
Cisco CSS 11500 Series Content Services Switches

Using NQLs on the CSS 11500


Document ID: 12609

Updated: Mar 07, 2006


Introduction

This document explains how to reduce the size of your Access Control Lists (ACLs) with Network Qualifier Lists (NQLs). An NQL groups addresses under one name, so a single ACL clause can refer to the group instead of repeating one clause per address. In the example below, what would otherwise take 14 ACL clauses is done with 3 NQLs and 4 ACL clauses.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Content Services Switch (CSS) 11000 (End of Life) and 11500 series content services switches

  • Cisco WebNS Software Release 7.20

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Information and Examples

Network Diagram

This document uses this network setup:

[Network diagram: how_to_use_nqls.gif]

Examples

The clause statements in the two configuration examples that follow do the following:

  • Clauses 20 and 21 allow HTTP traffic to the Virtual IPs (VIPs).

  • Clauses 30, 31, and 32 allow Telnet traffic from the Remote Intranet to any server.

  • Clauses 40, 41, 42, 43, 44, and 45 allow traffic to be sent between the servers.

  • Clauses 50, 51, and 52 allow the servers to send traffic to the Remote Intranet.

Example without NQLs

**************************** ACL ****************************
acl 1
clause 20 permit tcp any destination 193.54.22.100 eq 80
clause 21 permit tcp any destination 193.54.22.210 eq 80
clause 30 permit tcp 63.25.128.0 255.255.128.0 destination 193.54.22.1 eq 23
clause 31 permit tcp 63.25.128.0 255.255.128.0 destination 193.54.22.2 eq 23
clause 32 permit tcp 63.25.128.0 255.255.128.0 destination 193.54.22.3 eq 23
clause 40 permit any 193.54.22.1 destination 193.54.22.2
clause 41 permit any 193.54.22.1 destination 193.54.22.3
clause 42 permit any 193.54.22.2 destination 193.54.22.1
clause 43 permit any 193.54.22.2 destination 193.54.22.3
clause 44 permit any 193.54.22.3 destination 193.54.22.1
clause 45 permit any 193.54.22.3 destination 193.54.22.2
clause 50 bypass any 193.54.22.1 destination 63.25.128.0 255.255.128.0
clause 51 bypass any 193.54.22.2 destination 63.25.128.0 255.255.128.0
clause 52 bypass any 193.54.22.3 destination 63.25.128.0 255.255.128.0
apply circuit-(VLAN1)

Example with NQLs

**************************** NQL ****************************
nql Local
description "Traffic for local devices"
ip address 193.54.22.0 255.255.255.240

nql Remote
description "Allow traffic to/from remote intranet"
ip address 63.25.128.0 255.255.128.0

nql VIP
description "Traffic to the VIP's"
ip address 193.54.22.100 255.255.255.255
ip address 193.54.22.210 255.255.255.255


**************************** ACL ****************************
acl 1
clause 20 permit tcp any destination nql VIP eq 80
clause 30 permit tcp nql Remote destination nql Local eq 23
clause 40 permit any nql Local destination nql Local
clause 50 bypass any nql Local destination nql Remote
apply circuit-(VLAN1)
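
One check worth making before replacing per-host clauses with NQL references: the Local NQL is a /28 (193.54.22.0 255.255.255.240), so "nql Local" covers 16 addresses, while the original clauses named only the three servers. The following Python script is an added example, not part of the Cisco document; it parses the Telnet clauses from both examples above with the standard ipaddress module and lists the destinations the NQL version newly permits. The remote source address 63.25.200.7 and the treatment of a non-matching flow as the ACL's implicit deny are assumptions made here.

```python
import ipaddress

# NQLs from the page's "Example with NQLs", restated here as Python data.
NQLS = {"Local": ["193.54.22.0/28"], "Remote": ["63.25.128.0/17"],
        "VIP": ["193.54.22.100/32", "193.54.22.210/32"]}
# The Telnet clauses from both page examples; the other clauses parse the same way.
ACL_PLAIN = """\
clause 30 permit tcp 63.25.128.0 255.255.128.0 destination 193.54.22.1 eq 23
clause 31 permit tcp 63.25.128.0 255.255.128.0 destination 193.54.22.2 eq 23
clause 32 permit tcp 63.25.128.0 255.255.128.0 destination 193.54.22.3 eq 23"""
ACL_NQL = "clause 30 permit tcp nql Remote destination nql Local eq 23"

def _addr(tok):
    """Consume one address spec from the token list: any | nql NAME | A.B.C.D [MASK]."""
    t = tok.pop(0)
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if t == "nql":
        return [ipaddress.ip_network(n) for n in NQLS[tok.pop(0)]]
    mask = tok.pop(0) if tok and tok[0][0].isdigit() else "255.255.255.255"
    return [ipaddress.ip_network(f"{t}/{mask}", strict=False)]

def parse(text):
    """Parse 'clause N ACTION PROTO SRC destination DST [eq PORT]' lines into tuples."""
    rules = []
    for tok in (line.split() for line in text.splitlines()):
        action, proto, rest = tok[2], tok[3], tok[4:]
        src = _addr(rest)
        assert rest.pop(0) == "destination"
        dst = _addr(rest)
        rules.append((action, proto, src, dst, int(rest[1]) if rest else None))
    return rules

def verdict(rules, proto, src, dst, port):
    """Action of the first matching clause; no match is treated as the ACL's implicit deny (assumed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if (rproto in ("any", proto) and rport in (None, port)
                and any(s in n for n in rsrc) and any(d in n for n in rdst)):
            return action
    return "deny"

def widened_flows(plain, nql, flows):
    """Flows the NQL version allows that the per-host version denied."""
    return [f for f in flows if verdict(plain, *f) == "deny" and verdict(nql, *f) != "deny"]

# Constructed probes: Telnet from one assumed Remote host to every address in the Local /28.
PROBES = [("tcp", "63.25.200.7", str(d), 23) for d in ipaddress.ip_network(NQLS["Local"][0])]
EXTRA = widened_flows(parse(ACL_PLAIN), parse(ACL_NQL), PROBES)
print(len(EXTRA), "Telnet destinations newly allowed by the NQL clause:", [f[2] for f in EXTRA])
```

If the three servers are the only hosts that should accept Telnet from the remote intranet, tighten the NQL (for example with three /32 entries, as the VIP NQL does) rather than the /28.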
