
Chapter 1 Controlling CSS Access
Controlling CSS Network Traffic Through Access Control Lists
Note When you remove an applied ACL from the circuit, the CSS applies an implicit “deny all” clause to this circuit causing the CSS to deny all traffic on it. If you want the CSS to permit traffic on the circuit when removing the applied ACL from the circuit, globally disable ACLs on the CSS with the global configuration mode acl disable command. By disabling all ACLs on the CSS, the CSS permits all traffic on all circuits.
Applying an ACL to a Circuit or DNS Queries
After you configure the clauses on an ACL, use the apply command to assign an ACL to all circuits, an individual circuit, or to DNS queries.
Note When you add a new clause to an applied ACL, use the apply circuit command to reapply the ACL on the circuit for the clause to take effect.
You cannot apply an empty ACL to a circuit. If you attempt to do so, this error message appears: Cannot apply ACL for it has no clauses.
The syntax and options for this ACL mode command are:
• apply all - Applies the ACL to all existing circuits. For example:
• apply circuit-(circuit_name) - Applies the ACL to an individual circuit. For example, to apply acl 7 to circuit VLAN1:
(config-acl[7])# apply circuit-(VLAN1)
To display a list of circuits, use the apply ? command.
• apply dns - Adds the ACL to DNS queries.
If you configure a domain name on a content rule on a CSS using the add dns domain_name command, a DNS query for that domain name does match an ACL that is configured with the apply dns command.
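The apply rules in this section (empty ACLs are rejected, new clauses need a reapply, removing an applied ACL leaves an implicit deny all, acl disable permits everything) can be checked against a planned change before it is typed in. The following is an added example, not Cisco code: a small Python model of those rules, where the step names and clause strings are hypothetical placeholders rather than CSS syntax.

```python
# Model of the apply rules in this section. Not CSS software; step names are
# hypothetical labels for the operations the text describes.
EMPTY_ACL_ERROR = "Cannot apply ACL for it has no clauses."

def audit_plan(plan):
    """Walk a change plan; return (step_number, warning) for each risky state."""
    clauses = {}    # acl number -> clauses configured so far
    circuits = {}   # circuit -> (acl, clause count in effect), None once removed
    enabled = True  # cleared by the global `acl disable`
    warnings = []
    for n, (op, *args) in enumerate(plan, start=1):
        if op == "clause":                  # add a clause to an ACL
            acl, text = args
            clauses.setdefault(acl, []).append(text)
        elif op == "apply":                 # apply the ACL to one circuit
            acl, circuit = args
            if not clauses.get(acl):        # the CSS refuses an empty ACL
                warnings.append((n, EMPTY_ACL_ERROR))
                continue
            circuits[circuit] = (acl, len(clauses[acl]))
        elif op == "remove":                # remove the applied ACL
            circuits[args[0]] = None
        elif op == "acl_disable":
            enabled = False
        else:
            raise ValueError(f"unknown step: {op}")
        if not enabled:
            warnings.append((n, "ACLs disabled globally: all circuits permit all traffic"))
            continue
        for circuit, state in sorted(circuits.items()):
            if state is None:
                warnings.append((n, f"{circuit}: implicit deny all"))
            elif state[1] < len(clauses[state[0]]):
                warnings.append((n, f"{circuit}: acl {state[0]} has clauses not in effect, reapply"))
    return warnings

# Constructed plan; clause strings are placeholders, not CSS clause syntax.
PLAN = [
    ("apply", 7, "VLAN1"),       # rejected: acl 7 is still empty
    ("clause", 7, "clause-A"),
    ("apply", 7, "VLAN1"),
    ("clause", 7, "clause-B"),   # configured but not yet enforced
    ("apply", 7, "VLAN1"),       # reapply so clause-B takes effect
    ("remove", "VLAN1"),         # circuit now drops everything
    ("acl_disable",),            # documented way to permit traffic again
]

if __name__ == "__main__":
    for step, message in audit_plan(PLAN):
        print(f"step {step}: {message}")
```

The model only tracks circuits named in the plan and assumes clauses are appended, never edited or deleted.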
Cisco Content Services Switch Security Configuration Guide