Creating and Managing IP ACLs for WAAS Devices
This section provides guidelines and an example of how to use the WAAS Central Manager GUI to create and manage IP ACLs for your WAAS devices.
When you create an IP ACL, you should note the following important points:
- IP ACL names must be unique within the device.
- IP ACL names must be limited to 30 characters and contain no white space or special characters.
- Each WAAS Central Manager device can manage up to 50 IP ACLs and a total of 500 conditions per device.
- When the IP ACL name is numeric, numbers 1 through 99 denote standard IP ACLs and numbers 100 through 199 denote extended IP ACLs. IP ACL names that begin with a number cannot contain nonnumeric characters.
- The WAAS Central Manager GUI allows the association of standard IP ACLs with SNMP and WCCP. Any device that attempts to access one of these applications associated with an ACL must be on the list of trusted devices to be allowed access.
- You can associate any previously configured standard IP ACL with SNMP and WCCP; however, you can associate an extended IP ACL only with the WCCP application.
- You can delete an IP ACL, including all conditions and associations with network interfaces and applications, or you can delete only the IP ACL conditions. Deleting all conditions allows you to change the IP ACL type if you choose to do so. The IP ACL entry continues to appear in the IP ACL listing; however, it is in effect nonexistent.
- If you specify an empty ACL for any of the ACL types used by WAAS, it has the effect of permitting all traffic.
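The rules above can be checked against a planned configuration before it is entered in the GUI. The following Python sketch is an added example, not Cisco code; the `audit` function, its input layout, and the reading of "special characters" as anything other than ASCII letters, digits, `_` and `-` are assumptions made for illustration.

```python
import re

MAX_ACLS, MAX_CONDITIONS, MAX_NAME_LEN = 50, 500, 30
# ASSUMPTION: "special characters" = anything outside ASCII letters, digits, "_" and "-".
NAME_OK = re.compile(r"^[A-Za-z0-9_-]+$")

def audit(acls, usage):
    """acls: {name: {"type": "standard"|"extended", "conditions": int}}
    usage: {"SNMP": acl-name-or-None, "WCCP": acl-name-or-None}
    Returns a list of findings; dict keys already enforce per-device name uniqueness."""
    findings = []
    if len(acls) > MAX_ACLS:
        findings.append(f"{len(acls)} IP ACLs exceeds the limit of {MAX_ACLS}")
    total = sum(a["conditions"] for a in acls.values())
    if total > MAX_CONDITIONS:
        findings.append(f"{total} conditions exceeds the limit of {MAX_CONDITIONS}")
    for name, acl in acls.items():
        if len(name) > MAX_NAME_LEN or not NAME_OK.match(name):
            findings.append(f"{name!r}: over 30 characters or has white space/special characters")
        elif name[0].isdigit() and not name.isdigit():
            findings.append(f"{name!r}: begins with a number but contains nonnumeric characters")
        elif name.isdigit():
            n = int(name)
            implied = "standard" if 1 <= n <= 99 else "extended" if 100 <= n <= 199 else None
            if implied is None:
                findings.append(f"{name!r}: numeric name outside the documented 1-199 range")
            elif implied != acl["type"]:
                findings.append(f"{name!r}: number denotes {implied}, configured as {acl['type']}")
    for feature, name in usage.items():
        acl = acls.get(name) if name else None
        if acl is None:
            continue  # "Do Not Set" or a name not in the plan: nothing to check here
        if feature == "SNMP" and acl["type"] != "standard":
            findings.append(f"SNMP: {name!r} is extended; only standard IP ACLs can be associated")
        if acl["conditions"] == 0:
            findings.append(f"{feature}: {name!r} has no conditions and permits all traffic")
    return findings

# Constructed sample plan (not taken from a real device).
SAMPLE_ACLS = {
    "test1":   {"type": "standard", "conditions": 3},
    "150":     {"type": "standard", "conditions": 2},   # 100-199 denotes extended
    "9lives":  {"type": "extended", "conditions": 1},   # starts with a digit, not numeric
    "mgmt":    {"type": "extended", "conditions": 4},
    "wccp_in": {"type": "standard", "conditions": 0},   # empty ACL
}
SAMPLE_USAGE = {"SNMP": "mgmt", "WCCP": "wccp_in"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACLS, SAMPLE_USAGE):
        print(finding)
```

The empty-ACL finding matters most for SNMP and WCCP associations, where an ACL that looks restrictive in the listing would in effect allow every source.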
To use the WAAS Central Manager GUI to create and modify an IP ACL for a single WAE, associate an IP ACL with an application, and then apply it to an interface on the WAE, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > TCP/IP Settings > IP ACL.
The IP ACL window appears. By default, there are no IP ACLs defined for a WAE. The IP ACL window indicates if there are currently no IP ACLs configured for the WAE.
Step 3 Click Add IP ACL on the table heading row.
The IP ACL window appears. Fill in the fields as follows:
- In the Name field, enter a name (for example, test1), observing the naming rules for IP ACLs. By default, this new IP ACL is created as a standard ACL.
Note: IP ACL names must be unique within the device, must be limited to 30 characters, and cannot contain any white spaces or special characters.
- If you want to change this default setting and create this new ACL as an extended ACL, choose Extended from the ACL Type drop-down list.
Step 4 Click OK to save the IP ACL named test1. IP ACLs without any conditions defined do not appear on the individual devices.
Step 5 Add conditions to the standard IP ACL named test1 that you just created:
a. Click Add IP ACL Condition in the table below.
The IP ACL Condition window appears. (See Figure 9-1.)
Note: The number of available fields for creating IP ACL conditions depends on the type of IP ACL that you have created, either standard or extended.
Figure 9-1 Creating a New Condition for an Extended IP ACL Window
b. Enter values for the properties that are enabled for the type of IP ACL that you are creating, as follows:
– To set up conditions for a standard IP ACL, go to Step 6.
– To set up conditions for an extended IP ACL, go to Step 7.
Step 6 Set up conditions for a standard IP ACL:
a. From the drop-down list, choose a purpose (Permit or Deny).
b. In the Source IP field, enter the source IP address.
c. In the Source IP Wildcard field, enter a source IP wildcard address.
d. Click OK to save the condition.
IP ACL conditions for the newly created IP ACL and its configured parameters are displayed in the table below.
e. To add another condition to the IP ACL, select it in the above table and click Add IP ACL Condition. Enter the details of the condition in the window and click OK to save the additional condition.
f. If you want a newly created IP ACL condition to appear in a particular position, select the position and click Insert. The IP ACL condition is placed in the selected position.
To reorder your list of conditions, select the condition (or multiple consecutive conditions) and use the Up or Down arrows. Click Save Moved Rows to commit the changes.
Alternatively, you can select one or multiple consecutive conditions and click Move to, and then specify the row number where the IP ACL condition should be positioned. This is especially helpful when there are numerous conditions listed in the table. Once you are satisfied with all your entries and the order in which the conditions are listed, click Save Moved Rows to commit the changes.
Note: The order of the conditions listed in the WAAS Central Manager GUI becomes the order in which IP ACLs are applied to the device.
Click a column heading to sort by any configured parameter.
Table 9-1 describes the fields in a standard IP ACL.

Table 9-1 Standard IP ACL Conditions

| Field | Default Value | Description |
|---|---|---|
| Purpose | Permit | Specifies whether a packet is to be passed (Permit) or dropped (Deny). |
| Source IP [1] | 0.0.0.0 | Number of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format. |
| Source IP Wildcard [1] | 255.255.255.255 | Wildcard bits to be applied to the source, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0. |

Step 7 Set up conditions for an extended IP ACL:
a. From the drop-down list, choose a purpose (Permit or Deny).
b. From the Extended Type drop-down list, choose Generic, TCP, UDP, or ICMP. (See Table 9-2.)

Table 9-2 Extended IP ACL Conditions

| Field | Default Value | Description |
|---|---|---|
| Purpose | Permit | Specifies whether a packet is to be passed or dropped. Choices are Permit or Deny. |
| Extended Type [1] | Generic | Specifies the Internet protocol to be applied to the condition. When selected, the GUI window refreshes with applicable field options enabled. The options are generic, TCP, UDP, or ICMP. |

After you choose a type of extended IP ACL, various options become available in the GUI, depending on what type you choose.
c. In the fields that are enabled for the chosen type, enter the data. (For more information, see Table 9-4 through Table 9-7.)
d. Click OK to save the condition.
IP ACL conditions for the newly created IP ACL and its configured parameters are displayed in the table below.
e. To add another condition to the IP ACL, select it in the above table and click Add IP ACL Condition. Enter the details of the condition in the window and click OK to save the additional condition.
f. If you want a newly created IP ACL condition to appear in a particular position, select the position and click Insert. The IP ACL condition is placed in the selected position.
To reorder your list of conditions, select the condition (or multiple consecutive conditions) and use the Up or Down arrows. Click Save Moved Rows to commit the changes.
Alternatively, you can select one or multiple consecutive conditions and click Move to, and then specify the row number where the IP ACL condition should be positioned. This is especially helpful when there are numerous conditions listed in the table. Once you are satisfied with all your entries and the order in which the conditions are listed, click Save Moved Rows to commit the changes.
Note: The order of the conditions listed in the WAAS Central Manager GUI becomes the order in which IP ACLs are applied to the device.
Click a column heading to sort by any configured parameter.
Step 8 Modify or delete an individual condition from an IP ACL:
a. Select the name of the IP ACL whose condition you want to modify. A list of all the conditions that are currently applied to the IP ACL appears in the IP ACL Conditions table below. Select the condition and click Edit.
b. To modify the condition, change any allowable field as necessary in the IP ACL Condition window and click OK to save the modifications.
c. To delete the condition, select it and click Delete on the table header.
d. To reorder your list of conditions, use the Up or Down arrows or Move to, as outlined in Step 6 f and Step 7 f above.
Step 9 Associate a standard IP ACL with SNMP or WCCP:
a. Click the Edit icon next to the name of the device for which you want to associate a standard IP ACL with SNMP or WCCP.
b. Choose Configure > Network > TCP/IP Settings > IP ACL Feature Usage. The IP ACL Feature Settings window appears.
c. From the drop-down lists, choose the name of an IP ACL for SNMP or WCCP. (For more details, see Table 9-3.) If you do not want to associate an IP ACL with one of the applications, choose Do Not Set.

Table 9-3 IP ACL Feature Settings

| WAAS Central Manager GUI Parameter | Function |
|---|---|
| SNMP | Associates a standard IP ACL with SNMP. This option is supported for all WAAS devices. |
| WCCP | Associates any IP ACL with WCCP Version 2. This option is supported only for WAAS devices that are operating in WCCP interception mode and not for WAAS Central Manager devices. |

d. Click Submit to save the settings.
Step 10 Apply an IP ACL to an interface:
a. Click the Edit icon next to the name of the device for which you want to apply an IP ACL to an interface on the WAE.
b. Choose Configure > Network > Network Interfaces.
The Network Interfaces window for the device appears. This window displays all the interfaces available on that device.
c. Click the Edit icon next to the name of the interface to which you want to apply an IP ACL. The Network Interface settings window appears.
d. From the Inbound ACL drop-down list at the bottom of the window, choose the name of an IP ACL.
e. From the Outbound ACL drop-down list, choose the name of an ACL.
The only network interface properties that can be altered from the WAAS Central Manager GUI are the inbound and outbound IP ACLs. All other property values are populated from the device database and are read-only in the WAAS Central Manager GUI.
Step 11 Click Submit to save the settings.
Step 12 To use an IP ACL to define the traffic that should be intercepted, see the “Configuring Interception Access Control Lists” section.
Step 13 (Optional) Delete an IP ACL:
a. Click the Edit icon next to the name of the device that has the IP ACL that you want to delete.
b. Choose Configure > Network > TCP/IP Settings > IP ACL.
If you created conditions for the IP ACL, you have two options for deletion:
– Delete ACL: Removes the IP ACL, including all conditions and associations with network interfaces and applications.
– Delete All Conditions: Removes all the conditions, while preserving the IP ACL name.
c. To delete the entire IP ACL and its conditions, select the IP ACL and click Delete. You are prompted to confirm your action. Click OK. The record is deleted.
d. To delete only the conditions, select one or more conditions (consecutive or nonconsecutive) and click Delete. When you are prompted to confirm your action, click OK. The conditions are deleted.
To define an IP ACL from the CLI, you can use the ip access-list global configuration command, and to apply the IP ACL to an interface on the WAAS device, you can use the ip access-group interface configuration command. To configure the use of an IP ACL for SNMP, you can use the snmp-server access-list global configuration command. To specify an IP ACL that the WAE applies to the inbound WCCP redirected traffic that it receives, you can use the wccp access-list global configuration command. To configure an interception ACL, you can use the interception access-list global configuration command.
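The Source IP Wildcard semantics in Table 9-1 and the note that conditions are applied in listed order can be modeled offline to check a standard IP ACL before saving it. The following Python sketch is an added example, not Cisco code; the function names and sample addresses are constructed, and returning Deny when no condition matches is an assumption (the usual implicit deny), since this page does not state it.

```python
import ipaddress

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def matches(addr, source, wildcard):
    """Wildcard bit 1 = ignore, 0 = must equal the Source IP bit (Table 9-1)."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) ^ _u32(source)) & care == 0

def evaluate(conditions, addr):
    """conditions: ordered list of (purpose, source_ip, source_wildcard)."""
    if not conditions:
        return "Permit"      # an empty ACL permits all traffic (stated on this page)
    for purpose, source, wildcard in conditions:
        if matches(addr, source, wildcard):
            return purpose   # the first matching condition decides
    return "Deny"            # ASSUMPTION: implicit deny when nothing matches

def shadowed(conditions):
    """Return (earlier, later) index pairs where the later condition can never match."""
    pairs = []
    for j, (_, src_j, wild_j) in enumerate(conditions):
        for i in range(j):
            _, src_i, wild_i = conditions[i]
            care_i = ~_u32(wild_i) & 0xFFFFFFFF
            # i covers j if i only checks bits that j also fixes, and they agree there.
            if _u32(wild_j) & care_i == 0 and (_u32(src_i) ^ _u32(src_j)) & care_i == 0:
                pairs.append((i, j))
                break
    return pairs

# Constructed sample: the host deny is listed after a broader permit, so it never fires.
ACL_MISORDERED = [("Permit", "10.1.0.0", "0.0.255.255"), ("Deny", "10.1.5.7", "0.0.0.0")]
ACL_REORDERED = [ACL_MISORDERED[1], ACL_MISORDERED[0]]

if __name__ == "__main__":
    for acl in (ACL_MISORDERED, ACL_REORDERED):
        print(evaluate(acl, "10.1.5.7"), shadowed(acl))
```

A non-empty result from `shadowed` indicates rows that should be moved up with the Up arrow or Move to before Save Moved Rows is clicked.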