ACL Manager Overview

ACL Manager helps you manage Access Control Lists (ACLs) on Cisco routers running IOS. It presents a user-friendly graphical user interface that allows you to concentrate on the security of your network without having to learn complex IOS syntax.

ACL Manager runs as an additional component (an add-on) to Resource Manager Essentials (Essentials), and provides you with the means to easily address, solve, and reduce configuration problems related to ACLs.

The following topics introduce you to some of the concepts and features of ACL Manager:

ACL Terms and Definitions

Access Control List (ACL, ACL Definition) and Access Control Entry (ACE): An ACL consists of one or more ACEs that collectively define the network traffic profile. This profile can then be referenced by IOS features such as traffic filtering, priority or custom queuing, dynamic access control, encryption, Telnet access, and so on. Each ACE includes an action element ("permit" or "deny") and a filter element based upon criteria such as source address, destination address, protocol, protocol-specific parameters, and so on.

ACL Template (Template): A named set of ACEs. Templates can be inserted into ACLs (see Template Include ACE). Templates can include other templates.

ACL Use: ACL Use statements in a device configuration utilize or reference an ACL for some purpose. There are over 50 possible purposes, which include, for example: IP packet filtering, line access, traffic shaping, IP multicast rate limiting, SNMP server, IPX input SAP filtering, IPX router filtering, and so on.

ACL Use Modes and Contexts: ACLs can be used in various IOS configuration modes: global, router, route-map, crypto-map, line, and interface. Except for global, the configuration modes have named contexts within which ACL use statements can be created in IOS. The contexts for line mode are the actual vtys (for example, console, vty 0, vty 1, and so on); the contexts for interface mode are interface names (for example, Serial 0, Ethernet 0, TokenRing 0, and so on). ACL Manager allows use statements to be created only for line and interface modes. ACL Manager allows you to apply these statements only for line access and packet filtering.

Logical View: An abstract or high-level view of ACE statements in an ACL. The logical view could show ACEs using service and network class definitions, template include statements and comments.

Network: A network is a named IP address and mask combination. It is a subnet specification used in the source and destination fields of ACE statements.

Network Class: A network class is a named set of IP addresses, hostnames, IP address ranges, networks, or (recursively) other network classes that ACL Manager allows you to use in ACE source or destination fields.

Physical View: A low-level view of ACE statements in an ACL. The physical view maps one-to-one with the IOS commands corresponding to the ACE statements.

Scenario: The set of devices whose ACLs and ACL use statements you are currently editing. You can name a scenario and save it for future use. Note that you can edit devices in multiple scenarios simultaneously.

Service: Services are named TCP or UDP ports that can be used in individual ACEs to provide a specification of the network traffic to be matched by filter criteria.

Service Class: A service class consists of named port range specifications that ACL Manager allows you to use in ACE port specification fields. Service class definitions are recursive and can use other service or service class definitions.

Template: Refer to ACL Template.

Template Include ACE: A special ACE that proxies for, or represents, the set of ACEs corresponding to the template.
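The terms above fit together as a small data model: a logical view holds ACEs written against networks, network classes, service classes and template includes, and the physical view is that same list expanded so that each line corresponds to one IOS command. The following is an added example of that expansion and is not code from ACL Manager or Cisco; the class and template definitions, the `host:` token and the simplified extended-ACL syntax (wildcard masks, `eq <port>` only) are assumptions constructed for the example. Because classes and templates may reference each other recursively, the expansion also has to reject a definition that refers to itself, which the `class_is_valid` helper checks.

```python
"""Added example (not Cisco's ACL Manager code): a toy model of the terms above,
expanding an ACL's logical view (network/service classes, template includes,
comments) into the physical view of one IOS ACE command per line.

Assumptions: class and template definitions are plain dicts; the IOS extended
ACL syntax is simplified (wildcard masks, 'eq <port>' only); all data below is
constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Network: named IP address + wildcard mask (constructed sample data).
NETWORKS: Dict[str, Tuple[str, str]] = {
    "corp-lan": ("10.1.0.0", "0.0.255.255"),
    "dmz": ("192.0.2.0", "0.0.0.255"),
}
# Network class: hosts, networks or (recursively) other network classes.
NETWORK_CLASSES: Dict[str, List[str]] = {
    "servers": ["dmz", "host:192.0.2.10"],
    "internal": ["corp-lan", "servers"],   # refers to another class
    "broken": ["internal", "broken"],      # self-reference: must be rejected
}
# Service: named TCP/UDP port; service class: services or other service classes.
SERVICES: Dict[str, int] = {"http": 80, "https": 443, "ssh": 22}
SERVICE_CLASSES: Dict[str, List[str]] = {"web": ["http", "https"], "mgmt": ["ssh", "web"]}


@dataclass
class ACE:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp" or "udp"
    src: str                         # "any", "host:<addr>", network or network class
    dst: str
    service: Optional[str] = None    # service or service class (tcp/udp only)
    comment: Optional[str] = None    # shown in the logical view, emitted as 'remark'


@dataclass
class TemplateInclude:
    template: str                    # proxies for all ACEs of the named template


LogicalEntry = Union[ACE, TemplateInclude]

# Templates: named sets of ACEs; a template may include another template.
TEMPLATES: Dict[str, List[LogicalEntry]] = {
    "deny-bogons": [ACE("deny", "ip", "host:0.0.0.0", "any", comment="bogon source")],
    "base": [TemplateInclude("deny-bogons"),
             ACE("permit", "tcp", "internal", "servers", "mgmt")],
}


def expand_network(name: str, seen: Tuple[str, ...] = ()) -> List[str]:
    """Resolve a source/destination token to IOS address strings, rejecting cycles."""
    if name in seen:
        raise ValueError(f"cyclic network class: {' -> '.join(seen + (name,))}")
    if name == "any":
        return ["any"]
    if name.startswith("host:"):
        return [f"host {name[5:]}"]
    if name in NETWORKS:
        addr, wildcard = NETWORKS[name]
        return [f"{addr} {wildcard}"]
    if name in NETWORK_CLASSES:
        out: List[str] = []
        for member in NETWORK_CLASSES[name]:
            out.extend(expand_network(member, seen + (name,)))
        return list(dict.fromkeys(out))  # keep first-match order, drop duplicates
    raise KeyError(f"unknown network or class: {name}")


def expand_service(name: str, seen: Tuple[str, ...] = ()) -> List[int]:
    """Resolve a service or service class to a list of port numbers, rejecting cycles."""
    if name in seen:
        raise ValueError(f"cyclic service class: {name}")
    if name in SERVICES:
        return [SERVICES[name]]
    if name in SERVICE_CLASSES:
        out: List[int] = []
        for member in SERVICE_CLASSES[name]:
            out.extend(expand_service(member, seen + (name,)))
        return list(dict.fromkeys(out))
    raise KeyError(f"unknown service or class: {name}")


def physical_view(entries: List[LogicalEntry], seen: Tuple[str, ...] = ()) -> List[str]:
    """Logical view -> physical view: one IOS ACE per line, template includes inlined."""
    lines: List[str] = []
    for entry in entries:
        if isinstance(entry, TemplateInclude):
            if entry.template in seen:
                raise ValueError(f"cyclic template include: {entry.template}")
            lines.extend(physical_view(TEMPLATES[entry.template], seen + (entry.template,)))
            continue
        if entry.comment:
            lines.append(f"remark {entry.comment}")
        ports = expand_service(entry.service) if entry.service else [None]
        for src in expand_network(entry.src):
            for dst in expand_network(entry.dst):
                for port in ports:
                    suffix = f" eq {port}" if port is not None else ""
                    lines.append(f"{entry.action} {entry.protocol} {src} {dst}{suffix}")
    return lines


def class_is_valid(name: str) -> bool:
    """True if a network class resolves without cycles or unknown members."""
    try:
        expand_network(name)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    for line in physical_view(TEMPLATES["base"]):
        print(line)
```

Running the block prints the physical view of the `base` template: the remark and the bogon deny from the included template, followed by the 18 permit lines that the single logical `internal -> servers / mgmt` ACE expands into (three sources, two destinations, three ports). That fan-out is the point of the logical view: one readable ACE in the GUI can stand for many IOS commands, and a change to a class silently changes every ACL that uses it, which is why cycle and membership checks belong in the model rather than at download time.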

What Is ACL Manager?

The ACL Manager application is designed for the experienced network administrator who already understands the structure and uses of ACLs. It allows users to create, modify, and deploy ACLs to multiple devices through a Windows Explorer-type interface. ACL Manager supports IP and IPX ACLs for IOS Releases 10.3 through 12.0. With ACL Manager, you can create ACL uses for traffic filtering and line access and, although you cannot create all types of ACL uses, all existing types of ACL uses are recognized and tracked. This means that if an ACL is used in a category other than traffic filtering or line access, the ACL references in those statements will be changed if the ACL name is changed. ACL Manager allows comments to be associated with an ACL or ACE, so that you can audit and track changes on a per-ACL or per-ACE basis.

ACL Manager Components

ACL Manager maintains a device model with attributes relevant to ACL management for managed IOS devices. The device model is initialized by obtaining configuration files from Config Archive and parsing relevant statements.

ACL Manager comprises a GUI that is integrated with the Essentials front-end. This interface provides the means to create, edit, and view ACLs. It is a split-panel view with the devices in the scenario represented in a tree structure in the left pane. When you select a node in the left pane, the right pane displays the contents of the selection and its attributes. The display in the right pane is context sensitive. The ACL Manager GUI also provides access to editing tools and other functions, such as the Template Manager, Class Manager, Use Wizard, and ACL Downloader and Optimizer. Refer to "ACL Manager Tools."

Benefits of ACL Manager

Network problems are frequently introduced at the time devices are configured, and fixing such problems is both expensive and time-consuming. Also, since router configurations are interdependent, network complexity increases exponentially with the number of routers, and configuration problems become harder to detect and avoid. The result is either operational or latent configuration problems. ACL Manager solves these problems by providing inventory and change audit features that simplify the processes for setting up and changing device configurations.

In addition, ACL construction must be extremely precise, because an incorrect filter can cause a security problem or incapacitate a network. Writing filters is time-consuming: it might be necessary to write many lines of IOS commands to configure coexisting network filters for different protocols. ACL Manager alleviates these problems by providing a GUI that shields users from having to know IOS syntax in order to create ACLs.

ACL Manager provides the following benefits:

ACL Manager Functionality

ACL Manager comprises a suite of modules and tools designed to simplify the management of ACLs and ACL use statements. The suite contains five major modules: ACL Manager, Template Manager, Class Manager, Template Use Wizard, and ACL Downloader. Refer to "ACL Manager Tools" for a description of the tools provided by ACL Manager.

The ACL Manager suite is integrated with the Essentials Config Archive and Inventory applications. It uses device information from Inventory, and reads the configuration contained in the Config Archive to create a model of the ACLs and ACL use statements in the device configuration.

The ACL Manager module provides a tree view to display this information in a Windows Explorer-type GUI. When you change device ACLs and ACL use statements, ACL Manager generates the appropriate IOS commands (config deltas) to implement the configuration changes.

A download mechanism is provided to enable you to apply the configuration changes to the appropriate devices. The Config Archive is updated automatically after a successful ACL Manager download.

Some of the tasks that the ACL Manager suite enables you to perform include:

ACL Manager Tools

ACL Manager provides the following tools for ACL development:

1. Select a use type (either packet filtering or line access).

2. Select a device or set of devices.

3. Select a template or an ACL on a device.

4. Select an interface or a line.

You can create an ACL if a template was selected in step 3.
You can create a use statement using steps 1 through 4.
(Refer to Chapter 7, "ACL Manager Use Wizards.")
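The two mechanisms described above, config deltas generated from a change to the device model ("ACL Manager Functionality") and use statements built from the four wizard selections (steps 1 through 4), can be shown together. The following is an added example and is not ACL Manager's own delta algorithm; the archived device model, the use-statement templates and the simplified numbered/named ACL syntax are assumptions constructed for the example. It shows the one behaviour the overview calls out: when an ACL is renamed, every tracked use statement is repointed, including a use type (here a constructed `snmp-server community` reference) that ACL Manager tracks but cannot create. The delta is ordered so the new list exists before anything references it and the old list is removed only after nothing does.

```python
"""Added example (not Cisco's code): generate IOS config deltas for an ACL change
and build use statements from the Use Wizard selections.

Assumptions: ACL names that are all digits are numbered ACLs, anything else is a
named extended ACL; a use statement is a (mode, context, template, acl) tuple
whose template has an {acl} placeholder; all data is constructed for the example."""
from typing import Dict, List, Tuple

Use = Tuple[str, str, str, str]   # (mode, context, statement template, referenced ACL)

# Constructed archived device model: ACL name -> physical ACE lines.
ARCHIVE_ACLS: Dict[str, List[str]] = {
    "101": ["permit tcp any host 192.0.2.10 eq 80", "deny ip any any"],
    "10": ["permit 10.1.0.0 0.0.255.255"],
}
# Constructed use statements parsed from the archived config, one per mode/context.
ARCHIVE_USES: List[Use] = [
    ("interface", "Serial0", "ip access-group {acl} in", "101"),          # packet filtering
    ("line", "vty 0 4", "access-class {acl} in", "10"),                   # line access
    ("global", "", "snmp-server community public RO {acl}", "10"),        # tracked, not creatable
]


def define_acl(name: str, aces: List[str]) -> List[str]:
    """IOS commands that create the ACL from its physical view."""
    if name.isdigit():
        return [f"access-list {name} {ace}" for ace in aces]
    return [f"ip access-list extended {name}"] + [f" {ace}" for ace in aces]


def remove_acl(name: str) -> List[str]:
    """IOS command that deletes the whole ACL."""
    return [f"no access-list {name}"] if name.isdigit() else [f"no ip access-list extended {name}"]


def render_use(use: Use, acl: str) -> List[str]:
    """Emit a use statement inside its mode/context (global mode has no context)."""
    mode, context, template, _ = use
    statement = template.format(acl=acl)
    return [statement] if mode == "global" else [f"{mode} {context}", f" {statement}"]


def wizard_use(use_type: str, acl: str, target: str) -> Use:
    """Use Wizard steps 1-4: use type, ACL and interface/line -> use statement.
    (Step 2, the device, is fixed here because the example models a single device.)"""
    if use_type == "packet filtering":
        return ("interface", target, "ip access-group {acl} in", acl)
    if use_type == "line access":
        return ("line", target, "access-class {acl} in", acl)
    raise ValueError("uses can be created only for packet filtering and line access")


def config_delta(old_name: str, new_name: str, new_aces: List[str],
                 acls: Dict[str, List[str]] = ARCHIVE_ACLS,
                 uses: List[Use] = ARCHIVE_USES) -> List[str]:
    """IOS commands that move the device from the archived ACL to the edited one."""
    old_aces = acls.get(old_name, [])
    if old_name == new_name and old_aces == new_aces:
        return []                                   # nothing changed: empty delta
    delta: List[str] = []
    if old_name == new_name:
        # Same-name rewrite: the list must be cleared and re-entered in full.
        # Caveat: between these commands the ACL is undefined, and an interface or
        # line that references a nonexistent ACL applies no filtering until it is back.
        delta += remove_acl(old_name)
        delta += define_acl(new_name, new_aces)
        return delta
    # Rename: define the new list first, repoint every tracked use of any purpose,
    # then remove the old list last, so no reference ever points at a missing ACL.
    delta += define_acl(new_name, new_aces)
    for use in uses:
        if use[3] == old_name:
            delta += render_use(use, new_name)
    delta += remove_acl(old_name)
    return delta


if __name__ == "__main__":
    print("\n".join(config_delta("10", "20", ARCHIVE_ACLS["10"])))
    print("\n".join(render_use(wizard_use("packet filtering", "101", "Ethernet0"), "101")))
```

Renaming ACL `10` to `20` yields the new numbered list, the repointed `access-class` under `line vty 0 4`, the repointed global `snmp-server community` line, and finally `no access-list 10`. The same-name branch is the one to review carefully in a download: it is the only path in which the device briefly has no ACL under that name.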

ACL Manager Privilege Levels

ACL Manager incorporates the privilege levels defined by Essentials:
Level  Directory  Description
0      HD         Help Desk
1      AP         Approver
2      NO         Network Operator
4      NA         Network Administrator
8      SA         System Administrator

ACL Manager tasks require various privilege levels, and your ability to perform these tasks depends on your assigned privilege level. You should contact your system administrator to find out your privilege level and which tasks you can access.

ACL Manager tasks are usually performed with network operator or network administrator privileges. You can view the tasks that can be performed at each level by going to the Essentials navigation tree and selecting CiscoWorks2000 Server > Setup > Security > Permission Reports.

Network Operator Tasks

Users with network operator privileges can perform the following tasks from ACL Management:

Network Administrator Tasks

In addition to all the tasks that are available to a network operator, users with network administrator privileges can perform the following tasks from ACL Management:

Users with network administrator privileges can also perform the following tasks from Administration > ACL Management:

ACL Manager Requirements

Check the following requirements before using the Client Application Manager (CAM) to install ACL Manager on your local machine. (Refer to your installation instructions for complete ACL Manager system requirements.)

Installing On Windows NT

The client system must:

The Java Virtual Machine (2424) that comes with Internet Explorer 4.01 is not Y2K-compliant. To make Internet Explorer 4.01 Y2K-compliant, you should download one of the following Java Virtual Machines from www.microsoft.com: 1520, 2436, 3165, or 3167.

Installing On Solaris

The client system must:

Posted: Fri Sep 29 08:26:14 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.