Re: CoPP clarification

From: Splinter <splinter330_at_gmail.com>
Date: Thu, 25 Jun 2009 18:01:29 +0200

Hi,

my destination is "any", source is loopbacks of R1 and R2 for port 23.

you don't have to have a specific destination as R1 can telnet to any valid
ip address on R3.

On Thu, Jun 25, 2009 at 5:40 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:

> Same here.
>
> Additionally, if you are doing the action "drop" in the policy map, then
> all you really want to do in the ACL is match the interesting traffic and
> then drop it using the policy map. This is how I would tend to configure
> this:
>
> ip access-list extended LOOPBACK
> permit tcp host 10.10.1.1 any eq telnet
> permit tcp host 10.10.2.2 any eq telnet
>
>
> class-map TELNET
> match access-group LOOPBACK
>
> policy-map SECURE
> class TELNET
> drop
>
> control-plane
> service-policy input SECURE
>
>
> HTH,
> Sadiq
>
>
> On Thu, Jun 25, 2009 at 4:14 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>
>> Splinter,
>>
>> I am in the same boat as Bryan here: How can you have an extended ACL only
>> specifying a source? You have to have a destination. This makes no sense.
>>
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347 (R&S)
>> Sr. Support Engineer - IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Splinter
>> Sent: Thursday, June 25, 2009 11:06 AM
>> To: Bryan Bartik
>> Cc: Cisco certification
>> Subject: Re: CoPP clarification
>>
>> Yes the acl is complete,
>>
>> Only letting r1 and r2 to telnet to R3 sourcing from its loopback address.
>>
>>
>>
>> On Thu, Jun 25, 2009 at 4:53 PM, Bryan Bartik <bbartik_at_ipexpert.com> wrote:
>>
>> > Splinter,
>> >
>> > Have you pasted your configuration exactly the way it exists? The reason I
>> > ask is because your extended ACL is not complete. You have only specified a
>> > source on the first two lines. Should be like this:
>> >
>> > ip access-list extended LOOPBACK
>> > deny tcp host 10.10.1.1 any eq telnet
>> > deny tcp host 10.10.2.2 any eq telnet
>> > permit tcp any any eq telnet
>> >
>> > Please verify the actual ACL and post back. Thanks!
>> >
>> > On Thu, Jun 25, 2009 at 6:33 AM, Splinter <splinter330_at_gmail.com> wrote:
>> >
>> >> Hi GS,
>> >>
>> >> I am playing around with CoPP to stop telnet to a certain router and would
>> >> like some input or suggestions on what I am doing.
>> >>
>> >>
>> >> I have the following scenario:
>> >>
>> >> R1 -------------- R3
>> >> | |
>> >> | |
>> >> | |
>> >> R2 -------------- R4
>> >>
>> >> I would like to only allow telnet to R3 and R4 from R1 and R2 loopbacks only.
>> >>
>> >> So here is what I have done:
>> >>
>> >> R3:
>> >>
>> >> ip access-list extended LOOPBACK
>> >> deny tcp host 10.10.1.1 eq telnet
>> >> deny tcp host 10.10.2.2 eq telnet
>> >> permit tcp any any eq telnet
>> >>
>> >> class-map TELNET
>> >> match access-group LOOPBACK
>> >>
>> >> policy-map SECURE
>> >> class TELNET
>> >> drop
>> >>
>> >> control-plane
>> >> service-policy input SECURE
>> >>
>> >> So here is my problem, or maybe my understanding of how CoPP is working.
>> >> I can telnet only using the loopbacks of R1 and R2, which is what I needed
>> >> done.
>> >> BUT I can still telnet from R4 to R3. WHY is this?
>> >> When I created the control-plane I used the "input" keyword, and all telnet
>> >> traffic going to the CP will look at my policy-map SECURE (correct?)
>> >> and make its decision based on what is configured.
>> >>
>> >> Where am I going wrong?
>> >>
>> >>
>> >> Regards
>> >>
>> >> Splinter
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>> >
>> >
>> > --
>> > Bryan Bartik
>> > CCIE #23707 (R&S), CCNP
>> > Sr. Support Engineer - IPexpert, Inc.
>> > URL: http://www.IPexpert.com
>>
>
>
> --
> CCIE #19963
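As an added example (not code from any of the posters), here is a small Python model of how IOS evaluates an extended ACL referenced by a CoPP class-map, run against the two ACLs posted in the thread; the R3 address 10.10.3.3 and the R4 address 10.10.4.4 are constructed assumptions. It shows that a deny entry excludes traffic from the class rather than blocking it, so with the policy action drop Bryan's ACL drops telnet from everything except the loopbacks, while Sadiq's ACL drops exactly the loopback sessions.

```python
# Added example (not from the thread): a model of how IOS evaluates an
# extended ACL referenced by a CoPP class-map. A "permit" ACE means the
# packet MATCHES the class (policy action applies); a "deny" ACE means it
# does NOT match and falls to class-default, which forwards it.
from dataclasses import dataclass
TELNET = 23

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def _addr_matches(spec, addr):
    """Support only 'any' and 'host A.B.C.D' (no wildcard masks needed here)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    raise ValueError(f"unsupported address spec: {spec!r}")

def acl_matches(acl, pkt):
    """True if the first ACE hit is 'permit'. ACEs are
    (action, proto, src_spec, dst_spec, dport); implicit deny at the end."""
    for action, proto, src, dst, dport in acl:
        if (proto == pkt.proto and dport == pkt.dport
                and _addr_matches(src, pkt.src) and _addr_matches(dst, pkt.dst)):
            return action == "permit"
    return False

def copp_input(acl, pkt):
    """policy-map SECURE: class TELNET -> drop; class-default -> forward."""
    return "drop" if acl_matches(acl, pkt) else "forward"

# Bryan's ACL: deny the loopbacks (= no match), match every other telnet packet.
ACL_BRYAN = [("deny", "tcp", "host 10.10.1.1", "any", TELNET),
             ("deny", "tcp", "host 10.10.2.2", "any", TELNET),
             ("permit", "tcp", "any", "any", TELNET)]
# Sadiq's ACL: match only the loopbacks, so 'drop' applies to exactly those.
ACL_SADIQ = [("permit", "tcp", "host 10.10.1.1", "any", TELNET),
             ("permit", "tcp", "host 10.10.2.2", "any", TELNET)]
R3 = "10.10.3.3"  # constructed address on R3; R4's 10.10.4.4 below is too
SAMPLES = {"R1-loopback": Packet("10.10.1.1", R3, "tcp", TELNET),
           "R4-interface": Packet("10.10.4.4", R3, "tcp", TELNET),
           "R1-ssh": Packet("10.10.1.1", R3, "tcp", 22)}

def evaluate(acl):
    """Map each sample packet to the CoPP verdict under the given ACL."""
    return {name: copp_input(acl, pkt) for name, pkt in SAMPLES.items()}
```

Non-telnet traffic (the SSH sample) hits no ACE and is forwarded by class-default under both ACLs, which is the implicit-deny behaviour of an ACL used as a match criterion.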

Received on Thu Jun 25 2009 - 18:01:29 ART

This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART