ACL Manager_UserGuide.pdf

  • 8/10/2019 ACL Manager_UserGuide.pdf

    Corporate Headquarters
    Cisco Systems, Inc.
    170 West Tasman Drive
    San Jose, CA 95134-1706
    USA
    http://www.cisco.com
    Tel: 408 526-4000
    800 553-NETS (6387)
    Fax: 408 526-4100

    User Guide for ACL Manager
    Software Release 1.6

    CiscoWorks

    Customer Order Number: DOC-7816005=
    Text Part Number: 78-16005-01
    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

    THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

    The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

    NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

    IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

    All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0402R)

    User Guide for ACL Manager

    Copyright 2004 Cisco Systems, Inc. All rights reserved.

    CONTENTS

    Preface
    Audience
    Conventions
    Product Documentation
    Related Documentation
    Additional Information Online
    Obtaining Documentation
    Cisco.com
    Ordering Documentation
    Documentation Feedback
    Obtaining Technical Assistance
    Cisco TAC Website
    Opening a TAC Case
    TAC Case Priority Definitions
    Obtaining Additional Publications and Information

    CHAPTER 1 ACL Manager Overview
    ACL Terms and Definitions
    What is ACL Manager?
    ACL Manager Components
    Benefits of ACL Manager
    ACL Manager Functionality
    ACL Manager Tools
    ACL Manager Privilege Levels

    Privilege Levels and Tasks

    CHAPTER 2 ACL Definitions and Uses
    Creating ACLs and Templates
    ACL and Template Attributes
    Name, Number, and Type Attributes
    Other Attributes
    ACL Properties (Use Details)
    ACL Uses
    Use Modes and Contexts

    CHAPTER 3 Getting Started
    Before You Begin
    Setting Up Resource Manager Essentials
    ACL Manager Functions
    Starting ACL Manager
    Populating the Devices Folder
    Deleting Devices
    Saving a Device View
    Opening a Device View
    Navigating in the ACL Manager Main Window
    My Changes Folder
    Imported Entities Folder
    Devices Folder
    Out-of-Band Changes Folder
    Using the Find Feature
    ACL Manager Menus
    File Menu
    Edit Menu

    View Menu
    ACL Menu
    Versioning Menu
    Tools Menu
    Using the Device State Icons
    Using the Toolbar
    Using Keyboard Shortcuts
    Keyboard Shortcuts for ACL Manager Window
    Keyboard Shortcuts for ACL Manager Dialog Boxes - Windows
    Keyboard Shortcuts for ACL Manager Dialog Boxes - Solaris
    Printing
    Performing a Complete Workflow Cycle
    Verifying Device Configuration Changes
    Downloading the Changes to the Devices
    Verifying That the Download was Successful
    Managing Out-of-Band Changes to Device Configuration
    Checking for Out-of-Band Changes on Devices
    Viewing the Out-of-Band Changes Report
    Resolving Out-of-Band Changes
    High-level Workflow for Resolving Out-of-Band Changes
    Resolving Out-of-Band Changes Based on Their Type
    Using the Diff/Merge with Out-of-Band Changes Dialog Box and Merge Editor
    Backing Up and Restoring ACL Manager Data
    Device Support in ACL Manager

    CHAPTER 4 Viewing and Editing ACLs
    Creating ACLs
    Creating a New ACL by Copying and Pasting an Existing ACL

    Versioning ACLs
    Defining ACL Uses
    Viewing Existing ACLs
    Editing ACLs
    Deleting ACLs
    Manipulating ACEs
    Inserting a New ACE
    Appending a New ACE
    Inserting a Template
    Appending a Comment
    Inserting a Comment
    Downloading Comments
    Making Remark ACEs Downloadable
    Reordering ACEs
    Editing ACEs
    Specifying Source and Destination Addresses
    Specifying Source and Destination Ports
    Specifying Protocol
    Specifying ICMP-Type
    Using the ACE Editor Buttons
    Editing IP ACE Attributes
    Editing IP Extended ACE Attributes
    Editing IP Extended General Attributes
    Editing IP Extended Advanced Attributes
    Editing IP Extended Other Attributes
    Editing RATE LIMIT MAC ACE Attributes
    Editing RATE LIMIT PRECEDENCE ACE Attributes
    Saving ACEs as a Template
    Viewing the Configuration Changes

    Optimizing the ACL
    Using Time Range Definitions
    Versioning Time Range Definitions
    Creating a Time Range Definition
    Time Range Definition Absolute
    Time Range Definition Periodic
    Time Range Definitions Absolute and Periodic
    Editing a Time Range Definition
    Associating an ACE with a Time Range
    Viewing Associated ACLs on the Device
    Configuring the Time Zone on a Device
    Downloading Time-based ACEs to the Device
    Expiry Type for Time-based ACEs
    Automatic Expiry
    Manual Expiry
    Time Range E-mail Notification
    Configuring Time Range E-mail
    Time Range E-mail Format
    Marking ACLs for Download
    Printing the ACL/ACE
    Managing VLAN Access Control Lists (VACLS)
    Editing VACEs
    Editing IP VACE Attributes
    Editing MAC VACE Attributes
    Creating Object Groups for PIX ACLs

    CHAPTER 5 Using the Class Manager
    Class Manager Overview
    Class Manager Editors

    Starting the Class Manager
    Using the Class Manager Toolbar
    Creating and Inserting Class Folders
    Using Services and Service Classes
    Workflow for Using Service Classes
    Creating a Service Class
    Editing a Service Class
    Using Network Classes
    Workflow for Using Network Classes
    Creating a Network Class
    Editing a Network Class
    Marking a Master Version of a Class
    Identifying Class Uses
    Identifying Service Class Uses
    Identifying Network Class Uses
    Handling Invalid Class Uses
    Using the Class Manager: Example

    CHAPTER 6 Using the Template Manager
    Starting the Template Manager
    Using the Template Manager Toolbar
    Static Templates and Variable Templates
    The Workflow for Templates
    Workflow for a Static Template
    Workflow for a Variable Template
    Creating Templates
    Creating a Static Template and Adding ACEs
    Creating a Variable Template and Adding ACEs
    Creating a Variable Template Instance and Assigning Values

    Reconciling Instances of Variable Templates
    Including Another Template Within Your Template
    Marking a Master Version of a Template or an Instance
    Editing an Existing Template
    Editing the Contents of a Template
    Creating and Inserting Template Folders
    Using a Template in an ACL
    Identifying Devices and Templates That Use an ACL Template
    Handling Invalid Template Device Uses and Template Nested Uses
    Updating Logical Entities
    Saving Selected Template ACEs as a New Template
    Viewing the Template Device Use Summary
    Deleting a Template

    CHAPTER 7 Creating and Using Policies
    Role-based Access for Policies
    Creating a Policy
    Verifying an ACL/Template Against a Policy
    Viewing Policy Verification Details
    Mandating Policy Verification

    CHAPTER 8 Searching for and Replacing ACLM Entities
    Searching for Entities
    Search Results Pane
    Using the ACL Manager Device Selector
    Using the Template Folder Browser
    Forming a Search Filter
    Regular Expressions

    Operators
    List of Search Attributes
    Using the Standard Search Context GUI
    Replacing Entities
    Undoing a Check Out
    Using the Standard Replace Context GUI

    CHAPTER 9 Controlling Access Using ACL Manager Roles
    Populating ACL Manager with Role-based Data
    Adding Users
    Adding Devices
    Managing User Groups
    Creating a User Group
    Modifying a User Group
    Deleting a User Group
    Viewing all User Groups
    Managing Device Groups
    Creating a Device Group
    Modifying a Device Group
    Deleting a Device Group
    Viewing all Device Groups
    Managing Tasks
    Task Relationships
    Assigning Device Groups to Tasks or Modifying Assignments
    Using the Open User Group Option

    CHAPTER 10 Versioning ACL Manager Entities
    Versioning Workflow
    Version Indicators

    Getting the Latest Version of an Entity
    Getting a Specific Version of an Entity
    Checking Out Entities
    Checking Out a Specific Version of an Entity
    Undoing the Check Out of an Entity
    Checking In Entities
    Merging a Branch With a Main Line Version
    Merging Using the Merge Editor
    Merging Using the Merge Editor: Example
    Merging Without Using the Merge Editor
    Merging Without Using the Merge Editor: Example
    Viewing the Version Graph of an Entity
    Comparing an Entity with its Latest Version
    Comparing Any Two Versions of an Entity
    Viewing Version Details of an Entity
    Viewing Details of a Specific Version of an Entity
    Viewing the Versioning History of an ACL Manager Entity
    Using the Version Diff Viewer

    CHAPTER 11 Approving or Rejecting Changes
    Processing Change Requests
    Viewing Pending Change Requests
    Approving or Rejecting Change Requests
    Change Request Status
    Viewing Details of a Changed Entity
    Viewing Processed Changes
    E-mail Notification of Change
    Enabling or Disabling Change Approval

    CHAPTER 12 ACL Manager Use Wizard
    Defining ACL Uses
    Defining an ACL Use with the Use ACL Wizard
    Selecting Interfaces, Lines, SNMP Community Settings or VLANS
    Selecting Interfaces for Packet Filtering with the Use ACL Wizard
    Selecting Lines for Line Access with the Use ACL Wizard
    SNMP Community Settings with the Use ACL Wizard
    Selecting VLANs for VLAN Packet Filtering with Use ACL Wizard
    Completing the Use ACL Wizard Summary
    Displaying Use ACL Wizard Results
    Applying an ACL Template to a Specific Device
    Selecting a Template with the Template Use Wizard
    Selecting a Device
    Displaying ACL Creation Results (Single Device)
    Applying an ACL Template to Multiple Devices
    Selecting a Template
    Selecting the Devices
    Displaying ACL Creation Results (Multiple Devices)
    Defining ACL Uses for Multiple Devices
    Selecting Interfaces with the Template Use Wizard
    Selecting Lines with the Template Use Wizard
    SNMP Community Settings with the Template Use Wizard
    Selecting VLANs for VLAN Packet Filtering with Template Use Wizard
    Using the Use Wizard to Address Vulnerability in Your Network: Example

    CHAPTER 13 Importing Configuration
    Uploading the Configuration and Viewing the Import Summary
    Using the File Browser

    Using the Config Editor
    Pasting Imported Entities onto a Device
    Pasting an Imported ACL onto a Device
    Pasting Imported ACEs and Comments onto a Device
    Pasting Imported ACEs as a Template
    Using the File Import Command Line Tool
    Example: File Import Command Line Tool Usage

    CHAPTER 14 Validating ACEs
    Performing a Validation Check on a Logical Entity
    Viewing ACE Validation Details
    Validating Modified ACEs

    CHAPTER 15 Scheduling and Downloading
    Enabling Job Approval
    Scheduling Downloads
    Selecting the Devices and the Changed Entities
    Defining the Job and Selecting the Job Options
    Scheduling the Download Using the Job Download Wizard
    Viewing the Job Summary
    Browsing Job Status and Viewing Results
    Marking Changes for Download
    Viewing Pending Marks
    Scheduling Job Downloads Using the Job Browser
    Job Management Integration
    Rescheduling Jobs
    Canceling Pending Jobs and Purging Old Jobs
    What to Do if Your Download Fails

    CHAPTER 16 Optimizing ACLs
    ACL Optimizer and Hits Optimizer
    ACL Optimizer
    ACL Hits Optimizer
    Using the ACL Optimizer
    Using the ACL Hits Optimizer
    Resetting Hit Counters
    Getting Hits from a Device

    CHAPTER 17 Generating Reports in ACL Manager
    Time Range Events in Selected Time Frame Report
    Change Approval Status Report
    Out-of-Band Changes Report
    Role-based Access Control Reports
    Approver Group Mapping for Devices and Device Groups
    My Task Mapping Report
    Task Mapping Report
    My User Group Membership Report
    User Group Membership Report

    CHAPTER 18 Troubleshooting ACL Manager

    CHAPTER 19 ACL Manager Usage Scenarios
    Tracking and Mitigating Network Vulnerabilities
    Prerequisites
    Handling Vulnerabilities
    Importing the Published ACL into ACL Manager
    Creating a Template Using the Imported ACL

    Deploying the Template on Devices
    Deploying the ACL on the Devices
    Tracking the Template Changes
    Modifying the Template in case of New Vulnerabilities and Deploying the Changes
    Easy Deployment and Tracking of ACLs for Partner Networks
    Prerequisites
    Creating a Variable Template
    Creating Variable Template Instances
    Using Variable Template Instances
    Tracking Instances
    Using DNS Names in an ACE and Deploying Updated DNS-IP Mappings
    Prerequisites
    Using DNS Names in an ACE
    Deploying Updated DNS Name - IP Mappings

    INDEX

    Preface

    User Guide for ACL Manager describes how to use the Access Control List (ACL) Manager, a software tool for the management of access control lists on Cisco routers, Catalyst switches, and PIX devices.

    This preface describes who should read User Guide for ACL Manager and outlines the document conventions used in this manual.

    Audience

    This publication is written for network operators, network administrators, and system administrators. To use the ACL Manager application, you should have a basic understanding of the operation, management, and configuration of your network. You should understand the basic ACL structure and configuration and the concept of network and service definitions.

    Conventions

    This document uses the following conventions:

    Item                                        Convention
    Commands and keywords                       boldface font
    Variables for which you supply values       italic font
    Displayed session and system information    screen font
    Information you enter                       boldface screen font
    Variables you enter                         italic screen font
    Menu items and button names                 boldface font
    Selecting a menu item in paragraphs         Option > Network Preferences
    Selecting a menu item in tables             Option > Network Preferences

    Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.

    Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

    Product Documentation

    Note: We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.

    Table 1 describes the product documentation that is available.

    Table 1 Product Documentation

    Document Title: Release Notes for ACL Manager 1.6
    Available Formats:
      Printed document that was included with the product.
      On Cisco.com:
        a. Log into Cisco.com.
        b. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/aclm_1_x/1_6/index.htm

    Document Title: Installation Guide for ACL Manager
    Available Formats:
      PDF on the product CD-ROM.
      On Cisco.com:
        a. Log into Cisco.com.
        b. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/aclm_1_x/1_6/index.htm
      Printed document available by order (part number DOC-7816006=). [1]

    Document Title: User Guide for ACL Manager
    Available Formats:
      PDF on the product CD-ROM.
      On Cisco.com:
        a. Log into Cisco.com.
        b. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/aclm_1_x/1_6/index.htm
      Printed document available by order (part number DOC-7816005=)

    Document Title: Supported Devices for ACL Manager
    Available Formats:
      1. Log into Cisco.com.
      2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/aclm_1_x/1_6/index.htm

    Document Title: Context-sensitive online help
    Available Formats:
      Select an option from the navigation tree, then click Help.
      Click the Help button in the dialog box.

    [1] See the Obtaining Documentation.

    Related Documentation

    Note: We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.

    Table 2 describes the additional documentation that is available.

    Table 2 Related Documentation

    Document Title: Release Notes for CiscoWorks Common Services 2.2 (Includes CiscoView 5.5) on Windows [1]
    Available Formats:
      On Cisco.com:
        1. Log into Cisco.com.
        2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm

    Document Title: Installation and Setup Guide for CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Solaris
    Available Formats:
      On Cisco.com:
        1. Log into Cisco.com.
        2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm

    Document Title: Installation and Setup Guide for CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Windows
    Available Formats:
      On Cisco.com:
        1. Log into Cisco.com.
        2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm

    Document Title: CiscoWorks Common Services User Guide 2.2
    Available Formats:
      On Cisco.com:
        1. Log into Cisco.com.
        2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm

    Document Title: Release Notes for Resource Manager Essentials 3.5 on Windows
    Available Formats:
      On Cisco.com:
        1. Log into Cisco.com.
        2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm

    Document Title: Installation and Setup Guide for Resource Manager Essentials 3.5 on Solaris
    Available Formats:
      On Cisco.com:
        1. Log into Cisco.com.
        2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm

    Document Title: Installation and Setup Guide for Resource Manager Essentials 3.5 on Windows
    Available Formats:
      On Cisco.com:
        1. Log into Cisco.com.
        2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm

    Document Title: User Guide for Resource Manager Essentials 3.5
    Available Formats:
      On Cisco.com:
        1. Log into Cisco.com.
        2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm

    Document Title: Supported Device Table for Resource Manager Essentials 3.5
    Available Formats:
      On Cisco.com:
        1. Log into Cisco.com.
        2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm

    [1] CiscoView 5.5 and Package Support Updater information in this document is not applicable to the ACL Manager 1.6 release.

    Additional Information Online

    Your application might support incremental device updates (IDUs). An IDU is a

    software package that enables an application to support new devices. An IDU

    might also contain bug fixes. You can download IDUs and their Readme files by

    logging into Cisco.com.

    Device packages are released cumulatively; that is, new device packages contain

    the contents of any previous packages.

    To determine which packages are installed on your CiscoWorks Server, select

    Server Configuration > About the Server > Applications and Versions.

    You can also obtain any published patches from the download site.

    Obtaining Documentation

    Cisco documentation and additional literature are available on Cisco.com. Cisco

    also provides several ways to obtain technical assistance and other technical

    resources. These sections explain how to obtain technical information from Cisco

    Systems.

    Cisco.com

    You can access the most current Cisco documentation on the World Wide Web at

    this URL:

    http://www.cisco.com/univercd/home/home.htm

    You can access the Cisco website at this URL:

    http://www.cisco.com

    International Cisco websites can be accessed from this URL:

    http://www.cisco.com/public/countries_languages.shtml


    Ordering Documentation

    You can find instructions for ordering documentation at this URL:

    http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

    You can order Cisco documentation in these ways:

    Registered Cisco.com users (Cisco direct customers) can order Cisco product

    documentation from the Ordering tool:

    http://www.cisco.com/en/US/partner/ordering/index.shtml

    Nonregistered Cisco.com users can order documentation through a local

    account representative by calling Cisco Systems Corporate Headquarters

    (California, USA) at 408 526-7208 or, elsewhere in North America, by

    calling 800 553-NETS (6387).

    Documentation Feedback

    You can submit e-mail comments about technical documentation to

    [email protected].

    You can submit comments by using the response card (if present) behind the front

    cover of your document or by writing to the following address:

    Cisco Systems

    Attn: Customer Document Ordering

    170 West Tasman Drive

    San Jose, CA 95134-9883

    We appreciate your comments.

    Obtaining Technical Assistance

    For all customers, partners, resellers, and distributors who hold valid Cisco

    service contracts, the Cisco Technical Assistance Center (TAC) provides

    24-hour-a-day, award-winning technical support services, online and over the

    phone. Cisco.com features the Cisco TAC website as an online starting point for

    technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.


    Cisco TAC Website

    The Cisco TAC website provides online documents and tools for troubleshooting

    and resolving technical issues with Cisco products and technologies. The Cisco

    TAC website is available 24 hours a day, 365 days a year. The Cisco TAC website

    is located at this URL:

    http://www.cisco.com/tac

    Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID

    and password. If you have a valid service contract but do not have a login ID or

    password, register at this URL:

    http://tools.cisco.com/RPF/register/register.do

    Opening a TAC Case

    Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases.

    (P3 and P4 cases are those in which your network is minimally impaired or for

    which you require product information.) After you describe your situation, the

    TAC Case Open Tool automatically recommends resources for an immediate

    solution. If your issue is not resolved using the recommended resources, your case

    will be assigned to a Cisco TAC engineer. The online TAC Case Open Tool is

    located at this URL:

    http://www.cisco.com/tac/caseopen

    For P1 or P2 cases (P1 and P2 cases are those in which your production network

    is down or severely degraded) or if you do not have Internet access, contact Cisco

    TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2

    cases to help keep your business operations running smoothly.

    To open a case by telephone, use one of the following numbers:

    Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)

    EMEA: +32 2 704 55 55

    USA: 1 800 553-2447

    For a complete listing of Cisco TAC contacts, go to this URL:

    http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml


    TAC Case Priority Definitions

    To ensure that all cases are reported in a standard format, Cisco has established

    case priority definitions.

    Priority 1 (P1): Your network is down or there is a critical impact to your

    business operations. You and Cisco will commit all necessary resources around

    the clock to resolve the situation.

    Priority 2 (P2): Operation of an existing network is severely degraded, or

    significant aspects of your business operation are negatively affected by

    inadequate performance of Cisco products. You and Cisco will commit full-time

    resources during normal business hours to resolve the situation.

    Priority 3 (P3): Operational performance of your network is impaired, but most

    business operations remain functional. You and Cisco will commit resources

    during normal business hours to restore service to satisfactory levels.

    Priority 4 (P4): You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your

    business operations.

    Obtaining Additional Publications and Information

    Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

    Cisco Marketplace provides a variety of Cisco books, reference guides, and

    logo merchandise. Go to this URL to visit the company store:

    http://www.cisco.com/go/marketplace/

    The Cisco Product Catalog describes the networking products offered by

    Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

    http://cisco.com/univercd/cc/td/doc/pcat/

    Cisco Press publishes a wide range of general networking, training and

    certification titles. Both new and experienced users will benefit from these

    publications. For current Cisco Press titles and other information, go to Cisco

    Press online at this URL:

    http://www.ciscopress.com


    Packet magazine is the Cisco quarterly publication that provides the latest

    networking trends, technology breakthroughs, and Cisco products and

    solutions to help industry professionals get the most from their networking

    investment. Included are networking deployment and troubleshooting tips,

    configuration examples, customer case studies, tutorials and training,

    certification information, and links to numerous in-depth online resources.

    You can access Packet magazine at this URL:

    http://www.cisco.com/packet

    iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access

    iQ Magazine at this URL:

    http://www.cisco.com/go/iqmagazine

    Internet Protocol Journal is a quarterly journal published by Cisco Systems

    for engineering professionals involved in designing, developing, and

    operating public and private internets and intranets. You can access the

    Internet Protocol Journal at this URL:

    http://www.cisco.com/ipj

    Training: Cisco offers world-class networking training. Current offerings in

    network training are listed at this URL:

    http://www.cisco.com/en/US/learning/index.html

    Chapter 1 ACL Manager Overview

    ACL Manager helps you manage Access Control Lists (ACLs) on Cisco routers

    running IOS, Catalyst switches running Catalyst OS, and PIX devices running

    PIX OS. It presents a user-friendly graphical user interface that allows you to

    concentrate on the security of your network without learning the complex syntax of ACLs.

    ACL Manager allows you to easily address, solve, and reduce configuration

    problems related to ACLs.

    These topics introduce you to some of the concepts and features of ACL Manager:

    ACL Terms and Definitions

    What is ACL Manager?

    ACL Manager Tools

    ACL Manager Privilege Levels

    ACL Terms and Definitions

    Access Control Entry (ACE): An Access Control Entry (ACE) is an individual

    permit or deny statement within an Access Control List (ACL).

    Each ACE includes an action element (permit or deny) and a filter element

    based upon criteria such as source address, destination address, protocol,

    protocol-specific parameters, and so on.


    Access Control List (ACL, ACL Definition): An Access Control List (ACL)

    consists of one or more Access Control Entries (ACEs) that collectively define the

    network traffic profile. This profile can then be referenced by IOS, Catalyst OS,

    or PIX OS features such as traffic filtering, priority or custom queuing, dynamic

    access control, encryption, Telnet access, and so on.

    The generic term ACL refers to IOS ACLs, VLAN ACLs, and PIX ACLs.

    Wherever the term VACL is used, it applies only to VLAN ACL. Wherever the

    term IOS ACL is used, it applies only to Router ACL. Wherever the term PIX ACL

    is used, it applies only to an ACL on a PIX device.

    ACL Manager Entity: A generic term used in ACL Manager for ACEs, ACLs,

    ACL Uses, Time Ranges, Templates, Networks, Network Classes, Services and

    Service Classes.

    ACL Template (Template): A named set of ACEs. Templates can be inserted into

    ACLs (see Template Include ACE on page 1-3). Templates can include other

    templates.

    ACL Use: ACL Use statements in a device configuration utilize or reference an

    ACL for some purpose. There are over 50 possible purposes, which include, for

    example: IP packet filtering, line access, traffic shaping, IP multicast rate

    limiting, SNMP server, and so on.

    ACL Use Modes and Contexts: ACLs can be used in various IOS configuration

    modes: global, router, route-map, crypto-map, line, and interface.

    Except for global, the configuration modes have named contexts within which ACL Use statements can be created in IOS. The contexts for line mode are the

    actual vtys (for example, console, vty 0, vty 1, and so on). The contexts for

    interface mode are interface names (for example, Serial 0, Ethernet 0,

    TokenRing 0, and so on).

    ACL Manager allows you to create Use statements only for line, interface and

    global modes. ACL Manager allows you to apply these statements only for line

    access, packet filtering, and SNMP server access controls. VACLs can be used only for packet filtering and redirection on VLANs. For VACL Uses, the mode is

    VLAN and the contexts are the VLANs defined on the switch.

    Device View: A set of devices grouped according to common attributes or

    user-defined characteristics. You can use views to monitor groups of devices.

    IOS ACLs: Also known as Router ACLs. They are used in routers for packet

    filtering on interfaces, line access, SNMP access, route maps, and other purposes.


    Logical View: An abstract or high-level view of ACE statements in an ACL. The

    logical view could show ACEs using service and network class definitions,

    template include statements and comments.

    Network: A network is a named IP address and mask combination. It is a subnet

    specification used in the source and destination fields of ACE statements.

    Network Class: A network class is a named set of IP addresses, hostnames, IP

    address ranges, or networks that ACL Manager allows you to use in ACE source

    or destination fields.

    Out-of-band Change: Out-of-Band (OOB) changes are the ACL-related changes

    that have been made to the device configuration outside ACL Manager, directly

    on the device.

    Physical View: A low-level view of ACE statements in an ACL. The physical

    view maps one-to-one with the IOS, Catalyst OS, or PIX OS commands

    corresponding to the ACE statements.

    PIX ACLs: PIX ACLs are similar to Router/IOS ACLs in terms of their definition, but they are used by PIX devices to access control packets.

    Service: Services are named TCP or UDP ports that can be used in individual

    ACEs to provide a specification of the network traffic to be matched by filter

    criteria.

    Service Class: A service class consists of named port range specifications that

    ACL Manager allows you to use in ACE port specification fields.

    Template: See ACL Template on page 1-2.

    Template Include ACE: A special ACE that proxies for, or represents, the set of

    ACEs corresponding to the template.

    View: See Device View on page 1-2.

    VLAN Access Lists (VACLs): VACLs are similar to Router/IOS ACLs in terms

    of their definition, but they are used by Catalyst 6000 family switches to access

    control all packets they switch, including packets bridged within a VLAN.


    What is ACL Manager?

    The ACL Manager application is designed for the experienced network

    administrator who already understands the structure and uses of ACLs. It allows

    you to create, modify, and deploy ACLs to multiple devices through a Windows

    Explorer-type interface. ACL Manager supports ACLs for:

    IOS releases 10.3 through 12.2

    CatOS releases 5.3 through 7.6

    PIX OS releases 5.1 through 6.3

    Using ACL Manager, you can create ACL uses for traffic filtering, line access, and

    SNMP server access. Although you cannot create all types of ACL uses,

    ACL Manager recognizes and tracks all existing types of ACL uses (such as

    router, route-map, and crypto-map). This means that if you rename an ACL that

    is referenced in uses other than traffic filtering or line access, the use statement is

    updated with the new ACL name.

    ACL Manager allows comments to be associated with an ACL or ACE, so that you

    can audit and track the changes on an ACL or ACE.

    ACL Manager Components

    ACL Manager maintains a device model with attributes relevant to ACL management for managed devices (routers, switches and PIX devices). The device

    model is initialized by obtaining configuration files from Config Archive and

    parsing relevant statements.

    ACL Manager comprises a GUI that is integrated with the CiscoWorks desktop.

    This split-panel interface provides the means to create, edit, and view ACLs.

    When you select a node in the left pane, the right pane displays the contents of the node and its attributes. The display in the right pane is context sensitive.

    The ACL Manager GUI also provides access to editing tools and other functions,

    such as the Template Manager, Class Manager, Policy Verification Wizard, ACE

    Validator, Use Wizard, ACL Downloader, Optimizer, and Hits Optimizer. See

    ACL Manager Tools.


    Benefits of ACL Manager

    Network problems are frequently introduced when devices are configured, and

    fixing such problems is both expensive and time-consuming. Also, since

    router/switch configurations are interdependent, network complexity increases

    exponentially with the number of routers, and configuration problems become

    harder to detect and avoid.

    The result is either operational or latent configuration problems. ACL Manager

    solves these problems by providing inventory and change audit features that simplify the processes for setting up and changing device configurations.

    In addition, ACL construction must be extremely precise. This is because an

    incorrect filter can cause a security problem or incapacitate a network. Writing

    filters is time-consuming. It might be necessary to write many lines of IOS,

    Catalyst OS, or PIX OS commands to configure coexisting network filters for

    different protocols. With ACL Manager's GUI, you need not know IOS, Catalyst

    OS, or PIX OS syntax to create ACLs.

    ACL Manager:

    Provides a uniform interface that insulates the user from any differences in

    ACL features for the supported IOS, Catalyst OS, and PIX OS versions.

    Is easy to use and ensures high productivity for the user.

    Supports Secure Sockets Layer (SSL) for secure client to server

    communication.

    Supports Secure Shell (SSH) for secure server to device communication.

    Maintains versions of ACL manager entities.

    Reduces device configuration time dramatically.

    Reduces installation costs.

    Provides greater security through a role-based model.

    Enables controlling and tracking of all changes made to ACLs, ACL uses,

    templates, etc.

    Allows monitoring of the system by logging all the changes made during a

    user session.

    Enables easy access to information about devices and the changes made to

    them, through the reports generation feature.


    Easily detects changes directly applied to device configuration (using telnet,

    etc.)

    Is integrated with Resource Manager Essentials and uses the Config Archive,

    Inventory, Change Audit Service, and Transport facilities.

    Provides a browser-based GUI and integrates the task flow with the Resource

    Manager Essentials GUI.

    Allows you to fully exploit the ACL features in IOS, Catalyst OS, and PIX

    OS.

    Reduces operation time when deploying ACLs to several devices.

    Provides for automated deployment of ACLs.

    Enables you to apply VACLs on Private VLANs.

    Allows novice operators to safely deploy previously set up, complex ACLs

    through flexible templates. Templates also allow users to establish policies

    and to standardize on ACL uses.

    Supports policy verification. Enables you to create and enforce policies. (A

    policy is a set of rules that specifies tasks (ACEs) that you must include in the

    ACL.)

    Enables you to perform a check for the validity of ACEs within an ACL,

    VACL, or a template.

    Removes the drudgery of entering ACL configurations repeatedly on multiple

    devices by providing point-and-click copy and paste functionality.

    Minimizes human error in ACL creation by reducing the necessity of creating

    multiple ACEs. It does this by allowing the use of classes.

    Improves network throughput by enabling ACL optimization.

    Permits the use of Domain Name System (DNS) names in ACE source and

    destination fields. ACL Manager will automatically perform a DNS look-up

    and convert these fields to the appropriate IP addresses.


    ACL Manager Functionality

    ACL Manager comprises a suite of modules and tools designed to simplify the

    management of ACLs and ACL Use statements. The suite contains five major

    modules: ACL Manager, Template Manager, Class Manager, Use Wizard, and

    ACL Downloader. See ACL Manager Tools for a description of the tools

    provided by ACL Manager.

    The ACL Manager suite is integrated with the Resource Manager Essentials

    Config Archive and Inventory applications. It uses device information from Inventory, and reads the configuration contained in the Config Archive to create

    a model of the ACLs and ACL Use statements in the device configuration.

    The ACL Manager module provides a tree view to display this information in a

    Windows Explorer-type GUI. When you change device ACLs and ACL Use

    statements, ACL Manager generates the appropriate IOS, Catalyst OS, or PIX OS

    commands (config deltas) to implement the configuration changes.

    A download mechanism is provided to enable you to apply the configuration changes to the appropriate devices. The Config Archive is updated automatically

    after a successful ACL Manager download.

    ACL Manager uses Java Plug-in. The plug-in improves the performance of

    ACL Manager, and it is provided with the CiscoWorks application. (See the topic

    Installing the Java Plug-in in Chapter 3 of the User Guide for CiscoWorks

    Server).

    Some of the tasks that the ACL Manager suite enables you to perform include:

    Identifying when an ACL was last modified and applied (Other Attributes

    in Chapter ).

    Navigating around devices to see which ACLs are defined and where they are

    used; even ACL Uses that are not supported for creation by ACL Manager

    are listed (Viewing Existing ACLs in Chapter 4).

    Creating new ACLs (Creating ACLs in Chapter 4).

    Editing an existing ACL and returning it to its device (Editing ACLs in

    Chapter 4).

    Reordering ACEs (Reordering ACEs in Chapter 4).

    Naming, renaming, and numbering ACLs. Making the appropriate changes in

    the rest of the configuration file (Deleting ACLs in Chapter 4).


    Saving an ACL as a template, and associating it with a logical name (Editing

    ACLs in Chapter 4).

    Creating an alias for an ACL and using it in a device where named ACLs

    are not supported (Editing ACLs in Chapter 4).

    Naming networks and services and creating classes containing host

    addresses, address ranges, networks, or other classes, and using them in ACL

    definitions (Using the Class Manager in Chapter 5).

    Creating and editing templates (Using the Template Manager in Chapter 6).

    Applying ACL templates or ACLs for packet filtering or line access on

    devices (Defining ACL Uses in Chapter 12).

    Deploying ACLs on a group of devices (Scheduling Downloads in

    Chapter 15).

    Scheduling and downloading modified ACL and ACL Use statements

    and/or changes in meta-information, such as comments and template include

    statements, to devices (Scheduling Downloads in Chapter 15).

    Optimizing ACL statements to eliminate redundancies, compressing entries,

    and adjusting order of ACEs for maximum performance (Optimizing ACLs

    in Chapter 16).

    ACL Manager Tools

    ACL Manager provides the following tools for ACL development:

    Class Manager: Enables you to create and edit services, service classes,

    networks, and network classes. You can then use these definitions in ACE

    source and destination fields, saving you the trouble of entering multiple IOS,

    Catalyst OS, or PIX OS commands covering all possible combinations of

    source and destination field components (see Chapter 5, Using the Class Manager).

    Template Manager: Enables you to create and edit ACL templates (see

    Chapter 6, Using the Template Manager).

    Use Wizard and its variants: Enable you to define ACL uses (see

    Chapter 12, ACL Manager Use Wizard).

    Job Browser: Displays the status of download jobs (see Chapter 15, Scheduling and Downloading).


    Downloader: Enables you to schedule and download the modified ACL and

    ACL Use statements and/or changes in meta-information such as comments,

    and template include statement creations, to devices (see Chapter 15,

    Scheduling and Downloading).

    Optimizer: Enables you to examine an ACL to see if optimization is possible

    after an ACL has been created or edited (see Chapter 16, Optimizing

    ACLs).

    Hits Optimizer: Reorders ACEs within an ACL in accordance with the

    hit-rate (see Chapter 16, Optimizing ACLs).

    Diff Viewer: Displays the configuration changes you have made to ACLs

    (see Chapter 16, Optimizing ACLs).
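
    The Class Manager entry above says class definitions spare you from entering one command for every combination of source and destination components. The following sketch is an added illustration, not ACL Manager's code or its output: it expands one class-based (logical) ACE into the physical IOS extended access-list lines it stands for. The class names, addresses, and ACL number are constructed sample values, and only IPv4 addresses and networks are handled.

```python
import ipaddress
from itertools import product

# Constructed sample classes (hypothetical names, documentation addresses).
NETWORK_CLASSES = {
    "branch-lans": ["10.1.0.0/16", "10.2.0.0/16"],
    "web-servers": ["192.0.2.10", "192.0.2.11"],
}
# A service class as named, inclusive port ranges.
SERVICE_CLASSES = {
    "web": [(80, 80), (443, 443), (8000, 8080)],
}


def ios_address(member):
    """Render one network-class member as an IOS source/destination field."""
    # strict=True rejects entries such as 10.1.0.5/16, where a mistyped mask
    # would otherwise silently widen the match to the whole /16.
    net = ipaddress.IPv4Network(member, strict=True)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # wildcard (inverse) mask


def ios_ports(low, high):
    """Render one inclusive port range as an IOS port operator."""
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port range {low}-{high}")
    return f"eq {low}" if low == high else f"range {low} {high}"


def expand_ace(acl_number, action, protocol, src_class, dst_class, svc_class,
               networks=NETWORK_CLASSES, services=SERVICE_CLASSES):
    """Return the physical ACEs for one logical, class-based ACE."""
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, not {action!r}")
    if protocol not in ("tcp", "udp"):
        raise ValueError("services are TCP or UDP ports")
    combos = product(networks[src_class], networks[dst_class],
                     services[svc_class])
    return [
        f"access-list {acl_number} {action} {protocol} "
        f"{ios_address(src)} {ios_address(dst)} {ios_ports(low, high)}"
        for src, dst, (low, high) in combos
    ]


if __name__ == "__main__":
    physical = expand_ace(101, "permit", "tcp",
                          "branch-lans", "web-servers", "web")
    print(f"1 logical ACE -> {len(physical)} physical ACEs")
    for line in physical:
        print(line)
```

    The count is what to watch during review: two sources, two destinations, and three port ranges already produce twelve ACEs, so adding one member to a class changes many lines on the device at once.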

    ACL Manager Privilege Levels

    ACL Manager incorporates the privilege levels defined by Resource Manager

    Essentials.

    ACL Manager tasks require various privilege levels, and your ability to perform

    these tasks depends on your assigned privilege level. You should contact your system administrator to find out your privilege level and which tasks you can

    access.

    ACL Manager tasks are usually performed with network operator or network

    administrator privileges. You can view the tasks that can be performed at each

    level by going to the CiscoWorks desktop and selecting

    Server Configuration > Setup > Security > Permission Reports.

    Level    Directory    Description
    0        HD           Help Desk
    1        AP           Approver
    2        NO           Network Operator
    4        NA           Network Administrator
    8        SA           System Administrator


    Privilege Levels and Tasks

    This table describes the various privilege levels and their respective tasks:

    Privilege Level          Task
    Network Operator         View ACLs
                             Use ACL Templates
                             Browse Download Jobs: browse and cancel download jobs
    Approver                 Approve/Reject Job Downloads
                             View ACLs
    Network Administrator    Edit ACLs: create and edit ACLs
                             Schedule Downloads
                             Edit ACL Templates
                             Edit Class Definitions
                             Reset Hit Counter
                             View ACLs

    Chapter 2 ACL Definitions and Uses

    This chapter explains how to define and use ACLs and ACL templates and describes

    ACL use. The topics covered are:

    Creating ACLs and Templates

    ACL and Template Attributes

    ACL Properties (Use Details)

    ACL Uses

    Creating ACLs and Templates

    You can create ACLs in several ways:

    Using a combination of the ACL Editor and the ACE Editor.

    Using the cut, copy, and paste features; by cutting or copying ACLs or ACEs

    from one device or ACL and then pasting them to other devices or ACLs.

    Using the import feature to import ACLs. ACL Manager allows you to import

    Cisco device configurations that conform to the IOS, Catalyst OS and PIX

    formats, from an external source.

    Similarly, there are several ways you can create templates:

    Using the Template Manager in the same way that you create an ACL using

    the Template Editor and the ACE Editor.

    Saving portions of an ACL (a set of ACEs) as a template.


    Saving an existing ACL as a template.

    Importing ACEs and saving them as a template.

    ACL and Template Attributes

    Each ACL or template has the following attributes:

    Attribute      Description
    Name/Number    Name or number of the ACL (IOS or PIX), or the ACL template.
                   For a VACL, number is not applicable.
    Version        Version and the state of the ACL. For example, Checked In, Checked Out.
    Type           Associated ACL type (see Name, Number, and Type Attributes).

    After you start ACL Manager (see Chapter 3, Getting Started), you can use the

    following procedure to view the ACL definitions for a particular device.

    To view ACLs and their attributes:

    Procedure

    Step 1 Expand the Devices folder in the ACL Manager Main Window.

    Step 2 Select the device, and then select ACL Definitions.

    The ACLs and their attributes appear in the right pane (see Figure 2-1).

    Figure 2-1 Displaying ACL Definitions

    Name, Number, and Type Attributes

    Each ACL must be identified by a name or a number. A number used to identify

    an ACL must be within a specified range of numbers that is valid for the ACL type

    (see the following table).

    IOS and PIX ACLs can be identified by either a name or a number. VACLs are identified by name only.

    You have the option of letting the ACL Manager select a number for you (the

    Autonumber feature). If you select Autonumber, ACL Manager uses the first

    available number in the appropriate range to identify the ACL.

    ACL Type Range

    IP Standard 1 to 99 (also 1300 to 1399 in some IOS

    versions).

    IP Extended 100 to 199 (also 2000 to 2699 in some

    IOS versions).
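    The range check and the Autonumber rule described above, for the IP Standard and IP Extended types, as an added example that is not part of the guide and is not ACL Manager's own code. The function names and the sample configuration are assumptions made for illustration; the `expanded` flag models the "some IOS versions" wording of the table.

```python
import re

# Number ranges for the two IP ACL types, copied from the guide's table.
# The second range of each type is valid only "in some IOS versions".
RANGES = {
    "IP Standard": [(1, 99), (1300, 1399)],
    "IP Extended": [(100, 199), (2000, 2699)],
}

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 deny any
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 100 permit tcp any host 10.0.0.5 eq 443
access-list 101 deny ip any any
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
"""


def usable_ranges(acl_type, expanded):
    """Ranges to consider; expanded=False models IOS versions without the second range."""
    ranges = RANGES[acl_type]
    return ranges if expanded else ranges[:1]


def classify(number, expanded=True):
    """Return the ACL type whose range contains number, or None if it fits no range."""
    for acl_type in RANGES:
        if any(lo <= number <= hi for lo, hi in usable_ranges(acl_type, expanded)):
            return acl_type
    return None


def used_numbers(config):
    """Numbers of the numbered ACLs defined in an IOS configuration (named ACLs are skipped)."""
    return {int(n) for n in re.findall(r"^access-list\s+(\d+)\s", config, re.M)}


def autonumber(acl_type, used, expanded=True):
    """First number in the type's range(s) that is not already in use."""
    for lo, hi in usable_ranges(acl_type, expanded):
        for candidate in range(lo, hi + 1):
            if candidate not in used:
                return candidate
    raise ValueError(f"no free {acl_type} ACL number left")


if __name__ == "__main__":
    used = used_numbers(SAMPLE_CONFIG)
    print("in use:", sorted(used))
    print("next IP Standard:", autonumber("IP Standard", used))
    print("next IP Extended:", autonumber("IP Extended", used))
```

    A number that `classify` maps to a different type than the one intended is the case the range rule exists to prevent: on a device, the number alone decides how the list is interpreted.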


    | ACL Type | Range |
    |---|---|
    | Rate Limit MAC | 1 to 99 |
    | Rate Limit Precedence | 100 to 199 |

    Named ACLs are not supported on some versions of device IOS. In that case, the ACL name is shown with an automatically generated number appended to the name and enclosed in parentheses.

    For Rate Limit ACLs, ACL Manager distinguishes the ACL from a standard IP ACL by appending the string rate-limit to the number.

    Other Attributes

    In addition to the Name/Number and Type attributes, the Version attribute is displayed in the ACL Manager Main Window. The Version column of the window displays the versions of the ACLs in the ACL Definitions folder and also their state, that is, whether the ACLs are checked in, checked out, and so on.

    ACL Properties (Use Details)

    Certain elements in ACL Manager, such as devices, ACLs, and router interfaces, have associated properties. For an ACL, the properties that you see are actually its Use details, as shown in the following table:

    | Property | Description |
    |---|---|
    | ACL Uses | Uses defined for the ACL. |
    | Use Context | Context for the Use. |
    | IOS/Catalyst OS Command | IOS/Catalyst OS command that implements the Use. |
    | Description | Description of the Use, taken from the IOS/Catalyst OS reference manual. You cannot change this description. |


    After you start ACL Manager (see Chapter 3, Getting Started), follow this procedure to view the ACL properties for a particular device.

    Procedure

    Step 1 Expand the Devices folder in the ACL Manager Main Window.

    Step 2 Select the device, then expand ACL Definitions.

    Step 3 Right-click on the required ACL, then select Properties.

    The ACL Properties window appears (see Figure 2-2).

    Figure 2-2 ACL Properties Window - Supported ACL Uses

    Unsupported ACL Uses are shown as OTHER (see Figure 2-3).

    Figure 2-3 ACL Properties Window - Unsupported ACL Uses


    Tip You can also view the properties by selecting the ACL to be examined and then selecting the toolbar button or View > Properties from the ACL Manager Main Menu.

    ACL Uses

    You can define ACL Uses for line access, packet filtering, SNMP community access, SNMP TFTP server, and VLAN packet filtering.

    You can view ACL Uses of other types, such as router, route-map, and crypto-map, using ACL Manager.

    Use Modes and Contexts

    ACL Manager detects the Use modes for ACLs in a selected device. Depending on which Uses ACL Manager detects, the following modes can appear when you select ACL Uses in the left pane:

    Global

    Router

    Route Map

    Crypto Map

    Line

    Interface

    VLAN

    These modes correspond to router configuration modes in IOS. Except for configuration mode global, all Use modes can have one or more Use contexts associated with them. Use contexts for line and interface are the actual vtys or lines and interfaces existing on the router.
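    How Use modes and Use contexts map onto an IOS configuration, as an added example that is not part of the guide and is not ACL Manager's own code. It handles the Global, Interface, Line, Router, Route Map and Crypto Map modes; the function names, the command patterns chosen and the sample configuration are assumptions made for illustration.

```python
import re

# Lines that open a Use context, mapped to the Use mode named in the guide.
CONTEXTS = [
    (re.compile(r"^interface\s+(.+)"), "Interface"),
    (re.compile(r"^line\s+(.+)"), "Line"),
    (re.compile(r"^router\s+(.+)"), "Router"),
    (re.compile(r"^route-map\s+(.+)"), "Route Map"),
    (re.compile(r"^crypto map\s+(.+)"), "Crypto Map"),
]
# IOS commands that reference an ACL; group 1 is the ACL name or number.
USES = [re.compile(p) for p in (
    r"^ip access-group\s+(\S+)\s+(?:in|out)\b",          # packet filtering
    r"^access-class\s+(\S+)\s+(?:in|out)\b",             # line access
    r"^snmp-server community\s+\S+\s+(?:view\s+\S+\s+)?(?:RO|RW|ro|rw)\s+(\S+)",
    r"^snmp-server tftp-server-list\s+(\S+)",
    r"^distribute-list\s+(\S+)\s+(?:in|out)\b",          # router
    r"^match ip address\s+(\S+)",                        # route map
    r"^match address\s+(\S+)",                           # crypto map
)]
NOT_AN_ACL = {"prefix-list", "prefix", "gateway", "route-map"}

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 20 permit 10.2.0.0 0.0.255.255
access-list 101 permit tcp any any eq 22
access-list 150 deny ip any any
ip access-list extended EDGE-IN
 permit tcp any host 192.0.2.10 eq 443
!
snmp-server community monitor RO 10
!
interface Ethernet0
 ip access-group 101 in
!
interface Ethernet1
 ip access-group EDGE-IN in
 ip access-group 120 out
!
router rip
 distribute-list 20 in
!
line vty 0 4
 access-class 10 in
"""


def acl_uses(config):
    """Return (mode, context, acl, command) for every ACL reference found."""
    mode, context, uses = "Global", None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # top-level line: opens a context or is Global
            mode, context = "Global", None
            for pattern, name in CONTEXTS:
                found = pattern.match(line)
                if found:
                    mode, context = name, found.group(1)
                    break
        for pattern in USES:
            found = pattern.match(line)
            if found and found.group(1) not in NOT_AN_ACL:
                uses.append((mode, context, found.group(1), line))
                break
    return uses


def audit(config):
    """Compare the ACLs a configuration defines with the ACLs it uses."""
    defined = set(re.findall(r"^access-list\s+(\d+)\s", config, re.M))
    defined |= set(re.findall(r"^ip access-list\s+(?:standard|extended)\s+(\S+)", config, re.M))
    used = {acl for _mode, _context, acl, _command in acl_uses(config)}
    return {"undefined": sorted(used - defined), "unused": sorted(defined - used)}
```

    On the sample, `audit` reports ACL 120 as used on Ethernet1 but never defined, and ACL 150 as defined but used nowhere; both are findings worth reviewing before a configuration is downloaded to a device.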


    Use this procedure to view ACL Use information for a particular device:

    Procedure

    Step 1 Expand the Devices folder in the ACL Manager Main Window, select the device, then expand ACL Uses.

    Step 2 Expand the mode (for example, Interface).

    Step 3 Select the specific context to be displayed (for example, Ethernet0).

    Information about the ACL Use appears in the right pane (see Figure 2-4).

    Figure 2-4 Displaying ACL Use Mode - Interface


    The attributes of the ACL Use information are:

    | Attribute | Description |
    |---|---|
    | ACLs | ACL used in this context. |
    | IOS Command | IOS command that implements the use. |
    | Description | Description of the Use, taken from the IOS reference manual. You cannot change this description. |

    Chapter 3: Getting Started

    ACL Manager provides you with a launch point for performing many of the tasks

    involved with ACL management.

    These topics describe how to get started with ACL Manager:

    Before You Begin

    ACL Manager Functions

    Starting ACL Manager

    Printing

    Navigating in the ACL Manager Main Window

    Using the Device State Icons

    ACL Manager Menus

    Using the Toolbar

    Using Keyboard Shortcuts

    Performing a Complete Workflow Cycle

    Managing Out-of-Band Changes to Device Configuration

    Backing Up and Restoring ACL Manager Data


    Before You Begin

    Before you can begin using the ACL Manager applications or tools, you must ensure that:

    ACL Manager server has been installed on a server machine with RME already installed (see Setting Up Resource Manager Essentials).

    The RME Inventory application has been updated with device information for those devices whose ACLs you intend to manage with ACL Manager.

    Enable the Role-based Access Control feature, if required. (For details about how to enable this feature, see the Installation Guide for ACL Manager).

    Note We strongly recommend that you become familiar with the discussion of ACL Terms and Definitions in Chapter 1 before proceeding further.

    Setting Up Resource Manager Essentials

    You must have Resource Manager Essentials (RME) installed and running in order to use ACL Manager. In addition, you must populate the device inventory with those devices to be managed by ACL Manager.

    To set up Resource Manager Essentials:

    Procedure

    Step 1 Install and start RME.

    See the appropriate RME installation guide for details.

    Step 2 From the CiscoWorks desktop, select Resource Manager Essentials > Administration > Inventory > Add Devices to populate your network inventory with the devices to be managed by the ACL Manager.

    Step 3 Ensure that Java, JavaScript, and Accept all cookies are enabled in your browser settings.

    If these settings are not enabled, you will not be able to log in to RME.


    ACL Manager Functions

    The ACL Manager functions are located in the ACL Manager drawer on the CiscoWorks desktop. See Figure 3-1.

    Figure 3-1 ACL Manager

    The options available within the ACL Manager drawer are:

    Edit ACLs

    Edit ACL Templates

    Edit Class Definition

    Out-of-Band Changes

    Job Management

    ACL Manager Reports

    Administration

    Each ACL Manager selection launches an application or performs an operation

    from the set of tools provided by ACL Manager.


    Table 3-1 describes each task, the associated tool, and the launch point from the ACL Manager drawer on the CiscoWorks desktop:

    Table 3-1

    | Task | Tool | ACL Manager Launch Point |
    |---|---|---|
    | Creating and editing ACLs | ACL Manager | Edit ACLs |
    | Creating, editing, and viewing ACL templates | Template Manager | Edit ACL Templates |
    | Creating services, service classes, networks and network classes | Class Manager | Edit Class Definition |
    | Listing Out-of-Band changes | ACL Manager | Out-of-Band Changes |
    | Handling Out-of-Band changes | ACL Manager | Edit ACLs |
    | Managing ACL Manager jobs (using the Job Browser or the Pending Marks Browser.) | ACL Manager | Job Management |
    | Generating ACL Manager reports | ACL Manager | ACL Manager Reports |
    | Administering ACL Manager (resetting the hit counter). If Role-based Access Control and Change Approval have been enabled, the administrative tasks associated with these features also appear here. | ACL Manager | Administration |

    Table 3-2 describes the subtasks, and the launch points, from the ACL Manager drawer on the CiscoWorks desktop:

    Table 3-2

    | Subtask | Navigation Path |
    |---|---|
    | Browsing, deleting, and resubmitting jobs | ACL Manager > Job Management > Job Browser |
    | Viewing changed entities that are marked for downloading, scheduling downloads of marked entities | ACL Manager > Job Management > Pending Marks Browser |
    | Generating Time Range Changes report | ACL Manager > ACL Manager Reports > Time Range Changes |


    Table 3-2 (continued)

    | Subtask | Navigation Path |
    |---|---|
    | Generating Out-of-Band Changes report | ACL Manager > ACL Manager Reports > Out-of-Band Changes |
    | Resetting device hit counters before using Hits Optimizer | ACL Manager > Administration > Reset Hit Counter |

    Table 3-3 provides the launch points for the Role-based Administration task and its subtasks, from the ACL Manager drawer on the CiscoWorks desktop.

    Note These tasks and sub-tasks appear within the ACL Manager drawer only if you have enabled Role-based Access Control at the time of installing ACL Manager.

    To enable Role-based Access Control, see the Installation Guide for ACL Manager.

    Table 3-3

    | Rolebased Administration Task | Navigation Path |
    |---|---|
    | Role-based Administration | ACL Manager > Administration > Rolebased Administration. |
    | Rolebased Administration Subtask | Navigation Path |
    | User Management Subtask | |
    | Creating user groups | ACL Manager > Administration > User Management > Create User Group |
    | Modifying user groups | ACL Manager > Administration > User Management > Modify User Group |
    | Deleting user groups | ACL Manager > Administration > User Management > Delete User Group |
    | Viewing all user groups | ACL Manager > Administration > User Management > Show All User Groups |
    | Device Management Subtask | |
    | Creating device groups | ACL Manager > Administration > Device Management > Create Device Group |
    | Modifying device groups | ACL Manager > Administration > Device Management > Modify Device Group |


    Table 3-3 (continued)

    | Rolebased Administration Subtask | Navigation Path |
    |---|---|
    | Deleting device groups | ACL Manager > Administration > Device Management > Delete Device Group |
    | Viewing all device groups | ACL Manager > Administration > Device Management > Show All Device Groups |
    | Task Management Subtasks | |
    | Assigning or modifying tasks | ACL Manager > Administration > Tasks Management > Assign/Modify Tasks |

    Table 3-4 provides the launch points for the Change Approval task and its subtasks, from the ACL Manager drawer on the CiscoWorks desktop.

    Note These tasks and sub-tasks appear within the ACL Manager drawer only if you have enabled Change Approval at the time of installing ACL Manager.

    To enable Change Approval, see the Installation Guide for ACL Manager.

    Table 3-4

    | Change Approval Task | Navigation Path |
    |---|---|
    | Change Approval | ACL Manager > Administration > Change Approval |
    | Change Approval Subtask | Navigation Path |
    | Approving or rejecting changes to ACL Manager entities | ACL Manager > Administration > Change Approval > Approve Reject Changes |
    | Viewing processing changes | ACL Manager > Administration > Change Approval > Processed Changes |
    | Configuring change approval | ACL Manager > Administration > Change Approval > Configure Change Approval |

    Table 3-5 provides the launch points for the Reports for Change Approval and Role-Based Access Control, from the ACL Manager drawer on the CiscoWorks desktop.

    Note These ACL Manager Reports appear within the ACL Manager drawer only if you have enabled Role-based Access Control or Change Approval at the time of installing ACL Manager.

    To enable Role-based Access Control or Change Approval, see the Installation Guide for ACL Manager.

    Table 3-5

    | Task | Navigation Path |
    |---|---|
    | Generating Change Approval Status report | ACL Manager > ACL Manager Reports > Change Approval Status |
    | Generating Approver Group Mapping report for devices | ACL Manager > ACL Manager Reports > Approver Group Mapping |
    | Generating My Task Mapping report | ACL Manager > ACL Manager Reports > My Task Mapping |
    | Generating Task Mapping report | ACL Manager > ACL Manager Reports > Task Mapping |
    | Generating My User Group Membership report | ACL Manager > ACL Manager Reports > My User Group Membership |
    | Generating User Group Membership report | ACL Manager > ACL Manager Reports > User Group Membership |


    Starting ACL Manager

    ACL Manager uses Java Plug-in. This plug-in improves the performance of ACL Manager, and it is provided with the CiscoWorks application (see the topic Installing the Java Plug-in in Chapter 3 of User Guide for CiscoWorks Server).

    To start ACL Manager:

    Procedure

    Step 1 Select ACL Manager > Edit ACLs.

    The ACL Manager Main Window appears (see Figure 3-2).

    Figure 3-2 ACL Manager Main Window

    Note In some browser versions, you will get a security warning asking for permission to install and execute some code from Cisco Systems. Select Yes to proceed.

    The ACL Manager Main Window is a central point within ACL Manager for managing ACL Manager entities such as ACLs, time ranges, ACL uses, object groups, etc. You can also store imported entities, view and manage your specific changes to ACL Manager entities, and resolve Out-of-Band changes. For more information see Navigating in the ACL Manager Main Window.

    Step 2 Navigate to the Root > Devices folder.

    Step 3 Right-click on the Devices folder and select Add Device(s) from the pop-up menu. For more information, see Populating the Devices Folder.

    The Device Selector dialog box appears.

    Step 4 Select a device view from the Views column, for example, All Devices.

    The devices corresponding to the selected view appear in the Devices column.

    Step 5 Select the required devices from the Devices column, then click Add.

    The devices appear in the Selected Devices column.

    Step 6 Click OK.

    The selected devices appear in the Devices folder of the ACL Manager Main Window.

    Populating the Devices Folder

    You can add devices to your Devices folder using the Add Devices option. You can select one, many, or all devices from a selected device view. (A view is a named set of devices.)

    You can also populate the Devices folder using the Open Device View option. You

    can open a required Device View and get the entire list of devices in that view, in

    your Devices folder in the ACL Manager Main Window. You cannot select a

    subset of devices from a selected view, using the Open Device View option.

    For details see Opening a Device View.

    To add devices, in the ACL Manager Main Window:

    Procedure

    Step 1 Right-click on the Devices folder and select Add Device(s) from the pop-up menu.

    The Device Selector dialog box appears with these options:

    Filter: Allows you to select devices using basic and custom filter criteria. The basic filter criteria allows you to filter by domain name, device type, or software version. The custom filtering option allows you to define your own filter criteria. If you check the User Filter option, all future view selections will use the current filter settings.

    Previous Selection: Lists previously selected devices.

    All Devices: Lists all managed devices already integrated into the server.

    My Private Views: Lists the private device views that you have created. A Private View contains the groups of devices that you had previously saved as a Private view. See Saving a Device View.

    Custom Views: Lists the custom device views that you and other users have created.

    System Views: Lists pre-defined, dynamic device views (by device category).

    Step 2 Select a device view from the Views column, for example, My Private Views.

    The devices corresponding to the selected view appear in the Devices column.

    Step 3 Select all the devices from the view, or a subset of the devices in the view, and click Add.

    The devices appear in the Selected Devices column.

    Step 4 Click OK.

    The selected devices appear in the Devices folder of the ACL Manager Main Window.

    Deleting Devices

    Deleting a device from the Devices folder in the ACL Manager Main Window will not delete any changes that you may have made to the device. These changes are stored in the My Changes folder of the ACL Manager Main Window.

    To delete a device from the Devices folder:

    Procedure

    Step 1 Select the device and press the Delete key on your keyboard.

    A message appears that deleting the device will not delete your changes:

    Deleting the selected devices will not delete your changes. All your changes are still available in the My Changes folder. Do you want to continue?

    Step 2 Confirm the deletion by clicking OK in the message box.

    The device is deleted. However, your changes to the device are stored in the My Changes folder in the ACL Manager Main Window.

    In the My Changes folder, if you select a change made to a deleted device and select File > Explore from the ACL Manager Main Menu, the deleted device is restored to the Devices folder.

    Saving a Device View

    You can save a set of devices in the ACL Manager Main Window, as a private or

    custom Device View.

    Procedure

    Step 1 Select the Devices folder in the ACL Manager Main Window, and right-click on it.

    A pop-up menu appears.

    Step 2 Select Save As Device View.

    The Save As Private/Custom Static Device View dialog box appears.

    Step 3 Select the View type: Custom or Private.

    Custom View: View that you or other users can select.

    Private View: View that only you can select.

    Step 4 Enter a name for the view.

    You can also enter a description for the view.

    To overwrite an existing view, select Overwrite an existing view.

    Step 5 Click OK.

    Opening a Device View

    You can open a required Device View and get the entire list of devices in that view,

    in your Devices folder in the ACL Manager Main Window.

    Procedure

    Step 1 Select the Devices folder in the ACL Manager Main Window, and right-click on it.

    A pop-up menu appears.

    Step 2 Select Open Device View.

    The Device Selector dialog box appears.

    You can select a view from the following views in the Devices column:

    My Private Views: Lists the device views that you have created. A Private View contains the groups of devices that you had previously saved as a Private view. See Saving a Device View.

    Custom Views: Lists the custom device views that you and the other users have created.

    System Views: Lists pre-defined, dynamic device views (by device category).

    After you select a view, the devices in the view appear in the Devices column. You cannot select a subset of devices from a view.

    Step 3 Click OK.

    All the devices in the view that you selected appear in the Devices folder in the ACL Manager Main Window.

    Navigating in the ACL Manager Main Window

    The ACL Manager Main Window is shown in Figure 3-3.

    Figure 3-3 ACL Manager Main Window - Folders Expanded

    The following table describes the ACL Manager Main Window:

    Item Description

    Folder (left

    pane)

    Displays a hierarchy of folders within the Root folder:

    My Changes (see My Changes Folder).

    Imported Entities (see Imported Entities Folder).

    Devices