WS-C3650 CoPP – Is it possible to add custom class-map to system-cpp-p

Ivan-Homola
Level 1

Hi,

May I ask if there is any way to deploy my own class-map into the default system-cpp-policy?

I’m trying to restrict SSH connections to only one loopback address, and have all other IPs dropped.

On basic routers, I achieved this using an extended ACL that matches the specific loopback IP and denies the rest.
Then, I created a class-map using that ACL, a policy-map referencing the class-map, and finally applied it to the control-plane.

This worked successfully on an ISR4221/K9.

However, I'm facing issues with the same setup on a WS-C3650-24TS.

So my question is:
Is there any way to edit the default policy-map by adding my own class-map that includes an ACL restricting SSH connections?

Extended IP access list SSH_ONLY_LOOPBACK
10 deny tcp any host <ip address> eq 22
20 permit tcp any any eq 22


2 Replies

Enes Simnica
Level 1

Sick question, G. Your ISR4221/K9 allowed this because ISR platforms support custom CoPP....

But no. You cannot modify the default system-cpp-policy directly on a Catalyst 3650 switch.

So while you can't directly edit system-cpp-policy, you can achieve similar functionality by restricting SSH access using an ACL, for example: #ip access-list extended SSH_ONLY_LOOPBACK, then #permit tcp any host <lo IP> eq 22... and continue with #line vty 0 4, #access-class SSH_ONLY_LOOPBACK in, and finally hit transport input ssh.   --- But this limits SSH access to only the defined source IPs or interfaces, and this is the way that Catalyst switches support it....

2. Use an infrastructure ACL, 3. use CoPP if your platform supports it. And as usual, if you need more info or some labs... ping me, G. 

Hope it helps.


-Enes


more Cisco?!
more Gym?!

Router(config)#access-list 23 permit 10.10.10.0 0.0.0.255
Router(config)#line vty 5 15
Router(config-line)#transport input ssh
Router(config-line)#access-class 23 in
Router(config-line)#exit

Why don't you use access-class?

MHM
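The two ACL semantics in this thread, side by side, as an added example that is not part of any post here: a small Python model of IOS first-match ACL evaluation showing why the question's ACL (deny the loopback, permit the rest) is the right match list for a CoPP drop class, while the vty access-class in the replies needs the opposite form (permit the loopback only), and what happens if the CoPP ACL is reused unchanged under access-class. All addresses are constructed; 192.0.2.1 stands in for the loopback.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Ace:
    """One access-list entry of the form '<action> tcp any host <dst> eq <dport>'."""
    action: str            # "permit" or "deny"
    dst: str               # "any" or a single host address
    dport: Optional[int]   # TCP destination port, None means any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed sample address standing in for the management loopback.
LOOPBACK = "192.0.2.1"

# ACL from the question, meant as the match criterion of a CoPP class whose
# action is drop: 'deny' keeps the loopback OUT of the class, 'permit' pulls
# every other SSH destination INTO it (and therefore into the drop).
COPP_CLASS_ACL = (Ace("deny", LOOPBACK, 22), Ace("permit", "any", 22))

# ACL from the replies, applied with 'access-class ... in' on the vty lines:
# 'permit' admits the session; the implicit deny at the end rejects the rest.
VTY_ACCESS_CLASS_ACL = (Ace("permit", LOOPBACK, 22),)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    dst_ok = ace.dst == "any" or ace.dst == pkt.dst
    port_ok = ace.dport is None or ace.dport == pkt.dport
    return dst_ok and port_ok


def acl_lookup(acl: Sequence[Ace], pkt: Packet) -> str:
    """IOS-style first-match evaluation, ending in the implicit 'deny'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def copp_drops(pkt: Packet, acl: Sequence[Ace] = COPP_CLASS_ACL) -> bool:
    """Under a CoPP drop class, only traffic the ACL *permits* is matched and dropped."""
    return acl_lookup(acl, pkt) == "permit"


def vty_allows(pkt: Packet, acl: Sequence[Ace] = VTY_ACCESS_CLASS_ACL) -> bool:
    """Under access-class, only traffic the ACL *permits* may open the session."""
    return acl_lookup(acl, pkt) == "permit"
```

Passing `COPP_CLASS_ACL` to `vty_allows` shows the inversion: the loopback is the one destination that would be locked out.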