Re: CoPP clarification

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Thu, 25 Jun 2009 17:16:02 +0100

2nd try:

Additionally, if you are doing the action "drop" in the policy map, then
all you really want to do in the ACL is match the interesting traffic and
then drop it using the policy map. This is how I would tend to configure
this:

ip access-list extended LOOPBACK
  permit tcp host 10.10.1.1 any eq telnet
  permit tcp host 10.10.2.2 any eq telnet

class-map TELNET
 match access-group LOOPBACK

policy-map SECURE
 class TELNET
 drop

control-plane
 service-policy input SECURE

HTH,
Sadiq

On Thu, Jun 25, 2009 at 5:13 PM, Splinter <splinter330_at_gmail.com> wrote:

> sorry guys,
>
> did not pick that up.... i looked at it for a long time but it evaded me.
> :(
>
> I have my dynamips running on 1 machine and my internet on another... so
> have to type configs out.
>
> so... with the "any" keyword in the config does the Control plane look at
> all input traffic from all interfaces and apply the QOS?
>
>
> splinter
>
>
> On Thu, Jun 25, 2009 at 6:03 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>
>> The point everybody is getting at is that the any is not anywhere in
>> your original post, shown below.
>>
>>
>> ip access-list extended LOOPBACK
>> deny tcp host 10.10.1.1 eq telnet
>> deny tcp host 10.10.2.2 eq telnet
>> permit tcp any any eq telnet
>>
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347 (R&S)
>> Sr. Support Engineer  IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>>
>> *From:* Splinter [mailto:splinter330_at_gmail.com]
>> *Sent:* Thursday, June 25, 2009 12:01 PM
>> *To:* Sadiq Yakasai
>> *Cc:* Joe Astorino; Bryan Bartik; Cisco certification
>> *Subject:* Re: CoPP clarification
>>
>>
>>
>> Hi,
>>
>> My destination is "any"; source is the loopbacks of R1 and R2 for port 23.
>>
>> You don't have to have a specific destination, as R1 can telnet to any valid
>> IP address on R3.
>>
>> On Thu, Jun 25, 2009 at 5:40 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com>
>> wrote:
>>
>> Same here.
>>
>> Additionally, if you are doing the action "drop" in the policy map, then
>> all you really want to do in the ACL is match the interesting traffic and
>> then drop it using the policy map. This is how I would tend to configure
>> this:
>>
>>
>> ip access-list extended LOOPBACK
>>
>> permit tcp host 10.10.1.1 any eq telnet
>> permit tcp host 10.10.2.2 any eq telnet
>>
>> class-map TELNET
>> match access-group LOOPBACK
>>
>> policy-map SECURE
>> class TELNET
>> drop
>>
>> control-plane
>> service-policy input SECURE
>>
>> HTH,
>> Sadiq
>>
>>
>>
>> On Thu, Jun 25, 2009 at 4:14 PM, Joe Astorino <jastorino_at_ipexpert.com>
>> wrote:
>>
>> Splinter,
>>
>> I am in the same boat as Bryan here: How can you have an extended ACL
>> only specifying a source? You have to have a destination. This makes no
>> sense.
>>
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347 (R&S)
>>
>> Sr. Support Engineer - IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Splinter
>> Sent: Thursday, June 25, 2009 11:06 AM
>> To: Bryan Bartik
>> Cc: Cisco certification
>> Subject: Re: CoPP clarification
>>
>> Yes, the ACL is complete,
>>
>> Only letting R1 and R2 telnet to R3, sourcing from their loopback addresses.
>>
>> On Thu, Jun 25, 2009 at 4:53 PM, Bryan Bartik <bbartik_at_ipexpert.com>
>> wrote:
>>
>> > Splinter,
>> >
>> > Have you pasted your configuration exactly the way it exists? The reason
>> > I ask is because your extended ACL is not complete. You have only
>> > specified a source on the first two lines. Should be like this:
>> >
>> > ip access-list extended LOOPBACK
>> > deny tcp host 10.10.1.1 any eq telnet
>> > deny tcp host 10.10.2.2 any eq telnet
>> > permit tcp any any eq telnet
>> >
>> > Please verify the actual ACL and post back. Thanks!
>> >
>> > On Thu, Jun 25, 2009 at 6:33 AM, Splinter <splinter330_at_gmail.com> wrote:
>> >
>> >> Hi GS,
>> >>
>> >> I am playing around with CoPP to stop telnet to a certain router and
>> >> would like some input or suggestions on what I am doing.
>> >>
>> >>
>> >> I have the following scenario:
>> >>
>> >> R1 -------------- R3
>> >> |                  |
>> >> |                  |
>> >> |                  |
>> >> R2 -------------- R4
>> >>
>> >> I would like to only allow telnet to R3 and R4 from the R1 and R2 loopbacks.
>> >>
>> >> So here is what I have done:
>> >>
>> >> R3:
>> >>
>> >> ip access-list extended LOOPBACK
>> >> deny tcp host 10.10.1.1 eq telnet
>> >> deny tcp host 10.10.2.2 eq telnet
>> >> permit tcp any any eq telnet
>> >>
>> >> class-map TELNET
>> >> match access-group LOOPBACK
>> >>
>> >> policy-map SECURE
>> >> class TELNET
>> >> drop
>> >>
>> >> control-plane
>> >> service-policy input SECURE
>> >>
>> >> So here is the problem / maybe my understanding of how CoPP is working.
>> >> I can telnet only using the loopbacks of R1 and R2, which is what I needed
>> >> done.
>> >> BUT I can still telnet from R4 to R3. WHY is this?
>> >> When I created the control-plane I used the "input" keyword, and all
>> >> telnet traffic going to the CP will look at my policy-map SECURE (correct?)
>> >> and make its decision based on what is configured.
>> >>
>> >> Where am I going wrong?
>> >>
>> >>
>> >> Regards
>> >>
>> >> Splinter
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>> >
>> >
>> > --
>> > Bryan Bartik
>> > CCIE #23707 (R&S), CCNP
>> > Sr. Support Engineer - IPexpert, Inc.
>> > URL: http://www.IPexpert.com
>>
>>
>> --
>>
>> CCIE #19963
>
>

--
CCIE #19963
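As an added example (my own Python, not code from the thread and not Cisco's implementation), here is a small model of the matching rules this whole thread turns on: an extended ACL evaluated first-match with an implicit deny at the end, a class-map whose `match access-group` matches only the packets the ACL permits, and a policy-map whose `drop` hits that class while unmatched traffic falls into class-default and reaches the control plane. It runs the two ACL shapes posted above (Bryan's deny/deny/permit and Sadiq's permit-only) against constructed telnet and SSH packets. R3's address 10.10.3.3 and R4's address 10.10.34.4 are assumptions; the thread only names the R1/R2 loopbacks 10.10.1.1 and 10.10.2.2.

```python
"""Added example: model of Cisco extended ACL -> CoPP class-map -> policy-map
'drop', comparing the deny/deny/permit ACL and the permit-only ACL from this
thread. R3 (10.10.3.3) and R4 (10.10.34.4) addresses are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

TELNET = 23


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" / "udp"
    src: str     # dotted-quad source address
    dst: str     # dotted-quad destination address
    dport: int   # destination port


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any IP protocol
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str                     # same syntax as src
    dport: Optional[int] = None  # None = any destination port ("eq" omitted)


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec[len("host "):] == addr
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; an implicit 'deny ip any any' ends every ACL."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_matches(e.src, pkt.src) and _addr_matches(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


def copp_verdict(acl: List[AclEntry], pkt: Packet) -> str:
    """'match access-group' matches only packets the ACL *permits*; those land in
    'class TELNET' and take its 'drop'. Denied or unmatched packets fall into
    class-default, which in this policy has no action, so they reach the CP."""
    return "drop" if acl_permits(acl, pkt) else "permit"


# ACL as corrected by Bryan: deny = exempt from the class, permit = dropped.
DENY_THEN_PERMIT = [
    AclEntry("deny", "tcp", "host 10.10.1.1", "any", TELNET),
    AclEntry("deny", "tcp", "host 10.10.2.2", "any", TELNET),
    AclEntry("permit", "tcp", "any", "any", TELNET),
]

# Permit-only ACL as proposed by Sadiq: whatever it permits is what gets dropped.
PERMIT_ONLY = [
    AclEntry("permit", "tcp", "host 10.10.1.1", "any", TELNET),
    AclEntry("permit", "tcp", "host 10.10.2.2", "any", TELNET),
]

# Constructed test traffic toward R3 (10.10.3.3 assumed); 10.10.34.4 stands in
# for R4's interface address, which the thread never gives.
SAMPLE_TRAFFIC = {
    "R1-lo0 telnet": Packet("tcp", "10.10.1.1", "10.10.3.3", TELNET),
    "R2-lo0 telnet": Packet("tcp", "10.10.2.2", "10.10.3.3", TELNET),
    "R4 telnet":     Packet("tcp", "10.10.34.4", "10.10.3.3", TELNET),
    "R4 ssh":        Packet("tcp", "10.10.34.4", "10.10.3.3", 22),
}


def evaluate(acl: List[AclEntry]) -> Dict[str, str]:
    """Verdict ("drop" / "permit") for each sample packet under the given ACL."""
    return {name: copp_verdict(acl, pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for label, acl in (("deny/deny/permit", DENY_THEN_PERMIT), ("permit-only", PERMIT_ONLY)):
        print(label)
        for name, verdict in evaluate(acl).items():
            print(f"  {name:14} -> {verdict}")
```

Running it shows the two ACLs give mirror-image verdicts: under deny/deny/permit the loopback sources are exempted from the drop and every other telnet connection is dropped, while under permit-only it is the permitted (loopback) telnet that hits the drop and everything else reaches the control plane. Which shape is right depends on whether the drop is meant to hit the listed sources or everyone except them; the ACL keyword that puts a packet into the class is permit, not deny. On the router the equivalent check is `show policy-map control-plane`, whose per-class counters show which traffic is actually being matched and dropped.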
Received on Thu Jun 25 2009 - 17:16:02 ART

This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART