WS-C3650 CoPP – Is it possible to add custom class-map to system-cpp-p
05-27-2025 12:59 AM
Hi,
May I ask if there is any way to deploy my own class-map into the default system-cpp-policy?
I’m trying to restrict SSH connections to only one loopback address, and have all other IPs dropped.
On basic routers, I achieved this using an extended ACL that matches the specific loopback IP and denies the rest.
Then, I created a class-map using that ACL, a policy-map referencing the class-map, and finally applied it to the control-plane.
This worked successfully on an ISR4221/K9.
However, I'm facing issues with the same setup on a WS-C3650-24TS.
So my question is:
Is there any way to edit the default policy-map by adding my own class-map that includes an ACL restricting SSH connections?
Extended IP access list SSH_ONLY_LOOPBACK
10 deny tcp any host <ip address> eq 22
20 permit tcp any any eq 22
Labels: Other Switching
07-10-2025 07:50 AM
sick question G. ur ISR4221/K9 allowed this because ISR platforms support custom CoPP....
but no. U cannot modify the default system-cpp-policy directly on a Catalyst 3650 switch.
so while u can't directly edit system-cpp-policy, u can achieve similar functionality by trying to restrict SSH access using an ACL, for example:
ip access-list extended SSH_ONLY_LOOPBACK
 permit tcp any host <lo IP> eq 22
and continue with
line vty 0 4
 access-class SSH_ONLY_LOOPBACK in
and finally hit transport input ssh. --- but this limits SSH access to only the defined source IPs or interfaces, and this is the way that Catalyst switches support....
2. use an infrastructure ACL, 3. use CoPP if ur platform supports it. and as usual if u need more info or some LABs... ping me G.
hope it helps.
-Enes
more Gym?!
07-10-2025 07:58 AM
Router(config)#access-list 23 permit 10.10.10.0 0.0.0.255
Router(config)#line vty 5 15
Router(config-line)#transport input ssh
Router(config-line)#access-class 23 in
Router(config-line)#exit
Why do you not use access-class?
MHM
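To verify that the vty-based restriction discussed above is actually in place, here is an added example (not code from any poster in the thread) that audits a running-config fragment: it parses every `line vty` block and flags blocks without an inbound `access-class`, blocks whose `transport input` allows more than SSH, and `access-class` references to ACLs that do not exist. The config sample below is constructed for illustration.

```python
import re

# Constructed sample of a running-config fragment (not from the thread).
SAMPLE_CONFIG = """\
ip access-list standard MGMT_HOSTS
 permit 10.10.10.0 0.0.0.255
!
line vty 0 4
 access-class MGMT_HOSTS in
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
"""

def parse_vty_lines(config):
    """Return {block header: [child commands]} for every 'line vty' block."""
    sections = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return sections

def audit_vty(config):
    """List vty blocks that are not locked down to SSH from an explicit ACL."""
    findings = []
    # Named ACLs plus numbered ACLs (e.g. 'access-list 23 permit ...').
    acls = set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    acls |= set(re.findall(r"^access-list (\d+) ", config, re.M))
    for name, body in parse_vty_lines(config).items():
        has_acl = False
        for cmd in body:
            m = re.match(r"access-class (\S+) in", cmd)
            if m:
                has_acl = True
                if m.group(1) not in acls:
                    findings.append(f"{name}: access-class references unknown ACL {m.group(1)}")
            elif cmd.startswith("transport input") and cmd != "transport input ssh":
                findings.append(f"{name}: {cmd!r} allows more than SSH")
        if not has_acl:
            findings.append(f"{name}: no inbound access-class")
    return findings
```

Running `audit_vty(SAMPLE_CONFIG)` reports only the `line vty 5 15` block, which lacks an access-class and still accepts Telnet.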
07-12-2025 07:59 AM
I was sure I read about this case for BGP security; I could not find that doc, but I found this one, which is better.
Check this link for how you can use CoPP:
https://sites.google.com/site/amitsciscozone/qos/copp---control-plane-policing
MHM
07-12-2025 04:55 AM
This can be achieved with a normal ACL; you don't need to edit any CoPP here.
Or bind it to a source interface so that the devices can only connect to that IP (restricted to the local LAN).
