Shawn,
It should say to drop on that; I may have just not pasted the drop in there for telnet. As telnet and ssh are the only VTY protocols, what is shown should be fine if the drop keyword was there.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: [email protected] [mailto:[email protected]] On Behalf Of Shawn H. Mesiatowsky
Sent: Thursday, June 11, 2009 9:39 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Lab 6.3, PortFiltering

In Lab 6.3, you have a request to allow r5 and r6 to only allow inbound ssh. Here was your config:

  class-map type port-filter Task63
   match port tcp 23
  policy-map type port-filter Task63
   class Task63
  control-plane host
   service-policy type port-filter input Task63

This should allow telnet, and since no drop method is specified, all other protocols are allowed as well. I tested this, and I was able to telnet from any device to R5 and R6. Here is the config I used:

  class-map type port-filter match-any CM_portfilter
   match not port tcp 22
  policy-map type port-filter PM_portfilter
   class CM_portfilter
    drop
  control-plane host
   service-policy type port-filter input PM_portfilter

This drops all traffic except SSH, which is what the lab requested. I also tested this and it works.

Just on a side note from past experience, I was playing with the match closed-ports command, and I found an interesting thing. When you are using stateful NAT without HSRP, the routers communicate with one another over a specific port. This communication will be blocked when using the closed-ports command. The interesting thing here is that this is not a closed port, as it is listed in the listening ports when executing show control-plane host open-ports (possible bug?). This was in 12.4(15)T:

  class-map type port-filter match-any CM_portfilter
   match closed-ports
  policy-map type port-filter PM_portfilter
   class CM_portfilter
    drop
  control-plane host
   service-policy type port-filter input PM_portfilter
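An added model of the Control Plane Protection port-filter semantics discussed in the thread (example code, not from either poster or from Cisco): it evaluates the three configs above against a constructed open-ports table. The match-any/negation/closed-ports rules and the "no drop keyword means permit" behaviour it encodes are assumptions drawn from the thread, and the stateful NAT anomaly Shawn reports is not modelled.

```python
"""Constructed model of IOS port-filter class/policy evaluation."""
from dataclasses import dataclass


@dataclass
class MatchLine:
    kind: str            # "port" (match port tcp N) or "closed-ports"
    port: int = 0        # only used when kind == "port"
    negate: bool = False  # True for 'match not ...'

    def matches(self, dst_port: int, open_ports: set) -> bool:
        if self.kind == "port":
            hit = dst_port == self.port
        elif self.kind == "closed-ports":
            # a port is "closed" when the router is not listening on it
            hit = dst_port not in open_ports
        else:
            raise ValueError(f"unknown match kind {self.kind!r}")
        return not hit if self.negate else hit


@dataclass
class PortFilterClass:
    name: str
    lines: list
    drop: bool = False   # True when the policy-map class carries 'drop'

    def matches(self, dst_port: int, open_ports: set) -> bool:
        # match-any: any single match line is enough
        return any(line.matches(dst_port, open_ports) for line in self.lines)


def apply_policy(policy: list, dst_port: int, open_ports: set) -> str:
    """Return 'drop' or 'permit' for a TCP segment aimed at the host subinterface.

    First matching class decides; a class with no action permits, and
    traffic matching no class falls to class-default, which also permits."""
    for cls in policy:
        if cls.matches(dst_port, open_ports):
            return "drop" if cls.drop else "permit"
    return "permit"


# Constructed stand-in for 'show control-plane host open-ports' (TCP only).
OPEN_PORTS = {22, 23, 80}

# Lab 6.3 config as quoted: match tcp/23, no drop -> everything is permitted.
LAB_POLICY = [PortFilterClass("Task63", [MatchLine("port", 23)])]
# Shawn's fix: 'match not port tcp 22' plus drop -> only SSH survives.
FIXED_POLICY = [PortFilterClass("CM_portfilter", [MatchLine("port", 22, negate=True)], drop=True)]
# 'match closed-ports' plus drop -> only listening ports survive.
CLOSED_PORTS_POLICY = [PortFilterClass("CM_portfilter", [MatchLine("closed-ports")], drop=True)]
```

Running `apply_policy(pol, port, OPEN_PORTS)` for each policy against ports 22, 23 and 179 shows the lab config permitting all three, the fixed config permitting only 22, and the closed-ports config permitting only the ports in the open-ports table.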
