
Cisco CSS 11000 Series Content Services Switches

Configuring Access Lists on the CSS 11000

Document ID: 7816

Updated: May 03, 2004


Introduction

This document provides an explanation and sample configuration for the configuration of access lists on the Content Services Switch (CSS).

It is beyond the scope of this document to describe all of the features of this configuration. More information on any feature reviewed in this document is available in the Related Information section.

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

There are no specific prerequisites for this document.

Components Used

This document is not restricted to specific software and hardware versions.

Configure

The following describes the configuration process for the CSS. Follow the steps in this order to avoid denying traffic by mistake: on the CSS, enabling ACLs denies every flow that no permit clause covers, so the permit clauses must be created and applied to their circuits before ACLs are enabled globally. See Enabling ACLs on the CSS 11000 Disables All by Default for further information. A complete sample configuration is also provided.

  1. Create an access list that permits the desired traffic by issuing the acl command and its associated ACL Configuration Mode clause command. Once ACLs are enabled, any traffic not matched by a permit clause is denied.

  2. Apply the access list to appropriate circuits by issuing the apply command.

    Note: Even if you do not wish to block traffic on a circuit, you still need to configure an access list that explicitly permits all traffic and apply it to that circuit. The same applies to traffic addressed to the CSS itself, such as the RIP updates permitted by clause 1 in the sample configuration below.

  3. When the access list has been created and applied, enable access control globally by issuing the acl enable command.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Configuration

CSS11XXX WebNS 4.0 or later
!Generated on 10/28/2001 18:40:54 
!Active version: ap0410017s

configure

!*************************** GLOBAL ***************************


!--- Globally enable ACLs.
!--- When you enter the acl enable command, all traffic is denied 
!--- except for traffic specified in an ACL permit clause.

 acl enable 
 acl log enable



!--- Add a default route pointing to the router at 192.32.1.1.


 ip route 0.0.0.0 0.0.0.0 192.32.1.1 1


!************************* INTERFACE *************************


!--- Define the VLAN1 port.

 interface ethernet-1
  bridge vlan 1 


!--- Define the VLAN2 ports.
 interface ethernet-2
  bridge vlan 2
 interface ethernet-3
  bridge vlan 2 


!************************** CIRCUIT **************************


!--- CSS 11000 IP address on the server side (the servers' default gateway).

 circuit VLAN2
  ip address 10.0.3.100 255.0.0.0 



!--- CSS 11000 IP address on the router side.
!--- RIP is enabled, sending RIPV2 updates, and receiving both RIPV1 and RIPV2
!--- updates.

 circuit VLAN1
  ip address 192.32.1.100 255.255.255.0 
  rip
  rip send v2
  rip receive both


!************************** SERVICE **************************



!--- Define HTTP servers.


service Server1 
  ip address 10.0.3.1
  keepalive type http 
  keepalive uri "/index.html"
  active 

service Server2 
  ip address 10.0.3.2 
  keepalive type http 
  keepalive uri "/index.html" 
  active 

!*************************** OWNER ***************************


!--- Define Layer 3 and Layer 5 HTTP wildcard rules for server 1 & 2
!--- to VIP 192.32.1.254.


owner www.acl.com 
  content L3 
    add service Server1 
    add service Server2
    ip address 192.32.1.254 
    active 

  content L5
    add service Server1 
    add service Server2
    ip address 192.32.1.254 
    protocol tcp
    port 80
    url "/*"
    balance aca
    active 

!**************************** ACL ****************************


!--- Clause 1 permits RIP updates (UDP port 520) to and from the CSS.
!--- Clause 2 permits only HTTP (TCP port 80) traffic to the VIP.
!--- All other traffic arriving on this circuit is denied.
!--- Apply to the router-side circuit (VLAN1).


acl 1 
  clause 1 permit udp any eq 520 destination any eq 520 
  clause 2 permit tcp any destination 192.32.1.254 eq http 
  apply circuit-(VLAN1) 



!--- Clause 4 permits any traffic sourced from the 10.0.0.0/8 network and
!--- destined to the 10.0.0.0/8 network (the servers and their gateway on the CSS).
!--- Apply to the server-side circuit (VLAN2).


acl 2
  clause 4 permit any 10.0.0.0 255.0.0.0 destination 10.0.0.0 255.0.0.0
  apply circuit-(VLAN2) 

end
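To make the implicit-deny behaviour described in the Configure section concrete, the following is an added example, not Cisco code and not part of the original document: a small Python model that parses the clause lines of the two ACLs in the sample configuration above and decides what happens to the first packet of a new flow on each circuit. Everything beyond what the page states is an assumption and is labelled as such in the code: first-match evaluation in clause-number order, only the first packet of a new flow being checked, a hypothetical permit-all ACL on a circuit named VLAN3 (illustrating the note in the Configure section), a hypothetical circuit VLAN4 with no ACL applied, and the client and administrator addresses used in the constructed sample flows.

```python
"""Model of CSS 11000 ACL clause evaluation (added example, not Cisco code).

Assumptions, not taken from the Cisco page:
  - clauses are tried in ascending clause-number order; the first match wins;
  - once 'acl enable' is set, a new flow matching no clause on its ingress
    circuit is denied, and a circuit with no ACL applied denies every new flow;
  - only the first packet of a new flow is checked (reply packets of an
    established flow are not re-evaluated);
  - ports are compared only with 'eq'; only the service names used on the
    page (http, rip) are resolved.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"http": 80, "rip": 520}


@dataclass(frozen=True)
class Flow:
    """First packet of a new flow arriving on a circuit."""
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Clause:
    number: int
    action: str         # permit | deny | bypass
    proto: str          # protocol name or "any"
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _is_ipv4(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _port(tok: str) -> int:
    return PORT_NAMES[tok.lower()] if tok.lower() in PORT_NAMES else int(tok)


def _addr_spec(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, Optional[int], int]:
    """Parse 'any' or 'ip [mask]' plus an optional 'eq port' starting at tokens[i].

    A bare address with no mask is a host match (mask 255.255.255.255), which is
    how 'show acl' displays 'destination 192.32.1.254' on the page.
    """
    if tokens[i] == "any":
        net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    else:
        ip, i = tokens[i], i + 1
        mask = "255.255.255.255"
        if i < len(tokens) and _is_ipv4(tokens[i]):
            mask, i = tokens[i], i + 1
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = _port(tokens[i + 1]), i + 2
    return net, port, i


def parse_clause(line: str) -> Clause:
    """Parse one 'clause N action proto SRC [eq P] destination DST [eq P]' line."""
    t = line.split()
    if t[0] != "clause":
        raise ValueError(f"not a clause line: {line!r}")
    number, action, proto = int(t[1]), t[2].lower(), t[3].lower()
    src, sport, i = _addr_spec(t, 4)
    if t[i] != "destination":
        raise ValueError(f"expected 'destination' in {line!r}")
    dst, dport, _ = _addr_spec(t, i + 1)
    return Clause(number, action, proto, src, sport, dst, dport)


def clause_matches(c: Clause, f: Flow) -> bool:
    return ((c.proto == "any" or c.proto == f.proto)
            and ipaddress.IPv4Address(f.src) in c.src
            and ipaddress.IPv4Address(f.dst) in c.dst
            and (c.sport is None or c.sport == f.sport)
            and (c.dport is None or c.dport == f.dport))


def evaluate(acl: Optional[List[Clause]], flow: Flow,
             acl_enabled: bool = True) -> Tuple[str, Optional[int]]:
    """Return (action, matching clause number); None means the implicit deny."""
    if not acl_enabled:                 # before 'acl enable' nothing is filtered
        return "permit", None
    for c in sorted(acl or [], key=lambda c: c.number):
        if clause_matches(c, flow):
            return c.action, c.number
    return "deny", None                 # no match, or no ACL on the circuit


# acl 1 and acl 2 from the page's sample configuration, plus hypothetical VLAN3
# (permit-all ACL) and hypothetical VLAN4 (no ACL applied at all).
CONFIG = {
    "VLAN1": ["clause 1 permit udp any eq 520 destination any eq 520",
              "clause 2 permit tcp any destination 192.32.1.254 eq http"],
    "VLAN2": ["clause 4 permit any 10.0.0.0 255.0.0.0 destination 10.0.0.0 255.0.0.0"],
    "VLAN3": ["clause 10 permit any any destination any"],
    "VLAN4": [],
}
ACLS = {name: [parse_clause(line) for line in lines] for name, lines in CONFIG.items()}


def evaluate_on(circuit: str, flow: Flow, acl_enabled: bool = True) -> Tuple[str, Optional[int]]:
    return evaluate(ACLS.get(circuit) or None, flow, acl_enabled)


if __name__ == "__main__":
    # Constructed flows; addresses other than the page's own are made up.
    samples = [
        ("VLAN1", Flow("udp", "192.32.1.1", 520, "224.0.0.9", 520)),       # RIP from the router
        ("VLAN1", Flow("tcp", "172.16.5.9", 40000, "192.32.1.254", 80)),    # HTTP to the VIP
        ("VLAN1", Flow("tcp", "172.16.5.9", 40000, "192.32.1.254", 443)),   # HTTPS to the VIP
        ("VLAN1", Flow("tcp", "192.32.1.50", 50000, "192.32.1.100", 23)),   # Telnet to the CSS itself
        ("VLAN2", Flow("icmp", "10.0.3.1", 0, "10.0.3.100", 0)),            # server to its gateway
        ("VLAN3", Flow("tcp", "192.0.2.7", 50000, "192.0.2.1", 22)),        # permit-all circuit
        ("VLAN4", Flow("tcp", "192.0.2.7", 50000, "192.0.2.1", 22)),        # circuit with no ACL
    ]
    for circuit, flow in samples:
        print(circuit, flow, "->", evaluate_on(circuit, flow))
```

Of the constructed flows, the one worth noticing is the Telnet session from the router side to the CSS's own circuit address 192.32.1.100: nothing in clauses 1 and 2 of acl 1 matches it, so under the model it is denied. Management access to the CSS from that side therefore needs its own permit clause, added and applied before acl enable is issued; the same holds for any other protocol the CSS must accept on a circuit.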

Verify

Issue the show acl command to verify that the ACL is working correctly. The per-clause hit counters show whether packets are matching each clause; the sample output below shows clause 2 of acl 1 after one HTTP flow to the VIP.

Acl:  1 
  Clause:  2 
    Action:       permit TCP 
    Source:       any 
    Source Port:  any 
    Destination:  192.32.1.254/255.255.255.255 
    Dest Port:    eq 80 
    Log:          disabled 
    Counters:     Content Hits: 1, Router Hits: 0

Related Information
