Cisco Content Services Switch Security Configuration Guide
OL-5650-02
Chapter 1 Controlling CSS Access
Controlling CSS Network Traffic Through Access Control Lists
2. In ACL mode, remove the ACL from the circuit.

   (config-acl[7])# remove circuit-(VLAN1)

3. Make any changes to the ACL.

   If you delete an ACL from the circuit, configure another ACL with a permit
   clause for the circuit, and then apply it to the circuit. Otherwise, when you
   reenable the ACLs on the CSS, the CSS denies traffic on the circuit.

4. Reapply the ACL on the circuit.

   (config-acl[7])# apply circuit-(VLAN1)

5. In global configuration mode, reenable all ACLs on the CSS.

   (config)# acl enable
Enabling ACLs on the CSS
After you configure ACLs and their clauses, and apply an ACL to each CSS
circuit, you can globally enable all ACLs for use on the CSS. When you globally
enable all ACLs, the CSS applies ACL filtering to all traffic on all circuits and
passes traffic only on circuits whose applied ACL contains a permit clause.
Caution
It is extremely important that you first configure an ACL for each CSS circuit to
permit traffic before you enable ACLs. Enabling ACLs affects all circuits. If you
do not permit traffic, you lose network connectivity. When you enable ACLs, all
traffic on a circuit that is not matched by an ACL permit clause is denied. The
CSS applies an implicit "deny all" clause to any circuit that does not have an ACL
applied to it.
For example, you configure three circuits on the CSS (VLAN1, VLAN2, and
VLAN3). Then you configure an ACL for VLAN1 only. When you globally
enable ACLs, VLAN1 passes traffic based on the ACL. However, VLAN2 and
VLAN3 discard all packets because of the implicit “deny all” clause that the CSS
applies to the circuits because they do not have an ACL.
Before you globally enable ACLs on the CSS, make sure that you have console
access. The console port is not affected if you lose network connectivity because
of an ACL configuration problem.
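The following is an added example, not Cisco code and not part of this guide. It models the rule this section describes (a circuit with no applied ACL, or with an ACL that has no permit clause, passes nothing once "acl enable" is issued) as a pre-flight check, and wraps steps 1 through 5 of the modification procedure above in one function. It does not parse CSS CLI syntax: ACLs are plain Python objects, and the ACL numbers, clause numbers and circuit names are constructed to match the VLAN1/VLAN2/VLAN3 scenario in the text. Which packets a permit clause actually matches is outside the model; it only records whether a permit clause exists.

```python
from dataclasses import dataclass, field


@dataclass
class Acl:
    """A CSS ACL in this constructed model: numbered clauses and the circuits it is applied to."""
    index: int
    clauses: dict = field(default_factory=dict)   # clause number -> "permit" | "deny"
    circuits: set = field(default_factory=set)    # circuit names the ACL is applied to


@dataclass
class CssConfig:
    circuits: set                                 # every circuit configured on the CSS
    acls: dict = field(default_factory=dict)      # ACL index -> Acl
    acl_enabled: bool = False                     # state of the global 'acl enable'


def circuit_status(cfg, circuit):
    """Verdict for one circuit once ACLs are globally enabled.

    Mirrors the guide: a circuit with no ACL gets an implicit 'deny all', and a
    circuit whose applied ACLs carry no permit clause passes nothing either.
    """
    applied = [a for a in cfg.acls.values() if circuit in a.circuits]
    if not applied:
        return "deny", "no ACL applied (implicit deny all)"
    for acl in applied:
        if "permit" in acl.clauses.values():
            return "permit", f"ACL {acl.index} has a permit clause"
    return "deny", "applied ACL has no permit clause"


def preflight(cfg):
    """Per-circuit report an operator reviews before issuing 'acl enable'."""
    return {c: circuit_status(cfg, c) for c in sorted(cfg.circuits)}


def blackholed_circuits(cfg):
    """Circuits that would stop passing traffic after 'acl enable'."""
    return [c for c, (verdict, _) in preflight(cfg).items() if verdict == "deny"]


def acl_enable(cfg, force=False):
    """Model of 'acl enable' guarded by the pre-flight check.

    Returns the circuits that would lose connectivity and leaves ACLs disabled
    unless every circuit is permitted or the operator explicitly forces it.
    """
    bad = blackholed_circuits(cfg)
    if bad and not force:
        return bad
    cfg.acl_enabled = True
    return []


def acl_disable(cfg):
    """Model of 'acl disable'."""
    cfg.acl_enabled = False


def modify_acl(cfg, index, circuit, edit):
    """Steps 1-5 from the guide: disable, remove from circuit, edit, reapply, enable."""
    acl = cfg.acls[index]
    acl_disable(cfg)                   # 1. acl disable
    acl.circuits.discard(circuit)      # 2. remove circuit-(...)
    edit(acl)                          # 3. make the changes
    acl.circuits.add(circuit)          # 4. apply circuit-(...)
    return acl_enable(cfg)             # 5. acl enable (guarded)


def example_config():
    """Constructed config matching the guide's scenario: three circuits, ACL on VLAN1 only."""
    cfg = CssConfig(circuits={"VLAN1", "VLAN2", "VLAN3"})
    cfg.acls[7] = Acl(7, clauses={10: "permit", 20: "deny"}, circuits={"VLAN1"})
    return cfg


if __name__ == "__main__":
    cfg = example_config()
    for circuit, (verdict, why) in preflight(cfg).items():
        print(f"{circuit}: {verdict} ({why})")
    print("acl enable refused for:", acl_enable(cfg))
```

Running the block prints the three-circuit report from the text (VLAN1 permitted, VLAN2 and VLAN3 denied by the implicit "deny all") and shows the guarded enable refusing until each circuit has an ACL with a permit clause; the same check is what you would want to run from the console session the guide tells you to keep open.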