02-18-2020 09:44 AM - edited 02-20-2020 09:46 PM
Hello everyone,
1)
I already have an ACL for SSH applied to the vty lines.
ip access-list standard vty-access
 permit xx.xx.xx.xx log
line vty 0 4
 access-class vty-access in
 transport input ssh
2) ACL to use with CoPP
access-list 101 permit tcp host xx.xx.xx.xx host yy.yy.yy.yy eq 22
access-list 101 permit tcp host xx.xx.xx.xx eq 22 host yy.yy.yy.yy established
access-list 102 remark ** drop untrusted IP address **
access-list 102 permit tcp any any eq 22
access-list 102 permit tcp any eq 22 any
access-list 102 remark *** protect against TCP SYN flood against port 22 ***
access-list 102 permit tcp any any eq 22 established
3)
CoPP class maps and policy map
class-map match-all MANAGEMENT
 match access-group 101
 exit
class-map match-all Drop
 match access-group 102
 exit
policy-map CoPP
 class MANAGEMENT
  conform-action transmit exceed-action transmit
  exit
 class Drop
  drop
  exit
My idea is to allow, with ACL 101, the trusted IP address for SSH login (rate-limit maybe later).
With ACL 102, deny all other IP addresses for SSH connections, and also, with the use of the established keyword, deny TCP SYN floods against port 22.
Is this solution OK for my idea?
My 2nd question: what happens to the already configured ip access-list standard vty-access?
As far as I understood, management traffic destined to the router itself is handled at process level, so the already
configured ip access-list standard vty-access is checked after CoPP and hence makes no sense?
I hope everyone gets what I plan to do.
Any helpful suggestion or explanation would be excellent.
Thank you
02-18-2020 11:51 PM
Hi Francesco,
Just to get it right,
if I put the deny <trusted ssh ip address> at the first line of ACL 102, the IP address is then checked against the match access-group 102 and, because it is a deny statement, it is not part of the class Drop and hence permitted.
Tried this yesterday and the policy-map doesn't support the drop command (ISR 4300 Series IOS XE 16.2) as a standalone
command. Only with police 8000 conform-action drop. This is not what I want.
Any solution?
Thanks
02-18-2020 08:06 PM
02-19-2020 03:11 AM
Hello everyone
Regarding the policy-map "drop" command not being supported:
I found the solution in the Cisco CoPP best practice.
In some versions of IOS, the keyword drop may be used in place of the keyword police when the desired action is to deny all traffic within the affected class. For example, the following policy drops all traffic matching class ONE:
!
policy-map CoPP
class ONE
class TWO
class THREE
police 10000 1500 1500 conform-action transmit exceed-action drop
As shown in the example, traffic matching class ONE or class TWO is permitted without using a police statement with each class. Check the release notes for your version of IOS to determine whether this option is available for policing traffic.
!
policy-map CoPP
class ONE
police 10000 1500 1500 conform-action drop exceed-action drop
class TWO
police 10000 1500 1500 conform-action transmit exceed-action drop
The above is equivalent to:
!
policy-map CoPP
class ONE
drop
class TWO
police 10000 1500 1500 conform-action transmit exceed-action drop
As shown in the above example, traffic matching class ONE is simply dropped. Using the drop keyword is equivalent to using the police statement with both conform and exceed actions of drop. While the police statement is available in all Cisco IOS releases, the drop keyword is only available in certain releases. Check the release notes for your version of Cisco IOS to determine which options are available for policing traffic.
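A complete CoPP configuration that combines the thread's ACLs, the class order that keeps the trusted host out of the Drop class, and the police form of drop for images where the standalone drop keyword is rejected. This is an added example, not a configuration from any of the posts; xx.xx.xx.xx and yy.yy.yy.yy are the thread's placeholders for the trusted host and the router address, and the police rates are placeholders (in the MANAGEMENT class both actions transmit, so the rate does not limit anything).

```cisco
! ACL 101: trusted management host to the router's own SSH port
access-list 101 remark ** trusted SSH source **
access-list 101 permit tcp host xx.xx.xx.xx host yy.yy.yy.yy eq 22
!
! ACL 102: every other SSH attempt. The leading deny excludes the trusted
! host from this class even if the class order in the policy is changed later.
access-list 102 remark ** SSH from untrusted sources **
access-list 102 deny   tcp host xx.xx.xx.xx any eq 22
access-list 102 permit tcp any any eq 22
!
class-map match-all MANAGEMENT
 match access-group 101
class-map match-all DROP-SSH
 match access-group 102
!
policy-map CoPP
 ! classes are evaluated top-down: a packet classified into MANAGEMENT
 ! is never evaluated against DROP-SSH
 class MANAGEMENT
  police 8000 conform-action transmit exceed-action transmit
 class DROP-SSH
  ! standalone "drop" is not accepted on this IOS XE release;
  ! police with both actions set to drop is the documented equivalent
  police 8000 conform-action drop exceed-action drop
 class class-default
  ! all other control-plane traffic is left untouched by this policy
!
control-plane
 service-policy input CoPP
!
! The vty access-class is still evaluated at process level for the
! sessions that CoPP lets through, so it remains a second, independent layer.
ip access-list standard vty-access
 permit host xx.xx.xx.xx log
line vty 0 4
 access-class vty-access in
 transport input ssh
```

Verify classification with show policy-map control-plane and confirm the trusted host's hits land in MANAGEMENT and the untrusted attempts in DROP-SSH before relying on it.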