Best way of managing many ACLs on a FWSM?

cco1

Hi!

It seems that the most comfortable way of managing ACLs is to use the "configure net" command.

Is there perhaps an even better way to do this?

Unlike on a Cat6000, where I can use rsh to script commands, I always have to log in to the FWSM and use the specific commands. Is this right?

How do you manage large lists of ACLs on a FWSM?

Thanks.

Regards,

Marco

9 Replies

a12288

use object-group

Hi!

My problem is not that I have too many ACLs. My problem is that I have to log in manually to the FWSM and THEN type in the commands.

Can I do that completely remotely by creating a script on a Linux PC and using rsh/rcp or whatever to get all commands to the FWSM?

Thanks,

Marco

Anyone any idea?

Hello,

Actually you can tftp configuration changes up into the configuration using the copy command

conf t

copy tftp running-config

You can actually have it 'run' a script using no commands and other things.

Personally, for large ACLs, we briefly take the ACL off the interface (no access-list blah) and then copy the redefined access list up there using tftp, and then apply it to the interface. This is a little safer than editing a running ACL using tftp, and it also makes sure we know exactly what's going to be in the configuration.

Also, it's helpful to be able to prepare ahead of time and review the entire ACL rather than just the commands you would be running.

--Jason

Please rate this message if it helped solve some or all of the issue/question.
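The staging step Jason describes (detach the ACL, delete it, define it again from a reviewed file, reattach it) as an added example that is not part of the original thread. It is a POSIX shell script that turns a plain rule file into the snippet you would drop in the TFTP root and pull in with "copy tftp running-config". The rule-file format, the ACL name OUTSIDE_IN, the interface name and the FWSM 2.x-style "access-list NAME permit|deny ..." syntax are assumptions; adjust them for your release. Because every line of the rule file becomes a command executed on the firewall, the script refuses anything that is not plain ACE vocabulary before emitting the snippet, and it writes the whole snippet to stdout so it can be diffed and reviewed before it goes anywhere near the box.

```shell
#!/bin/sh
# Added example, not code from the thread. Stage a replacement ACL as a
# config snippet for "copy tftp running-config".
#
# Assumptions (label: hypothetical, check against your FWSM release):
#   - rule file: one ACE per line, "permit|deny proto src dst [eq port]",
#     '#' comments and blank lines allowed, no "access-list NAME" prefix
#   - "no access-list NAME" removes the whole list (as the thread does)
#   - ACE syntax without the "extended" keyword (FWSM 2.x style)

# Strip comments and blank lines from the rule file.
rule_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Every rule line is executed verbatim on the firewall, so allow only
# ACE vocabulary: an action keyword followed by letters, digits, dots,
# slashes, dashes, underscores and spaces. Anything else (an injected
# "enable", a "no" command, a stray shell metacharacter) fails the run.
validate_rules() {
    # $1 = rule file; returns 1 if any non-comment line is not a plain ACE
    if rule_lines "$1" | grep -Eqv '^[[:space:]]*(permit|deny)[[:space:]][A-Za-z0-9._/ -]*$'; then
        return 1
    fi
    return 0
}

# Emit the snippet: detach the ACL, delete it, define the new entries,
# reattach it. Output goes to stdout so it can be reviewed and diffed
# against the previous snippet before it is placed in the TFTP root.
build_snippet() {
    # $1 = ACL name, $2 = interface name, $3 = rule file
    acl=$1; ifc=$2; rules=$3
    validate_rules "$rules" || { echo "refusing: non-ACE line in $rules" >&2; return 1; }
    printf 'no access-group %s in interface %s\n' "$acl" "$ifc"
    printf 'no access-list %s\n' "$acl"
    rule_lines "$rules" | while read -r line; do
        printf 'access-list %s %s\n' "$acl" "$line"
    done
    printf 'access-group %s in interface %s\n' "$acl" "$ifc"
}

# Usage: stage_acl.sh OUTSIDE_IN outside rules.txt > outside_in.cfg
#        diff outside_in.cfg.last outside_in.cfg   # review before copying
if [ "$#" -eq 3 ]; then
    build_snippet "$1" "$2" "$3"
fi
```

Two things worth knowing before using this. The "no access-list" step deletes the whole list, so the snippet must always carry the complete ACL, never a delta; that is exactly what makes review possible, since the file is the ACL. And on the FWSM an interface with no access-group applied denies traffic rather than permitting it, so the brief window between the "no access-group" and the final "access-group" line is a fail-closed outage for that interface, not an exposure; schedule it accordingly.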

Hi Jason!

In your posting you said I could run a script. But my problem is that I can't use rsh like on a router to get the commands to the FWSM.

What would a remote script (running on a Linux PC) look like?

Is there any documentation?

Thanks.

We use Expect (an extension to the Tcl scripting language) to create scripts to run commands on FWSMs and other Cisco boxes.

You can basically write a script which connects via ssh (or telnet if you really want), runs the commands you choose, and checks the results. It works very well.

I don't have any examples handy, but could dig them up if you want.

Thanks.

I also tried Expect and it works well.

Nevertheless, it would be a nice feature for the next release, to allow rsh/rcp since it works well on Cat6500 too.

Regards,

Marco

Marco,

You use SSH to the switch and "session slot" in your script to achieve the same result.
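The remote push that the last two replies describe (Expect over SSH to the switch, then "session slot" into the module) as an added example that is not part of the original thread. It is a shell wrapper around an Expect program: the Expect text is built by a function so it can be read, and tested, before anything talks to the network, then run with expect(1), which must be installed on the Linux host. The prompts, the "passwd:" login on session, the "copy tftp://SERVER/FILE running-config" syntax and the environment variable names are assumptions about an FWSM 2.x-era setup; adjust them for your release. Passwords are read from the environment, not written into the script or passed on a command line where ps could show them, and the script aborts on any error text from the firewall instead of blindly continuing.

```shell
#!/bin/sh
# Added example, not code from the thread. Push a staged ACL snippet to a
# FWSM from a Linux host without rsh: ssh to the Cat6500 supervisor, then
# "session slot N processor 1" into the module, then pull the snippet in.
#
# Assumptions (label: hypothetical, check against your gear):
#   - switch enable prompt ends in '#', FWSM session asks "passwd:",
#     FWSM user prompt ends in '>', enable prompt ends in '#'
#   - "copy tftp://SERVER/FILE running-config" runs without further prompts
#   - environment: SWITCH_HOST SWITCH_USER SWITCH_PASS FWSM_SLOT FWSM_PASS
#                  FWSM_ENABLE TFTP_SERVER SNIPPET

# The Expect program, emitted as text. The heredoc is quoted so that the
# shell leaves Expect's own $env(...) references alone; all parameters
# reach Expect through the environment rather than being interpolated.
build_expect_script() {
    cat <<'EOF'
set timeout 30
log_user 0
spawn ssh -l $env(SWITCH_USER) $env(SWITCH_HOST)
expect {
    -re {[Pp]assword:}  { send "$env(SWITCH_PASS)\r" }
    timeout             { puts stderr "no password prompt from switch"; exit 2 }
}
expect -re {#[ ]?$}
send "session slot $env(FWSM_SLOT) processor 1\r"
expect {
    -re {passwd:}       { send "$env(FWSM_PASS)\r" }
    timeout             { puts stderr "no FWSM login prompt"; exit 2 }
}
expect -re {>[ ]?$}
send "enable\r"
expect -re {[Pp]assword:}
send "$env(FWSM_ENABLE)\r"
expect -re {#[ ]?$}
send "configure terminal\r"
expect -re {#[ ]?$}
send "copy tftp://$env(TFTP_SERVER)/$env(SNIPPET) running-config\r"
expect {
    -re {ERROR|Invalid|rror opening|Timed out} {
        puts stderr "firewall rejected the snippet: $expect_out(0,string)"
        exit 3
    }
    -re {#[ ]?$} { }
    timeout { puts stderr "copy did not complete"; exit 4 }
}
send "exit\r"
expect -re {#[ ]?$}
send "exit\r"
expect eof
exit 0
EOF
}

# Run the program. Refuse to start with any credential or target missing,
# and write the Expect text to a private temp file rather than a pipe so a
# failed run leaves something to inspect.
push_config() {
    : "${SWITCH_HOST:?}" "${SWITCH_USER:?}" "${SWITCH_PASS:?}" "${FWSM_SLOT:?}"
    : "${FWSM_PASS:?}" "${FWSM_ENABLE:?}" "${TFTP_SERVER:?}" "${SNIPPET:?}"
    script=$(mktemp) || return 1
    chmod 600 "$script"
    build_expect_script > "$script"
    expect -f "$script"
    rc=$?
    rm -f "$script"
    return $rc
}

# Usage: SNIPPET=outside_in.cfg TFTP_SERVER=10.1.1.20 ... ./push_acl.sh push
if [ "$1" = "push" ]; then
    push_config
fi
```

Note what this does and does not protect. SSH covers the hop from the Linux host to the supervisor; the session into the module runs over the chassis backplane, so no telnet crosses the network. The credentials still sit in the process environment of the Linux host, which is fine for a jump host dedicated to this purpose and not fine on a shared box; there, prompt for them or pull them from a vault at run time. And the error match is only as good as the strings you put in it: after the first run, add whatever your release actually prints when it rejects a line.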

lowen

A somewhat related problem arises in multiple context mode. In many environments, it's likely that you would want to re-use certain elements like names and object-groups in many contexts.

Currently, when you need to edit a name or object-group that is common to many contexts, you have to manually edit it in each context. It would be great if you could define object-groups or "blocks" of names in the admin context or system space, and just use an "inherit" or "import" command to define these in other contexts. You would then just need to edit the master version in the admin context to make the change in all contexts. Of course, you would need a mechanism to "push" the changes and recompile the ACLs in the inheriting contexts.

I'm currently at about a dozen contexts (and growing fast), with some elements common to all contexts. It's beginning to reach a point where the lack of such a facility is a major annoyance. What is the proper avenue to make a feature request for something like this? Thanks.

Larry
