Chapter 1 Controlling CSS Access
Controlling CSS Network Traffic Through Access Control Lists
1-14
Cisco Content Services Switch Security Configuration Guide
OL-5650-02
For example, Figure 1-2 shows three VLAN circuits on the CSS.
Figure 1-2 ACLs Enabled on the CSS
For VLAN1, if you want to allow any TCP traffic to the destination VIP address
192.32.1.254, create ACL 1 and configure the clause
clause 15 permit tcp any destination 192.32.1.254. Then apply ACL 1 to VLAN1.
For VLAN2, if you want to allow all traffic to any destination, create ACL 2 and
configure the clause clause 15 permit any any destination any. Then apply
ACL 2 to VLAN2.
When you enable ACLs on the CSS, VLAN1 and VLAN2 permit only the traffic
matched by the permit clauses configured in their ACLs. Because no ACL is
applied to VLAN3, the CSS applies an implicit “deny all” clause to that circuit
and denies all traffic on it.
Caution ACLs function as a firewall security feature. It is extremely important that you
first configure an ACL for each CSS circuit to permit traffic before you enable
ACLs. If you do not permit any traffic, you lose network connectivity. Note that
the console port is not affected.
[Figure 1-2, CSS with ACLs enabled: incoming traffic on VLAN1 (ACL 1 applied) is limited to TCP traffic to VIP 192.32.1.254; incoming traffic on VLAN2 (ACL 2 applied) is permitted to any destination; VLAN3 has no ACL, so all traffic on it is denied.]