This document describes how to configure access control lists (ACLs) on the Content Services Switch (CSS) 11000 and 11500 series switches.
This document also describes how to avoid some potential problems that can occur during the configuration, as well as how to use ACLs in conjunction with source groups to optimize the flow of traffic from the servers.
Caution: If you are working in a live network, ensure that you understand the potential impact of any command before using it.
For more information on document conventions, see the Cisco Technical Tips Conventions.
There are no specific prerequisites for this document.
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This document uses this network setup:
In this section, you are presented with the information to configure the features described in this document.
Complete these steps to configure an ACL on CSS 11000/11500 series switches:
Create an ACL on the CSS 11000/11500 box by issuing the acl <integer 1-99> command at the global configuration prompt.
Create your policies inside the ACL by adding clause statements.
Based on your needs, your clauses can vary. Since the CSS 11000/11500 switch applies a hidden deny all clause as clause 255, you need to specify all traffic that you want to permit, including management traffic to the CSS 11000/11500.
This is an example of a basic ACL that allows all traffic from any server on VLAN 1 to reach any destination server on VLAN 2:
CS100(config-acl)# clause 10 permit any 10.0.1.0 255.255.255.0 destination 10.0.2.0 255.255.255.0
Note: ACLs are applied to the traffic on the ingress VLAN.
Note: The CSS 11000/11500 does not apply ACLs to response traffic because you already have a flow established. For example, if a server on the 10.0.2.0 subnet needed to respond back to a server on the 10.0.1.0 subnet, you would not need to have an ACL to allow the response. You do, however, need to create clauses for responses back for your service keepalives.
Keep in mind that the clauses are applied in numeric order and not necessarily in the order that you configured them. If you create clause 1, it is applied to the traffic before clause 10 even though clause 10 is listed first in the running configuration. Apply the ACL to a VLAN and enable it globally by entering these commands:
CS100(config-acl)# apply circuit-(VLAN1) CS100(config-acl)# exit CS100(config)# acl enable
Note: There is an implicit deny all clause applied to any VLAN that does not have an ACL applied to it. In this example, by applying the ACL only to VLAN 1, all packets that are initially received on VLAN 2 and VLAN 3 are discarded when you issue the acl enable command. To overcome this problem, you should create another ACL that has a clause to permit all traffic and apply it to VLAN 2 and VLAN 3.
You should have console access to the CSS 11000/11500 at the time that you globally enable ACLs because if you have not specified to allow management traffic to the switch, you can lose all access to the switch. If you have locked yourself out of the switch because of ACLs, then you need to either get console access to disable the ACLs globally, or get a person on-site to power off the box. If you need to power off the box to recover from an ACL problem, the box reverts to your last saved configuration, which will not have the ACLs enabled globally. When you do not shutdown the box properly, the CSS 11000/11500 runs through a checkdisk at the time of bootup, so the boot time is significantly longer than usual.
If you need to make changes to an ACL or a clause, then you should first disable ACLs globally before removing the ACL from the VLAN. By first removing the ACL from a VLAN, you have placed a deny all clause on that VLAN (see the note above). Issue these commands to allow the administrator to make ACL/clause changes:
CS100(config)# acl disable CS100(config-acl)# remove circuit-(VLAN1)
Note: When you remove an applied ACL from the circuit, the CSS applies an implicit deny all clause to this circuit causing the CSS to deny all traffic on it. If you do not want the CSS to deny traffic on the circuit when removing the applied ACL from the circuit, globally disable ACLs on the CSS with the global configuration mode acl disable command. By disabling all ACLs on the CSS, the CSS permits all traffic on all circuits.
To allow devices on the private subnet to initiate traffic out to the Internet, you can use a source group, which functions as a many-to-one Network Address Translation (NAT) translator. One common concern is how to NAT traffic destined to the Internet only, and not to NAT for local traffic. ACLs can be used with source groups to make the decision based on the destination IP address.
Create a source group to add to the configuration:
CS100(config)# group outbound Create group <outbound>, [y/n]:y CS100(config-group[outbound])# vip address 22.214.171.124 CS100(config-group[outbound])# active
Note: The virtual IP (VIP) address in the source group must be a public IP address so that the response traffic gets routed back to the CSS 11000/11500. The VIP can either be an IP address within the same subnet as the IP address configured on the circuit VLAN 3 (not the same IP address), or a different public IP address that the routers in the network have static routes pointing to the CSS 11000/11500.
