CUSTOM ACL SYSTEM DOCUMENTATION

Document Managed by Network Operations

Summary & Goals

The Custom ACL System within NetDB allows both Network Operations Staff and Local Administrators to create and edit custom ACLs that are auto-applied to the networks which reference those ACLs. Network Operations staff retain control over both the content and the actual application of UCS-authored ACLs while still allowing the UCS a significant amount of control. The system provides a syntax-checked ACL line editing interface to prevent typos.

Technical Overview

The Custom ACL System combines ACL Blocks into ACL Templates, which output standard IOS ACLs. ACL Blocks can be written by both Network Operations and local administrators. The resulting ACL is then auto-pushed to a router once the specific ACL Template is applied to a specific network via a Network Attribute object in NetDB.

Tool Terms & Definitions

  • ACL Templates
    • An ACL Template is made up of Template Lines that call ACL Blocks. These lines are then parsed to output a standard IOS Access List.
    • A Template Line references (includes) an ACL Block. ACL Blocks can be TD-written or UCS-written ACL Blocks, or UCS NetIN/NetOUT blocks.
  • ACL Blocks
    • An ACL Block is a list of ACL Lines (called rules) that comprise part or all of a standard IOS access list.
    • An ACL Rule is a standard IOS Access List line.
    • An ACL Block (NCG) is an ACL Block stored in the user's NCG. This block can be referenced by an ACL template or a NetIN/NetOUT block.
    • An ACL Block (NetIN/NetOUT) is an ACL Block assigned to a specific network. This block can reference (include) ACL Blocks in the network's NCG.
  • Network Attributes
    • A Network Attribute is a value assigned to a network in NetDB. For our purposes here, it simply references an ACL block to assign to the network.
    • A template_in Network Attribute references an ACL Template to be applied to its containing network in the inbound direction.
    • A template_out Network Attribute references an ACL Template to be applied to its containing network in the outbound direction.

Tool Procedures

Procedure Workflow

The following is a general procedural workflow for the Custom ACL System. All Custom ACL creations should be definable through this procedure. Required lines are black, optional lines are grey.

  1. UCS Creates NCG-global ACL Blocks
  2. UCS Creates NetIN and/or NetOUT ACL Block for network, referencing his NCG-Global ACL Blocks if necessary
  3. UCS Notifies Network Operations of new NetIN, asks that it be applied to network X
  4. Network Engineer sanity-checks NetIN/NetOUT ACL Block (if it fails, return it to the UCS for editing; if it passes, proceed to the next step)
  5. Network Engineer creates Global ACL Blocks to precede or follow the NetIN/NetOUT block in an ACL Template
  6. Network Engineer creates or finds appropriate Template, referencing NetIN/NetOUT block and if necessary, Global ACL Blocks
  7. Network Engineer creates network 'template_in' or 'template_out' network attribute for network X and references appropriate ACL template (created or found in above step)
    • At this point, the system should pass the new parsed ACL to Voyence which should in turn push it to the correct router
  8. Network Engineer verifies successful Voyence push and references new ACL via an access-group statement on Network X's router interface

Example Procedure: Simple ACL
UCS wants a simple, network specific ACL applied inbound to his network.

Short Procedure

  1. UCS creates NetIN for network in question
  2. UCS asks NOC to apply his NetIN for network X to network X
  3. NO Engineer sanity-checks UCS's NetIN
  4. NO Engineer creates or finds ACL that references only NetIN (finds 'NetIN only' template)
  5. NO Engineer adds 'template_in' Network Attribute (referencing 'NetIN only' ACL template) to network X
  6. Voyence pushes new ACL to Router
  7. NO Engineer verifies successful Voyence push to router, adds access-group reference to appropriate router interface

Long Procedure

  1. UCS navigates (via NetDB) to the network he wants to apply the ACL to.
  2. Once on the network page, UCS clicks 'add NetIN'
  3. NetIN is auto-created, UCS returns to network page
  4. UCS clicks on new NetIN ACL Block to edit it
  5. UCS adds lines (called Rules) via the 'add last' link on the NetIN edit screen
    • These 'rules' can be individual IOS Access List lines, or can include ACL Blocks he had previously written in his NCG space
    • Once finished, the UCS can reorder these 'rules' by using the 'reorder' link on the NetIN edit screen
  6. UCS clicks 'submit' on NetIN screen to commit the ACL rules he just added
  7. UCS Emails the NOC to ask that his NetIN ACL block be applied to the network in question
  8. Network Engineer analyzes the NetIN ACL Block written by UCS, sees no errors
    • FYI: The Network Engineer now needs to create a template which references only the 'NetIN' ACL Block
    • This block already exists as an ACL Template and is named 'NETIN only'
  9. Network Engineer navigates to network in question and selects 'add' under 'Network Attributes' to create a network attribute
  10. Network Engineer selects attribute name 'template_in' and adds value 'NetIN only' in reference to the ACL template of the same name
  11. Network Engineer submits this network attribute
  12. ACL Push System receives request to create new ACL from NetDB, parses new ACL from ACL Template (and consequently NetIN)
  13. Push System names this new ACL in the form of "IP-DOTTED-QUAD-RANGE-Date-direction" where direction is 'in' or 'out'
  14. ACL Push System creates Voyence job to add this new ACL to the router that hosts network X
  15. Voyence Pushes ACL "x-x-x-x-date-IN" to router
  16. Network Engineer verifies that push was successful
  17. Network Engineer applies access-group in 'inbound' direction to correct interface

Example Procedure: Complex ACL
UCS Wants his NetIN ACL Block added to Network Y, but NOC needs prefixes and suffixes added

Short Procedure

  1. UCS creates NCG-Global ACL Block (block 1) to include in his NetIN ACL Block
  2. UCS creates NetIN for network in question, includes (block 1)
  3. UCS asks NOC to apply his NetIN for network X to network X
  4. NO Engineer sanity-checks UCS's NetIN
    • NOC engineer ok's UCS' NetIN block, but requires a prefix and suffix for the ACL
  5. NO Engineer creates suffix and prefix TD ACL Blocks for inclusion in new template
  6. NO Engineer creates ACL template that references 'NetIN' surrounded by 'prefix' and 'suffix' blocks (named templateY)
  7. NO Engineer adds 'template_in' Network Attribute (referencing 'templateY' ACL template) to network Y
  8. Voyence pushes new ACL to Router
  9. NO Engineer verifies successful Voyence push to router, adds access-group reference to appropriate router interface

Long Procedure

  1. UCS navigates (via NetDB) to his NCG, creates ACL Block 'block1' for later use
  2. UCS navigates (via NetDB) to the network he wants to apply the ACL to.
  3. Once on the network page, UCS clicks 'add NetIN'
  4. NetIN is auto-created, UCS returns to network page
  5. UCS clicks on new NetIN ACL Block to edit it
  6. UCS adds lines (called Rules) via the 'add last' link on the NetIN edit screen
  7. UCS includes 'block1' at the end of his NetIN ACL Block via the same procedure
  8. UCS clicks 'submit' on NetIN screen to commit the ACL rules he just added
  9. UCS Emails the NOC to ask that his NetIN ACL block be applied to the network in question
  10. Network Engineer analyzes the NetIN ACL Block written by UCS, sees no errors but needs to add a suffix and prefix
  11. Network Engineer navigates to Network Operations NCG (via NetDB)
  12. Network Engineer creates ACL Blocks 'suffix' and 'prefix', saves them for later use in template
  13. Network Engineer navigates to ACL Template List (via NetDB main menu)
  14. Network Engineer creates ACL Template 'template Y' which includes 'prefix', 'NetIN', and 'suffix'
  15. Network Engineer navigates to network in question and selects 'add' under 'Network Attributes' to create a network attribute
  16. Network Engineer selects attribute name 'template_in' and adds value 'template Y' in reference to the ACL template of the same name
  17. Network Engineer submits this network attribute
  18. ACL Push System receives request to create new ACL from NetDB, parses new ACL from ACL Template (and consequently prefix, NetIN, block1 and suffix)
  19. ACL Push System names this new ACL in the form of "IP-DOTTED-QUAD-RANGE-Date-direction" where direction is 'in' or 'out'
  20. ACL Push System creates Voyence job to add this new ACL to the router that hosts network Y
  21. Voyence Pushes ACL "x-x-x-x-date-IN" to router
  22. Network Engineer verifies that push was successful
  23. Network Engineer applies access-group in 'inbound' direction to correct interface
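The following is an added illustration, not code from NetDB or the ACL Push System, of how the block/template model in the definitions above and the parse step (step 18 of this procedure) turn 'template Y' into a named IOS access list. The block contents, the simplified rule grammar, the "include <block>" spelling and the exact layout of the "IP-DOTTED-QUAD-RANGE-Date-direction" name are all assumptions; the page gives only the overall form.

```python
import re
import ipaddress
from datetime import date

# Constructed sample blocks (not from the page), mirroring the 'Complex ACL' example:
# a UCS NCG block, a NetIN that includes it, and NOC-written prefix/suffix blocks.
# A rule is either an IOS access-list line or "include <block>" (assumed spelling).
BLOCKS = {
    "block1": ["permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.5 eq 22"],
    "NetIN":  ["permit tcp any host 10.2.0.10 eq 443", "include block1"],
    "prefix": ["deny ip 10.2.0.0 0.0.0.255 any"],   # constructed anti-spoofing guard
    "suffix": ["deny ip any any log"],              # constructed explicit final deny
}
TEMPLATE_Y = ["prefix", "NetIN", "suffix"]   # each template line calls one block

# Simplified IOS extended-ACL grammar standing in for the editor's syntax check
# (assumption: the real grammar is not described on the page).
RULE_RE = re.compile(r"^(permit|deny)\s+(ip|tcp|udp|icmp)\s+\S.*$")

def expand_block(name, blocks, stack=()):
    """Flatten a block into IOS lines, following includes and refusing cycles
    (a NetIN may include NCG blocks, so a cycle would otherwise loop forever)."""
    if name in stack:
        raise ValueError("include cycle: " + " -> ".join(stack + (name,)))
    if name not in blocks:
        raise KeyError("unknown ACL block: " + name)
    lines = []
    for rule in blocks[name]:
        if rule.startswith("include "):
            lines.extend(expand_block(rule.split()[1], blocks, stack + (name,)))
        elif RULE_RE.match(rule):
            lines.append(rule)
        else:
            raise ValueError(f"bad rule in {name}: {rule!r}")
    return lines

def acl_name(network, direction, day):
    """Assumed reading of "IP-DOTTED-QUAD-RANGE-Date-direction": dashes for dots,
    prefix length as the range, ISO date, then 'in' or 'out'."""
    net = ipaddress.ip_network(network)
    quad = str(net.network_address).replace(".", "-")
    return f"{quad}-{net.prefixlen}-{day.isoformat()}-{direction}"

def render_acl(template, blocks, network, direction, day):
    """Parse a template into a named IOS extended access list (config lines)."""
    body = [line for block in template for line in expand_block(block, blocks)]
    header = f"ip access-list extended {acl_name(network, direction, day)}"
    return [header] + [" " + line for line in body]
```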