Chapter 1 Controlling CSS Access

Configuring Network Qualifier Lists for ACLs

!**************************** ACL ***************************

acl 1

clause 20 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.15

clause 30 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.16

clause 40 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.35 eq 80

clause 50 permit ICMP any destination any

clause 60 permit udp any destination any eq 520

clause 70 deny any any destination any

apply circuit-(VLAN1)

Configuring Network Qualifier Lists for ACLs

NQL configuration mode allows you to configure a network qualifier list (NQL). An NQL is a list of networks or specific services, identified by IP address and subnet mask, that you assign to an ACL clause as a source or destination. By grouping networks into an NQL and assigning the NQL to an ACL clause, you have to create only one clause instead of a separate clause for each network.

The CSS enables you to configure a maximum of 512:

Networks or services per NQL

NQLs per CSS

This functionality is useful, for example, in a caching environment in which you have a network you want to bypass and send content requests directly to the origin servers (servers containing the content). You can also use an NQL for users who prefer a service based on a specific network.

To access NQL configuration mode, use the nql command. The prompt changes to (config-nql [name]). You can also use this command from NQL mode to access another NQL.
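As an added illustration that is not part of the guide, the following Python models how the CSS walks the clauses of the ACL shown above in ascending clause-number order and returns the first match, and how a single clause with an NQL source covers every network in the list. The NQL name BRANCH_NETS, its member networks and the simplified per-flow matching model are assumptions for the example.

```python
import ipaddress
# Constructed data: ACL clauses as shown on this page; NQL name/members are hypothetical.
NQLS = {"BRANCH_NETS": ["10.1.0.0/16", "10.2.0.0/16"]}
PAGE_ACL = """
clause 20 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.15
clause 30 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.16
clause 40 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.35 eq 80
clause 50 permit ICMP any destination any
clause 60 permit udp any destination any eq 520
clause 70 deny any any destination any
"""
# One clause with an NQL source stands in for one clause per member network.
NQL_ACL = """
clause 10 permit tcp nql BRANCH_NETS destination 172.16.107.35 eq 80
clause 70 deny any any destination any
"""
KEYWORDS = {"destination", "eq", "nql", "any"}

def parse_addr(tok, i):
    """Parse 'any' | 'nql NAME' | 'addr mask' | bare host; return (networks, next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "nql":
        return [ipaddress.ip_network(n) for n in NQLS[tok[i + 1]]], i + 2
    if i + 1 < len(tok) and tok[i + 1] not in KEYWORDS:  # address followed by a mask
        return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2
    return [ipaddress.ip_network(tok[i])], i + 1  # bare host address becomes /32

def parse_acl(text):
    """Parse clause lines into (num, action, proto, src_nets, dst_nets, dst_port) tuples."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        num, action, proto = int(tok[1]), tok[2], tok[3].lower()
        src, i = parse_addr(tok, 4)
        dst, port = [ipaddress.ip_network("0.0.0.0/0")], None
        if i < len(tok) and tok[i] == "destination":
            dst, i = parse_addr(tok, i + 1)
        if i < len(tok) and tok[i] == "eq":
            port = int(tok[i + 1])
        acl.append((num, action, proto, src, dst, port))
    return sorted(acl)  # CSS evaluates clauses in ascending clause-number order

def evaluate(acl, proto, src, dst, dport=None):
    """Return (clause number, action) of the first matching clause, or None if none matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, action, cproto, srcs, dsts, port in acl:
        if (cproto in ("any", proto) and (port is None or port == dport)
                and any(s in n for n in srcs) and any(d in n for n in dsts)):
            return num, action
    return None
```

Running the page's ACL through evaluate shows that clause 20 admits any port to 172.16.107.15 while clause 40 admits only port 80 to 172.16.107.35, and that everything else from the subnet falls through to the deny in clause 70.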

See the following sections to configure an NQL:

Creating an NQL

Describing an NQL

Adding Networks to an NQL

Adding an NQL to an ACL Clause

Showing NQL Configurations

Cisco Content Services Switch Security Configuration Guide

OL-5650-02

1-35
