|
|
The Class Manager provides the means to lessen the time-consuming task of defining individual ACEs and to improve the consistency of the ACEs. These topics describe the Class Manager and how it works:
You can use the Class Manager to define networks, network classes, services, and service classes. These can be used within ACEs in an ACL or a template.
For example, suppose you use the Class Manager to define a network class called users, consisting of IP address ranges and hostnames of host machines belonging to a set of users, and another network class called fileservers, consisting of IP address ranges and hostnames for a set of server machines. You can now use the ACE editor in ACL Manager to create a single statement that replaces the multiple statements that would otherwise be necessary to achieve the same effect:
permit tcp ftp from @users to @fileservers
Similarly, if you create a network class called Engineering_Hosts, containing the host machines Eng1, Eng2, and Eng3; and another network class called Marketing_Hosts, containing the host machines Mkt1 and Mkt2, you could now create the ACE:
permit ip from Engineering_Hosts to Marketing_Hosts
In IOS, this single statement translates into the equivalent of following six statements:
permit ip from host Eng1 to Mkt1 permit ip from host Eng1 to Mkt2 permit ip from host Eng2 to Mkt1 permit ip from host Eng2 to Mkt2 permit ip from host Eng3 to Mkt1 permit ip from host Eng3 to Mkt2
You can also use Class Manager to create named TCP or UDP ports or port ranges (services and service classes) for use in ACEs.
There are six Class Manager editors:
The Class Manager editors allow you to create the appropriate Class Manager entities. You can create a new service using the Service Editor (refer to "Creating a New Service"). However, some services are predefined and cannot be modified. You can create a service class consisting of one or more services or port ranges (refer to "Creating a New Service Class").
Similarly, you can create a network class (refer to "Creating a New Network Class") using a range of IP addresses, DNS host names, networks, and other network classes. You can also create a named network (refer to "Creating a New Network").
You need to start the Class Manager before creating or editing network and service classes.
Step 1 Select Tools > Class Manager from the ACL Manager main window. The Class Manager window is displayed (see Figure 5-1).
The following icons are specific to the Class Manager toolbar:
New Service---opens a dialog box to create a new service.
New Service Class---opens a dialog box to create a new service class.
New Network---opens a dialog box to create a new network.
New Network Class---opens a dialog box to create a new network class.
The ACL Manager maintains a list of names of well-known TCP and UDP port numbers. You can create new port number to name associations using Class Manager. These are known as services. You cannot edit well-known services, but you can rename and change the port number of services that you create.
You can reduce the complexity of setting up ACEs by creating Service Classes. Service classes comprise sets of TCP or UDP ports or port ranges. These classes are used in an ACL or ACL template to reduce the time-consuming task of defining individual ACEs for a given set of services or sockets.
You can perform the following operations on services and service classes:
Use the following procedure to create a new service from the Class Manager window. To edit an existing service definition, refer to "Editing a Service."
Step 1 Select Services in the Class Manager left pane (see Figure 5-1).
Step 2 Click on the New Service icon in the Class Manager toolbar. The Service Editor dialog box is displayed (see Figure 5-2).
Step 3 Set the appropriate fields, as follows:
| Field | Description |
|---|---|
Protocol | Protocol for the service; either TCP or UDP. |
Name | Name to be given to the service definition. |
Port Number | Port number. |
Step 4 Click OK when you have finished.
Use the following procedure to edit an existing service definition from the Class Manager window.
Step 1 Select the Services folder in the left pane (see Figure 5-1). The service definitions are displayed in the right pane.
Step 2 Right-click on the service to edit, then select Edit. The Service Editor dialog box is displayed (see Figure 5-2).
Step 3 Make your changes, then click OK.
Use the following procedure to create a new service class from the Class Manager window. To edit an existing service class, refer to "Editing a Service Class."
Step 1 Select the Service Classes folder in the left pane.
Step 2 Click on the New Service Class icon. The Service Class Editor dialog box is displayed (see Figure 5-3).
Step 3 Set the appropriate fields, as follows:
| Field | Description |
|---|---|
Name | Name of the service class. |
Protocol | Protocol for the service; either TCP or UDP. |
Port Range | Defines a range (lowest and highest) of port addresses to be added to the service class. |
Service Classes | Lists all defined service classes that can be added to this service class. |
Services | Lists all defined services that can be added to this service class. |
Classes/Services/Ranges | Shows the classes, services and port ranges belonging to this service class. Click Add to add an item from a left pane into Classes/Services/Ranges. Click Remove to remove an item from Classes/Services/Ranges. |
Step 4 Click OK to apply the changes and close the dialog box.
