Chapter 1 Controlling CSS Access

Controlling CSS Network Traffic Through Access Control Lists

4. Apply another ACL on the circuit. If you do not apply an ACL on the circuit, the CSS denies traffic on the circuit when you enable ACLs on the CSS.

5. Reenable all ACLs on the CSS. Enter:

(config)# acl enable

Configuring Clauses

The clauses you configure on an ACL determine how the CSS controls traffic on a circuit. When you configure a clause, you must assign a number to it. The number assigned to each clause is important. The CSS processes the ACL starting from clause 1 and sequentially progresses through the rest of the clauses. When assigning numbers to clauses, assign the lowest numbers to clauses with the most specific matches. Then, assign higher numbers to clauses with less specific matches.

You do not need to enter the clauses sequentially. The CSS automatically inserts the clause in the appropriate order in the ACL. For example, if you enter clauses 10 and 24, and then clause 15, the CSS inserts the clauses in the correct sequence.

To create a clause to permit, deny, or bypass traffic on a circuit, use the clause command. The clause number is the number you want to assign to the clause. Enter a number from 1 to 254.

Note: After you add a new clause to an ACL while ACLs are enabled on the CSS, you must reapply the ACL on the circuit. For more information, see the “Adding a Clause When ACLs are Globally Enabled” section.

After you create a clause, you cannot modify it. You must delete the clause and create a new clause. For information on deleting a clause, see the “Deleting a Clause” section.

The CSS applies a hidden default “deny all” clause as clause 255 to all ACLs. You must specify permit clauses that allow traffic, including management traffic, on the CSS.
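The following Python model is an added example, not CSS code or configuration from this guide. It shows first-match processing in clause-number order, the implicit "deny all" at clause 255, and how a broad clause with a low number shadows a more specific one. The match fields (source network and optional destination port), the class and method names, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

IMPLICIT_DENY = 255  # hidden "deny all" clause the CSS applies to every ACL

class Acl:
    """Simplified model: a clause matches on source network and optional port."""
    def __init__(self):
        self.clauses = {}  # clause number -> (action, network, port or None = any)

    def add(self, number, action, source, port=None):
        if not 1 <= number <= 254:
            raise ValueError("clause number must be from 1 to 254")
        if number in self.clauses:
            raise ValueError("clauses cannot be modified; delete and re-create")
        self.clauses[number] = (action, ipaddress.ip_network(source), port)

    def order(self):
        # Entry order is irrelevant: processing always follows clause numbers.
        return sorted(self.clauses)

    def evaluate(self, src_ip, dst_port):
        """Return (clause number, action) of the first clause that matches."""
        src = ipaddress.ip_address(src_ip)
        for number in self.order():
            action, net, port = self.clauses[number]
            if src in net and port in (None, dst_port):
                return number, action
        return IMPLICIT_DENY, "deny"

    def shadowed(self):
        """Return (clause, covering clause) pairs where an earlier clause always wins."""
        found, nums = [], self.order()
        for i, n in enumerate(nums):
            _, net, port = self.clauses[n]
            for earlier in nums[:i]:
                _, e_net, e_port = self.clauses[earlier]
                if net.subnet_of(e_net) and e_port in (None, port):
                    found.append((n, earlier))
                    break
        return found

# Constructed sample ACLs (addresses and ports are illustrative only).
misordered = Acl()
misordered.add(10, "permit", "10.0.0.0/8")      # broad match numbered too low
misordered.add(20, "deny", "10.1.1.0/24", 23)   # specific match is never reached

ordered = Acl()
ordered.add(10, "deny", "10.1.1.0/24", 23)      # most specific match first
ordered.add(24, "permit", "10.0.0.0/8")
ordered.add(15, "permit", "10.1.1.0/24", 22)    # entered last, processed second
```

Running `shadowed()` on a planned clause list before entering it on the CSS catches ordering mistakes early, which matters because a clause cannot be modified once created.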

The syntax for the clause command is:

Cisco Content Services Switch Security Configuration Guide

OL-5650-02