Labbed it and works for me. I am denying telnet to 1.1.1.1. The image is
12.4(15)T which is the one on the CCIE lab rack.
class-map type access-control match-all telnet
 match field IP dest-addr eq 16843009
 match field TCP dest-port eq 23
class-map type stack match-all tcpstack
 match field IP protocol eq 6 next TCP
!
!
policy-map type access-control telnet
 class telnet
  drop
policy-map type access-control tcpstack
 class tcpstack
  service-policy telnet
!
control-plane
 service-policy type access-control input tcpstack
router1#sh policy-map type access-control control-plane

 Control Plane

  Service-policy access-control input: tcpstack

    Class-map: tcpstack (match-all)
      4 packets, 240 bytes
      5 minute offered rate 0 bps
      Match: field IP protocol eq 6 next TCP

      Service-policy access-control : telnet

        Class-map: telnet (match-all)
          4 packets, 240 bytes
          5 minute offered rate 0 bps
          Match: field IP dest-addr eq 16843009
          Match: field TCP dest-port eq 23
          drop

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      6 packets, 1475 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
With regards
Kings
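Two things worth checking against output like the above, added here as an example and not part of Kings' post: that the integer in `match field IP dest-addr eq 16843009` really is the address you meant (16843009 is 1.1.1.1 as an unsigned 32-bit value), and that the nested class carrying the `drop` action is the one whose packet counter is climbing. The show output embedded below is a constructed, indented copy of the one posted; the parser keys each class by its enclosing service-policy path because `class-default` appears once per nesting level.

```python
"""Sanity checks for an FPM policy attached to the control plane (added example).

- ip_to_fpm_int / fpm_int_to_ip convert between dotted IPv4 and the integer
  form seen in 'match field IP dest-addr eq <n>'.
- parse_class_counters reads 'show policy-map type access-control ...' output
  and returns per-class packet/byte counters, match lines and drop flag.
- policy_is_dropping confirms the drop class is attached AND matching traffic.
"""
import ipaddress
import re

# Constructed copy of the posted show output, re-indented as IOS prints it.
SAMPLE_SHOW = """\
Control Plane
Service-policy access-control input: tcpstack
  Class-map: tcpstack (match-all)
    4 packets, 240 bytes
    5 minute offered rate 0 bps
    Match: field IP protocol eq 6 next TCP
    Service-policy access-control : telnet
      Class-map: telnet (match-all)
        4 packets, 240 bytes
        5 minute offered rate 0 bps
        Match: field IP dest-addr eq 16843009
        Match: field TCP dest-port eq 23
        drop
      Class-map: class-default (match-any)
        0 packets, 0 bytes
        5 minute offered rate 0 bps, drop rate 0 bps
        Match: any
  Class-map: class-default (match-any)
    6 packets, 1475 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: any
"""


def ip_to_fpm_int(addr: str) -> int:
    """Dotted-quad IPv4 -> unsigned 32-bit integer (e.g. 1.1.1.1 -> 16843009)."""
    return int(ipaddress.IPv4Address(addr))


def fpm_int_to_ip(value: int) -> str:
    """Inverse of ip_to_fpm_int, for reading a class-map back into dotted form."""
    return str(ipaddress.IPv4Address(value))


def parse_class_counters(show_output: str) -> dict:
    """Return {policy/.../class: {mode, packets, bytes, matches, drop}}.

    Nesting is recovered from indentation: a Class-map belongs to the most
    recent Service-policy printed at a smaller indent.
    """
    policies = []          # stack of (indent, policy_name)
    classes = {}
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        m = re.match(r"Service-policy .*?:\s*(\S+)", line)
        if m:
            while policies and policies[-1][0] >= indent:
                policies.pop()
            policies.append((indent, m.group(1)))
            continue
        m = re.match(r"Class-map: (\S+) \((match-\w+)\)", line)
        if m:
            while policies and policies[-1][0] >= indent:
                policies.pop()
            path = "/".join(p for _, p in policies) + "/" + m.group(1)
            current = classes.setdefault(path, {"mode": m.group(2), "packets": 0,
                                                "bytes": 0, "matches": [], "drop": False})
            continue
        if current is None:
            continue
        m = re.match(r"(\d+) packets, (\d+) bytes", line)
        if m:
            current["packets"], current["bytes"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("Match: "):
            current["matches"].append(line[len("Match: "):])
        elif line == "drop":               # action line, not 'drop rate 0 bps'
            current["drop"] = True
    return classes


def matched_dest_addr(classes: dict, class_path: str):
    """Dotted form of the 'IP dest-addr eq <n>' match in a class, or None."""
    for match in classes[class_path]["matches"]:
        m = re.match(r"field IP dest-addr eq (\d+)$", match)
        if m:
            return fpm_int_to_ip(int(m.group(1)))
    return None


def policy_is_dropping(classes: dict, class_path: str) -> bool:
    """True only if the class carries a drop action and has counted packets."""
    c = classes.get(class_path)
    return bool(c and c["drop"] and c["packets"] > 0)


if __name__ == "__main__":
    table = parse_class_counters(SAMPLE_SHOW)
    for path, c in table.items():
        print(f"{path}: {c['packets']} pkts, drop={c['drop']}")
    print("telnet class targets", matched_dest_addr(table, "tcpstack/telnet/telnet"))
    print("dropping:", policy_is_dropping(table, "tcpstack/telnet/telnet"))
```

A zero counter on the drop class, with the telnet session still opening, is the symptom Mark described; a rising counter on that class is the evidence that the policy has actually taken effect on the image in use, which is the distinction this thread turns on.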
On Sat, Jul 2, 2011 at 3:41 AM, Adil Pasha <[email protected]> wrote:
>
> I have done this question many times and it works.
>
> I am doing the lab tomorrow in IPX racks and routers so I am sure that IOS
> supports it.
>
> Hope I am not wrong and I will send you the config and stats.
>
> Best Regards.
> ______________________
> Adil
>
> On Jul 1, 2011, at 4:12 PM, Piotr Matusiak wrote:
>
> CSCsm32186
> fpm - policy action not taken when it is applied to control-plane
>
> I knew I saw it somewhere:
>
> "Mapping of FPM policies to control-plane is not supported. "
> http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fpm.html
>
>
> Regards,
> Piotr
>
>
> 2011/7/1 Mark Senteza <[email protected]>
>
>> Todd,
>>
>> at first that's what I was doing - telnetting to the Loopback IP from the
>> same router. But then I switched to telnetting from a remote router and I
>> still can't get it to work
>>
>>
>> On Fri, Jul 1, 2011 at 11:35 AM, Todd Heide <[email protected]> wrote:
>>
>>> Just curious, where are you trying to telnet from? If you attempt
>>> to telnet to a loopback IP on the same device you are consoled on, you will
>>> still be able to connect to it. No ACL can prevent that since it is the
>>> same physical device, and it thinks you are telnetting to it from its own
>>> IP. I don’t know how many times I banged my head against the desk trying to
>>> test an ACL that way.
>>>
>>>
>>> From: [email protected] [mailto:
>>> [email protected]] On Behalf Of Piotr Matusiak
>>> Sent: Friday, July 01, 2011 3:50 AM
>>> To: Mark Senteza
>>> Cc: [email protected]
>>> Subject: Re: [OSL | CCIE_Security] FPM troubleshooting
>>>
>>> FPM cannot be used for Control Plane! You must attach it to the physical
>>> interface in inbound direction.
>>>
>>> Regards,
>>> Piotr
>>>
>>> 2011/7/1 Mark Senteza <[email protected]>
>>>
>>> Hi again,
>>>
>>> I got the following FPM config setup on my router to prevent telnet to
>>> Loopback0 IP Address 3.3.3.3. However, when I telnet to 3.3.3.3 I am able to
>>> establish a connection. Where am I going wrong with my config?
>>>
>>> load protocol system:fpm/phdf/ip.phdf
>>> load protocol system:fpm/phdf/tcp.phdf
>>>
>>> class-map type stack match-all LAB83-STACK
>>>  match field IP protocol eq 6 next TCP
>>>
>>> class-map type access-control match-all TELNET-ACCESS
>>>  match field TCP dest-port eq 23
>>>  match field IP dest-addr eq 3.3.3.3
>>>
>>> policy-map type access-control TELNET-POLICY
>>>  class TELNET-ACCESS
>>>   drop
>>>
>>> policy-map type access-control STACK-POLICY
>>>  class LAB83-STACK
>>>   service-policy TELNET-POLICY
>>>
>>> control-plane
>>>  service-policy type access-control input STACK-POLICY
>>>
>>> CCIELAB-ROUTER-R1#telnet 3.3.3.3
>>> Trying 3.3.3.3 ... Open
>>>
>>>
>>> User Access Verification
>>>
>>> Password:
>>> CCIELAB-ROUTER-R3#
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
>>>
>>
>>