Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
406
Views
1
Helpful
4
Replies

WS-C3650 CoPP – Is it possible to add custom class-map to system-cpp-p

Ivan-Homola
Level 1
Level 1

‎05-27-2025 12:59 AM

Hi,

May I ask if there is any way to deploy my own class-map into the default system-cpp-policy?

I’m trying to restrict SSH connections to only one loopback address, and have all other IPs dropped.

On basic routers, I achieved this using an extended ACL that matches the specific loopback IP and denies the rest.
Then, I created a class-map using that ACL, a policy-map referencing the class-map, and finally applied it to the control-plane.

This worked successfully on an ISR4221/K9.

However, I'm facing issues with the same setup on a WS-C3650-24TS.

So my question is:
Is there any way to edit the default policy-map by adding my own class-map that includes an ACL restricting SSH connections?

Extended IP access list SSH_ONLY_LOOPBACK
10 deny tcp any host <ip address> eq 22
20 permit tcp any any eq 22

 

Labels:
4 Replies 4

Enes Simnica
Level 3
Level 3

‎07-10-2025 07:50 AM

sick question G. ur isr4221/k9 allowed this because ISR platforms support custom copp....

but no. U cannot modify the default #@system-cpp-policy directly on catalyst 3650 sw.

so while u cant directly edit system-cpppolicy u can achieve simiar functionality bu trying to restrict SSH access using and acl, for example: #ip access-list extended SSH_ONLY_LOOPBACK then #permit tcp any host <lo IP> eq 22... and continue with# line vty 0 4 #access-class SSH_ONLY_LOOPBACK in and finally hit the transport input ssh.   --- but this limits SSH access to only the defined source ipsS or interfaces and this is the way that catalyst switches support....

2. use infrastructure acl, 3. use copp if ur platform supports it. and as usual if u need more info or some LABs... ping me G. 

hope it helps.

 

-Enes

 

more Cisco?!
more Gym?!
0 Helpful

MHM Cisco World
VIP
VIP

‎07-10-2025 07:58 AM 

Router(config)#access-list 23 permit 10.10.10.0 0.0.0.255
Router(config)#line vty 5 15
Router(config-line)#transport input ssh
Router(config-line)#access-class 23 in
Router(config-line)#exit

why you not use access-class

MHM

0 Helpful

MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎07-12-2025 07:59 AM

I was sure I read about this case for BGP secure' I couldnot find doc but I found which is better 

Check this link how you can use CoPP

https://sites.google.com/site/amitsciscozone/qos/copp---control-plane-policing

MHM

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎07-12-2025 04:55 AM

This can be achieved in normal ACL, you do need to edit any CoPP here.

or bind to source interface for the devices can only connect that IP. (restricted to local LAN).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents