ACL Manager_UserGuide.pdf
Transcript of ACL Manager_UserGuide.pdf
-
8/10/2019 ACL Manager_UserGuide.pdf
1/511
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
User Guide for ACL Manager
Software Release 1.6
CiscoWorks
Customer Order Number: DOC-7816005=
Text Part Number: 78-16005-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks
of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet,
ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo,
Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel,
EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys,
MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar,
ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient,
TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0402R)
User Guide for ACL Manager
Copyright 2004 Cisco Systems, Inc. All rights reserved.
Contents
Preface
Audience
Conventions
Product Documentation
Related Documentation
Additional Information Online
Obtaining Documentation
Cisco.com
Ordering Documentation
Documentation Feedback
Obtaining Technical Assistance
Cisco TAC Website
Opening a TAC Case
TAC Case Priority Definitions
Obtaining Additional Publications and Information

CHAPTER 1 ACL Manager Overview
ACL Terms and Definitions
What is ACL Manager?
ACL Manager Components
Benefits of ACL Manager
ACL Manager Functionality
ACL Manager Tools
ACL Manager Privilege Levels
Privilege Levels and Tasks

CHAPTER 2 ACL Definitions and Uses
Creating ACLs and Templates
ACL and Template Attributes
Name, Number, and Type Attributes
Other Attributes
ACL Properties (Use Details)
ACL Uses
Use Modes and Contexts

CHAPTER 3 Getting Started
Before You Begin
Setting Up Resource Manager Essentials
ACL Manager Functions
Starting ACL Manager
Populating the Devices Folder
Deleting Devices
Saving a Device View
Opening a Device View
Navigating in the ACL Manager Main Window
My Changes Folder
Imported Entities Folder
Devices Folder
Out-of-Band Changes Folder
Using the Find Feature
ACL Manager Menus
File Menu
Edit Menu
View Menu
ACL Menu
Versioning Menu
Tools Menu
Using the Device State Icons
Using the Toolbar
Using Keyboard Shortcuts
Keyboard Shortcuts for ACL Manager Window
Keyboard Shortcuts for ACL Manager Dialog Boxes - Windows
Keyboard Shortcuts for ACL Manager Dialog Boxes - Solaris
Printing
Performing a Complete Workflow Cycle
Verifying Device Configuration Changes
Downloading the Changes to the Devices
Verifying That the Download was Successful
Managing Out-of-Band Changes to Device Configuration
Checking for Out-of-Band Changes on Devices
Viewing the Out-of-Band Changes Report
Resolving Out-of-Band Changes
High-level Workflow for Resolving Out-of-Band Changes
Resolving Out-of-Band Changes Based on Their Type
Using the Diff/Merge with Out-of-Band Changes Dialog Box and Merge Editor
Backing Up and Restoring ACL Manager Data
Device Support in ACL Manager

CHAPTER 4 Viewing and Editing ACLs
Creating ACLs
Creating a New ACL by Copying and Pasting an Existing ACL
Versioning ACLs
Defining ACL Uses
Viewing Existing ACLs
Editing ACLs
Deleting ACLs
Manipulating ACEs
Inserting a New ACE
Appending a New ACE
Inserting a Template
Appending a Comment
Inserting a Comment
Downloading Comments
Making Remark ACEs Downloadable
Reordering ACEs
Editing ACEs
Specifying Source and Destination Addresses
Specifying Source and Destination Ports
Specifying Protocol
Specifying ICMP-Type
Using the ACE Editor Buttons
Editing IP ACE Attributes
Editing IP Extended ACE Attributes
Editing IP Extended General Attributes
Editing IP Extended Advanced Attributes
Editing IP Extended Other Attributes
Editing RATE LIMIT MAC ACE Attributes
Editing RATE LIMIT PRECEDENCE ACE Attributes
Saving ACEs as a Template
Viewing the Configuration Changes
Optimizing the ACL
Using Time Range Definitions
Versioning Time Range Definitions
Creating a Time Range Definition
Time Range Definition Absolute
Time Range Definition Periodic
Time Range Definitions Absolute and Periodic
Editing a Time Range Definition
Associating an ACE with a Time Range
Viewing Associated ACLs on the Device
Configuring the Time Zone on a Device
Downloading Time-based ACEs to the Device
Expiry Type for Time-based ACEs
Automatic Expiry
Manual Expiry
Time Range E-mail Notification
Configuring Time Range E-mail
Time Range E-mail Format
Marking ACLs for Download
Printing the ACL/ACE
Managing VLAN Access Control Lists (VACLS)
Editing VACEs
Editing IP VACE Attributes
Editing MAC VACE Attributes
Creating Object Groups for PIX ACLs

CHAPTER 5 Using the Class Manager
Class Manager Overview
Class Manager Editors
Starting the Class Manager
Using the Class Manager Toolbar
Creating and Inserting Class Folders
Using Services and Service Classes
Workflow for Using Service Classes
Creating a Service Class
Editing a Service Class
Using Network Classes
Workflow for Using Network Classes
Creating a Network Class
Editing a Network Class
Marking a Master Version of a Class
Identifying Class Uses
Identifying Service Class Uses
Identifying Network Class Uses
Handling Invalid Class Uses
Using the Class Manager: Example

CHAPTER 6 Using the Template Manager
Starting the Template Manager
Using the Template Manager Toolbar
Static Templates and Variable Templates
The Workflow for Templates
Workflow for a Static Template
Workflow for a Variable Template
Creating Templates
Creating a Static Template and Adding ACEs
Creating a Variable Template and Adding ACEs
Creating a Variable Template Instance and Assigning Values
Reconciling Instances of Variable Templates
Including Another Template Within Your Template
Marking a Master Version of a Template or an Instance
Editing an Existing Template
Editing the Contents of a Template
Creating and Inserting Template Folders
Using a Template in an ACL
Identifying Devices and Templates That Use an ACL Template
Handling Invalid Template Device Uses and Template Nested Uses
Updating Logical Entities
Saving Selected Template ACEs as a New Template
Viewing the Template Device Use Summary
Deleting a Template

CHAPTER 7 Creating and Using Policies
Role-based Access for Policies
Creating a Policy
Verifying an ACL/Template Against a Policy
Viewing Policy Verification Details
Mandating Policy Verification

CHAPTER 8 Searching for and Replacing ACLM Entities
Searching for Entities
Search Results Pane
Using the ACL Manager Device Selector
Using the Template Folder Browser
Forming a Search Filter
Regular Expressions
Operators
List of Search Attributes
Using the Standard Search Context GUI
Replacing Entities
Undoing a Check Out
Using the Standard Replace Context GUI

CHAPTER 9 Controlling Access Using ACL Manager Roles
Populating ACL Manager with Role-based Data
Adding Users
Adding Devices
Managing User Groups
Creating a User Group
Modifying a User Group
Deleting a User Group
Viewing all User Groups
Managing Device Groups
Creating a Device Group
Modifying a Device Group
Deleting a Device Group
Viewing all Device Groups
Managing Tasks
Task Relationships
Assigning Device Groups to Tasks or Modifying Assignments
Using the Open User Group Option

CHAPTER 10 Versioning ACL Manager Entities
Versioning Workflow
Version Indicators
Getting the Latest Version of an Entity
Getting a Specific Version of an Entity
Checking Out Entities
Checking Out a Specific Version of an Entity
Undoing the Check Out of an Entity
Checking In Entities
Merging a Branch With a Main Line Version
Merging Using the Merge Editor
Merging Using the Merge Editor: Example
Merging Without Using the Merge Editor
Merging Without Using the Merge Editor: Example
Viewing the Version Graph of an Entity
Comparing an Entity with its Latest Version
Comparing Any Two Versions of an Entity
Viewing Version Details of an Entity
Viewing Details of a Specific Version of an Entity
Viewing the Versioning History of an ACL Manager Entity
Using the Version Diff Viewer

CHAPTER 11 Approving or Rejecting Changes
Processing Change Requests
Viewing Pending Change Requests
Approving or Rejecting Change Requests
Change Request Status
Viewing Details of a Changed Entity
Viewing Processed Changes
E-mail Notification of Change
Enabling or Disabling Change Approval
CHAPTER 12 ACL Manager Use Wizard
Defining ACL Uses
Defining an ACL Use with the Use ACL Wizard
Selecting Interfaces, Lines, SNMP Community Settings or VLANS
Selecting Interfaces for Packet Filtering with the Use ACL Wizard
Selecting Lines for Line Access with the Use ACL Wizard
SNMP Community Settings with the Use ACL Wizard
Selecting VLANs for VLAN Packet Filtering with Use ACL Wizard
Completing the Use ACL Wizard Summary
Displaying Use ACL Wizard Results
Applying an ACL Template to a Specific Device
Selecting a Template with the Template Use Wizard
Selecting a Device
Displaying ACL Creation Results (Single Device)
Applying an ACL Template to Multiple Devices
Selecting a Template
Selecting the Devices
Displaying ACL Creation Results (Multiple Devices)
Defining ACL Uses for Multiple Devices
Selecting Interfaces with the Template Use Wizard
Selecting Lines with the Template Use Wizard
SNMP Community Settings with the Template Use Wizard
Selecting VLANs for VLAN Packet Filtering with Template Use Wizard
Using the Use Wizard to Address Vulnerability in Your Network: Example

CHAPTER 13 Importing Configuration
Uploading the Configuration and Viewing the Import Summary
Using the File Browser
Using the Config Editor
Pasting Imported Entities onto a Device
Pasting an Imported ACL onto a Device
Pasting Imported ACEs and Comments onto a Device
Pasting Imported ACEs as a Template
Using the File Import Command Line Tool
Example: File Import Command Line Tool Usage

CHAPTER 14 Validating ACEs
Performing a Validation Check on a Logical Entity
Viewing ACE Validation Details
Validating Modified ACEs

CHAPTER 15 Scheduling and Downloading
Enabling Job Approval
Scheduling Downloads
Selecting the Devices and the Changed Entities
Defining the Job and Selecting the Job Options
Scheduling the Download Using the Job Download Wizard
Viewing the Job Summary
Browsing Job Status and Viewing Results
Marking Changes for Download
Viewing Pending Marks
Scheduling Job Downloads Using the Job Browser
Job Management Integration
Rescheduling Jobs
Canceling Pending Jobs and Purging Old Jobs
What to Do if Your Download Fails
CHAPTER 16 Optimizing ACLs
ACL Optimizer and Hits Optimizer
ACL Optimizer
ACL Hits Optimizer
Using the ACL Optimizer
Using the ACL Hits Optimizer
Resetting Hit Counters
Getting Hits from a Device

CHAPTER 17 Generating Reports in ACL Manager
Time Range Events in Selected Time Frame Report
Change Approval Status Report
Out-of-Band Changes Report
Role-based Access Control Reports
Approver Group Mapping for Devices and Device Groups
My Task Mapping Report
Task Mapping Report
My User Group Membership Report
User Group Membership Report

CHAPTER 18 Troubleshooting ACL Manager

CHAPTER 19 ACL Manager Usage Scenarios
Tracking and Mitigating Network Vulnerabilities
Prerequisites
Handling Vulnerabilities
Importing the Published ACL into ACL Manager
Creating a Template Using the Imported ACL
Deploying the Template on Devices
Deploying the ACL on the Devices
Tracking the Template Changes
Modifying the Template in case of New Vulnerabilities and Deploying the Changes
Easy Deployment and Tracking of ACLs for Partner Networks
Prerequisites
Creating a Variable Template
Creating Variable Template Instances
Using Variable Template Instances
Tracking Instances
Using DNS Names in an ACE and Deploying Updated DNS-IP Mappings
Prerequisites
Using DNS Names in an ACE
Deploying Updated DNS Name - IP Mappings

INDEX
Preface
User Guide for ACL Manager describes how to use the Access Control List
(ACL) Manager, a software tool for the management of access control lists on
Cisco routers, Catalyst switches, and PIX devices.
This preface describes who should read User Guide for ACL Manager and
outlines the document conventions used in this manual.
Audience
This publication is written for network operators, network administrators, and
system administrators. To use the ACL Manager application, you should have a
basic understanding of operation, management and the configuration of your
network. You should understand the basic ACL structure and configuration and
the concept of network and service definitions.
Conventions
This document uses the following conventions:

Item: Convention
Commands and keywords: boldface font
Variables for which you supply values: italic font
Displayed session and system information: screen font
Information you enter: boldface screen font
Variables you enter: italic screen font
Menu items and button names: boldface font
Selecting a menu item in paragraphs: Option > Network Preferences
Selecting a menu item in tables: Option > Network Preferences

Note: Means reader take note. Notes contain helpful suggestions or references to
material not covered in the publication.
Caution: Means reader be careful. In this situation, you might do something that could
result in equipment damage or loss of data.
Product Documentation
Note We sometimes update the printed and electronic documentation after original
publication. Therefore, you should also review the documentation on Cisco.com
for any updates.
Table 1 describes the product documentation that is available.

Table 1 Product Documentation

Document Title / Available Formats

Release Notes for ACL Manager 1.6
  Printed document that was included with the product.
  On Cisco.com:
    a. Log into Cisco.com.
    b. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/aclm_1_x/1_6/index.htm

Installation Guide for ACL Manager
  PDF on the product CD-ROM.
  On Cisco.com:
    a. Log into Cisco.com.
    b. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/aclm_1_x/1_6/index.htm
  Printed document available by order (part number DOC-7816006=).¹

User Guide for ACL Manager
  PDF on the product CD-ROM.
  On Cisco.com:
    a. Log into Cisco.com.
    b. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/aclm_1_x/1_6/index.htm
  Printed document available by order (part number DOC-7816005=)

Supported Devices for ACL Manager
    1. Log into Cisco.com.
    2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/fam_prod/acl_mgr/aclm_1_x/1_6/index.htm

Context-sensitive online help
  Select an option from the navigation tree, then click Help.
  Click the Help button in the dialog box.

1. See "Obtaining Documentation."

Related Documentation
Note We sometimes update the printed and electronic documentation after original
publication. Therefore, you should also review the documentation on Cisco.com
for any updates.
Table 2 describes the additional documentation that is available.

Table 2 Related Documentation

Document Title / Available Formats

Release Notes for CiscoWorks Common Services 2.2 (Includes CiscoView 5.5) on Windows¹
  On Cisco.com:
    1. Log into Cisco.com.
    2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm

Installation and Setup Guide for CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Solaris
  On Cisco.com:
    1. Log into Cisco.com.
    2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm

Installation and Setup Guide for CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Windows
  On Cisco.com:
    1. Log into Cisco.com.
    2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm

CiscoWorks Common Services User Guide 2.2
  On Cisco.com:
    1. Log into Cisco.com.
    2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/index.htm

Release Notes for Resource Manager Essentials 3.5 on Windows
  On Cisco.com:
    1. Log into Cisco.com.
    2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm

Installation and Setup Guide for Resource Manager Essentials 3.5 on Solaris
  On Cisco.com:
    1. Log into Cisco.com.
    2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm

Installation and Setup Guide for Resource Manager Essentials 3.5 on Windows
  On Cisco.com:
    1. Log into Cisco.com.
    2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm

User Guide for Resource Manager Essentials 3.5
  On Cisco.com:
    1. Log into Cisco.com.
    2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm

Supported Device Table for Resource Manager Essentials 3.5
  On Cisco.com:
    1. Log into Cisco.com.
    2. Go to: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000e/e_3_x/3_5/index.htm

1. CiscoView 5.5 and Package Support Updater information in this document is not applicable to the ACL Manager 1.6 release.

Additional Information Online
Your application might support incremental device updates (IDUs). An IDU is a
software package that enables an application to support new devices. An IDU
might also contain bug fixes. You can download IDUs and their Readme files by
logging into Cisco.com.
Device packages are released cumulatively; that is, new device packages contain
the contents of any previous packages.
To determine which packages are installed on your CiscoWorks Server, select
Server Configuration > About the Server > Applications and Versions.
You can also obtain any published patches from the download site.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco
also provides several ways to obtain technical assistance and other technical
resources. These sections explain how to obtain technical information from Cisco
Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at
this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
Registered Cisco.com users (Cisco direct customers) can order Cisco product
documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/index.shtml
Nonregistered Cisco.com users can order documentation through a local
account representative by calling Cisco Systems Corporate Headquarters
(California, USA) at 408 526-7208 or, elsewhere in North America, by
calling 800 553-NETS (6387).
Documentation Feedback
You can submit e-mail comments about technical documentation to
You can submit comments by using the response card (if present) behind the front
cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco
service contracts, the Cisco Technical Assistance Center (TAC) provides
24-hour-a-day, award-winning technical support services, online and over the
phone. Cisco.com features the Cisco TAC website as an online starting point for
technical assistance. If you do not hold a valid Cisco service contract, please
contact your reseller.
Cisco TAC Website
The Cisco TAC website provides online documents and tools for troubleshooting
and resolving technical issues with Cisco products and technologies. The Cisco
TAC website is available 24 hours a day, 365 days a year. The Cisco TAC website
is located at this URL:
http://www.cisco.com/tac
Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID
and password. If you have a valid service contract but do not have a login ID or
password, register at this URL:
http://tools.cisco.com/RPF/register/register.do
Opening a TAC Case
Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases.
(P3 and P4 cases are those in which your network is minimally impaired or for
which you require product information.) After you describe your situation, the
TAC Case Open Tool automatically recommends resources for an immediate
solution. If your issue is not resolved using the recommended resources, your case
will be assigned to a Cisco TAC engineer. The online TAC Case Open Tool is
located at this URL:
http://www.cisco.com/tac/caseopen
For P1 or P2 cases (P1 and P2 cases are those in which your production network
is down or severely degraded) or if you do not have Internet access, contact Cisco
TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2
cases to help keep your business operations running smoothly.
To open a case by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete listing of Cisco TAC contacts, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
TAC Case Priority Definitions
To ensure that all cases are reported in a standard format, Cisco has established
case priority definitions.
Priority 1 (P1): Your network is down or there is a critical impact to your
business operations. You and Cisco will commit all necessary resources around
the clock to resolve the situation.
Priority 2 (P2): Operation of an existing network is severely degraded, or
significant aspects of your business operation are negatively affected by
inadequate performance of Cisco products. You and Cisco will commit full-time
resources during normal business hours to resolve the situation.
Priority 3 (P3): Operational performance of your network is impaired, but most
business operations remain functional. You and Cisco will commit resources
during normal business hours to restore service to satisfactory levels.
Priority 4 (P4): You require information or assistance with Cisco product
capabilities, installation, or configuration. There is little or no effect on your
business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is
available from various online and printed sources.
Cisco Marketplace provides a variety of Cisco books, reference guides, and
logo merchandise. Go to this URL to visit the company store:
http://www.cisco.com/go/marketplace/
The Cisco Product Catalog describes the networking products offered by
Cisco Systems, as well as ordering and customer support services. Access the
Cisco Product Catalog at this URL:
http://cisco.com/univercd/cc/td/doc/pcat/
Cisco Press publishes a wide range of general networking, training and
certification titles. Both new and experienced users will benefit from these
publications. For current Cisco Press titles and other information, go to Cisco
Press online at this URL:
http://www.ciscopress.com
Packet magazine is the Cisco quarterly publication that provides the latest
networking trends, technology breakthroughs, and Cisco products and
solutions to help industry professionals get the most from their networking
investment. Included are networking deployment and troubleshooting tips,
configuration examples, customer case studies, tutorials and training,
certification information, and links to numerous in-depth online resources.
You can access Packet magazine at this URL:
http://www.cisco.com/packet
iQ Magazine is the Cisco bimonthly publication that delivers the latest
information about Internet business strategies for executives. You can access
iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
Internet Protocol Journal is a quarterly journal published by Cisco Systems
for engineering professionals involved in designing, developing, and
operating public and private internets and intranets. You can access the
Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
Training: Cisco offers world-class networking training. Current offerings in
network training are listed at this URL:
http://www.cisco.com/en/US/learning/index.html
Chapter 1 ACL Manager Overview
ACL Manager helps you manage Access Control Lists (ACLs) on Cisco routers
running IOS, Catalyst switches running Catalyst OS, and PIX devices running
PIX OS. It presents a user-friendly graphical user interface that allows you to
concentrate on the security of your network without learning the complex syntax
of ACLs.
ACL Manager allows you to easily address, solve, and reduce configuration
problems related to ACLs.
These topics introduce you to some of the concepts and features of ACL Manager:
ACL Terms and Definitions
What is ACL Manager?
ACL Manager Tools
ACL Manager Privilege Levels
ACL Terms and Definitions
Access Control Entry (ACE): An Access Control Entry (ACE) is an individual
permit or deny statement within an Access Control List (ACL).
Each ACE includes an action element (permit or deny) and a filter element
based upon criteria such as source address, destination address, protocol,
protocol-specific parameters, and so on.
Access Control List (ACL, ACL Definition): An Access Control List (ACL)
consists of one or more Access Control Entries (ACEs) that collectively define the
network traffic profile. This profile can then be referenced by IOS, Catalyst OS,
or PIX OS features such as traffic filtering, priority or custom queuing, dynamic
access control, encryption, Telnet access, and so on.
The generic term ACL refers to IOS ACLs, VLAN ACLs, and PIX ACLs.
Wherever the term VACL is used, it applies only to VLAN ACL. Wherever the
term IOS ACL is used, it applies only to Router ACL. Wherever the term PIX ACL
is used, it applies only to an ACL on a PIX device.
ACL Manager Entity: A generic term used in ACL Manager for ACEs, ACLs,
ACL Uses, Time Ranges, Templates, Networks, Network Classes, Services and
Service Classes.
ACL Template (Template): A named set of ACEs. Templates can be inserted into
ACLs (see Template Include ACE on page 1-3). Templates can include other
templates.
ACL Use: ACL Use statements in a device configuration utilize or reference an
ACL for some purpose. There are over 50 possible purposes, which include, for
example: IP packet filtering, line access, traffic shaping, IP multicast rate
limiting, SNMP server, and so on.
ACL Use Modes and Contexts: ACLs can be used in various IOS configuration
modes: global, router, route-map, crypto-map, line, and interface.
Except for global, the configuration modes have named contexts within which
ACL Use statements can be created in IOS. The contexts for line mode are the
actual vtys (for example, console, vty 0, vty 1, and so on). The contexts for
interface mode are interface names (for example, Serial 0, Ethernet 0,
TokenRing 0, and so on).
ACL Manager allows you to create Use statements only for line, interface and
global modes. ACL Manager allows you to apply these statements only for line
access, packet filtering, and SNMP server access controls. VACLs can be used
only for packet filtering and redirection on VLANs. For VACL Uses, the mode is
VLAN and the contexts are the VLANs defined on the switch.
Device View: A set of devices grouped according to common attributes or
user-defined characteristics. You can use views to monitor groups of devices.
IOS ACLs: Also known as Router ACLs. They are used in routers for packet
filtering on interfaces, line access, SNMP access, route maps, and other purposes.
Logical View: An abstract or high-level view of ACE statements in an ACL. The
logical view could show ACEs using service and network class definitions,
template include statements and comments.
Network: A network is a named IP address and mask combination. It is a subnet
specification used in the source and destination fields of ACE statements.
Network Class: A network class is a named set of IP addresses, hostnames, IP
address ranges, or networks that ACL Manager allows you to use in ACE source
or destination fields.
Out-of-band Change: Out-of-Band (OOB) changes are the ACL-related changes
that have been made to the device configuration outside ACL Manager, directly
on the device.
Physical View: A low-level view of ACE statements in an ACL. The physical
view maps one-to-one with the IOS, Catalyst OS, or PIX OS commands
corresponding to the ACE statements.
PIX ACLs: PIX ACLs are similar to Router/IOS ACLs in terms of their
definition, but they are used by PIX devices to access control packets.
Service: Services are named TCP or UDP ports that can be used in individual
ACEs to provide a specification of the network traffic to be matched by filter
criteria.
Service Class: A service class consists of named port range specifications that
ACL Manager allows you to use in ACE port specification fields.
Template: See ACL Template on page 1-2.
Template Include ACE: A special ACE that proxies for, or represents, the set of
ACEs corresponding to the template.
View: See Device View on page 1-2.
VLAN Access Lists (VACLs): VACLs are similar to Router/IOS ACLs in terms
of their definition, but they are used by Catalyst 6000 family switches to access
control all packets they switch, including packets bridged within a VLAN.
What is ACL Manager?
The ACL Manager application is designed for the experienced network
administrator who already understands the structure and uses of ACLs. It allows
you to create, modify, and deploy ACLs to multiple devices through a Windows
Explorer-type interface. ACL Manager supports ACLs for:
IOS releases 10.3 through 12.2
CatOS releases 5.3 through 7.6
PIXOS releases 5.1 through 6.3
Using ACL Manager, you can create ACL uses for traffic filtering, line access, and
SNMP server access. Although you cannot create all types of ACL uses,
ACL Manager recognizes and tracks all existing types of ACL uses (such as
router, route-map, and crypto-map). This means that if you rename an ACL that
is referenced in uses other than traffic filtering or line access, the use statement is
updated with the new ACL name.
ACL Manager allows comments to be associated with an ACL or ACE, so that you
can audit and track the changes on an ACL or ACE.
ACL Manager Components
ACL Manager maintains a device model with attributes relevant to ACL
management for managed devices (routers, switches and PIX devices). The device
model is initialized by obtaining configuration files from Config Archive and
parsing relevant statements.
ACL Manager comprises a GUI that is integrated with the CiscoWorks desktop.
This split-panel interface provides the means to create, edit, and view ACLs.
When you select a node in the left pane, the right pane displays the contents of the
node and its attributes. The display in the right pane is context sensitive.
The ACL Manager GUI also provides access to editing tools and other functions,
such as the Template Manager, Class Manager, Policy Verification Wizard, ACE
Validator, Use Wizard, ACL Downloader, Optimizer, and Hits Optimizer. See
ACL Manager Tools.
Benefits of ACL Manager
Network problems are frequently introduced when devices are configured, and
fixing such problems is both expensive and time-consuming. Also, since
router/switch configurations are interdependent, network complexity increases
exponentially with the number of routers, and configuration problems become
harder to detect and avoid.
The result is either operational or latent configuration problems. ACL Manager
solves these problems by providing inventory and change audit features that
simplify the processes for setting up and changing device configurations.
In addition, ACL construction must be extremely precise. This is because an
incorrect filter can cause a security problem or incapacitate a network. Writing
filters is time-consuming. It might be necessary to write many lines of IOS,
Catalyst OS, or PIX OS commands to configure coexisting network filters for
different protocols. With ACL Manager's GUI, you need not know IOS, Catalyst
OS, or PIX OS syntax to create ACLs.
ACL Manager:
Provides a uniform interface that insulates the user from any differences in
ACL features for the supported IOS, Catalyst OS, and PIX OS versions.
Is easy to use and ensures high productivity for the user.
Supports Secure Sockets Layer (SSL) for secure client to server
communication.
Supports Secure Shell (SSH) for secure server to device communication.
Maintains versions of ACL Manager entities.
Reduces device configuration time dramatically.
Reduces installation costs.
Provides greater security through a role-based model.
Enables controlling and tracking of all changes made to ACLs, ACL uses,
templates, etc.
Allows monitoring of the system by logging all the changes made during a
user session.
Enables easy access to information about devices and the changes made to
them, through the reports generation feature.
Easily detects changes directly applied to device configuration (using telnet,
etc.)
Is integrated with Resource Manager Essentials and uses the Config Archive,
Inventory, Change Audit Service, and Transport facilities.
Provides a browser-based GUI and integrates the task flow with the Resource
Manager Essentials GUI.
Allows you to fully exploit the ACL features in IOS, Catalyst OS, and PIX
OS.
Reduces operation time when deploying ACLs to several devices.
Provides for automated deployment of ACLs.
Enables you to apply VACLs on Private VLANs.
Allows novice operators to safely deploy previously set up, complex ACLs
through flexible templates. Templates also allow users to establish policies
and to standardize on ACL uses.
Supports policy verification. Enables you to create and enforce policies. (A
policy is a set of rules that specifies tasks (ACEs) that you must include in the
ACL.)
Enables you to perform a check for the validity of ACEs within an ACL,
VACL, or a template.
Removes the drudgery of entering ACL configurations repeatedly on multiple
devices by providing point-and-click copy and paste functionality.
Minimizes human error in ACL creation by reducing the necessity of creating
multiple ACEs. It does this by allowing the use of classes.
Improves network throughput by enabling ACL optimization.
Permits the use of Domain Name System (DNS) names in ACE source and
destination fields. ACL Manager will automatically perform a DNS look-up
and convert these fields to the appropriate IP addresses.
ACL Manager Functionality
ACL Manager comprises a suite of modules and tools designed to simplify the
management of ACLs and ACL Use statements. The suite contains five major
modules: ACL Manager, Template Manager, Class Manager, Use Wizard, and
ACL Downloader. See ACL Manager Tools for a description of the tools
provided by ACL Manager.
The ACL Manager suite is integrated with the Resource Manager Essentials
Config Archive and Inventory applications. It uses device information from
Inventory, and reads the configuration contained in the Config Archive to create
a model of the ACLs and ACL Use statements in the device configuration.
The ACL Manager module provides a tree view to display this information in a
Windows Explorer-type GUI. When you change device ACLs and ACL Use
statements, ACL Manager generates the appropriate IOS, Catalyst OS, or PIX OS
commands (config deltas) to implement the configuration changes.
A download mechanism is provided to enable you to apply the configuration
changes to the appropriate devices. The Config Archive is updated automatically
after a successful ACL Manager download.
ACL Manager uses Java Plug-in. The plug-in improves the performance of
ACL Manager, and it is provided with the CiscoWorks application. (See the topic
Installing the Java Plug-in in Chapter 3 of the User Guide for CiscoWorks
Server).
Some of the tasks that the ACL Manager suite enables you to perform include:
Identifying when an ACL was last modified and applied (Other Attributes
in Chapter ).
Navigating around devices to see which ACLs are defined and where they are
used, even ACL Uses that are not supported for creation by ACL Manager
are listed (Viewing Existing ACLs in Chapter 4).
Creating new ACLs (Creating ACLs in Chapter 4).
Editing an existing ACL and returning it to its device (Editing ACLs in
Chapter 4).
Reordering ACEs (Reordering ACEs in Chapter 4).
Naming, renaming, and numbering ACLs. Making the appropriate changes in
the rest of the configuration file (Deleting ACLs in Chapter 4).
Saving an ACL as a template, and associating it with a logical name (Editing
ACLs in Chapter 4).
Creating an alias for an ACL and using it in a device where named ACLs
are not supported (Editing ACLs in Chapter 4).
Naming networks and services and creating classes containing host
addresses, address ranges, networks, or other classes, and using them in ACL
definitions (Using the Class Manager in Chapter 5).
Creating and editing templates (Using the Template Manager in Chapter 6).
Applying ACL templates or ACLs for packet filtering or line access on
devices (Defining ACL Uses in Chapter 12).
Deploying ACLs on a group of devices (Scheduling Downloads in
Chapter 15).
Scheduling and downloading modified ACL and ACL Use statements
and/or changes in meta-information, such as comments and template include
statements, to devices (Scheduling Downloads in Chapter 15).
Optimizing ACL statements to eliminate redundancies, compressing entries,
and adjusting order of ACEs for maximum performance (Optimizing ACLs
in Chapter 16).
ACL Manager Tools
ACL Manager provides the following tools for ACL development:
Class Manager: Enables you to create and edit services, service classes,
networks, and network classes. You can then use these definitions in ACE
source and destination fields, saving you the trouble of entering multiple IOS,
Catalyst OS, or PIX OS commands covering all possible combinations of
source and destination field components (see Chapter 5, Using the Class
Manager).
Template Manager: Enables you to create and edit ACL templates (see
Chapter 6, Using the Template Manager).
Use Wizard and its variants: Enable you to define ACL uses (see
Chapter 12, ACL Manager Use Wizard).
Job Browser: Displays the status of download jobs (see Chapter 15,
Scheduling and Downloading).
Downloader: Enables you to schedule and download the modified ACL and
ACL Use statements and/or changes in meta-information such as comments,
and template include statement creations, to devices (see Chapter 15,
Scheduling and Downloading).
Optimizer: Enables you to examine an ACL to see if optimization is possible
after an ACL has been created or edited (see Chapter 16, Optimizing
ACLs).
Hits Optimizer: Reorders ACEs within an ACL in accordance with the
hit-rate (see Chapter 16, Optimizing ACLs).
Diff Viewer: Displays the configuration changes you have made to ACLs
(see Chapter 16, Optimizing ACLs).
ACL Manager Privilege Levels
ACL Manager incorporates the privilege levels defined by Resource Manager
Essentials.
ACL Manager tasks require various privilege levels, and your ability to perform
these tasks depends on your assigned privilege level. You should contact your
system administrator to find out your privilege level and which tasks you can
access.
ACL Manager tasks are usually performed with network operator or network
administrator privileges. You can view the tasks that can be performed at each
level by going to the CiscoWorks desktop and selecting
Server Configuration > Setup > Security > Permission Reports.
Level  Directory  Description
0      HD         Help Desk
1      AP         Approver
2      NO         Network Operator
4      NA         Network Administrator
8      SA         System Administrator
Privilege Levels and Tasks
This table describes the various privilege levels and their respective tasks:
Privilege Level        Task
Network Operator       View ACLs
                       Use ACL Templates
                       Browse Download Jobs: browse and cancel download jobs
Approver               Approve/Reject Job Downloads
                       View ACLs
Network Administrator  Edit ACLs: create and edit ACLs
                       Schedule Downloads
                       Edit ACL Templates
                       Edit Class Definitions
                       Reset Hit Counter
                       View ACLs
Chapter 2 ACL Definitions and Uses
This chapter explains how to define and use ACLs and ACL templates and describes
ACL use. The topics covered are:
Creating ACLs and Templates
ACL and Template Attributes
ACL Properties (Use Details)
ACL Uses
Creating ACLs and Templates
You can create ACLs in several ways:
Using a combination of the ACL Editor and the ACE Editor.
Using the cut, copy, and paste features; by cutting or copying ACLs or ACEs
from one device or ACL and then pasting them to other devices or ACLs.
Using the import feature to import ACLs. ACL Manager allows you to import
Cisco device configurations that conform to the IOS, Catalyst OS and PIX
formats, from an external source.
Similarly, there are several ways you can create templates:
Using the Template Manager in the same way that you create an ACL using
the Template Editor and the ACE Editor.
Saving portions of an ACL (a set of ACEs) as a template.
Saving an existing ACL as a template.
Importing ACEs and saving them as a template.
ACL and Template Attributes
Each ACL or template has the following attributes:
Attribute    Description
Name/Number  Name or number of the ACL (IOS or PIX), or the ACL template. For a VACL, number is not applicable.
Version      Version and the state of the ACL. For example, Checked In, Checked Out.
Type         Associated ACL type (see Name, Number, and Type Attributes).
After you start ACL Manager (see Chapter 3, Getting Started), you can use the
following procedure to view the ACL definitions for a particular device.
To view ACLs and their attributes:
Procedure
Step 1 Expand the Devices folder in the ACL Manager Main Window.
Step 2 Select the device, and then select ACL Definitions.
The ACLs and their attributes appear in the right pane (see Figure 2-1).
Figure 2-1 Displaying ACL Definitions
Name, Number, and Type Attributes
Each ACL must be identified by a name or a number. A number used to identify
an ACL must be within a specified range of numbers that is valid for the ACL type
(see the following table).
IOS and PIX ACLs can be identified by either a name or a number. VACLs are
identified by name only.
You have the option of letting the ACL Manager select a number for you (the
Autonumber feature). If you select Autonumber, ACL Manager uses the first
available number in the appropriate range to identify the ACL.
ACL Type               Range
IP Standard            1 to 99 (also 1300 to 1399 in some IOS versions).
IP Extended            100 to 199 (also 2000 to 2699 in some IOS versions).
Rate Limit MAC         1 to 99
Rate Limit Precedence  100 to 199
Named ACLs are not supported on some versions of device IOS. In that case,
the ACL name is shown with an automatically generated number appended to the
name and enclosed in parentheses.
For Rate Limit ACLs, ACL Manager distinguishes the ACL from a standard IP
ACL by appending the string rate-limit to the number.
Other Attributes
The Version attribute is also displayed in the ACL Manager Main Window,
besides the Name/Number and the Type attributes. The Version column of the
window displays the versions of the ACLs in the ACL definitions folder and also
their state, that is, whether the ACLs are checked in, checked out, etc.
ACL Properties (Use Details)
Certain elements in ACL Manager, such as devices, ACLs, and router interfaces,
have associated properties. For an ACL, the properties that you see are actually
its Use details, as shown in the following table:
Property                 Description
ACL Uses                 Uses defined for the ACL.
Use Context              Context for the Use.
IOS/Catalyst OS Command  IOS/Catalyst OS command that implements the Use.
Description              Description of the Use, taken from the IOS/Catalyst OS reference manual. You cannot change this description.
After you start ACL Manager (see Chapter 3, Getting Started), follow this
procedure to view the ACL properties for a particular device.
Procedure
Step 1 Expand the Devices folder in the ACL Manager Main Window.
Step 2 Select the device, then expand ACL Definitions.
Step 3 Right-click on the required ACL, then select Properties.
The ACL Properties window appears (see Figure 2-2).
Figure 2-2 ACL Properties Window: Supported ACL Uses
Unsupported ACL Uses are shown as OTHER. (See Figure 2-3)
Figure 2-3 ACL Properties Window: Unsupported ACL Uses
Tip: You can also view the properties by selecting the ACL to be examined and then
selecting the toolbar button or View > Properties from the ACL Manager Main
Menu.
ACL Uses
You can define ACL Uses for line access, packet filtering, SNMP community
access, SNMP TFTP server, and VLAN packet filtering.
You can view ACL Uses of other types, such as router, route-map, and crypto-map
using ACL Manager.
Use Modes and Contexts
ACL Manager detects the Use modes for ACLs in a selected device. Depending
on which Uses ACL Manager detects, the following modes can appear when you
select ACL Uses in the left pane:
Global
Router
Route Map
Crypto Map
Line
Interface
VLAN
These modes correspond to router configuration modes in IOS. Except for
configuration mode global, all Use modes can have one or more Use contexts
associated with them. Use contexts for line and interface are the actual vtys or
lines and interfaces existing on the router.
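An added example (not from this guide and not ACL Manager's own code) that ties the Use modes and contexts above to the ACL Type / Range table under Name, Number, and Type Attributes: it reads a constructed IOS configuration, lists each ACL Use by mode and context, classifies numbered ACLs by range, and reports ACLs that are referenced but never defined or defined but never used. The function names, the sample configuration, and the restriction to three kinds of Use statement and to the IP Standard and IP Extended rows are assumptions of this example.

```python
import re

# Number ranges from the guide's ACL Type / Range table (IP rows only).
# Assumption: the device's IOS version supports the expanded ranges.
ACL_RANGES = {
    "IP Standard": [(1, 99), (1300, 1399)],
    "IP Extended": [(100, 199), (2000, 2699)],
}

# Use statements recognised here: (mode, purpose, pattern capturing the ACL).
USE_PATTERNS = [
    ("Interface", "packet filtering",
     re.compile(r"^ip access-group (\S+) (?:in|out)$")),
    ("Line", "line access",
     re.compile(r"^access-class (\S+) (?:in|out)$")),
    ("Global", "SNMP community access",
     re.compile(r"^snmp-server community \S+(?: (?:ro|rw))? (?!(?:ro|rw)$)(\S+)$",
                re.IGNORECASE)),
]

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 101 permit tcp any host 198.51.100.10 eq 443
access-list 101 deny ip any any
access-list 1300 permit 203.0.113.0 0.0.0.255
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
snmp-server community CONSTRUCTED-STRING RO 10
interface Ethernet0
 ip access-group 101 in
 ip access-group 120 out
interface Serial0
 ip access-group MGMT-IN in
line vty 0 4
 access-class 10 in
"""

def acl_type(number):
    """Return the ACL type whose range contains number, or None."""
    for kind, ranges in ACL_RANGES.items():
        if any(lo <= number <= hi for lo, hi in ranges):
            return kind
    return None

def autonumber(kind, used):
    """Autonumber as the guide describes it: first free number in the range."""
    for lo, hi in ACL_RANGES[kind]:
        for n in range(lo, hi + 1):
            if n not in used:
                return n
    raise ValueError(f"no free number left for {kind}")

def parse(config):
    """Return ({acl: type}, [(mode, context, purpose, acl), ...])."""
    defined, uses = {}, []
    mode, context = "Global", None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # top-level command ends any sub-mode
            mode, context = "Global", None
            if m := re.match(r"^(interface|line) (.+)$", line):
                mode, context = m.group(1).capitalize(), m.group(2)
            elif m := re.match(r"^access-list (\d+) ", line):
                defined[m.group(1)] = acl_type(int(m.group(1)))
            elif m := re.match(r"^ip access-list (standard|extended) (\S+)$", line):
                defined[m.group(2)] = "IP " + m.group(1).capitalize()
        for use_mode, purpose, pattern in USE_PATTERNS:
            m = pattern.match(line)
            if m and use_mode == mode:
                uses.append((mode, context, purpose, m.group(1)))
    return defined, uses

def audit(config):
    """Cross-check ACL definitions against the Use statements that cite them."""
    defined, uses = parse(config)
    referenced = {acl for _, _, _, acl in uses}
    used_numbers = {int(a) for a in defined if a.isdigit()}
    return {
        "defined": defined,
        "uses": uses,
        "undefined": sorted(referenced - set(defined)),  # used, never defined
        "unused": sorted(set(defined) - referenced),     # defined, never used
        "next_extended": autonumber("IP Extended", used_numbers),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On IOS, an interface access-group that names an ACL with no definition filters nothing, so entries in the undefined list deserve the first look.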
Use this procedure to view ACL Use information for a particular device:
Procedure
Step 1 Expand the Devices folder in the ACL Manager Main Window, select the device,
then expand ACL Uses.
Step 2 Expand the mode (for example, Interface).
Step 3 Select the specific context to be displayed (for example, Ethernet0).
Information about the ACL Use appears in the right pane (see Figure 2-4).
Figure 2-4 Displaying ACL Use Mode: Interface
The attributes of the ACL Use information are:
Attribute    Description
ACLs         ACL used in this context.
IOS Command  IOS command that implements the use.
Description  Description of the Use, taken from the IOS reference manual. You cannot change this description.
Chapter 3 Getting Started
ACL Manager provides you with a launch point for performing many of the tasks
involved with ACL management.
These topics describe how to get started with ACL Manager:
Before You Begin
ACL Manager Functions
Starting ACL Manager
Printing
Navigating in the ACL Manager Main Window
Using the Device State Icons
ACL Manager Menus
Using the Toolbar
Using Keyboard Shortcuts
Performing a Complete Workflow Cycle
Managing Out-of-Band Changes to Device Configuration
Backing Up and Restoring ACL Manager Data
Before You Begin
Before you can begin using the ACL Manager applications or tools, you must
ensure that:
ACL Manager server has been installed on a server machine with RME
already installed (see Setting Up Resource Manager Essentials).
The RME Inventory application has been updated with device information for
those devices whose ACLs you intend to manage with ACL Manager.
Enable the Role-based Access Control feature, if required. (For details about
how to enable this feature, see the Installation Guide for ACL Manager).
Note We strongly recommend that you become familiar with the discussion of ACL
Terms and Definitionsin Chapter 1before proceeding further.
Setting Up Resource Manager Essentials
You must have Resource Manager Essentials (RME) installed and running in
order to use ACL Manager. In addition, you must populate the device inventory
with those devices to be managed by ACL Manager.
To set up Resource Manager Essentials:
Procedure
Step 1 Install and start RME.
See the appropriate RME installation guide for details.
Step 2 From the CiscoWorks desktop, select Resource Manager Essentials >
Administration > Inventory > Add Devices to populate your network inventory
with the devices to be managed by the ACL Manager.
Step 3 Ensure that Java, JavaScript, and Accept all cookies are enabled in your browser
settings.
If these settings are not enabled, you will not be able to log in to RME.
ACL Manager Functions
The ACL Manager functions are located in the ACL Manager drawer on the
CiscoWorks desktop. See Figure 3-1.
Figure 3-1 ACL Manager
The options available within the ACL Manager drawer are:
- Edit ACLs
- Edit ACL Templates
- Edit Class Definition
- Out-of-Band Changes
- Job Management
- ACL Manager Reports
- Administration
Each ACL Manager selection launches an application or performs an operation
from the set of tools provided by ACL Manager.
Table 3-1 describes each task, the associated tool, and the launch point from the
ACL Manager drawer on the CiscoWorks desktop:

Table 3-1

| Task | Tool | ACL Manager Launch Point |
|---|---|---|
| Creating and editing ACLs | ACL Manager | Edit ACLs |
| Creating, editing, and viewing ACL templates | Template Manager | Edit ACL Templates |
| Creating services, service classes, networks and network classes | Class Manager | Edit Class Definition |
| Listing Out-of-Band changes | ACL Manager | Out-of-Band Changes |
| Handling Out-of-Band changes | ACL Manager | Edit ACLs |
| Managing ACL Manager jobs (using the Job Browser or the Pending Marks Browser) | ACL Manager | Job Management |
| Generating ACL Manager reports | ACL Manager | ACL Manager Reports |
| Administering ACL Manager (resetting the hit counter). If Role-based Access Control and Change Approval have been enabled, the administrative tasks associated with these features also appear here. | ACL Manager | Administration |

Table 3-2 describes the subtasks, and the launch points, from the ACL Manager
drawer on the CiscoWorks desktop:

Table 3-2

| Subtask | Navigation Path |
|---|---|
| Browsing, deleting, and resubmitting jobs | ACL Manager > Job Management > Job Browser |
| Viewing changed entities that are marked for downloading, scheduling downloads of marked entities | ACL Manager > Job Management > Pending Marks Browser |
| Generating Time Range Changes report | ACL Manager > ACL Manager Reports > Time Range Changes |
Table 3-2 (continued)

| Subtask | Navigation Path |
|---|---|
| Generating Out-of-Band Changes report | ACL Manager > ACL Manager Reports > Out-of-Band Changes |
| Resetting device hit counters before using Hits Optimizer | ACL Manager > Administration > Reset Hit Counter |

Table 3-3 provides the launch points for the Role-based Administration task and
its subtasks, from the ACL Manager drawer on the CiscoWorks desktop.
Note: These tasks and sub-tasks appear within the ACL Manager drawer only if you
have enabled Role-based Access Control at the time of installing ACL Manager.
To enable Role-based Access Control, see the Installation Guide for ACL
Manager.

Table 3-3

| Role-based Administration Task | Navigation Path |
|---|---|
| Role-based Administration | ACL Manager > Administration > Rolebased Administration. |

| Role-based Administration Subtask | Navigation Path |
|---|---|
| User Management Subtask | |
| Creating user groups | ACL Manager > Administration > User Management > Create User Group |
| Modifying user groups | ACL Manager > Administration > User Management > Modify User Group |
| Deleting user groups | ACL Manager > Administration > User Management > Delete User Group |
| Viewing all user groups | ACL Manager > Administration > User Management > Show All User Groups |
| Device Management Subtask | |
| Creating device groups | ACL Manager > Administration > Device Management > Create Device Group |
| Modifying device groups | ACL Manager > Administration > Device Management > Modify Device Group |
Table 3-3 (continued)

| Role-based Administration Subtask | Navigation Path |
|---|---|
| Deleting device groups | ACL Manager > Administration > Device Management > Delete Device Group |
| Viewing all device groups | ACL Manager > Administration > Device Management > Show All Device Groups |
| Task Management Subtasks | |
| Assigning or modifying tasks | ACL Manager > Administration > Tasks Management > Assign/Modify Tasks |

Table 3-4 provides the launch points for the Change Approval task and its
subtasks, from the ACL Manager drawer on the CiscoWorks desktop.
Note: These tasks and sub-tasks appear within the ACL Manager drawer only if you
have enabled Change Approval at the time of installing ACL Manager.
To enable Change Approval, see the Installation Guide for ACL Manager.

Table 3-4

| Change Approval Task | Navigation Path |
|---|---|
| Change Approval | ACL Manager > Administration > Change Approval |

| Change Approval Subtask | Navigation Path |
|---|---|
| Approving or rejecting changes to ACL Manager entities | ACL Manager > Administration > Change Approval > Approve Reject Changes |
| Viewing processing changes | ACL Manager > Administration > Change Approval > Processed Changes |
| Configuring change approval | ACL Manager > Administration > Change Approval > Configure Change Approval |
Table 3-5 provides the launch points for the Reports for Change Approval and
Role-Based Access Control, from the ACL Manager drawer on the CiscoWorks
desktop.
Note: These ACL Manager Reports appear within the ACL Manager drawer only if you
have enabled Role-based Access Control or Change Approval at the time of
installing ACL Manager.
To enable Role-based Access Control or Change Approval, see the Installation
Guide for ACL Manager.

Table 3-5

| Task | Navigation Path |
|---|---|
| Generating Change Approval Status report | ACL Manager > ACL Manager Reports > Change Approval Status |
| Generating Approver Group Mapping report for devices | ACL Manager > ACL Manager Reports > Approver Group Mapping |
| Generating My Task Mapping report | ACL Manager > ACL Manager Reports > My Task Mapping |
| Generating Task Mapping report | ACL Manager > ACL Manager Reports > Task Mapping |
| Generating My User Group Membership report | ACL Manager > ACL Manager Reports > My User Group Membership |
| Generating User Group Membership report | ACL Manager > ACL Manager Reports > User Group Membership |
Starting ACL Manager
ACL Manager uses the Java Plug-in. This plug-in improves the performance of
ACL Manager, and it is provided with the CiscoWorks application (see the topic
Installing the Java Plug-in in Chapter 3 of User Guide for CiscoWorks Server).
To start ACL Manager:
Procedure
Step 1 Select ACL Manager > Edit ACLs.
The ACL Manager Main Window appears (see Figure 3-2).
Figure 3-2 ACL Manager Main Window
Note: In some browser versions, you will get a security warning asking for
permission to install and execute some code from Cisco Systems. Select
Yes to proceed.
The ACL Manager Main Window is a central point within ACL Manager for
managing ACL Manager entities such as ACLs, time ranges, ACL uses, object
groups, etc. You can also store imported entities, view and manage your specific
changes to ACL Manager entities, and resolve Out-of-Band changes. For more
information see Navigating in the ACL Manager Main Window.
Step 2 Navigate to the Root > Devices folder.
Step 3 Right-click on the Devices folder and select Add Device(s) from the pop-up
menu. For more information, see Populating the Devices Folder.
The Device Selector dialog box appears.
Step 4 Select a device view from the Views column, for example, All Devices.
The devices corresponding to the selected view appear in the Devices column.
Step 5 Select the required devices from the Devices column, then click Add.
The devices appear in the Selected Devices column.
Step 6 Click OK.
The selected devices appear in the Devices folder of the ACL Manager Main
Window.
Populating the Devices Folder
You can add devices to your Devices folder using the Add Devices option. You
can select one, many, or all devices from a selected device view. (A view is a
named set of devices.)
You can also populate the Devices folder using the Open Device View option. You
can open a required Device View and get the entire list of devices in that view, in
your Devices folder in the ACL Manager Main Window. You cannot select a
subset of devices from a selected view, using the Open Device View option.
For details see Opening a Device View.
To add devices, in the ACL Manager Main Window:
Procedure
Step 1 Right-click on the Devices folder and select Add Device(s) from the pop-up
menu.
The Device Selector dialog box appears with these options:
- Filter: Allows you to select devices using basic and custom filter criteria.
  - The basic filter criteria allow you to filter by domain name, device type,
    or software version.
  - The custom filtering option allows you to define your own filter criteria.
  - If you check the User Filter option, all future view selections will use the
    current filter settings.
- Previous Selection: Lists previously selected devices.
- All Devices: Lists all managed devices already integrated into the server.
- My Private Views: Lists the private device views that you have created. A
  Private View contains the groups of devices that you had previously saved as
  a Private view. See Saving a Device View.
- Custom Views: Lists the custom device views that you and other users have
  created.
- System Views: Lists pre-defined, dynamic device views (by device
  category).
Step 2 Select a device view from the Views column, for example, My Private Views.
The devices corresponding to the selected view appear in the Devices column.
Step 3 Select all the devices from the view, or a subset of the devices in the view, and
click Add.
The devices appear in the Selected Devices column.
Step 4 Click OK.
The selected devices appear in the Devices folder of the ACL Manager Main
Window.
Deleting Devices
Deleting a device from the Devices folder in the ACL Manager Main Window will
not delete any changes that you may have made to the device. These changes are
stored in the My Changes folder of the ACL Manager Main Window.
To delete a device from the Devices folder:
Procedure
Step 1 Select the device and press the Delete key on your keyboard.
A message appears that deleting the device will not delete your changes:
Deleting the selected devices will not delete your changes. All your
changes are still available in the My Changes folder. Do you want
to continue?
Step 2 Confirm the deletion by clicking OK in the message box.
The device is deleted. However, your changes to the device are stored in the My
Changes folder in the ACL Manager Main Window.
In the My Changes folder, if you select a change made to a deleted device and
select File > Explore from the ACL Manager Main Menu, the deleted device is
restored to the Devices folder.
Saving a Device View
You can save a set of devices in the ACL Manager Main Window, as a private or
custom Device View.
Procedure
Step 1 Select the Devices folder in the ACL Manager Main Window, and right-click on it.
A pop-up menu appears.
Step 2 Select Save As Device View.
The Save As Private/Custom Static Device View dialog box appears.
Step 3 Select the View type: Custom or Private.
- Custom View: View that you or other users can select.
- Private View: View that only you can select.
Step 4 Enter a name for the view.
You can also enter a description for the view.
To overwrite an existing view, select Overwrite an existing view.
Step 5 Click OK.
Opening a Device View
You can open a required Device View and get the entire list of devices in that view,
in your Devices folder in the ACL Manager Main Window.
Procedure
Step 1 Select the Devices folder in the ACL Manager Main Window, and right-click on it.
A pop-up menu appears.
Step 2 Select Open Device View.
The Device Selector dialog box appears.
You can select a view from the following views in the Devices column:
- My Private Views: Lists the device views that you have created. A Private
  View contains the groups of devices that you had previously saved as a Private
  view. See Saving a Device View.
- Custom Views: Lists the custom device views that you and the other users
  have created.
- System Views: Lists pre-defined, dynamic device views (by device
  category).
After you select a view, the devices in the view appear in the Devices column. You
cannot select a subset of devices from a view.
Step 3 Click OK.
All the devices in the view that you selected appear in the Devices folder in the
ACL Manager Main Window.
Navigating in the ACL Manager Main Window
The ACL Manager Main Window is shown in Figure 3-3.
Figure 3-3 ACL Manager Main Window - Folders Expanded
The following table describes the ACL Manager Main Window:
Item Description
Folder (left
pane)
Displays a hierarchy of folders within the Root folder:
My Changes (see My Changes Folder).
Imported Entities (see Imported Entities Folder).
Devices