Chapter 1 Controlling CSS Access

Controlling CSS Network Traffic Through Access Control Lists

Use the acl enable command in global configuration mode to enable all ACLs on the CSS. Configured ACLs have no effect on traffic until you enable them globally. To globally enable all ACLs, enter:

(config)# acl enable

Disabling ACLs on the CSS

If you need to add, change, or delete an ACL, or delete an ACL clause, we recommend that you globally disable all ACLs on the CSS before you remove the ACL from its circuit. If you remove an ACL from a circuit while ACLs are still globally enabled, the CSS applies an implicit "deny all" clause to that circuit and denies all traffic on it, including sessions terminating on the CSS itself, which can lock you out if you manage the CSS over that circuit.

Note Globally disabling ACLs disables every ACL on the CSS and permits all traffic on all CSS circuits until you enable ACLs again. Keep the window between acl disable and acl enable as short as possible.

To globally disable all ACLs on the CSS, enter:

(config)# acl disable
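The following is an added worked example, not a configuration from the guide, showing the enable, edit and disable sequence above in the order that avoids the implicit "deny all" on the circuit. The ACL index (7), the circuit name (VLAN1), the admin subnet 192.168.10.0/24 and the server subnet 10.1.1.0/24 are assumptions chosen for illustration; lines beginning with ! are annotations, not commands.

```text
! Added example (not from the guide). ACL 7, circuit VLAN1 and the
! subnets below are assumed values for illustration only.

! 1. Build the ACL before enabling ACLs globally. Clause 10 keeps the CSS
!    reachable from the admin subnet (Telnet/FTP to the CSS is ACL-checked
!    too, see Router Hits); clause 20 permits the client traffic the
!    circuit must carry. Everything else on VLAN1 hits the implicit deny.
(config)# acl 7
(config-acl[7])# clause 10 permit any 192.168.10.0 255.255.255.0 destination any
(config-acl[7])# clause 20 permit tcp any destination 10.1.1.0 255.255.255.0
(config-acl[7])# apply circuit-(VLAN1)
(config-acl[7])# exit

! 2. Only now turn ACLs on. Until this point the clauses are inert.
(config)# acl enable

! 3. Later change to ACL 7. Safe order: disable globally first, remove the
!    ACL from the circuit, edit, re-apply, re-enable. Removing the ACL
!    while ACLs are enabled would leave VLAN1 under an implicit "deny all"
!    and drop the admin session as well.
(config)# acl disable
(config)# acl 7
(config-acl[7])# remove circuit-(VLAN1)
(config-acl[7])# no clause 20
(config-acl[7])# clause 20 permit tcp any destination 10.1.1.0 255.255.255.0
(config-acl[7])# apply circuit-(VLAN1)
(config-acl[7])# exit
(config)# acl enable

! 4. Confirm the clauses took effect and watch the hit counters climb.
(config)# show acl 7
```

The order matters in step 3: acl disable permits all traffic on every circuit while it is in effect, so keep that window short and verify with show acl 7 that the clause you expect is present before leaving the session.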

Showing ACLs

Use the show acl commands to display access control lists and clauses. The show acl commands are available in all modes.

When you show an ACL clause that is applied to a circuit, the display includes:

Content Hits - A flow is a stream of UDP or TCP packets between a client and a server. The CSS must receive several packets from the client and the server before it can completely set up a flow. All packets received before the flow is completely set up are subject to ACL checks and increment the ACL Content Hits counter.

Router Hits - All non-UDP and non-TCP packets subjected to ACL checks increment the ACL Router Hits counter. All UDP and TCP traffic that terminates on the CSS itself (for example, a Telnet or FTP session to the CSS) also increments the ACL Router Hits counter, which is why an ACL on a circuit can block management access as well as content traffic.

Cisco Content Services Switch Security Configuration Guide
OL-5650-02