Chapter 1 Controlling CSS Access

Controlling CSS Network Traffic Through Access Control Lists

For example, Figure 1-2shows three VLAN circuits on the CSS.

Figure 1-2 ACLs Enabled on the CSS

 

CSS with ACLs enabled

 

 

 

 

TCP incoming traffic to

ACL 1

 

Incoming

 

VLAN1

 

 

 

 

 

 

VIP 192.32.1.254

 

traffic

 

All incoming traffic to

ACL 2

 

Incoming

 

VLAN2

 

 

 

 

 

 

any destination

 

traffic

 

All traffic denied due to

No ACL

 

Incoming

 

VLAN3

 

 

no applied ACL

 

traffic

 

 

 

 

 

 

 

114997

For VLAN1, if you want to allow any TCP traffic to the destination VIP address 192.32.1.254, create ACL 1 and configure the following clause, clause 15 permit tcp any destination 192.32.1.254. Then apply ACL 1 to VLAN1.

For VLAN2, if you want to allow all traffic to any destination, create ACL 2 and configure the following clause, clause 15 permit any any destination any. Then apply ACL 2 to VLAN2.

When you enable ACLs on the CSS, VLAN1 and VLAN2 permit traffic as defined by the permit clauses configured for the ACL. Because no ACL is applied to VLAN3, the CSS applies an implicit “deny all” clause to this circuit causing the CSS to deny all traffic on it.

Caution ACLs function as a firewall security feature. It is extremely important that you first configure an ACL for each CSS circuit to permit traffic before you enable ACLs. If you do not permit any traffic, you lose network connectivity. Note that the console port is not affected.

 

Cisco Content Services Switch Security Configuration Guide

1-14

OL-5650-02

Page 38
Image 38
Cisco Systems OL-5650-02 manual Acl