Guys, sorry for wasting your time... IT WORKS the way it should.
Only allow loopbacks of R1 and R2 and deny everything else.
What I was also testing prior to this, or sometime earlier, is NAT... I have
traffic from R4 NATed to R2's loopback.
That's why the telnet was going through.
Sorry once again for all the confusion.
Splinter.
On Thu, Jun 25, 2009 at 6:20 PM, Bryan Bartik <bbartik_at_ipexpert.com> wrote:
> Splinter,
>
> The ACL as you describe should work, strange that it doesn't. My only
> concern was that since part of the config had an error, perhaps other parts
> also had errors and we were not getting the "full" picture. When you do
> "show access-lists" do you see any matches when coming from R4? It sounds
> like R4 is getting denied by the ACL and thus not matched and dropped by the
> policy.
>
>
> On Thu, Jun 25, 2009 at 10:13 AM, Splinter <splinter330_at_gmail.com> wrote:
>
>> Sorry guys,
>>
>> Did not pick that up.... I looked at it for a long time but it evaded me.
>> :(
>>
>> I have my dynamips running on 1 machine and my internet on another... so I
>> have to type configs out.
>>
>> So... with the "any" keyword in the config, does the control plane look at
>> all input traffic from all interfaces and apply the QoS?
>>
>>
>> splinter
>>
>>
>> On Thu, Jun 25, 2009 at 6:03 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>>
>>> The point everybody is getting at is that the any is not anywhere in
>>> your original post, shown below.
>>>
>>> ip access-list extended LOOPBACK
>>> deny tcp host 10.10.1.1 eq telnet
>>> deny tcp host 10.10.2.2 eq telnet
>>> permit tcp any any eq telnet
>>>
>>> Regards,
>>>
>>> Joe Astorino
>>> CCIE #24347 (R&S)
>>> Sr. Support Engineer IPexpert, Inc.
>>> URL: http://www.IPexpert.com
>>>
>>>
>>> *From:* Splinter [mailto:splinter330_at_gmail.com]
>>> *Sent:* Thursday, June 25, 2009 12:01 PM
>>> *To:* Sadiq Yakasai
>>> *Cc:* Joe Astorino; Bryan Bartik; Cisco certification
>>> *Subject:* Re: CoPP clarification
>>>
>>>
>>>
>>> Hi,
>>>
>>> My destination is "any"; source is loopbacks of R1 and R2 for port 23.
>>>
>>> You don't have to have a specific destination as R1 can telnet to any
>>> valid IP address on R3.
>>>
>>> On Thu, Jun 25, 2009 at 5:40 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>>>
>>> Same here.
>>>
>>> Additionally, if you are doing the action "drop" in the policy map, then
>>> all you really want to do in the ACL is match the interesting traffic and
>>> then drop it using the policy map. This is how I would tend to configure
>>> this:
>>>
>>> ip access-list extended LOOPBACK
>>>
>>> permit tcp host 10.10.1.1 any eq telnet
>>> permit tcp host 10.10.2.2 any eq telnet
>>>
>>> class-map TELNET
>>> match access-group LOOPBACK
>>>
>>> policy-map SECURE
>>> class TELNET
>>> drop
>>>
>>> control-plane
>>> service-policy input SECURE
>>>
>>> HTH,
>>> Sadiq
>>>
>>> On Thu, Jun 25, 2009 at 4:14 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>>>
>>> Splinter,
>>>
>>> I am in the same boat as Bryan here: How can you have an extended ACL only
>>> specifying a source? You have to have a destination. This makes no sense.
>>>
>>> Regards,
>>>
>>> Joe Astorino
>>> CCIE #24347 (R&S)
>>>
>>> Sr. Support Engineer - IPexpert, Inc.
>>> URL: http://www.IPexpert.com
>>>
>>> -----Original Message-----
>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>> Splinter
>>> Sent: Thursday, June 25, 2009 11:06 AM
>>> To: Bryan Bartik
>>> Cc: Cisco certification
>>> Subject: Re: CoPP clarification
>>>
>>> Yes, the ACL is complete.
>>>
>>> Only letting R1 and R2 telnet to R3, sourcing from their loopback
>>> addresses.
>>>
>>> On Thu, Jun 25, 2009 at 4:53 PM, Bryan Bartik <bbartik_at_ipexpert.com> wrote:
>>>
>>> > Splinter,
>>> >
>>> > Have you pasted your configuration exactly the way it exists? The
>>> > reason I ask is because your extended ACL is not complete. You have only
>>> > specified a source on the first two lines. Should be like this:
>>> >
>>> > ip access-list extended LOOPBACK
>>> > deny tcp host 10.10.1.1 any eq telnet
>>> > deny tcp host 10.10.2.2 any eq telnet
>>> > permit tcp any any eq telnet
>>> >
>>> > Please verify the actual ACL and post back. Thanks!
>>> >
>>> > On Thu, Jun 25, 2009 at 6:33 AM, Splinter <splinter330_at_gmail.com> wrote:
>>> >
>>> >> Hi GS,
>>> >>
>>> >> I am playing around with CoPP to stop telnet to a certain router and
>>> >> would like some input or suggestions on what I am doing.
>>> >>
>>> >> I have the following scenario:
>>> >>
>>> >> R1 -------------- R3
>>> >> | |
>>> >> | |
>>> >> | |
>>> >> R2 -------------- R4
>>> >>
>>> >> I would like to only allow telnet to R3 and R4 from R1 and R2 loopbacks
>>> >> only.
>>> >>
>>> >> So here is what I have done:
>>> >>
>>> >> R3:
>>> >>
>>> >> ip access-list extended LOOPBACK
>>> >> deny tcp host 10.10.1.1 eq telnet
>>> >> deny tcp host 10.10.2.2 eq telnet
>>> >> permit tcp any any eq telnet
>>> >>
>>> >> class-map TELNET
>>> >> match access-group LOOPBACK
>>> >>
>>> >> policy-map SECURE
>>> >> class TELNET
>>> >> drop
>>> >>
>>> >> control-plane
>>> >> service-policy input SECURE
>>> >>
>>> >> So here is the problem / maybe my understanding of how CoPP is working.
>>> >> I can telnet only using the loopbacks of R1 and R2, which is what I needed
>>> >> done.
>>> >> BUT I can still telnet from R4 to R3. WHY is this?
>>> >> When I created the control-plane I used the "input" keyword and all telnet
>>> >> traffic going to the CP will look at my policy-map SECURE (correct?)
>>> >> and make its decision based on what is configured.
>>> >>
>>> >> Where am I going wrong?
>>> >>
>>> >> Regards
>>> >>
>>> >> Splinter
>>> >>
>>> >> Blogs and organic groups at http://www.ccie.net
>>> >>
>>> >> _______________________________________________________________________
>>> >> Subscription information may be found at:
>>> >> http://www.groupstudy.com/list/CCIELab.html
>>> >
>>> > --
>>> > Bryan Bartik
>>> > CCIE #23707 (R&S), CCNP
>>> > Sr. Support Engineer - IPexpert, Inc.
>>> > URL: http://www.IPexpert.com
>>>
>>> --
>>>
>>> CCIE #19963
>>>
>>
>
> --
> Bryan Bartik
> CCIE #23707 (R&S), CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
Received on Thu Jun 25 2009 - 18:27:09 ART
This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART
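The thread hinges on how IOS classifies packets under CoPP: an ACL `permit` line classifies a packet into the class-map referenced by `match access-group`, a `deny` line (or the implicit deny at the end of the list) means "not matched", and the policy-map action applies only to matched packets, while everything else falls into class-default and is transmitted. The Python model below is an added example, not configuration or code from the thread or from GroupStudy or IPexpert. It reproduces that classification, rejects the source-only ACEs from Splinter's first post the way the IOS parser does, applies both Bryan's completed ACL and Sadiq's permit-only ACL to telnet sessions from the quoted loopbacks and from R4, and models the NAT Splinter found at the end. The addresses 10.10.3.3 for R3 and 10.10.4.4 for R4 are constructed placeholders (the thread only gives the R1 and R2 loopbacks), and the NAT mapping of R4 to 10.10.2.2 is an assumption about Splinter's lab based on his last message.

```python
"""Model of CoPP classification on a Cisco IOS control plane (added example,
not configuration or code from the thread).

Semantics modelled: an ACE 'permit' classifies the packet into the class-map
used by 'match access-group', 'deny' (explicit or implicit) means the class
does not match, and the policy-map action applies only to matched packets;
unmatched packets fall into class-default, which transmits.
"""
from dataclasses import dataclass

TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str            # source address as seen by the router running CoPP
    dst: str            # destination address owned by that router
    dport: int = TELNET
    proto: str = "tcp"


def parse_ace(line):
    """Parse '<permit|deny> tcp <host A|any> <host B|any> [eq <port>]'.

    A missing destination (e.g. 'deny tcp host 10.10.1.1 eq telnet') raises
    ValueError, mirroring the IOS parser rejecting that line.
    """
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    pos = 2

    def address():
        nonlocal pos
        if pos >= len(tok):
            raise ValueError(f"missing address in {line!r}")
        if tok[pos] == "any":
            pos += 1
            return None                      # wildcard
        if tok[pos] == "host" and pos + 1 < len(tok):
            pos += 2
            return tok[pos - 1]
        raise ValueError(f"expected 'host <ip>' or 'any' in {line!r}")

    src = address()
    dst = address()
    port = None
    if pos < len(tok):
        if tok[pos] != "eq" or pos + 1 >= len(tok):
            raise ValueError(f"unsupported trailer in {line!r}")
        port = TELNET if tok[pos + 1] == "telnet" else int(tok[pos + 1])
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "port": port}


def is_valid_ace(line):
    """True when the ACE has the full source/destination form IOS accepts."""
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def ace_matches(ace, pkt):
    return (ace["proto"] == pkt.proto
            and ace["src"] in (None, pkt.src)
            and ace["dst"] in (None, pkt.dst)
            and ace["port"] in (None, pkt.dport))


def acl_result(acl, pkt):
    """First-match evaluation with the implicit 'deny' at the end of the list."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


def copp_action(acl, class_action, pkt, nat=None):
    """What 'service-policy input' on the control plane does with pkt.

    nat: optional {inside address: translated address}, applied before the
    packet reaches the CoPP router (the translation Splinter found).
    """
    if nat and pkt.src in nat:
        pkt = Packet(nat[pkt.src], pkt.dst, pkt.dport, pkt.proto)
    return class_action if acl_result(acl, pkt) == "permit" else "transmit"


def evaluate(acl_lines, class_action, packets, nat=None):
    """Map (original source, dport) -> CoPP outcome for each packet."""
    acl = [parse_ace(line) for line in acl_lines]
    return {(p.src, p.dport): copp_action(acl, class_action, p, nat) for p in packets}


R1_LO, R2_LO = "10.10.1.1", "10.10.2.2"   # loopbacks quoted in the thread
R3 = "10.10.3.3"                          # constructed placeholder for R3
R4 = "10.10.4.4"                          # constructed placeholder for R4

# Bryan's completed form: deny = "not matched", so the loopbacks escape the
# drop class and every other telnet source is classified and dropped.
ACL_DENY_LOOPBACKS = [
    "deny tcp host 10.10.1.1 any eq telnet",
    "deny tcp host 10.10.2.2 any eq telnet",
    "permit tcp any any eq telnet",
]

# Sadiq's form: the ACL permits (classifies) the loopback sources themselves.
ACL_PERMIT_LOOPBACKS = [
    "permit tcp host 10.10.1.1 any eq telnet",
    "permit tcp host 10.10.2.2 any eq telnet",
]

TELNET_SESSIONS = [Packet(R1_LO, R3), Packet(R2_LO, R3), Packet(R4, R3)]
BGP_FROM_R4 = Packet(R4, R3, dport=179)   # constructed non-telnet control-plane traffic

if __name__ == "__main__":
    for name, acl in (("deny-loopbacks", ACL_DENY_LOOPBACKS),
                      ("permit-loopbacks", ACL_PERMIT_LOOPBACKS)):
        print(name, evaluate(acl, "drop", TELNET_SESSIONS + [BGP_FROM_R4]))
    print("R4 NATed to R2's loopback (assumed):",
          evaluate(ACL_DENY_LOOPBACKS, "drop", TELNET_SESSIONS, nat={R4: R2_LO}))
    print("source-only ACE accepted:", is_valid_ace("deny tcp host 10.10.1.1 eq telnet"))
```

Running the block shows that the two ACL forms send opposite sets of sources to the `drop` action, that non-telnet traffic is untouched by both, and that once R4's telnet is translated to 10.10.2.2 before it reaches the CoPP router the policy sees loopback traffic and transmits it. On a real router the `show access-lists` counters Bryan mentions are the place to confirm which ACE a session actually hit.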