Chapter 1 Controlling CSS Access
Controlling CSS Network Traffic Through Access Control Lists
1-30
Cisco Content Services Switch Security Configuration Guide
OL-5650-02
Use the global configuration acl enable command to enable all ACLs on the CSS.
To globally enable all ACLs, enter:
(config)# acl enable
Disabling ACLs on the CSS
If you need to add, change, or delete an ACL or delete an ACL clause, we
recommend that you disable all ACLs on the CSS before removing the ACL from
the circuit. If you remove an ACL before globally disabling ACLs, the CSS
applies an implicit “deny all” clause to the circuit from which the ACL is removed
and denies traffic on the circuit.
Note: Globally disabling ACLs on the CSS disables all ACLs on the CSS and permits all traffic on all CSS circuits.
To globally disable all ACLs on the CSS, enter:
(config)# acl disable
Showing ACLs
Use the show acl commands to display access control lists and clauses. The show
acl commands are available in all modes.
When you show an ACL clause that is applied to a circuit, the display includes:

Content Hits - A flow can be defined as a stream of UDP and TCP packets between a client and a server. The CSS must receive a number of packets from the client and the server before it can completely set up a flow. All of these packets, received before the flow is completely set up, are subject to ACL checks and can cause increments to the ACL Content Hits counter.

Router Hits - All non-UDP and non-TCP packets subjected to ACL checks cause increments to the ACL Router Hits counter. All UDP and TCP traffic terminating on the CSS (for example, a Telnet or FTP session) causes increments to the ACL Router Hits counter.
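The following Python model is an added illustration of how the two counters described above are accounted; it is not code from the guide or from Cisco. It assumes a CSS-owned address of 10.0.0.1 and a flow-setup length of three packets (a TCP handshake), both constructed values, since the guide does not state how many packets the CSS needs before a flow is set up.

```python
from dataclasses import dataclass, field

# Constructed for this illustration (not from the guide): the address the CSS
# itself answers on, and an assumed flow-setup length of 3 packets (a TCP handshake).
CSS_OWN_ADDRESSES = {"10.0.0.1"}
FLOW_SETUP_PACKETS = 3

@dataclass
class Packet:
    proto: str  # "tcp", "udp", or anything else ("icmp", "ospf", ...)
    src: str
    dst: str

@dataclass
class AclCounters:
    content_hits: int = 0
    router_hits: int = 0
    flow_packets: dict = field(default_factory=dict)  # packets seen per flow

def account(pkt: Packet, c: AclCounters, own=CSS_OWN_ADDRESSES) -> str:
    # Returns which counter an ACL check on this packet increments, if any.
    if pkt.proto not in ("tcp", "udp"):       # non-UDP/TCP: always Router Hits
        c.router_hits += 1
        return "router"
    if pkt.dst in own:                        # UDP/TCP terminating on the CSS
        c.router_hits += 1
        return "router"
    # Transit UDP/TCP: only flow-setup packets are ACL-checked; later ones are not.
    key = (pkt.proto, frozenset((pkt.src, pkt.dst)))
    seen = c.flow_packets.get(key, 0)
    c.flow_packets[key] = seen + 1
    if seen < FLOW_SETUP_PACKETS:
        c.content_hits += 1
        return "content"
    return "none"

def tally(packets, own=CSS_OWN_ADDRESSES) -> AclCounters:
    c = AclCounters()
    for p in packets:
        account(p, c, own)
    return c

# Constructed trace: one HTTP flow through the CSS, a ping, a Telnet SYN to the CSS.
SAMPLE_TRACE = [
    Packet("tcp", "172.16.5.20", "10.0.1.100"),   # SYN        -> content
    Packet("tcp", "10.0.1.100", "172.16.5.20"),   # SYN-ACK    -> content
    Packet("tcp", "172.16.5.20", "10.0.1.100"),   # ACK        -> content
    Packet("tcp", "172.16.5.20", "10.0.1.100"),   # GET        -> flow set up, no check
    Packet("icmp", "172.16.5.20", "10.0.1.100"),  # ping       -> router
    Packet("tcp", "172.16.5.20", "10.0.0.1"),     # Telnet SYN -> router
]
```

Running `tally(SAMPLE_TRACE)` yields 3 Content Hits and 2 Router Hits, which is why the Content Hits counter does not track the total packet count of a flow.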