RE: CoPP clarification

The point everybody is getting at is that the "any" is not anywhere in your
original post, shown below.

ip access-list extended LOOPBACK
  deny tcp host 10.10.1.1 eq telnet
  deny tcp host 10.10.2.2 eq telnet
  permit tcp any any eq telnet

Regards,

Joe Astorino
CCIE #24347 (R&S)
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
  

From: Splinter [mailto:splinter330_at_gmail.com]
Sent: Thursday, June 25, 2009 12:01 PM
To: Sadiq Yakasai
Cc: Joe Astorino; Bryan Bartik; Cisco certification
Subject: Re: CoPP clarification

Hi,

my destination is "any" source is loopbacks of R1 and R2 for port 23.

you dont have to have a specific destination as R1 can telnet to any valid
ip address on R3.

On Thu, Jun 25, 2009 at 5:40 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:

Same here.

Additionally, if you are doiing the action "drop" in the policy map, then
all you really want to do in the ACL is match the interesting traffic and
then drop it using the policy map. This is how I would tend to configure
this:

ip access-list extended LOOPBACK

  permit tcp host 10.10.1.1 any eq telnet
  permit tcp host 10.10.2.2 any eq telnet

class-map TELNET
 match access-group LOOPBACK

policy-map SECURE
 class TELNET
 drop

control-plane
 service-policy input SECURE

HTH,
Sadiq

On Thu, Jun 25, 2009 at 4:14 PM, Joe Astorino <jastorino_at_ipexpert.com>
wrote:

Splinter,

I am in the same boat as Bryan here: How can you have an extended ACL only
specifying a source? You have to have a destination. This makes no sense.

Regards,

Joe Astorino
CCIE #24347 (R&S)

Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Splinter
Sent: Thursday, June 25, 2009 11:06 AM
To: Bryan Bartik
Cc: Cisco certification
Subject: Re: CoPP clarification

Yes the acl is complete,

Only letting r1 and r2 to telnet to R3 sourcing from its loopback address.

On Thu, Jun 25, 2009 at 4:53 PM, Bryan Bartik <bbartik_at_ipexpert.com> wrote:

> Splinter,
>
> Have you pasted your configuration exactly the way it exists? The reason I
> ask is because your extended ACL is not complete. You have only specified
a
> source on the first two lines. Should be like this:
>
> ip access-list extended LOOPBACK
> deny tcp host 10.10.1.1 any eq telnet
> deny tcp host 10.10.2.2 any eq telnet
> permit tcp any any eq telnet
>
> Please verify the actual ACL and post back. Thanks!
>
> On Thu, Jun 25, 2009 at 6:33 AM, Splinter <splinter330_at_gmail.com> wrote:
>
>> Hi GS,
>>
>> I am playing around with CoPP to stop telnet to a certain router and
would
>> like some input or suggestions to what I am doing.
>>
>>
>> I have the following scenario:
>>
>> R1 -------------- R3
>> | |
>> | |
>> | |
>> R2 -------------- R4
>>
>> I would like to only allow telnet to R3 and R4 from R1 and R2 loopbacks
>> only.
>>
>> So here is what I have done:
>>
>> R3:
>>
>> ip access-list extended LOOPBACK
>> deny tcp host 10.10.1.1 eq telnet
>> deny tcp host 10.10.2.2 eq telnet
>> permit tcp any any eq telnet
>>
>> class-map TELNET
>> match access-group LOOPBACK
>>
>> policy-map SECURE
>> class TELNET
>> drop
>>
>> control-plane
>> service-policy input SECURE
>>
>> So here is what problem / maybe understanding on how CoPP is working.
>> I can telnet only using the loopbacks of R1 and R2 which what i needed
>> done.
>> BUT I can still telnet from R4 to R3 WHY is this.
>> when i created the control-plane i used the "input" keywork and all
telnet
>> traffic going to the CP will look at my policy-map SECURE. (correct?)
>> and make its decision based on what is configured.
>>
>> Where am i going wrong?
>>
>>
>> Regards
>>
>> Splinter
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>>
>>
>>
>>
>
>
> --
> Bryan Bartik
> CCIE #23707 (R&S), CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com

Blogs and organic groups at http://www.ccie.net
Received on Thu Jun 25 2009 - 12:03:53 ART