ACL Manager provides you with a launch point for performing many of the tasks involved with ACL management. You can also perform these tasks by making appropriate selections from the Essentials navigation tree. The following topics describe how to get started with ACL Manager:
Before you can begin using the ACL Manager applications or tools, you must ensure that:
Each ACL Manager selection from Essentials launches an application or performs an operation from the set of tools provided with ACL Manager. The following table describes each task, the associated tool, and the launch point from Essentials:
| Task | Tool | Essentials Launch Point |
|---|---|---|
| Creating and editing ACLs | ACL Manager | Tasks > ACL Management |
| Viewing ACLs; providing an organized view of ACLs and ACL uses in a scenario | ACL Manager | Tasks > ACL Management |
| Creating ACL uses from ACL templates | Use Wizard | Tasks > ACL Management |
| Downloading ACLs and uses to devices | Downloader | Tasks > ACL Management |
| Browsing, deleting, and resubmitting jobs | Job Browser | Tasks > ACL Management |
| Creating, editing, and viewing ACL templates | Template Manager | Admin > ACL Management > Edit Templates |
| Creating services, service classes, networks and network classes | Class Manager | Admin > ACL Management > Edit Classes |
| Resetting device hit counters before using Hits Optimizer | Hits Resetter | Admin > ACL Management > Reset Hit Counter |
| Deleting scenarios | | Tasks > ACL Management |
Additional tools are available from within some of the above applications to assist in performing the main tasks. The following table describes the subtasks and launch points:
| Subtask | Tool | Launch Point |
|---|---|---|
| Creating and editing ACLs and Templates | ACL Editor | ACL Manager, Template Manager |
| Creating and editing ACEs | ACE Editor | ACL Manager, Template Manager |
| Viewing config file differences | Difference Viewer | ACL Manager, Downloader |
| Optimizing ACLs | Optimizer, Hits Optimizer | ACL Manager |
| Browsing templates to include within ACLs | Template Browser | ACL Manager, Template Manager, Template Use Wizard |
| Browsing, deleting, and/or resubmitting jobs | Job Browser | ACL Manager |
You must have Essentials installed and running in order to use ACL Manager. In addition, you must populate the device inventory with those devices to be managed by ACL Manager.
Step 1 Install and start Essentials. Refer to the appropriate Essentials installation manual.
Step 2 Select Admin > Inventory > Add Devices to populate your network inventory with the devices to be managed by the ACL Manager.
Start ACL Manager using the following procedure.
Step 1 Select Tasks > ACL Management > Edit ACLs from the Essentials navigation tree to start ACL Manager (see Figure 3-1). The scenario selection window appears (see Figure 3-2).
Step 2 Select or enter a scenario name. If you are using ACL Manager for the first time, there are no scenario names in either list box.
Step 3 Set the remaining fields for your scenario, as follows:
| Field | Description |
|---|---|
| Scenario Name | Name of this scenario. |
| Global Scenario | Select this check box to make the scenario available for read-only access by all Essentials users. If unchecked, your scenario will not be visible to other Essentials users. |
| Add Devices to Scenario | Select this check box to allow devices to be added to an already existing scenario. |
| Read Config From Device | Select this check box to synchronize the Config Archive with the devices in the scenario (get the configuration file) before starting ACL Manager. |
| Recover Scenario | Select this check box to open the auto-saved version of the scenario instead of the last saved version; a tilde (~) is then appended to the end of the scenario name in the ACL Manager main window. This check box is available only if ACL Manager exited abnormally and detected an auto-save version of the scenario that you are attempting to open. |
| Auto Save Period (in minutes) | Defines how often changes to the scenario are saved. Use the autosave option for a scenario to guard against browser crashes. |
Step 4 Click Next. If you are creating a new scenario, the device selection dialog box is displayed (see Figure 3-3).
Step 5 Select a device view from the Views column, for example, All Devices. The devices corresponding to the selected view will appear in the Devices column.
Step 6 Select the devices for your scenario from the Devices column, then click Finish. The ACL Manager main window is launched (see Figure 3-6).
After your edits are complete with respect to the creation and modification of ACL, ACE, and ACL Use statements, you can save your scenario. You can save the scenario under the name used when you opened the scenario or under a different name.
To save the scenario using the existing name, select File > Save Scenario from ACL Manager.
Use the following procedure to save the scenario under a different name.
Step 1 Select File > Save Scenario As from ACL Manager. The Save As Scenario dialog appears (see Figure 3-4).
Step 2 Enter a new scenario name, then click OK. The scenario is saved with the new name.
Step 3 Enter the following information, then click Save As:
| Field | Description |
|---|---|
| Save Scenario As | Name by which the new scenario will be referred to. The old scenario will still be available. |
| Global Scenario | Select this check box if the new scenario is to be available for read-only access to all other Essentials users. |
You can delete a scenario directly from the Essentials navigation tree using the following procedure.
Step 1 Select Tasks > ACL Management > Delete Scenarios. The Delete Scenarios dialog box appears (see Figure 3-5).
Step 2 Select the scenarios, then click Finish.
The ACL Manager main window is shown in Figure 3-6.
The following table describes the ACL Manager main window:
| Item | Description |
|---|---|
| Folder (left pane) | Shows a hierarchy of items starting with the scenario, the routers in the scenario, and ACLs and ACL use contexts, in expanding and collapsing folders. To expand or collapse a folder, click the + or - icon next to the folder, or double-click the folder. |
| Contents (right pane) | Shows the attributes of any item selected in the folder pane. The contents are empty if there are no attributes associated with the selected item. |
| Status area (bottom left) | Indicates the status of the application. The following status is displayed in this area: |
| Item count area (bottom right) | Shows the number of items contained in the currently selected object: |
| View mode area (bottom center) | Shows the view mode for viewing ACEs. If you are in an ACL context and in physical view mode, the contents pane has a gray background. No editing operations are permitted in physical view mode, except for reordering ACEs. |
To modify the settings for an editable item in the folder pane, select the item and then select an appropriate command from a menu. For convenience, you can right-click some actions to display the options in a popup menu. (See specific tasks for more information.)
The following pull-down menus are available from the ACL Manager main window:
| Menu | Description |
|---|---|
| File | Operations at the scenario level, and other disk file oriented operations such as saving ACLs and saving ACEs as templates. |
| Edit | Operations that change the contents of the active view. |
| View | Operations that affect the active view display. |
| ACL | Operations that are related to ACLs and ACEs. |
| Tools | Tools to assist in the tasks of ACL management. |
| Help | Operations related to online help. |
The following are available from the File menu:
| Selection | Description |
|---|---|
| Open Scenario | Closes the current scenario and brings up a dialog box from which you can select another scenario to open. |
| Close Scenario | Closes the scenario. If the scenario has not yet been saved, you will be prompted to save it. |
| Save Scenario | Saves the changes you made to the open scenario. |
| Save Scenario As | Saves the changes you made to the open scenario in a new scenario. The new scenario will be opened. The old scenario will still be available. |
| Save ACL As | Saves the selected ACL as a template (refer to Chapter 4, "Saving ACLs as Templates"). |
| Save ACE As | Saves the selected ACEs as a template (refer to Chapter 4, "Saving ACEs as a Template"). The selected ACEs are replaced with a single template include ACE. |
| Exit | Exits the ACL Manager. |
The following are available from the Edit menu:
| Selection | Description |
|---|---|
| Undo | Undoes the last edit operation, if possible. Note that some editing operations are irreversible; for example, deleting an ACL use statement, or expanding inline. |
| Cut | Copies the current selection to the paste buffer and deletes it (refer to Chapter 4, "Editing ACLs"). You can select one or more ACLs or ACEs. |
| Copy | Copies the current selection to the paste buffer (refer to Chapter 4, "Editing ACLs"). You can select one or more ACLs or ACEs. |
| Paste | Pastes the contents of the paste buffer in front of the current selection. If there is no current selection, the contents are appended to the end of the contents pane. In the case of objects that are shown as sorted (for example, ACLs and templates), the list in the contents pane is resorted after the pasting. |
| Delete | Deletes the current selection. The selection can be one or more devices, ACLs, ACEs, or ACL use statements. |
| Move ACE Up | Moves the selected ACEs up one position. |
| Move ACE Down | Moves the selected ACEs down one position. |
| Apply Template | Launches the Template Use Wizard on the selected device (refer to Chapter 7, "ACL Manager Use Wizards"). You can then select the use type (packet filtering or line access), the template to be used, the ACL name to be created, and the interfaces or lines on which to create a use statement. |
| Use ACL | Launches the Template Use Wizard on the selected device for the selected ACL (refer to Chapter 7, "ACL Manager Use Wizards"). You can then select the use type (packet filtering or line access) and the interfaces or lines on which to create a use statement. |
| Edit | Launches the appropriate editor on the current selection. For example, if the selection is an ACL, ACL Editor will be launched; if the selection is an ACE, ACE Editor will be launched. |
| Insert ACL | Launches the ACL Editor to create a new ACL and inserts it into the device. |
| Insert ACE | Launches the ACE Editor to create a new ACE and inserts it into the current ACL context before the current selection. |
| Include Template | Launches the Template Browser to insert a new template include statement into the current ACL context, before the current ACE. |
| Insert Comment | Launches a dialog to insert a one-line comment into the current ACL context, before the current ACE. |
| Insert Time Range | Launches the Time Range Editor to create a new time range definition on the device. |
| Expand ACE(s) Inline | Replaces the current logical ACEs selection with the physical equivalent. This action loses all comments, and cannot be undone. |
| Go to ACL | Changes the contents pane view context from the ACL use to the ACL being used in the selected use. |
The following are available from the View menu:
| Selection | Description |
|---|---|
| Logical View | Changes the view mode to logical. |
| Physical View | Changes the view mode to physical. |
| Left Pane | Makes the folder pane visible, if it was previously invisible. |
| Refresh Device | Executes a refresh operation on selected devices. If any device is in a STALE state, the state will change to OK. |
| Update Device Status | Determines the current states of the selected devices. States can be one of: OK, STALE, UNMANAGED, and UNREACHABLE. |
| Recompute Physical View | Replaces the current physical view with one regenerated from the current selection. The selection can be on a device, one or more ACLs, or one or more ACEs. Regeneration could involve: Use this function if you suspect that a template, class definition, or DNS name has changed since it was last applied to a device. |
| Properties | Displays a window showing the properties of the selected object. Properties can be displayed for: devices, interfaces, and ACLs. (ACL properties are actually use details for the ACL.) |
| Users | Displays a window showing the current Essentials users of the selected devices and the scenario in which the devices are used. |
The following are available from the ACL menu:
| Selection | Description |
|---|---|
| New ACL | Launches the ACL Editor to create a new ACL. |
| New ACE | Launches the ACE Editor to create a new ACE in the current ACL context. The new ACE is appended to the end of the list of ACEs in the contents pane. |
| New Include Template | Launches the Template Browser to select a template to append a template include ACE to the current ACL context. |
| New Comment | Launches a dialog box to enter a one-line comment which is appended to the end of the list of ACEs in the contents pane. |
| New Time Range | Launches the Time Range Editor to create a new time range definition on the device. |
The following are available from the Tools menu:
| Selection | Description |
|---|---|
| ACL Use Wizard | Launches the ACL Use Wizard (refer to Chapter 7, "Applying an ACL Template to a Specific Device"). |
| ACL Downloader | Launches the Downloader (refer to Chapter 8, "Scheduling and Downloading"). |
| Job Browser | Launches the Job Browser (refer to Chapter 8, "Browsing Job Status and Results"). |
| Diff Viewer | Launches the Diff Viewer (refer to Chapter 8, "Verifying the Configuration Changes"). |
| Class Manager | Launches the Class Manager (refer to Chapter 5, "Using the Class Manager"). |
| Template Manager | Launches the Template Manager (refer to Chapter 6, "Using the Template Manager"). |
| Optimizer | Launches the Optimizer (refer to Chapter 9, "Optimizing ACLs"). |
| Hits Optimizer | Launches the Hits Optimizer (refer to Chapter 9, "Optimizing ACLs"). |
The following table describes the ACL Manager toolbar icons:
| Icon | Description |
|---|---|
| | Open Scenario---Closes the scenario and opens a dialog box from which you can open another scenario for editing. The action is equivalent to selecting File > Open Scenario. |
| | Save Scenario---Saves the open scenario to disk (on the server). The action is equivalent to selecting File > Save Scenario. |
| | New ACL---Brings up the ACL Editor (refer to "Creating ACLs" in Chapter 4). The action is equivalent to selecting |
| | Cut---Deletes the current selection and copies it into the paste buffer (refer to "Editing ACLs" in Chapter 4). The selection can be on one or more ACLs or ACEs. The action is equivalent to selecting Edit > Cut. |
| | Copy---Copies the current selection into the paste buffer (refer to "Editing ACLs" in Chapter 4). The action is equivalent to selecting Edit > Copy. |
| | Paste---Pastes the contents of the paste buffer in front of the current selection. If there is no current selection, the contents are appended to the end of the contents pane. The action is equivalent to selecting Edit > Paste. |
| | Delete---Deletes the current selection. The selection can be on one or more devices, ACLs, ACEs, or ACL use statements. The action is equivalent to selecting Edit > Delete. |
| | Undo---Undoes last edit operation, provided that the undo is possible. Some editing operations are irreversible; for example, deleting an ACL use statement. The action is equivalent to selecting Edit > Undo. |
| | Up One Level---Changes the left pane selection context to be at the next higher level. |
| | Move selected ACE up---Reorders the selected ACEs by shifting them up one position. The action is equivalent to selecting |
| | Move selected ACE down---Reorders the selected ACEs by shifting them down one position. The action is equivalent to selecting Edit > Move ACEs Down. |
| | Template Use Wizard---Launches the Use Wizard. The action is equivalent to selecting Tools > Use Wizard. |
| | ACL Downloader---Launches the Downloader. The action is equivalent to selecting Tools > Downloader. |
| | Job Browser---Launches the Job Browser. The action is equivalent to selecting Tools > Job Browser. |
| | Class Manager---Launches the Class Manager. The action is equivalent to selecting Tools > Class Manager. |
| | Template Manager---Launches the Template Manager. The action is equivalent to selecting Tools > Template Manager. |
| | Properties---Displays properties of the current selection. The selection can be on a device, ACL, or interface. ACL "properties" are actually their uses in the device. The action is equivalent to selecting View > Properties. |
The typical ACL Manager workflow involves the following sequence of tasks:
Step 1 Creating a scenario or opening an existing scenario (refer to "Starting ACL Manager").
Step 2 Creating ACLs (refer to "Creating ACLs" in Chapter 4) or editing existing ACLs, or both (refer to "Editing ACLs" in Chapter 4).
Step 3 Creating and editing ACEs (refer to "Editing ACEs" in Chapter 4).
Step 4 Creating ACL use statements (refer to "Defining ACL Uses" in Chapter 7).
Step 5 Saving the scenario (refer to "Saving Scenarios").
Step 6 Viewing and verifying the changes made to the device configuration during editing (refer to "Verifying Device Configuration Changes").
Step 7 Scheduling a download job and downloading the ACL and ACL use modifications to devices (refer to "Downloading the Changes to the Devices").
Step 8 Verifying that the download was completed successfully (refer to "Verifying That the Download Was Successful").
You can view the changes made after you created the scenario using the Diff Viewer. With Diff Viewer, you can see new, deleted, and modified ACLs and ACL uses. You can also see the new IOS configuration that represents the ACLs and ACL Uses for the devices in your scenario as well as the IOS config "deltas." IOS deltas represent the commands that are to be downloaded to the devices in your scenario in order to implement the changes to the device configuration.
Refer to "Viewing the Configuration Changes" in Chapter 4 for full information on launching and using the Diff Viewer.
After saving the scenario and verifying the changes to be downloaded to the devices that were modified in your scenario, you can schedule a job to download the IOS commands to the devices. Refer to Chapter 8, "Scheduling and Downloading," for further information.
After scheduling the download, you can monitor the job status using the Job Browser. Your job can be in one of three states: PENDING, SUCCESSFULLY DOWNLOADED, or DOWNLOAD FAILED. Use the Job Browser to find out if your job failed. If the job failed, you can find out why, and resubmit the job. If the job has not yet started, you can edit the job parameters, make changes to the job scenario, and submit the modified job.
Refer to Chapter 8, "Scheduling and Downloading," for further information.
This section contains topics relating to advanced use of ACL Manager.
A device becomes stale when the device configuration from which the scenario was derived is modified outside the scenario. This can happen in the following situations:
The device status will be changed to STALE (that is, its icon is grayed out and its status is set to STALE) when:
It is not possible to download to a stale device until it is refreshed. However, it should be noted that any edits made to the stale device in the client scenario will be lost on refreshing.
Three device configuration states are relevant to ACL Manager:
Ideally, the configuration on the device is always in synch with that in the base scenario. However, asynchronous changes on the device can happen outside the scope of ACL Manager; for example, devices can be accessed and configurations modified directly through the CLI.
To provide a current version of the device config, the configuration in the base scenario is reconciled with the device:
The representation of ACLs and ACL use statements in user scenarios are based on a device configuration that was obtained from the device when the scenario was created.
If the device configuration from which a user scenario was derived is modified outside the scenario---for example, via the CLI, or by another scenario being downloaded while the device in the original scenario is being edited---then the basis for the edits in the original scenario is invalidated.
If this happens, ACL Manager sets the device status to STALE. You can continue to make modifications to the device but will be unable to download them to the device.
You must refresh a stale device before attempting to download ACL and ACL Use statement modifications to it. Refreshing a device reconciles the device configuration in the scenario with the configuration on the device. You could lose modifications on a device that becomes stale unless you take the precautions described in "How to Avoid Losing Edits When Refreshing a Device."
You can avoid losing edits prior to refreshing a stale device by:
Alternatively, you could save the scenario under another name---this preserves the edits in the scenario with the new name.
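The stale check and the download block described above, sketched as an added example (not Cisco's code and not ACL Manager's implementation): it compares the ACL definitions and ACL uses in the config a scenario was built from with the device's current config, and refuses a download when they differ. The sample configs, the function names, and the choice to compare only ACL-related lines are assumptions.

```python
import re

# Constructed sample configs (not from the page): BASELINE is the config the
# scenario was built from; CURRENT is the device after a CLI edit to ACL 101.
BASELINE = """\
interface Ethernet0
 ip access-group 101 in
!
access-list 101 permit tcp any host 10.1.1.5 eq 80
access-list 101 deny ip any any
ip access-list extended MGMT
 permit tcp 10.9.0.0 0.0.0.255 any eq 22
line vty 0 4
 access-class 10 in
"""
CURRENT = BASELINE.replace("access-list 101 deny ip any any",
                           "access-list 101 permit ip any any")


def acl_view(config):
    """Map each ACL and each ACL use point to its ordered lines (ACE order matters)."""
    view, named, owner = {}, None, ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            named = None
            continue
        if raw[0] != " ":                       # top-level command
            named, owner = None, line
            numbered = re.match(r"access-list (\S+) (.+)", line)
            block = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
            if numbered:
                view.setdefault("acl " + numbered.group(1), []).append(numbered.group(2))
            elif block:
                named = "acl " + block.group(1)
                view[named] = []
        elif named:                             # ACE inside a named ACL
            view[named].append(line)
        elif re.match(r"(ip access-group|access-class) ", line):
            view.setdefault("use " + owner, []).append(line)
    return view


def device_status(baseline_cfg, current_cfg):
    """Return ("OK" | "STALE", names whose ACL lines differ from the baseline).

    Assumption: only ACL definitions and uses are compared, so an unrelated
    change (for example a hostname) does not mark the device stale here.
    """
    old, new = acl_view(baseline_cfg), acl_view(current_cfg)
    changed = sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))
    return ("STALE" if changed else "OK"), changed


def download(device, baseline_cfg, current_cfg, delta_cmds):
    """Hand back the delta to push, or refuse if the device drifted (assumed policy)."""
    status, changed = device_status(baseline_cfg, current_cfg)
    if status == "STALE":
        raise RuntimeError(f"{device} is STALE ({', '.join(changed)}); refresh first")
    return list(delta_cmds)   # stand-in for the real push to the device
```

Because the ACE lists are compared in order, a CLI reorder of two entries in ACL 101 is reported as STALE even though the set of entries is unchanged.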
Posted: Fri Oct 1 12:12:37 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.