
Cisco CSS 11000 Series Content Services Switches

Port Ranges in ACLs on the CSS 11000

Document ID: 21361

Updated: May 03, 2004


Introduction

This document describes the use of port ranges in conjunction with an Access Control List (ACL) on the Content Services Switch (CSS) 11000 series switch.

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

Before attempting this configuration, please ensure that you meet the following prerequisites:

  • CSS basic configuration

  • CSS advanced configuration with regards to an ACL

  • Knowledge of TCP/UDP port numbers

Components Used

The information in this document is based on the software and hardware versions below.

  • Software Release version 3.x and higher

  • All revisions of this hardware version.

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Configure

In this section, you are presented with the information to configure the features described in this document.

Port Ranges in ACLs

Using a port range in an ACL clause reduces the number of clauses you need to configure when you want to block user access to a contiguous set of TCP/UDP ports. For example, suppose you want to block ports 20 through 23 for all users entering the CSS from outside your network. This example assumes that the outside (public) side of the CSS is on VLAN2 and that the internal (server) side of the network is on VLAN1.

You would create the following two ACLs. The first is applied to the public circuit (VLAN2) and blocks the port range; the second is applied to the server circuit (VLAN1) and permits all traffic there.

acl 1
  clause 10 deny any any destination range 20 23

!--- This clause blocks TCP/UDP destination ports 20 through 23 (inclusive).

  clause 20 permit any any destination any

!--- This clause allows everything else.

  apply circuit-(VLAN2)
acl 2

!--- The original omitted the number of this ACL; 2 is assumed here.

  clause 10 permit any any destination any
  apply circuit-(VLAN1)
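To make the first-match behaviour of these clauses concrete, the following Python evaluator is an added example; it is not Cisco code and does not reproduce the CSS implementation. It parses the two ACLs from this page, tries clauses in ascending clause-number order, treats the range as inclusive on both ends, and assumes an implicit deny for traffic that matches no clause or arrives on a circuit with no ACL applied. The sample packets and addresses (203.0.113.5, 10.0.0.10, VLAN3) are constructed, and the second ACL is numbered 2 by assumption because the original omitted its number.

```python
"""Toy first-match evaluator for CSS-style ACL clauses.

Added example, not Cisco code: it models the page's two ACLs so the effect
of 'destination range 20 23' on sample packets can be checked offline.
Assumptions: clauses are tried in ascending clause-number order, the port
range is inclusive on both ends, and anything that matches no clause (or a
circuit with no ACL applied) falls through to an implicit deny.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the page's configuration. The original omitted the
# number of the second ACL; 2 is assumed here.
CONFIG = """
acl 1
  clause 10 deny any any destination range 20 23
  clause 20 permit any any destination any
  apply circuit-(VLAN2)
acl 2
  clause 10 permit any any destination any
  apply circuit-(VLAN1)
"""

# Matches 'clause N permit|deny PROTO SRC destination [DST] [eq P | range LO HI]'.
# Only single-token addresses ('any' or one IP) are modelled; masks are not.
CLAUSE_RE = re.compile(
    r"clause\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+destination"
    r"(?:\s+(?P<dst>(?!eq\b|range\b)\S+))?"
    r"(?:\s+eq\s+(?P<eq>\d+)|\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+))?\s*$"
)


@dataclass
class Clause:
    number: int
    action: str
    proto: str
    src: str
    dst: str
    ports: Optional[tuple]  # (low, high) inclusive, or None for any port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.src != "any" and self.src != src:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        if self.ports is not None:
            lo, hi = self.ports
            if not lo <= dport <= hi:
                return False
        return True


def parse_acls(config: str) -> dict:
    """Return {circuit name: [clauses sorted by number]} from CSS-style text."""
    circuits = {}
    current = []
    for raw in config.splitlines():
        line = raw.split("!---", 1)[0].strip()  # drop '!---' comments
        if not line:
            continue
        if line.startswith("acl "):
            current = []  # start collecting clauses for a new ACL
        elif line.startswith("clause "):
            m = CLAUSE_RE.match(line)
            if not m:
                raise ValueError(f"unparsable clause: {line!r}")
            if m.group("eq"):
                ports = (int(m.group("eq")), int(m.group("eq")))
            elif m.group("lo"):
                ports = (int(m.group("lo")), int(m.group("hi")))
            else:
                ports = None
            current.append(Clause(int(m.group("num")), m.group("action"),
                                  m.group("proto"), m.group("src"),
                                  m.group("dst") or "any", ports))
        elif line.startswith("apply circuit-"):
            name = line[len("apply circuit-"):].strip("()")
            circuits[name] = sorted(current, key=lambda c: c.number)
    return circuits


def evaluate(circuits: dict, vlan: str, proto: str, src: str, dst: str, dport: int):
    """First matching clause wins; returns (action, clause number or None)."""
    for clause in circuits.get(vlan, []):
        if clause.matches(proto, src, dst, dport):
            return clause.action, clause.number
    return "deny", None  # assumed implicit deny: no clause or no ACL matched


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    # Constructed sample packets: (circuit, proto, src, dst, dst port).
    samples = [
        ("VLAN2", "tcp", "203.0.113.5", "10.0.0.10", 21),   # ftp, inside range
        ("VLAN2", "tcp", "203.0.113.5", "10.0.0.10", 23),   # telnet, range end
        ("VLAN2", "udp", "203.0.113.5", "10.0.0.10", 20),   # 'any' covers UDP too
        ("VLAN2", "tcp", "203.0.113.5", "10.0.0.10", 80),   # outside range
        ("VLAN1", "tcp", "10.0.0.10", "203.0.113.5", 21),   # server side, permit-all
        ("VLAN3", "tcp", "10.0.0.10", "203.0.113.5", 80),   # no ACL applied
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(acls, *pkt))
```

The run shows why the second, permit-everything ACL on VLAN1 matters: once the evaluator has nothing to match on a circuit, it falls through to deny, so the server side needs an explicit permit clause to keep passing traffic. On the CSS itself ACLs take effect only after the global acl enable command, which this page does not show; check that it is present before relying on either ACL.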

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information
