Manage ACLs on Cisco ASA and Nexus devices
Use NCM to help you manage the access control lists (ACLs) for your Cisco ASA and Cisco Nexus devices. Find rules that are not being applied as intended, and identify unnecessary or redundant rules that can be removed. Streamlining ACLs makes them easier to manage and saves CPU and memory on your devices.
- Display the ACLs on a device.
- Compare ACLs on the same device or different devices.
- Display the rules in an ACL.
- Identify rules that have not been applied.
- Investigate overlapping rules in an ACL.
- Display information about objects or object groups in a rule.
Display the access control lists on a device
Before you can complete other management tasks, you must display a list of the ACLs on a device.
- Choose My Dashboards > Network Configuration > Configuration Management.
- Double-click the name of a Cisco ASA or Cisco Nexus device. The Node Details page opens.
- From the menu on the left, choose Access Lists. The Access Lists page lists the ACLs configured for that device. If an ACL has changed, click the arrow next to it to display a list of previous versions.

A warning icon next to an ACL indicates that it contains overlapping rules. Display the ACL rules to find out which rules overlap.
Compare ACLs
Use NCM to quickly locate the differences between ACLs or ACL versions. For example, you can compare two versions of the same ACL to determine what changed, or to verify that changes were implemented correctly. You can compare ACLs on different nodes to verify that the same rules are being applied on both devices.
Compare ACLs on the same device
- Display the list of ACLs on a device.
- Select the ACLs or ACL versions to compare. To compare the current version with a previous version, expand the ACL entry to list its previous versions.
- At the top of the page, click Compare ACL. The rules from both ACLs are displayed side by side, and the line numbers of rules that differ are highlighted.
Compare ACLs on different devices
To compare ACLs on different devices, first select two ACLs on the same device, and then change one of the ACLs being compared.
- Display the list of ACLs on a device.
- Select the ACL that you want to compare, and any other ACL on that node. (You will change the second selection in a later step.)
- At the top of the page, click Compare ACL. The rules from both ACLs are displayed side by side, and the line numbers of rules that differ are highlighted.
- Change the second ACL to an ACL on a different device:
  - Near the top of the page, click Change ACLs Compared.
  - Select the node, interface, name, and version of the ACL you want to compare.
  - Click Change.
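When you compare the same ACL across two firewalls outside NCM, the raw `show access-list` output differs on every line because line numbers, hit counts and per-entry hashes are device-specific. The following script, added here as an illustration and not part of NCM or of this page, normalizes two constructed captures of Cisco ASA `show access-list` output (the ACL name, addresses and counts are invented) so that only genuine rule differences remain, and reports both the ordered diff and the set of rules present on one device but not the other.

```python
import difflib
import re

# Constructed samples: one ACL as captured from two firewalls (invented data).
ACL_FW1 = """\
access-list OUTSIDE_IN line 1 extended permit tcp any host 192.0.2.10 eq 443 (hitcnt=1532) 0x1a2b3c4d
access-list OUTSIDE_IN line 2 extended deny ip 198.51.100.0 255.255.255.0 any (hitcnt=87) 0x2b3c4d5e
access-list OUTSIDE_IN line 3 extended permit udp any host 192.0.2.53 eq 53 (hitcnt=912) 0x4d5e6f70
"""
ACL_FW2 = """\
access-list OUTSIDE_IN line 1 extended permit tcp any host 192.0.2.10 eq 443 (hitcnt=3) 0x1a2b3c4d
access-list OUTSIDE_IN line 2 extended permit udp any host 192.0.2.53 eq 53 (hitcnt=40) 0x4d5e6f70
access-list OUTSIDE_IN line 3 extended permit tcp any host 192.0.2.10 eq 22 (hitcnt=0) 0x77777777
"""

# Device-specific noise that must not count as a difference:
# the line number, the hit counter and the trailing per-ACE hash.
NOISE = re.compile(r" line \d+| \(hitcnt=\d+\)| 0x[0-9a-f]+$")


def normalize(text):
    """Reduce each ACE to its rule semantics only."""
    return [NOISE.sub("", line.strip()) for line in text.splitlines() if line.strip()]


def acl_diff(a, b, label_a="fw1", label_b="fw2"):
    """Order-sensitive unified diff of the normalized rules (n=0: no context lines)."""
    return list(difflib.unified_diff(normalize(a), normalize(b), label_a, label_b,
                                     lineterm="", n=0))


def rule_changes(a, b):
    """Order-insensitive view: (rules only on a, rules only on b)."""
    set_a, set_b = set(normalize(a)), set(normalize(b))
    return sorted(set_a - set_b), sorted(set_b - set_a)


if __name__ == "__main__":
    print("\n".join(acl_diff(ACL_FW1, ACL_FW2)))
    removed, added = rule_changes(ACL_FW1, ACL_FW2)
    print("only on fw1:", removed)
    print("only on fw2:", added)
```

The unified diff preserves rule order, which matters because the first matching ACE wins; the set view answers the simpler question of which rules exist on one device only (here the deny for 198.51.100.0/24 is missing from the second firewall and an extra permit for port 22 was added). Hit counts are deliberately discarded for comparison purposes; they are examined separately when looking for unused rules.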
Display ACL rules
When you display ACL rules, also known as Access Control Entries (ACEs), SolarWinds NCM identifies overlapping rules, which might require additional investigation.
- Display the list of ACLs on a device.
- Click an ACL name. The rules (or ACEs) are listed on the Rules of This Access List page. The right column shows the number of hits, and a warning icon indicates that the rule overlaps another rule.

Use the search and filter options to find a specific rule quickly, or use filters to display all rules that meet certain criteria. Click Edit Filter Properties to change the options available for filtering.
Identify rules that have not been applied
- On the right side of each line, the ACL browser displays the hit count for the rule. The hit count is the number of times the rule has matched traffic since the device's counters were last reset (for example, after a reload), so a count of 0 over a short window does not by itself prove that a rule is unused. By default, rules are sorted by line number.
- To sort the list by hit count, click the down-arrow on the sort menu and choose Hit Count. Rules that have never been applied (0 hits) are at the top of the list.
Investigate overlapping rules
- Point to the warning icon that identifies a rule that overlaps another rule. A message describes the issue.
- Click Show the details. A dialog box lists the preceding rules that shadow the rule or make it redundant. Because the first matching rule wins, a rule is shadowed when an earlier rule with a different action covers all of its traffic (the later rule never matches, which can silently defeat a deny), and redundant when an earlier rule with the same action covers all of its traffic (the later rule can be removed without changing behavior).
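The two checks described under "Identify rules that have not been applied" and "Investigate overlapping rules" can be reproduced on raw device output to sanity-check what NCM reports. The following script is an added example, not NCM's code or anything from this page: it parses a constructed sample of Cisco ASA `show access-list` output (the ACL name, addresses and hit counts are invented), lists the ACEs with zero hits, and flags each ACE that an earlier ACE fully covers, classifying it as redundant (same action) or shadowed (different action). It handles only the `any`, `host`, address/mask and `eq` forms; object groups, port ranges and ICMP types are out of scope here.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of "show access-list" output on a Cisco ASA (invented data).
SAMPLE = """\
access-list OUTSIDE_IN line 1 extended permit tcp any host 192.0.2.10 eq 443 (hitcnt=1532) 0x1a2b3c4d
access-list OUTSIDE_IN line 2 extended deny ip 198.51.100.0 255.255.255.0 any (hitcnt=87) 0x2b3c4d5e
access-list OUTSIDE_IN line 3 extended permit tcp host 198.51.100.7 host 192.0.2.10 eq 443 (hitcnt=0) 0x3c4d5e6f
access-list OUTSIDE_IN line 4 extended permit udp any host 192.0.2.53 eq 53 (hitcnt=912) 0x4d5e6f70
access-list OUTSIDE_IN line 5 extended deny tcp host 203.0.113.9 host 192.0.2.10 eq 443 (hitcnt=0) 0x5e6f7081
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

LINE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<body>.+?) \(hitcnt=(?P<hits>\d+)\)"
)


@dataclass
class Ace:
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[str]
    dst: ipaddress.IPv4Network
    dport: Optional[str]
    hits: int


def _parse_addr(tok, i):
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_port(tok, i):
    """Consume an optional 'eq <port>'; the port is kept as text (443 or www)."""
    if i < len(tok) and tok[i] == "eq":
        return tok[i + 1], i + 2
    return None, i


def parse_show_access_list(text):
    aces = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # summary lines, remarks and object-group expansions are skipped
        tok = m["body"].split()
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        aces.append(Ace(int(m["line"]), action, proto, src, sport, dst, dport, int(m["hits"])))
    return aces


def covers(a, b):
    """True if every packet that matches ACE b would also match ACE a."""
    return (
        a.proto in ("ip", b.proto)
        and b.src.subnet_of(a.src)
        and b.dst.subnet_of(a.dst)
        and a.sport in (None, b.sport)
        and a.dport in (None, b.dport)
    )


def find_overlaps(aces):
    """Map line -> (kind, covering line) for each ACE hidden by an earlier ACE."""
    result = {}
    for idx, ace in enumerate(aces):
        for earlier in aces[:idx]:          # first match wins, so only earlier ACEs matter
            if covers(earlier, ace):
                kind = "redundant" if earlier.action == ace.action else "shadowed"
                result[ace.line] = (kind, earlier.line)
                break
    return result


def zero_hit_lines(aces):
    return sorted(a.line for a in aces if a.hits == 0)


if __name__ == "__main__":
    aces = parse_show_access_list(SAMPLE)
    print("zero-hit lines:", zero_hit_lines(aces))
    for line, (kind, by) in find_overlaps(aces).items():
        print(f"line {line} is {kind}: fully covered by line {by}")
```

In the sample, line 3 is redundant (line 1 already permits that traffic) and line 5 is shadowed (the deny can never match because line 1 permits first), and both show zero hits, which is exactly the correlation the hit-count sort is meant to surface. Ports are compared as text, so `443` and `https` would not be treated as equal; NCM's object and object-group awareness goes beyond this check.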
Display information about objects or object groups
- If an object or object group is listed as the source or destination of a rule, click the name of the object or object group. Information about the current version of the object or object group is shown on the right.
- To view information about a previous version of the object or object group, select a version from the drop-down menu.
- To compare another version to the currently selected version, click Compare Diff and select the version.