How to Manage ACLs
ACLs are the containers for the rules that govern network access through your routers. Traffic that arrives at a router port is either accepted or blocked according to the rules contained in an Access Control List (ACL). The ACL is examined from top to bottom, and the first rule that matches the packet determines its fate (dropped or forwarded); rules below the matching one are not consulted. If no rule matches, the packet is denied (the implicit deny at the end of every ACL). To change this behavior, add a rule that permits everything as the last rule in the ACL. Be aware that such a rule turns the ACL from default-deny into default-permit: anything you have not explicitly denied above it is forwarded.
Managing ACLs could involve one or more of the following tasks:
- Creating an ACL
- Copying an ACL
- Moving an ACL
- Translating ACLs
- Renaming an ACL
- Editing an ACL
- Deleting an ACL
- Creating an ACL Folder
Creating an ACL
Use these steps to create an ACL in the Cataloged ACLs folder:
- In the ACL Manager tab, open the ACL Editor by clicking its icon.
- In the left-panel tree, expand the Cataloged ACLs folder and select the folder where you want to create the ACL.
- Right-click on the folder and select Create ACL <ACL Type>.
- Type the name for your new ACL and click OK. ACL names must be alpha-numeric characters only and cannot include spaces.
The new ACL appears in the left-panel tree.
NOTE: When ACL Manager enforces an ACL to a device, the name of the ACL on the device may not be the same as it appears in ACL Manager. ACL Manager attempts to use the same name on the device whenever possible. However, in certain situations a different name will be used. Because of this, an ACL may have a different name on each device it is enforced to. A different name will be used in the following circumstances:
- If the ACL name is non-numeric and the device only supports numeric names, or if the name is otherwise invalid on the device.
- If the name is in the Standard ACL range (1-99) but the ACL is an extended ACL, or if the name is in the Extended ACL range (100-199) but it is a Standard ACL.
- If another ACL with the same name already exists on the device.
- If the same ACL already exists on the device but with a different name, then the existing ACL will be maintained rather than creating a new one.
- The same ACL may have a different name on the device each time it is enforced. If its rules have been changed, it is more efficient to update the device in a way that does not preserve the name.
- Select the Description tab in the right panel and type a description for the new ACL.
- Select your new ACL in the left panel and add rules.
Copying an ACL
Sometimes it's easier to start with an ACL that nearly matches your needs than to create a new one from scratch. In those situations, you can copy an ACL from one location and paste it to another, then redefine one or more of its rules to create a new ACL.
- In the ACL Manager tab, open the ACL Editor by clicking its icon.
- In the left-panel tree, expand the folders and select the ACL being copied.
- Right-click on the ACL and select Copy from the menu.
- Right-click on the destination folder (the Cataloged ACLs folder or sub-folder) and select Paste from the menu.
- Edit the ACL as needed.
Moving an ACL
You can move ACLs from one location to another within the Cataloged ACLs folder using drag-and-drop or cut-and-paste.
- In the ACL Manager tab, open the ACL Editor by clicking its icon.
- In the left-panel tree, expand the folders so that both the ACL being moved and its destination folder are visible, and select the ACL.
- Move the ACL to the destination folder (the Cataloged ACLs folder or sub-folder) using drag-and-drop or cut-and-paste.
Translating ACLs
ACL Manager lets you translate ACLs between the five supported ACL types (X-Series, N-Series 6.x, S/K/N 7.x+, XSR, and Common). When ACLs have been copied or cut, you can paste and translate them into a target location in the Cataloged ACLs folder as a different ACL type. When there is no direct translation from one type to another, the ACL Translation View lets you review the resulting ACL prior to translation. To translate an ACL:
- Copy or Cut an ACL from the left-panel tree in the ACL Editor. To cut or copy multiple ACLs, use the right-panel ACL Details tab.
- Select a target location in the Cataloged ACLs folder where you want to paste the translated ACL, right-click and select Paste and Translate <ACL type>. The ACL type selected determines the ACL type following translation.
- If there are no conflicts in the translation, the translated ACLs are pasted to the target location in the Cataloged ACLs folder. If conflicts are detected, the ACL Translation View opens where you can make decisions about how the translation will be performed. The top section lists the ACLs where a conflict was detected. The lower-left panel shows the rules for the ACL selected in the top panel with their original parameters. The lower-right panel shows how the rules will be changed if translated. Rules where a conflict exists are marked in the lower-left panel with an exclamation mark in the list; select the rule to view a comment below that describes the nature of the conflict.
- To resolve conflicts:
- Select an ACL from the top panel and examine the lower-right potential translation results panel.
- If you decide that the translation should not be performed on the selected ACL, remove the Check in the Translate column for this ACL in the top panel. Otherwise, leave the Translate column checked.
- Repeat the previous two steps as needed, until all ACL/rule conflicts have been resolved.
- After you've reviewed all the ACLs for conflicts, click OK. The ACLs with the Translate column checked are translated and pasted into the target. ACLs where the Translate checkbox is not checked are pasted into the target without translation.
Renaming an ACL
You can rename ACLs in the Cataloged ACLs folder, but not in the Imported ACLs folder. To rename an ACL:
- In the ACL Manager tab, open the ACL Editor by clicking its icon.
- Expand the Cataloged ACLs folder and select the ACL being renamed. Right-click on the ACL and select Rename ACL from the menu.
- Type the new name for the ACL. ACL names must be alpha-numeric characters only and cannot include spaces. Click OK.
NOTE: When ACL Manager enforces an ACL to a device, the name of the ACL on the device may not be the same as it appears in ACL Manager. ACL Manager attempts to use the same name on the device whenever possible. However, in certain situations a different name will be used. Because of this, an ACL may have a different name on each device it is enforced to. A different name will be used in the following circumstances:
- If the ACL name is non-numeric and the device only supports numeric names, or if the name is otherwise invalid on the device.
- If the name is in the Standard ACL range (1-99) but the ACL is an extended ACL, or if the name is in the Extended ACL range (100-199) but it is a Standard ACL.
- If another ACL with the same name already exists on the device.
- If the same ACL already exists on the device but with a different name, then the existing ACL will be maintained rather than creating a new one.
- The same ACL may have a different name on the device each time it is enforced. If its rules have been changed, it is more efficient to update the device in a way that does not preserve the name.
Editing an ACL
Editing an ACL consists of adding rules, deleting rules, or rearranging the order of existing rules. Refer to How to Create Rules to learn how to add rules to an ACL.
Deleting Rules
In the ACL Editor, you can delete rules from the left-panel tree or from the right-panel Editor tab.
- In the ACL Manager tab, open the ACL Editor by clicking its icon.
- Expand the left-panel tree as necessary and select the ACL where you are deleting the rule or rules.
- Select the Editor tab in the right panel.
- Select the rules being deleted from the table. Hold the Shift key while clicking to select consecutive rules from the table or hold the Control key to select non-consecutive rules.
- Click the right-panel Delete button.
Rearranging Rules
The order of rules in an ACL determines how packets will be managed. The ACL is examined from top to bottom, with the first rule that matches an incoming packet determining the fate of that packet (dropped or forwarded) according to the action specified in the rule. Because evaluation stops at the first match, a broad rule placed above a more specific one shadows it: a permit rule for a whole subnet placed above a deny rule for one host in that subnet means the deny is never evaluated. After moving rules, check that no specific deny has ended up below a broader permit.
- In the ACL Manager tab, open the ACL Editor by clicking its icon.
- Expand the left-panel tree as necessary and select the ACL where you are rearranging rules.
- Select the Editor tab in the right panel.
- Select the rule being moved.
- Click the Move Up or Move Down buttons to change the position of the rule. You can also click Move To, enter an index number, and press Enter.
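The first-match evaluation described above, and what a Move Up or Move Down can do to it, as an added Python example (this is not ACL Manager code or any vendor's CLI): it walks an ACL top to bottom for a packet, reports the implicit deny when nothing matches, shows the effect of the trailing permit-everything rule, and flags a rule that has been placed behind a broader one. The Rule and Packet fields, the sample ACL and all addresses are constructed for the example.

```python
"""First-match ACL evaluation with implicit deny, rule reordering and a
shadowing check. Added illustration only; not ACL Manager code. Rule/Packet
fields and the sample data below are assumptions of the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR such as "10.0.0.0/8", or "any"
    dst: str                     # CIDR or "any"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None matches every port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _in_cidr(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def _covers(outer: str, inner: str) -> bool:
    """True when every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_in_cidr(rule.src, pkt.src)
            and _in_cidr(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL top to bottom; the first matching rule decides.
    Returns (action, index of the deciding rule). ("deny", None) means no rule
    matched, i.e. the implicit deny at the end of the ACL applied."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def with_permit_all(acl: List[Rule]) -> List[Rule]:
    """The page's recipe for a default-permit ACL: a permit-everything rule last."""
    return acl + [Rule("permit", "any", "any")]


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because a single earlier rule matches
    every packet they would match, whatever either rule's action is.
    Shadowing by a combination of several earlier rules is not detected."""
    hidden = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                hidden.append(j)
                break
    return hidden


# Constructed sample: block telnet from the internal /8, permit the rest of it.
SAMPLE_ACL = [
    Rule("deny", "10.0.0.0/8", "any", "tcp", 23),
    Rule("permit", "10.0.0.0/8", "any"),
]
TELNET = Packet("10.1.2.3", "192.0.2.10", "tcp", 23)
WEB = Packet("10.1.2.3", "192.0.2.10", "tcp", 80)
OUTSIDE = Packet("203.0.113.5", "192.0.2.10", "tcp", 80)

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, TELNET))                    # ('deny', 0)
    print(evaluate(SAMPLE_ACL, WEB))                       # ('permit', 1)
    print(evaluate(SAMPLE_ACL, OUTSIDE))                   # ('deny', None): implicit deny
    print(evaluate(with_permit_all(SAMPLE_ACL), OUTSIDE))  # ('permit', 2)
    swapped = [SAMPLE_ACL[1], SAMPLE_ACL[0]]               # as if Move Up on the permit rule
    print(evaluate(swapped, TELNET))                       # ('permit', 0): the deny is never reached
    print(shadowed_rules(swapped))                         # [1]
```

The shadowing check is the one worth running after any Move Up, Move Down or Move To: it only catches a rule fully covered by a single earlier rule, so a rule hidden by the union of several earlier rules still needs a manual look.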
Deleting an ACL
ACLs can be deleted from any folder in the ACL Editor left panel tree or from the right-panel ACL Details tab.
- In the ACL Manager tab, open the ACL Editor by clicking its icon.
- Expand ACL folders as necessary and select the ACL being deleted from either the left panel tree or the right-panel ACL Details tab.
- Right-click on the ACL and select Delete from the menu.
Creating an ACL Folder
ACL Folders provide a container for managing ACLs. They let you create administrative groups of ACLs, such as ACLs that are applied to specific areas of your network or ACLs that may have similar parameters. ACL folders can be created at any level in the Cataloged ACLs folder in the ACL Editor left-panel tree, including in another ACL folder. However, aside from organizing folders and ACLs into a logical order, there is no inheritance or other significance to the hierarchy.
To create an ACL Folder:
- In the ACL Manager tab, open the ACL Editor by clicking its icon.
- In the left-panel tree, expand the Cataloged ACLs folders as necessary, and select the location for the folder.
- Right-click and select Create Folder.
- Enter the ACL folder name and click OK. The new folder is created.