Re: CoPP clarification

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Thu, 25 Jun 2009 17:46:57 +0100

I agree - always ask when I doubt! Now I understand your scenario - good
job!

Sadiq

On Thu, Jun 25, 2009 at 5:34 PM, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:

> "The only stupid question is one that is not asked"
>
> Ask away :)
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Splinter
> Sent: Thursday, June 25, 2009 12:27 PM
> To: Bryan Bartik
> Cc: Joe Astorino; Sadiq Yakasai; Cisco certification
> Subject: Re: CoPP clarification
>
> Guys, sorry for wasting your time... IT WORKS the way it should.
>
> Only allow loopbacks of R1 and R2 and deny everything else.
>
> What I was also testing prior to this or sometime earlier is NAT... I have
> traffic from R4 natted to R2 Loopback.
>
> That's why the telnet was going through.
>
> Sorry once again for all the confusion.
>
> Splinter.
>
> On Thu, Jun 25, 2009 at 6:20 PM, Bryan Bartik <bbartik_at_ipexpert.com>
> wrote:
>
> > Splinter,
> >
> > The ACL as you describe should work, strange that it doesn't. My only
> > concern was that since part of the config had an error, perhaps other parts
> > also had errors and we were not getting the "full" picture. When you do
> > "show access-lists" do you see any matches when coming from R4? It sounds
> > like R4 is getting denied by the ACL and thus not matched and dropped by the
> > policy.
> >
> >
> > On Thu, Jun 25, 2009 at 10:13 AM, Splinter <splinter330_at_gmail.com>
> wrote:
> >
> >> Sorry guys,
> >>
> >> did not pick that up.... I looked at it for a long time but it evaded me.
> >> :(
> >>
> >> I have my dynamips running on 1 machine and my internet on another... so I
> >> have to type configs out.
> >>
> >> So... with the "any" keyword in the config, does the Control plane look at
> >> all input traffic from all interfaces and apply the QoS?
> >>
> >>
> >> splinter
> >>
> >>
> >> On Thu, Jun 25, 2009 at 6:03 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
> >>
> >>> The point everybody is getting at is that the any is not anywhere in
> >>> your original post, shown below.
> >>>
> >>> ip access-list extended LOOPBACK
> >>> deny tcp host 10.10.1.1 eq telnet
> >>> deny tcp host 10.10.2.2 eq telnet
> >>> permit tcp any any eq telnet
> >>>
> >>> Regards,
> >>>
> >>> Joe Astorino
> >>> CCIE #24347 (R&S)
> >>> Sr. Support Engineer IPexpert, Inc.
> >>> URL: http://www.IPexpert.com
> >>>
> >>>
> >>> From: Splinter [mailto:splinter330_at_gmail.com]
> >>> Sent: Thursday, June 25, 2009 12:01 PM
> >>> To: Sadiq Yakasai
> >>> Cc: Joe Astorino; Bryan Bartik; Cisco certification
> >>> Subject: Re: CoPP clarification
> >>>
> >>> Hi,
> >>>
> >>> My destination is "any"; the source is the loopbacks of R1 and R2 for port 23.
> >>>
> >>> You don't have to have a specific destination, as R1 can telnet to any
> >>> valid IP address on R3.
> >>>
> >>> On Thu, Jun 25, 2009 at 5:40 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com>
> >>> wrote:
> >>>
> >>> Same here.
> >>>
> >>> Additionally, if you are doing the action "drop" in the policy map, then
> >>> all you really want to do in the ACL is match the interesting traffic and
> >>> then drop it using the policy map. This is how I would tend to configure
> >>> this:
> >>>
> >>> ip access-list extended LOOPBACK
> >>>
> >>> permit tcp host 10.10.1.1 any eq telnet
> >>> permit tcp host 10.10.2.2 any eq telnet
> >>>
> >>> class-map TELNET
> >>> match access-group LOOPBACK
> >>>
> >>> policy-map SECURE
> >>> class TELNET
> >>> drop
> >>>
> >>> control-plane
> >>> service-policy input SECURE
> >>>
> >>> HTH,
> >>> Sadiq
> >>>
> >>> On Thu, Jun 25, 2009 at 4:14 PM, Joe Astorino <jastorino_at_ipexpert.com>
> >>> wrote:
> >>>
> >>> Splinter,
> >>>
> >>> I am in the same boat as Bryan here: How can you have an extended ACL only
> >>> specifying a source? You have to have a destination. This makes no sense.
> >>>
> >>> Regards,
> >>>
> >>> Joe Astorino
> >>> CCIE #24347 (R&S)
> >>>
> >>> Sr. Support Engineer - IPexpert, Inc.
> >>> URL: http://www.IPexpert.com
> >>>
> >>> -----Original Message-----
> >>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> >>> Splinter
> >>> Sent: Thursday, June 25, 2009 11:06 AM
> >>> To: Bryan Bartik
> >>> Cc: Cisco certification
> >>> Subject: Re: CoPP clarification
> >>>
> >>> Yes, the ACL is complete,
> >>>
> >>> only letting R1 and R2 telnet to R3, sourcing from their loopback addresses.
> >>>
> >>>
> >>>
> >>> On Thu, Jun 25, 2009 at 4:53 PM, Bryan Bartik <bbartik_at_ipexpert.com>
> >>> wrote:
> >>>
> >>> > Splinter,
> >>> >
> >>> > Have you pasted your configuration exactly the way it exists? The
> >>> > reason I ask is because your extended ACL is not complete. You have only
> >>> > specified a source on the first two lines. Should be like this:
> >>> >
> >>> > ip access-list extended LOOPBACK
> >>> > deny tcp host 10.10.1.1 any eq telnet
> >>> > deny tcp host 10.10.2.2 any eq telnet
> >>> > permit tcp any any eq telnet
> >>> >
> >>> > Please verify the actual ACL and post back. Thanks!
> >>> >
> >>> > On Thu, Jun 25, 2009 at 6:33 AM, Splinter <splinter330_at_gmail.com>
> >>> wrote:
> >>> >
> >>> >> Hi GS,
> >>> >>
> >>> >> I am playing around with CoPP to stop telnet to a certain router and
> >>> >> would like some input or suggestions on what I am doing.
> >>> >>
> >>> >>
> >>> >> I have the following scenario:
> >>> >>
> >>> >> R1 -------------- R3
> >>> >> |                 |
> >>> >> |                 |
> >>> >> |                 |
> >>> >> R2 -------------- R4
> >>> >>
> >>> >> I would like to only allow telnet to R3 and R4 from R1 and R2 loopbacks
> >>> >> only.
> >>> >>
> >>> >> So here is what I have done:
> >>> >>
> >>> >> R3:
> >>> >>
> >>> >> ip access-list extended LOOPBACK
> >>> >> deny tcp host 10.10.1.1 eq telnet
> >>> >> deny tcp host 10.10.2.2 eq telnet
> >>> >> permit tcp any any eq telnet
> >>> >>
> >>> >> class-map TELNET
> >>> >> match access-group LOOPBACK
> >>> >>
> >>> >> policy-map SECURE
> >>> >> class TELNET
> >>> >> drop
> >>> >>
> >>> >> control-plane
> >>> >> service-policy input SECURE
> >>> >>
> >>> >> So here is the problem / maybe my understanding of how CoPP is working.
> >>> >> I can telnet only using the loopbacks of R1 and R2, which is what I
> >>> >> needed done.
> >>> >> BUT I can still telnet from R4 to R3. WHY is this?
> >>> >> When I created the control-plane I used the "input" keyword, and all
> >>> >> telnet traffic going to the CP will look at my policy-map SECURE
> >>> >> (correct?) and make its decision based on what is configured.
> >>> >>
> >>> >> Where am I going wrong?
> >>> >>
> >>> >>
> >>> >> Regards
> >>> >>
> >>> >> Splinter
> >>> >>
> >>> >>
> >>> >> Blogs and organic groups at http://www.ccie.net
> >>> >>
> >>> >> _______________________________________________________________________
> >>> >> Subscription information may be found at:
> >>> >> http://www.groupstudy.com/list/CCIELab.html
> >>> >>
> >>> >
> >>> >
> >>> > --
> >>> > Bryan Bartik
> >>> > CCIE #23707 (R&S), CCNP
> >>> > Sr. Support Engineer - IPexpert, Inc.
> >>> > URL: http://www.IPexpert.com
> >>>
> >>> --
> >>>
> >>> CCIE #19963
> >>>
> >>
> >>
> >
> >
> > --
> > Bryan Bartik
> > CCIE #23707 (R&S), CCNP
> > Sr. Support Engineer - IPexpert, Inc.
> > URL: http://www.IPexpert.com
>

-- 
CCIE #19963
Blogs and organic groups at http://www.ccie.net
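To make the ACL semantics argued over in this thread concrete, here is a small Python model, added here and not code or configuration from the thread or from any of the posters, of how `match access-group` inside a CoPP class treats permit and deny entries. It runs the corrected deny/permit ACL and the permit-only alternative against constructed sample packets; 10.10.3.3 and 10.10.4.4 are assumed addresses for R3 and R4 and do not appear in the thread. The point it shows: a deny entry in a class-map's ACL exempts traffic from the class rather than dropping it, so with a `drop` action it is only the permit entries that select what gets dropped.

```python
"""Model of an IOS control-plane service-policy whose class matches an ACL.

Illustration only; not configuration or code from the GroupStudy thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry: <permit|deny> <proto> <src> <dst> [eq <port>]."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp" ("ip" matches any protocol)
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[len("host "):]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _addr_matches(ace.src, pkt.src)
            and _addr_matches(ace.dst, pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def acl_lookup(acl: List[Ace], pkt: Packet) -> str:
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def copp_action(acl: List[Ace], class_action: str, pkt: Packet) -> str:
    """What the control-plane service-policy does with one punted packet.

    `match access-group` places a packet in the class only when the ACL returns
    'permit'. A 'deny' entry (explicit or implicit) is NOT a drop: the packet
    simply misses the class and is handled by class-default, which transmits.
    """
    return class_action if acl_lookup(acl, pkt) == "permit" else "transmit"


# The corrected ACL from the thread: deny = exempt from the drop class,
# "permit tcp any any eq telnet" = everything else is selected for dropping.
LOOPBACK_EXEMPT = [
    Ace("deny", "tcp", "host 10.10.1.1", "any", 23),
    Ace("deny", "tcp", "host 10.10.2.2", "any", 23),
    Ace("permit", "tcp", "any", "any", 23),
]

# The alternative ACL proposed later in the thread: only the loopbacks are
# selected, so paired with "drop" they are the traffic that gets dropped.
LOOPBACK_SELECT = [
    Ace("permit", "tcp", "host 10.10.1.1", "any", 23),
    Ace("permit", "tcp", "host 10.10.2.2", "any", 23),
]

# Constructed sample traffic. 10.10.3.3 (R3) and 10.10.4.4 (R4) are assumed
# addresses; neither appears in the thread.
SAMPLES: Dict[str, Packet] = {
    "telnet from R1 loopback": Packet("tcp", "10.10.1.1", "10.10.3.3", 23),
    "telnet from R4": Packet("tcp", "10.10.4.4", "10.10.3.3", 23),
    # R4's traffic translated to R2's loopback before it reaches R3, which is
    # what the original poster found: the control plane sees the translated source.
    "telnet from R4 NATed to R2 loopback": Packet("tcp", "10.10.2.2", "10.10.3.3", 23),
    "ssh from R4": Packet("tcp", "10.10.4.4", "10.10.3.3", 22),
}


def evaluate(acl: List[Ace], class_action: str = "drop") -> Dict[str, str]:
    """Run every sample packet through the policy and report the action taken."""
    return {name: copp_action(acl, class_action, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("deny loopbacks / permit any", LOOPBACK_EXEMPT),
                       ("permit loopbacks only", LOOPBACK_SELECT)):
        print(f"ACL {label}:")
        for name, action in evaluate(acl).items():
            print(f"  {name:38s} -> {action}")
```

Running it shows that with the deny/permit ACL, telnet from R1's loopback (and from R4 once its source is translated to R2's loopback) is transmitted while untranslated telnet from R4 is dropped, whereas with the permit-only ACL the loopbacks themselves are what `drop` removes. Non-telnet traffic misses both ACLs entirely and falls through to class-default in either case.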
Received on Thu Jun 25 2009 - 17:46:57 ART

This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART