Question about managing Cisco switch ACLs

I'm working with cisco switches (4000 series) that have extensive ACLs with hundreds of entries to limit traffic between various servers. Every time servers need to connect to each other via a new port, it means modifying the ACL in notepad, then pasting the modified ACL to the switches. If there are several servers that need the same change, then it's copy-paste-copy-paste with the various servers' IP addresses into the modified ACL.

I'm wondering, does Cisco (or any other company) have a GUI tool that can modify and publish ACL changes to multiple switches? I'm thinking of something that might allow grouping servers that need identical ACLs together, then modifying a single ACL to apply to the group. It doesn't matter if the tool has to generate separate ACL lines for each server; I'm looking for something that simplifies management.


There are for sure some tools out there. Never looked really.


formatting link

One possible solution that is not exactly obvious is that the Checkpoint Firewall 1 management tool is (in my view) really fabulous and claims Cisco ACL support. It is kind of costly (no idea how much exactly but thousands) and I have no idea if it actually works on Cisco. You can get free one month evaluation software from your friendly checkpoint distributor. "SmartCentre" is the bit you need. It works for 15 days from installation then you can get a one month Evaluation license. Would be a bit of a learning curve if you hadn't used it before.

It *far* outclasses any other Firewall GUI I have seen. Pure magic. You edit offline then apply changes to the boxes. Can do versions, backups .........

In essence you define firewalls, hosts, networks, ports. Put them in arbitrarily deep hierarchical named groups. Create rules using any of the previous elements, including stating which firewalls the rules apply to.

Please let us know how it goes whatever you do.


Checkpoint Smart Center might work for me, since I'm in a Checkpoint shop. I've used it before and know that it's "supposed" to work with Cisco, but haven't actually used it for that purpose.


You might take a look at ACL object groups...that might ease the pain a bit. :-)
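The generator below is an added example, not code from the thread or from any vendor tool. It sketches the two approaches raised so far: the expanded per-host ACL that the original poster is pasting by hand (one permit for every source, destination and port combination), and the object-group form suggested in the reply above. Group names, addresses, ports and the ACL name are all constructed sample data; the script only emits IOS configuration text and never talks to a switch.

```python
"""Render Cisco IOS access-list text from host groups and group-to-group rules.

Added example for the thread above (not from the original posts). Two
renderings of the same policy: a flat extended ACL with one permit per
(src, dst, port) combination, and the object-group form. All hosts,
groups, ports and names are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address
from itertools import product


@dataclass(frozen=True)
class Rule:
    name: str                         # used for remarks and object-group names
    src_group: str
    dst_group: str
    ports: list[tuple[str, int]]      # (protocol, destination port)


# Constructed sample inventory: group name -> list of host addresses.
GROUPS = {
    "WEB": ["10.1.1.10", "10.1.1.11", "10.1.1.12"],
    "DB": ["10.1.2.20", "10.1.2.21"],
    "MON": ["10.1.9.5"],
}

# Constructed sample policy: which groups may talk to which, on which ports.
RULES = [
    Rule("WEB-TO-DB", "WEB", "DB", [("tcp", 3306)]),
    Rule("MON-TO-WEB", "MON", "WEB", [("tcp", 22), ("udp", 161)]),
]


def validate(groups: dict[str, list[str]], rules: list[Rule]) -> None:
    """Fail early on typos: every host must parse as an IP and every
    rule must name groups that exist. A bad address pasted into a
    switch silently becomes a hole or a denial of service."""
    for hosts in groups.values():
        for h in hosts:
            ip_address(h)             # raises ValueError on malformed input
    for r in rules:
        for g in (r.src_group, r.dst_group):
            if g not in groups:
                raise KeyError(f"rule {r.name} references unknown group {g}")


def expanded_acl(acl_name: str, groups: dict[str, list[str]], rules: list[Rule]) -> list[str]:
    """Flat form: one permit line per host pair and port. Size grows as
    len(src) * len(dst) * len(ports) per rule, which is the "huge ACL"
    problem mentioned later in the thread."""
    validate(groups, rules)
    lines = [f"ip access-list extended {acl_name}"]
    for r in rules:
        lines.append(f" remark {r.name}")
        for src, dst in product(groups[r.src_group], groups[r.dst_group]):
            for proto, port in r.ports:
                lines.append(f" permit {proto} host {src} host {dst} eq {port}")
    lines.append(" deny ip any any log")   # explicit, logged default deny
    return lines


def object_group_acl(acl_name: str, groups: dict[str, list[str]], rules: list[Rule]) -> list[str]:
    """Object-group form: one permit per rule, hosts live in network
    object-groups and ports in service object-groups. Adding a server
    then means adding one 'host' line to its group, not editing the ACL.
    Requires an IOS release and platform that support ACL object groups."""
    validate(groups, rules)
    lines: list[str] = []
    for gname, hosts in groups.items():
        lines.append(f"object-group network {gname}")
        lines.extend(f" host {h}" for h in hosts)
    for r in rules:
        lines.append(f"object-group service {r.name}-PORTS")
        lines.extend(f" {proto} eq {port}" for proto, port in r.ports)
    lines.append(f"ip access-list extended {acl_name}")
    for r in rules:
        lines.append(
            f" permit object-group {r.name}-PORTS"
            f" object-group {r.src_group} object-group {r.dst_group}"
        )
    lines.append(" deny ip any any log")
    return lines


if __name__ == "__main__":
    print("\n".join(expanded_acl("SERVER-FILTER", GROUPS, RULES)))
    print("!")
    print("\n".join(object_group_acl("SERVER-FILTER", GROUPS, RULES)))
```

Two cautions when pushing output like this to a switch. On IOS, pasting `ip access-list extended NAME` into configuration mode appends to an existing list of that name rather than replacing it, so generate under a fresh name (or a version suffix), bind it to the interface, and only then remove the old list; deleting a list that is still applied to an interface leaves that interface with no ACL, which permits everything until the new one is bound. Whether object-group ACLs are available, and whether they are processed in hardware, depends on the platform and IOS release, so check that before relying on the second form.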


Nor me - but it looks like it might be handy. No idea about support for reflexive ACLs or other bells and whistles, but it seems unlikely that the basic stuff would not work. Might do something hopeless such as generating huge ACLs that don't fit in the config file, but I would be surprised if it was not pretty decent.

hmmm - don't think that the 4500 does reflexive ACLs in hardware anyway. - forget.

Please post results if you get any.
