Cisco Systems OL-5650-02 Switch User Manual

Chapter 1 Controlling CSS Access
Controlling CSS Network Traffic Through Access Control Lists
Cisco Content Services Switch Security Configuration Guide, OL-5650-02, page 1-20
clause number bypass - Creates a clause in the ACL that permits traffic on a circuit and bypasses (does not process) the content rules that would otherwise apply to that traffic. The syntax for clause bypass is:

clause number bypass protocol [source_info {source_port}] destination [dest_info {dest_port}] {sourcegroup name} {prefer servicename}
Note The bypass option skips content-rule processing only. Because it is the content rule that would translate the destination address, no Network Address Translation (NAT) takes place for bypassed traffic. Do not use the bypass option in an ACL clause that also specifies a source group; the bypass option has no effect on the NAT performed by a source group.
clause number deny - Creates a clause in the ACL that denies traffic on a circuit. The syntax for clause deny is:

clause number deny protocol [source_info {source_port}] destination [dest_info {dest_port}] {sourcegroup name} {prefer servicename}
clause number permit - Creates a clause in the ACL that permits traffic on a circuit. Once an ACL contains a permit clause, any traffic that is not explicitly permitted by some clause is denied by default, so every flow you intend to allow must match a permit (or bypass) clause. The syntax for clause permit is:

clause number permit protocol [source_info {source_port}] destination [dest_info {dest_port}] {sourcegroup name} {prefer servicename}
Note When the destination in an ACL clause is a Layer 5 content rule, the CSS does not spoof the connection, so the initial TCP SYN arrives before any Layer 5 information is available and the clause cannot match it. The ACL clause therefore does not function as you would expect. As a workaround, configure an additional clause that permits the TCP/IP address and port used by the content rule. Be aware that content is matched against both clauses. For example:

clause 14 permit any any destination content Layer5/L5 eq 80
clause 15 permit tcp any destination 200.200.200.200 eq 80

Clause 14 is the original clause. Clause 15 is the additional clause that handles the SYN; its destination IP address is the IP address configured in the Layer 5 content rule, and its clause number must be greater than the number of the destination content clause.
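The following ACL configuration is added here as a worked illustration and is not taken from the guide. It puts the three clause types together with the Layer 5 workaround described in the Note above. The ACL index 10, the circuit name VLAN1, the source networks and hosts, and the owner/rule name Layer5/L5 with its server address 200.200.200.200 are illustrative values; the `acl`, `apply circuit-(...)` and `acl enable` commands (create an ACL, bind it to a circuit, and turn on ACL processing) and the address/mask form of source_info are assumed from the CSS command set and should be checked against the command reference for your software release. Lines beginning with `!` are explanatory comments.

```text
! Create ACL 10 and enter ACL configuration mode
acl 10

! Deny all traffic from the management subnet to the web server address.
! Deny clauses are ordered by clause number, so keep this one numbered low.
clause 5 deny any 192.168.50.0 255.255.255.0 destination 200.200.200.200

! Let one monitoring host reach the server address directly. The bypass
! clause permits the traffic but skips content-rule processing, so no
! content-rule NAT is applied (assumed use case; see the Note on bypass).
clause 10 bypass tcp 10.10.10.5 255.255.255.255 destination 200.200.200.200 eq 80

! Original Layer 5 clause: permit clients to the Layer 5 content rule
clause 14 permit any any destination content Layer5/L5 eq 80

! Workaround clause that handles the TCP SYN. Its destination is the IP
! address configured in the Layer 5 content rule and its number must be
! greater than clause 14.
clause 15 permit tcp any destination 200.200.200.200 eq 80

! Because the ACL now contains permit clauses, all other traffic on the
! circuit is denied by default; no explicit "deny any" clause is needed.

! Bind the ACL to the circuit that faces the clients
apply circuit-(VLAN1)

! Leave ACL configuration mode and enable ACL processing
exit
acl enable
```

When reading the result back with `show running-config` (or `show acl 10`), confirm that clause 15 is listed after clause 14 and that the deny clause appears before any permit or bypass clause that could match the same source; clause numbers, not the order in which you typed the commands, determine the evaluation order.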