
Access Control List Management Features

Enhancement to Configuration Manager that has a workflow something like this: Create ACL {For which group? - choose location, device, etc.} -> Type of ACL {Wizard or create from template} -> Associate ACL {Which object to apply ACL to? - pick from vty, interface, etc.} -> Networks {choose networks and hosts - permit, deny} -> Finalize {Show / Evaluate / Apply}. Review {Ability to DIFF/analyze these ACLs} and evaluate filters, ability to execute inline edits, redistribute while in editing tool. Ability to optimize for performance based upon hits.

Level 16

A feature like this can help take NCM to the next level. Vendor compatibility being the hard part I would think.

If there was ACL compare ability, such as we have multiple outside routers with "the same" ACL on all, it would help a lot.
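The DIFF/analyze step in the original request and the "ACL compare" ability asked for in this reply both boil down to the same thing: pull the same-named ACL out of several device configs, normalize it, and report where each device drifts from a reference. The script below is an added example and is not code from the thread, from NCM or from any SolarWinds product. The device names, the `OUTSIDE-IN` ACL and the config text are constructed sample data, and the parser only understands the plain Cisco IOS forms shown (`ip access-list standard|extended <name>` blocks and numbered `access-list <n> ...` lines); sequence numbers, extra whitespace and `remark` lines are normalized away so that cosmetic differences do not show up as drift.

```python
"""Compare one ACL across several router configs and report drift.

Added example, not part of the original thread or of NCM/FSM. Handles
plain IOS named ACL blocks and numbered access-list lines only.
"""
import re
from collections import OrderedDict

NAMED_HDR = re.compile(r"^ip access-list (?:standard|extended) (\S+)\s*$")
NUMBERED = re.compile(r"^access-list (\d+) (.+)$")
SEQ_PREFIX = re.compile(r"^\d+ ")  # optional leading sequence number


def normalize_ace(line):
    """Collapse whitespace and drop a leading sequence number such as '10 '."""
    ace = " ".join(line.split())
    return SEQ_PREFIX.sub("", ace, count=1)


def parse_acls(config_text):
    """Return {acl name or number: [normalized ACE, ...]} in config order."""
    acls = OrderedDict()
    current = None  # name of the named ACL block we are inside, if any
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        m = NAMED_HDR.match(raw)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = NUMBERED.match(raw)
        if m:
            acls.setdefault(m.group(1), []).append(normalize_ace(m.group(2)))
            current = None
            continue
        if current is not None and raw[:1].isspace():
            ace = normalize_ace(raw)
            if not ace.startswith("remark"):  # remarks are not filter entries
                acls[current].append(ace)
            continue
        current = None  # any other top-level line ends a named ACL block
    return acls


def compare_acls(configs, acl_name, reference_device):
    """Diff acl_name on every device against the copy on reference_device.

    For each other device, reports ACEs missing from it, ACEs it has that the
    reference lacks, and whether the entries common to both appear in a
    different order (order matters: ACLs are first-match)."""
    parsed = {dev: parse_acls(text).get(acl_name, []) for dev, text in configs.items()}
    ref = parsed[reference_device]
    ref_set = set(ref)
    report = {}
    for dev, aces in parsed.items():
        if dev == reference_device:
            continue
        dev_set = set(aces)
        report[dev] = {
            "missing": [a for a in ref if a not in dev_set],
            "extra": [a for a in aces if a not in ref_set],
            "reordered": [a for a in ref if a in dev_set] != [a for a in aces if a in ref_set],
        }
    return report


# Constructed sample configs for three "outside" routers. rtr2 is the same ACL
# written with sequence numbers and sloppy spacing; rtr3 has real drift.
SAMPLE_CONFIGS = {
    "rtr1": """hostname rtr1
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 80
 permit udp any host 203.0.113.20 eq 53
 deny ip any any log
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
""",
    "rtr2": """hostname rtr2
ip access-list extended OUTSIDE-IN
 remark edge filter, managed centrally
 10 permit tcp any host 203.0.113.10 eq 443
 20 permit  tcp any host 203.0.113.10 eq 80
 30 permit udp any host 203.0.113.20 eq 53
 40 deny ip any any log
""",
    "rtr3": """hostname rtr3
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 22
 deny ip any any log
""",
}

if __name__ == "__main__":
    for dev, result in compare_acls(SAMPLE_CONFIGS, "OUTSIDE-IN", "rtr1").items():
        print(dev, result)
```

Run against the sample data, rtr2 reports no drift at all, while rtr3 is flagged as missing the DNS entry, carrying an extra port-22 entry, and having its two HTTP/HTTPS entries swapped. Treating the reference device's copy as the intended state is a choice for the example; in a real deployment the reference would be the approved template in the config manager, and the report is what an approval or change-review step would surface before the next push.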

Level 11

I would dearly love to see this. Right now we're using snippets for ACLs and you can't create a historical log of who did what.

Level 15

We just introduced a new product which covers this need: FSM, Firewall Security Manager, more here

Level 11

You have my attention with this. 1) what’s the cost? 2) can I try it out without totally messing up my snippets and current NCM?


Level 15


Glad to hear this.


FSM is licensed by number of "devices" that you import into the FSM inventory. Typically, you would import all firewalls (that FSM supports) and routers involved in security (that have NAT, ACL, etc. statements in their configs).

Note that the Packet Tracer feature looks at routing tables of all routers that are on the path that you want to test. So those intermediary routers need to be imported as well, if you plan to use this feature.

As far as the price, you can go to the OnLine Quote page here to see the price per "device" (as defined above).


Yes, absolutely. 95% of what FSM does is read-only from your NCM DB (to get the configs). So absolutely safe.

The remaining 5% is script execution, which does not impact the NCM DB or snippets.

It's like if you pasted a script in NCM's script window and executed it against a device. Nothing more. No impact on DB and/or snippets.

Level 11

So I looked at this and it seems really kludgy. The optimizer is cool, but managing ACLs with it just seems cumbersome. It doesn't feel integrated or like it has a good workflow. It's definitely firewall-focused as well, and that is something we just don't need at the moment. Maybe after you guys SWize it, it will be better.

Level 11

I would also like to see NCM be able to write to the Event logs with a description that you could input each time you pushed out a snippet. That would help track business reasons for changes.

Level 15

I'll ping you offline, Jessica.

Level 11

Less robust option, but if I could upload a repository of snippets (basically text files) into a template or basic script, then I could execute them from the web and possibly get a log of notes for the changes. I don't think NCM will do this now.

Level 18


Thank you for the ideas. They are very helpful for us to understand the use cases. I'll follow up with you offline.