
Chapter 1 Controlling CSS Access
Controlling CSS Network Traffic Through Access Control Lists
However, if you configure a CSS with the
If ACLs are disabled on the CSS when you apply an ACL, you must enter the global configuration acl enable command to enable the ACLs on the CSS. For information on the acl enable command, see the “Enabling ACLs on the CSS” section later in this chapter.
Removing an ACL from Circuits or DNS Queries
Remove an ACL from the circuit when you need to delete a clause from an ACL, the ACL applied to the circuit, or an ACL from DNS queries. To remove an ACL from all circuits, an individual circuit, or DNS queries, use the remove command. The syntax and options for this ACL mode command are:
• remove all - Removes the ACL from all circuits.
• remove circuit (circuit_name) - Removes the ACL from a specific circuit. For example, enter:
(config-acl[7])# remove circuit-(VLAN1)
To display a list of circuits that you can remove, use the remove ? command.
• remove dns - Removes the ACL from DNS queries. For example, enter:
We recommend that you globally disable ACLs on the CSS before removing an ACL from a circuit. If you remove an ACL from a circuit when ACLs are enabled on the CSS, the CSS applies an implicit “deny all” clause to this circuit, causing the CSS to deny all traffic on it. If you do not want to deny traffic on the circuit, you must disable all ACLs on the CSS and then remove the ACL from the circuit. When all ACLs are disabled on the CSS, the CSS permits all traffic on all circuits.
For example:
1. In global configuration mode, disable all ACLs on the CSS.
(config)# acl disable
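An added example, not part of the Cisco guide: a pre-change check in Python that reads a planned command list in the prompt format shown above and flags any circuit removal issued while ACLs are still globally enabled, and reports whether the plan leaves ACLs disabled at the end. The function name, the sample plans, and the assumed starting state (ACLs enabled) are constructed for illustration.

```python
import re

# Prompt-prefixed lines in the form this guide prints them, for example
# "(config)# acl disable" or "(config-acl[7])# remove circuit-(VLAN1)".
LINE_RE = re.compile(r"^\((?P<mode>config(?:-acl\[(?P<acl>\d+)\])?)\)#\s*(?P<cmd>.+?)\s*$")


def lint_acl_change(lines, acls_enabled=True):
    """Return (findings, final_state) for a planned CSS change script.

    acls_enabled is the ASSUMED global ACL state before the first line.
    A finding is (line_number, acl_index, command) for each removal from a
    circuit issued while ACLs are globally enabled, the case the guide
    warns leaves an implicit "deny all" clause on the circuit.
    """
    findings = []
    for number, raw in enumerate(lines, start=1):
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # blank line or device output, not a command
        cmd = " ".join(match["cmd"].split()).lower()
        if match["acl"] is None:
            # Global configuration mode: track the on/off switch.
            if cmd == "acl enable":
                acls_enabled = True
            elif cmd == "acl disable":
                acls_enabled = False
        elif cmd == "remove all" or cmd.startswith("remove circuit"):
            # ACL mode: "remove dns" is not a circuit removal, so it is skipped.
            if acls_enabled:
                findings.append((number, int(match["acl"]), match["cmd"]))
    return findings, acls_enabled


# Constructed change plans (not captured from a real device).
RISKY_PLAN = [
    "(config-acl[7])# remove circuit-(VLAN1)",
    "(config)# acl disable",
]
SAFE_PLAN = [
    "(config)# acl disable",
    "(config-acl[7])# remove circuit-(VLAN1)",
    "(config-acl[7])# remove dns",
]

if __name__ == "__main__":
    for name, plan in (("risky", RISKY_PLAN), ("safe", SAFE_PLAN)):
        findings, state = lint_acl_change(plan)
        print(name, findings, "ACLs enabled at end:", state)
```

A final state of False means the plan ends with ACLs globally disabled, so the CSS is permitting all traffic on all circuits until acl enable is entered.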
| Cisco Content Services Switch Security Configuration Guide |