Chapter 1 Controlling CSS Access
Controlling CSS Network Traffic Through Access Control Lists
•clause number bypass - Creates a clause in the ACL to permit traffic on a circuit and bypasses (does not process) content rules that apply to the traffic. The syntax for clause bypass is:
clause number bypass protocol [source_info {source_port}] dest [dest_info {dest_port}] {sourcegroup name} {prefer servicename}
Note The bypass option bypasses traffic only on a content rule, and, therefore, does not cause Network Address Translating (NATing) to occur. Do not use the bypass option in an ACL clause with a source group. The bypass option does not affect NATing on a source group.
•clause number deny - Creates a clause in the ACL to deny traffic on a circuit. The syntax for clause deny is:
clause number deny protocol [source_info {source_port}] dest [dest_info {dest_port}] {sourcegroup name} {prefer servicename}
•clause number permit - Creates a clause in the ACL to permit traffic on a circuit. When you configure an ACL permit clause, all traffic not specified in a permit clause is denied by default. The syntax for clause permit is:
clause number permit protocol [source_info {source_port}] dest [dest_info {dest_port}] {sourcegroup name} {prefer servicename}
Note When a destination in an ACL clause is a Layer 5 content rule, the CSS does not spoof the connection. Therefore, the ACL clause does not function as would be expected. As a workaround, you may configure an additional clause to permit the TCP/IP addresses and ports. Be aware that content is matched on both clauses. For example:
clause 14 permit any any destination content Layer5/L5 eq 80 (original clause)
clause 15 permit tcp any destination 200.200.200.200 eq 80 (This is an additional clause to handle the SYN, where the destination IP address is the IP address configured in the Layer 5 content rule. Note that this clause number must be greater than the destination content clause number.)
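The following ACL brings the three clause types and the Layer 5 workaround together in one configuration. It is an added example written for this page, not a configuration from the guide or from Cisco. The clause lines follow the syntax given above; the surrounding commands (acl 10, apply circuit-(VLAN1), acl enable), the VLAN name, and the RFC 5737 documentation addresses 192.0.2.0/24 and 198.51.100.10 are assumptions, and the lines beginning with "!" are annotation only, not CSS commands. Layer5/L5 is the content rule named on this page; clause 40 is numbered above clause 30 because the note above requires the SYN-handling clause to carry a higher number than the content clause.

```text
! Added example, not from the guide. "!" lines are annotation only.
acl 10
  ! Management subnet reaches the CSS directly; content rules are not
  ! processed for it, so no NAT occurs (bypass, no source group used).
  clause 10 bypass any 192.0.2.0 255.255.255.0 destination any
  ! Explicitly refuse Telnet to the VIP before any permit clause matches.
  clause 20 deny tcp any destination 198.51.100.10 eq 23
  ! Layer 5 content rule as the destination: the CSS does not spoof the
  ! connection here, so the next clause is needed to admit the SYN.
  clause 30 permit any any destination content Layer5/L5 eq 80
  ! Same VIP and port as configured in Layer5/L5; number is greater than 30.
  clause 40 permit tcp any destination 198.51.100.10 eq 80
  ! Everything not matched by a permit clause above is denied by default.
  apply circuit-(VLAN1)
acl enable
```

Once a permit clause exists, any traffic on the circuit that no clause matches is dropped, so add the clauses for legitimate traffic before enabling the ACL and verify that management access is still reachable afterwards.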
Cisco Content Services Switch Security Configuration Guide