
Chapter 1 Controlling CSS Access
Controlling CSS Network Traffic Through Access Control Lists
Use the global configuration acl enable command to enable all ACLs on the CSS. To globally enable all ACLs, enter:
(config)# acl enable
Disabling ACLs on the CSS
If you need to add, change, or delete an ACL or delete an ACL clause, we recommend that you disable all ACLs on the CSS before removing the ACL from the circuit. If you remove an ACL before globally disabling ACLs, the CSS applies an implicit “deny all” clause to the circuit from which the ACL is removed and denies traffic on the circuit.
Note: Globally disabling ACLs on the CSS disables all ACLs on the CSS and permits all traffic on all CSS circuits.
To globally disable all ACLs on the CSS, enter:
(config)# acl disable
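An added example, not from the Cisco guide: a Python check that audits a planned change script for the two outcomes described above, an ACL removed from a circuit while ACLs are still globally enabled (implicit deny all on that circuit) and ACLs left globally disabled when the script ends (all traffic permitted). The `remove circuit-(...)` command form, the sample script, and the `enabled_at_start` parameter are assumptions; only `acl enable` and `acl disable` appear on this page.

```python
import re

# Constructed change script. Only "acl enable" / "acl disable" appear on the
# page; the "remove circuit-(...)" form used here is an assumption.
SAMPLE_SCRIPT = """\
(config)# acl 7
(config-acl[7])# remove circuit-(VLAN1)
(config)# acl disable
(config)# acl 8
(config-acl[8])# remove circuit-(VLAN2)
"""

IMPLICIT_DENY = "removed while ACLs enabled: implicit deny all on the circuit"
LEFT_DISABLED = "ACLs left globally disabled: all traffic permitted"

PROMPT_RE = re.compile(r"^\(config[^)]*\)#\s*")   # strips "(config)# " style prompts
REMOVE_RE = re.compile(r"^remove\s+circuit-\(\S+\)$")


def audit_change_script(text, enabled_at_start=True):
    """Return (line_number, finding) pairs for risky ACL command ordering."""
    findings = []
    enabled = enabled_at_start  # assumption: caller knows the current global state
    disabled_at = None
    for number, raw in enumerate(text.splitlines(), 1):
        cmd = PROMPT_RE.sub("", raw.strip())
        if cmd == "acl disable":
            enabled, disabled_at = False, number
        elif cmd == "acl enable":
            enabled, disabled_at = True, None
        elif REMOVE_RE.match(cmd) and enabled:
            # Removal before the global disable triggers the implicit deny all.
            findings.append((number, IMPLICIT_DENY))
    if not enabled:
        # Line 0 means ACLs were already disabled before the script ran.
        findings.append((disabled_at or 0, LEFT_DISABLED))
    return findings


if __name__ == "__main__":
    for number, finding in audit_change_script(SAMPLE_SCRIPT):
        print(f"line {number}: {finding}")
```

A script that passes cleanly disables ACLs first, makes its removals, and ends with `acl enable`.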
Showing ACLs
Use the show acl commands to display access control lists and clauses. The show acl commands are available in all modes.
When you show an ACL clause that is applied to a circuit, the display includes:
• Content Hits - A flow can be defined as a stream of UDP and TCP packets between a client and a server. The CSS must receive a number of packets from the client and the server before it can completely set up a flow. All of these packets, received before the flow is completely set up, are subject to ACL checks and can cause increments to the ACL Content Hits counter.
• Router Hits - All
| Cisco Content Services Switch Security Configuration Guide |