
Chapter 1 Controlling CSS Access
Controlling CSS Network Traffic Through Access Control Lists
For example, Figure
Figure 1-2 ACLs Enabled on the CSS
| CSS with ACLs enabled |
|
|
|
| TCP incoming traffic to | ACL 1 |
| Incoming |
| VLAN1 |
| ||
|
|
|
| |
| VIP 192.32.1.254 |
| traffic | |
| All incoming traffic to | ACL 2 |
| Incoming |
| VLAN2 |
| ||
|
|
|
| |
| any destination |
| traffic | |
| All traffic denied due to | No ACL |
| Incoming |
| VLAN3 |
| ||
| no applied ACL |
| traffic | |
|
| |||
|
|
|
|
|
114997
For VLAN1, if you want to allow any TCP traffic to the destination VIP address 192.32.1.254, create ACL 1 and configure the following clause, clause 15 permit tcp any destination 192.32.1.254. Then apply ACL 1 to VLAN1.
For VLAN2, if you want to allow all traffic to any destination, create ACL 2 and configure the following clause, clause 15 permit any any destination any. Then apply ACL 2 to VLAN2.
When you enable ACLs on the CSS, VLAN1 and VLAN2 permit traffic as defined by the permit clauses configured for the ACL. Because no ACL is applied to VLAN3, the CSS applies an implicit “deny all” clause to this circuit causing the CSS to deny all traffic on it.
Caution ACLs function as a firewall security feature. It is extremely important that you first configure an ACL for each CSS circuit to permit traffic before you enable ACLs. If you do not permit any traffic, you lose network connectivity. Note that the console port is not affected.
| Cisco Content Services Switch Security Configuration Guide |