Forum Discussion
Import Cisco ACL(2000+ rows) from Cisco ACE to F5
Hello guys,
through last few months I have been looking for scenario how to upload/implement/import Cisco ACL to F5. I have been looking here and found like 5,10 Cisco ACLs articles but none of them is working for me.
So the problem is this:
I am migrating old Cisco ACE contexts to new client's F5 i5000 series vCMPs. I was preparing this for a couple of months since I had Cisco ACE configs provided. Everything with implementation of first context worked fine. I created vlans,trunks,vCMP, provisioning, configure vCMP itself etc. Also I have used Cisco provided scripts which are from 2015. And in fact for LTM they are not 100% effective. However I managed to configure what was left manually.
But now I come to the next context/vCMP where I have more than 2000 rows of ACL regarding some printers access. I was looking for solution of this but still without any result.
Interesting thing is that I have request from client if I could implement ACL to F5 directly from pre-defined/created list in .csv format. It could be text or xml whatever. Also this list will change in time. Is there any option for this ? Could it be done through tmsh? Some script?
Please help.
- Andy_McGrathCumulonimbus
So my understanding is these are ACL's to restrict access to VIPs on the ACE, so load-balancing Virtual Servers on the F5's.
From this expect AFM (Advanced Firewall Manager) is likely to be your best option on the target F5 devices, as long are/can be licensed and provisioned. Although not seeing the full solution difficult to make a convulsive recommendation.
Based on these assumptions you can migrate your ACL's into AFM Network Security Policies however this is not that simple as the approach is different in the F5 AFM than Cisco ACL.
I did start on a Python script for this a few years ago for a project but not sure how useful it would be for you. Will see if I can dig it out and share with you.
- k_kirchev_28437Nimbostratus
Hi AMG,
thanks for the reply. I was almost desperate because I did not find anything last 3 months. So:
- ACL's are in Exchange context and will be used for printer access(restrict traffic).
- I had not used APM or AFM modules till now. I suppose they are going to be APM ACLs but please give advice based on your experience.
-
On this context of ACE I am not sure what are the virtual servers. Could you please take a look and give an advice. I suppose these bellow could be Standard or maybe Performance L4? :
class-map match-all EXCHANGE_HTTPS
5 match virtual-address 10.0.168.32 tcp eq https
class-map match-all HUB_CLI
5 match virtual-address 10.0.168.34 tcp eq smtp class-map match-all HUB_RELAY
5 match virtual-address 10.0.168.35 tcp eq smtp
class-map match-all HUB_WWW
5 match virtual-address 10.0.168.33 tcp eq smtp
class-map match-any IMAP
5 match virtual-address 10.0.168.32 tcp eq 143
10 match virtual-address 10.0.168.32 tcp eq 993
- Andy_McGrathCumulonimbus
Hi Kaloyan,
Looks like an older post which the community has not picked up on but will do my best to help as I have a bit of experience with Cisco ACE to F5 (did mostly nothing but Cisco to F5 migrations for almost 2 years).
A few question just for clarity:
- What are the ACL's used for, access to VIP's, to restrict traffic being forwarded by the ACE or something else like management restrictions?
- How are to looking to implement these ACL's on the target F5 devices, AFM policies or iRules or something else?
- The ACE's and target F5 planned to be used for routing traffic, using IP forwarding Virtual Servers?
Once have this hopefully can help you out some more.
AMG
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com