Document ID: 21361
This document describes the use of port ranges in conjunction with an Access Control List (ACL) on the Content Services Switch (CSS) 11000 series switch.
For more information on document conventions, see the Cisco Technical Tips Conventions.
Before attempting this configuration, please ensure that you meet the following prerequisites:
CSS basic configuration
CSS advanced configuration with regard to ACLs
Knowledge of TCP/UDP port numbers
The information in this document is based on the software and hardware versions below.
Software release version 3.x and higher
All hardware revisions of the CSS 11000 series
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
In this section, you are presented with the information to configure the features described in this document.
Using port ranges in an ACL reduces the number of clauses you must configure when you want to block user access to a set of TCP/UDP ports. For example, suppose you want to block ports 20 through 23 for all users coming into the switch from outside your network. This example assumes that the outside (public) side of the CSS is on VLAN2 and that the internal (server) side is on VLAN1.
You would create the following ACL:
acl 1
  clause 10 deny any any destination range 20 23
  !--- This clause blocks destination ports 20 through 23.
  clause 20 permit any any destination any
  !--- This clause allows everything else.
  apply circuit-(VLAN2)

acl
  clause 10 permit any any destination any
  !--- This clause allows all traffic on the internal side.
  apply circuit-(VLAN1)
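As an added illustration that is not part of the original document, the following Python simulates the first-match evaluation of the clauses above so you can check which destination ports a circuit blocks before the ACL goes live. The configuration text is a constructed copy, the second ACL is numbered 2 here only because the page omits its index, and the implicit-deny fallback is an assumption of this model rather than a statement about CSS behaviour.

```python
import re

# Constructed sample mirroring the page's ACL. The page leaves the second
# ACL's index blank; it is numbered 2 here only so the example parses.
ACL_CONFIG = """\
acl 1
  clause 10 deny any any destination range 20 23
  clause 20 permit any any destination any
  apply circuit-(VLAN2)
acl 2
  clause 10 permit any any destination any
  apply circuit-(VLAN1)
"""


def parse_acls(text):
    """Return {circuit: [(clause_no, action, proto, (lo, hi) or None), ...]}."""
    by_circuit, clauses = {}, []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "acl":
            clauses = []                      # start collecting a new ACL
        elif tok[0] == "clause":
            num, action, proto = int(tok[1]), tok[2], tok[3]
            # "range lo hi" restricts destination ports; absent means any port.
            ports = None
            if "range" in tok:
                i = tok.index("range")
                ports = (int(tok[i + 1]), int(tok[i + 2]))
            clauses.append((num, action, proto, ports))
        elif tok[0] == "apply":
            circuit = re.fullmatch(r"circuit-\((\w+)\)", tok[1]).group(1)
            # Clauses are evaluated in ascending clause-number order.
            by_circuit[circuit] = sorted(clauses, key=lambda c: c[0])
    return by_circuit


def evaluate(acls, circuit, proto, dst_port):
    """First matching clause wins. No match, or no ACL on the circuit, is
    modelled as deny; that fallback is an assumption of this simulator."""
    for _num, action, cproto, ports in acls.get(circuit, []):
        if cproto not in ("any", proto):
            continue
        if ports is not None and not (ports[0] <= dst_port <= ports[1]):
            continue
        return action
    return "deny"
```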
There is currently no verification procedure available for this configuration.
There is currently no specific troubleshooting information available for this configuration.
Updated: May 03, 2004