Chapter 1 Controlling CSS Access

Controlling CSS Network Traffic Through Access Control Lists

5. Reapply the ACL to the circuit.

(config-acl[7])# apply circuit-(VLAN1)

6. In global configuration mode, reenable all ACLs on the CSS.

(config)# acl enable

To globally disable logging for all ACL clauses, enter:

(config)# no logging subsystem acl

ACL Example

The following ACL provides security for a CSS, Server1, and Server2 on one VLAN (VLAN1). The ACL:

Permits clients from subnet 172.16.107.x to access servers 1 and 2 on VLAN1 using various applications (for example, Telnet, FTP, TFTP)

Permits clients from subnet 172.16.107.x to launch a browser with the URL 172.16.107.35 (the VIP address)

Prevents clients on any subnet other than 172.16.107.x from accessing VLAN1 and servers 1 and 2

The individual clauses provide the following security.

Clause 20 permits any protocol from source subnet 172.16.107.0 to Server1 (IP address 172.16.107.15).

Clause 30 permits any protocol from source subnet 172.16.107.0 to Server2 (IP address 172.16.107.16).

Clause 40 permits any protocol from source subnet 172.16.107.0 to VIP address 172.16.107.35 port 80 (HTTP).

Clause 50 permits bidirectional communication to the VLAN for any Internet Control Message Protocol (ICMP) traffic, including keepalives. If you are using service keepalives, you must configure a clause to permit keepalive traffic.

Clause 60 permits UDP to port 520 on the VLAN for Routing Information Protocol (RIP) updates. This clause is required if your router is on a subnet other than 172.16.107.x.

Clause 70 denies everything that has not been permitted in the ACL.
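The clause descriptions above are easier to reason about when you can watch packets walk the clause table. The following Python model is an added illustration written for this page; it is not the CSS configuration from the guide and not CSS software. It encodes the six clauses (20 through 70) as a table, evaluates constructed packets in clause-number order with first-match semantics, and reports which clause decided each one. The Packet and Clause types, the field names, the sample packet values, and the assumption that the "port 80" test in clause 40 applies only to packets that carry a destination port are all assumptions of this example.

```python
"""First-match evaluation of the ACL clauses described in the text.

Added illustration only: the clause table, packet model and sample traffic
are constructed here from the prose description, not taken from a CSS.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    dport: Optional[int] = None   # destination port; None for ICMP


@dataclass(frozen=True)
class Clause:
    number: int
    action: str                    # "permit" or "deny"
    proto: Optional[str]           # None matches any protocol
    src: Optional[IPv4Network]     # None matches any source
    dst: Optional[IPv4Network]     # None matches any destination
    dport: Optional[int] = None    # None matches any (or no) port

    def matches(self, pkt: Packet) -> bool:
        """True when every field the clause constrains agrees with the packet."""
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and IPv4Address(pkt.src) not in self.src:
            return False
        if self.dst is not None and IPv4Address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


# Addresses from the example description (assumed /24 for the client subnet).
CLIENTS = IPv4Network("172.16.107.0/24")
SERVER1 = IPv4Network("172.16.107.15/32")
SERVER2 = IPv4Network("172.16.107.16/32")
VIP = IPv4Network("172.16.107.35/32")

# Clause table built from the prose; clause numbers match the text.
ACL_7: List[Clause] = [
    Clause(20, "permit", None, CLIENTS, SERVER1),
    Clause(30, "permit", None, CLIENTS, SERVER2),
    Clause(40, "permit", None, CLIENTS, VIP, dport=80),
    Clause(50, "permit", "icmp", None, None),           # bidirectional ICMP, keepalives included
    Clause(60, "permit", "udp", None, None, dport=520),  # RIP updates from an off-subnet router
    Clause(70, "deny", None, None, None),                # explicit catch-all deny
]


def evaluate(acl: List[Clause], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, clause_number) of the first clause that matches pkt.

    Clauses are tried in ascending number order. Clause 70 already denies
    anything unmatched; the trailing default only covers an ACL without it.
    """
    for clause in sorted(acl, key=lambda c: c.number):
        if clause.matches(pkt):
            return clause.action, clause.number
    return "deny", None


# Constructed sample traffic (not captured data).
SAMPLE = {
    "telnet_to_server1":      Packet("tcp", "172.16.107.20", "172.16.107.15", 23),
    "http_to_vip":            Packet("tcp", "172.16.107.20", "172.16.107.35", 80),
    "ssh_to_vip":             Packet("tcp", "172.16.107.20", "172.16.107.35", 22),
    "outside_ftp_to_server2": Packet("tcp", "10.1.1.5", "172.16.107.16", 21),
    "icmp_reply_to_outside":  Packet("icmp", "172.16.107.15", "10.1.1.5"),
    "rip_from_router":        Packet("udp", "10.1.1.1", "172.16.107.1", 520),
}


def decisions(acl: List[Clause] = ACL_7):
    """Evaluate every sample packet against acl; keyed by sample name."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, (action, number) in decisions().items():
        print(f"{name:24} -> {action} (clause {number})")
```

Two things the run makes visible: SSH to the VIP from the permitted subnet still falls through to clause 70, because clause 40 only opens port 80, and dropping clause 60 from the table turns the RIP update from the off-subnet router into a clause 70 deny, which is exactly why the text calls that clause required when the router is not on 172.16.107.x.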


Cisco Content Services Switch Security Configuration Guide

1-34

OL-5650-02
