04-04-2013 05:09 AM - edited 03-04-2019 07:29 PM
Hi all!
I created CoPP and applied a service policy with an ACL like "permit tcp host x.x.x.x any telnet" to it.
It works very nicely if I have no VRF.
But all my users from VRF "USER" or "Manage" can telnet to the router :-(
What can you suggest?
04-04-2013 06:55 AM
Hello,
Are you sure about this:
permit tcp host x.x.x.x any telnet
Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
04-04-2013 09:19 PM
Hi Muhammad!
No, of course :-)
I created an ACL: "permit tcp any any eq telnet"
Then a class like "match access-group name my_acl"
Then I created a policy like this:
    policy-map ctrl
     class permitctrl
      police 32000 conform-action drop exceed-action drop
And then:
    control-plane
     service-policy input ctrl
But I think it doesn't matter.
It works very nicely with plain IP, but not with VRF :-(
04-05-2013 12:29 AM
Hello,
I read about CoPP, and what I understood is that it is not at the interface level, it is at the route-processor level...
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
To define appropriate policies for your CoPP configuration, you need to identify all of the traffic flows and packet rates for those flows that may be seen by CoPP. Typically, ACLs are used for the traffic flow identification task and, in most cases, the protocols as well as the source and destination IP addresses are well known. It is still quite likely that some surprise traffic flows will arise. The definition of these ACLs is one of the most critical steps in the CoPP process. MQC uses these ACLs to define the traffic classes, which in turn become the object of the policy actions (policing). Appropriate granularity in the distribution of protocols within these ACLs allows for better protection of the RP.
Management – ACL 121
    ! -- ACL for CoPP Management class
    access-list 121 permit tcp <NOC block> eq telnet
    access-list 121 permit tcp <NOC block> eq telnet established
    access-list 121 permit tcp <NOC block> eq 22
    access-list 121 permit tcp <NOC block> eq 22 established
    access-list 121 permit udp <NOC block> eq snmp
    access-list 121 permit tcp <NOC block> eq www
    access-list 121 permit udp <NOC block> eq 443
    access-list 121 permit tcp <NOC block> eq ftp
    access-list 121 permit tcp <NOC block> eq ftp-data
    access-list 121 permit udp <NOC block> eq syslog
    access-list 121 permit udp <NOC block> eq domain
    access-list 121 permit udp <NOC block> eq ntp
Regards
Thanveer
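Added example (editor's note, not from the thread above or from the Cisco white paper it quotes): a complete IOS CoPP configuration built along the lines the quoted white paper describes, with two management classes instead of one. The first class matches telnet/SSH from a trusted management block and is policed with conform-action transmit; the second matches telnet/SSH from anywhere else and is policed with conform-action drop / exceed-action drop, which drops every packet that class matches. Two things worth keeping in mind when reading it: a "permit" entry in the class ACL means "classify into this class", not "allow", so the action on the class decides what happens to the traffic; and classes are evaluated in order, so the trusted class has to come before the catch-all. The management block 10.0.0.0/24, the class and ACL names, and the police rates are assumptions for illustration. The vty access-class at the end is a second, independent layer: as documented for that command, without the vrf-also keyword sessions arriving through VRF interfaces are not accepted at all, so it is the natural place to enforce the management source restriction regardless of whether the CoPP policy classifies VRF-sourced traffic on a given platform.

```cisco
! Assumed trusted management block: 10.0.0.0/24 (illustration only)
ip access-list extended COPP-MGMT-TRUSTED
 permit tcp 10.0.0.0 0.0.0.255 any eq telnet
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
!
! Everything else aimed at telnet/SSH on the router itself
ip access-list extended COPP-MGMT-UNTRUSTED
 permit tcp any any eq telnet
 permit tcp any any eq 22
!
class-map match-any COPP-MGMT-TRUSTED
 match access-group name COPP-MGMT-TRUSTED
class-map match-any COPP-MGMT-UNTRUSTED
 match access-group name COPP-MGMT-UNTRUSTED
!
! Order matters: the trusted class must precede the catch-all class.
policy-map COPP
 class COPP-MGMT-TRUSTED
  police 128000 conform-action transmit exceed-action drop
 class COPP-MGMT-UNTRUSTED
  ! conform drop + exceed drop = every packet in this class is dropped
  police 8000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
!
! Independent second layer on the vty lines. "vrf-also" is required for
! sessions that arrive through VRF interfaces to be evaluated against the
! ACL at all (without it they are rejected outright).
ip access-list standard VTY-MGMT
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class VTY-MGMT in vrf-also
 transport input ssh
```

To verify which class a test telnet/SSH connection from a VRF-attached host actually lands in, watch the per-class counters while you connect: `show policy-map control-plane input` and `show access-lists COPP-MGMT-UNTRUSTED`. If the untrusted class counters do not move for a connection that still succeeds, that connection is not being classified by the CoPP policy on that path, and the vty access-class is the layer that has to stop it.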
02-12-2019 12:35 AM
Hi Oleg,
Did you get this sorted? Is the control plane VRF-aware? I'm facing a similar issue. Any contribution is welcome.