Forum Discussion

k_kirchev_28437
Dec 20, 2017

Import Cisco ACL(2000+ rows) from Cisco ACE to F5

Hello guys,

Over the last few months I have been looking for a scenario on how to upload/implement/import Cisco ACLs to F5. I have been looking here and found 5 to 10 Cisco ACL articles, but none of them works for me.

So the problem is this:

I am migrating old Cisco ACE contexts to the new client's F5 i5000 series vCMPs. I have been preparing this for a couple of months since I had the Cisco ACE configs provided. Everything with the implementation of the first context worked fine. I created VLANs, trunks, vCMP, provisioning, configured the vCMP itself etc. Also I have used Cisco-provided scripts which are from 2015, and in fact for LTM they are not 100% effective. However, I managed to configure what was left manually.

But now I come to the next context/vCMP where I have more than 2000 rows of ACL regarding some printers' access. I was looking for a solution for this but still without any result.

The interesting thing is that I have a request from the client to implement the ACL on F5 directly from a pre-defined/created list in .csv format. It could be text or XML, whatever. Also this list will change in time. Is there any option for this? Could it be done through tmsh? Some script?

Please help.


13 Replies

  • So my understanding is these are ACLs to restrict access to VIPs on the ACE, so load-balancing Virtual Servers on the F5s.

    From this I expect AFM (Advanced Firewall Manager) is likely to be your best option on the target F5 devices, as long as it is/can be licensed and provisioned. Although, not seeing the full solution, it is difficult to make a conclusive recommendation.

    Based on these assumptions you can migrate your ACLs into AFM Network Security Policies; however, this is not that simple as the approach is different in F5 AFM than in Cisco ACLs.

    I did start on a Python script for this a few years ago for a project, but I am not sure how useful it would be for you. Will see if I can dig it out and share it with you.


  • Hi AMG,

    thanks for the reply. I was almost desperate because I did not find anything in the last 3 months. So:

    1. The ACLs are in the Exchange context and will be used for printer access (restricting traffic).
    2. I have not used the APM or AFM modules till now. I suppose they are going to be APM ACLs, but please give advice based on your experience.
    3. In this context of the ACE I am not sure what the virtual servers are. Could you please take a look and give advice? I suppose these below could be Standard or maybe Performance L4?:

      class-map match-all EXCHANGE_HTTPS
        5 match virtual-address 10.0.168.32 tcp eq https
      class-map match-all HUB_CLI
        5 match virtual-address 10.0.168.34 tcp eq smtp
      class-map match-all HUB_RELAY
        5 match virtual-address 10.0.168.35 tcp eq smtp
      class-map match-all HUB_WWW
        5 match virtual-address 10.0.168.33 tcp eq smtp
      class-map match-any IMAP
        5 match virtual-address 10.0.168.32 tcp eq 143
        10 match virtual-address 10.0.168.32 tcp eq 993
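The two things asked for in this thread, mapping the ACE class-maps above to F5 virtual servers and feeding a CSV ACL list into AFM, can be scripted. The following is an added example and not code from the thread or from F5; the tmsh command shapes for `ltm virtual` and `security firewall rule-list` are assumed from the documented structure of those objects and should be verified on the target TMOS version (ideally on a lab vCMP guest) before running against 2000 rows. The CSV content, column names, the `printers_acl` rule-list name and the `rule_NNNN` naming are constructed for the example.

```python
# Added example (not from the thread): parse the Cisco ACE class-maps quoted
# above into F5 LTM virtual-server commands, and turn a CSV ACL list like the
# one the client could provide into one AFM rule-list command.
# Assumption: tmsh syntax follows the documented structure of "ltm virtual"
# and "security firewall rule-list"; check it on your TMOS version first.
import csv
import io
import ipaddress
import re

# Service names as Cisco ACE prints them; extend for other "eq <name>" tokens.
SERVICE_PORTS = {"http": 80, "https": 443, "smtp": 25, "imap": 143, "imaps": 993}

# Class-map text copied from the thread (the line fused in the post is split).
ACE_CONFIG = """
class-map match-all EXCHANGE_HTTPS
  5 match virtual-address 10.0.168.32 tcp eq https
class-map match-all HUB_CLI
  5 match virtual-address 10.0.168.34 tcp eq smtp
class-map match-all HUB_RELAY
  5 match virtual-address 10.0.168.35 tcp eq smtp
class-map match-all HUB_WWW
  5 match virtual-address 10.0.168.33 tcp eq smtp
class-map match-any IMAP
  5 match virtual-address 10.0.168.32 tcp eq 143
  10 match virtual-address 10.0.168.32 tcp eq 993
"""

# Constructed sample of the CSV the client might hand over: one ACL row each.
ACL_CSV = """action,protocol,source,destination,port
permit,tcp,10.20.0.0/24,10.0.168.32,443
permit,tcp,10.20.0.15,10.0.168.34,25
deny,tcp,10.20.0.0/24,10.0.168.33,25
"""

CLASS_RE = re.compile(r"^class-map\s+match-(?:all|any)\s+(\S+)$")
MATCH_RE = re.compile(r"^\d+\s+match\s+virtual-address\s+(\S+)\s+(tcp|udp)\s+eq\s+(\S+)$")
ACTIONS = {"permit": "accept", "deny": "drop"}


def port_number(token):
    """'https' -> 443, '993' -> 993; unknown names raise instead of guessing."""
    if token.isdigit():
        return int(token)
    if token.lower() in SERVICE_PORTS:
        return SERVICE_PORTS[token.lower()]
    raise ValueError("unknown service name: %s" % token)


def parse_class_maps(text):
    """Return [(class_name, vip, proto, port), ...] in configuration order."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = MATCH_RE.match(line)
        if m and current is not None:
            entries.append((current, m.group(1), m.group(2), port_number(m.group(3))))
    return entries


def ltm_virtual_commands(entries):
    """One standard virtual server per match line. A match-any class-map (IMAP)
    holds several ports, so the port is appended to keep names unique."""
    return [
        "tmsh create ltm virtual %s_%d destination %s:%d ip-protocol %s"
        % (name, port, vip, port, proto)
        for name, vip, proto, port in entries
    ]


def afm_rule_list_command(csv_text, rule_list="printers_acl"):
    """Build one tmsh command creating an AFM rule-list with a rule per CSV row,
    in CSV order (AFM evaluates rules top down). Addresses are validated with
    the ipaddress module so a malformed row fails here, not inside tmsh."""
    rules = []
    for idx, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        action = ACTIONS[row["action"].strip().lower()]
        src = ipaddress.ip_network(row["source"].strip(), strict=False)
        dst = ipaddress.ip_network(row["destination"].strip(), strict=False)
        port = port_number(row["port"].strip())
        rules.append(
            "rule_%04d { action %s ip-protocol %s source { addresses add { %s } } "
            "destination { addresses add { %s } ports add { %d } } }"
            % (idx, action, row["protocol"].strip().lower(), src, dst, port)
        )
    return "tmsh create security firewall rule-list %s rules add { %s }" % (
        rule_list, " ".join(rules))


if __name__ == "__main__":
    for cmd in ltm_virtual_commands(parse_class_maps(ACE_CONFIG)):
        print(cmd)
    print(afm_rule_list_command(ACL_CSV))
```

Regenerating the whole rule-list from the CSV each time (rather than editing rules in place) keeps the F5 in step with the client's list as it changes; the rule-list then only needs to be attached once to the relevant virtual servers or a global policy, and the deny rows stay ordered exactly as they are in the file.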

       

  • Hi Kaloyan,

    Looks like an older post which the community has not picked up on, but I will do my best to help as I have a bit of experience with Cisco ACE to F5 (did mostly nothing but Cisco to F5 migrations for almost 2 years).

    A few questions just for clarity:

    1. What are the ACLs used for: access to VIPs, to restrict traffic being forwarded by the ACE, or something else like management restrictions?
    2. How are you looking to implement these ACLs on the target F5 devices: AFM policies, iRules or something else?
    3. Are the ACEs and target F5 planned to be used for routing traffic, using IP forwarding Virtual Servers?

    Once I have this, hopefully I can help you out some more.

    AMG