18 Replies Latest reply on Aug 29, 2012 6:38 PM by fcaron

    Cisco ACL Manager

    dclick

      I'm probably in the wrong place, but I don't use Orion. I am looking for a tool that will help manage ACLs on Cisco firewalls and routers.  Does SolarWinds have a product that can do that?

        • Re: Cisco ACL Manager

          Hi dclick - we currently have some tools that will automate downloading and uploading configs (Toolset for Cisco only, NCM for a boatload of other device types), but nothing that does ACL creation or analysis.  Of course, you could use NCM's Policy Report to look for holes or ensure a certain ruleset was present.

          We have often thought about adding some ACL functionality to the Toolset; what kinds of operations / interactions were you looking to do?

          --Greg

            • Re: Cisco ACL Manager
              dclick

              Simple management, error checking (you need an OUT for every IN, and vice versa), things like that.


              I have some ACLs that have 200 entries - it gets to be a bear when using Notepad or the Toolset viewer, and there isn't an easy way to isolate just the ACL you want to work on.

              • Re: Cisco ACL Manager

                Hi Greg:

                I'm about to purchase NCM and would be very curious to know what your plans are for an ACL tool.  Currently, we are developing some automation using HP Opsware for rolling ACLs.  It would be nice if SolarWinds had a full-fledged tool to create and implement ACLs.  I'm happy to supply more details if needed.

                -Matt

              • Re: Cisco ACL Manager
                KittCarson

                We are also interested in ACL management as a more modular component within NCM.  The features we are interested in are:

                1. Ability to manage routers, L3 switches, PIX firewalls and ASAs  (which NCM does nicely)

                2. Ability to modularize portions of rules - for instance, specific rules for, say, test networks or guest wireless.

                    A.  Modular in that you can save the snippets for later use, as components independent of the overall config: as ACEs in a list.

                    B.  Then combine your ACE lists in the order you want them evaluated, with the capability of remarks in between each ACE section.

                    C.  The new management tool/system needs to be integrated with the Configuration Management product even if we need a client.   We need to do everything from the Orion web interface.

                3. Integration with our NCM system.  We are critical infrastructure also.  This is a requirement.

                Thanks.  I think you guys are uniquely positioned to accomplish this sort of capability.

                  • Re: Cisco ACL Manager
                    networkguy09

                    I've been looking everywhere for an ACL manager and haven't had any luck. What I am looking for is something that would simplify mass editing of our access lists. For example, let's say I have 100 locations with various access lists at each, adding up to 1,000 lines of code. Each location is the same, but different, meaning its access list name is different and its subnets are different, but each rule is the same (i.e. allow "main server" to communicate to "mail server"). Today when we add, remove, or modify rules we have to go out and edit every single access list in Notepad. This is very time consuming, as you might imagine. It would be wonderful to be able to edit one "template" and have it adjust the other access lists accordingly, then deploy with NCM. I suppose if it was that simple, everyone would have this functionality, especially Cisco.

                      • Re: Cisco ACL Manager
                        pyro13g

                        Why do you edit in notepad for routers?  Is your IOS really old?

                          • Re: Cisco ACL Manager
                            mavturner

                            networkguy09,

                            This is definitely something we hear. We are considering addressing this use case in NCM or providing a tool in Toolset. As you are aware, we don't currently have any solution for this.

                            Just out of curiosity, when you make these changes, do all of your ACLs have the same name? If so, it may be possible to have NCM config templates help you with this.

                            Mav

                              • Re: Cisco ACL Manager
                                networkguy09

                                Why do you edit in notepad for routers?  Is your IOS really old?

                                That's how we do things. I'm only a few years out of college with little experience of how other companies do things. Is there a better way? We're currently on the 124-15 train. My colleagues have been doing it this way for years and all of them have been in IT for decades, so I haven't questioned their method much.

                                Just out of curiosity, when you make these changes, do all of your ACLs have the same name? If so, it may be possible to have NCM config templates help you with this.

                                Mav

                                Our access lists have different names. For example, we use the sub-interface name, like GigabitEthernet0/1.101. Each access list has a different number.

                                  • Re: Cisco ACL Manager
                                    KittCarson

                                    Ours are identical content at the top.  Then, at the bottom they have a custom section for the fields that could be variables, such as local IP addresses in a WAN or some custom need.

                                    For instance,

                                    ip access-list extended Development Segment
                                     remark ### Be sure to update all replica ACLs!
                                     remark ### DHCP-BOOTP
                                     permit udp any host 255.255.255.255 eq bootps
                                     permit udp host 0.0.0.0 host 255.255.255.255
                                     remark ### Private Addresses deny
                                     deny   ip 192.168.0.0 0.0.255.255 any
                                     deny   ip 172.16.0.0 0.15.255.255 any
                                     remark ### Remote File Servers
                                     permit ip any host X.X.X.X
                                     permit ip any host X.X.X.X
                                     remark ### Custom
                                     permit ip any X.X.X.X 0.0.0.255

                                    All the ACLs have the same names.  But they are modular in design, so we would like a system that can apply them with the special section through merging or some other system.  Right now it is two passes.  They are 100 - 125 lines.  These are usually on layer 3 switches or routers.

                                    The ASA is a bit more complex.  We certainly want to leverage object groups.  The problem is the same though.
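                                    As an added illustration (not code from the thread or from SolarWinds) of the "one template, many sites" workflow networkguy09 asks for and the shared-top / custom-bottom merge KittCarson describes, the script below renders one IOS ACL per site from a common ACE list plus a site-specific tail and sanity-checks the result before it would be handed to NCM. The ACE lines and site records are constructed sample data modelled on the post above; the placeholder names ($file_server, $local_net, $local_wildcard) are assumptions.

```python
"""Render per-site IOS ACLs from one shared template plus a site-specific
custom section, then sanity-check the result before deployment."""
from string import Template

# Shared section every replica ACL starts with (constructed sample modelled
# on the post above; $name placeholders are filled per site).
COMMON_ACES = [
    "remark ### Be sure to update all replica ACLs!",
    "remark ### DHCP-BOOTP",
    "permit udp any host 255.255.255.255 eq bootps",
    "permit udp host 0.0.0.0 host 255.255.255.255",
    "remark ### Private Addresses deny",
    "deny   ip 192.168.0.0 0.0.255.255 any",
    "deny   ip 172.16.0.0 0.15.255.255 any",
    "remark ### Remote File Servers",
    "permit ip any host $file_server",
]
# Site-specific tail, appended after the shared section (the "Custom" part).
CUSTOM_ACES = [
    "remark ### Custom",
    "permit ip any $local_net $local_wildcard",
]
# Constructed site records; in practice these would come from an inventory.
SITES = {
    "branch01": {"acl_name": "DevSegment", "file_server": "10.0.0.5",
                 "local_net": "10.1.1.0", "local_wildcard": "0.0.0.255"},
    "branch02": {"acl_name": "DevSegment", "file_server": "10.0.0.5",
                 "local_net": "10.1.2.0", "local_wildcard": "0.0.0.255"},
}

def render_acl(site):
    """Return the full 'ip access-list extended' stanza for one site."""
    if " " in site["acl_name"]:
        raise ValueError("IOS ACL names are a single token; no spaces allowed")
    # Template.substitute raises KeyError when a site record lacks a variable,
    # so a half-filled ACL is never produced for that site.
    body = [Template(ace).substitute(site) for ace in COMMON_ACES + CUSTOM_ACES]
    return "\n".join([f"ip access-list extended {site['acl_name']}"]
                     + [" " + ace for ace in body])

def render_all(sites=SITES):
    """Render every site; returns {site_id: config_text}."""
    return {site_id: render_acl(rec) for site_id, rec in sites.items()}

def check_acl(text):
    """Reject leftover placeholders and lines that are not ACEs or remarks."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("ip access-list extended "):
        return False
    verbs = ("permit ", "deny ", "remark ")
    return all(l.strip().startswith(verbs) and "$" not in l for l in lines[1:])
```

                                    The rendered text for each site is what a snippet or config template in NCM would push; the checks catch an incomplete site record or a stray variable before anything reaches a device.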

                                • Re: Cisco ACL Manager
                                  networkguy09

                                  Why do you edit in notepad for routers?  Is your IOS really old?

                                  I am interested to know what the better solution is.

                            • Re: Cisco ACL Manager
                              JessicaWalsh

                              Hello.

                              Did you ever get an answer/solution for this? I have NCM 7 and we currently manage our ACLs with snippets. However, we have to manually choose the devices every time we apply a change. I am trying to find a way to migrate the snippets into the web-based portion of NCM.

                              • Re: Cisco ACL Manager
                                dclick

                                I have, since making this post a few years back, become a SolarWinds user. I would still be interested in any ACL manager that is out there.

                                • Re: Cisco ACL Manager
                                  KittCarson

                                  I posted an idea for a feature request that I sincerely hope encapsulates everyone's many enquiries over the last three or four years for a comprehensive solution.  It is certainly in SolarWinds' best interest to optimize their configuration management, log management, and policy features by providing an ACL editing and management module.  Please check it out and vote in the NCM Ideas area.
