Chapter 1 Controlling CSS Access
Controlling CSS Network Traffic Through Access Control Lists
1-34
Cisco Content Services Switch Security Configuration Guide
OL-5650-02
5. Reapply the ACL to the circuit.
(config-acl[7])# apply circuit-(VLAN1)
6. In global configuration mode, reenable all ACLs on the CSS.
(config)# acl enable
To globally disable logging for all ACL clauses, enter:
(config)# no logging subsystem acl
ACL Example
The following ACL provides security for a CSS, Server1, and Server2 on one
VLAN (VLAN1). The ACL:
• Permits clients from subnet 172.16.107.x to access servers 1 and 2 on VLAN1
using various applications (for example, Telnet, FTP, TFTP)
• Permits clients from subnet 172.16.107.x to launch a browser with the URL
172.16.107.35 (the VIP address)
• Prevents clients on any subnet other than 172.16.107.x from accessing
VLAN1 and servers 1 and 2
The individual clauses provide the following security:
• Clause 20 permits any protocol from source subnet 172.16.107.0 to Server1
(IP address 172.16.107.15).
• Clause 30 permits any protocol from source subnet 172.16.107.0 to Server2
(IP address 172.16.107.16).
• Clause 40 permits any protocol from source subnet 172.16.107.0 to VIP
address 172.16.107.35 port 80 (HTTP).
• Clause 50 permits bidirectional communication to the VLAN for any Internet
Control Message Protocol (ICMP) traffic, including keepalives. If you are
using service keepalives, you must configure a clause to permit keepalive
traffic.
• Clause 60 permits UDP to port 520 on the VLAN for Routing Information
Protocol (RIP) updates. This clause is required if your router is on a subnet
other than 172.16.107.x.
• Clause 70 denies everything that has not been permitted by an earlier clause. Because the CSS evaluates clauses in ascending order and applies the first one that matches, this catch-all deny must carry the highest clause number; any permit clause numbered above it would never be reached.
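The following evaluator is an added example and is not part of the Cisco guide or the CSS software. It models the six clauses above as data and runs a handful of constructed packets through them in first-match order, so that you can see which clause decides each flow. It assumes, as the guide's wording implies, that the ACL filters traffic arriving on the circuit it is applied to, that clauses are checked in ascending numerical order with the first match winning, and that a packet matching no clause is denied (clause 70 makes that explicit anyway). The client, router and CSS circuit addresses (172.16.107.50, 192.168.1.1, 172.16.107.1) are made up for the illustration.

```python
"""First-match evaluation of the VLAN1 ACL described above (added example).

Clause semantics modelled here are assumptions: ascending order, first match
wins, deny if nothing matches. The ACL is assumed to filter traffic as it
arrives on the circuit, which is why a server's ICMP echo reply to the CSS
depends on clause 50 and not on clause 20.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
CLIENTS = ipaddress.ip_network("172.16.107.0/24")   # the 172.16.107.x subnet


def host(ip: str) -> ipaddress.IPv4Network:
    """A single-host destination, as written in the clause descriptions."""
    return ipaddress.ip_network(ip + "/32")


@dataclass(frozen=True)
class Clause:
    number: int
    action: str                      # "permit" or "deny"
    protocol: str                    # "any", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None means any destination port


# The six clauses of the example ACL, in the order the text lists them.
ACL_7: List[Clause] = [
    Clause(20, "permit", "any", CLIENTS, host("172.16.107.15")),      # Server1
    Clause(30, "permit", "any", CLIENTS, host("172.16.107.16")),      # Server2
    Clause(40, "permit", "any", CLIENTS, host("172.16.107.35"), 80),  # VIP, HTTP only
    Clause(50, "permit", "icmp", ANY, ANY),                           # ICMP, keepalives
    Clause(60, "permit", "udp", ANY, ANY, 520),                       # RIP updates
    Clause(70, "deny", "any", ANY, ANY),                              # everything else
]


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def clause_matches(clause: Clause, pkt: Packet) -> bool:
    """True if every field of the clause accepts the packet."""
    if clause.protocol != "any" and clause.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in clause.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in clause.dst:
        return False
    if clause.dst_port is not None and clause.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Clause], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, clause number) of the first matching clause.

    A clause number of None marks the modelled default deny, reached only if
    no clause matched; with clause 70 present it is never taken.
    """
    for clause in sorted(acl, key=lambda c: c.number):
        if clause_matches(clause, pkt):
            return clause.action, clause.number
    return "deny", None


def without_clause(acl: List[Clause], number: int) -> List[Clause]:
    """The same ACL with one clause removed, to show what it was protecting."""
    return [c for c in acl if c.number != number]


# Constructed traffic: a local client, an outside client, the router's RIP
# update, and Server1's ICMP echo reply to the CSS circuit address.
SAMPLE_TRAFFIC = [
    ("local client Telnet to Server1",  Packet("tcp", "172.16.107.50", "172.16.107.15", 23)),
    ("local client HTTP to VIP",        Packet("tcp", "172.16.107.50", "172.16.107.35", 80)),
    ("local client HTTPS to VIP",       Packet("tcp", "172.16.107.50", "172.16.107.35", 443)),
    ("outside client Telnet to Server1", Packet("tcp", "10.1.1.9", "172.16.107.15", 23)),
    ("router RIPv2 update",             Packet("udp", "192.168.1.1", "224.0.0.9", 520)),
    ("Server1 echo reply to the CSS",   Packet("icmp", "172.16.107.15", "172.16.107.1")),
]


def run_examples(acl: List[Clause] = ACL_7) -> List[Tuple[str, str, Optional[int]]]:
    """Evaluate every sample packet; returns (description, action, clause)."""
    return [(desc, *evaluate(acl, pkt)) for desc, pkt in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for desc, action, number in run_examples():
        print(f"{desc:36s} -> {action} (clause {number})")
    print("--- with clause 50 removed ---")
    for desc, action, number in run_examples(without_clause(ACL_7, 50)):
        print(f"{desc:36s} -> {action} (clause {number})")
```

Running it shows the HTTPS request to the VIP and every packet from the outside client falling through to clause 70, while the router's RIP update and the server's echo reply are carried only by clauses 60 and 50. The second pass, with clause 50 removed, drops the echo reply at clause 70: that is the keepalive failure the text warns about, and it happens even though clause 20 permits the CSS's own echo request to Server1.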