In Lab6.3, you have a request to allow r5 and r6 to only allow inbound ssh.

Here was your config:

    class-map type port-filter Task63
     match port tcp 23
    policy-map type port-filter Task63
     class Task63
    control-plane host
     service-policy type port-filter input Task63

This should allow telnet, and since no drop method is specified, all other protocols are allowed as well. I tested this, and I was able to telnet from any device to R5 and R6.

Here is the config I used:

    class-map type port-filter match-any CM_portfilter
     match not port tcp 22
    policy-map type port-filter PM_portfilter
     class CM_portfilter
      drop
    control-plane host
     service-policy type port-filter input PM_portfilter

This drops all traffic except SSH, which is what the lab requested. I also tested this and it works.

Just on a side note from past experience, I was playing with the match closed-ports command, and I found an interesting thing. When you are using stateful nat without hsrp, the routers communicate with one another over a specific port. This communication will be blocked when using the closed-port command. The interesting thing here is that this is not a closed port, as it is listed in the listening ports when executing the show control-plane host open-ports (possible bug?). This was in 12.4(15)T:

    class-map type port-filter match-any CM_portfilter
     match closed-ports
    policy-map type port-filter PM_portfilter
     class CM_portfilter
      drop
    control-plane host
     service-policy type port-filter input PM_portfilter
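
Added example, not part of the original post or the lab workbook: a small Python check that reads IOS configuration text and flags the problem discussed above, a port-filter class with no drop action, along with policy-maps that reference an undefined class-map. The function name `audit_port_filter` and the sample config are constructed for illustration; it assumes, as the post states, that a class without `drop` filters nothing.

```python
import re

# Constructed sample: a port-filter class with no action, as in the lab config quoted above.
NO_ACTION = """\
class-map type port-filter Task63
 match port tcp 23
policy-map type port-filter Task63
 class Task63
control-plane host
 service-policy type port-filter input Task63
"""

def audit_port_filter(config):
    """Return a list of findings about port-filter policies in IOS config text."""
    class_maps, policies, attached = set(), {}, []
    pmap = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"class-map type port-filter (?:match-(?:any|all) )?(\S+)$", line):
            class_maps.add(m.group(1))
            pmap = cls = None
        elif m := re.match(r"policy-map type port-filter (\S+)$", line):
            pmap, cls = m.group(1), None
            policies[pmap] = {}
        elif m := re.match(r"service-policy type port-filter input (\S+)$", line):
            attached.append(m.group(1))
        elif pmap and (m := re.match(r"class (\S+)$", line)):
            cls = m.group(1)
            policies[pmap][cls] = False      # no drop action seen yet
        elif pmap and cls and line == "drop":
            policies[pmap][cls] = True
        elif line.startswith("control-plane"):
            pmap = cls = None                # left policy-map configuration
    findings = []
    for name, classes in policies.items():
        for cname, drops in classes.items():
            if cname not in class_maps:
                findings.append(f"{name}: class {cname} has no matching class-map")
            elif not drops:
                findings.append(f"{name}: class {cname} has no drop action")
    for name in attached:
        if name not in policies:
            findings.append(f"service-policy references undefined policy-map {name}")
    return findings

if __name__ == "__main__":
    for finding in audit_port_filter(NO_ACTION):
        print(finding)
```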
