Quick Tip: Using Groups to Manage Router ACLs

Here's a tip that will help make managing Cisco router access lists with Firewall Builder easier. Let's look at a quick example that assumes we have a router connecting a branch office to the WAN with the following configuration:

Firewall Builder generates a named access list for each interface and direction pair that is defined in the router's Policy rule set. Our example router is configured with two interfaces, and each interface can have an inbound and outbound access list applied, so there are a total of four potential access lists that Firewall Builder can generate for this router.

If each of these access lists has 10 rules, and there are 4 access lists, that is 40 rules to keep track of and organize. And since the order of the rules in an access list matters (the router evaluates entries top to bottom and stops at the first match, so a misplaced rule can shadow everything below it), it's important to make sure things are sequenced correctly.

Firewall Builder's rule groups provide an easy way to identify which rules belong with which access list (interface / direction pair). Here's an example where I have four groups set up, one for each of the access lists that Firewall Builder will generate. Right now each group has only two rules, but using this system makes it easy to keep track of things even if you have hundreds of rules per interface.

As you can see from this example, I like to name my groups with the interface name and the direction it will be applied on the interface ("IN" or "OUT").
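To make the four-access-list picture and the ordering concern concrete, here is an added example that is not Firewall Builder's code or its generated output. It models one rule group per interface/direction pair (named with the page's interface + IN/OUT convention), renders each group as a named Cisco IOS extended access list bound to its interface with ip access-group, and flags any rule that an earlier rule in the same group already covers and that therefore can never match. The interface names, addresses, rules and the exact ACL naming scheme are constructed for the example.

```python
"""Per-interface/direction rule groups rendered as Cisco IOS named ACLs,
with a first-match shadowing check.  Added example; the rule data, the
interface names and the ACL naming scheme are constructed assumptions,
not Firewall Builder's own format or output."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str                     # IPv4 CIDR; "0.0.0.0/0" means any
    dst: str                     # IPv4 CIDR; "0.0.0.0/0" means any
    dport: Optional[int] = None  # destination port (tcp/udp); None = any port


def ios_addr(cidr: str) -> str:
    """Render a CIDR as IOS ACL address syntax: any / host x / net wildcard."""
    net = IPv4Network(cidr)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # IOS uses wildcard masks


def ace(rule: Rule) -> str:
    """One access-list entry line, e.g. 'permit tcp 10.20.0.0 0.0.0.255 any eq 443'."""
    parts = [rule.action, rule.proto, ios_addr(rule.src), ios_addr(rule.dst)]
    if rule.dport is not None:
        parts.append(f"eq {rule.dport}")
    return " ".join(parts)


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a (actions ignored)."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    port_ok = a.dport is None or a.dport == b.dport
    src_ok = IPv4Network(b.src).subnet_of(IPv4Network(a.src))
    dst_ok = IPv4Network(b.dst).subnet_of(IPv4Network(a.dst))
    return proto_ok and port_ok and src_ok and dst_ok


def shadowed(rules: list) -> list:
    """(shadowed_index, earlier_index) pairs: with first-match evaluation the
    later rule can never fire because an earlier one matches everything it would."""
    hits = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                hits.append((j, i))
                break
    return hits


def acl_name(ifname: str, direction: str) -> str:
    # Assumed scheme following the page's interface + IN/OUT convention;
    # '/' is replaced so the name stays to letters, digits and underscores.
    return f"{ifname.replace('/', '_')}_{direction.upper()}"


def render_acl(name: str, rules: list) -> list:
    return [f"ip access-list extended {name}"] + [f" {ace(r)}" for r in rules]


def render_router(groups: dict) -> str:
    """groups maps (interface, direction) -> ordered rule list.  One named ACL
    is emitted per pair and bound to its interface, as described on the page."""
    lines = []
    for (ifname, direction), rules in groups.items():
        lines += render_acl(acl_name(ifname, direction), rules) + ["!"]
    for ifname in sorted({i for i, _ in groups}):
        lines.append(f"interface {ifname}")
        for direction in ("in", "out"):
            if (ifname, direction) in groups:
                lines.append(f" ip access-group {acl_name(ifname, direction)} {direction}")
        lines.append("!")
    return "\n".join(lines)


# Constructed sample: a branch router with a LAN interface and a WAN interface.
BRANCH = "10.20.0.0/24"      # branch office LAN (constructed)
ANY = "0.0.0.0/0"
GROUPS = {
    ("GigabitEthernet0/0", "in"): [          # from the branch LAN
        Rule("permit", "tcp", BRANCH, ANY, 443),
        Rule("permit", "udp", BRANCH, "10.0.0.53/32", 53),
        Rule("deny", "ip", ANY, ANY),
    ],
    ("GigabitEthernet0/0", "out"): [Rule("permit", "ip", ANY, BRANCH)],
    ("GigabitEthernet0/1", "in"): [          # from the WAN: deny is misplaced
        Rule("deny", "ip", ANY, ANY),
        Rule("permit", "tcp", "10.0.0.0/8", BRANCH, 22),   # never reached
    ],
    ("GigabitEthernet0/1", "out"): [Rule("permit", "ip", BRANCH, ANY)],
}


def audit(groups: dict) -> dict:
    """ACL name -> list of shadowed (later, earlier) index pairs, empty if ordered sanely."""
    return {acl_name(i, d): shadowed(r) for (i, d), r in groups.items()}


if __name__ == "__main__":
    print(render_router(GROUPS))
    for name, problems in audit(GROUPS).items():
        for later, earlier in problems:
            print(f"{name}: rule {later} is shadowed by rule {earlier}")
```

Running it prints the four named ACLs with their ip access-group bindings and reports that in the WAN-side inbound list the permit for SSH from 10.0.0.0/8 sits below a deny ip any any and can never match. Run the same check after every reorder or copy between groups; a shadowed permit is a silent outage, and a shadowed deny is a silent hole.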

Creating a Rule Group. To create a group of rules you need to have a rule already defined that will be added to the newly created group. Right-click on the rule and select "New Group" from the top of the menu. Enter the name of the group you want to use and click OK to create the group.

The group starts out in a collapsed mode, so click on the arrow to the left of the group name to expand it.

Expanding and collapsing groups makes it easy for you to focus on just the interface rules that you are working on right now.

To add a new rule to the group, right-click on a rule in the group and select "Insert New Rule" to add a rule above the existing rule and select "Add New Rule Below" to add a rule below the existing rule.

Note that you can copy rules between groups; just be careful to update the copied rule so that it matches the interface and direction of its new group, since it is the rule's interface and direction settings, not the group it sits in, that determine which access list it is generated into. We hope this tip helps you save time when managing Cisco router access lists with Firewall Builder!

For more information about using Firewall Builder to manage access lists on Cisco routers, check out our Getting Started Guide.


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.