cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
234
Views
0
Helpful
3
Replies
Beginner

CoPP with ACL

Hello everyone,

 

1)

I already got a ACL for ssh applied to vty lines.

ip access-list standard vty-access

permit xx.xx.xx.xx log

line vty 0 4
access-class vty-access

transport input ssh

 

2)  ACL to use with CoPP

access-list 101 permit tcp xx.xx.xx.xx yy.yy.yy.yy eq 22

access-list 101 permit tcp xx.xx.xx.xx eq 22 yy.yy.yy.yy established

remark ** drop untrusted IP address **

access-list 102 permit tcp any any eq 22

access-list 102 permit tcp any eq 22 any

remark *** protect against TCP SYN Flood against Port 22 ***

access-list 102 permit tcp any any eq 22 established

3)

CoPP Class Map

class-map match-all MANAGEMENT
match access-group 101

exit

class-map match-all Drop

match access-group 102

exit

class MANAGEMENT
conform-action transmit exceed-action transmit

exit

class Drop

 drop

exit

 

My idea is to allow with ACL 101 trusted IP Address for SSH login (rate-limit maybe later)

With ACL 102 deny all other IP Address for SSH connection , also with the use of established keyword deny TCP SYN Flood against Port 22.

Is this solution ok for my idea.

My 2nd Question what happens to the already configured ip access-list standard vty-access

As far as i understood is management traffic destined to the router itself handeld at Process Level, so the already

configured ip access-list standard vty-access is checked after CoPP and hence make no sense ?

I hope everyone get what i plan to do.

Any helpful suggestion or explaination would by excellent.

Thank you

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

Re: CoPP with ACL

Hi Francesco,

 

Just to get it right,

if i put the deny <trusted ssh ip address> at the first line of the ACL 102. The Ip address is then checked against the match access-group 102 and because it is a deny statement it is not part of the class drop and hence permitted.

Tried this yesterday and the policy-map doesn´t support the drop command ( ISR 4300 Series IOS XE 16.2) as a standalone

command. Only with police 8000 conform-action drop. This is not what i want.

Any solution ?

Thanks

 

 

View solution in original post

3 REPLIES 3
Highlighted
VIP Advisor

Re: CoPP with ACL

Hi

For your first question, yes it make sense if you want to keep the door open to rate limit the ssh traffic in the future. I personally always have a deny statement at the beginning of the dropped acl. This means on your acl 102, i would have added deny xxxxx at the first sequences just to make sure if some do something wrong, you still have access.
Acl on lines are useless if using copp.
I also use the Management Plane Protection (in addition to copp) to specify which interface will be used as my mgmt to ssh to. But not available on newer ios xe.
Check the hardening guide explaining it:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted
Beginner

Re: CoPP with ACL

Hi Francesco,

 

Just to get it right,

if i put the deny <trusted ssh ip address> at the first line of the ACL 102. The Ip address is then checked against the match access-group 102 and because it is a deny statement it is not part of the class drop and hence permitted.

Tried this yesterday and the policy-map doesn´t support the drop command ( ISR 4300 Series IOS XE 16.2) as a standalone

command. Only with police 8000 conform-action drop. This is not what i want.

Any solution ?

Thanks

 

 

View solution in original post

Highlighted
Beginner

Re: CoPP with ACL

Hello everyone

Regarding the policy-map "drop" command not supported.

I found the solution in Cisco COPP best practice.

 

In some versions of IOS, the keyword drop may be used in place of the keyword police when the desired action is to deny all traffic within the affected class. For example, the following policy drops all traffic matching class ONE:

!
policy-map CoPP
class ONE
class TWO
class THREE
police 10000 1500 1500 conform-action transmit exceed-action drop

 

As shown in the example, traffic matching class ONE or class TWO is permitted without using a police statement with each class. Check the release notes for your version of IOS to determine whether this option is available for policing traffic.

  • In some versions of IOS, the keyword drop may be used in place of the keyword police when the desired action is to deny all traffic within the affected class. For example, the following policy drops all traffic matching class ONE:

 

!
policy-map CoPP
class ONE
police 10000 1500 1500 conform-action drop exceed-action drop
class TWO
police 10000 1500 1500 conform-action transmit exceed-action drop

 

The above is equivalent to:

 

!
policy-map CoPP
class ONE
drop
class TWO
police 10000 1500 1500 conform-action transmit exceed-action drop

 

As shown in the above example, traffic matching class ONE is simply dropped. Using the drop keyword is equivalent to using the police statement with both conform and exceed actions of drop. While the police statement is available in all Cisco IOS releases, the drop keyword is only available in certain releases. Check the release notes for your version of Cisco IOS to determine which options are available for policing traffic.