Open for Voting
over 2 years ago

Access Control List Management Features

Enhancement to Configuration Manager that has a workflow something like this: Create ACL {For which group? - choose location, device, etc.} -> Type of ACL {Wizard or create from template} -> Associate ACL {Which object to apply ACL to? - pick from vty, interface, etc.} -> Networks {choose networks and hosts - permit, deny} -> Finalize {Show / Evaluate / Apply}. Review {Ability to DIFF/analyze these ACLs} and evaluate filters, ability to execute inline edits, redistribute while in editing tool. Ability to optimize for performance based upon hits.

  • You have my attention with this. 1) what’s the cost? 2) can I try it out without totally messing up my snippets and current NCM?

    Thanks!

  • Hi

    Glad to hear this.

    1)

    FSM is licensed by number of "devices" that you import into the FSM inventory. Typically, you would import all firewalls (that FSM supports) and routers involved in security (that have NAT, ACL.. statements in their configs).

    Note that the Packet Tracer feature looks at the routing tables of all routers that are on the path that you want to test. So those intermediary routers need to be imported as well, if you plan to use this feature.

    As far as the price, you can go to the OnLine Quote page here, to see the price per "device" (as defined above)

    2)

    Yes, absolutely. 95% of what FSM does is read-only from your NCM db (to get the configs). So absolutely safe.

    The remaining 5% is script execution, which does not impact the NCM DB or snippets.

    It's like if you pasted a script in NCM's script window and executed it against a device. Nothing more. No impact on DB and/or snippets.

  • So I looked at this and it seems really kludgy. The optimizer is cool, but managing ACLs with it just seems cumbersome. It doesn't feel integrated or like it has a good workflow. It's definitely firewall-focused as well, and that is something we just don't need at the moment. Maybe after you guys SWize it, it will be better.

  • I'll ping you off line, Jessica.