Cisco NX-OS CoPP Exemptions

Lyphiard
Level 1

I currently have a public-facing switch configured with many constantly-changing VLANs with SVIs. I've recently been facing an issue where multiple IPs are trying to brute-force my SSH login. Having some kind of firewall in front of the switch currently is not an option.


I've been looking into using CoPP to allow SSH only from certain IP addresses. Since I have multiple SVIs, I'd like to use CoPP to enable me to block SSH on all IPs instead of needing to apply an ACL to each individual VLAN.


Here's my current configuration:

ip access-list copp-global
  10 permit tcp addrgroup management-ip any eq 22
  20 deny tcp any any eq 22
class-map type control-plane match-any copp-global
  match access-group name copp-global
policy-map type control-plane copp-global
  class copp-global
    police pps 0
control-plane
  service-policy input copp-global

Essentially, I want to allow anyone in management-ip to access port 22, but block everyone else. However, the documentation for class-map states that the permit and deny clauses are ignored. This causes both 10 and 20 to be recognized as "deny" statements.


What would be the best way to go about accomplishing this?


1 Reply

Reza Sharifi
Hall of Fame

Hi,

You need an inbound access list on the interface facing the outside that has a public IP address with permit and deny statements.

HTH
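Added example, not part of the thread above and not Cisco's code: a small Python model of how NX-OS CoPP classifies control-plane packets, written to show why the poster's single ACL-based class drops all SSH and how ordering two classes yields the exemption the poster wanted. It rests on two assumptions that a practitioner should verify on the device: (1) an ACL bound to a control-plane class-map matches on any ACE regardless of its permit/deny action, as the poster quotes from the documentation, and (2) classes in a control-plane policy-map are evaluated in order, with the first matching class applying. The management prefix, the policer rate of 1000 pps, the class names and all addresses are constructed for the example (RFC 5737 documentation ranges).

```python
# Added example (not from the original post or from Cisco): a model of NX-OS CoPP
# classification used to compare the poster's one-class layout with a two-class
# layout that exempts management SSH. Assumptions: an ACE in a CoPP class-map ACL
# is a match regardless of permit/deny, and policy-map classes are first-match.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Ace:
    action: str            # "permit" or "deny"; CoPP classification ignores this
    proto: str             # e.g. "tcp"
    src: List[str]         # source prefixes, or ["any"]
    dport: Optional[int]   # destination port, None = any port


@dataclass
class Packet:
    proto: str
    src: str
    dport: int


@dataclass
class CoppClass:
    name: str
    acl: List[Ace]
    police_pps: int        # 0 means every matched packet is dropped


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Field match only: the ACE's permit/deny action is deliberately not consulted."""
    if ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if "any" in ace.src:
        return True
    return any(ip_address(pkt.src) in ip_network(p) for p in ace.src)


def classify(policy: List[CoppClass], pkt: Packet) -> Optional[CoppClass]:
    """First class whose ACL has any matching ACE wins; None means class-default."""
    for cls in policy:
        if any(ace_matches(a, pkt) for a in cls.acl):
            return cls
    return None


def verdict(policy: List[CoppClass], pkt: Packet) -> str:
    cls = classify(policy, pkt)
    if cls is None:
        return "class-default"
    return "drop" if cls.police_pps == 0 else f"police {cls.police_pps} pps via {cls.name}"


def lint_copp_acl(name: str, acl: List[Ace]) -> List[str]:
    """Flag deny ACEs in an ACL bound to a control-plane class-map: CoPP still matches them."""
    return [f"{name} seq {i}: 'deny' ACE is still a match for CoPP classification"
            for i, a in enumerate(acl, start=1) if a.action == "deny"]


MGMT = ["192.0.2.0/24"]   # constructed stand-in for the poster's 'management-ip' group

# The poster's layout: one ACL with a permit and a deny, policed to 0 pps.
ORIGINAL_POLICY = [
    CoppClass("copp-global",
              [Ace("permit", "tcp", MGMT, 22), Ace("deny", "tcp", ["any"], 22)],
              police_pps=0),
]

# Exemption by class ordering (hypothetical class names): management SSH is
# matched first and rate-limited normally; all other SSH falls into the drop class.
CORRECTED_POLICY = [
    CoppClass("copp-ssh-mgmt", [Ace("permit", "tcp", MGMT, 22)], police_pps=1000),
    CoppClass("copp-ssh-drop", [Ace("permit", "tcp", ["any"], 22)], police_pps=0),
]

SAMPLE = {                                         # constructed traffic
    "mgmt_ssh": Packet("tcp", "192.0.2.10", 22),
    "other_ssh": Packet("tcp", "198.51.100.7", 22),
    "mgmt_https": Packet("tcp", "192.0.2.10", 443),
}


def run(policy: List[CoppClass]) -> Dict[str, str]:
    """Verdict for every sample packet under the given policy."""
    return {label: verdict(policy, pkt) for label, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for warning in lint_copp_acl("copp-global", ORIGINAL_POLICY[0].acl):
        print("warning:", warning)
    print("original :", run(ORIGINAL_POLICY))
    print("corrected:", run(CORRECTED_POLICY))
```

Under the first assumption the poster's class matches management SSH through ACE 10 and everything else through ACE 20, so `police pps 0` drops both; the two-class layout keeps the permit-only ACLs and lets ordering do the exemption. In NX-OS terms that is two ACLs, two `class-map type control-plane` entries and both classes listed in that order under the policy-map, with the management class first. Whichever approach is chosen, CoPP or the interface ACL the reply recommends, confirm the result with `show policy-map interface control-plane` (drop counters on the SSH class) and with a login attempt from a non-management address.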
