Open for Voting

Access Control List Management Features

Enhancement to Configuration Manager that has a workflow something like this: Create ACL {For which group? - choose location, device, etc.} -> Type of ACL {Wizard or create from template} -> Associate ACL {Which object to apply the ACL to? - pick from vty, interface, etc.} -> Networks {choose networks and hosts - permit, deny} -> Finalize {Show / Evaluate / Apply}. Review {Ability to DIFF/analyze these ACLs} and evaluate filters, ability to execute inline edits, redistribute while in the editing tool, ability to optimize for performance based upon hits.

  • FormerMember in reply to EBeach

    Hi EBeach..

    I tried to use the Custom ACL update.ncm-template and it returned with errors. Could you please help with this?

    Config Change Template Errors: Custom ACL update

    This config change template cannot be executed because of the following errors:

    An error occurred during script parsing. Position: Line 169, Character 38 Error message: no viable alternative at character '"' Please check script syntax.

    Thanks,
    Mahesh Chindarkar
  • I completely agree with you JustinY.  I have no need or justification for FSM (as it can't manage my firewalls anyway), but definitely feel that ACL management should be a subset of an application called Network Configuration Manager.  Especially since the data is being pulled from the NCM database (Now Orion Core) device configuration files.  It is like an add-on for an add-on.  Sure seems like there should be an out-of-the-box "ACL" compliance report that could be applied by device type, ip range, or group membership.  This is a compliance feature, not a Firewall Management function.

  • Honestly I think FWSM is a crock.  That whole product is just a select set of features that should have just been put in NCM.  Compliance Reports anyone?  From NCM or FWSM?  They should just combine the products/teams and get to work on making NCM better.

    I use the same ACL between many devices, so I would LOVE to have one place to edit the ACL and have NCM make sure that ACL matches on every device it's deployed to.  Service Templates.

  • FormerMember in reply to wsniegowski

    You can trick compliance rules like this:

    ip access-list extended some-acl-name\r
    permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.0.0.255\r
    deny    ip 192.168.0.0 0.0.255.255 any\r
    permit ip any any\r


    Shockingly, that will work and makes rules more readable.  When you hit the return character in the rule, NCM reads it as a \n.


    Also, you need to escape dots, i.e. \., as a dot is any character and that wouldn't be a specific regex; it would be a good enough regex if the device only allows IPs.
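The two points in the reply above, a multi-line ACL rule and why dots must be escaped, shown as an added Python example that is not SolarWinds code and not part of the thread; it only assumes, as the poster says, that the compliance rule is a regex run against the device's config text (the device hostname and config lines are constructed sample data).

```python
import re

# Constructed sample: the ACL block the rule should require, one statement
# per line, exactly as it would be typed into the rule editor.
REQUIRED_ACL = [
    "ip access-list extended some-acl-name",
    "permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.0.0.255",
    "deny    ip 192.168.0.0 0.0.255.255 any",
    "permit ip any any",
]

# Constructed device configs: the second one is missing the deny line.
COMPLIANT_CONFIG = (
    "hostname edge-rtr-01\r\n!\r\n"
    "ip access-list extended some-acl-name\r\n"
    " permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.0.0.255\r\n"
    " deny   ip 192.168.0.0 0.0.255.255 any\r\n"
    " permit ip any any\r\n!\r\n"
)
NONCOMPLIANT_CONFIG = COMPLIANT_CONFIG.replace(
    " deny   ip 192.168.0.0 0.0.255.255 any\r\n", "")


def build_rule(lines):
    """Turn the required ACL lines into one regex.

    Every token is passed through re.escape so each '.' in an address
    matches a literal dot; whitespace between tokens becomes \\s+ because
    devices pad keywords like 'deny'.  Lines are joined with '\\r?\\n\\s*'
    so the rule spans line breaks the way the reply describes.
    """
    parts = [r"\s+".join(re.escape(tok) for tok in line.split())
             for line in lines]
    return r"\r?\n\s*".join(parts)


def is_compliant(config, required=REQUIRED_ACL):
    """True when the whole ACL block, in order, appears in the config."""
    return re.search(build_rule(required), config) is not None


def unescaped_dot_false_positive():
    """Demonstrate the dot point: '10.0.0.0' used raw as a regex also
    matches text that is not that address; the escaped form does not."""
    raw = "10.0.0.0"  # here '.' means 'any single character'
    bogus = "10x0y0z0"
    return (re.fullmatch(raw, bogus) is not None,
            re.fullmatch(re.escape(raw), bogus) is not None)
```

`build_rule` accepts both `\r\n` and bare `\n` line endings, so the same rule matches whether the poster's `\r` survives or NCM turns it into `\n`.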