Splinter,
I am in the same boat as Bryan here: How can you have an extended ACL only
specifying a source? You have to have a destination. This makes no sense.
Regards,
Joe Astorino
CCIE #24347 (R&S)
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Splinter
Sent: Thursday, June 25, 2009 11:06 AM
To: Bryan Bartik
Cc: Cisco certification
Subject: Re: CoPP clarification
Yes, the ACL is complete.
Only letting R1 and R2 telnet to R3, sourcing from their loopback addresses.
On Thu, Jun 25, 2009 at 4:53 PM, Bryan Bartik <bbartik_at_ipexpert.com> wrote:
> Splinter,
>
> Have you pasted your configuration exactly the way it exists? The reason I
> ask is because your extended ACL is not complete. You have only specified a
> source on the first two lines. Should be like this:
>
> ip access-list extended LOOPBACK
> deny tcp host 10.10.1.1 any eq telnet
> deny tcp host 10.10.2.2 any eq telnet
> permit tcp any any eq telnet
>
> Please verify the actual ACL and post back. Thanks!
>
> On Thu, Jun 25, 2009 at 6:33 AM, Splinter <splinter330_at_gmail.com> wrote:
>
>> Hi GS,
>>
>> I am playing around with CoPP to stop telnet to a certain router and would
>> like some input or suggestions to what I am doing.
>>
>>
>> I have the following scenario:
>>
>> R1 -------------- R3
>> | |
>> | |
>> | |
>> R2 -------------- R4
>>
>> I would like to only allow telnet to R3 and R4 from R1 and R2 loopbacks
>> only.
>>
>> So here is what I have done:
>>
>> R3:
>>
>> ip access-list extended LOOPBACK
>> deny tcp host 10.10.1.1 eq telnet
>> deny tcp host 10.10.2.2 eq telnet
>> permit tcp any any eq telnet
>>
>> class-map TELNET
>> match access-group LOOPBACK
>>
>> policy-map SECURE
>> class TELNET
>> drop
>>
>> control-plane
>> service-policy input SECURE
>>
>> So here is the problem, or maybe a gap in my understanding of how CoPP works.
>> I can telnet only using the loopbacks of R1 and R2, which is what I needed
>> done.
>> BUT I can still telnet from R4 to R3. WHY is this?
>> When I created the control-plane I used the "input" keyword, and all telnet
>> traffic going to the CP will look at my policy-map SECURE (correct?)
>> and make its decision based on what is configured.
>>
>> Where am I going wrong?
>>
>>
>> Regards
>>
>> Splinter
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>
> --
> Bryan Bartik
> CCIE #23707 (R&S), CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
Received on Thu Jun 25 2009 - 11:14:15 ART
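The two points raised in this thread, that an extended ACL entry needs a destination, and that a CoPP class built on `match access-group` catches what the ACL *permits* (so Bryan's corrected ACL denies the loopbacks to keep them out of the dropped class), are modelled below as an added example. It is not code from any of the posts or from IOS; it is a toy parser for only the ACL syntax used in the thread plus a first-match evaluator. The addresses for R3, R4 and R1's transit interface (10.10.3.3, 10.10.4.4, 10.10.13.1) are constructed for the demonstration, and the "destination required" check is this model's assumption of how IOS rejects the incomplete line.

```python
"""Toy model of an IOS extended ACL and a CoPP class-map/policy-map.

Added example, not from the thread. Only the syntax the thread uses is
modelled: 'permit|deny tcp <src> [eq <port>] <dst> [eq <port>]' where
<src>/<dst> is 'host A.B.C.D' or 'any'. Evaluation is first match wins
with an implicit deny at the end, as on IOS.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "bgp": 179}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: IPv4Network
    sport: Optional[int]   # None means any source port
    dst: IPv4Network
    dport: Optional[int]   # None means any destination port


def _parse_addr(tokens):
    """Consume 'host A.B.C.D' or 'any' from the front of the token list."""
    if not tokens:
        raise ValueError("address expected, got end of line")
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host" and len(tokens) > 1:
        return ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]!r}")


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier (name or number)."""
    if tokens[:1] == ["eq"]:
        if len(tokens) < 2:
            raise ValueError("port expected after 'eq'")
        p = tokens[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tokens[2:]
    return None, tokens


def parse_ace(line):
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny") or tokens[1] != "tcp":
        raise ValueError(f"unsupported entry: {line!r}")
    src, rest = _parse_addr(tokens[2:])
    sport, rest = _parse_port(rest)
    # The check the thread is about (assumed to mirror IOS): an extended
    # entry needs a destination. 'deny tcp host 10.10.1.1 eq telnet' stops
    # here, because 'eq telnet' was consumed as a *source* port.
    if not rest:
        raise ValueError(f"incomplete entry, no destination: {line!r}")
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    if rest:
        raise ValueError(f"trailing tokens {rest} in {line!r}")
    return Ace(tokens[0], src, sport, dst, dport)


def is_complete_ace(line):
    """True when the line parses as a full extended ACL entry."""
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def acl_result(acl, pkt):
    """pkt = (src_ip, dst_ip, sport, dport), TCP assumed. First match wins."""
    src, dst, sport, dport = pkt
    for ace in acl:
        if (ip_address(src) in ace.src and ip_address(dst) in ace.dst
                and ace.sport in (None, sport) and ace.dport in (None, dport)):
            return ace.action
    return "deny"          # implicit deny at the end of every ACL


def copp_verdict(acl, pkt):
    """class TELNET matches when the ACL *permits* the packet, and that class
    is dropped; everything else falls to class-default and reaches the CP."""
    return "drop" if acl_result(acl, pkt) == "permit" else "forward"


CORRECTED_ACL = """
deny tcp host 10.10.1.1 any eq telnet
deny tcp host 10.10.2.2 any eq telnet
permit tcp any any eq telnet
"""
INCOMPLETE_LINE = "deny tcp host 10.10.1.1 eq telnet"   # as in the original post

if __name__ == "__main__":
    acl = parse_acl(CORRECTED_ACL)
    # Constructed addresses: R3 10.10.3.3, R4 10.10.4.4, R1 transit 10.10.13.1
    for name, pkt in {
        "R1 loopback -> R3 telnet": ("10.10.1.1", "10.10.3.3", 40001, 23),
        "R4 -> R3 telnet": ("10.10.4.4", "10.10.3.3", 40002, 23),
        "R1 transit -> R3 telnet": ("10.10.13.1", "10.10.3.3", 40003, 23),
        "R4 -> R3 bgp": ("10.10.4.4", "10.10.3.3", 40004, 179),
    }.items():
        print(f"{name:28s} acl={acl_result(acl, pkt):6s} copp={copp_verdict(acl, pkt)}")
    print("incomplete line accepted:", is_complete_ace(INCOMPLETE_LINE))
```

With the corrected ACL, telnet from the two loopbacks is denied by the ACL, so it never enters class TELNET and is forwarded to the control plane; telnet from any other source (R4, or R1's non-loopback interface) is permitted by the ACL, matched by the class and dropped. Non-telnet traffic falls through the implicit deny and is untouched by the policy, which is the behaviour you want to confirm with `show policy-map control-plane` counters before trusting the policy.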