To create an ACL clause to allow the private VLANs to communicate with each other without using NAT, issue these commands:
CS100(config)# acl 1 Create ACL <1>, [y/n]:y CS100(config-acl)# clause 2 bypass any 10.0.1.0 255.255.255.0 destination 10.0.2.0 255.255.255.0
This configuration allows the clients on the 10.0.1.0 subnet to communicate with clients on the 10.0.2.0 subnet without the source group using NAT because the bypass statement tells the CSS 11000/11500 to route the traffic and bypass all rules configured on the CSS 11000/11500.
Add a clause to direct all other traffic from the clients on the 10.0.1.0 subnet to the source group, so the source IP address can use NAT to connect to 126.96.36.199:
CS100(config-acl)# clause 10 permit any 10.0.1.0 255.255.255.0 destination any sourcegroup outbound CS100(config-acl)# clause 1 permit icmp any destination any
Clause 1 is used to permit your keepalives for the services to be permitted into the CSS 11000/11500.
Apply the ACL to a VLAN:
CS100(config-acl)# apply circuit-(VLAN1) CS100(config-acl)# exit
Note: Only one ACL can be applied to a VLAN, but many VLANs can be applied to an ACL. For instance, you can apply VLAN 2 and VLAN 1 to ACL 2, but you cannot apply ACL 2 and ACL 3 to VLAN 3.
If you want the traffic from servers on VLAN 2 to hit the source group and also to communicate with VLAN1 without using a NAT IP address, issue these commands:
CS100(config)# acl 2 Create ACL <1>, [y/n]:y CS100(config-acl)# clause 1 bypass any 10.0.2.0 255.255.255.0 destination 10.0.1.0 255.255.255.0 CS100(config-acl)# clause 10 permit any 10.0.2.0 255.255.255.0 destination any sourcegroup outbound CS100(config-acl)# apply circuit-(VLAN2) CS100(config-acl)# exit
For inbound traffic from the Internet, you need to create/apply an ACL on VLAN3, and also enable the ACLs globally. For this example, allow any traffic to come in from the Internet:
CS100(config)# acl 3 Create ACL <1>, [y/n]:y CS100(config-acl)# clause 1 permit any any destination any CS100(config-acl)# apply circuit-(VLAN3) CS100(config-acl)# exit CS100(config)# acl enable CS100(config)# exit
This is a sample configuration:
CS100# show run acl !**************************** ACL **************************** acl 3 clause 1 permit any any destination any apply circuit-(VLAN3) acl 2 clause 1 bypass any 10.0.2.0 255.255.255.0 destination 10.0.1.0 255.255.255.0 clause 10 permit any 10.0.2.0 255.255.255.0 destination any sourcegroup outbound apply circuit-(VLAN2) acl 1 clause 2 bypass any 10.0.1.0 255.255.255.0 destination 10.0.2.0 255.255.255.0 clause 10 permit any 10.0.1.0 255.255.255.0 destination any sourcegroup outbound clause 1 permit icmp any destination any apply circuit-(VLAN1) CS100#
Note: Even though ACL clauses are listed in the order entered, the clauses are applied in numerical order.
Based on the configuration above, these statements are true:
Packets sourced from the 10.0.1.0 subnet destined to 10.0.2.0 are not connected using NAT by the source group.
Packets sourced from the 10.0.2.0 subnet destined to 10.0.1.0 are not connected using NAT by the source group.
Packets sourced from either 10.0.1.0 or 10.0.2.0, destined anywhere other than what was specified in statements 1 and 2, use NAT to connect to a source IP address of 188.8.131.52.
Any Internet Control Message Protocol (ICMP) keepalives for services on the 10.0.1.0 subnet are allowed.
All traffic initiated from the Internet, and responses from the servers, are permitted.
Issue the following commands to verify the ACL configuration and usage:
show acl — displays all ACLs and their clauses.
show acl index — displays the clauses for the specified ACL index number (valid numbers are 1 to 99).
show acl config — shows the ACL global configuration. This command also displays which ACLs are applied to which circuits.
You may enable ACL or clause logging for troubleshooting purpose, however, note that it may degrade the performance of the CSS.
To globally enable ACL logging, issue the global configuration mode logging subsystem acl level debug-7 command.
To enable logging on an existing ACL clause, issue the log enable option for the clause command.
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.