Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
400
Views
0
Helpful
0
Replies

ASR 1001-X Restrict Port Access

mustafa.chapal
Level 1
Level 1

‎07-12-2022 06:04 AM - edited ‎07-12-2022 08:07 AM

Hi,

I have a Cisco ASR 1001-X router running on IOS-XE version 3.16.02.S with Advanced Enterprise license. The platform has multiple BGP connections with hundreds of VLAN interfaces. I would like to restrict SSH and SNMP access on all the interfaces except one.

I have tried to achieve this using control plane policing but its not working as expected and following is the configuration. Also the individual drop command is not found under the policy map class.

I tried VTY acl for SSH but thats not working as well.

ACL on edge interfaces is not an appropriate option in such situation as it blocks those specific ports on all downstream hosts and ACL on all the interfaces is a tedious task.

Any help will be greatly appreciated.

Thank you

 

 

 

 

ip access-list extended SSH
 permit tcp any host 98.1.1.2 eq ssh
ip access-list extended SNMP
 permit udp any host 98.1.1.2 eq snmp

class-map match-any SSH
 match access-group name SSH
class-map match-any SNMP
 match access-group name SNMP

policy-map COPP
 class SSH
  police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop
 class SNMP
  police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop

control-plane
 service-policy input COPP

 

 

 

 

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card