05-27-2025 12:59 AM
Hi,
May I ask if there is any way to deploy my own class-map into the default system-cpp-policy?
I’m trying to restrict SSH connections to only one loopback address, and have all other IPs dropped.
On basic routers, I achieved this using an extended ACL that matches the specific loopback IP and denies the rest.
Then, I created a class-map using that ACL, a policy-map referencing the class-map, and finally applied it to the control-plane.
This worked successfully on an ISR4221/K9.
However, I'm facing issues with the same setup on a WS-C3650-24TS.
So my question is:
Is there any way to edit the default policy-map by adding my own class-map that includes an ACL restricting SSH connections?
Extended IP access list SSH_ONLY_LOOPBACK
10 deny tcp any host <ip address> eq 22
20 permit tcp any any eq 22
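The full control-plane policy the question describes (ACL, class-map, policy-map, service-policy on the control plane), written out as an added example rather than copied from the original post. The loopback address 192.0.2.1 and the names SSH_DROP and COPP_SSH are assumed placeholders; the ACL logic is the one from the question, where a packet the ACL permits is the one the class matches and therefore drops, so the loopback line is a deny (not matched, not dropped) and everything else is a permit (matched, dropped).

```cisco
! --- added example, not the poster's configuration; 192.0.2.1 is a documentation address ---
! ACL used for CoPP classification: "permit" = matched by the class = dropped by the policy.
ip access-list extended SSH_ONLY_LOOPBACK
 ! loopback target is denied here so it does NOT match the drop class and stays reachable
 10 deny   tcp any host 192.0.2.1 eq 22
 ! every other SSH destination matches the class and is dropped
 20 permit tcp any any eq 22

! class-map selects SSH traffic to the control plane that is not destined to the loopback
class-map match-all SSH_DROP
 match access-group name SSH_ONLY_LOOPBACK

! policy-map drops that class; class-default is left untouched so other control-plane traffic is unaffected
policy-map COPP_SSH
 class SSH_DROP
  drop
 class class-default

! apply inbound on the control plane (this is what the ISR4221 accepted)
control-plane
 service-policy input COPP_SSH
```

To confirm the policy is doing what is intended, `show policy-map control-plane` reports per-class packet counts, so an SSH attempt to a non-loopback address should raise the SSH_DROP drop counter while a session to 192.0.2.1 leaves it unchanged. Because the match/drop logic is inverted relative to an access-class ACL (where permit means allow), this ACL must not be reused on a `line vty` with `access-class`.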
07-10-2025 07:50 AM
Sick question G. Your ISR4221/K9 allowed this because ISR platforms support custom CoPP....
But no. You cannot modify the default system-cpp-policy directly on a Catalyst 3650 switch.
So while you can't directly edit system-cpp-policy, you can achieve similar functionality by trying to restrict SSH access using an ACL, for example: #ip access-list extended SSH_ONLY_LOOPBACK then #permit tcp any host <lo IP> eq 22... and continue with #line vty 0 4 #access-class SSH_ONLY_LOOPBACK in and finally hit the transport input ssh. --- But this limits SSH access to only the defined source IPs or interfaces, and this is the way that Catalyst switches support....
2. Use an infrastructure ACL, 3. use CoPP if your platform supports it. And as usual if you need more info or some LABs... ping me G.
hope it helps.
-Enes
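The vty-based alternative from the reply above, written out as an added example (not Enes's or Cisco's own configuration) for a Catalyst whose system-cpp-policy cannot be edited. The loopback 192.0.2.1 and the management source network 198.51.100.0/24 are assumed placeholders. The important caveat it shows is that the ACL for `access-class` has the opposite sense from the CoPP ACL in the question: here `permit` means the session is allowed, so the loopback is the permit line and the explicit deny at the end logs everything else.

```cisco
! --- added example, not from the original thread; addresses are documentation ranges ---
! ACL for access-class: "permit" = session allowed, "deny" = session refused.
ip access-list extended SSH_ONLY_LOOPBACK
 ! only sessions from the management network to the loopback are accepted
 10 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.1 eq 22
 ! everything else is refused; "log" records the rejected source so it shows up in syslog
 20 deny   tcp any any eq 22 log

! apply the ACL to the inbound direction of every vty and allow only SSH as transport
line vty 0 4
 access-class SSH_ONLY_LOOPBACK in
 transport input ssh
line vty 5 15
 access-class SSH_ONLY_LOOPBACK in
 transport input ssh
```

`show access-lists SSH_ONLY_LOOPBACK` shows the hit counters on both lines, and the `log` keyword on the deny entry produces a syslog message for each refused attempt, which is the practical substitute for the CoPP drop counter the ISR would have provided. Apply the ACL to all vty ranges; a switch with lines 5-15 left without an access-class still accepts sessions on those lines.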
07-10-2025 07:58 AM
Router(config)#access-list 23 permit 10.10.10.0 0.0.0.255
Router(config)#line vty 5 15
Router(config-line)#transport input ssh
Router(config-line)#access-class 23 in
Router(config-line)#exit
Why don't you use access-class?
MHM