Cisco Content Services Switch Security Configuration Guide
OL-5650-02
Chapter 1 Controlling CSS Access
Controlling CSS Network Traffic Through Access Control Lists
Enabling ACLs globally affects all traffic on all CSS circuits, whether or not an
ACL is applied to them. Once ACLs are enabled, any traffic on a circuit that is not
matched by an ACL permit clause is denied. A circuit with no ACL applied therefore
passes no traffic at all.
When the CSS is using ACLs, its hardware implements a maximum of 10 ACLs
with simple Layer 3 or Layer 4 clauses. The CSS software implements more
complicated ACLs with Layer 5 clauses.
Note ACLs are not supported on the CSS Ethernet Management port.
ACLs do not block ARP packets.
You cannot use an ACL clause with a source group to perform source address
translation of traffic destined to an SSL module. The CSS accepts such a clause
but ignores it for flows terminated at the SSL module. You can apply NAT to
connections towards servers after SSL processing.
If you are load-balancing passive FTP servers and you want to use an ACL to
apply a source group, you must configure services directly in the source group.
For details on using source groups to support FTP sessions, refer to the Cisco
Content Services Switch Content Load-Balancing Configuration Guide.
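The fail-closed behaviour described above (once ACLs are enabled, every circuit needs an applied ACL with at least one permit clause, and the hardware path handles at most 10 ACLs built only from Layer 3/Layer 4 clauses) is worth checking before the enable command is issued, because a missed circuit loses all traffic. The following pre-flight audit is an added example, not Cisco code and not a CSS feature. The `circuit`, `acl`, `clause` and `apply` line forms it parses are a simplified notation assumed for this example rather than the exact CSS CLI syntax, Layer 5 clauses are recognised here by an assumed `url` keyword, and the sample configuration is constructed.

```python
"""Pre-flight audit of a CSS-style ACL configuration (added example, not Cisco's).

Rules modelled, as stated in the guide:
  * after 'acl enable', a circuit with no applied ACL, or whose ACLs have no
    permit clause, denies all traffic;
  * the hardware path implements at most 10 ACLs made only of Layer 3/4
    clauses; ACLs that contain Layer 5 clauses are handled in software.
Config syntax below is a simplified, assumed form used only for illustration.
"""
import re
from dataclasses import dataclass, field

HW_ACL_LIMIT = 10  # maximum number of simple L3/L4 ACLs handled in hardware


@dataclass
class Clause:
    number: int
    action: str      # "permit", "deny" or "bypass"
    body: str        # match expression after the action keyword
    layer5: bool     # True when the clause matches on content (assumed 'url' keyword)


@dataclass
class Acl:
    index: int
    clauses: list = field(default_factory=list)
    circuits: list = field(default_factory=list)

    def has_permit(self):
        return any(c.action == "permit" for c in self.clauses)

    def hardware_eligible(self):
        # An ACL with any Layer 5 clause leaves the hardware path.
        return not any(c.layer5 for c in self.clauses)


def parse_config(text):
    """Parse the simplified stanzas; returns ({acl index: Acl}, [circuit names])."""
    acls, circuits, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.fullmatch(r"circuit\s+(\S+)", line):
            circuits.append(m.group(1))
            current = None
        elif m := re.fullmatch(r"acl\s+(\d+)", line):
            idx = int(m.group(1))
            current = acls.setdefault(idx, Acl(idx))
        elif (m := re.fullmatch(r"clause\s+(\d+)\s+(permit|deny|bypass)\s+(.+)", line)) and current:
            body = m.group(3)
            layer5 = re.search(r"\burl\b", body) is not None
            current.clauses.append(Clause(int(m.group(1)), m.group(2), body, layer5))
        elif (m := re.fullmatch(r"apply\s+(\S+)", line)) and current:
            current.circuits.append(m.group(1))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return acls, circuits


def audit(acls, circuits):
    """Report what 'acl enable' would do to each circuit and to ACL placement."""
    covered, no_permit = set(), []
    for acl in sorted(acls.values(), key=lambda a: a.index):
        if acl.has_permit():
            covered.update(acl.circuits)
        elif acl.circuits:
            no_permit.append(acl.index)   # applied, but can only deny
    hardware = sorted(a.index for a in acls.values() if a.hardware_eligible())
    software = sorted(a.index for a in acls.values() if not a.hardware_eligible())
    return {
        "black_holed": [c for c in circuits if c not in covered],  # lose all traffic
        "acls_without_permit": no_permit,
        "hardware_acls": hardware,
        "software_acls": software,
        "over_hardware_limit": len(hardware) > HW_ACL_LIMIT,
    }


def audit_config(text):
    return audit(*parse_config(text))


# Constructed sample: VLAN3 has a deny-only ACL, VLAN4 has no ACL at all.
SAMPLE_CONFIG = """
! constructed sample, not a real CSS configuration dump
circuit VLAN1
circuit VLAN2
circuit VLAN3
circuit VLAN4
acl 1
  clause 10 permit any 10.1.1.0 255.255.255.0 destination any
  clause 20 deny any any destination any
  apply VLAN1
acl 2
  clause 10 permit tcp any destination 192.168.5.10 eq 80 url "/images/*"
  apply VLAN2
acl 3
  clause 10 deny any any destination any
  apply VLAN3
"""

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for circuit in report["black_holed"]:
        print(f"circuit {circuit}: all traffic denied once ACLs are enabled")
    for idx in report["acls_without_permit"]:
        print(f"acl {idx}: applied but contains no permit clause")
    print("hardware ACLs:", report["hardware_acls"], "software ACLs:", report["software_acls"])
```

Running the script against the constructed sample flags VLAN3 (deny-only ACL) and VLAN4 (no ACL) as circuits that would carry no traffic after enabling, and places acl 2 on the software path because of its Layer 5 clause. The guide does not state what happens to simple ACLs beyond the tenth, so the audit only raises a flag when that count is exceeded.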
ACL Configuration Quick Start
Use the quick-start procedure in Table 1-1 to configure an ACL. Each step
includes the CLI command required to complete the task. For a complete
description of each feature, see the sections following this procedure.
Note You must configure an ACL with at least one permit clause for each CSS circuit.
Otherwise, the CSS denies all traffic on the circuit.