Viewing and Editing ACLs

The following sections describe how to view and edit ACLs and the ACEs they contain.

Viewing Existing ACLs

You can display all ACLs on a particular device in the ACL Manager main window contents pane.

Procedure

Step 1 Expand the device folder in the ACL Manager main window.

Step 2 Select ACL Definitions. The ACL definitions for the device are displayed in the right pane (see Figure 4-1).


Figure 4-1: Viewing ACLs

Creating ACLs

ACLs are created under the ACL Definition folder for a particular device. After you create an ACL, you can add ACEs to it.

Procedure

Step 1 Expand the device folder in the ACL Manager main window, then select ACL Definitions. The ACL definitions are displayed in the right pane (see Figure 4-1).

Step 2 Right-click ACL Definitions, then select New ACL from the popup menu. The ACL Editor dialog box is displayed (see Figure 4-2).


Figure 4-2: ACL Editor Dialog

Step 3 Enter the following information:
Field Description

Type

Specifies the type of ACL that can be created on the device, for example: IP, IP_EXTENDED, IPX, IPX_EXTENDED, IPX_SAP, IPX_SUMMARY, RATE_LIMIT_MAC, RATE_LIMIT_PRECEDENCE. Select a type from the drop-down list box. (Only those types supported for the device IOS version and feature-set are available from the drop-down list.)

After the ACL is created, you cannot change the type.

Autonumber

Select Autonumber if you want the ACL Manager to select the first available number for you.

Name or Number

Name---Enter a name for the ACL. If the IOS version of the selected device does not support named ACLs, ACL Manager generates a unique number and associates the ACL name with that number as an alias.

Number---If Autonumber is not checked, enter a unique number that identifies the ACL. IOS accepts only numbers in the range reserved for the selected type (for example, 1 to 99 for standard IP and 100 to 199 for IP extended).

Comment

Enter comments to be associated with this ACL.

Step 4 Click OK.


Note You can select ACL > New ACE from the ACL Manager main window to insert ACE entries into the new ACL.

Defining ACL Uses

Use one of the ACL Use wizards to create an ACL Use (refer to Chapter 7, "ACL Manager Use Wizards").

Editing ACLs

You can use the ACL editor to change the ACL name or comments about the ACL.

Procedure

Step 1 Expand the device folder in the ACL Manager main window.

Step 2 Select ACL Definitions. The ACLs are displayed in the right pane (see Figure 4-1).

Step 3 Right-click on the required ACL, then select Edit. The ACL Editor dialog box is displayed (see Figure 4-2).

Step 4 Enter the fields (refer to "Creating ACLs" for field descriptions), then click OK.

Saving ACLs as Templates

You can save an ACL as a new template. (To save ACEs as a template, refer to "Saving ACEs as a Template.")

Procedure

Step 1 Expand the device folder in the ACL Manager main window.

Step 2 Select ACL Definitions. The ACLs are displayed in the right pane (see Figure 4-1).

Step 3 Select the ACL to save.

Step 4 Select File > Save ACL As to display the Save As Template dialog box (see Figure 4-3).

Step 5 Select the template directory to hold the new template.

Step 6 Enter the new template name, then click OK.


Figure 4-3: Save As Template Dialog Box

Renaming ACLs

You can rename or renumber an existing ACL. Any ACL uses that reference the ACL are updated to reflect the new name or number.

Procedure

Step 1 Expand the device folder in the ACL Manager main window.

Step 2 Select ACL Definitions. The ACLs are displayed in the right pane (see Figure 4-1).

Step 3 Right-click on the ACL to be renamed, then select Edit. The ACL Editor dialog box is displayed (see Figure 4-2).

Step 4 Change the information in the Name or number field, then click OK.

Manipulating ACEs

The ACL Manager provides many features for manipulating the ACEs of a particular ACL definition. The following sections describe them.

Inserting a New ACE

You can insert a new ACE above the selected ACE.

Procedure

Step 1 Expand the device folder in the ACL Manager main window.

Step 2 Expand ACL Definitions.

Step 3 Select the required ACL definition. The ACEs are displayed in the right pane (see Figure 4-4).

Step 4 Right-click on the ACE above which the new ACE is to be inserted, then select Insert ACE. The ACE Editor dialog box is displayed.

Step 5 Enter the parameters for the new ACE. Refer to "Editing ACEs."

Step 6 Click OK.


Figure 4-4: Viewing ACEs

Appending a New ACE

You can append a new ACE to the end of the current list.

Procedure

Step 1 Expand the device folder in the ACL Manager main window.

Step 2 Expand ACL Definitions.

Step 3 Right-click on the required ACL definition, then select New ACE. The ACE Editor dialog box is displayed.

Step 4 Enter the parameters for the new ACE. Refer to "Editing ACEs."

Step 5 Click OK.

For information on editing ACE properties, refer to "Editing ACEs."

Inserting a Template

You can insert a template into an ACL by creating a "template include" ACE that references the template.

Procedure

Step 1 Expand the device folder in the ACL Manager main window.

Step 2 Select ACL Definitions. The ACLs for the device are displayed in the right pane (see Figure 4-1).

Step 3 Right-click on the required ACL, then select New Include Template. The Template Selection dialog box is displayed (see Figure 4-5).

Step 4 Select the template to include. Click Expand to display a window showing the template details (see Figure 4-6).

Step 5 Click OK. The "include template" ACE is inserted above the selected ACE, or is appended to the end of the ACL if no ACE was selected (see Figure 4-7).


Figure 4-5: Template Selection

Figure 4-6: Expanded Template

Figure 4-7: Inserted Template

Appending a Comment

Use the Comment Editor to append a comment to the end of an ACL or ACL template. You can also use the Comment Editor to insert a comment after an ACE (refer to "Inserting a Comment").

Procedure

Step 1 Expand the device folder in the ACL Manager main window.

Step 2 Expand ACL Definitions.

Step 3 Right-click on the required ACL, then select New Comment. The Comment Editor dialog box is displayed (Figure 4-8).

Step 4 Enter a one-line comment, then click OK. The comment is appended to the ACL with the prefix "!". Figure 4-9 shows a comment inserted at the end of an ACL.


Figure 4-8: Insert Comment Dialog Box

Inserting a Comment

Use the Comment Editor to insert a comment after an ACE. You can also use the Comment Editor to append a comment at the end of an ACL or ACL template (refer to "Appending a Comment").

Procedure

Step 1 Expand the device folder in the ACL Manager main window.

Step 2 Expand ACL Definitions.

Step 3 Select the ACL. The ACEs are displayed in the right pane.

Step 4 Right-click on the required ACE, then select Insert Comment. The Comment Editor dialog box is displayed (Figure 4-8).

Step 5 Enter your comment, then click OK.


Figure 4-9: Inserted Comment

Reordering ACEs

Use the Move ACE Up and Move ACE Down toolbar buttons to move selected ACEs up or down.

Procedure

Step 1 Expand the device folder in the ACL Manager main window.

Step 2 Expand ACL Definitions.

Step 3 Select the required ACL definition. The ACEs are displayed in the right pane (see Figure 4-4).

Step 4 Select the ACE to move. (You can select multiple ACEs using Shift and Control keys.)

Step 5 Do one of the following:

  • To move the ACEs up one position, click the Move ACE Up icon.

  • To move the ACEs down one position, click the Move ACE Down icon.


Note If you try to reorder ACEs while in physical mode, a warning message appears if the new order changes the ACL semantics (for example, moving a permit entry past a deny entry that matches some of the same traffic).

Editing ACEs

Use the ACE Editor to edit an ACE.

Procedure

Step 1 Expand the device folder in the ACL Manager main window.

Step 2 Expand ACL Definitions.

Step 3 Select the required ACL definition. The ACEs are displayed in the right pane (see Figure 4-4).

Step 4 Right-click on the ACE to be edited, then select Edit. The ACE Editor dialog box is displayed.

The format of the ACE Editor dialog box, and the properties that can be edited, depend on the ACL protocol type, as described in the following sections.

Specifying Source and Destination Addresses

Most ACE types require you to specify a source address, a destination address, or both.

To specify an IP address or hostname as the source or destination address, enter it directly into the appropriate ACE editor field.

To specify a network or network class as the source or destination address, use the following procedure.

Procedure

Step 1 Click Source Address or Destination Address to open the Network/Class selector dialog box (see Figure 4-10).

Step 2 Select the desired network or network class.

Step 3 Click OK when you have finished.


Figure 4-10: Network/Class Selector

Using the ACE Editor Buttons

The following table explains the buttons at the bottom of the ACE Editor dialog boxes:
Button Description

Expand

Click to expand the ACE. The expansion shows the ACE physical view, that is, the actual IOS statements that implement the ACE. For example, if the source address class translates to n IP addresses and the destination address class expands to m IP addresses, there are n x m entries in the expanded ACE and n x m IOS statements on the device.

New

Click to save the current ACE and start editing a new one. You can then save changes to the current ACE and carry the settings into the new ACE or discard them. If you save, the main window is updated to display the saved ACE.

Prev

Click to save the current ACE and load the previous one from the ACL. You can then save changes to the current ACE or discard them. If you save, the main window is updated to display the saved ACE.

Next

Click to save the current ACE and load the next one from the ACL. You then have the option to save changes made to the current ACE. If you save, the main window is updated to display the saved ACE.
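The following script, added here as an illustration and not part of ACL Manager, shows what the Expand button's n x m expansion looks like in practice: a logical ACE whose source and destination are network classes is turned into the individual IOS access-list statements the device would carry. The class names, ACL number, addresses and the CLASSES table are constructed for the example; ACL Manager keeps its own class definitions behind the Network/Class selector.

```python
"""Expand a class-based ACE into the IOS statements that implement it.

Added example; this is not ACL Manager code. Network classes are modelled
as plain lists of CIDR networks, and the class names, ACL number and
addresses are constructed for illustration.
"""
import ipaddress
from itertools import product
from typing import List, Optional

# Constructed network classes (assumed). ACL Manager keeps its own class
# definitions behind the Network/Class selector; these stand in for them.
CLASSES = {
    "branch-offices": ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"],
    "web-servers": ["192.0.2.10/32", "192.0.2.11/32"],
    "any": ["0.0.0.0/0"],
}


def ios_address(net: ipaddress.IPv4Network) -> str:
    """Render a network as IOS prints it in an extended ACE.

    IOS uses a wildcard mask (the inverse of the subnet mask), with the
    shorthands 'any' for 0.0.0.0/0 and 'host A' for a /32.
    """
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def expand_ace(acl_number: int, action: str, proto: str,
               src_class: str, dst_class: str,
               port: Optional[int] = None) -> List[str]:
    """Return the physical-view statements for one logical ACE.

    A source class of n networks and a destination class of m networks
    yield n * m statements, ordered (src1,dst1), (src1,dst2), ...
    """
    srcs = [ipaddress.ip_network(n) for n in CLASSES[src_class]]
    dsts = [ipaddress.ip_network(n) for n in CLASSES[dst_class]]
    suffix = f" eq {port}" if port is not None else ""
    return [
        f"access-list {acl_number} {action} {proto} "
        f"{ios_address(s)} {ios_address(d)}{suffix}"
        for s, d in product(srcs, dsts)
    ]


if __name__ == "__main__":
    for stmt in expand_ace(101, "permit", "tcp",
                           "branch-offices", "web-servers", 80):
        print(stmt)
```

With the three-member source class and two-member destination class above, one logical ACE becomes six statements on the device. The physical count is what the router evaluates per packet, so a class with many members multiplies the length of every ACE that references it.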

Editing IP ACE Properties

Select an ACE that belongs to a standard IP ACL. Start the ACE Editor on this ACE (see Figure 4-11). The ACE being edited is shown in the display area above the Expand button.


Figure 4-11: ACE Editor Dialog Box - IP

You can edit the fields as follows:
Field Description

Permission

A radio button that determines whether the ACE is a "permit" or "deny" statement.

Log Options

If the IOS version permits this function, enable logging so that the optimization function can later use the hit-rate information.

Source Address

Defines the source address in the ACE. This field is mandatory.

Source Mask

Defines the wildcard mask to be applied to the source address. This field is optional.

Comment

You can add a comment about this ACE. The comment appears in-line. This field is optional.

Editing IP Extended ACE Properties

Select an ACE that belongs to an IP Extended ACL, then start the ACE Editor on this ACE.

There are three tabbed sections, each with a different format, described in the following topics.

Editing IP Extended General Properties

Click the General tab to display the IP Extended (General) properties that can be edited (see Figure 4-12). The ACE being edited is displayed above the Expand button.


Figure 4-12: ACE Editor Dialog Box - IP Extended (General)

You can edit the fields as follows:
Field Description

Protocol

Drop-down list box that allows you to select from various protocols, such as TCP, IP, ICMP, IGMP. You can also enter a protocol name or number.

Permission

A radio button that determines whether the ACE is a "permit" or "deny" statement.

Log Options

If the IOS permits this function, enable logging. There are two kinds of logging: log, which records each match, and log-input, which additionally records the input interface and, where available, the source MAC address.

Source Address

Defines the source address in the ACE. The keyword any is allowed. This field is mandatory.

Source Mask

Defines the wildcard mask for the source address. This field is optional.

Destination Address

Defines the destination address in the ACE. The keyword any is allowed. This field is mandatory.

Destination Mask

Defines the wildcard mask for the destination address.This field is optional.

Destination Port

If the protocol selected is TCP or UDP, this field specifies the destination port for this ACE. The port relationship is assumed to be eq (equal to); use the Advanced tab to select another operator or a port range.

Comment

You can add a comment about this ACE. The comments will appear in-line. This field is optional.

Editing IP Extended Advanced Properties

Click the Advanced tab to display the IP Extended (Advanced) properties that can be edited (see Figure 4-13). The ACE being edited is displayed above the Expand button.


Figure 4-13: ACE Edit Dialog Box - IP Extended (Advanced)

You can edit the fields as follows:
Field Description

TCP flags

Select these check boxes to filter TCP packets according to the setting of the corresponding flags (ACK, FIN, PSH, RST, SYN, and URG). Selecting ACK and RST is equivalent to checking Established, which matches any segment with the ACK or RST bit set. Note that established examines only the flag bits of each packet and does not track connection state, so a crafted packet with ACK set matches even when no connection exists.

This field is not available on all IOS versions.

Source Port Operator

Select an operator from the drop-down list box to define the operation to be performed on the source:

  • eq (equal to)

  • neq (not equal to)

  • gt (greater than)

  • lt (less than)

  • range

  • none

This field is available only if the protocol selected in the General tab is TCP or UDP.

Only the eq operator is available if Service Class is selected.

Source Port Start

Defines the source port or the start of a range of ports if you selected range as the relation. You can enter a port name or select a name from the drop-down list box.

Source Port End

Applies only if the source operator is range. You can enter a port name or select a name from the drop-down list box.

Destination Port Operator

Select an operator from the drop-down list box to define the operation to be performed on the destination:

  • eq (equal to)

  • neq (not equal to)

  • gt (greater than)

  • lt (less than)

  • range

  • none

This field is available only if the protocol selected in the General tab is TCP or UDP.

Only the eq operator is available if Service Class is selected.

Destination Port Start

Defines the destination port or the start of a range of ports if you selected range as the relation. You can enter a port name or select a name from the drop-down list box.

Destination Port End

Applies only if the destination operator is range. You can enter a port name or select a name from the drop-down list box.

ICMP Type

ICMP packets can be filtered by message type (a number in the range 0 to 255). This field is optional.

ICMP Code

ICMP packets that are filtered by message type can also be matched by the message code (a number in the range 0 to 255). This field is optional.

ICMP Message

ICMP packets can be filtered by a message name, or message type and code name. Select the message name from the list displayed in the drop-down list box. This field is optional.

IGMP Type

IGMP packets can be filtered by message type (a number in the range 0 to 15 or a message name in the drop-down list box). This field is optional.

Editing IP Extended Other Properties

Click the Other tab to display the IP Extended (Other) properties that can be edited (see Figure 4-14). The ACE being edited is displayed in the window above the Expand button.


Figure 4-14: ACE Editor Dialog Box - IP Extended (Other)

You can edit the fields as follows:
Field Description

Precedence

Packets can be filtered by precedence level, as specified by a number in the range 0 to 7, or by name. You can select a name from the drop-down list box.

TOS

Packets can be filtered by type of service level, as specified by a number in the range 0 to 15, or by name. You can select a name from the drop-down list box.

Dynamic Name

Specifies the name of a dynamic access list. This field is optional.

Dynamic Timeout (minutes)

Specifies a maximum time limit (in minutes) that a temporary access list entry can remain within the dynamic access list. The default is infinite and allows an entry to remain permanently. This field is optional.

Time Range Name

Specifies a named time range, which combines at most one absolute interval and zero or more periodic intervals during which this ACL entry is in effect. The time range must already have been set up on the device (available only on IOS releases later than 12.0(1)T).

Evaluate ACL

Select this check box to nest a reflexive access list within an ACL. Enter the name of a reflexive ACL. This field is optional.

Reflexive ACL

Select this check box if this entry should create and insert dynamic entries into a reflexive ACL. Reflexive ACLs filter IP traffic so that TCP or UDP session traffic is permitted through the firewall only if the session originated from within the internal network. This field is optional.

Reflexive Timeout (minutes)

Reflexive access list entries expire after no packets in the session have been detected for a certain length of time (the timeout period, in minutes). If you do not specify a timeout for the reflexive list, the list uses the global timeout value. This field is optional.

Editing IPX ACE Properties

Select an ACL with IPX protocol and open the ACE Editor to display the properties that can be edited (see Figure 4-15). The ACE being edited is displayed above the Expand button.


Figure 4-15: ACE Editor Dialog Box - IPX

You can edit the fields as follows:
Field Description

Permission

A radio button that determines whether the ACE is a "permit" or "deny" statement.

Source Network

Defines the source IPX network in the ACE. The keyword any is allowed. This field is mandatory.

Source Node

Defines the source IPX node in the ACE. This field is optional.

Source Mask

Defines the wildcard mask to be applied to the source IPX node. This field is optional.

Destination Network

Defines the destination IPX network of the ACE. The keyword any is allowed. This field is optional.

Destination Node

Defines the destination IPX node of the ACE. This field is optional.

Destination Mask

Defines the wildcard mask to be applied to the destination IPX node. This field is optional.

Editing IPX Extended ACE Properties

Select an ACL with IPX Extended protocol and open the ACE Editor to display the properties that can be edited (see Figure 4-16). The ACE being edited is displayed above the Expand button.


Figure 4-16: ACE Editor Dialog Box - IPX Extended

You can edit the fields as follows:
Field Description

Protocol

Select a protocol (any, ncp, netbios, rip, sap, spx) from the drop-down list box. This field is mandatory.

Permission

A radio button that determines whether the ACE is a "permit" or "deny" statement.

Logging

If the IOS permits this function, enables logging.

Time Range Name

Specifies a named time range, that is, a combination of at most one absolute interval and zero or more periodic intervals during which this ACL entry is in effect. The time range must already have been set up on the device (available only on IOS releases later than 12.0(1)T).

Source Network

Defines the source network address. This field is mandatory.

Source Network Mask

Defines the wildcard mask to be applied to the source network address. This field is optional.

Source Node

Defines the source node. This field is optional.

Source Node Mask

Defines the wildcard mask to be applied to the source node address. This field is optional.

Source Socket

Defines the source socket. Click on the drop-down list box to select the socket. This field is optional.

Destination Network

Defines the destination network address. This field is mandatory.

Destination Network Mask

Defines the wildcard mask to be applied to the destination network address. This field is optional.

Destination Node

Defines the destination node. This field is optional.

Destination Node Mask

Defines the wildcard mask to be applied to the destination node address. This field is optional.

Destination Socket

Defines the destination socket. Click on the drop-down list box to select the socket. This field is optional.

Editing IPX SAP ACE Properties

Select an ACL with IPX SAP protocol and open the ACE Editor to display the properties that can be edited (see Figure 4-17). The ACE being edited is displayed above the Expand button.


Figure 4-17: ACE Editor Dialog Box - IPX SAP

You can edit the fields as follows:
Field Description

Permission

A radio button that determines whether the ACE is a "permit" or "deny" statement.

Network

Defines the network in the ACE. This field is mandatory.

Network Mask

Defines the wildcard mask to be applied to the network address. This field is optional.

Node

Defines the node in the ACE. This field is optional.

Node Mask

Defines a wildcard mask to be applied to the node. This field is optional.

Service Type

Select a service type on which to filter from the drop-down list box. This field is optional.

Server Name

Defines the name of the server that provides the service. This field is optional.

Editing IPX SUMMARY ACE Properties

Select an ACL with IPX SUMMARY protocol and open the ACE Editor to display the properties that can be edited (see Figure 4-18). The ACE being edited is displayed above the Expand button.


Figure 4-18: ACE Editor Dialog - IPX SUMMARY

You can edit the fields as follows:
Field Description

Permission

A radio button that determines whether the ACE is a "permit" or "deny" statement.

Network

Defines the network in the ACE. This field is mandatory.

Network Mask

Defines the wildcard mask to be applied to the network address. This field is optional.

Interface Name

Defines the interface name. You can select the interface from the drop-down list box. This field is optional.

Ticks

Metrics assigned to the route summary. This field is optional.

Area Count

The maximum number of NLSP areas to which the route summary can be redistributed. This field is optional.

Editing RATE LIMIT MAC ACE Properties

Select an ACL with RATE LIMIT MAC protocol and open the ACE Editor to display the properties that can be edited (see Figure 4-19). The ACE being edited is displayed above the Expand button.


Figure 4-19: ACE Editor Dialog Box - RATE LIMIT MAC

You can edit the fields as follows:
Field Description

MAC Address

Defines the MAC address.

Editing RATE LIMIT PRECEDENCE ACE Properties

Select an ACL with RATE LIMIT PRECEDENCE protocol and open the ACE Editor to display the properties that can be edited (see Figure 4-20).


Figure 4-20: ACE Editor Dialog Box - RATE LIMIT PRECEDENCE


You can edit the fields as follows:
Field Description

Precedence

Select this check box if packets are to be filtered by precedence level. You can specify a number in the range from 0 to 7 or a name.

Precedence Mask

Select this check box if packets are to be matched by mask for filtering by precedence level. Enter the precedence mask (a two-digit hexadecimal number).

Saving ACEs as a Template

You can save selected ACEs as a new template. For information on saving ACLs as a template, refer to "Saving ACLs as Templates."

Procedure

Step 1 Expand the device folder in the ACL Manager main window.

Step 2 Expand ACL Definitions.

Step 3 Select the required ACL definition. The ACEs for the definition are displayed in the right pane (see Figure 4-4).

Step 4 Select the ACEs to form the new template. The ACEs must be contiguous; you cannot save a noncontiguous selection as a template.

Step 5 Select File > Save ACEs As to display the Save As Template dialog box (see Figure 4-3).

Step 6 Select the template directory to hold the new template.

Step 7 Enter the new template name, then click OK. The selected ACEs are replaced in the ACL by an "include template" statement that references the new template.

Viewing the Configuration Changes

Use the following procedure to view the changes you have made to ACLs or ACL use in the device configuration.

Procedure

Step 1 From the ACL Manager main window, select Tools > Diff Viewer to display the Config Diff View window (see Figure 4-21).


Figure 4-21: Config Diff View Window

Step 2 Select the device whose configuration changes you want to examine.

Step 3 Select the ACL or ACL use to view (see Figure 4-22).


Figure 4-22: Config Diff View Window - Selecting the ACL

In this example, there are three changes from the original configuration for ACL 100 in device aclm7505-1:

  • ACE 4 is inserted

  • ACE 5 is deleted

  • ACE 11 is deleted

Step 4 Click Config to view the complete new configuration file (see Figure 4-23).


Figure 4-23: New Configuration File

Step 5 Click OK to return to the Config Diff View.

Step 6 Click Delta to view configuration file changes since the last download. This shows the configuration commands that will be sent to the device to make the required changes to the device configuration (see Figure 4-24).

Step 7 Click OK to return to the Config Diff View.


Figure 4-24: Configuration File Changes

Optimizing the ACL

After you have created or edited the ACL, ACL Manager examines the ACEs and performs redundancy checks, such as removing redundant ACEs (entries that can never match because an earlier entry already covers the same traffic).

You can also use the Optimizer to determine if further optimization is possible (refer to Chapter 9, "Optimizing ACLs").


Note Optimization changes the order of ACEs only if it does not change the ACL semantics in any way.
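The two checks referred to above, the warning that a reorder in physical mode would change the ACL semantics ("Reordering ACEs") and the removal of redundant ACEs during optimization, both reduce to comparing the sets of packets two entries match. The script below is an added example, not ACL Manager's code, that implements both on a simplified IOS extended ACL syntax: it parses only permit/deny entries with an optional "eq" destination port, and the sample ACL, addresses and ACL number are constructed for illustration.

```python
"""Shadow and safe-reorder checks for IOS extended ACEs.

Added example; this is not ACL Manager code. It implements two checks the
text describes in simplified form: finding ACEs that can never match because
an earlier ACE already covers them, and deciding whether swapping two ACEs
changes what the ACL permits. Only 'eq' port matches are parsed; options
such as log, established or range are deliberately unsupported. The sample
ACL is constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

ACE_RE = re.compile(
    r"access-list (?P<num>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?$"
)


def parse_addr(text: str) -> ipaddress.IPv4Network:
    """Convert 'any', 'host A' or 'A wildcard' into an IPv4Network."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if text.startswith("host "):
        return ipaddress.ip_network(text[5:] + "/32")
    addr, wild = text.split()
    # An IOS wildcard is the inverse of a netmask; invert it explicitly so
    # that 0.0.0.0 means /32 (not /0). A non-contiguous wildcard raises.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[str]  # None: any destination port

    @classmethod
    def parse(cls, line: str) -> "Ace":
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        return cls(m["action"], m["proto"], parse_addr(m["src"]),
                   parse_addr(m["dst"]), m["port"])

    def covers(self, other: "Ace") -> bool:
        """True if every packet matched by 'other' is also matched by self."""
        return (self.proto in ("ip", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.port in (None, other.port))

    def overlaps(self, other: "Ace") -> bool:
        """True if at least one packet is matched by both ACEs."""
        return (("ip" in (self.proto, other.proto) or self.proto == other.proto)
                and self.src.overlaps(other.src)
                and self.dst.overlaps(other.dst)
                and (None in (self.port, other.port) or self.port == other.port))


def shadowed(acl: List[Ace]) -> List[int]:
    """Indexes of ACEs that never fire because an earlier ACE covers them."""
    return [i for i, ace in enumerate(acl)
            if any(earlier.covers(ace) for earlier in acl[:i])]


def swap_changes_semantics(a: Ace, b: Ace) -> bool:
    """Swapping adjacent ACEs matters only if they overlap and disagree."""
    return a.overlaps(b) and a.action != b.action


# Constructed sample ACL: the third entry (index 2) is shadowed by the first.
SAMPLE_ACL = [
    "access-list 101 permit tcp 10.1.0.0 0.0.0.255 host 192.0.2.10 eq 80",
    "access-list 101 deny tcp any host 192.0.2.10 eq 80",
    "access-list 101 permit tcp host 10.1.0.7 host 192.0.2.10 eq 80",
    "access-list 101 permit udp any any eq 53",
    "access-list 101 deny ip any any",
]

if __name__ == "__main__":
    acl = [Ace.parse(line) for line in SAMPLE_ACL]
    print("shadowed:", shadowed(acl))
    for i in range(len(acl) - 1):
        print(f"swap {i},{i + 1} changes semantics:",
              swap_changes_semantics(acl[i], acl[i + 1]))
```

Two adjacent entries can be swapped safely when they match disjoint traffic or when they agree on the action; only an overlapping permit/deny pair is order-sensitive. A shadowed entry is dead regardless of its action, which is why removing it is the kind of optimization that never changes the ACL's semantics.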


Posted: Fri Oct 1 12:13:17 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.