This document describes the use of port ranges in conjunction with an
Access Control List (ACL) on the Content Services Switch (CSS) 11000 series
For more information on document conventions, see the
Cisco Technical Tips
Before attempting this configuration, please ensure that you meet the
The information in this document is based on the software and hardware
The information presented in this document was created from devices in
a specific lab environment. All of the devices used in this document started
with a cleared (default) configuration. If you are working in a live network,
ensure that you understand the potential impact of any command before using
In this section, you are presented with the information to configure
the features described in this document.
Using port ranges in an ACL reduces the number of ACLs you would need to
configure when you want to block user access to several TCP/UDP ports. For
example, suppose you want to block ports 20 through 23 for all users coming
into the box from outside your network. First, assume that the outside
network, or public side, of the CSS is in VLAN2, and the internal, or server
side, of the network is on VLAN1.
You would create the following ACL:
clause 10 deny any any destination range 20 23
!--- This clause blocks destination ports 20 through 23.
clause 20 permit any any destination any
!--- This clause allows everything else.
clause 10 permit any any destination any
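The following Python model is an added example, not part of the original document and not Cisco code. It parses the clause form shown above and evaluates destination ports against the outside-facing ACL, so you can check the range boundaries and see why the deny clause must carry the lower clause number. It assumes clauses are evaluated in ascending clause-number order with the first match winning, and that unmatched traffic is denied; the names parse_acl, decide, PAGE_ACL and SHADOWED_ACL are hypothetical.

```python
import re

# Clause form used on this page: clause N permit|deny any any destination ...
CLAUSE_RE = re.compile(
    r"^clause\s+(\d+)\s+(permit|deny)\s+any\s+any\s+destination\s+"
    r"(?:range\s+(\d+)\s+(\d+)|any)$"
)

def parse_acl(text):
    """Return clauses as (number, action, low, high), sorted by clause number."""
    clauses = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):   # skip blanks and !--- comments
            continue
        m = CLAUSE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported clause: {line!r}")
        number, action, low, high = m.groups()
        low, high = (int(low), int(high)) if low else (0, 65535)
        if low > high:
            raise ValueError(f"empty port range in clause {number}")
        clauses.append((int(number), action, low, high))
    return sorted(clauses)

def decide(clauses, dst_port):
    """First matching clause wins; the range bounds are inclusive."""
    for number, action, low, high in clauses:
        if low <= dst_port <= high:
            return action, number
    return "deny", None   # assumption: unmatched traffic is dropped

# The outside-facing clauses from this page.
PAGE_ACL = """
clause 10 deny any any destination range 20 23
!--- This clause blocks.
clause 20 permit any any destination any
"""

# Constructed misordering: the broad permit now has the lower number.
SHADOWED_ACL = """
clause 10 permit any any destination any
clause 20 deny any any destination range 20 23
"""

if __name__ == "__main__":
    for name, acl in (("page", PAGE_ACL), ("shadowed", SHADOWED_ACL)):
        rules = parse_acl(acl)
        print(name, {p: decide(rules, p) for p in (19, 20, 23, 24)})
```

With the page's ordering, ports 20 and 23 hit clause 10 and are denied while 19 and 24 fall through to clause 20. In the constructed misordering every port matches the permit first, so the range clause never takes effect.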
There is currently no verification procedure available for this
There is currently no specific troubleshooting information available
for this configuration.