CSS 11500 question

Unanswered Question
Dec 28th, 2009

I have a customer who wants to restrict outbound from CSS to certian sites with certian ports.

Basically they want to go to site www.xxx.com on port 2400 and www.yyy.com on port 3500. Thats it. All other traffic should be restricted from CSS

how can that be done?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jason.espino Mon, 12/28/2009 - 20:20


Just as devsharma mentioned the configuration you are requesting can be achieved through the use of ACLs on the CSS.

The configuration should look something like this:

This global configuration command will allow the CSS to use the ACLs you configured.

acl enable

nql Networks - would be the networks or internal IPs you would like to apply the restirction too.

!**************************** NQL ****************************
nql Networks

ACLs - Just like a firewall, the CSS will match traffic based on the line number of the ACL clause and has a hidden implicit deny at the end of each ACL configuration.  The first 2 entries will be your permit, the 3rd your deny, and the last to allow all other outbound traffic to pass. Simply replace the IP address with the site's true IP.

!**************************** ACL ****************************
acl 1
  clause 1 permit tcp nql Networks destination eq 2400
  clause 2 permit tcp nql Networks destination eq 3500
  clause 3 deny any nql Networks destination
  clause 4 permit any any destination any

  apply circuit-(VLAN1)

If your CSS is in routed mode you would need to create another ACL entry with a "permit ip any any" and apply it to that circuit.  This would allow all traffic entering/exiting that circuit VLAN to pass. The ACL 1 configuration should be applied to the circuit VLAN were your server's outbound traffic would be intercetped 1st.  If you CSS is in bridged or one-armed mode the ACL will be applied to the single circuit VLAN.

PLEASE be sure to configure you ACL clauses and apply them to the approprite Cicuit VLAN BEFORE implimenting the "acl enable" global command. If you do this command 1st and you do not configure the ACLs clauses, and apply them to the correct Circuits you will lock yourself out of the CSS (if you are SSH'ed or Telnet'ed into the device) and the device will begin to drop all traffic.

Also please be advised, setting up ACLs on the CSS can be VERY CPU intensive.  I would recommend configuring ACLs during your non-peak hours of traffic.  Also, it would be best to take a snap shot of the CPU BEFORE and AFTER implmenting the rules.  This would give you an estatement of how much processing is involved by simply configuing the ACLs on the CSS.

The following command can be used to obtain the CPU information:

sho system-resources cpu_summary

I hope this info helps!

- Jason


This Discussion