Cisco CSS 11000 Series Content Services Switches

Configuring Access Lists on the CSS 11000

Document ID: 7816

Updated: May 03, 2004



This document explains how access lists (ACLs) work on the Content Services Switch (CSS) and provides a sample configuration.

It is beyond the scope of this document to describe all of the features of this configuration. More information on any feature reviewed in this document is available in the Related Information section.

Before You Begin


Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

There are no specific prerequisites for this document.

Components Used

This document is not restricted to specific software and hardware versions.


Configure

The following describes the configuration process for the CSS. Follow the steps in this order so as to avoid denying traffic by mistake: once ACLs are enabled globally, any traffic that is not explicitly permitted by an ACL applied to a circuit is dropped. See Enabling ACLs on the CSS 11000 Disables All by Default for further information. A complete sample configuration is also provided.

  1. Create an access list that permits the desired traffic and explicitly denies all other traffic by issuing the acl command and then the clause command in ACL configuration mode.

  2. Apply the access list to appropriate circuits by issuing the apply command.

    Note: Even if you do not wish to block traffic on a circuit, you still need to configure an access list that explicitly permits all traffic and apply it to that circuit. A circuit with no ACL applied drops all traffic once ACLs are enabled.

  3. When every access list has been created and applied, enable access control globally by issuing the acl enable command.
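The three steps above fail in a predictable way when taken out of order: if acl enable is issued while a circuit has no ACL applied, or while its ACL has no permit clause, that circuit drops everything. The following is an added example, not code from the Cisco document, that reads a CSS configuration as plain text and reports those conditions before you enable ACLs; it also flags a circuit that runs RIP whose ACL does not permit UDP 520, the case clause 1 of the sample configuration handles. The configuration text, its VLAN names and its 10.x.x.x addresses are constructed for this example.

```python
"""Pre-flight check for a CSS 11000 ACL configuration (added example).

Not code from the Cisco document. Parses a CSS configuration as plain
text and lists the conditions that cause a lockout once 'acl enable'
is set: a circuit with no ACL applied, or an applied ACL that has no
permit clause. Also flags a RIP circuit whose ACL does not permit UDP 520.
"""
import re

# Constructed sample: VLAN1 is correct, acl 2 on VLAN2 has no permit
# clause, and VLAN3 has no ACL applied at all.
SAMPLE_CONFIG = """\
 acl enable
 acl log enable
 circuit VLAN1
  ip address 10.1.1.1 255.255.255.0
  rip send v2
  rip receive both
 circuit VLAN2
  ip address 10.2.2.1 255.255.255.0
 circuit VLAN3
  ip address 10.3.3.1 255.255.255.0
acl 1
  clause 1 permit udp any eq 520 destination any eq 520
  clause 2 permit tcp any destination 10.1.1.100 eq http
  apply circuit-(VLAN1)
acl 2
  clause 4 deny any destination any
  apply circuit-(VLAN2)
"""

CLAUSE_RE = re.compile(r"clause\s+(\d+)\s+(permit|deny|bypass)\s+(\S+)(.*)$")
APPLY_RE = re.compile(r"apply\s+circuit-\((\S+)\)$")


def parse_config(text):
    """Return the global ACL state, circuits and ACLs found in the config."""
    cfg = {"acl_enabled": False, "circuits": {}, "acls": {}}
    current = None  # ("circuit", name) or ("acl", index) being parsed
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "acl enable":
            cfg["acl_enabled"] = True
            current = None
            continue
        m = re.match(r"circuit\s+(\S+)$", line)
        if m:
            current = ("circuit", m.group(1))
            cfg["circuits"].setdefault(m.group(1), {"rip": False})
            continue
        m = re.match(r"acl\s+(\d+)$", line)
        if m:
            current = ("acl", int(m.group(1)))
            cfg["acls"].setdefault(int(m.group(1)), {"clauses": [], "applied": []})
            continue
        if current is None:
            continue
        kind, key = current
        if kind == "circuit":
            if line.startswith("rip "):
                cfg["circuits"][key]["rip"] = True
            continue
        m = CLAUSE_RE.match(line)
        if m:
            cfg["acls"][key]["clauses"].append(
                {"number": int(m.group(1)), "action": m.group(2),
                 "protocol": m.group(3), "rest": m.group(4)})
            continue
        m = APPLY_RE.match(line)
        if m:
            cfg["acls"][key]["applied"].append(m.group(1))
    return cfg


def permits_rip(acl):
    """True if some permit clause lets RIP (UDP port 520) through."""
    for c in acl["clauses"]:
        if c["action"] != "permit":
            continue
        if c["protocol"] == "any":
            return True
        # UDP clause that names port 520, or UDP with no port restriction at all
        if c["protocol"] == "udp" and (
                re.search(r"\b520\b", c["rest"]) or " eq " not in c["rest"]):
            return True
    return False


def preflight(cfg):
    """List the problems that would deny traffic once ACLs are enabled."""
    findings = []
    applied_to = {}  # circuit name -> indices of ACLs applied to it
    for idx, acl in sorted(cfg["acls"].items()):
        if not any(c["action"] == "permit" for c in acl["clauses"]):
            findings.append(
                f"acl {idx} has no permit clause; circuits it is applied to "
                f"({', '.join(acl['applied']) or 'none'}) will drop all traffic")
        for name in acl["applied"]:
            applied_to.setdefault(name, []).append(idx)
    for name, info in cfg["circuits"].items():
        idxs = applied_to.get(name, [])
        if not idxs:
            findings.append(f"circuit {name} has no ACL applied; all traffic "
                            f"on it is denied once 'acl enable' is set")
        elif info["rip"] and not any(permits_rip(cfg["acls"][i]) for i in idxs):
            findings.append(f"circuit {name} runs RIP but acl {idxs} does not "
                            f"permit udp 520; routing updates will be dropped")
    return findings


def check(text):
    """Parse a configuration and return its pre-flight findings."""
    return preflight(parse_config(text))


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    severity = "LOCKED OUT NOW" if cfg["acl_enabled"] else "would lock out"
    for finding in preflight(cfg):
        print(f"{severity}: {finding}")
```

Run it against a saved copy of show running-config before issuing acl enable; an empty findings list means every circuit has an applied ACL with at least one permit clause. The check is text-based and deliberately conservative: it does not evaluate source or destination addresses, so a permit clause that exists but matches the wrong hosts still passes.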

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).


CSS11XXX WebNS 4.0 or later
!Generated on 10/28/2001 18:40:54 
!Active version: ap0410017s


!*************************** GLOBAL ***************************

!--- Globally enable ACLs.
!--- When you enter the acl enable command, all traffic is denied 
!--- except for traffic specified in an ACL permit clause.

 acl enable 
 acl log enable

!--- Add a default route pointing to the upstream router.

 ip route 1

!************************* INTERFACE *************************

!--- Define the VLAN1 port.

 interface ethernet-1
  bridge vlan 1 

!--- Define the VLAN2 ports.
 interface ethernet-2
  bridge vlan 2
 interface ethernet-3
  bridge vlan 2 

!************************** CIRCUIT **************************

!--- CSS 11000 IP address on the server side (the servers' default gateway).

 circuit VLAN2
  ip address 

!--- CSS 11000 IP address on the router side.
!--- RIP is enabled, sending RIPV2 updates, and receiving both RIPV1 and RIPV2
!--- updates.

 circuit VLAN1
  ip address 
  rip send v2
  rip receive both

!************************** SERVICE **************************

!--- Define HTTP servers.

service Server1 
  ip address
  keepalive type http 
  keepalive uri "/index.html"

service Server2 
  ip address 
  keepalive type http 
  keepalive uri "/index.html" 

!*************************** OWNER ***************************

!--- Define Layer 3 and Layer 5 content rules for the VIP that
!--- load-balance HTTP requests across Server1 and Server2.

  content L3 
    add service Server1 
    add service Server2
    ip address 

  content L5
    add service Server1 
    add service Server2
    ip address 
    protocol tcp
    port 80
    url "/*"
    balance aca

!**************************** ACL ****************************

!--- Clause 1 permits RIP updates (UDP port 520) from the router.
!--- Clause 2 permits only HTTP traffic to the VIP; everything else is denied.
!--- Apply this ACL to the router-side circuit (VLAN1).

acl 1 
  clause 1 permit udp any eq 520 destination any eq 520 
  clause 2 permit tcp any destination eq http 
  apply circuit-(VLAN1) 

!--- Clause 4 permits the servers to send any traffic on the 10 network.
!--- Apply this ACL to the server-side circuit (VLAN2).

acl 2
  clause 4 permit any destination
  apply circuit-(VLAN2) 



Verify

Issue the show acl command to verify that the ACL is working correctly. The per-clause counters show whether packets are matching each clause; a clause whose counters stay at zero while the traffic it should match is flowing points to a clause that is misordered or written incorrectly.

Acl:  1 
  Clause:  2 
    Action:       permit TCP 
    Source:       any 
    Source Port:  any 
    Dest Port:    eq 80 
    Log:          disabled 
    Counters:     Content Hits: 1, Router Hits: 0
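The counters are only meaningful as a difference: capture show acl, send the traffic a clause is supposed to match, capture again, and compare. The following is an added example, not code from the Cisco document, that parses two captures in the output format shown above and reports the per-clause deltas and the clauses that did not move. Both captures are constructed for this example; in the constructed data clause 2 (HTTP to the VIP) moves, clause 1 (RIP) moves, and a clause 3 on port 443 never matches.

```python
"""Compare 'show acl' clause counters before and after test traffic.

Added example, not from the Cisco document. Parses the per-clause
output format of 'show acl' on the CSS 11000 and diffs two captures.
"""
import re

# Constructed capture taken before sending test traffic.
BEFORE = """\
Acl:  1
  Clause:  1
    Action:       permit UDP
    Source:       any
    Source Port:  eq 520
    Dest Port:    eq 520
    Log:          disabled
    Counters:     Content Hits: 0, Router Hits: 12
  Clause:  2
    Action:       permit TCP
    Source:       any
    Source Port:  any
    Dest Port:    eq 80
    Log:          disabled
    Counters:     Content Hits: 1, Router Hits: 0
  Clause:  3
    Action:       permit TCP
    Source:       any
    Source Port:  any
    Dest Port:    eq 443
    Log:          disabled
    Counters:     Content Hits: 0, Router Hits: 0
"""

# Constructed capture taken after a few HTTP requests to the VIP.
AFTER = BEFORE.replace("Content Hits: 0, Router Hits: 12",
                       "Content Hits: 0, Router Hits: 13") \
              .replace("Content Hits: 1, Router Hits: 0",
                       "Content Hits: 9, Router Hits: 0")


def parse_show_acl(text):
    """Return {(acl, clause): {"action": str, "content": int, "router": int}}."""
    clauses = {}
    acl = clause = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Acl:\s+(\d+)$", line)
        if m:
            acl, clause = int(m.group(1)), None
            continue
        m = re.match(r"Clause:\s+(\d+)$", line)
        if m and acl is not None:
            clause = int(m.group(1))
            clauses[(acl, clause)] = {"action": "", "content": 0, "router": 0}
            continue
        if acl is None or clause is None:
            continue
        m = re.match(r"Action:\s+(.+)$", line)
        if m:
            clauses[(acl, clause)]["action"] = m.group(1)
            continue
        m = re.match(r"Counters:\s+Content Hits:\s+(\d+),\s+Router Hits:\s+(\d+)", line)
        if m:
            clauses[(acl, clause)]["content"] = int(m.group(1))
            clauses[(acl, clause)]["router"] = int(m.group(2))
    return clauses


def counter_deltas(before, after):
    """Per-clause increase in hits between two captures (keyed as in 'after')."""
    deltas = {}
    for key, now in after.items():
        then = before.get(key, {"content": 0, "router": 0})
        deltas[key] = {"action": now["action"],
                       "content": now["content"] - then["content"],
                       "router": now["router"] - then["router"]}
    return deltas


def unmatched_clauses(deltas):
    """Clauses whose counters did not move at all during the test window."""
    return [key for key, d in sorted(deltas.items())
            if d["content"] == 0 and d["router"] == 0]


if __name__ == "__main__":
    deltas = counter_deltas(parse_show_acl(BEFORE), parse_show_acl(AFTER))
    for (acl, clause), d in sorted(deltas.items()):
        print(f"acl {acl} clause {clause} ({d['action']}): "
              f"+{d['content']} content, +{d['router']} router")
    print("no hits during test:", unmatched_clauses(deltas))
```

A clause that shows up in the unmatched list after you have deliberately generated the traffic it should permit is the one to inspect first; compare its protocol, ports and the order of clauses against the traffic you actually sent.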

Related Information
