star symbol against the Time Range is
replaced by a version number, for example [1].
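The three procedures above build a Time Range from at most one absolute interval and any number of periodic intervals. The following is an added example written for this page, not Class Manager or IOS code, that evaluates such a definition and reports whether an ACE bound to it is in effect at a given moment. TimeRange, parse_periodic() and state() are names chosen here; the sample "partner-access" range is constructed. The Active, Inactive and Expired states are taken from this chapter; the Passive state it also lists is not defined on the page and is not modelled. Each periodic window is assumed to start and end on the same day.

```python
"""Added example: evaluating an IOS-style time range (one absolute interval
plus zero or more periodic intervals) and reporting its state.

Illustrative code written for this page, not ACL Manager's implementation.
TimeRange, parse_periodic() and state() are names chosen here. Assumption:
each periodic window starts and ends on the same day.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import FrozenSet, List, Optional

_DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday",
              "friday", "saturday", "sunday"]
_DAY_GROUPS = {
    "daily": frozenset(range(7)),
    "weekdays": frozenset(range(5)),
    "weekend": frozenset({5, 6}),
}


@dataclass(frozen=True)
class Periodic:
    days: FrozenSet[int]   # weekday numbers, Monday = 0
    start: time
    end: time


@dataclass
class TimeRange:
    name: str
    abs_start: Optional[datetime] = None
    abs_end: Optional[datetime] = None
    periodic: List[Periodic] = field(default_factory=list)


def parse_periodic(spec: str) -> Periodic:
    """Parse 'weekdays 08:00 to 18:00' or 'monday wednesday 9:00 to 17:00'
    (the word order of the IOS 'periodic' statement)."""
    words = spec.lower().split()
    if len(words) < 4 or words[-2] != "to":
        raise ValueError(f"bad periodic spec: {spec!r}")
    start = time.fromisoformat(words[-3].zfill(5))   # "9:00" -> "09:00"
    end = time.fromisoformat(words[-1].zfill(5))
    days: set = set()
    for w in words[:-3]:
        if w in _DAY_GROUPS:
            days |= _DAY_GROUPS[w]
        elif w in _DAY_NAMES:
            days.add(_DAY_NAMES.index(w))
        else:
            raise ValueError(f"unknown day keyword: {w!r}")
    if end <= start:
        raise ValueError("window must end after it starts on the same day")
    return Periodic(frozenset(days), start, end)


def in_periodic(p: Periodic, now: datetime) -> bool:
    return now.weekday() in p.days and p.start <= now.time() <= p.end


def state(tr: TimeRange, now: datetime) -> str:
    """Expired once the absolute end has passed; Inactive before the absolute
    start or outside every periodic window; otherwise Active."""
    if tr.abs_end is not None and now > tr.abs_end:
        return "Expired"
    if tr.abs_start is not None and now < tr.abs_start:
        return "Inactive"
    if tr.periodic and not any(in_periodic(p, now) for p in tr.periodic):
        return "Inactive"
    return "Active"


def state_at(tr: TimeRange, iso: str) -> str:
    """Convenience wrapper taking an ISO timestamp such as '2004-03-10T10:00'."""
    return state(tr, datetime.fromisoformat(iso))


def ace_in_effect(tr: TimeRange, now: datetime) -> bool:
    """A time-based ACE matches traffic only while its Time Range is Active."""
    return state(tr, now) == "Active"


# Constructed sample: partner access on weekday office hours, first half of 2004.
PARTNER = TimeRange(
    name="partner-access",
    abs_start=datetime(2004, 1, 1, 0, 0),
    abs_end=datetime(2004, 6, 30, 23, 59),
    periodic=[parse_periodic("weekdays 08:00 to 18:00")],
)

if __name__ == "__main__":
    for when in ("2004-03-10T10:00", "2004-03-13T10:00",
                 "2003-12-31T12:00", "2004-07-01T09:00"):
        print(when, state_at(PARTNER, when))
```

Because the device evaluates the range against its own clock, the result depends on the device time zone; that is why the chapter asks you to re-read the device's time zone configuration with Check for Out of Band Changes after it is altered.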
Procedure
Step 1
Step 2
Select the Time Range that you want to edit, from the Time Range Definitions
folder.
Step 3
Check out the Time Range (see Chapter 10, Checking Out Entities for the
procedure).
Step 4
Step 5
Change the details in this dialog box, as required and click OK.
At this point the Time Range is in a checked out state.
You can use the Version Diff Viewer to see the differences between the original
Time Range and the checked out version (see Chapter 10, Comparing Any Two
Versions of an Entity).
Step 6
Check in the Time Range (see Chapter 10, Checking In Entities for the
procedure).
Description
Active
Passive
Inactive
An ACE and its associated Time Range have been downloaded to the device,
but the active period of the Time Range has not yet started.
Expired
Procedure
Step 1
Expand the required Devices folder in the ACL Manager Main Window.
Step 2
Step 3
Right-click on the required Time Range and select Show Associated ACLs from
the pop-up.
Or
Select the required Time Range and click Edit > Show Associated ACLs from the
main menu bar.
The Associated ACLs on Device dialog box appears (see Figure 4-18).
Figure 4-18 Associated ACLs on Device
Description
ACL Name
Version
ACL Version.
Procedure
Step 1
In the ACL Manager Main Window, select the device for which the time zone
configuration has been changed.
Step 2
Right-click on the device and select Check for Out of Band Changes.
The time zone configuration of the device is updated in ACL Manager.
Automatic Expiry
If you specify Automatic Expiry as the mode of expiry, the time-based ACEs will
be tracked by the device. They will expire automatically, at the time specified in
the Time Range.
You will get an e-mail informing you that the time-based ACEs have expired.
Manual Expiry
If you specify Manual Expiry as the mode of expiry, the time-based ACEs will not
be tracked by the device on which they are present. They do not expire
automatically.
Such ACEs are activated immediately, after you download them to the device, and
you will receive a notification when they expire. You can then manually delete
them from the ACL or continue to retain them.
This method of expiry is useful when you do not want the time-based ACEs that
you have implemented on a device to expire with split-second accuracy.
For example, if you have implemented a contract to provide certain resources to
a valued partner, you may want to provide a grace period after the contract
expires, before withdrawing the resources, or renewing or extending the contract.
Procedure
Step 1
Check out the ACL (see Chapter 10, Checking Out Entities).
Step 2
Step 3
Step 4
Download the ACL to the device again (see Chapter 15, Scheduling and
Downloading).
The server is re-started. In this case, you will be notified of the expired Time
Ranges.
Example expiry notification (the fields are described in the table that
follows):
Device Name: 10.64.134.78
Time-Range Name: "t2" version 1
Time-Range State: EXPIRED
Device Time:
Server Time:
Server URL: http://aclmblr-u10.cisco.com:1741
Description
Device Name
Time Range
Name
Time Range
State
Device Time
Field
Description
Server Time
Server URL
Procedure
Step 1
Step 2
Right-click on the ACL and select Mark for Download from the pop-up menu.
A message appears indicating that you will lose the existing marks for the ACL
that you have selected.
The existing marks for the entities you have selected will be lost.
Do you want to proceed?
Step 3
a.
Invoke the Pending Marks Browser by selecting Tools > Pending Marks
Browser in the ACL Manager Main Window.
b.
Select the required ACLs and then mark them for download (see Chapter 15,
Marking Changes for Download).
Note
2.
3.
During this process, the switch can apply access control to all packets,
including packets bridged within a VLAN.
VACLs impose an access-control mechanism on packets entering a VLAN.
Standard and extended IOS ACLs are a packet classification mechanism and
filter packets that go in and out of a router.
You can create VACLs for filtering packets that belong to the IP and MAC
protocols.
ACL Manager also allows you to apply VACLs on Private VLANs.
Using ACL Manager you can do the same operations on VACLs that you can do
on ACLs. For example you can:
Mark the VACL for download (see Marking ACLs for Download)
Editing VACEs
Use the ACE Editor to edit a VACE. VACEs are contained within VACLs. To
edit a VACE, you must first check out the VACL to which it belongs. See
Chapter 10, Checking Out Entities.
The ACE Editor performs a check for the validity of DNS hostnames that you
enter and displays an error message if the syntax is incorrect.
For the procedure on using the ACE Editor, and other details, see Editing ACEs.
The format of the ACE Editor dialog box and attributes that can be edited depend
on the CatOS ACL protocol type, as described in these sections:
On switches running Cat OS 6.1 or higher, with Supervisor Engine II and PFC II,
in the IP VACL that you create, the first IP VACE, by default, is permit arp.
The attributes of an ARP VACE are:
You cannot check in a VACL, if it contains only an ARP VACE. You must
create another VACE to be able to successfully check in the VACL.
On switches running Cat OS 6.2 or higher, with Supervisor Engine II and PFC II,
for an ARP VACE, you can also enable logging, but with only the Deny
permission.
On switches running Cat OS 7.6, ARP Inspection IP VACEs are supported.
The attributes of an ARP Inspection VACE are:
Description
Protocol
Drop-down list box that allows you to select from various protocols, such as TCP, IP,
ICMP, IGMP. You can also enter a protocol name or number (0-255).
Permission
Radio button that determines whether the VACE is a permit, deny, or redirect
statement. If you choose to redirect to ports, select Redirect to Port and
enter the port information, for example 2/2.
Capture Option
Copies packets matching this VACE to the capture ports; the packets are also
switched normally. This field is optional, and Permit must also be selected.
You must set up the capture ports separately, using the command line
interface of the device.
Log Options
Field
Description
Variable
The Variable checkbox in this tab of the ACE Editor applies to the Source
Address and Destination Address fields:
If the Variable checkbox is enabled, the ACE Editor has been invoked for a
variable template. By selecting the checkbox, you can either specify
variables for the Source Address and Destination Address fields, or select
existing variables from the drop-down list boxes for those fields.
If the ACE Editor has been invoked for a variable template instance, you
specify the values for the Source Address and Destination Address fields.
If the checkbox is not checked, the ACE Editor has been invoked either for
a VACE in a static template or to add a VACE into a VACL; in both cases you
specify the values for the Source Address and Destination Address fields.
Source Address
Defines the source address in the VACE. The keyword any is allowed. This
field is mandatory. Enter the address or select an existing network or
network class (see Specifying Source and Destination Addresses).
Source Wildcard Mask
Defines the wildcard mask for the source address. This field is optional.
MAC Address
This field is enabled when you select an ARP Inspection VACE. Enter the MAC
address.
Field
Description
Destination Address
Defines the destination address in the VACE. The keyword any is allowed.
This field is mandatory if the permission is redirect, if you select the
capture option, or if you do not select IP as the protocol. Enter the
address, or select an existing network or network class (see Specifying
Source and Destination Addresses).
Destination Wildcard Mask
Defines the wildcard mask for the destination address. This field is
optional.
Destination Port
If you select TCP or UDP as the protocol, this field specifies the
destination port for this VACE. The port relationship is assumed to be =
(equal to).
Comment
You can add a comment about this VACE. The comment appears in-line. This
field is optional.
Description
TCP flags
Select the Established checkbox to filter TCP packets that belong to an
established TCP session.
Variable
The Variable checkbox in this tab of the ACE Editor applies to the Source
Port Operator and Destination Port Operator fields:
If the Variable checkbox is enabled, the ACE Editor has been invoked for a
variable template. By selecting the checkbox, you can either specify
variables for the Source Port Operator and Destination Port Operator fields,
or select existing variables from the drop-down list boxes for those fields.
If the ACE Editor has been invoked for a variable template instance, you
specify the values for the Source Port Operator and Destination Port
Operator fields.
If the checkbox is not checked, the ACE Editor has been invoked either for
a VACE in a static template or to add a VACE into a VACL; in both cases you
specify the values for the Source Port Operator and Destination Port
Operator fields.
Field
Description
Source Port Operator
Select an operator from the drop-down list box to define the operation to be
performed on the source port:
eq (equal to)
gt (greater than)
lt (less than)
range
none
This field is available only if you have selected TCP or UDP as the protocol
in the General tab. Only the eq operator is available if you select a
Service Class.
Source Port Start
Defines the source port, or the start of a range of ports if you selected
range as the relation. You can enter a port name or select a name from the
drop-down list box. You can also click the Start button to open the Service
Class Selection dialog box and select a Service Class (see Specifying Source
and Destination Addresses).
Source Port End
Applies only if the source operator is range. You can enter a port name or
select a name from the drop-down list box.
Destination Port Operator
Select an operator from the drop-down list box to define the operation to be
performed on the destination port:
eq (equal to)
gt (greater than)
lt (less than)
range
none
This field is available only if you have selected TCP or UDP as the protocol
in the General tab. Only the eq operator is available if you select a
Service Class.
Field
Description
Destination Port Start
Defines the destination port, or the start of a range of ports if you
selected range as the relation. You can enter a port name or select a name
from the drop-down list box. You can also click the Start button to open the
Service Class Selection dialog box and select a Service Class (see
Specifying Source and Destination Addresses).
Destination Port End
Applies only if the destination operator is range. You can enter a port name
or select a name from the drop-down list box.
ICMP Type
ICMP packets can be filtered by message type (a number in the range 0 to
255). This field is optional.
ICMP Code
ICMP packets that are filtered by message type can also be matched by the
message code (a number in the range 0 to 255). This field is optional.
ICMP Message
ICMP packets can be filtered by a message name, or by a message type and
code name. Select the message name from the list displayed in the drop-down
list box. This field is optional.
IGMP Type
IGMP packets can be filtered by message type (a number in the range 0 to 15,
or a message name from the drop-down list box). This field is optional.
Description
Precedence
TOS
Packets can be filtered by type of service level, as specified by a number in the range
0 to 15, or by name. You can also select a name from the drop-down list box.
Description
Permission
Radio button that determines whether the VACE is a permit or deny statement.
Capture Option
Select the checkbox to have matching packets switched normally and also
captured. This field is optional. Permit must also be selected.
Source Address
Source Mask
Defines the wildcard mask to be applied to the source address. This field is
optional.
Destination Address
Destination Mask
Defines the wildcard mask to be applied to the destination address. This
field is optional.
Ethertype
Name or number that matches the ethertype for Ethernet-encapsulated packets.
This field is optional.
You can include an object group as a member of another object group to create
nested object groups. ACL Manager does not allow cyclic nesting.
To create an object group:
Procedure
Step 1
In the ACL Manager Main Window, select the ACL Devices folder.
Note
Step 2
Step 3
Right-click the required object group folder in the Devices folder and
select New Object Group.
For example, to create a new ICMP-type object group, right-click ICMP-Type
Object Groups.
Step 4
Enter a name and a description for the object group you are creating.
Step 5
Specify the other values depending on the type of object group you are creating.
For ICMP-Type object groups, select the ICMP type from the drop-down box.
For Network object groups, enter the network address and mask.
Note
While specifying wildcard masks for PIX, use the IOS inverted mask
notation. ACL Manager automatically converts it into the PIX notation
before download.
For Protocol object groups, select the protocol type from the drop-down box.
For Service object groups, select the protocol type, operator, and the Start
value of the port object.
Step 6
If you have checked in previously created object groups of the same type,
they appear in the Group Objects list. Select a group object if you want to
create a nested object group.
Step 7
Click Add.
Step 8
Click OK.
The new object group appears in the Devices folder.
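The note in the procedure above says that masks are entered in IOS inverted (wildcard) notation and converted to PIX subnet-mask notation at download time. The following is an added example written for this page, not ACL Manager's own converter: it performs that conversion for a network object group, rejects wildcards that have no subnet-mask equivalent (IOS accepts discontiguous wildcards, a subnet mask cannot express them), and clears host bits so the emitted network address is consistent with its mask. The function names and the sample group are chosen here.

```python
"""Added example: converting IOS wildcard masks to PIX subnet masks when a
network object group is rendered for download to a PIX.

Illustrative code written for this page; ACL Manager's converter is not shown
on the page. Function names and the sample entries are chosen here.
"""
from ipaddress import IPv4Address
from typing import List, Sequence, Tuple

_ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(IPv4Address(value & _ALL_ONES))


def is_contiguous_wildcard(wildcard: str) -> bool:
    """IOS accepts any bit pattern as a wildcard; a PIX subnet mask must be
    contiguous ones followed by zeros, so the wildcard must be 2^n - 1."""
    wc = _to_int(wildcard)
    return wc & (wc + 1) == 0


def wildcard_to_netmask(wildcard: str) -> str:
    """0.0.0.255 -> 255.255.255.0 (bitwise complement), or ValueError."""
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"wildcard {wildcard} has no equivalent subnet mask")
    return _to_dotted(~_to_int(wildcard))


def netmask_to_wildcard(netmask: str) -> str:
    """255.255.255.0 -> 0.0.0.255 (the inverse direction)."""
    return _to_dotted(~_to_int(netmask))


def pix_network_object(address: str, wildcard: str) -> str:
    """Render one (address, wildcard) member as a PIX 'network-object' line,
    clearing any host bits that fall under the wildcard."""
    wc = _to_int(wildcard)
    if wc == 0:
        return f"network-object host {address}"
    network = _to_dotted(_to_int(address) & ~wc)
    return f"network-object {network} {wildcard_to_netmask(wildcard)}"


def convert_group(name: str, members: Sequence[Tuple[str, str]]) -> List[str]:
    """Emit the PIX 'object-group network' block for members entered in IOS
    inverted-mask notation."""
    lines = [f"object-group network {name}"]
    lines += [" " + pix_network_object(a, w) for a, w in members]
    return lines


# Constructed sample group, as a user might enter it in the object group editor.
SAMPLE = [("10.1.1.5", "0.0.0.0"),
          ("10.1.2.0", "0.0.0.255"),
          ("172.16.0.7", "0.0.255.255")]

if __name__ == "__main__":
    print("\n".join(convert_group("Engineering", SAMPLE)))
```

The contiguity check is the practitioner's caveat here: a discontiguous wildcard such as 0.0.255.0 is legal in an IOS ACE but has no PIX representation, so it is better to reject it when the group is edited than to discover the problem when the download job fails.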
Chapter 5
In IOS, this single statement translates into the equivalent of the following six
statements:
permit ip from host Eng1 to Mkt1
permit ip from host Eng1 to Mkt2
permit ip from host Eng2 to Mkt1
permit ip from host Eng2 to Mkt2
permit ip from host Eng3 to Mkt1
permit ip from host Eng3 to Mkt2
You can also use Class Manager to create named TCP or UDP ports or port ranges
(service classes) for use in ACEs.
The Class Manager editors allow you to create the appropriate Class Manager
entities. Some services are predefined and cannot be modified. However, you can
create a service class consisting of one or more predefined services or port ranges
(see Creating a Service Class).
Similarly, you can create a network class (see Creating a Network Class) using
a range of IP addresses, DNS host names, networks, and other network classes.
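The expansion shown above (one class-to-class ACE becoming six host-to-host ACEs) and the nesting rule from Chapter 4 (an object group may contain another, but not cyclically) are two halves of the same algorithm. The following is an added example written for this page, not Class Manager's own code: it flattens nested network classes into leaf members, refuses a class that contains itself directly or indirectly, and renders the source-major cross product as IOS extended ACE lines. CLASSES, expand_class() and expand_ace() are names chosen here, and the sample classes are constructed; members are written as 'host NAME', 'A.B.C.D/N' or 'class OTHER'.

```python
"""Added example: expanding nested network classes into the individual ACEs a
single class-based ACE stands for, with a cyclic-nesting check.

Illustrative code written for this page, not Class Manager's expansion. Names
and the sample classes are chosen here. Members are written 'host NAME',
'A.B.C.D/N', or 'class OTHER'.
"""
from ipaddress import IPv4Network
from typing import Dict, List, Tuple


def _member_to_ios(member: str) -> str:
    """Render a leaf member the way an IOS extended ACE expects it."""
    if member.startswith("host "):
        return member                              # host Eng1
    net = IPv4Network(member, strict=True)         # 192.0.2.0/24
    return f"{net.network_address} {net.hostmask}"  # 192.0.2.0 0.0.0.255


def expand_class(name: str, classes: Dict[str, List[str]],
                 _path: Tuple[str, ...] = ()) -> List[str]:
    """Return the leaf members of a class, following 'class X' references.
    A class that directly or indirectly contains itself is rejected."""
    if name in _path:
        cycle = " -> ".join(_path + (name,))
        raise ValueError(f"cyclic nesting: {cycle}")
    leaves: List[str] = []
    for member in classes[name]:
        if member.startswith("class "):
            leaves += expand_class(member[6:], classes, _path + (name,))
        else:
            leaves.append(member)
    return leaves


def expand_ace(action: str, proto: str, src_class: str, dst_class: str,
               classes: Dict[str, List[str]]) -> List[str]:
    """One class-to-class ACE becomes |src| x |dst| device ACEs, source-major,
    which is the order this chapter shows for Eng1..3 to Mkt1..2."""
    return [f"{action} {proto} {_member_to_ios(s)} {_member_to_ios(d)}"
            for s in expand_class(src_class, classes)
            for d in expand_class(dst_class, classes)]


# Constructed sample classes: the chapter's Engineering/Marketing hosts plus
# one nested class and one network.
CLASSES: Dict[str, List[str]] = {
    "Engineering": ["host Eng1", "host Eng2", "host Eng3"],
    "Marketing": ["host Mkt1", "host Mkt2"],
    "Partners": ["class Marketing", "192.0.2.0/24"],
}

if __name__ == "__main__":
    for line in expand_ace("permit", "ip", "Engineering", "Partners", CLASSES):
        print(line)
```

The size of the expansion is the product of the two leaf counts, which is why a class that is edited to include a large nested class can make the downloaded ACL much longer than the version shown in ACL Manager.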
Select ACL Manager > Edit Class Definition from the CiscoWorks desktop.
Or
Select Tools > Class Manager from the ACL Manager Main Window.
Tip
You can open the Class Manager window from the Template Manager Tools
menu.
Figure 5-1
Procedure
Step 1
Select the service class or network class root folders, or any other folder within
these (see Figure 5-1).
Step 2
Step 3
Step 4
Click OK.
The new folder is created.
Procedure
Step 1
Step 2
Step 3
Step 4
Step 5
Download the ACL that contains your class, to a device (see Chapter 15
Scheduling and Downloading).
If the download is successful, a Device Use (DU) is created, and it appears within
your service class. You can monitor a Use, using the Class Manager window (see
Identifying Class Uses).
If the download is not successful, a Use is not created for the class. The Job
Browser displays the status of the download.
Reschedule the download after determining why the download was unsuccessful
(see Chapter 15 What to Do if Your Download Fails).
Procedure
Step 1
Select the Service Classes folder in the left pane, or navigate to a required folder
within it.
Step 2
Figure 5-3
Step 3
Description
Name
Protocol
Port Range
Services
Classes/Services/Ranges
Shows the services and port ranges that have been added to this service
class.
Step 4
Procedure
Step 1
Select the Service Class folder in the left pane (see Figure 5-1).
The service classes appear in the right pane.
Step 2
Step 3
Procedure
Step 1
Step 2
Step 3
Step 4
Step 5
Download the ACL that uses your network class, to a device (see Chapter 15
Scheduling and Downloading).
If the download is successful, a Device Use (DU) is created and appears within
your network class. You can monitor a Use, using the Class Manager window (see
Identifying Class Uses).
If the download is not successful, a Use is not created for the class. The Job
Browser displays the status of the download.
Reschedule the download after determining why the download was unsuccessful
(see Chapter 15 What to Do if Your Download Fails).
Procedure
Step 1
Select the Network Classes folder in the left pane (see Figure 5-1), or navigate to
a required folder within it.
Step 2
Figure 5-4
Step 3
Description
Name
Hosts
Lists all selected network classes that have been added to this
network class.
Hosts/Address Ranges
Shows the hosts and address ranges that have been added so far to this
network class.
When setting the above hosts and address ranges, you can:
If you want to include other network classes to your network class, click Add
Network Class.
The Network Class Selection dialog box opens (see Figure 5-5).
Figure 5-5
For the procedure to use this dialog box, see Chapter 4 Specifying Source and
Destination Addresses.
Step 4
Click OK to apply the changes and close the Network Class Editor.
Procedure
Step 1
Select the Network Class folder in the left pane (see Figure 5-1).
The network classes appear in the right pane.
Step 2
Step 3
Procedure
Step 1
Step 2
Click Get.
The selected version appears in the Class Manager window.
Step 3
Right-click on the required service class or a network class in the Class Manager
window and select Set Master Version from the pop-up menu.
The Master Version is set and is indicated by a red arrow against the class icon.
Use entries for the service class or network class that do not reference the
current Master Version become invalid. To make the class Uses valid again,
see Handling Invalid Class Uses.
Identify device and template uses for service classes (see Identifying Service
Class Uses).
Identify device, template and nested uses for network classes (see
Identifying Network Class Uses).
Procedure
Step 1
From the ACL Manager Main Window, select Tools > Class Manager.
The Class Manager window appears.
Step 2
Step 3
To see the Service Class Device Uses, expand the required service class and select
Service Class Device Uses.
The devices and ACLs using this service class appear in the right pane (see
Figure 5-6). The Service Class Device Uses columns are:
Figure 5-6
Column - Description
Device
ACL Name - Number or name of the ACL using the service class on this device.
ACL Version
Service Class Instance Valid
To see the Service Class Template Uses, expand the required service class, then
select Service Class Template Uses.
The templates using this service class appear in the right pane. The Service
Class Template Uses columns are:
Column - Description
Template Name
Template Version
Service Class Instance Valid
To see the Service Class Policy Uses, expand the required service class, then
select Service Class Policy Uses.
The policies using this service class appear in the right pane.
The Service Class Policy Uses columns are:
Column - Description
Policy Name
Policy Version
Service Class Instance Valid
Procedure
Step 1
From the ACL Manager Main Window, select Tools > Class Manager.
The Class Manager window appears.
Step 2
Step 3
To see the Network Class Device Uses, expand the required network class and
select Network Class Device Uses.
The devices and ACLs using this network class appear in the right pane (see
Figure 5-7). The Network Class Device Uses columns are:
Figure 5-7
Column - Description
Device
ACL Name - Number or name of the ACL using the network class on this device.
ACL Version
Network Class Instance Valid
To see the Network Class Template Uses, expand the required network class, then
select Network Class Template Uses.
The templates using this network class appear in the right pane. The Network
Class Template Uses columns are:
Column - Description
Template Name
Template Version
Network Class Instance Valid
To see the Network Class Nested Uses, expand the required network class, then
select Network Class Nested Uses.
The network classes that include this network class appear in the right pane.
The Network Class Nested Uses columns are:
Column - Description
Network Class Name
Network Class Version - Version of the network class that uses the network class
for which this Use has been created.
Network Class Instance Valid
To see the Network Class Policy Uses, expand the required network class, then
select Network Class Policy Uses.
The policies using this network class appear in the right pane. The Network
Class Policy Uses columns are:
Column - Description
Policy Name
Policy Version
Network Class Instance Valid
Procedure
Step 1
Select the invalid DU or TU for the service class or network class, or the NU for
the network class.
Step 2
Right-click on the invalid Uses that you have selected, and select Bulk Update
from the pop-up menu.
The Bulk Update dialog box appears (see Figure 5-8).
Figure 5-8
Column - Description
Entity
Operation Status
Description
In the case of a Device Use for a service class or a network class, after the bulk
update process completes, the ACL, which is updated and in a checked-in state,
appears in the My Changes folder.
If you want to go to the device context of the ACL:
Open the My Changes folder, select the ACL and select Explore. This takes you
to the device context, and highlights the ACL. You can now download the ACL to
the device. After the download is successful, the Use becomes valid again.
Note
When you select Explore, even if the required device has been deleted
from the Devices folder, ACL Manager adds the device, and displays the
ACL in the context of the device.
If the bulk update occurs on an ACL that is not the latest available version, the
Bulk Update dialog box displays a message that you need to perform a merge. The
ACL appears in a checked-out state in your My Changes folder.
If you want to go to the device context of the ACL, open the My Changes folder,
select the ACL and select Explore. This takes you to the device context, and
highlights the ACL. You can do a merge, check in the ACL, and download it to
the device to make the device Use valid.
If the bulk update happens on an ACL that is exclusively checked out by another
user, the Bulk Update dialog box displays a message that the update has failed.
The ACL appears as a previously saved version in the My Changes folder, and that
version does not include the bulk update changes.
In the case of a Template Use for a service class or a network class or a Network
Class Nested Use, after the bulk update process completes, the operation status is
displayed in the Bulk Update dialog box.
To get the latest version of the entity on to a device in your Devices folder, select
Versioning > Get Latest Version and set the latest version as the master version
(see Marking a Master Version of a Class).
Procedure
Step 1
Step 2
Use the Network Class Editor to create another network class that contains all the
end host addresses of the workstations used in the group called USR-Finance.
Step 3
Create a service class called StandardServices at the root folder that includes
the desired range of services, for example pop2, pop3, Telnet, ftp-data, ftp,
and the port range 1024 to 1034.
Step 4
Use ACL Manager, the ACE Editor, and the Network/Class Selector to create one
logical ACE of the form:
permit tcp @/tcp%standardservice from @/Finance/USR-Finance to
@/Asia-Pac/MainDataCenter
This can be interpreted as permitting TCP traffic from all 11 source addresses
specified in the class USR-Finance to the destination addresses specified by
MainDataCenter, on the ports specified by StandardServices.
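As an added example (not ACL Manager code), the following Python expands a logical ACE of the form above into the concrete IOS extended-ACL lines it stands for, resolving nested network classes and a service class the way the text describes them. The class keys follow the @/folder/name references used in the text; the class contents, the host addresses, the destination range, the ACL number 101 and the name-to-port table are all constructed assumptions for the example.

```python
"""Expand a class-based ("logical") ACE into concrete IOS extended-ACL lines.

Added example, not ACL Manager code. Network classes hold hosts, address
ranges (address plus wildcard mask) and other network classes; service
classes hold port numbers, service names and port ranges. The logical ACE

    permit tcp @/tcp%StandardServices from @/Finance/USR-Finance
           to @/Asia-Pac/MainDataCenter

is expanded to one access-list line per (source, destination, service)
combination. All class contents and addresses below are constructed.
"""
from dataclasses import dataclass, field

# Assumed name-to-port table; the product's own service list is not on the page.
SERVICE_PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "pop2": 109, "pop3": 110}


@dataclass
class NetworkClass:
    hosts: list = field(default_factory=list)    # "10.20.1.1"
    ranges: list = field(default_factory=list)   # ("10.50.0.0", "0.0.255.255")
    nested: list = field(default_factory=list)   # paths of included classes


def resolve_network(path, classes, chain=()):
    """Flatten a network class, following nested classes, into IOS address terms."""
    if path in chain:
        raise ValueError(f"network class cycle: {' > '.join(chain + (path,))}")
    nc = classes[path]
    terms = [f"host {h}" for h in nc.hosts]
    terms += [f"{addr} {mask}" for addr, mask in nc.ranges]
    for child in nc.nested:
        terms += resolve_network(child, classes, chain + (path,))
    return terms


def resolve_service(path, services):
    """Turn a service class into IOS port operators: 'eq 23' or 'range 1024 1034'."""
    terms = []
    for entry in services[path]:
        if isinstance(entry, tuple):
            terms.append(f"range {entry[0]} {entry[1]}")
        else:
            port = entry if isinstance(entry, int) else SERVICE_PORTS[entry]
            terms.append(f"eq {port}")
    return terms


def expand_logical_ace(action, proto, svc_ref, src_ref, dst_ref, acl, classes, services):
    """Expand 'action proto svc from src to dst' into numbered access-list lines.

    The service-class ports are applied as destination ports, which is where
    the port operator sits in an IOS extended ACE.
    """
    lines = []
    for src in resolve_network(src_ref, classes):
        for dst in resolve_network(dst_ref, classes):
            for svc in resolve_service(svc_ref, services):
                lines.append(f"access-list {acl} {action} {proto} {src} {dst} {svc}")
    return lines


# Constructed class definitions, keyed by the @/folder/name references the text uses.
CLASSES = {
    "@/Finance/USR-Finance": NetworkClass(
        hosts=[f"10.20.1.{i}" for i in range(1, 10)],
        nested=["@/Finance/Contractors"]),
    "@/Finance/Contractors": NetworkClass(hosts=["10.20.2.1", "10.20.2.2"]),
    "@/Asia-Pac/MainDataCenter": NetworkClass(ranges=[("10.50.0.0", "0.0.255.255")]),
}
SERVICES = {
    "@/tcp%StandardServices": ["pop2", "pop3", "telnet", "ftp-data", "ftp", (1024, 1034)],
}


def expand_example():
    """The text's logical ACE, expanded against the constructed classes."""
    return expand_logical_ace("permit", "tcp", "@/tcp%StandardServices",
                              "@/Finance/USR-Finance", "@/Asia-Pac/MainDataCenter",
                              101, CLASSES, SERVICES)


if __name__ == "__main__":
    for line in expand_example():
        print(line)
```

With nine direct hosts plus two hosts from the nested Contractors class, the source side resolves to 11 address terms, so the single logical ACE becomes 66 device-side lines (11 sources, 1 destination range, 6 port operators). The cycle check matters because the editor lets classes include classes; a class that reaches itself would otherwise expand forever.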
CHAPTER 6
Creating Templates
Deleting a Template
Procedure
Step 1
Select ACL Manager > Edit ACL Templates from the CiscoWorks desktop.
or
Select Tools > Template Manager from the ACL Manager Main Window.
The Template Manager window appears (see Figure 6-1).
Figure 6-1
The attributes of either a static or a variable template are displayed in the
right pane:
Field
Description
Name
Version
Procedure
Step 1
Create a static template (see Creating a Static Template and Adding ACEs).
Step 2
Add ACEs or copy them from another template (see Creating a Static Template
and Adding ACEs).
Step 3
Step 4
Step 5
Step 6
If the download is not successful, a TDU is not created. The Job Browser
displays the status of the download. Reschedule the download after
determining why the download was unsuccessful (see Chapter 15 What to
Do if Your Download Fails).
Procedure
Step 1
Create a variable template (see Creating a Variable Template and Adding ACEs)
Step 2
Add ACEs and specify variables in the ACEs (see Creating a Variable Template
and Adding ACEs).
Step 3
Step 4
Step 5
Step 6
Step 7
Specify a master version for the instance (see Marking a Master Version of a
Template or an Instance).
Step 8
Step 9
If the download is not successful, a TDU is not created. The Job Browser
displays the status of the download. Reschedule the download after
determining why the download was unsuccessful (see Chapter 15 What to
Do if Your Download Fails).
Creating Templates
You can create these types of templates using Template Manager:
Procedure
Step 1
Select the Template root directory or the folder where you want the new template
to be located (see Figure 6-1). To create a new folder see Creating and Inserting
Template Folders.
Step 2
Figure 6-2
Step 3
Step 4
Step 5
Step 6
Step 7
Click OK.
The static template is created in the folder that you had selected.
Step 8
After the template is created, you can add new ACEs by:
Copying an ACE from another template and pasting it into the current
template. The ACE is copied only if it is of the same ACE type as your
template; otherwise it is not copied and an error message appears.
Adding other templates within your template (see Including Another Template
Within Your Template).
Saving ACLs and ACEs as templates (see Chapter 4, Viewing and Editing
ACLs).
Procedure
Step 1
Select the Template root directory or the folder in which you want the new
template to be located (see Figure 6-1). To create a new folder see Creating and
Inserting Template Folders.
Step 2
Step 4
Step 5
Step 6
Step 7
Click OK.
The variable template is created in the folder that you had selected.
Step 8
Add new ACEs after the template is created. To do this, right-click on the template
and select the New ACEs... option.
The ACE Editor appears for the ACE type you selected in the template.
Step 9
Select the Variable check-box to assign variables for the ACE attributes. At least
one value in one of the ACEs in the template should be a variable.
A variable can be any name of your choice. However, when you assign a value to
a variable, it represents that value in all its occurrences within that template.
After you create a variable, the variable type (Address variable or port variable)
is fixed. For example, if you create a variable in a source address, it can be reused
in any other address field, but not in a port field.
For more details on using the ACE Editor, see Chapter 4, Editing ACEs.
Add other templates within your template (see Including Another Template
Within Your Template).
Procedure
Step 1
Navigate to your template folder and select the Instances folder within it, in the
Template Manager main window.
Step 2
Figure 6-3
Step 3
Step 4
Step 5
Click OK.
The variable template instance appears in the left pane of the Template Manager
main window as a writable entity. The variable and static ACEs from its parent
variable template appear in the right pane of the window.
To see the attributes of a static ACE, double-click it and the ACE Editor
opens. The attributes of the ACE appear, but are grayed out.
To assign values for the variable ACEs in the variable template instance,
double-click on a variable ACE.
The ACE Editor dialog box appears with editable fields for the variables.
Step 6
After you create an instance, you should check it in (see Chapter 10, Versioning
ACL Manager Entities.)
Procedure
Step 1
Step 2
Right-click on the selected template and select Reconcile Instance(s), from the
pop-up menu.
Or
Select Template > Reconcile Instance(s) from the Template Manager main
menu.
The Reconcile Instance(s) dialog box appears.
Step 3
Step 4
Click OK.
The Reconcile Results dialog box appears.
Column - Description
Instance Name
Reconcile Status - Success or Failed
Description - Version number
If the creator of a master version of a template does a reconcile operation, all the
instances of that variable template will be reconciled provided they are:
After a reconcile operation, all the instances will be refreshed with the changes in
the master version of the variable template.
Step 5
Enter values to the new variables, if any (see Creating a Variable Template
Instance and Assigning Values) and check in the instance.
If you had not selected the option Set Master Version in the Reconcile Instance(s)
dialog box, you should also set the master version for the instance (see Marking
a Master Version of a Template or an Instance) after a reconcile operation.
If your static template or your variable template instance has been included in
another template, then a Template Nested Use (TNU) is created (see Identifying
Devices and Templates That Use an ACL Template). A TNU is created
immediately after the master version is set for the template that uses your
template.
Procedure
Step 1
Right-click on the template into which you want to include another template or a
variable template instance.
Step 2
Step 3
Select the template or the variable template instance that you want to include and
click OK.
The inserted template appears in the template as a template-ACE.
You cannot include a variable template within another template. You should create
an instance of the variable template (see Creating a Variable Template Instance
and Assigning Values) and include that within your template.
Procedure
Step 1
Step 2
Step 3
Note
Each time you reset the master version of a variable template, all its instances
become invalid. To make the instances valid again, see Reconciling Instances of
Variable Templates.
The template Use entries that do not reference the current master version of a
static template or a variable template instance become invalid. To make the
Uses valid again, see .
Procedure
Step 1
Step 2
Step 3
Procedure
Step 1
Select the Template root directory or the folder where you want the new folder to
be located (see Figure 6-1).
Step 2
or
Select File > New Folder.
The new folder dialog box appears (see Figure 6-4).
Figure 6-4
Step 3
Step 4
Click OK
The new folder is created.
Procedure
Step 1
From Devices folder in the ACL Manager Main Window, select the required
device.
Step 2
From the ACL Uses folder, select the ACL in which you want to include a static
template or an instance of a variable template.
Step 3
Step 4
Right-click on the checked out ACL and select Include Template... from the
pop-up menu.
The Template Selection dialog box appears.
Step 5
Select the static template or the variable template instance, that you want to
include in the ACL.
You can see or include only those templates where the master version has been set.
If you want to see the contents of the static template or the variable template
instance before including it in the ACL, click Expand... in the Template Selection
dialog box.
Step 6
Click OK after you select the static template or the variable template instance.
Step 7
Step 8
After you include the static template or the variable template instance in the ACL,
download it to the required devices (see Chapter 15 Scheduling Downloads).
If the download is not successful, a TDU is not created. The Job Browser
displays the status of the download. Reschedule the download after
determining why the download was unsuccessful (see Chapter 15 What to
Do if Your Download Fails).
Whenever the master version of the static template or the variable template
instance changes, the TDUs and TNUs become invalid (see ). An e-mail
notification is sent to the creator of the latest version of the template or instance.
Procedure
Step 1
From the ACL Manager Main Window, select Tools > Template Manager.
The Template Manager window appears.
Step 2
Step 3
To see the Template Device Uses, expand the required template, then select
Template Device Uses.
The devices and ACLs using this template appear in the right pane (see
Figure 6-5). This sample dialog box displays the Template Device Uses columns
in the right pane.
Figure 6-5
Column - Description
Device
ACL Name
ACL Version
Template Instance Valid
To see the Template Nested Uses, expand the required template, then select
Template Nested Uses.
The templates using this template appear in the right pane.
The Template Nested Use columns are:
Column - Description
Template Name
Template Version
Template Instance Valid
Procedure
Step 1
Select the invalid TDU or the TNU for the static template or the variable template
instance. You can select multiple TDUs or TNUs at a time.
Step 2
Right-click on the invalid TDUs, and select Bulk Update from the pop-up menu.
The Bulk Update dialog box appears (see Figure 6-6).
Or
Right-click on the invalid TNUs, and select Bulk Update from the pop-up menu.
The following message appears:
Do you want to bulk update nested hierarchy of selected entities and
set their master version?
If you click Yes in the message dialog box, all the nested TDUs and TNUs for
the selected TNU, will be updated and their master version will be set.
If you click No in the message dialog box, then only the selected TNU will
be updated. The master version will not be set after the update.
Figure 6-6
Column - Description
Entity
Operation Status
Description
In the case of a Template Device Use, after the bulk update process completes,
the ACL, which is updated and in a checked-in state, appears in the My Changes
folder.
You can open the My Changes folder, select the ACL and select Explore. This
takes you to the device context, and highlights the ACL. You can now download
the ACL to the device. After the download is successful, the use becomes valid
again.
Note
When you select Explore, even if the required device has been deleted
from the Devices folder, ACL Manager adds the device, and displays the
ACL in the context of the device.
If the bulk update happens on an ACL that is not the latest available version,
the Bulk Update dialog box displays a message that a merge is required.
The ACL appears in a checked-out state in your My Changes folder. You can
open the My Changes folder, select the ACL and select Explore. This takes
you to the device context, and highlights the ACL. You can do a merge, check
in the ACL, and download it to the device to make the device use valid.
In the case of a Template Nested Use, after the bulk update process completes, the
operation status is displayed in the Bulk Update dialog box.
To get the latest version of the template on to a device in your Devices folder,
select Versioning > Get Latest Version and set the latest version as the master
version (see Marking a Master Version of a Template or an Instance).
If you want to download selected ACLs from the Bulk Update dialog box, click
Initiate Download.
The Job Download Wizard appears. To create a job definition and schedule a
download, or to immediately download the selected entities using the Job
Download Wizard, see Chapter 15, Scheduling and Downloading.
You can download only those ACLs that are in the checked-in state using the
Initiate Download button.
If the ACL version on the device is changed, but still contains the master version
of the template that it did in its earlier version, then the TDU gets updated to
display the higher version of the ACL on the device.
If the master version is changed for the template, but still contains your template,
then the TNU gets updated to display the higher version of the template.
You can update only those logical entities that are in the checked out state. Logical
entities must have a master version before they can be used or updated in an ACL
or a template.
Procedure
Step 1
From the ACL Manager Main Window select the ACL for which the logical
entities need to be updated.
or
From the Template Manager window, select the template for which the logical
entities need to be updated.
Step 2
Right-click on the selected ACL or template, and select Update Logical Entities
from the pop-up menu.
or
Select Tools > Update Logical Entities.
The logical entities are updated.
If you select variable template instances, only those logical entities which
correspond to variables will be updated.
Step 3
Procedure
Step 1
From the Template Manager main window, select the static template or variable
template instance that contains the required ACEs.
The ACEs for your selection, appear in the right pane.
Step 2
Step 3
From the right pane select the required ACEs (contiguous or non-contiguous).
If you select even one ACE that has a variable in it, you must save the
template as a variable template.
ACE types that are not supported by variable templates can be saved only as
static templates. Variable templates are supported for the IP, IP Extended,
VACL IP, and PIX ACL types. If you try to save unsupported ACE types (such as
Rate Limit) as a variable template, that option is disabled.
Step 4
Enter the name of the template and select an existing template folder to save the
new template.
Step 5
Click OK.
Step 6
Procedure
Step 1
Step 2
Column - Description
Template/Instance
Master Version
Device Name
ACL Name
ACL Version
Instance Valid
Deleting a Template
You can delete a static template, a variable template or instances of variable
templates.
Procedure
Step 1
From the Template Manager window, select the template that you want to delete.
Step 2
You are not a user with a CiscoWorks role of System Administrator. Only a
system administrator can delete templates.
or
Template Nested Uses (TNUs).
CHAPTER 7
Creating a Policy
Procedure
Step 1
Create a user group for policies (see Chapter 9, Creating a User Group).
Step 2
Step 3
Step 4
group
where user group is the name of the user group that should have access to policies.
Step 5
Step 6
Creating a Policy
You can use the Template Manager to create policies. After you create a policy, it
is saved in a directory hierarchy. You can save your policies directly under the
Policy Root Directory or you can organize them by creating folders within the root
directory.
You can create policies only for three types of ACLs/templates: PIX, IP, and IP
Extended.
To create a policy:
Procedure
Step 1
Step 2
Right-click on Policy Root Directory and select New Folder if you want to
create a folder under the Policy Root Directory to store your policies.
Otherwise, go to Step 5.
The New Folder dialog box appears.
Step 3
Step 4
Step 5
Right-click on the folder or on the Policy Root Directory and select New Policy.
The Policy Editor dialog box appears (see Figure 7-1, Policy Editor Dialog Box).
Figure 7-1
Step 6
Step 7
Step 8
Step 9
Step 10
Step 11
Right-click on the policy and select Check In to check the policy in.
Step 12
Procedure
Step 1
Step 2
To verify:
Figure 7-2
Step 3
Policy Browser
Select the policy against which you want to verify the ACL/template and click
OK.
The Policy Verification Summary appears (see Figure 7-3).
Figure 7-3
This summary displays the policy name and the verification status. The status can
be either Compliant, Noncompliant, or Error.
If the status is Error, the Description field displays the description of the error.
Step 4
This shows the Logical view of the policy and the ACEs.
The Policy ACEs column lists the rules within the policy. Compliant policy rules
are in green and noncompliant ones are in red.
The ACL/Template ACEs column lists the ACEs within the ACL/template that
was verified.
To navigate among the colored rows listed in the left and right panes, use the
arrow icons.
Step 5
Step 6
Select a policy rule in the left pane and a complying or noncomplying ACE on the
right pane and click Details to see further details.
The Policy Verification Details dialog box appears (see Figure 7-5).
Figure 7-5
This shows the relationship between the policy rule and the selected ACE in the
physical view.
See Viewing Policy Verification Details for more details.
Procedure
Step 1
Select an invalid ACE in the right pane of the Policy Verification Results dialog
box (see Verifying an ACL/Template Against a Policy for the procedure to
invoke this dialog box)
Step 2
Click Details.
The Policy Verification Details dialog box appears (see Figure 7-6).
Figure 7-6
The following details are displayed in the Policy Verification Details dialog box:
The selected logical entity (ACEs, ACL, or template) from the right pane of the
Policy Verification Details dialog box.
The relationship between the first group of ACEs and the second group of ACEs,
displayed in between the two groups. For example, the relationship between the
groups is displayed as:
Has a Non-Compliant Relationship with the policy
or
Has a Compliant Relationship with the policy
The ACEs that are displayed in the Policy Verification Details dialog box are
indexed:
Index - Example - Meaning
[1]
Sub-index Number - --> [1]
Step 3
Note
Make sure that approvers are specified for ACLs and Templates to enable the
successful completion of mandatory policy verification.
The approvers for Template modification are specified only for the Mandatory
Policy Verification workflow.
To specify approvers for ACLs, use the Change Approval > Configure Change
Approval option.
Procedure
Step 1
Step 2
Step 3
Step 4
Step 5
Procedure
Step 1
Step 2
Step 3
Step 4
Step 5
CHAPTER 8
Replacing Entities
You can search the data that you can see in the logical view or physical view of
the ACL Manager Main Window, but you can replace only the data seen in the
logical view.
The ACLM versioned entities that can be searched includes:
ACLs
Global Uses
Interface Uses
Time Ranges
Templates
When you search for an ACE, the system also searches the logical entities
included in it, such as network classes, service classes, and templates.
For example, suppose host 1.1.1.1 is contained in a network class that is used
as the source network class of an ACE in a template, and the template in turn
is included in an ACL. The search filter (SRC_HOST = 1.1.1.1) also lists the
included template in the results, because the ACE in the template indirectly
contains the host.
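As an added example, not ACL Manager code, the following Python models that indirect containment: a host belongs to a network class (directly, through a nested class, or through a wildcard-masked address range), the class is the source of an ACE in a template, a template may be included in another template, and a template is included in an ACL as a template-ACE. Searching for a concrete source host then reports the ACE in every template and ACL that reaches it. The class, template and ACL contents are constructed, and the record field names (src_host, src_nw, src_nw_class, template) are assumptions of the example.

```python
"""Indirect search for a source host through nested logical entities.

Added example, not ACL Manager code. A host sits in a network class, the
class is the source of an ACE in a template, the template is included in an
ACL, and the search must report every ACE, template and ACL that reaches the
host through that chain. Field names and all sample data are assumptions.
"""
import ipaddress


def ip_in_wildcard(host, network, wildcard):
    """Cisco wildcard-mask test: bits that are 0 in the mask must match."""
    h, n, w = (int(ipaddress.IPv4Address(x)) for x in (host, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (h & care) == (n & care)


def class_contains(name, host, classes, chain=()):
    """True if the network class, or any class nested in it, covers the host."""
    if name in chain:
        raise ValueError(f"network class cycle: {' > '.join(chain + (name,))}")
    nc = classes[name]
    if host in nc.get("hosts", ()):
        return True
    if any(ip_in_wildcard(host, net, mask) for net, mask in nc.get("ranges", ())):
        return True
    return any(class_contains(child, host, classes, chain + (name,))
               for child in nc.get("nested", ()))


def ace_matches(ace, host, classes):
    """True if the ACE's source covers the host directly or via a class."""
    if ace.get("src_host") == host:
        return True
    if "src_nw" in ace and ip_in_wildcard(host, *ace["src_nw"]):
        return True
    cls = ace.get("src_nw_class")
    return cls is not None and class_contains(cls, host, classes)


def expand_template(name, templates, chain=()):
    """Yield (path, ace) for every ACE reachable from a template via template-ACEs."""
    if name in chain:
        raise ValueError(f"template inclusion cycle: {' > '.join(chain + (name,))}")
    for entry in templates[name]:
        if "template" in entry:
            yield from expand_template(entry["template"], templates, chain + (name,))
        else:
            yield "/".join(chain + (name, entry["id"])), entry


def search_src_host(host, acls, templates, classes):
    """Return (kind, container, ace_path) for every ACE whose source reaches host."""
    hits = []
    for tname in templates:
        for path, ace in expand_template(tname, templates):
            if ace_matches(ace, host, classes):
                hits.append(("template", tname, path))
    for aname, entries in acls.items():
        for entry in entries:
            if "template" in entry:  # template-ACE: the included template's ACEs count
                for path, ace in expand_template(entry["template"], templates):
                    if ace_matches(ace, host, classes):
                        hits.append(("acl", aname, path))
            elif ace_matches(entry, host, classes):
                hits.append(("acl", aname, entry["id"]))
    return hits


# Constructed sample data (no real devices or classes).
CLASSES = {
    "BLR-Hosts": {"hosts": ["1.1.1.1", "1.1.1.2"]},
    "Asia": {"nested": ["BLR-Hosts"], "ranges": [("10.0.0.0", "0.255.255.255")]},
}
TEMPLATES = {
    "Web-Inner": [{"id": "w1", "src_nw_class": "Asia", "dst_port": 80}],
    "Web-Outer": [{"template": "Web-Inner"}, {"id": "o1", "src_host": "2.2.2.2"}],
}
ACLS = {
    "Edge-ACL": [{"template": "Web-Outer"}, {"id": "e1", "src_host": "3.3.3.3"}],
    "Core-ACL": [{"id": "c1", "src_nw": ("1.1.0.0", "0.0.255.255")}],
}

if __name__ == "__main__":
    for hit in search_src_host("1.1.1.1", ACLS, TEMPLATES, CLASSES):
        print(hit)
```

For host 1.1.1.1 the search returns the ACE in Web-Inner, the same ACE as reached through Web-Outer, the Edge-ACL entry that includes Web-Outer, and the Core-ACL entry whose wildcard range covers the host; nothing in the result set names 1.1.1.1 directly, which is exactly why a flat text search over ACL contents would miss all four.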
After searching for entities you can replace them. However, you can replace only
the ACEs within an ACL or template.
Advanced Search
The default values in the Search Base panel depend on the entity screen from
which you launched the Search window. You can change the default values by
clicking Clear Search.
For example, if you launch the Search window from an ACL, you can search only
on that ACL. If you click Clear Search and then perform a Search, you will be
able to search on all the specified devices or all the template folders.
Procedure
Step 1
Step 2
Step 3
Step 4
Select the Version to which you want to restrict the Search. You can select:
Latest To search for the version which is the latest when Search begins.
All Versions To search for all versions that exist when Search begins.
Advanced Selected by default. In this context, you can use all the Search
attributes.
Standard Allows you to use a limited set of Search attributes for IP/IP
Extended ACL definitions or templates.
b. Click Search.
Note
Click Clear Search to clear the results and the search filter.
Step 6
Description
Device
Context
Index
Version
You can right-click on the rows of results and select one of these options:
Go to Context
Invokes the appropriate context for the entity.
For ACEs, ACLs, time ranges, Global Uses, and Interface Uses, this option
takes you to the appropriate version of the entity on the device and
highlights the result.
For Templates, and Template ACEs, this option will take you to the Template
Manager and then to the appropriate version of the entity.
View
Opens the appropriate editor for the result. This option is not available for
Global Uses and Interface Uses.
Replace
Select this option to invoke the Replace tab of the Search window.
Procedure
Step 1
Step 2
Procedure
Step 1
Step 2
Regular Expressions
You can use regular expressions such as * and ['' ''] in the Search Filter.
Operators
A simple search expression specifies the search attribute and value(s) and contains
a single relational operator.
The valid relational operators are: = (for all attributes) and EQ, NEQ, GT, LT, and
Range for ports only. Make sure that you have at least a single space on either side
of the relational operator.
You can combine multiple simple search expressions by using the three logical
operators &, |, and ! together with parentheses. The three logical operators
have the same precedence, so use parentheses to make the intended grouping
explicit.
See List of Search Attributes for a list of all the supported Search attributes.
Search for ACEs with Source Host ending with 123.25 and Source Port equal
to 80:
(SRC_HOST = *123.25)&(SRC_PORT EQ 80)
or
(SRC_HOST = *123.25)&(SRC_PORT EQ http)
Search for ACEs with Source Network containing 123.25. and the mask
starting with 0.0. and Source Port not equal to 80:
(SRC_NW = *123.25.*/0.0.*)&(!(SRC_PORT EQ 80))
Search for ACEs with Source Network containing 123.25. and Source Port or
Destination Port equal to 80:
(SRC_HOST = *123.25.*)&((SRC_PORT EQ 80)|(DST_PORT EQ 80))
Search for ACEs using (Destination) Network Class and Service Class:
(DST_NW_CLASS = blrnw)&(DST_SV_CLASS = tcponlyports)
Search for ACEs using (Destination) Network Class and Destination port
range:
(DST_NW_CLASS = blrnw)&(DST_PORT RANGE 10 20)
where comment is present in the actual text you want to search for.
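As an added example, not part of ACL Manager, the following Python implements a small parser and evaluator for the search-filter grammar described under Operators above: parenthesised simple expressions joined by &, | and ! at equal precedence, = as a wildcard match, and EQ, NEQ, GT, LT and RANGE for port attributes, with service names such as http resolved to port numbers. It runs the six example filters above against a constructed set of ACE records. The ACE records, the service-name table, and the treatment of an attribute that is absent from an ACE (no match) are assumptions of the example.

```python
"""Parser and evaluator for ACL Manager-style search filters (added example,
not product code): parenthesised simple expressions joined by &, | and ! at
equal precedence; = is a wildcard match, EQ/NEQ/GT/LT/RANGE apply to ports."""
import re
from fnmatch import fnmatchcase

# Assumed service-name table; the product's own list is not on the page.
SERVICE_PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
                 "http": 80, "www": 80, "pop2": 109, "pop3": 110, "https": 443}
PORT_ATTRS = {"SRC_PORT", "DST_PORT"}


def tokenize(text):
    """Split a filter into '(', ')', '&', '|', '!' and whitespace-delimited words."""
    return re.findall(r"[()&|!]|[^\s()&|!]+", text)


class Parser:
    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def expr(self):
        # & and | share one precedence level, left to right; bracket to override.
        node = self.unary()
        while self.peek() in ("&", "|"):
            node = ("and" if self.take() == "&" else "or", node, self.unary())
        return node

    def unary(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.unary())
        if self.peek() != "(":
            return self.simple()            # bare expression without brackets
        self.take("(")
        node = self.expr() if self.peek() in ("(", "!") else self.simple()
        self.take(")")
        return node

    def simple(self):
        attr, op, values = self.take(), self.take(), []
        while self.peek() not in (")", "&", "|", None):
            values.append(self.take())
        if not values:
            raise ValueError(f"missing value after {attr} {op}")
        return ("simple", attr, op, values)


def to_port(value):
    """Accept a port number or a well-known service name."""
    if value.isdigit():
        return int(value)
    return SERVICE_PORTS[value.lower()]     # KeyError for an unknown name


def eval_simple(attr, op, values, ace):
    actual = ace.get(attr)
    if actual is None:                      # attribute absent from this ACE: no match
        return False
    if op == "=":
        return fnmatchcase(str(actual), " ".join(values))
    if attr not in PORT_ATTRS:
        raise ValueError(f"{op} is valid only for port attributes")
    port = int(actual)
    if op == "RANGE":
        lo, hi = (to_port(v) for v in values)
        return lo <= port <= hi
    want = to_port(values[0])
    ops = {"EQ": port == want, "NEQ": port != want, "GT": port > want, "LT": port < want}
    return ops[op]                          # KeyError for an unsupported operator


def evaluate(node, ace):
    if node[0] == "simple":
        return eval_simple(*node[1:], ace)
    if node[0] == "not":
        return not evaluate(node[1], ace)
    left, right = evaluate(node[1], ace), evaluate(node[2], ace)
    return (left and right) if node[0] == "and" else (left or right)


def search(filter_text, aces):
    """Return the ids of the ACEs that satisfy the filter."""
    parser = Parser(tokenize(filter_text))
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [ace["id"] for ace in aces if evaluate(tree, ace)]


# Constructed sample ACE records (not taken from any real device).
SAMPLE_ACES = [
    {"id": "a1", "SRC_HOST": "10.1.123.25", "SRC_PORT": 80},
    {"id": "a2", "SRC_NW": "192.123.25.0/0.0.0.255", "SRC_PORT": 8080},
    {"id": "a3", "SRC_HOST": "123.25.0.9", "DST_PORT": 80},
    {"id": "a4", "DST_NW_CLASS": "blrnw", "DST_SV_CLASS": "tcponlyports"},
    {"id": "a5", "DST_NW_CLASS": "blrnw", "DST_PORT": 15},
]
```

Because & and | are parsed at one level, (a)&(b)|(c) is read as ((a)&(b))|(c); the bracketed form used in the page's fourth example is the only way to get the or-group evaluated first. An unbalanced filter such as "(SRC_PORT EQ 80" is rejected rather than silently matching nothing.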
Attribute - Description - Possible values
ACL_NAME
Only IP is supported.
SRC_NW - Source network address
SRC_HOST - Source host
ANY_SRC_IP - One of these:
SRC_NW_CLASS - Source network class name
DST_NW - Destination network address with mask, for example 1.1.1.0/0.0.0.128
DST_HOST - Destination host name
ANY_DST_IP - One of these:
DST_NW_CLASS - Destination network class name
ACTION - One of these: Permit, Deny, Redirect
PRECEDENCE - Precedence level - 0-7
TOS - Service level - 0-15
LOG - Either of these: True, False
LOG_INPUT - Either of these: True, False
FRAGMENTS - Either of these: True, False
DSCP - 0-63
SRC_PORT - Source port
SRC_SV_CLASS - Source service class name
DST_PORT - Destination port
DST_SV_CLASS - Destination service class name
TCP_FLAG
ICMP_TYPE_CODE
ICMP_MSG - ICMP message
IGMP_TYPE - IGMP type
INLN_COMM - Inline comment in an ACE - *comment*, where comment is present in the actual text you want to search for.
COMM_ACE - *comment*, where comment is present in the actual text you want to search for.
REMK_ACE - *comment*, where comment is present in the actual text you want to search for.
VERS_COMM - *comment*, where comment is present in the actual text you want to search for.
TR_NAME
TR_TYPE - Either of these: Absolute, Periodic
TR_EXP_TYPE - manual or automatic
INTERFACE - Interface name
ACL_USE_DESCR
DIRECTION - Either of these: In, Out
TMPL_NAME
TMPL_PROTOCOL - Only IP is supported.
Standard Search
If you select Standard Search as the context type, you have to specify the
following attributes:
Field - Description
Name
Protocol
ACE Protocol
Source/Destination Address
  Any - Maps to ANY_SRC_IP_OPERAND or ANY_DST_IP_OPERAND
  Network - Maps to SRC_NW_OPERAND or DST_NW_OPERAND (searches only for networks)
  Host - Maps to SRC_HOST_OPERAND or DST_HOST_OPERAND (searches only for hosts or DNS names)
  Network Class - Maps to SRC_NW_CLASS_OPERAND or DST_NW_CLASS_OPERAND (searches only for network classes)
Source/Destination Ports
  Service Class - Maps to SRC_SV_CLASS_OPERAND or DST_SV_CLASS_OPERAND (searches for service classes)
Comments
Match all of the above - Select this if you want the results that match all the above attributes.
Match any of the above - Select this if you want the results that match any of the above attributes.
Replacing Entities
You can replace ACLM entities only after searching for them. However, you can
replace only ACEs within an ACL or template.
All the attributes that are applicable to Search are applicable to Replace also with
the following exceptions:
SRC_HOST/SRC_NW_CLASS
Replaces the source address in an ACE with a host, host IP address, DNS
name, or a network class.
SRC_NW
Replaces the source address in an ACE only with a valid network.
DST_HOST/DST_NW_CLASS
Replaces the destination address in an ACE with a host, host IP address, DNS
name, or a network class.
DST_NW
Replaces the destination address in an ACE only with a valid network.
The attributes you specify in the Replace tab are independent of the Search
attributes. This means, you can search for a certain attribute and then replace the
results with a different attribute.
Note
The system performs only minimal validation during Replace. Make sure you enter
appropriate values for the Replace attributes.
To use the Advanced replace option:
Procedure
Step 1
Step 2
Step 3
Advanced Replace
SRC_PORT EQ @/SJ/tcp%cisco_service
Replaces the source port with the service class cisco_service from the folder
SJ.
If you have selected Standard as the context type, specify the various Replace
with parameters in the GUI.
See Using the Standard Replace Context GUI for details.
Step 4
Step 5
Skip Next to select the next row in the Search Results pane.
Replace All to replace all the ACEs listed in the Search Results pane.
When you click Replace or Replace All, ACL Manager does the following:
1.
Checks out the selected entity with Check Out comments, if any.
The Version column in the Search Results pane displays an asterisk (*) to
indicate that the entity is in the checked out state.
2.
3.
4.
This task is done only if you have selected Check In after Replace.
Note
If Check In after Replace is not selected, the entity will remain in the
checked out state after the data is replaced.
To check in the entity later, repeat the Replace procedure after selecting
Check In after Replace.
When you have multiple ACEs of the same version of an ACL, replacing one of
the ACEs will result in the checking out of only one version of the ACL.
However, the status is updated for all the ACEs that belong to the same ACL
version, and this is reflected in the Version column. This allows you to replace
data selectively in different ACEs and when you check in, you will have only one
new version of the ACL.
Procedure
Step 1
Step 2
Standard Replace
If you choose Standard Replace as the context type, you have to specify the
parameters in the Replace with fields.
The parameters you can specify for Replace are described below:
Field
Description
Name
Protocol
ACE
Protocol
Source/
Destination
Address
Source/
Destination
Ports
Chapter 9
Note
This feature is available to you only if you have enabled Role-based Access
Control at the time of installing ACL Manager.
To enable Role-based Access Control, see the Installation Guide for
ACL Manager.
A Role in ACL Manager is a relationship among user groups, device groups and
tasks.
The key features of Role-based Access Control in ACL Manager are:
part of more than one user group. The privileges they enjoy are the
collective privileges of all the groups they belong to.
The Role-based system in ACL Manager uses only the System Administrator
and Network Administrator roles of CiscoWorks.
The other Roles of CiscoWorks, such as Network Operator, Approver, and
Guest, are not used.
The user admin is the super user for CiscoWorks. admin has the privilege
of performing all tasks on all devices. admin also creates users and associates
them with user groups, device groups, and tasks.
All ACL Manager users, other than admin, are CiscoWorks Network
Administrators.
Adding Users
Adding Devices
Managing Tasks
Procedure
Step 1
Step 2
Step 3
Step 4
Step 5
Note
Your login determines whether you can do these tasks. That is, if you are a user
with the CiscoWorks Role of System Administrator, then you can add users and
devices to CiscoWorks. You can also manage user groups, device groups, and
tasks.
Adding Users
Before creating user groups in ACL Manager, you should add users with
CiscoWorks Network Administrator privileges.
You can add users if you are a user with the CiscoWorks Role of System
Administrator.
To add users, select Server Configuration > Setup > Security on your
CiscoWorks desktop.
See Setting Up the CiscoWorks Server on Cisco.com, for the procedure.
Adding Devices
Before creating device groups in ACL Manager, you should add devices to
CiscoWorks.
You can add devices if you are a user with the CiscoWorks Role of System
Administrator.
To add devices, select Administration > Inventory > Add Devices from
Resource Manager Essentials, on your CiscoWorks desktop.
See the User Guide for Resource Manager Essentials 3.5, on Cisco.com, for the
procedure.
Note
You can manage user groups if you are a user with the CiscoWorks Role of System
Administrator.
Procedure
Step 1
The first Create User Group dialog box opens (see Figure 9-1).
Figure 9-1
Step 2
Step 3
Click Next.
The second Create User Group dialog box opens (see Figure 9-2).
Figure 9-2
Step 4
Select users from the All Users box and click Add.
The users move to the Selected Users box.
Step 5
To remove a user from the Selected Users box, select a user and click Delete.
To remove all users from the Selected Users box, click Delete All.
Select user groups from the All User Groups box and click Add.
The user groups move to the Selected User Groups box.
To remove a user group from the Selected User Groups box, select a user
group and click Delete.
Step 6
To remove all user groups from the Selected User Groups box, click Delete
All.
Click Finish.
The third Create User Group window opens (see Figure 9-3).
Figure 9-3
Procedure
Step 1
Figure 9-4
Step 2
Step 3
Click Next.
The second Modify User Group dialog box opens (see Figure 9-5).
Figure 9-5
Step 4
To add users, select the users from the All Users box and click Add.
The users move to the Selected Users box.
To remove existing users, select the users from the Selected Users box and
click Delete.
To remove all users from the Selected Users box, click Delete All.
To add user groups, select the user groups from the All User Groups box and
click Add.
The user groups move to the Selected User Groups box.
Step 5
To remove existing user groups, select the user groups from the Selected User
Groups box and click Delete.
To remove all user groups from the Selected User Groups box, click Delete
All.
Click Finish.
The third Modify User Group window opens (see Figure 9-6).
Figure 9-6
Procedure
Step 1
Figure 9-7
Step 2
Step 3
Click Finish.
The second Delete User Group window opens to indicate that the user group is
deleted (see Figure 9-8).
Figure 9-8
Procedure
Step 1
Figure 9-9
Step 2
Click on the groups to view the users and the user groups within them.
Note
You can manage device groups if you are a user with the CiscoWorks Role of
System Administrator.
Procedure
Step 1
Step 2
Step 3
Click Next.
The second Create Device Group dialog box opens (see Figure 9-11).
Step 4
Select devices from the All Devices box and click Add.
The devices move to the Selected Devices box.
To remove a device from the Selected Devices box, select a device, and click
Delete.
To remove all devices from the Selected Devices box, click Delete All.
Step 5
Select device groups from the All Device Groups box, and click Add.
The device groups move to the Selected Device Groups box.
Step 6
To remove a device group from the Selected Device Groups box, select a
device group, and click Delete.
To remove all device groups from the Selected Device Groups box, click
Delete All.
Click Finish.
The third Create Device Group window opens (see Figure 9-12).
Figure 9-12 Create Device Group Window-3
Procedure
Step 1
Step 2
Step 3
Click Next.
The second Modify Device Group dialog box opens (see Figure 9-14).
Step 4
To add devices, select the devices from the All Devices box, and click Add.
The devices move to the Selected Devices box.
To remove existing devices, select devices from the Selected Devices box and
click Delete.
To remove all devices from the Selected Devices box, click Delete All.
To add device groups, select the device groups from the All Device Groups
box and click Add.
The device groups move to the Selected Device Groups box.
Step 5
To remove existing device groups, select the device groups from the Selected
Device Groups box, and click Delete.
To remove all device groups from the Selected Device Groups box, click
Delete All.
Click Finish.
The third Modify Device Group window opens (see Figure 9-15).
Figure 9-15 Modify Device Group Window-3
Procedure
Step 1
Step 2
Step 3
Click Finish.
The second Delete Device Group window opens to indicate that the device group
is deleted (see Figure 9-17).
Procedure
Step 1
Step 2
Click on the device groups to view the devices and the device groups within them.
Managing Tasks
A standard set of tasks is available to all user groups in ACL Manager. The tasks
are:
Approve Changes
Download ACLs
Immediate Download
User Guide for ACL Manager
Modify ACLs
View ACLs
Modifying a task-device group association (you can assign more than one
device group to a task).
Note
You can manage tasks if you are a user with the CiscoWorks Role of System
Administrator.
Task Relationships
A user group can do certain tasks when you assign device groups to tasks (see
Assigning Device Groups to Tasks or Modifying Assignments). However, these
tasks are inter-related, and because of this inter-relationship, a user group can do
certain tasks even if you have not specifically assigned a device group to a task
within it.
For example, for a user group, if you have assigned device groups to the Modify
ACLs task, then that user group can also view ACLs, even if you have not
explicitly assigned device groups to the View ACLs task.
This table explains what tasks the user groups can perform if you assign device
groups to these tasks:
Task
Relationship
Approve Changes
Download ACLs
Immediate
Download
Modify ACLs
For a user group, if you assign device groups to the View ACLs task alone, then
the user group can only view ACLs.
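As an added illustration (not ACL Manager code), the following Python models the rules this chapter states: a user's privileges are the collective privileges of every group they belong to, including groups that contain their group as a nested group; a user group may perform a task only on devices in the device groups assigned to that task; and Modify ACLs implies View ACLs, while View ACLs alone allows only viewing. The group, user and device names are constructed, and the assumption that an implied task covers the same devices as the task it is implied by is the author's, not the guide's.

```python
from collections import defaultdict

# The standard set of tasks the guide lists as available to every user group.
TASKS = frozenset({"Approve Changes", "Download ACLs", "Immediate Download",
                   "Modify ACLs", "View ACLs"})

# The one inter-task relationship the guide spells out: device groups assigned
# to Modify ACLs also let the user group view those ACLs. Assumption: the
# implied task covers the same devices as the task it is implied by.
IMPLIES = {"Modify ACLs": frozenset({"View ACLs"})}

SUPER_USER = "admin"   # CiscoWorks super user: every task on every device


class Group:
    """A user group or device group: direct members plus nested groups."""

    def __init__(self, name, members=(), subgroups=()):
        self.name = name
        self.members = set(members)
        self.subgroups = set(subgroups)


def flatten(name, groups):
    """All direct or nested members of group `name` (cycle-safe walk)."""
    seen, members, stack = set(), set(), [name]
    while stack:
        gname = stack.pop()
        if gname in seen:
            continue
        seen.add(gname)
        members |= groups[gname].members
        stack.extend(groups[gname].subgroups)
    return members


class RoleModel:
    """Roles as relationships among user groups, device groups and tasks."""

    def __init__(self):
        self.user_groups = {}
        self.device_groups = {}
        # user group -> task -> device groups assigned to that task
        self.assignments = defaultdict(lambda: defaultdict(set))

    def add_user_group(self, group):
        self.user_groups[group.name] = group

    def add_device_group(self, group):
        self.device_groups[group.name] = group

    def assign(self, user_group, task, device_group):
        """Assign a device group to a task for a user group (Task Assignment)."""
        if task not in TASKS:
            raise ValueError(f"unknown task {task!r}")
        if user_group not in self.user_groups or device_group not in self.device_groups:
            raise KeyError("assign only between groups that already exist")
        self.assignments[user_group][task].add(device_group)

    def devices_for(self, user_group, task):
        """Devices on which `user_group` may perform `task`, implied tasks included."""
        devices = set()
        for assigned, dgroups in self.assignments[user_group].items():
            if assigned == task or task in IMPLIES.get(assigned, ()):
                for dg in dgroups:
                    devices |= flatten(dg, self.device_groups)
        return devices

    def can(self, user, task, device):
        """True if `user` may perform `task` on `device`."""
        if user == SUPER_USER:
            return task in TASKS
        # A user in several groups enjoys the collective privileges of all of
        # them, including groups that contain one of their groups as a subgroup.
        return any(device in self.devices_for(gname, task)
                   for gname in self.user_groups
                   if user in flatten(gname, self.user_groups))


def build_sample_model():
    """Constructed sample data; names are illustrative, not from the guide."""
    m = RoleModel()
    m.add_user_group(Group("noc-east", members={"sam"}))
    m.add_user_group(Group("noc", members={"pat"}, subgroups={"noc-east"}))
    m.add_user_group(Group("ops", members={"pat"}))
    m.add_device_group(Group("core-routers", members={"router1"}))
    m.add_device_group(Group("core", subgroups={"core-routers"}))
    m.add_device_group(Group("edge", members={"router2"}))
    m.assign("noc", "Modify ACLs", "core")   # implies View ACLs on core devices
    m.assign("ops", "View ACLs", "edge")     # View ACLs alone: view only
    return m
```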
Procedure
Step 1
Step 2
Select the User Group that you want to assign tasks to, or whose task assignment you want to modify.
Step 3
Click Next.
The Task Assignment for User Group window opens (see Figure 9-20) with the
name of the selected user group in the title bar.
Step 4
Double-click the All Tasks folder to see the tasks available for the selected User
Group.
Step 5
Select a task, right-click on it, and then select Add/Remove Device Group....
The Device Group Assignment dialog box opens (see Figure 9-21).
Step 6
To add a device group, select the device group from the Device Groups box,
and click Add.
The device group moves to the Assigned Device Groups box.
To remove an assigned device group, select the device group from the
Assigned Device Groups box and click Remove.
The device group moves to the Device Groups box.
To see the details of the devices within a device group, select a device group,
and click Details.
A dialog box displays the devices within the selected device group.
Step 7
Click OK.
The Task Assignment for User Group window shows the updated assignment of
device groups, for the tasks.
Step 8
Procedure
Step 1
In the Task Assignment for User Group dialog box, select File > Open
Usergroup....
The Open Usergroup dialog box opens.
Step 2
Step 3
Chapter 10
ACLs
Time Ranges
Templates
Network Classes
Service Classes
You can perform all your activities from the ACL Manager Main Window for
these entities:
ACLs
Time Ranges
If you have not yet started ACL Manager, open the ACL Manager Main Window
using the procedure in Chapter 3, Starting ACL Manager.
You can perform all your activities from the Template Manager window for these
entities:
Static Templates
Variable Templates
Policies
If you have not yet started Template Manager, open the Template Manager
window using the procedure in Chapter 6, Using the Template Manager.
Select the templates or the variable template instances from the required template
folder in the Template Manager window. You can use the Versioning Menu of the
Template Manager for versioning the templates or instances.
You can perform all your activities from the Class Manager window for these
entities:
Service Classes
Network Classes
If you have not yet started Class Manager, open the Class Manager window using
the procedure in Chapter 5, Using the Class Manager.
You can also perform some of the versioning activities, like Check In and Check
Out, by right-clicking on the template or template instance of a variable template
and selecting the required versioning option. Also see Version Indicators.
These topics describe versioning for ACL Manager entities:
Versioning Workflow
Versioning Workflow
This section describes the workflow for:
New entities
Checked in entities.
1. Create an entity.
Until you check it in, it is in the New state, denoted by [*].
2. Check out the entity. Multiple users can check out the same version of an
entity.
Until you check it in, it is in the Checked-Out state, denoted by [n*], where n
is the version number of the checked-out entity.
2.
enabled, for ACLs and templates, then the entity moves to the pending
state, indicating that the version has been submitted for approval. This
information is displayed in the right view.
For example, if ACL 100 [1] has been modified and submitted for
approval, and if the selection is on the ACL Definitions folder, the left
view would indicate 100[1*], and the right view would indicate
100[1*Pending].
If policy verification is enabled for ACLs and templates, and the checked
in ACL or template fails to comply with the policy, it is automatically
sent for Change Approval (for details, see Chapter 7, Mandating Policy
Verification).
The entity moves to a Checked In state, denoted by a number in square
shows you the differences between your version and the higher version.
You can select what needs to be merged.
After your merged version is ready, you need to check it in at least twice,
to move the ACL to the Checked-In state before the new main line
version is created. See Merging a Branch With a Main Line Version.
Other entities, like ACL Uses or Time Ranges, ACL Manager informs
Version Indicators
The version indicators for entities are as follows:
Version Indicator: Description
[*]: New entity, not yet checked in.
[n]: Checked-in entity, where n is the version number.
[n*]: Checked-out entity, where n is the version number of the checked-out entity.
In ACL Manager, a mainline version is one which has a whole number as its
version number. A branch version is one which does not have a whole number as
its version number. For an entity there can be only one mainline version, but more
than one branch version.
Procedure
Step 1
Select the required entity from its respective folder. For example, select an ACL
from the ACL Definitions folder.
Step 2
Select Versioning > Get Latest Version from the Main Menu of your window.
The latest version of the entity available in the versioning repository appears in
its folder and is indicated by a change in version number.
If the version of the entity that you already have is the latest available version,
there will be no change in the version number after this operation.
You can also get a specific version of an entity into your window (see Getting a
Specific Version of an Entity).
Procedure
Step 1
Select the required entity from its respective folder. For example, select an ACL
from the ACL Definitions folder.
Step 2
Select Versioning > Version Graph from the Main Menu of your window.
The Version Graph dialog box opens (see Figure 10-10).
Step 3
In the Version Graph dialog box, select the version of the entity that you want to
get and click Get.
The selected version of the entity appears in the ACL Manager Main Window.
You can get a specific version of an entity, only if it is successfully checked in. If
the entity is checked out, or checked in but awaiting change approval processing,
you cannot get a specific version of the entity.
You can also get the latest version of an entity (see Getting the Latest Version of
an Entity).
Procedure
Step 1
Select the required entity from its folder and right-click on it. (You can select
multiple entities within a folder. This is possible only from the right view.)
A pop-up menu appears.
Step 2
Step 3
Click Yes.
The Check Out dialog box appears (see Figure 10-1).
Step 4
Field: Description
Comment
Apply same comment to all Check Outs
Exclusive Checkout
Click OK.
The entity is checked out.
You can also check out a specific version of an entity (see Checking Out a
Specific Version of an Entity).
Procedure
Step 1
In the Version Graph dialog box, select the version that you want to check out.
Step 2
Step 3
Step 4
Click OK.
The entity is checked out.
Procedure
Step 1
Select the required entity from its respective folder. For example, select an ACL
from the ACL Definitions folder.
Step 2
Select Versioning > Undo Check Out from the Main Menu of your window.
ACL Manager displays a message that all your changes will be lost if you proceed.
For example, if you undo a check out for an ACL, a message appears:
This will delete all changes made to the ACL. Do you want to continue?
Step 3
Click Yes.
The check out is canceled.
Checking In Entities
After your changes to an entity version are complete, you must check in the entity.
The entity will move to a checked-in state. If change approval has been enabled,
for ACLs and templates, then the entity moves to the pending state, indicating that
the version has been submitted for approval. This information is displayed in the
right view.
For example, if ACL 100 [1] has been modified and submitted for approval, and
if the selection is on the ACL Definitions folder, the left view would indicate
100[1*], and the right view would indicate 100[1*Pending].
If policy verification is enabled for ACLs and templates, and the checked in ACL
or template fails to comply with the policy, it is automatically sent for Change
Approval (see Chapter 11, Approving or Rejecting Changes).
You can also select multiple entities and check them in.
Procedure
Step 1
Select the required entity from its respective folder, right-click on it. (You can
select multiple entities for checking in.)
A pop-up menu appears.
Step 2
Step 3
Field: Description
Comment
Apply same comment to all Check Ins
If a higher version of the entity does not exist in the Versioning repository, at
the time of your check in, the entity is checked in.
After you click OK in the message box, ACL Manager checks out the latest
main line version. This version also has the information from your branch
version.
When you check it in for the second time, the Check In dialog box appears
again. Enter your comments in the Check In dialog box and click OK.
ACL Manager prompts you to do a merge.
You will now have to merge the entity with the main line version:
To merge an ACL or a template, see Merging Using the Merge Editor.
To merge any entity other than an ACL or a template, see Merging Without
Using the Merge Editor.
After you merge your version with the latest available version, check in the
merged version again.
At any point during a check in, if a higher version exists, ACL Manager
will prompt you to do a check in and a merge again.
Before checking in an ACL after creation or modification, you can use ACL
Manager tools to:
Verify the ACL against a policy (see Chapter 7, Creating and Using
Policies)
ACL Manager then prompts you to merge your branch with the latest version of
the entity. The merge operation can be done in two ways depending on the ACL
Manager entities:
If the entity is an ACL, or a template, you can merge the entity using the
Merge Editor, a tool provided by ACL Manager. See Merging Using the
Merge Editor.
If it is any other entity, you will have to do a manual merge operation. See
Merging Without Using the Merge Editor.
Procedure
Step 1
Select your branch version in the ACL Manager Main Window or the Template
Manager main window, right-click and select Check In from the pop-up menu.
The Check In dialog box appears.
Step 2
Enter your comments in the Check In dialog box and click OK. See Checking In
Entities for details of the fields and options in the Check In dialog box.
Since a higher version of the ACL or template exists at the time of your check in,
a message appears:
Check in has created a branch since the checked out version was not
the latest one. Another check in will be required to merge with the
main branch.
Step 3
Click OK.
Your branch version is replaced by a checked out, main line version in the
ACL Manager Main Window or the Template Manager main window.
Step 4
Select this version, right-click and select Check In again from the pop-up menu.
The Check In dialog box appears.
Step 5
Enter your comments in the Check In dialog box, and click OK. See Checking
In Entities for details of the Check In dialog box.
The Merge Editor opens (see Figure 10-3).
Figure 10-3 Merge Editor
The ACEs in the latest version of the entity appear in the lower left pane.
The arrowhead icons (<, >) indicate the ACEs that differ from the base
version that was checked out.
Representation
Changed Lines
Deleted Lines
Unchanged Lines: Black text.
Step 6
Step 7
Click Checkin.
The merged version is checked in.
Note
Procedure Reference
Check In
Checking In Entities
Check Out
Merging ACLs
Procedure
Step 1
Assume that you check out Version 1 of an ACL.
There is already a Version 2 of the ACL in the versioning repository. If you look
at its Version Graph dialog box at this point, you will see that a checked out copy
of Version 1 has been created for you, with your user name on it
(see Figure 10-4).
Step 2
Step 3
Enter your comments in the Check In dialog box, and click OK.
Since a higher version (Version 2) exists for the ACL, ACL Manager displays a
message that there is a higher version of the ACL, and that you should do a check
in again, to merge the branch with the main line version.
ACL Manager creates branch version 1.1, for your checked out version.
At the same time, it creates a checked out version of the latest version that exists
in the repository, and this too, has your user name.
If you look at the Version Graph dialog box at this point, you see a branch
Version 1.1, merging with the latest checked-out version, also a branch, with your
username (see Figure 10-5).
In the ACL Manager Main Window, the version information for this ACL shows
[2*].
Step 4
Step 5
Enter your comments in this Check In dialog box and click OK.
At the time of checking this version in, you are prompted to do a merge. When
you proceed, the ACL Merge dialog box opens (see Figure 10-6).
Figure 10-6 Example Window: 3
Step 6
Step 7
Check in the ACL again from the ACL Merge window, by clicking the CheckIn
button.
The ACL version is checked in.
If you view the Version Graph dialog box at this point, you see the ACL checked
in as Version 3 (see Figure 10-7).
Figure 10-7 Example Window: 4
In the ACL Manager Main Window, the version information for this ACL
shows [3].
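As an added illustration (not ACL Manager code), this Python model replays the versioning workflow and the Merging ACLs example above: a new entity shows [*], a checked-out one [n*], a checked-in one [n]; a check-in against a version that is no longer the latest files your work as branch n.k and hands you a checked-out copy of the latest main line version; a second check-in then merges the branch and creates the next main line version. The ACE text, the user names and the keep-both merge function (standing in for the Merge Editor) are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Version:
    vid: str                  # "1", "2" (main line) or "1.1" (branch)
    aces: list
    parent: Optional[str]
    creator: str
    comment: str = ""
    checked_out_by: set = field(default_factory=set)  # names shown in the Version Graph


@dataclass
class WorkingCopy:
    user: str
    aces: list
    state: str = "new"                 # new | checked_out | checked_in
    base: Optional[str] = None         # version this copy was taken from
    merge_from: Optional[str] = None   # branch still to be merged into the main line


class Repository:
    def __init__(self):
        self.versions = {}
        self.latest = 0        # highest main line version number
        self.branches = {}     # base version -> number of branches created under it

    def indicator(self, wc):
        """Version indicator as shown in the main window: [*], [n] or [n*]."""
        if wc.state == "new":
            return "[*]"
        return f"[{wc.base}*]" if wc.state == "checked_out" else f"[{wc.base}]"

    def _store(self, vid, aces, parent, user, comment):
        self.versions[vid] = Version(vid, list(aces), parent, user, comment)
        return vid

    def check_out(self, user, vid=None):
        """Check out a version (latest main line by default). Several users may
        check out the same version; the graph records each name."""
        vid = vid or str(self.latest)
        if vid not in self.versions:
            raise KeyError(f"version {vid} is not checked in")
        self.versions[vid].checked_out_by.add(user)
        return WorkingCopy(user, list(self.versions[vid].aces), "checked_out", vid)

    def check_in(self, wc, comment="", merge=None):
        """Returns a status string mirroring ACL Manager's check-in messages."""
        if wc.state == "checked_in":
            raise ValueError("nothing to check in")
        if wc.merge_from:                          # second check-in after a branch
            if merge is None:
                return "merge required"
            wc.aces = merge(self.versions[wc.merge_from].aces, wc.aces)
            wc.merge_from = None
        if wc.state == "checked_out":
            self.versions[wc.base].checked_out_by.discard(wc.user)
        if wc.state == "checked_out" and wc.base != str(self.latest):
            # A higher version exists: file this work as a branch and hand back a
            # checked-out copy of the latest main line; merge and check in again.
            k = self.branches[wc.base] = self.branches.get(wc.base, 0) + 1
            branch = self._store(f"{wc.base}.{k}", wc.aces, wc.base, wc.user, comment)
            fresh = self.check_out(wc.user)
            wc.aces, wc.base, wc.state, wc.merge_from = fresh.aces, fresh.base, "checked_out", branch
            return "branch created; check in again to merge with the main line"
        self.latest += 1
        wc.base = self._store(str(self.latest), wc.aces, wc.base, wc.user, comment)
        wc.state = "checked_in"
        return f"checked in as version {wc.base}"


def run_merge_example():
    """Replays the Merging ACLs walk-through: Version 2 appears while you hold
    Version 1 checked out. ACEs and user names are constructed."""
    repo = Repository()
    mine = WorkingCopy("alice", ["permit tcp any host 10.0.0.1 eq 80"])
    repo.check_in(mine, "initial")                        # Version 1
    mine = repo.check_out("alice", "1")                   # Step 1: [1*]
    other = repo.check_out("bob", "1")                    # same version, other user
    other.aces.append("deny ip any any log")
    repo.check_in(other, "bob's change")                  # Version 2 now exists
    mine.aces.append("permit udp any any eq 53")
    trace = []
    msg = repo.check_in(mine, "alice's change")           # Steps 2-3: branch 1.1, then [2*]
    trace.append((msg, repo.indicator(mine)))

    def keep_both(branch, main):                          # stand-in for the Merge Editor
        return main + [a for a in branch if a not in main]

    msg = repo.check_in(mine, "merged", merge=keep_both)  # Steps 4-7: Version 3
    trace.append((msg, repo.indicator(mine)))
    return repo, trace
```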
Procedure Reference
Check In
Checking In Entities
Check Out
Merging ACLs
Procedure
Step 1
Assume that you check out Version 1 of Ethernet0.
There is already a Version 2 of Ethernet0 in the versioning repository. If you look
at its Version Graph dialog box at this point, you will see that a checked out copy
of Version 1 has been created for you, with your user name on it
(see Figure 10-4).
Figure 10-8 Example Window:1
Step 2
Step 3
Enter your comments in the Check In dialog box, and click OK.
Since a higher version (Version 2) exists for Ethernet0, ACL Manager displays a
message that there is a higher version of Ethernet0, and that you should do a check
in again, to merge the branch with the main line version.
ACL Manager creates branch version 1.1, for your checked out version.
At the same time, it creates a checked out version of the latest version that exists
in the repository, and this too, has your user name.
If you look at the Version Graph dialog box at this point, you see a branch
Version 1.1, merging with the latest checked-out version, also a branch, with your
username (see Figure 10-5).
In the ACL Manager Main Window, the version information for this Ethernet0
shows [2*].
Figure 10-9 Example Window: 2
Step 4
Step 5
Enter your comments in this Check In dialog box and click OK.
At the time of checking this version in, you are prompted to do a merge.
Step 6
Step 7
Step 8
Step 9
Repeat Step 1 and Step 2 until you feel that the merge process is complete.
Step 10
Procedure
Step 1
Select the required entity from its respective folder. For example, select an ACL
from the ACL Definitions folder.
Step 2
Select Versioning > Version Graph from the Main Menu of your window.
The Version Graph dialog box opens (see Figure 10-10).
Figure 10-10 The Version Graph dialog box
Description
The branches
The merges
The users who have checked out the versions: Represented by their user names. The user name
appears only when a version is in the checked-out state.
The user name appears in a box with a red background.
Step 3
You can use the buttons in the Version Graph dialog box to perform these tasks on
any of the versions of the entity:
Table 10-1 Versioning Tasks
Step 4
Button
Action or Task
Get
Check Out
Diff
Close
Details
Help
To compare the version of an entity in your window, with its latest version:
Procedure
Step 1
Select the required entity from its respective folder. For example, select an ACL
from the ACL Definitions folder.
Step 2
Select Versioning > Compare with Latest Version from the Main Menu of your
window.
The Version DiffViewer opens (see Figure 10-13).
Step 3
For details of the Version DiffViewer, see Using the Version Diff Viewer
Step 4
Click OK.
The Version DiffViewer closes.
Procedure
Step 1
Select the two versions in the Version Graph dialog box that you wish to
compare. To do this, hold down the Ctrl key and click on the versions.
Step 2
Click Diff.
The Version DiffViewer opens (see Figure 10-13).
For details of the Version DiffViewer, see Using the Version Diff Viewer.
Step 3
Click OK to exit.
Procedure
Step 1
Select the required entity from its respective folder. For example, select an ACL
from the ACL Definitions folder.
Step 2
Select Versioning > Version Details from the Main Menu of your window.
The Version Details window opens (see Figure 10-11). This window shows the
details of an ACL version.
Field: Description
Entity Version: Version number of the entity for which the details are
displayed, and versioning state of the entity (checked in, checked out, etc.)
Entity Name or Number
Entity Type: Type of the entity. For example, in the case of ACLs this could
be IP, IP Extended, etc.
Device
Created By
Created On
Creator Comment
There may be minor differences between the version details displayed for the
various entities. For example, in the case of Time Range version details, the Time
Range Type information does not appear, as this field is not applicable for Time
Ranges.
Step 3
Click OK to exit.
Procedure
Step 1
Click on the version you want to view in the Version Graph dialog box.
Step 2
Click Details.
The Version Details window opens (see Figure 10-11). For information on the
fields in the window, see Viewing Version Details of an Entity.
Step 3
Click OK to exit after you view the details of the selected version.
Procedure
Step 1
Select the required entity from its respective folder. For example, select an ACL
from the ACL Definitions folder.
Step 2
Select Versioning > History from the Main Menu of your window.
The Version History dialog box opens (see Figure 10-12). This dialog box shows
the history of an ACL version.
Figure 10-12 Versioning History Dialog Box
If the selected entity is in the newly created state, then version history will not be
available for the entity. The following message appears:
Unable to view history.
Entity Name: This entity does not exist in the versioning database.
It may not have been checked in.
The entity (ACL, ACL use, or Time Range, etc.) and the name or number of the
entity are displayed as the heading of the Version History dialog box.
The fields in the Version History dialog box are:
Field
Description
Version
Creator
Created On
State
Parent Versions
Creator Comment
You can perform various versioning tasks on any of the versions of the entity,
using the buttons in the Version History dialog box (see Table 10-1 for details).
To see the Version Graph, click Version Graph.
If you click on a required version, the Get, Check Out, Delete, and Details buttons
are enabled.
The Diff button is enabled when you select two versions by holding down the Ctrl
key and clicking on them.
Your version of the entity appears in the left pane, and the version selected for
comparison, in the right pane.
In the case of an Out-of-Band change, the selected version of the entity appears in
the left pane, and the Out-of-Band version, in the right pane.
Representation
Changed Lines
Unchanged Lines: Black text.
If your entity is an ACL, you can see the Logical View and the Physical View of
the ACL, by clicking on these tabs.
The Logical View shows an abstract or high-level view of the ACEs in the ACL.
Here, you see the names of hosts, templates, services, service classes, networks
or network classes used in the ACEs.
The Physical View is a low-level view, and maps to the IOS commands
corresponding to the ACE statements. The host names are resolved to IP
addresses, service names are replaced by port numbers, etc.
The concept of Logical and Physical views does not apply to the other entities;
for these entities, you find the same contents in both tabs.
The Previous Difference and the Next Difference icons allow you to navigate
between the differences.
Click OK to exit the Version DiffViewer.
Chapter 11
Note
This feature is available to you only if you have enabled Role-based Access
Control at the time of installing ACL Manager. To configure Role-based Access
Control, see the Installation Guide for ACL Manager.
To enable Change Approval, see Enabling or Disabling Change Approval.
If you have not enabled this, see Chapter 15, Enabling Job Approval.
To receive change approval email notification, on Windows server, set the SMTP
server using Resource Manager > System Configuration.
On Solaris, since your machine acts as the SMTP server, the email notifications
are sent by default, if the SMTP daemon is running.
Change approval can be enabled in ACL Manager, on a need basis, for ACLs and
for job downloads. For ACL or template modifications, change approval, if
enabled, becomes compulsory if the ACL or template does not
comply with a policy. For more details, see the topic, Mandating Policy
Verification in Chapter 11.
Changes are version controlled in ACL Manager. After the changes are made, the
checked out entities can be passed through the change approval process before
they are checked into the versioning system. That is, authorized approvers can
validate changes proposed to entities, such as ACLs, before these changes are
implemented.
A job definition will go through the Change Approval process, if you have
configured ACL Manager for Change Approval.
Jobs scheduled for immediate download will not go through the change approval
process.
If a job has been defined but not scheduled, the deadline for change approval is
indefinite.
When a change is submitted, approvers (users authorized to approve changes) will
be notified about the change requests by e-mail. Similarly, users who have
submitted change requests for approval will be notified by e-mail after their
change requests have been processed (either approved or rejected).
These topics describe change approval processing in ACL Manager:
Procedure
Step 1
Field: Description
Priority
Change ID
Submitter
Submitted At
Process By: Last date and time on or before which the change request has to
be approved by the approvers.
Status
Comments
Step 2
Highlight a change request and click Next to process it. You can select only one
change request at a time.
The Approve or Reject Changes window opens (see Figure 11-2).
See the topic Approving or Rejecting Change Requests for information on
approving or rejecting changes.
Fields: Change ID, Priority, Status, Submitter, Change Type, Submitted At,
Process By, Submitter Comments, Changed Entities, Changed Entity Status,
Action, Approver Comments.
Procedure
Step 1
Highlight a Changed Entity within the Changed Entities table (see Figure 11-2),
and select either Approve or Reject.
You can select more than one Changed Entity from the table for processing.
Step 2
Click Finish.
The status of the change request is updated accordingly (see Change Request
Status).
Change Request Status values: Pending, Partial, Approved, Rejected, Expired.
When all the changes within a change request are approved, the user who
submitted the change request for approval receives an auto-generated e-mail
indicating that the request has been approved (see E-mail Notification of Change).
Procedure
Step 1
Highlight a changed entity within the Changed Entities table in the Approve or
Reject Changes window and click Entity Details.
The Changed Entity Details window opens (see Figure 11-3).
Figure 11-3 The Changed Entity Details Window
Fields: Changed Entity, Status (Approved or Rejected), Approver Group, Status,
Name, Time, Comments.
Step 2
Click Back to return to the Approve or Reject Changes window (see Figure 11-2).
Step 3
Procedure
Step 1
Select Administration > Change Approval > Processed Changes from ACL
Manager.
The Processed Changes window opens (see Figure 11-4).
Figure 11-4 The Processed Changes Window
Field: Description
Priority
Change ID
Submitter
Submitted At
Process By: Last date and time on or before which the change request has to
be approved by the approvers.
Status: Approved or Rejected.
Comments
Step 2
Highlight a processed change request and click Next to view it. You can select
only one change request at a time.
The Approve or Reject Changes window opens with the details of the Processed
Change (see Figure 11-2). For information displayed in the fields in this window,
see Approving or Rejecting Change Requests.
To view more details of each processed changed entity within the change request,
highlight a Changed Entity in the Approve or Reject Changes window and click
Details.
The Changed Entity Details window opens (see Figure 11-3). For information
displayed in the fields in this window, see Viewing Details of a Changed Entity.
Notification types: Submitted, Approved, Rejected, Expired.
Field: Description
Change ID
Status: Pending, Approved or Rejected.
Priority
Submitter ID
Submitter Email
Submission Time
Expiry Time: Last date and time on or before which the change request has to
be approved by the approvers.
Grouping Type
Submitter Comments
Approver Group
Approver
Approver Comments
Status: Status for the specified Approver Group, if there is more than one
Approver Group assigned to the changed entity.
Procedure
Step 1
Select Administration > Change Approval > Configure Change Approval from
ACL Manager.
The Change Approval Policy dialog box opens (see Figure 11-5).
Step 2
To enable change approval processing for the required features, select their
check boxes.
To disable change approval processing for a feature, clear its check box.
Click Next.
A message appears that your change is successfully updated for the selected
feature.
After you enable change approval, ensure that you specify the approvers using the
Role-based Access Control feature of ACL Manager (see Chapter 9 Populating
ACL Manager with Role-based Data).
Chapter 12
Define Uses for previously created ACLs, or ACLs that have been newly
created from templates. See:
Defining ACL Uses
Step 2
Step 3
Step 4
To create a Use, in the left pane of the ACL Manager Main Window, right-click
the ACL to be applied, then select Use ACL.
The Use Selection window appears (see Figure 12-1).
You can also display the ACL Use Selection dialog box by clicking the Create
Uses button in the ACL Results dialog box.
Procedure
Step 1
If you have created or selected an IOS ACL (see Figure 12-1), select one of these
from the Use Selection window:
Packet Filtering
Line Access
If the ACL created or selected is a VACL, select VLAN Packet Filtering from the
Use Selection window. (In such a case, the Use Selection window displays only
VLAN Packet Filtering).
Step 2
Click Next.
Based on your Use selection in Step 1, the following dialog boxes are displayed:
Line Selection dialog box: if you selected Line Access (see Selecting Lines
for Line Access with the Use ACL Wizard).
Summary dialog box: if you selected SNMP TFTP Server (see Completing the Use
ACL Wizard Summary).
VLAN Selection dialog box: if you selected VLAN Packet Filtering (see
Selecting VLANs for VLAN Packet Filtering with Use ACL Wizard).
Interfaces. (See Selecting Interfaces for Packet Filtering with the Use ACL
Wizard).
Lines. (See Selecting Lines for Line Access with the Use ACL Wizard).
SNMP Community Settings. (See SNMP Community Settings with the Use
ACL Wizard).
VLANs. (See Selecting VLANs for VLAN Packet Filtering with Use ACL
Wizard).
Selecting Interfaces for Packet Filtering with the Use ACL Wizard
To select interfaces for packet filtering:
Procedure
Step 1
From the Interface Selection window, (see Figure 12-2), select the incoming (In)
and outgoing (Out) interfaces of the device for which you are defining the Use.
Alternatively, instead of manually selecting the In and Out interfaces, you can
select either or both these options:
this text field. The ACL will be applied on all incoming interfaces of the
device, that start with the string that you have specified. For example, you
can enter Fast in the text field to apply the ACL on all the FastEthernet
interfaces of the device, in the incoming direction.
To apply the ACL on all the interfaces in the incoming direction, enter *
this text field. The ACL will be applied on all outgoing interfaces of the
device, that start with the string you have specified. For example, you can
enter Eth in the text field to apply the ACL on all the Ethernet interfaces
of the device, in the outgoing direction.
To apply the ACL on all the interfaces in the outgoing direction, enter *
Click Next to display the Summary dialog box (see Completing the Use ACL
Wizard Summary).
Selecting Lines for Line Access with the Use ACL Wizard
Procedure
Step 1
From the Line Selection window (see Figure 12-3), select the incoming (In) and
outgoing (Out) lines to which you want to apply the ACL.
Alternatively, instead of manually selecting the In and Out lines, you can select
either or both these options:
field. The ACL will be applied on all incoming lines of the device that
start with the string that you have specified. For example, you can enter
au in the text field to apply the ACL on all the aux lines of the device, in
the incoming direction.
To apply the ACL on all the lines in the incoming direction, enter * in
Apply on all lines of this device in out direction starting with: Apply the
ACL on all or the selected lines of the device, in the outgoing direction:
To select the lines, enter the starting characters of the line in this text
field. The ACL will be applied on all outgoing lines of the device that
start with the string you have specified. For example, you can enter vt in
the text field to apply the ACL on all the vty lines of the device, in the
outgoing direction.
To apply the ACL on all the lines in the outgoing direction, enter * in the
text field.
Step 2
Click Next to display the Summary dialog box (see Completing the Use ACL
Wizard Summary).
In the SNMP Community Settings dialog box (see Figure 12-4), enter the
Community String. This is a mandatory field.
Step 2
Step 3
Select Access Type. By default, Access Type is read only. You can select
Read/Write mode if required.
Step 4
Click Next.
The Summary dialog box appears for the selections made for this ACL (see
Completing the Use ACL Wizard Summary).
Selecting VLANs for VLAN Packet Filtering with Use ACL Wizard
Procedure
Step 1
Select the VLAN(s) for the device (see Figure 12-5) from the Use Selection
dialog box.
Figure 12-5 VLAN Selection
Step 2
Click Next.
The Summary dialog box appears (see Completing the Use ACL Wizard
Summary).
Procedure
Step 1
From the Summary dialog box, select Check out and Overwrite Latest Version
of Existing ACL Uses? to automatically check out and overwrite the latest
version of an existing ACL Use on any of the following:
SNMP TFTP Server list on the device (for SNMP TFTP Server)
Step 2
Click Finish to display the Results window (see Displaying Use ACL Wizard
Results).
Procedure
Step 1
Step 2
Packet Filtering: The ACL is now installed for packet filtering on the
specified interfaces.
Line Access: The ACL is now installed for line access on the specified lines.
SNMP Community Access: The ACL is now installed for the device.
SNMP TFTP Server list: The ACL is now installed for the device.
VLAN Packet Filtering: The ACL is now installed for the selected VLAN.
If you want to check the Use statements, go to the ACL Manager Main Window
and navigate to:
To invoke the ACL Use Selection dialog box again, you can click Create Uses.
See Defining an ACL Use with the Use ACL Wizard.
For more information on templates, see Chapter 6, Using the Template Manager.
You can create an ACL from an existing template on a specific device, and create
a Use for it by:
Step 1
Step 2
Selecting a Device.
Step 3
Step 4
In the ACL Manager Main Window, select the device on which you want to create
an ACL, from the template, then select Apply Template.
The Template Selection window appears (see Figure 12-8).
From the Template Selection window (see Figure 12-8), select the template to be
applied.
Figure 12-8 Template Selection
If you want to view the contents of the template, click Expand. The expanded
template appears in the ACE Expanded window (see Figure 12-9).
Click Close when you are finished, to exit the ACE Expanded window.
Step 2
Selecting a Device
Procedure
Step 1
In the Device Selection dialog box (see Figure 12-10), the device that you selected
in the ACL Manager Main Window, for applying the template, is highlighted.
Step 2
Append to ACL: To add the new ACL at the end of the existing ACL.
Overwrite the ACL: To overwrite the existing ACL with the one that you
are creating.
Click Finish.
The ACL Results window appears, with the details of the ACL that you have
created (see Displaying ACL Creation Results (Single Device)).
Click Close if you only want to create an ACL out of the template.
or
Click Create Uses to create Uses for such newly created ACLs.
When you click the Create Uses button, the Selection dialog box (Figure 12-1)
appears. (See Defining an ACL Use with the Use ACL Wizard).
For the complete workflow to create Uses for packet filtering, line access, SNMP
Community Access, SNMP TFTP Server or VLAN filtering, see the section,
Defining ACL Uses.
If you are already in ACL Manager Main Window, display the Template Selection
Window by selecting Tools > ACL Use Wizard from the ACL Manager Main
Window.
You can apply a template to multiple devices by:
Step 1
Selecting a Template.
Step 2
Step 3
Step 4
Selecting a Template
Procedure
Step 1
From the Template Selection dialog box (see Figure 12-8), select the template to
be applied.
If you want to see the contents of the template, click Expand.
The ACE Expanded dialog box appears with the details of the expanded template
(see Figure 12-9).
Click Close when you are finished in the ACE Expanded dialog box.
Step 2
From the Device Selection window (see Figure 12-12), select the required devices
to which the template will be applied.
Figure 12-12 Devices Selection
Step 2
Append to ACL: To add the new ACL at the end of the existing ACL.
Overwrite the ACL: To overwrite the existing ACL with the one that you
are creating.
Step 3
Deselect Autonumber the New ACL and enter the ACL name or number in
the ACL name or number text field.
Click Finish.
The ACL Results dialog box appears, with the details of the ACLs that you have
created (see Displaying ACL Creation Results (Multiple Devices)).
Procedure
Step 1
View the results of the ACL creation, in the Results dialog box (see Figure 12-13).
Figure 12-13 ACL Creation Results
The ACL Creation field displays Failed if the ACL was not created successfully.
Otherwise, it displays OK.
Step 2
Either:
Click Close to exit the Results dialog box, after creating ACLs out of the
template,
or
Click Create Uses to create Uses for the newly created ACLs.
The Use Selection dialog box appears (see Figure 12-1). For details see, Defining
ACL Uses for Multiple Devices.
If you have created or selected an IOS ACL (see Figure 12-1), select one of these
from the Use Selection window:
Packet Filtering
Line Access
If you have created or selected a VACL, select VLAN Packet Filtering from the
Use Selection window. (In such a case, the Use Selection window displays only
VLAN Packet Filtering).
Step 2
Click Next.
Based on your Use selection in Step 1, the following dialog boxes are displayed:
Line Selection dialog box: if you selected Line Access (see Selecting
Lines with the Template Use Wizard).
Summary dialog box: if you selected SNMP TFTP Server (see Completing the
Use ACL Wizard Summary). The summary will appear for all the selected
devices.
VLAN Selection dialog box: if you selected VLAN Packet Filtering (see
Selecting VLANs for VLAN Packet Filtering with Template Use Wizard).
Step 3
View the Summary. (See Completing the Use ACL Wizard Summary).
Step 4
Packet Filtering: The ACL is now installed for packet filtering on the
specified interfaces on the selected devices.
Line Access: The ACL is now installed for line access on the specified lines
on the selected devices.
SNMP Community Access: The ACL is now installed for the selected devices.
SNMP TFTP Server list: The ACL is now installed for the selected devices.
VLAN Packet Filtering: The ACL is now installed for the selected VLAN on the
selected devices.
From the Interface Selection window for the first device, select the incoming (In)
and outgoing (Out) interfaces of the device.
To select the same interfaces on all subsequent devices, select Treat all
subsequent devices similar to this device? If you select this option and
subsequent devices do not have the specified interfaces, the subsequent devices
will be skipped.
Alternatively, instead of manually selecting the In and Out interfaces, you can
select either or both these options:
this text field. The template will be applied on all incoming interfaces of
the device, that start with the string that you have specified. For example,
you can enter Fast in the text field to apply the template on all the
FastEthernet interfaces of the device, in the incoming direction.
this text field. The template will be applied on all outgoing interfaces of
the device, that start with the string you have specified. For example, you
can enter Eth in the text field to apply the template on all the Ethernet
interfaces of the device, in the outgoing direction.
To apply the template on all the interfaces in the outgoing direction, enter *
in the text field.
If you also select Treat all subsequent devices similar to this device? along with
one or both the above options, then the template will be applied on all the
subsequent devices, for all the interfaces existing on those devices. Also see
Using the Use Wizard to Address Vulnerability in Your Network: Example.
Step 2
Click Next.
The Summary dialog box appears (see Completing the Use ACL Wizard
Summary).
From the Line Selection window for the first device, select the incoming (In) and
outgoing (Out) lines of the device to which the template will be applied.
To select the same lines on all subsequent devices, select Treat all subsequent
devices similar to this device? If you select this option and subsequent devices
do not have the specified lines, the subsequent devices will be skipped.
Alternatively, instead of manually selecting the In and Out lines, you can select
either or both these options:
field. The template will be applied on all incoming lines of the device that
start with the string that you have specified. For example, you can enter
au in the text field to apply the template on all the aux lines of the device,
in the incoming direction.
To apply the template on all the lines in the incoming direction, enter *
Apply on all lines of this device in out direction starting with: Apply the
template on all or the selected lines of the device, in the outgoing direction:
To select the lines, enter the starting characters of the line in this text
field. The template will be applied on all outgoing lines of the device that
start with the string you have specified. For example, you can enter vt in
the text field to apply the template on all the vty lines of the device, in
the outgoing direction.
To apply the template on all the lines in the outgoing direction, enter * in the
text field.
If you also select Treat all subsequent devices similar to this device? along with
one or both the above options, then the template will be applied on all the
subsequent devices, for all the lines existing on those devices. Also see Using the
Use Wizard to Address Vulnerability in Your Network: Example.
Step 2
Click Next.
The Summary dialog box appears (see Completing the Use ACL Wizard
Summary).
Step 2
Step 3
Select Access Type. By default, Access Type is read only. You can select
Read/Write mode if required.
To select the same settings on all subsequent devices, select Treat all subsequent
devices similar to this device?
Step 4
Click Next.
Step 5
If you have not selected Treat all subsequent devices similar to this device?
repeat the steps in this procedure for all devices.
After you select the last device, the Summary dialog box appears (see Completing
the Use ACL Wizard Summary).
Selecting VLANs for VLAN Packet Filtering with Template Use Wizard
Procedure
Step 1
To select the same VLANs on all subsequent devices, select Treat all subsequent
devices similar to this device? If you select this option and subsequent devices
do not have the specified VLANs, the subsequent devices will be skipped.
Alternatively, without selecting any VLANs on any of the devices, you can select
the option Apply on all VLANs of this Device, to apply the template on all the
VLANs of the device.
If you also select Treat all subsequent devices similar to this device? along with
the above option, then the template will be applied on all the subsequent devices,
for all the VLANs existing on those devices. Also see Using the Use Wizard to
Address Vulnerability in Your Network: Example.
Step 2
Click Next.
The Summary dialog box appears (see Completing the Use ACL Wizard
Summary).
Procedure
Step 1
Apply on all interfaces of this device in "in" direction starting with and Treat
all subsequent devices similar to this device?
Step 2
Similarly, you can select all three options. Then, all the interfaces will have uses
in both directions for all the devices.
These options are also enabled for a single device. This feature is applicable to
IOS, Catalyst and PIX devices.
After selecting this option, you should also choose one of these options:
Prepend to ACL: To add the new ACL at the beginning of the existing ACL.
Append to ACL: To add the new ACL at the end of the existing ACL.
Overwrite the ACL: To overwrite the existing ACL with the one that you are
creating.
Chapter 13
Importing Configuration
ACL Manager enables you to import Cisco Device Configurations that conform
to the IOS, Catalyst OS and PIX formats, from an external source. After you
import the configurations, you can paste them onto devices that ACL Manager is
managing, and thereafter use ACL Manager to manage the imported
configurations.
You can import the configurations from:
The ACL Manager server, by entering the path to the file in the File Import
Wizard, or using a File Browser in the wizard.
or
Your local machine, using a text editor (Config Editor of ACL Manager).
You can use the File Import Wizard in ACL Manager to import the configurations.
After you import the configurations, ACL Manager parses them and places them
in a folder, Imported Entities, under the Root folder within your ACL Manager
Main Window. This folder is a location for temporary storage of the imported
configurations, from where they are pasted onto devices.
When you import configurations from external sources:
You can import only the running configurations and not the startup
configurations.
You can import into ACL Manager, one or more files that are already on the
ACL Manager server.
From a client machine, you can copy the contents of the file into the Config
Editor in the File Import Wizard and then upload the configuration into
ACL Manager.
You can import a configuration file from another server via a mounted file
system, where the ACL Manager server is running. (The configuration file on
the mounted file system should be readable by casuser.)
You can import a text file that contains an ACL without a name (for example,
the configuration in the text file may contain some, or all, the ACEs from a
named IP Extended ACL, but the ACL name may not be present in the file).
In this case, ACL Manager will generate a name for the ACL. You can rename
the ACL.
The tasks you can perform using the File Import Wizard are:
Procedure
Step 1
Uploading the Configuration and Viewing the Import Summary
A file on the ACL Manager server (see the procedural step, Select Upload
Config from File.)
or
A file on your local machine (see the procedural step, Select Upload Config
from Editor.).
b.
Enter the full path of the configuration file in the Config File text box
or
Click Config file.
The File Browser dialog box appears (see Figure 13-3).
c.
Use the File Browser dialog box to select the text file (see Using the File
Browser).
The name of the selected file appears in the text box in the Config File text
box of the Upload Config pane.
To view the contents of the configuration file, click View Config.
b.
Step 2
c.
Copy the required configuration from a file on your local machine, paste it
into the Config Editor dialog box, and edit it as required (for details, see
Using the Config Editor).
d.
Click OK in Config Editor, to return to the Upload Config pane of the File
Import Wizard.
Step 3
Click Next.
The Import Summary pane appears (see Figure 13-2).
Figure 13-2 Import Summary Window
Field descriptions:
Name, or number, of the entity. For example, 100.
Type of the entity. For example, ACL.
Details: Details of the ACL. For example, IP.
Import Status: These are the states of success:
Click Finish.
The entity is imported into ACL Manager, and placed in a temporary storage
folder, (Root > Imported Entities > Router, Switch, or Pix), in your
ACL Manager Main Window. You can do these operations on these imported
entities:
Rename
Delete
Procedure
Step 1
Select the required file from the list of configuration files displayed in the File
Browser dialog box (see Figure 13-3).
You can also enter the complete path of a valid file that exists on the
ACL Manager server.
The name of the selected file appears in the File text box.
Step 2
Click OK.
Procedure
Step 1
Copy and paste configuration from a text file on your local machine, into Config
Editor (see Figure 13-4).
or
Enter Cisco Device Configurations into Config Editor.
Figure 13-4 Config Editor Dialog Box
Step 2
Click OK.
To print out the configuration that you have copied into, or entered into Config
Editor, click Print.
Paste an imported ACL onto a device (see Pasting an Imported ACL onto a
Device).
Procedure
Step 1
In the ACL Manager Main Window, add the required device in your Devices
folder.
Step 2
Copy the required ACL from Root > Imported Entities > Router, Switch, or
Pix.
Step 3
Step 4
Note
Pasting Imported Entities onto a Device
Procedure
Step 1
In the ACL Manager Main Window, add the required device in your Devices
folder.
Step 2
Step 3
Step 4
Check out an existing ACL, and paste the copied ACEs within it in the ACL
Definitions folder
or
Create a new ACL and paste the ACEs in this ACL.
An error message appears if the device does not support some or all, of the ACEs
that you have pasted in the ACL.
(You can follow the steps in this procedure to paste imported Remark ACEs onto
a device. An error message appears if the device does not support Remark
ACEs.)
Any statement that is preceded by a bang (!) in the Cisco Device Configuration
format, can be imported into ACL Manager, as a non-downloadable comment.
Using the Comment Editor, you can make this a downloadable comment (see
Chapter 4, Downloading Comments).
Note
Check in the newly added ACL or the modified ACL, before downloading
it to the device.
Procedure
Step 1
Step 2
Step 3
Step 4
Note
With the File Import command line tool, you cannot import a configuration file
that is on your local machine. To import a file from your local machine, you can
use the File Import Wizard (see Uploading the Configuration and Viewing the
Import Summary). This tool does not support https.
Using the File Import Command Line Tool
The configuration file that you wish to import, should have read permissions.
It should be readable by casuser.
You should be a root user to run the script that invokes the import utility. The
CiscoWorks username and password supplied to the script should have net
admin privileges.
To view the usage details of the File Import command line tool,
at the command line, enter:
import
for a router
for a switch
If you do not use this option, the tool discovers the device type.
-n: Prevents the tool from overwriting existing ACLs with the same name
or number.
-u
-p: Valid password.
The imported configuration file appears in the Imported Entities folder of your
ACL Manager Main Window, for the respective category of device (router, or
switch).
Note
Close the Imported Entities folder under Root and reopen it to see the imported
configuration file.
Chapter 14
Validating ACEs
ACL Manager enables you to check the validity of the ACEs within an ACL, a
VACL, or a template, using the ACE Validator.
Packet filtering ACLs are usually large, and may consist of hundreds of ACEs. In
medium, or large sized networks, administrators may need to modify ACLs
several times in a week. Modification of an ACL consists of one or more of these
operations:
Editing of ACEs
During the ACL modification process, new ACEs may be introduced or existing
ones modified. An ACL is order-dependent, and therefore, any modification has
the potential of inadvertently changing the semantics of the ACL.
The main objective of the ACE Validator is to minimize the human error that
could occur while an administrator makes modifications to an ACL. The ACE
Validator checks for and displays a report of the invalid relationships between
one or more sets of entities (ACEs in an ACL, or in a template, that is, a
static template or a variable template instance).
Note
In this chapter, ACEs that cause side effects such as redundancy or conflict with
other ACEs in an ACL or template, are termed invalid. However, this term does
not indicate that the syntax of the invalid ACEs is incorrect. It means that the
relationship between a pair of selected ACEs is invalid.
The ACE Validation feature of ACL Manager detects and displays the following
invalid relationships between ACEs that may change the semantics of an ACL:
Redundant: An ACE is redundant. For example, a modified ACE may have a larger
address scope than some of the ACEs appearing below it within the ACL, and
therefore make them redundant.
Conflict
Redundant-conflict
Unresolvable
A single ACE within a logical entity (ACL or template), and validate it with
the other ACEs in the entity.
Multiple ACEs within a logical entity (ACL or template), and validate the
selected ACEs with the other ACEs in the entity.
An entire logical entity (ACL or template), and validate each ACE in the
selected entity with the other ACEs in the entity.
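As an added example that is not part of this guide or of ACL Manager, the following Python script shows the kind of check the ACE Validator performs: it parses numbered and named IOS IPv4 ACLs out of configuration text (treating bang lines as comments and skipping remarks, as the import chapter describes) and walks each ACL in the order IOS evaluates it, reporting later ACEs that an earlier ACE fully covers as redundant (same action) or conflict (opposite action). Redundant-conflict and unresolvable are not defined on this page and are not modelled; the coverage rule, the supported ACE syntax and the sample configuration are assumptions of this example.

```python
# Constructed example (not ACL Manager code): shadow check over IOS IPv4 ACEs.
import ipaddress
from dataclasses import dataclass

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Ace:
    line_no: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: "int | None"          # None = any destination port

def _addr(tok, i):
    """Read 'any', 'host A', 'A WILDCARD' or a bare host address at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        # IOS wildcard: 0 bits must match, so invert it into a netmask (non-contiguous masks are rejected)
        wild = int(ipaddress.ip_address(tok[i + 1]))
        mask = str(ipaddress.ip_address(~wild & 0xFFFFFFFF))
        return ipaddress.ip_network((tok[i], mask), strict=False), i + 2
    return ipaddress.ip_network(tok[i] + "/32"), i + 1

def parse_ace(line_no, body):
    """body is the ACE after the ACL name, e.g. ['permit', 'tcp', 'any', 'any', 'eq', '22']."""
    if body[1] not in PROTOCOLS:                 # standard ACE: source address only
        return Ace(line_no, body[0], "ip", _addr(body, 1)[0], ANY, None)
    src, i = _addr(body, 2)
    if i < len(body) and body[i] in PORT_OPS:    # source-port matching is out of scope
        raise ValueError(f"line {line_no}: source port qualifiers not modelled")
    dst, i = _addr(body, i)
    if i < len(body) and body[i] in PORT_OPS and body[i] != "eq":
        raise ValueError(f"line {line_no}: port operator {body[i]!r} not modelled")
    dport = int(body[i + 1]) if i < len(body) and body[i] == "eq" else None
    return Ace(line_no, body[0], body[1], src, dst, dport)   # log etc. ignored

def parse_config(text):
    """Collect ACEs per ACL from 'access-list N ...' lines and 'ip access-list' blocks."""
    acls, current = {}, None                     # current = open 'ip access-list' name
    for line_no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("!"):    # bang lines are comments, never ACEs
            continue
        if tok[0] == "access-list":
            current, name, body = None, tok[1], tok[2:]
        elif tok[:2] == ["ip", "access-list"]:
            current = tok[3]
            continue
        elif current and tok[0] in ("permit", "deny", "remark"):
            name, body = current, tok
        else:
            current = None                       # any other global command ends the block
            continue
        if body[0] != "remark":                  # remarks carry no filtering semantics
            acls.setdefault(name, []).append(parse_ace(line_no, body))
    return acls

def covers(a, b):
    """True when every packet b would match is already matched by a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and (a.dport is None or a.dport == b.dport)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))

def validate_acl(aces):
    """(shadowed line, kind, shadowing line) for each ACE an earlier one fully covers."""
    findings = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:                 # first match wins, so only look upward
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.line_no, kind, earlier.line_no))
                break
    return findings

SAMPLE_CONFIG = """\
! constructed sample, not captured from a real device
access-list 10 remark management stations
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit host 10.0.0.7
access-list 10 deny any
ip access-list extended EDGE-IN
 deny tcp any any eq 23
 permit tcp any host 192.0.2.10 eq 22
 permit tcp any host 192.0.2.10 eq 23
 permit ip 10.0.0.0 0.0.0.255 any
 deny ip any any
"""

if __name__ == "__main__":
    for name, aces in parse_config(SAMPLE_CONFIG).items():
        for shadowed, kind, by in validate_acl(aces):
            print(f"ACL {name}: line {shadowed} is {kind} with line {by}")
```

On the sample, the host ACE in ACL 10 is reported as redundant with the /24 above it, and the permit of port 23 in EDGE-IN as a conflict with the earlier deny; like the ACE Validator, the script only reports and does not change the ACL.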
The ACE validation check runs only on logical entities (ACLs, ACEs within
an ACL, and templates) within ACL Manager.
The ACE validation check runs only on the following types of ACLs, and
static templates that contain these ACLs:
IP Standard
IP Extended
VACL IP
The ACE validation check is a reporting tool. If the ACL or the template you
selected contains invalid ACEs, the ACE validation check displays these in
the ACE Validation Results dialog box (see Performing a Validation Check
on a Logical Entity for the procedure on using the ACE Validation results
dialog box).
However, you cannot use this dialog box to make changes to an invalid ACE.
You should use the ACL Manager Main Window (or the Template Manager in the
case of template ACEs) to make the appropriate modifications.
The ACE Validation Results dialog box remains open while you work within
the ACL Manager Main Window.
The ACE Validation Results dialog box does not refresh automatically when
you modify the invalid ACEs listed in the Results dialog box.
To update the results displayed in the ACE Validation Results dialog box,
click the Refresh button (see Figure 14-1). ACL Manager runs another
validation check on the modified ACEs and updates the results shown in the
ACE Validation Results dialog box.
The ACE or ACL on which you want to perform an ACE validation check
need not be in a checked out state, because the validation check is a read-only
operation.
Procedure
Step 1
From the ACL Manager Main Window, select either an ACL or one or more ACEs
(by holding down the Ctrl or Shift key) in an ACL. The selected entity should be
in its logical view.
To enable the logical view for the selected entity, select View > Logical View in
the ACL Manager Main Window.
Follow this procedure from within the Template Manager on a static template or
a variable template instance, to perform validation of the template ACEs.
Step 2
Right-click and select ACE Validator from the menu that pops up
or
Select Tools > ACE Validator.
The ACE Validation Results dialog box appears (see Figure 14-1).
The ACE Validation Results dialog box may not appear immediately if you are
running the validation check on a large ACL or on a large number of ACEs.
However, you can continue with other tasks, using ACL Manager during the
validation check.
The left pane displays the selected ACEs with the invalid ACEs highlighted in red.
Step 3
Color Highlight    Meaning
White              Valid
Red                Invalid
Light green        Redundant
Step 4
Color Highlight    Meaning
White              Valid
Maroon             Conflict
Dark pink          Redundant-conflict
Blue               Unresolvable
Use the arrow icons to navigate among the colored ACEs listed in the left and right
panes.
To see the details of an invalid relationship that a pair of ACEs share, select
an invalid ACE in the right pane.
The Details button in the ACE Validation Results dialog box is enabled.
If you click the Details button, the ACE Validation Details dialog box appears
(see Figure 14-2).
The ACE Validation Details dialog box displays the relationship details between
selected pairs of ACEs. For details about the ACE Validation Details dialog
box, see Viewing ACE Validation Details.
You can keep both the ACE Validation Results dialog box and the ACL Manager
Main Window open together. This enables you to check for the invalid entities
and make your corrections without closing one window and opening the other.
If you have made modifications to an entity in your Devices folder (or in the
Template Manager), click Refresh in the ACE Validation Results dialog box to
perform a validation check on the modified entities.
Step 5
Viewing ACE Validation Details
Procedure
Step 1
Select an invalid ACE in the right pane of the Validation Results dialog box (see
Performing a Validation Check on a Logical Entity) and click Details.
The ACE Validation Details dialog box appears (see Figure 14-2).
Figure 14-2 ACE Validation Details
The following details are displayed in the ACE Validation Details dialog box:
Invalid Relationship
The invalid relationship between the first group of ACEs and the second group
of ACEs is displayed in-between the two groups. For example, the relationship
between the groups is displayed as:
Has a redundant relationship with the ACE
or
Has a conflicting relationship with the ACE
The selected logical entity (ACEs, ACL, or template) from the right pane of the
ACE Validation Results dialog box.
The ACEs that are displayed in the ACE Validation Details dialog box are
indexed:
Index               Example    Meaning
                    [1]
Sub-index Number    --> [1]
Step 2
Validating Modified ACEs
Procedure
Step 1
Select the required ACL from within your ACL Manager Main Window.
Step 2
Select ACL > Show All Changes from the ACL Manager Main Menu.
The ACEs that you modified (either edited, or added) are highlighted in the right
pane of the ACL Manager Main Window in light lavender color.
ACEs that you may have deleted are not displayed.
You can right-click on the highlighted ACEs and select ACE Validator from the
pop-up menu.
The ACE Validation Results dialog box appears.
To use this dialog box, see Performing a Validation Check on a Logical Entity.
Chapter 15
Create a job definition and save it for another user with download access to
the device, to download the job.
The tasks you can perform using the Job Download Wizard and the Job Browser
are:
Scheduling Downloads
Rescheduling Jobs
Procedure
Step 1
Select Resource Manager Essentials > Administration > Job Approval > Edit
Preferences.
Step 2
Step 3
Select the Enable Job Approval check box to enable or disable Job Approval in
ACL Manager.
Step 4
To receive email notification, set the SMTP server on Windows 2000 server using
Resource Manager Essentials > System Configuration.
Note
Scheduling Downloads
You can use the Job Download Wizard to select the devices or the specific
changed entities (ACLs, ACL Uses or Time Ranges) in your Devices folder, and
schedule downloads.
Permissions to create job definitions and schedule job downloads are based on
your ACL Manager role, if role-based access control is enabled. To enable
role-based access control, see the Installation Guide for ACL Manager.
Depending upon your role, you can perform these tasks:
Role              Tasks
Download ACLs
Modify ACLs       Immediate Download
                  Download Wizard.
                  Scheduling downloads using the Job Browser,
Procedure
Step 1
In the ACL Manager Main Window, do one of the following to display the Job
Download Wizard:
Procedure
Step 1
Select the devices and the changed entities for the device. See Selecting the
Devices and the Changed Entities.
Step 2
Select the job definition options to apply. See Defining the Job and Selecting the
Job Options.
You can choose to schedule the download. See Scheduling the Download Using
the Job Download Wizard.
If you do not schedule a download, or if you do not have permissions to schedule
a download, another user with download rights can schedule a download using the
Job Browser. See Scheduling Job Downloads Using the Job Browser.
Step 3
Procedure
Step 1
Click the Expand icons for the devices in the Select Changed Entities pane.
The changed entities within the devices, appear. These changed entities could be
ACL Definitions, ACL Uses or Time Ranges.
Step 2
Click the Expand icons for ACL Definitions, ACL Uses, or Time Ranges.
The changed ACLs, ACL Uses, or Time Ranges within the folders appear in the
pane. The version of each entity appears in brackets against its name or number.
The icons for the changed entities indicate the following changes:
Icon     Meaning
         Newly created ACL.
         Modified ACL.
         Deleted ACL.
         Deleted Interface Use.
ACL Manager allows you to select the changed entities that should be downloaded
for each device.
You can select the check box:
Click Next.
The Select Job Options panel of the Job Download Wizard opens. See Defining
the Job and Selecting the Job Options.
In the Select Changed Entities pane of the Job Download Wizard, before you
move on to specify the job options, you can verify the configuration changes on
the entities.
To see the configuration changes on the entities, select the check boxes for the
entities and click on the Diff button. The Config Diff Viewer opens, and you can
see the differences in configuration, for the selected changed entities. For details,
see Chapter 3, Verifying Device Configuration Changes.
Procedure
Step 1
Select the changed entities for download in the Select Changed Entities pane of
the Job Download Wizard (see Selecting the Devices and the Changed Entities).
Step 2
Click Next.
The Select Job Options pane of the Wizard appears (see Figure 15-3).
Step 3
Enter a name for the job in the Job Definition Name field.
Step 4
Enter a description for the job definition, in the Job Definition Description field.
Use a description you can locate easily if you want to browse the jobs later.
Step 5
Select one of the Failure Policy options, using the appropriate radio button, to
define the Failure Policy for the job.
The failure policy that you specify here determines the action to be taken by
ACL Manager if the job download fails.
Failure Policy Option    Description
Rollback on Failure
Continue on Failure
Stop on Failure
Step 6
Select one of the configuration download options, using the appropriate radio
button, to define the Execution Policy for the job.
The Execution Policy that you specify here determines the mode of download of
configuration on the devices.
buttons.
b. Click OK.
To copy the running configuration to the startup files of the device, after the
download is complete, select Update Startup Configuration.
Note
Check the Schedule Job Definition option to schedule a job using the Job
Download Wizard, if it is enabled for you.
See this table for details of the Schedule Job Definition option:
Schedule Job Definition Option    Description
Enabled                           You have role-based access to the devices for which you are
                                  defining the job.
                                  To schedule a job using the Job Download Wizard:
                                  1.
                                  2.
                                  You do not have role-based access to the devices for which you
                                  are defining the job.
                                  The Job Summary pane of the Job Download Wizard appears
                                  when you click the Next button in the Schedule Job pane.
                                  See Viewing the Job Summary for details.
                                  If you have created any job definitions but not scheduled them,
                                  a user with a Downloader role can access your job definitions
                                  using the Job Browser and schedule a job download.
                                  See Browsing Job Status and Viewing Results for details.
Step 8
Click Next.
If you have checked the Schedule Job Definition box in Step 5, the Schedule
Job pane appears next (see Figure 15-4) in the Job Download Wizard. See
Scheduling the Download Using the Job Download Wizard, for details.
If you have not checked the Schedule Job Definition box in Step 5, or it is
disabled for you, the Job Summary pane appears next (see Figure 15-5) in the
Job Download Wizard. See Viewing the Job Summary, for details.
If you have enabled change approval for the job, the Job Definition will go
through change approval processing after you have created it. See
Approving or Rejecting Changes for details.
Procedure
Step 1
Select one of these Protocol Options from the Schedule Job pane:
Step 2
Schedule At: Runs the job at a future date and time. Specify the date and the
time in hours and minutes.
If you want ACL Manager to override any out-of-band changes that may not have
been resolved, select Override Out-of-band Changes. See Managing
Out-of-Band Changes to Device Configuration.
If you select this option, the changes that you have scheduled for
downloading on to the selected devices, will supersede any configuration
changes that may have been directly on the device.
If you do not select this option, the job will run only if the configuration on
the device matches the baseline configuration. If you schedule a job and
someone changes the device configuration in the meantime, the job will fail.
The devices are not physically remote, in case you have selected TFTP as the
download protocol, to avoid transport-related download failures.
If you have PIX devices in your network along with other devices, create two
different job definitions, one for the PIX devices and the other for the CatOS
and IOS devices, because this option is not available for PIX devices.
After using the Minimal Download Verification option, if you want to verify that
your changes have reached the devices, you can run a check on the devices for
Out-of-Band changes.
For details about checking for Out-of-Band changes, see Chapter 15 Managing
Out-of-Band Changes to Device Configuration.
If you want to be notified about the job download status after completion, select
Email me.
Step 3
Click Next.
The job is scheduled and the Job Summary pane appears. See Viewing the Job
Summary.
Procedure
Step 1
Specify the job options and click the Next button in the Select Job Options pane.
or
Specify the job options, schedule a job download, and then click the Next button
in the Schedule Download pane.
See Step 7 of the procedure in Defining the Job and Selecting the Job Options,
for details.
The Job Summary pane appears (see Figure 15-5).
The changed entities that you selected for the job definition, appear in the
Selected Entities table of the Job Summary pane.
The columns in the Selected Entities table are:
Column
Description
Device
Entity Name
Entity Type
Version
Change Category
In the Job Summary pane, you can verify the following Job Definition and Job
Download options that you may have already specified using the Job Download
Wizard:
                      Description
Definition Options    Displays the options that you selected in the Select Job
                      Options pane.
Download Options      Displays the options that you selected in the Schedule
                      Download pane.
                      This tab is enabled only if you have scheduled a job using
                      the Schedule Download pane of the Job Download Wizard.
If you want to change any of the options, use the Back button to navigate to the
appropriate pane of the Job Download Wizard. Make the necessary changes and
return to the Job Summary pane.
Step 2
Click Finish after you complete your verification of the Job Summary.
ACL Manager displays the Job Definition ID in a pop-up message box for your
reference. The Job Definition and the Job Download options (if you have specified
them) are saved.
You can use the Job ID to track the status of the job. ACL Manager alerts you if
there is a problem with a job schedule time; see Browsing Job Status and
Viewing Results.
The device configuration does not change until a job runs and configuration
changes are downloaded to the device.
To open the Config Diff Viewer, click the Diff button in the Select Changed
Entities pane of the Job Download Wizard, see Defining the Job and Selecting
the Job Options. You can also select Tools > Diff Viewer in the ACL Manager
Main Window to open the Config Diff Viewer.
View all scheduled jobs, their status and other details, such as the creator, the
scheduler, the approver, the time of creation, scheduled time of download,
and completion time of download.
Schedule job downloads using the Job Browser, if you have role-based
download access to the devices (see Scheduling Job Downloads Using the
Job Browser.)
Procedure
Step 1
Select either:
ACL Manager > Job Management > Job Browser from the CiscoWorks
desktop.
or
Tools > Job Browser from the ACL Manager Main Window.
The Job Browser dialog box displays all job definitions and scheduled jobs (see
Figure 15-6).
If you want to display jobs based on Job Status or Job User, click on the required
radio button. The information in the browser is filtered based on your selection.
Step 2
Column                Description
Job Definition ID
Definition Name       Name of the job definition that was entered in the Select Job
                      Options pane of the Job Download Wizard.
Creator
Time Created
Description
Job Status
Scheduler
Job ID
Scheduled At
Finish Time
Approval ID

Job Status            Meaning
Running               Job is running.
Pending
Scheduled
Pending (Approved)
Rejected
Failed
Partial success
Success
Action
Close
Refresh
Schedule
Results
Reschedule
Delete
Help
If you want to view the job status by device, select the job and click Results. The
Job Results window displays the status for all devices for that job (see
Figure 15-7).
The Status column in the Job Results window can have these values:
Status                  Meaning
Not attempted
Pending
Partial
Pre-download failure
Downloaded
Rejected
If you want to see the results of the download on the changed entities, select a
device from the Job Results dialog box (see Figure 15-7) and click Entity
Details....
The Job Entity Details window appears (see Figure 15-9).
Figure 15-9 Job Entity Details Window
The Job Definition ID and the Device Name details appear in the Job Entity
Details dialog box.
Column           Description
Entity
Type
Status

The Status column in the Job Entity Details window can have these values:
Status           Meaning
Verify failed
Pending
Downloaded
The group that downloads ACLs, based on their roles, if you have enabled
Role-based Access Control (see Chapter 9 Managing Tasks)
The users who define the jobs can mark the version of the entities that they want
the users with the Download ACLs role to download to the device.
This way, only the marked versions of the entities are downloaded to the device.
Procedure
Step 1
Select ACL Manager > Edit ACLs from ACL Manager to display the Edit ACLs
dialog box (see Chapter 3, Starting ACL Manager).
Step 2
Click Next, after checking the required options. For details on the options in this
dialog box (see Chapter 3, Starting ACL Manager).
The ACL Manager Main Window appears.
Step 3
In the ACL Manager Main Window, select Tools > Mark Changes for
Download....
The Mark Changes for Download dialog box appears (see Figure 15-10).
Figure 15-10 Mark Changes for Download
Step 4
Step 5
Select the entities (ACLs, ACL Uses or Time Ranges) that you want to mark for
the next run, by clicking their check boxes.
Step 6
Click OK.
A message appears that you will lose the existing marks for the entities you have
selected.
Step 7
Task
Diff
2.
OK
Cancel
Help
Procedure
Step 1
Select ACL Manager > Job Management > Pending Marks Browser from the
CiscoWorks desktop.
or
Open it from the Mark Changes for Download dialog box using the Show Pending
Marks button (see Marking Changes for Download).
The Pending Marks Browser appears (see Figure 15-11).
Figure 15-11 Pending Marks Browser
Column              Description
Device Name
Entity Name
Entity Type
Entity Version
Change Category
Entity Status
Marked Time
Approval ID
If you want to display jobs based on Job Status or Job User, click on the required
radio button. The information in the browser is filtered based on your selection.
To refresh the data in the browser, click Refresh.
If you want to delete a mark, select it, and click Delete. A message prompts you
to confirm the deletion. Click Yes to delete the mark.
If you want to schedule a download for a marked entity, select it, and click
Schedule. This button is enabled only for users with a Downloader role.
The Schedule Job dialog box opens. To schedule the job, see the procedure in the
topic, Scheduling the Download Using the Job Download Wizard.
Procedure
Step 1
ACL Manager > Job Management > Job Browser from the CiscoWorks
desktop.
or
Tools > Job Browser from the ACL Manager Main Window.
Select the job definition that you want to schedule for download, and click
Schedule.
The Job Download dialog box appears. The options in this dialog box are the same
as those in the Schedule Job pane of the Job Download Wizard. See Scheduling
the Download Using the Job Download Wizard.
Step 3
Click OK.
The job is scheduled.
Get information on all the jobs that are running, including ACL Manager
jobs.
Remove jobs.
(For details of ACL Manager Jobs, see Browsing Job Status and Viewing
Results, see Figure 15-7).
Use the Job Resource Manager (JRM) of CiscoWorks to browse jobs, release
resources, stop and remove jobs.
Select Server Configuration > Administration > Job Management from the
CiscoWorks desktop, to perform these tasks.
Rescheduling Jobs
You can edit and reschedule jobs that have or have not been completed, using the
ACL Manager Job Browser.
To reschedule a job:
Procedure
Step 1
Select either of the following to display the Job Browser dialog box:
ACL Manager > Job Management > Job Browser from the CiscoWorks
desktop.
or
Tools > Job Browser from the ACL Manager Main Window.
Step 3
Change the download options, schedule the date and time, and click OK.
If the job that you are rescheduling has failed devices, the following message
appears:
Job contains failed devices. Do you want to reschedule for failed
devices only?
Click Yes to reschedule the job download for only the failed devices. A new job
is created for these failed devices, while the old job remains intact.
To reschedule the job for all the devices, click No. A new job (with a new job ID)
will be created.
A device is said to be a failed device if:
If you reschedule the download only on the failed devices, the download will be
faster.
Procedure
Step 1
To display the Job Browser dialog box, select either of the following:
ACL Manager > Job Management > Job Browser from the CiscoWorks
desktop.
or
Tools > Job Browser from the ACL Manager Main Window.
Step 3
Click Delete.
Workaround
Ensure that the device is reachable and you can telnet to the device.

An Out-of-Band change was detected on the device on which the download is
running, and you have not checked the option overwrite Out-of-Band changes.
Workaround
Click the Reschedule button in the Job Browser, and reschedule the
download to take place after 15-20 minutes.
or
Before rescheduling, you can check details of the job that is already
running, as follows:
If you are sure it is an ACL Manager job, use the Job Browser to
currently on the device, use the JRM Job Manager to see the job
details.
On the CiscoWorks desktop:
1.
2. Select the required job and click on the Job Details button.
The Job Results window of ACL Manager appears (see Figure 15-7).
3. Check the job details here and reschedule your job accordingly, by
clicking the Reschedule button in the Job Browser (see Figure 15-6).
Chapter 16
Optimizing ACLs
These topics describe optimization and how you can optimize your ACLs for
better performance:
Each packet through an interface may be compared against all the ACE
statements in an ACL used on the interface until one of the statements is a
hit.
Using ACL Optimizer or Hits Optimizer changes the physical view of the ACL. It
does not change the logical view. Any change made to the logical view (including
re-ordering ACEs) will re-create the physical view, so the optimizations will
be lost and must be re-done.
ACL Optimizer
The goal of the ACL Optimizer is to minimize the number of ACEs in an ACL. It
accomplishes this by:
Removing covered ACEs. In the following example, the second original ACE
covers the first.
Original ACEs
Optimized ACEs
ACL Optimizer and Hits Optimizer
Merging covered ACE port ranges: In the following example, the port range
for the second original ACE combines with the port range of the first original
ACE to cover the entire set of port ranges:
Original ACEs
Optimized ACEs
Reordering ACEs is performed only if the new order does not change ACL
semantics. For example, ACL Manager will not reorder ACEs in the following
way:
Original ACEs (# Hits)
Note
Standard IP ACLs and VACLs do not support Hit Counters, so the Hits Optimizer
is not available for these types of ACLs.
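The following Python program is an added example, not code from ACL Manager or from this guide. It models the relationships the ACE Validator reports in Chapter 14 (an earlier ACE that covers a later one makes the later one redundant when the actions agree and, as assumed here, conflicting when they differ; the redundant-conflict and unresolvable cases are not modelled) and the three optimizations described above: removing covered ACEs, merging touching port ranges, and reordering by hit count only where a swap cannot change the ACL's semantics. The ACE model (action, protocol, source and destination networks, destination port range, hit count) and the sample ACL are constructed for the example; the lookup function is included so that you can confirm the optimized ACL answers the same as the original for any packet.

```python
"""Toy model of the ACE Validator checks (Chapter 14) and the ACL Optimizer and
Hits Optimizer passes (Chapter 16) for IP extended ACEs. Added example, not ACL
Manager code: the ACE fields and the meaning of "conflict" are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    ports: tuple = (0, 65535)   # inclusive destination port range
    hits: int = 0               # hit counter read from the device

def covers(a, b):
    """Every packet that matches b also matches a."""
    return (a.proto in ("ip", b.proto) and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def overlaps(a, b):
    """Some packet matches both a and b."""
    return (("ip" in (a.proto, b.proto) or a.proto == b.proto) and a.src.overlaps(b.src)
            and a.dst.overlaps(b.dst) and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])

def validate(acl):
    """ACE Validator: (earlier, later, relationship) for each invalid pair. An earlier ACE
    covering a later one makes it unreachable: redundant if the actions agree, else conflict."""
    report = []
    for i, a in enumerate(acl):
        for j in range(i + 1, len(acl)):
            if covers(a, acl[j]):
                report.append((i, j, "redundant" if a.action == acl[j].action else "conflict"))
    return report

def _safely_covered(acl, i, j):
    """acl[i] can be dropped because acl[j], with the same action, covers it."""
    a, b = acl[i], acl[j]
    if a.action != b.action or not covers(b, a):
        return False
    # An earlier covering ACE already hides acl[i]; a later one allows removal only
    # if no opposite-action ACE in between could catch acl[i]'s packets first.
    return j < i or not any(k.action != a.action and overlaps(k, a) for k in acl[i + 1:j])

def remove_covered(acl):
    """ACL Optimizer: drop ACEs covered by another ACE with the same action."""
    result, i = list(acl), 0
    while i < len(result):
        if any(_safely_covered(result, i, j) for j in range(len(result)) if j != i):
            del result[i]
        else:
            i += 1
    return result

def merge_port_ranges(acl):
    """ACL Optimizer: fold neighbouring ACEs that differ only by touching or
    overlapping port ranges into one ACE."""
    result = []
    for ace in acl:
        prev = result[-1] if result else None
        same = prev is not None and (prev.action, prev.proto, prev.src, prev.dst) == (
            ace.action, ace.proto, ace.src, ace.dst)
        if same and ace.ports[0] <= prev.ports[1] + 1 and prev.ports[0] <= ace.ports[1] + 1:
            ports = (min(prev.ports[0], ace.ports[0]), max(prev.ports[1], ace.ports[1]))
            result[-1] = replace(prev, ports=ports, hits=prev.hits + ace.hits)
        else:
            result.append(ace)
    return result

def hits_optimize(acl):
    """Hits Optimizer: bubble high-hit ACEs upward, but swap two neighbours only
    when that cannot change semantics (they are disjoint or share an action)."""
    acl, swapped = list(acl), True
    while swapped:
        swapped = False
        for i in range(len(acl) - 1):
            x, y = acl[i], acl[i + 1]
            if y.hits > x.hits and (not overlaps(x, y) or x.action == y.action):
                acl[i], acl[i + 1], swapped = y, x, True
    return acl

def lookup(acl, proto, src, dst, port):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for ace in acl:
        if (ace.proto in ("ip", proto) and ip_address(src) in ace.src
                and ip_address(dst) in ace.dst and ace.ports[0] <= port <= ace.ports[1]):
            return ace.action
    return "deny"

NET = IPv4Network
# Constructed sample: ACE 1 extends ACE 0's port range, ACE 3 is shadowed by the
# deny above it (conflict), ACE 5 is covered by ACE 4 (redundant).
SAMPLE_ACL = [
    Ace("permit", "tcp", NET("10.1.1.0/24"), NET("192.0.2.10/32"), (80, 80), hits=5),
    Ace("permit", "tcp", NET("10.1.1.0/24"), NET("192.0.2.10/32"), (81, 443), hits=2),
    Ace("deny", "ip", NET("10.1.0.0/16"), NET("192.0.2.0/24"), hits=900),
    Ace("permit", "tcp", NET("10.1.1.0/24"), NET("192.0.2.10/32"), (22, 22), hits=0),
    Ace("permit", "udp", NET("10.2.0.0/16"), NET("198.51.100.53/32"), (53, 53), hits=300),
    Ace("permit", "udp", NET("10.2.5.0/24"), NET("198.51.100.53/32"), (53, 53), hits=0),
]

if __name__ == "__main__":
    print(validate(SAMPLE_ACL))   # [(2, 3, 'conflict'), (4, 5, 'redundant')]
    for ace in hits_optimize(remove_covered(merge_port_ranges(SAMPLE_ACL))):
        print(ace.hits, ace.action, ace.proto, ace.src, ace.dst, ace.ports)
```

The deny ACE with 900 hits stays below the first permit even though it is hotter, because the two overlap with opposite actions; moving it would change which packets the ACL permits. That is the semantic check this guide says the Hits Optimizer applies before reordering.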
Procedure
Step 1
From the ACL Manager Main Window, select the ACL that you want to optimize.
In Figure 16-1, ACL 7 is selected.
Using the ACL Optimizer
Step 2
Step 3
Using the ACL Hits Optimizer
Step 4
If you are satisfied with the optimization, click Done to return to the previous
display.
Step 5
Procedure
Step 1
From the ACL Manager Main Window, select the ACL you want to optimize, for
example, ACL 103 (see Figure 16-4).
Figure 16-4 ACL to be Hit Optimized
Step 2
Step 3
If you are satisfied with the optimization, click Done to return to the previous
display.
Step 4
Resetting Hit Counters
Procedure
Step 1
Step 2
Select All Devices, then select those devices for which you want the hit counter
reset to zero.
Step 3
Click Finish.
Procedure
Step 1
In the ACL Manager Main Window, select a device from the Devices folder.
Step 2
Note
You should be in the physical view of an ACL to view the hits from a
device.
Chapter 17
All change requests that are approved, rejected, expired, or pending approval.
You can view the reports in your browser window, save them for review later, or
print them out for reference.
Your login determines the type of reports that you can generate. That is, you can
generate reports of only those devices for which you have rights, based on the user
group that you belong to, when Role-based Access Control is enabled.
To enable Role-based Access Control, see the Installation Guide for ACL
Manager.
You can generate the following reports:
Procedure
Step 1
Select Administration > ACL Manager Reports > Time Range Changes.
The first Time Range Events in Selected Time Frame Report dialog box opens.
Step 2
Step 3
Step 4
Enter the end time in hours (0 to 23) and minutes (0 to 59). The end time should
be greater than the start time.
Step 5
Click Next.
The second Time Range Events in Selected Time Frame Report dialog box opens.
Step 6
From the Available Event Types box, select the events that you require for the
report, and click Add.
The selected events move to the Selected Event Types box.
Step 7
Click Next.
The third Time Range Events in Selected Time Frame Report dialog box opens.
Step 8
Select a device view from the Views column, for example, All Devices.
The devices corresponding to the selected view appear in the Devices column.
Step 9
Select the devices for which you would like to see the report.
ACL Manager allows you to select any device from the Device Selector dialog
box. If you do not have access rights to some of the devices, you will see a
message indicating this. Only the devices that you have rights to access are
selected.
Step 10
Click Finish.
The Time Range Events in Selected Time Frame Report opens in a separate
browser window.
The fields in the Time Range Events in Selected Time Frame Report are:
Fields                 Explanation
Device ID
Occurred Event Type    Type of the event. For example, Time Range Active,
                       Time Range Expired.
Comments
Type of Change
Recorded At
Procedure
Step 1
Select Administration > ACL Manager Reports > Change Approval Status.
The Change Approval Status Report dialog box opens.
Step 2
Select the change request status from the drop-down list box.
Step 3
Click Next.
The Approver Group dialog box opens.
Step 4
Step 5
Click Finish.
The Change Approval Status Report opens in a separate browser window.
Fields                 Explanation
Change ID
Status of Request
Submitter Name
Submitter Comments
Submitted Time
Approver Group Name    Name of the Approver Group that has rights to approve
                       this change request.
Approver Comments
Approver Name
Approval Time
Procedure
Step 1
Step 2
From the Available Event Types box, select the events that you require for the
report, and click Add.
The selected events move to the Selected Event Types box.
Step 3
Click Next.
The second Out-of-Band Changes Report dialog box opens.
Step 4
Select a device view from the Views column, for example, All Devices.
The devices corresponding to the selected view appear in the Devices column.
Step 5
Select the devices for which you would like to see the report.
ACL Manager allows you to select any device from the Device Selector dialog
box. If you do not have access rights to some of the devices, you will see a
message indicating this. Only the devices that you have rights to access are
selected.
Step 6
Click Next.
The third Out-of-Band Changes Report dialog box opens.
Step 7
Enter the start date and end date to specify the period for which you want to see
the Out-of-Band changes.
Step 8
Click Finish.
The Out-of-Band Changes Report opens in a separate browser window.
Fields             Explanation
Device Name
Type of Change
Entity Type
Entity Name/ID
Detected At
If Resolved        Resolved or unresolved.
Handled By
Procedure
Step 1
Select Administration > ACL Manager Reports > Approver Group Mapping
for Devices.
The Approver Group Mapping for Devices Report dialog box opens.
Step 2
Select one of these options as your filter criteria for the report and click Next:
Step 3
Fields                    Explanation
Device Name
Device Group Name         Name of the Device Group for the device.
Device Group Members
Approver Group Name
Approver Group Members
If you had selected Use Device Groups as Filter Criterion, the Approver Group
Mapping for Device Groups Report opens in a separate browser window.
The fields in the Approver Group Mapping for Device Groups Report are:
Fields                    Explanation
Device Group Name         Name of the Device Group for the device.
Device Group Members
Approver Group Name
Approver Group Members
Procedure
Step 1
Step 2
Select one of these options as your filter criteria for the report and click Next:
Step 3
Fields          Explanation
User Name
Task Name
Device Name
If you had selected Use Device Groups as Filter Criterion, the fields in the My
Task Mapping Report are:
Fields                Explanation
User Name
Task Name
Device Group Name     Name of the device group that you have access to.
Procedure
Step 1
Step 2
Step 3
Step 4
Click Finish.
The Task Mapping of User Group to Device Group Report opens in a separate
browser window.
The fields in the Task Mapping of User Group to Device Group Report are:
Fields                   Explanation
Task Name

Fields                   Explanation
User Name
User Group Membership
Procedure
Step 1
Select Administration > ACL Manager Reports > User Group Membership.
The User Group Membership Report dialog box opens.
Step 2
Step 3
Click Finish.
The User Group Membership Report opens.
The fields in the User Group Membership Report are:
Fields                   Explanation
User Name
User Group Membership
Chapter 18
Symptom
Probable Causes
Possible Solution
Error Message:
Start RmeGatekeeper.
To start RmeGatekeeper:
1.
2.
Symptom: Download Failed
Probable Causes:
Possible Solution: To do this:
1.
2.

Probable Causes: TACACS username and password in Resource Manager Essentials
do not match device.
Possible Solution: If you are using TACACS, match the TACACS username and
password in Resource Manager Essentials inventory with the device. Do not
specify the Local username and password in the Resource Manager Essentials
inventory.

Symptom: Download Job status: Download Failed
Probable Causes: ACL Manager uses the SNMP write Community string as well as
SNMP read Community string.
Possible Solution: Check that, for TFTP download, the SNMP Write Community
string has been updated in the Resource Manager Essentials Inventory.
Symptom
Probable Causes
Possible Solution
CHAPTER 19
Note
We recommend that users update the ACLs on applicable devices based on Cisco
Product Security Incident Response Team (PSIRT) Security Advisories. Updating
ACLs to mitigate vulnerabilities is a repetitive and cumbersome process since in
most cases it involves making the same changes on a number of devices.
This scenario describes how to mitigate the vulnerabilities using ACL Manager
effectively.
Prerequisites
In this scenario, you will use the following ACL Manager tools and features:
File Import (see the chapter Importing Configuration in the User Guide for
ACL Manager).
Template Manager (see the chapter Using the Template Manager in the User
Guide for ACL Manager).
Use Wizard (see the chapter ACL Manager Use Wizard in the User Guide
for ACL Manager).
ACL Downloader (see the chapter Scheduling and Downloading in the User
Guide for ACL Manager).
Handling Vulnerabilities
When a related vulnerability is announced, Cisco Systems posts the advisory on
http://psirt.cisco.com.
To tackle a vulnerability using ACL Manager, you must:
Procedure
Step 1
Import the published ACL into ACL Manager (see Importing the Published ACL
into ACL Manager).
Step 2
Create a template using the imported ACL (see Creating a Template Using the
Imported ACL).
Step 3
Step 4
Deploy the ACL on devices (see Deploying the ACL on the Devices).
Procedure
Step 1
Go to the appropriate web page and copy the ACEs recommended in the PSIRT
Security advisory from the web page.
For example, for the vulnerability being discussed in this example, the advisory
is available at:
http://www.cisco.com/warp/public/707/cisco-sa-2030717-blocked.shtml
Select and copy these ACEs (which help secure a Cisco IOS interface that is
blocked by IPv4 packets):
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any
Step 2
From the CiscoWorks desktop, select ACL Manager > Edit ACL Templates.
The Template Manager main window opens.
Step 3
Step 4
Select the option Upload Config from Editor in the File Import wizard, and click
Config Editor.
The Config Editor dialog box opens.
Step 5
Paste the ACEs that you copied from the web page (http://psirt.cisco.com) in
Step 1 into this window.
User Guide for ACL Manager
Step 6
Click OK.
If the ACL that you copied (ACL 101) already exists in the Imported Entities
folder of ACL Manager, select Replace Already Existing Entities, in the File
Import wizard.
Step 7
Click Next.
The Import Summary window opens and displays the ACL that you imported.
Step 8
Click Finish.
Procedure
Step 1
In the left pane of the Template Manager main window, go to Root > Imported
Entities > Router > ACL Definitions.
Step 2
Step 3
Step 4
Step 5
Step 6
Enter a name for the template that you are creating. For example, Vulnerabilities.
Ensure that you select the template type as Static.
Step 7
Select OK.
Step 8
From the Template Manager main window, go to Root > Template Root
Directory > Vulnerabilities.
Step 9
Step 10
Step 11
In the Check In dialog box, enter an appropriate check-in comment and click OK.
The template, Vulnerabilities, is checked in.
Step 12
Right-click on the template, Vulnerabilities, and select Set Master Version from
the pop-up menu.
This version will be deployed on the devices.
Procedure
Step 1
From the Template Manager main menu, select Tools > ACL Manager.
The ACL Manager Main Window appears.
Step 2
From the ACL Manager Main Menu, select Tools > ACL Use Wizard.
The Template Selection dialog box appears.
Step 3
Navigate to the location (or folder) where you have created the template
Vulnerabilities.
Step 4
Select the template Vulnerabilities. (Click Expand if you want to verify the
constituent ACEs.)
Step 5
Click Next.
The Device Selection dialog box appears.
Step 6
Select the devices on which you want to deploy the template Vulnerabilities.
Step 7
Enter a name for the ACL in the ACL Name or Number field. For example, the
ACL name can be Vulnerabilities_eliminator.
Before entering a name, ensure that Autonumber the New ACL? is not selected
in the Device Selection dialog box.
If you are deploying the template for the first time, you should select only these
two options from the Device Selection dialog box
When you deploy the template subsequently, you may select other options.
Step 8
Click Finish.
The Results window appears and displays the devices and the ACL. In this
window, the template that you earlier selected (Vulnerabilities) is included in the
ACL that is created on the selected devices.
Step 9
Step 10
Step 11
Click Next.
The Interface Selection dialog box appears, displaying the interfaces of the first
device.
In this dialog box, you can choose all the interfaces or select some of them in the
incoming or outgoing directions, or in both directions.
If you want to tackle the vulnerabilities on all the interfaces for the device in the
incoming direction, enter * in the text field for the option Apply on all the
interfaces in the in direction starting with. This will select all the interfaces
in the incoming direction.
Also select the checkbox for the option Treat all subsequent devices similar to
this device?
For details of other options, see the chapter ACL Manager Use Wizard in the
User Guide for ACL Manager.
Step 12
Click Next.
The Summary window appears, with the interfaces for all the devices on which
this ACL has been used.
Step 13
Ensure that Checkout and overwrite latest version of existing ACL Uses? is
selected.
Step 14
Click Finish.
The results window appears with the ACL Vulnerabilities_eliminator applied in
the incoming direction on all the interfaces of the devices you have selected.
Step 15
Click Close.
Procedure
Step 1
From the ACL Manager Main menu, select Tools > ACL Downloader.
The Select Changed Entities pane of the Job Download wizard appears, displaying
all the devices on which you have modified the ACLs and their uses.
Step 2
Select only those devices on which you want to deploy the ACL
Vulnerabilities_eliminator.
Step 3
Select their respective ACL Uses folder. Also select the ACL created on those
devices.
If you are sure that the only changes that have occurred are those made through
the Use Wizard (that is, the creation of the ACL Vulnerabilities_eliminator and its
Uses), select the option All Entities at the root level. This selects all the changed
entities under it.
Step 4
Click Diff to go to the respective devices and see what is being downloaded
on them.
Click Delta if you want to see the actual IOS commands being generated for
the devices.
Click Next.
The Select Job Options pane of the Job Download wizard appears.
Step 5
Step 6
Retain the default selections for the options in this pane and click Next.
The Select Job Definitions pane of the Job Download wizard appears.
Step 7
Select TFTP as your download protocol if you have selected many devices, since
the download will be faster. You may also select Minimal Download Verification
for a quicker job download.
Step 8
Step 9
Click Email me if you want to receive an email regarding your job status.
Step 10
Click Next.
The Job Summary pane of the Job Download wizard appears.
Step 11
Select Finish.
The download job is created.
To verify this job, you can navigate to the Job Browser (ACL Manager > Job
Management > Job Browser) and see the status of your job. If you have
configured email, you will receive an email after the job is complete.
Procedure
Step 1
Step 2
From the CiscoWorks desktop, select ACL Manager > Edit ACL Templates to
open the Template Manager main window.
Step 3
Navigate to the template, Vulnerabilities and open the Template Device Uses
folder.
All the devices to which this template has been deployed are listed in the right
pane.
Procedure
Step 1
Go to the appropriate web page and copy the ACEs recommended in the advisory
from the web page.
For example, for the vulnerability being discussed in this example, the advisory
is available at:
http://www.cisco.com/warp/public/707/cisco-sa-2030717-blocked.shtml
Win32.Blaster Worm ACEs:
! --- block TFTP
access-list 115 deny udp any any eq 69
! --- block W32.Blaster related protocols
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
! --- block other vulnerable MS protocols
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
Step 2
Use the File Import Wizard as before, to import the ACL 115 into ACL Manager.
For the procedure, see Importing the Published ACL into ACL Manager.
The ACEs are imported.
Step 3
Go to Root > Imported Entities > Router > ACL Definitions in the left pane of
the Template Manager main window.
Step 4
Step 5
Right-click in the right pane where the ACEs are displayed and select Copy.
Step 6
Step 7
Step 8
Step 9
Select Paste.
The ACEs that you copied are pasted.
Step 10
Right-click on the template, and select Check-in from the pop-up menu that
appears.
Step 11
In the Check In dialog box, enter an appropriate check-in comment and click OK.
The template, Vulnerabilities, is checked in.
Step 12
Right-click on the template, Vulnerabilities, and select Set Master Version from
the pop-up menu.
This version will be deployed on the devices.
Step 13
Step 14
Step 15
Step 16
Select all the rows in the Bulk Update dialog box and click Initiate Download.
The Job Download wizard appears. Schedule a download job (see Deploying the
ACL on the Devices).
Step 17
After a successful job download, open Template Manager and open the folder
Template Device Uses.
You will see that all the Template Device Uses in the right view are now displayed
as true.
Once this process is in place, tackling vulnerabilities with ACL Manager becomes
easier: you only need to update the existing template, perform a Bulk Update, and
download the template to the devices. Because the ACL Uses already exist on the
devices, you do not need to modify the uses.
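Before an advisory ACL goes into a template, it is worth checking the copied ACEs themselves. The following Python checker is an added example, not code from this manual or from ACL Manager: it parses IOS numbered extended ACEs in the form shown above (ACL 115 is embedded as copied from this page), reports any ACE that an earlier ACE shadows (a deny that a preceding permit makes unreachable never mitigates anything), and reports whether the list ends with an explicit catch-all, since IOS otherwise applies its implicit deny to every flow the list does not name. The BAD_ORDER list is constructed for the example to show the shadowing case; the address and port keywords handled are the standard IOS ones, and the choice of checks is the example's own.

```python
"""Added example (not ACL Manager code): parse IOS numbered extended ACEs copied
from an advisory and sanity-check ordering and the trailing catch-all."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NUMBERS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}   # 0 stands for "ip" (any protocol)
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "domain": 53, "tftp": 69, "www": 80}
ANY = ipaddress.IPv4Network("0.0.0.0/0")

@dataclass(frozen=True)
class Ace:
    acl: str
    action: str                 # "permit" or "deny"
    proto: int                  # IP protocol number; 0 = ip, matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]     # None = any destination port
    text: str                   # original line, kept for reporting

def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted subnet masks: 0.0.0.255 -> 255.255.255.0
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(t[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((t[i], str(netmask)), strict=False), i + 2

def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines; '!' lines are comments."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line}")
        proto = PROTO_NUMBERS[t[3]] if t[3] in PROTO_NUMBERS else int(t[3])
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
        aces.append(Ace(t[1], t[2], proto, src, dst, port, line))
    return aces

def _covers(a: Ace, b: Ace) -> bool:
    """True if every packet matching b would already have matched a."""
    return ((a.proto == 0 or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and (a.dst_port is None or a.dst_port == b.dst_port))

def find_shadowed(aces: List[Ace]) -> List[Tuple[int, int]]:
    """(earlier, later) index pairs where the later ACE can never match; a deny
    shadowed by an earlier permit silently disables the mitigation it came from."""
    return [(i, j) for j in range(len(aces))
            for i in range(j) if _covers(aces[i], aces[j])]

def ends_with_catch_all(aces: List[Ace]) -> bool:
    """IOS ends every ACL with an implicit 'deny ip any any'; a list without an
    explicit catch-all drops every flow it does not name."""
    last = aces[-1]
    return last.proto == 0 and last.src == ANY and last.dst == ANY and last.dst_port is None

def check_acl(text: str) -> dict:
    aces = parse_acl(text)
    return {"aces": len(aces),
            "shadowed": [(aces[i].text, aces[j].text) for i, j in find_shadowed(aces)],
            "explicit_catch_all": ends_with_catch_all(aces)}

# ACL 115 exactly as copied on this page.
ACL_115 = """\
! --- block TFTP
access-list 115 deny udp any any eq 69
! --- block W32.Blaster related protocols
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
! --- block other vulnerable MS protocols
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
"""
# Constructed, not from any advisory: the Blaster denies appended after a blanket
# permit, the ordering mistake that turns them into dead entries.
BAD_ORDER = """\
access-list 120 permit tcp any any
access-list 120 permit udp any any
access-list 120 deny tcp any any eq 135
access-list 120 deny udp any any eq 135
access-list 120 permit ip any any
"""
```

Running `check_acl(ACL_115)` reports nine ACEs, no shadowing and no explicit catch-all: as copied, everything not listed would fall to the implicit deny, so check what the advisory intends to follow these entries before deploying. `check_acl(BAD_ORDER)` reports both Blaster denies as shadowed by the permits above them, which is the case a template review should catch.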
Prerequisites
In this scenario, you will use the following ACL Manager tools and features:
Template Manager (see the chapter Using the Template Manager in the User
Guide for ACL Manager).
Class Manager (see the chapter Using the Class Manager in the User Guide
for ACL Manager).
Use Wizard (see the chapter ACL Manager Use Wizard in the User Guide
for ACL Manager).
ACL Downloader (see the chapter Scheduling and Downloading in the User
Guide for ACL Manager).
To deploy, manage and track ACLs for partner networks you must:
Step 1
Step 2
Step 3
Step 4
Procedure
Step 1
ACL Manager > Edit ACL Templates from the CiscoWorks desktop
or
Tools > Template Manager from the ACL Manager Main Window.
Step 2
Step 3
Select File > New Folder from the Template Manager main menu.
The New Folder dialog box appears.
Step 4
Step 5
Click OK.
Step 6
Select the folder, Partners, from the Template Manager main window.
Step 7
Right-click and from the pop-up menu that appears, select New Template.
The Template Editor appears.
Step 8
Step 9
Step 10
Step 11
Click OK.
The template apac-partners is created.
For our example, this template will contain the following ACEs:
Example ACEs
! --- Allow web access
permit tcp <partners-network> any eq www
! --- Allow ftp access
permit tcp <partners-network> any eq ftp
permit tcp <partners-network> any eq ftp-data
Procedure
Step 1
Select the new template, apac-partners, that you created, and right-click on it.
A pop-up menu appears.
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Click OK.
The ACE is displayed in the right pane of the Template Manager main window.
This ACE contains the variable element, partner-net, which is displayed as:
$<partners-network>
Step 8
Similarly create the other ACEs that you need for this example (see Example
ACEs).
Note
In the ACE Editor, the variable that you created earlier is available in the
Variable drop-down box.
Step 9
After you create all the required ACEs, right-click on the template apac-partners.
A pop-up menu appears.
Step 10
Step 11
In the Check In dialog box, enter an appropriate check-in comment and click OK.
The template apac-partners is checked in.
Step 12
Right-click on the template, apac-partners, and select Set Master Version from
the pop-up menu.
The master version for the template is set.
Step 13
Create instances for the template, apac-partners (see Creating Variable Template
Instances).
Frontier Networks
Procedure
Step 1
Step 2
Select this folder, right-click and from the pop-up menu that appears, select New
Instance.
The Instance Editor appears.
Step 3
Step 4
Step 5
Click OK.
The Frontier-partner instance is created within the Instances folder. All the parent
variable template ACEs are copied to the instance. These are displayed in the right
pane when you select the instance. The new instance will be in the checked-out
state.
To assign the values to the variable elements in the ACEs, select the instance that
you have created (Frontier-partner).
The ACEs are displayed in the right pane.
Step 6
In this dialog box, you can only assign values to the variables. Everything else
will be disabled.
For our example, we will assume that you have already created a network
class corresponding to each partner. We will call these network classes,
Frontier-network and Ganga-network.
(To create network classes, see the chapter Using the Class Manager in the
User Guide for ACL Manager.)
Step 7
Step 8
Select the network class, Frontier-network, from the Network Class Browser
dialog box.
Step 9
Click OK.
The value, Frontier-network is assigned to the variable $<partner-net> and
appears in blue italics in the right pane of the Template Manager main window.
If this variable appears elsewhere in ACL Manager, the system will assign the
value for that variable, in all the ACEs.
Step 10
Check in the Instance, after assigning the values to all the variables in the
instances.
Step 11
Procedure
Step 1
Invoke the ACL Manager Main Window by selecting Tools > ACL Manager from
the Template Manager main window.
Step 2
Navigate to the device to which you want to deploy the template instances.
You can either:
Select an existing ACL and insert the template (see Selecting an Existing
ACL).
or
You can use ACL Use Wizard to create a new ACL consisting only of the new
instance (see Creating a New ACL Using the ACL Use Wizard).
Procedure
Step 1
Select the ACL from the ACL Definitions folder, right-click and check it out.
Step 2
Navigate to the appropriate position among the existing ACEs, right-click, and
select Include Template.
The Template Selection dialog box appears.
Step 3
Step 4
Procedure
Step 1
Select Tools > ACL Use Wizard from the Template Manager main window.
The Template Selection dialog box appears.
Step 2
Step 3
Click Next.
The Device Selection dialog box appears.
Step 4
Step 5
Step 6
Enter a name for the ACL in the ACL name or number field. For example,
Frontier-partner-access.
Step 7
Step 8
Step 9
Click Next.
The Interface Selection dialog box appears.
Step 10
Select the interface on which you want to use the ACL (access-group statement)
in the incoming direction (direction may vary based on your requirements).
If you have selected multiple devices, select the option Treat all Subsequent
Devices Similar to this Device? if the interfaces that you have selected exist on
these devices.
Step 11
Click Next.
The Summary dialog box appears with the uses created on the specified interfaces.
Step 12
Select the option Checkout and Overwrite the Latest version of ACL Uses?
Step 13
Click Finish.
The Results dialog box appears.
Step 14
Click Close.
Similarly follow these steps for creating the ACL Use for Ganga Electronics Inc.
Procedure
Step 1
From the Template Manager main menu, select Tools > ACL Downloader.
The Select Changed Entities pane of the Job Download wizard appears.
Step 2
Step 3
Step 4
Step 5
Tracking Instances
In this scenario, we shall consider two cases:
Procedure
Step 1
After making the appropriate changes, in the Template Manager, navigate to the
instance Frontier-partner, and check it out.
Step 2
Select the instance, right-click and select Update Logical Entities in the pop-up
menu.
This updates all the variable elements with the latest version of the Frontier-net
network class, which you modified.
Step 3
Step 4
Step 5
Double-click on the instance and select the folder Template Device Uses.
The template instance validity is displayed as false in the right pane.
Step 6
Step 7
Step 8
Select all the rows in the Bulk Update dialog box and click Initiate Download.
The Job Download wizard appears.
Step 9
Procedure
Step 1
Navigate to the parent variable template in the Template Manager main window.
Step 2
Step 3
Step 4
Step 5
Step 6
Select the parent variable template which has changed, and right click.
Step 7
Step 8
For our example, select both the options Check In Instances after
Reconciliation and Set the Master Version.
Step 9
Click OK.
The Reconcile Results window appears with the results of the reconciliation
operation.
Step 10
If new variables have been introduced in the variable template, the system
will not be able to check in the instances. The Reconcile Results window will
show the appropriate results. To check in successfully, you need to assign
values to the newly introduced variables.
Step 11
Step 12
Step 13
Select all the rows in the Bulk Update dialog box and click Initiate Download.
The Job Download wizard appears.
Step 14
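The partner scenario above relies on three things fitting together: a variable template whose ACEs reference `$<name>` variables, network classes bound to those variables in an instance, and the rendering that the device actually receives. The Python model below is an added example, not ACL Manager code, and walks both tracking cases described in this section: a network class that changes (Update Logical Entities, with the Template Device Use turning false until the new rendering is downloaded) and a parent template that gains a new variable (Reconcile, which cannot check the instance in until the variable has a value). The class contents, the second Frontier address block and the `partner-mail` variable are constructed for the example; the ACEs are the Example ACEs from this section.

```python
"""Added example (not ACL Manager code): a small model of a variable template,
network classes and an instance, showing rendering, Update Logical Entities,
Template Device Use validity and Reconcile."""
import itertools
import re
from typing import Dict, List, Set

VAR = re.compile(r"\$<([\w-]+)>")          # variable syntax shown on this page: $<name>

# Network classes: name -> IOS 'address wildcard' members (constructed values).
CLASSES: Dict[str, List[str]] = {
    "Frontier-network": ["192.0.2.0 0.0.0.255"],
    "Ganga-network": ["198.51.100.0 0.0.0.127", "198.51.100.128 0.0.0.127"],
}
# Parent variable template, as in the Example ACEs on this page.
APAC_PARTNERS = [
    "permit tcp $<partners-network> any eq www",
    "permit tcp $<partners-network> any eq ftp",
    "permit tcp $<partners-network> any eq ftp-data",
]

def variables(template: List[str]) -> Set[str]:
    """Every $<name> the template's ACEs refer to."""
    return {v for ace in template for v in VAR.findall(ace)}

class Instance:
    """A copy of a variable template with a network class bound to each variable."""

    def __init__(self, name: str, template: List[str], values: Dict[str, str]):
        self.name = name
        self.template = list(template)
        self.values = dict(values)          # variable -> network class name
        self.checked_in = False

    def unassigned(self) -> Set[str]:
        return variables(self.template) - set(self.values)

    def check_in(self) -> bool:
        """Check-in is refused while any variable still has no value."""
        self.checked_in = not self.unassigned()
        return self.checked_in

    def render(self, classes: Dict[str, List[str]]) -> List[str]:
        """Expand every ACE once per combination of class members; this is where the
        logical entities become the concrete lines a device receives."""
        out = []
        for ace in self.template:
            names = VAR.findall(ace)
            for combo in itertools.product(*(classes[self.values[n]] for n in names)):
                line = ace
                for n, member in zip(names, combo):
                    line = line.replace(f"$<{n}>", member, 1)
                out.append(line)
        return out

    def reconcile(self, parent: List[str]) -> bool:
        """Pull a changed parent template into the instance and try to check it in;
        this fails when the parent introduced variables the instance has no value for."""
        self.template = list(parent)
        return self.check_in()

def device_use_valid(inst: Instance, classes: Dict[str, List[str]], deployed: List[str]) -> bool:
    """A Template Device Use is 'true' only while the device holds the current rendering."""
    return inst.render(classes) == deployed

def scenario() -> dict:
    """Walk the two tracking cases on this page and return what each step observed."""
    classes = {k: list(v) for k, v in CLASSES.items()}
    frontier = Instance("Frontier-partner", APAC_PARTNERS, {"partners-network": "Frontier-network"})
    frontier.check_in()
    deployed = frontier.render(classes)                     # what the ACL Downloader pushed
    # Case 1: the partner's address block changes, so the network class is edited (constructed).
    classes["Frontier-network"].append("203.0.113.0 0.0.0.255")
    stale = not device_use_valid(frontier, classes, deployed)
    updated = frontier.render(classes)                      # Update Logical Entities
    # Case 2: the parent template gains an ACE with a new variable (constructed).
    parent = APAC_PARTNERS + ["permit tcp $<partners-network> $<partner-mail> eq smtp"]
    reconciled = frontier.reconcile(parent)
    missing = sorted(frontier.unassigned())
    classes["Mail-servers"] = ["192.0.2.25 0.0.0.0"]        # constructed class for the new variable
    frontier.values["partner-mail"] = "Mail-servers"
    return {"deployed": len(deployed), "stale_after_class_change": stale,
            "after_update": len(updated), "reconcile_checked_in": reconciled,
            "new_variables": missing, "checked_in_after_assign": frontier.check_in(),
            "final_lines": len(frontier.render(classes))}
```

`scenario()` shows the two outcomes the procedures above describe: after the class edit the deployed rendering no longer matches, so the use is stale until a Bulk Update download; after the reconcile, check-in fails with `partner-mail` unassigned and succeeds once a class is bound to it.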
If a DNS name that you include in an ACE does not resolve to an IP address,
ACL Manager gives you the choice of keeping the DNS name as it is or of
proceeding without it.
Prerequisites
In this scenario, you will use the following ACL Manager tools and features:
ACE Editor (see the chapter Viewing and Editing ACLs in the User Guide
for ACL Manager).
ACL Downloader (see the chapter Scheduling and Downloading in the User
Guide for ACL Manager).
To use DNS names in an ACE and deploy updated DNS-IP mappings, follow these
steps:
Step 1
Step 2
Procedure
Step 1
From the ACL Manager Main Window, invoke the ACE Editor (see the chapter
Viewing and Editing ACLs in the User Guide for ACL Manager).
Step 2
In the ACE Editor, enter the required DNS names for the source address, the
destination address, or for both source and destination addresses.
Step 3
Step 4
Click OK.
If you click Yes, the ACE will contain the unresolvable DNS name.
If you click No, the ACE Editor window will continue to remain open. You
can fill the correct DNS name, and then click OK.
Note
You can also directly use a network class consisting of DNS names.
Step 5
Repeat Step 4 until you complete the task of providing DNS names in the ACEs.
Step 6
Step 7
Click Tools > ACL Downloader from the ACL Manager Main Window.
The Select Changed Entities dialog box appears.
Step 8
Step 9
Click Next.
The Select Job Options pane of the Job Download Wizard appears.
This pane has a group titled Unresolvable DNS Names, with two options:
Step 10
Step 11
Step 12
Click Next.
The Schedule Job pane of the wizard appears.
Step 13
Step 14
Click Finish.
The job is created, and is downloaded at the scheduled time.
Procedure
Step 1
In the ACL Manager Main Window, select the ACL or ACLs that contain DNS names
whose DNS name to IP mapping you think has changed.
Step 2
Right-click on the required ACL or ACLs and select Mark for Download.
A dialog box appears with the message:
The existing marks for the entities you have selected will be lost,
do you want to proceed?
Step 3
Step 4
Select Yes.
The Select Job Options panel appears.
Step 5
Step 6
Step 7
Click Finish.
The job is created and scheduled for download.
Step 8
To verify that the updated IP addresses have been downloaded, navigate to the Job
Browser (ACL Manager > Job Management > Job Browser).
Step 9
In the Job Browser, select the job that you have just created.
If the job status is Success, click Results.
The Job Results dialog box appears.
Step 10
Select the device on which you have downloaded the ACLs and click Device
Details.
The Device Results dialog box appears.
This dialog box shows the actual ACEs downloaded to the device. You will see
here that the updated IP addresses have been downloaded.
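The two DNS procedures in this section come down to one mechanism: names in ACEs are turned into addresses when a download job is built, a name that does not resolve is handled by whichever of the two choices you selected, and a later change in a name's address means the ACL must be marked for download again. The Python below is an added example, not ACL Manager code, that models this: a resolver backed by a constructed lookup table (so it runs offline), the keep-the-name and drop-the-ACE choices, a snapshot of the mappings that went out with a job, and a comparison that lists the ACLs to mark for download. The sample ACLs, host names and addresses are constructed, and the convention that a DNS name stands directly in an address field is the example's own.

```python
"""Added example (not ACL Manager code): resolve DNS names in ACEs at job-build
time, apply the unresolvable-name choice, and find ACLs whose mappings changed."""
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]   # name -> dotted-quad, or None if unresolvable

def is_dns_name(tok: str) -> bool:
    """Constructed convention: an address field is a DNS name if it contains a dot
    and a letter; dotted-quad addresses, keywords and port names never qualify."""
    return "." in tok and any(c.isalpha() for c in tok)

def render_ace(ace: str, resolve: Resolver, unresolvable: str) -> Optional[str]:
    """Replace each DNS name with 'host A.B.C.D'. For a name that does not resolve,
    'keep' leaves the name in the ACE (the Yes choice on this page) and 'skip'
    drops the ACE from the download (the proceed-without-it choice)."""
    if unresolvable not in ("keep", "skip"):
        raise ValueError("unresolvable must be 'keep' or 'skip'")
    out = []
    for tok in ace.split():
        if not is_dns_name(tok):
            out.append(tok)
            continue
        ip = resolve(tok)
        if ip is None:
            if unresolvable == "skip":
                return None
            out.append(tok)
        else:
            out.append(f"host {ip}")
    return " ".join(out)

def render_acl(lines: List[str], resolve: Resolver, unresolvable: str) -> List[str]:
    """The lines a device would receive for one ACL; skipped ACEs are omitted."""
    rendered = (render_ace(line, resolve, unresolvable) for line in lines)
    return [r for r in rendered if r is not None]

def names_in(lines: List[str]) -> List[str]:
    return sorted({tok for line in lines for tok in line.split() if is_dns_name(tok)})

def snapshot(acls: Dict[str, List[str]], resolve: Resolver) -> Dict[str, Optional[str]]:
    """Record the name -> address mapping that went out with a download job."""
    return {n: resolve(n) for lines in acls.values() for n in names_in(lines)}

def acls_to_mark(acls: Dict[str, List[str]], last: Dict[str, Optional[str]],
                 resolve: Resolver) -> List[str]:
    """ACLs containing a name that now resolves differently from the last job,
    i.e. the ones to select for Mark for Download."""
    return sorted(acl for acl, lines in acls.items()
                  if any(resolve(n) != last.get(n) for n in names_in(lines)))

# Constructed sample: a DNS table standing in for the resolver, and two ACLs.
DNS_TABLE = {"partner-gw.example.test": "192.0.2.10", "ntp.example.test": "198.51.100.7"}
ACLS = {
    "partner-in": ["permit tcp partner-gw.example.test any eq www", "permit ip any any"],
    "mgmt": ["permit udp host 10.0.0.5 ntp.example.test eq 123", "deny ip any any"],
}
UNRESOLVABLE = "permit tcp nonexistent.example.test any eq www"   # constructed

def lookup(name: str) -> Optional[str]:
    return DNS_TABLE.get(name)

if __name__ == "__main__":
    last_job = snapshot(ACLS, lookup)
    print(render_acl(ACLS["partner-in"], lookup, "skip"))
    print(render_ace(UNRESOLVABLE, lookup, "keep"), render_ace(UNRESOLVABLE, lookup, "skip"))
    DNS_TABLE["partner-gw.example.test"] = "192.0.2.11"           # the mapping changes
    print(acls_to_mark(ACLS, last_job, lookup))
```

Keeping a snapshot of the mappings used by the last successful job is what makes the second procedure on this page checkable: comparing it against a fresh resolution tells you which ACLs actually need to be marked, rather than relying on which ones you think have changed.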
INDEX
creating 4-42
including periodic attributes in 4-46
access, controlling (see user roles) 9-1
ACE Editor dialog box buttons, using 4-25
ACEs (Access Control Entries)
adding
to a static template 6-6
to a variable template 6-8
associating with a time range 4-48
definition of 1-1
downloading 4-17
marking for 4-54
remark ACEs, making downloadable 4-17
time-based 4-51
editing 4-20
printing 4-55
reordering 4-19
saving
as ACE templates 4-38
as templates 4-38
time-based, downloading to a device 4-51
time ranges, associating with 4-48
validating 14-1
modified ACEs, validating 14-9
validation check on a logical entity,
performing 14-4
validation details, viewing 14-7
working with 4-10
comments, appending 4-14
comments, inserting 4-15
ACL templates
comments to, appending 4-14
creating 3-4
defining and using 2-1
attributes 2-2
creating 2-1
definition of 1-2
editing 6-17
launch point for 3-4
template contents 6-17
template folders, creating and
inserting 6-18
viewing 3-4
appending
identifying
cautions
significance of xviii
invoking 5-3
launching 3-24
using 5-8
workflow for using 5-9
overview 1-8
service classes
creating 5-6
editing 5-8
managing
services and service classes,
managing
services classes
using 5-5
workflow for using 5-5
services, managing 5-5
toolbar, using 5-4
using 5-1
class uses
devices that use, identifying 5-14
identifying 5-14
comments
appending to an ACL or template 4-14
inserting after an ACE 4-15
comparing
ACLs 4-9
templates 6-29
downloading to 3-36
using 13-12
ACLs 13-10
views
definition of 1-2
opening 3-12
saving 3-11
Diff Viewer
creating 9-17
launching 3-25
deleting 9-25
overview 1-9
modifying 9-21
using 4-40
documentation
devices
(see also device configurations,
importing) 13-1
additional
online xxiii
obtaining xxiii
related xxi
Downloader
launching 3-24
overview 1-9
advanced 4-62
general 4-58
other 4-65
editing
ACEs 4-20
e-mail notifications
configuring 4-52
entities 8-1
replacing 8-15
check out, undoing 8-18
Standard Replace context GUI, using 8-19
searching for 8-2
ACL Manager Device Selector, using 8-5
search attributes list 8-9
search filter, forming 8-6
H
Help Desk privilege level, overview 1-9
Hits Optimizer
launching 3-25
overview 1-9
inserting
advanced 4-62
general 4-58
other 4-65
M
MAC VACE attributes for VACLs,
editing 4-66
Job Browser
main window
Import 3-19
Print 3-19
Tools 3-24
ACL Downloader 3-24
Copy 3-20
Cut 3-20
Versioning 3-23
Edit 3-20
Check In 3-23
Find 3-20
Go to ACL 3-21
History 3-24
Paste 3-20
Replace 3-20
View 3-21
Go to Line 3-21
File 3-18
Properties 3-21
Exit 3-19
Explore 3-18
marking
using 5-8
workflow 5-9
O
object groups, creating for PIX ACLs 4-68
OOB (out-of-band) changes to device
configurations, managing 3-37
devices, checking for changes on 3-37
change report, viewing 3-39
Diff/Merge 3-50
editing 5-13
creating 7-2
verification of, mandating 7-10
overview 1-1
privilege levels 1-9
printing
ACEs 4-55
ACLs 4-55
benefits 1-5
components 1-4
PIX ACLs
saving
ACEs as ACE templates 4-38
ACLs as templates 4-9
scheduling and downloading 15-1, 5
service classes
creating 5-6
definition of 1-3
editing 5-8
services
Telnet troubleshooting
definition of 1-3
workflow 5-5
starting
ACL Manager 3-8
devices, deleting from Devices folder 3-11
devices folder, populating 3-9
device view, opening 3-12
device view, saving 3-11
Find feature, using 3-17
main window, navigating in 3-13
Class Manager 5-3
contents 6-17
template folders, creating and
inserting 6-18
identifying devices that use an ACL
template 6-20
including another template within a
template 6-14
invalid template device uses, handling 6-22
launching 3-24
automatically 4-51
manually 4-51
creating 4-42
absolute 4-42
U
updating logical entities for ACLs and
templates
procedure 6-26
creating 9-4
deleting 9-12
modifying 9-8
creating 9-17
deleting 9-25
modifying 9-21
interfaces 12-4
lines 12-6
VLANs 12-10
uses 2-6
creating 4-6
definition of 1-2
modes and definitions 2-6
Use wizard, using 12-1
ACL template, applying to a multiple
devices 12-20
devices, selecting 12-21
results, displaying 12-22
V
VACLs (VLAN Access Lists)
definition of 1-3
managing 4-55
VACEs, editing 4-57
workflow 10-3
ACLs 4-5
viewing
ACE validation details 14-7
ACLs 4-1
associated with time ranges on a
device 4-49
configuration changes in 4-40
verifying
ACLs or templates against a policy 7-4
device configuration changes 3-33
download success 3-36
Verify Policy function, launching 3-25
versioning
ACL Manager entities 10-1
checking out entities 10-7
comparing an entity with its latest
version 10-25
comparing two versions of an entity 10-26
details of a specific version, viewing 10-29
history, viewing 10-30
W
workflows
complete 3-32
for defining templates 6-4
static 6-4
variable 6-5
for downloading changes to devices 3-36
for managing out-of-band changes 3-37
for verifying device configuration
changes 3-33
for verifying downloads of device
changes 3-36
for versioning ACL Manager entities 10-3