Use the following procedure to edit an existing service class from the Class Manager window. To create a new service class, refer to "Creating a New Service Class."
Step 1 Select the Service Class folder in the left pane (see Figure 5-1). The service classes are displayed in the right pane.
Step 2 Right-click on the service class to be edited, then select Edit. The Service Class Editor dialog box is displayed (see Figure 5-3).
Step 3 Make your changes, then click OK.
Use the following procedure to edit an existing or new service class entry from the Class Manager window.
Step 1 Select the Service Class folder in the left pane, then select the service class to be edited.
Step 2 Right-click the service class entry to be edited, then select Edit. The Service Class Entry Editor dialog box is displayed.
Step 3 Make your changes, then click OK.
A network is defined by an IP address, a network mask, and its name. You can perform the following operations on networks and network classes:
Use the following procedure to create or edit a network from the Class Manager window. To edit an existing network, refer to "Editing a Network."
Step 1 Click Networks in the left pane (see Figure 5-1).
Step 2 Click on the New Network icon in the Class Manager toolbar. The Network Editor dialog box is displayed (see Figure 5-4).
Step 3 Set the appropriate fields, as follows:
| Field | Description |
|---|---|
Network name | Name to be given to the network definition. |
IP address | Network IP address. |
Mask | Mask (IP dotted notation). |
Step 4 Click OK when you have finished.
Use the following procedure to edit an existing network definition from the Class Manager window. To create a new network, refer to "Creating a New Network."
Step 1 Select the Networks folder in the left pane (see Figure 5-1). The network definitions are displayed in the right pane.
Step 2 Right-click on the network to edit, then select Edit. The Network Editor dialog box is displayed (see Figure 5-4).
Step 3 Make your changes, then click OK.
Use the following procedure to create a new network class from the Class Manager window. To edit an existing network class definition, refer to "Editing a Network Class."
Step 1 Select the Network Classes folder in the left pane (see Figure 5-1).
Step 2 Click on the New Network Class icon. The Network Class Editor dialog box is displayed (see Figure 5-5).
Step 3 Set the appropriate fields, as follows:
| Field | Description |
|---|---|
Name | Network class name. |
Hosts | Name of a host to be added to the network class. |
Address Range | Defines a range of IP addresses to be added to the network class. |
Network Classes | Lists all defined network classes that can be added to this network class. |
Networks | Lists all defined networks that can be added to this network class. |
Hosts/Address Ranges | Shows the hosts and address ranges defined so far in this network class. |
When setting the above fields, you can:
Click Add to add a field from a left pane to a right pane.
Click Remove to remove a field from the right pane.
Step 4 Click OK to apply the changes and close the dialog box.
Use the following procedure to edit an existing network class from the Class Manager window.
Step 1 Select the Network Class folder in the left pane (see Figure 5-1). The network classes are displayed in the right pane.
Step 2 Right-click on the network class to be edited, then select Edit. The Network Class Editor dialog box is displayed (see Figure 5-5).
Step 3 Make your changes, then click OK.
Use the following procedure to edit an existing network class entry from the Class Manager window.
Step 1 Select the Network Class folder in the left pane, then select the network class to be edited.
Step 2 Right-click the network class entry to be edited, then select Edit. The Network Class Entry Editor dialog box is displayed.
Step 3 Make your changes, then click OK.
This example shows how to use Class Manager to create a complex ACL with one logical ACE, but multiple physical ACEs.
Step 1 Create a network definition called MainDataCenter. Use the IP dot notation address and a network mask to define a range of IP addresses (see Figure 5-6).
Step 2 Use the Network Class Editor to define a network class containing all the end host addresses of the workstations used in the group called USR-Finance (see Figure 5-7).
Step 3 Create a service class called StandardServices, that includes the desired range of services (for example, pop2, pop3, Telnet, ftp-data, ftp, and port range 1024 to 1034).
Step 4 Use ACL Manager, the ACE editor, and the Network/Class Selector to create one logical ACE of the form:
permit tcp standardservice from @USR-Finance to @MainDataCenter
This can be interpreted as permitting TCP traffic for all 11 source addresses specified in the class @USR-Finance to the destination address specified by MainDataCenter on the ports specified by the StandardServices.
Posted: Fri Oct 1 12:16:30 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.