Re: CoPP clarification

Same here.

Additionally, if you are doiing the action "drop" in the policy map, then
all you really want to do in the ACL is match the interesting traffic and
then drop it using the policy map. This is how I would tend to configure
this:

ip access-list extended LOOPBACK
  permit tcp host 10.10.1.1 any eq telnet
  permit tcp host 10.10.2.2 any eq telnet

class-map TELNET
 match access-group LOOPBACK

policy-map SECURE
 class TELNET
 drop

control-plane
 service-policy input SECURE

HTH,
Sadiq

On Thu, Jun 25, 2009 at 4:14 PM, Joe Astorino <jastorino_at_ipexpert.com>wrote:

> Splinter,
>
> I am in the same boat as Bryan here: How can you have an extended ACL only
> specifying a source? You have to have a destination. This makes no sense.
>
> Regards,
>
> Joe Astorino
> CCIE #24347 (R&S)
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Splinter
> Sent: Thursday, June 25, 2009 11:06 AM
> To: Bryan Bartik
> Cc: Cisco certification
> Subject: Re: CoPP clarification
>
> Yes the acl is complete,
>
> Only letting r1 and r2 to telnet to R3 sourcing from its loopback address.
>
>
>
> On Thu, Jun 25, 2009 at 4:53 PM, Bryan Bartik <bbartik_at_ipexpert.com>
> wrote:
>
> > Splinter,
> >
> > Have you pasted your configuration exactly the way it exists? The reason
> I
> > ask is because your extended ACL is not complete. You have only specified
> a
> > source on the first two lines. Should be like this:
> >
> > ip access-list extended LOOPBACK
> > deny tcp host 10.10.1.1 any eq telnet
> > deny tcp host 10.10.2.2 any eq telnet
> > permit tcp any any eq telnet
> >
> > Please verify the actual ACL and post back. Thanks!
> >
> > On Thu, Jun 25, 2009 at 6:33 AM, Splinter <splinter330_at_gmail.com> wrote:
> >
> >> Hi GS,
> >>
> >> I am playing around with CoPP to stop telnet to a certain router and
> would
> >> like some input or suggestions to what I am doing.
> >>
> >>
> >> I have the following scenario:
> >>
> >> R1 -------------- R3
> >> | |
> >> | |
> >> | |
> >> R2 -------------- R4
> >>
> >> I would like to only allow telnet to R3 and R4 from R1 and R2 loopbacks
> >> only.
> >>
> >> So here is what I have done:
> >>
> >> R3:
> >>
> >> ip access-list extended LOOPBACK
> >> deny tcp host 10.10.1.1 eq telnet
> >> deny tcp host 10.10.2.2 eq telnet
> >> permit tcp any any eq telnet
> >>
> >> class-map TELNET
> >> match access-group LOOPBACK
> >>
> >> policy-map SECURE
> >> class TELNET
> >> drop
> >>
> >> control-plane
> >> service-policy input SECURE
> >>
> >> So here is what problem / maybe understanding on how CoPP is working.
> >> I can telnet only using the loopbacks of R1 and R2 which what i needed
> >> done.
> >> BUT I can still telnet from R4 to R3 WHY is this.
> >> when i created the control-plane i used the "input" keywork and all
> telnet
> >> traffic going to the CP will look at my policy-map SECURE. (correct?)
> >> and make its decision based on what is configured.
> >>
> >> Where am i going wrong?
> >>
> >>
> >> Regards
> >>
> >> Splinter
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >
> > --
> > Bryan Bartik
> > CCIE #23707 (R&S), CCNP
> > Sr. Support Engineer - IPexpert, Inc.
> > URL: http://www.IPexpert.com
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>
> Checked by AVG - www.avg.com
> Version: 8.5.374 / Virus Database: 270.12.90/2199 - Release Date: 06/25/09
> 06:22:00
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>

-- 
CCIE #19963
Blogs and organic groups at http://www.ccie.net