Re: CoPP clarification

From: Bryan Bartik <bbartik_at_ipexpert.com>
Date: Thu, 25 Jun 2009 08:53:14 -0600

Splinter,

Have you pasted your configuration exactly the way it exists? The reason I
ask is because your extended ACL is not complete. You have only specified a
source on the first two lines. Should be like this:

ip access-list extended LOOPBACK
 deny tcp host 10.10.1.1 any eq telnet
 deny tcp host 10.10.2.2 any eq telnet
 permit tcp any any eq telnet

Please verify the actual ACL and post back. Thanks!

On Thu, Jun 25, 2009 at 6:33 AM, Splinter <splinter330_at_gmail.com> wrote:

> Hi GS,
>
> I am playing around with CoPP to stop telnet to a certain router and would
> like some input or suggestions to what I am doing.
>
>
> I have the following scenario:
>
> R1 -------------- R3
> |                 |
> |                 |
> |                 |
> R2 -------------- R4
>
> I would like to only allow telnet to R3 and R4 from R1 and R2 loopbacks
> only.
>
> So here is what I have done:
>
> R3:
>
> ip access-list extended LOOPBACK
> deny tcp host 10.10.1.1 eq telnet
> deny tcp host 10.10.2.2 eq telnet
> permit tcp any any eq telnet
>
> class-map TELNET
> match access-group LOOPBACK
>
> policy-map SECURE
> class TELNET
> drop
>
> control-plane
> service-policy input SECURE
>
> So here is the problem, or maybe my understanding of how CoPP is working.
> I can telnet only using the loopbacks of R1 and R2, which is what I needed
> done.
> BUT I can still telnet from R4 to R3. WHY is this?
> When I created the control-plane I used the "input" keyword, and all telnet
> traffic going to the CP will look at my policy-map SECURE (correct?)
> and make its decision based on what is configured.
>
> Where am I going wrong?
>
>
> Regards
>
> Splinter
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Bryan Bartik
CCIE #23707 (R&S), CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
Received on Thu Jun 25 2009 - 08:53:14 ART
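Added example, written for this archive page and not code from either poster: a small Python model of the CoPP behaviour discussed in the thread, showing that a class-map keyed to an extended ACL drops what the ACL permits and exempts what it denies, and that the source-only lines Splinter posted fail to parse while Bryan's corrected lines work. Only the two loopback addresses come from the thread; any R3/R4 addresses used in test packets are assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst dport")   # TCP assumed, as in the thread

# ACL as posted by Splinter (source only) and as corrected by Bryan.
POSTED_ACL = """deny tcp host 10.10.1.1 eq telnet
deny tcp host 10.10.2.2 eq telnet
permit tcp any any eq telnet"""
CORRECTED_ACL = """deny tcp host 10.10.1.1 any eq telnet
deny tcp host 10.10.2.2 any eq telnet
permit tcp any any eq telnet"""

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from the token list; return (network, rest)."""
    if tokens[:1] == ["any"]:
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[:1] == ["host"] and len(tokens) > 1:
        return ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("incomplete ACE, expected 'any' or 'host A.B.C.D': " + " ".join(tokens))

def parse_acl(text):
    """Parse 'deny|permit tcp <src> <dst> [eq telnet]' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        action, _proto, *rest = line.split()
        src, rest = _addr(rest)
        dst, rest = _addr(rest)          # raises on the source-only lines Bryan flagged
        dport = 23 if rest[:2] == ["eq", "telnet"] else None   # IOS 'telnet' keyword = 23
        entries.append((action, src, dst, dport))
    return entries

def acl_is_complete(text):
    """Bryan's check: every ACE must carry both a source and a destination."""
    try:
        parse_acl(text)
        return True
    except ValueError:
        return False

def class_matches(entries, pkt):
    """class-map TELNET matches only when the ACL permits; deny (explicit or implicit) leaves it unclassified."""
    for action, src, dst, dport in entries:
        if (ip_address(pkt.src) in src and ip_address(pkt.dst) in dst
                and dport in (None, pkt.dport)):
            return action == "permit"
    return False

def copp_drops(acl_text, pkt):
    return class_matches(parse_acl(acl_text), pkt)   # policy-map SECURE: class TELNET -> drop
```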
