That should be CPPr not CoPP. It can be applied to CoPP. If you disable
CEF, you can see that only CPPr features get disabled.

With regards
Kings

On Thu, May 3, 2012 at 1:10 AM, Eugene Pefti <[email protected]> wrote:

> According to Cisco, FPM cannot be applied to a control-plane.
>
> http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fpm.html
>
> Restrictions for Flexible Packet Matching
>
> <snip>
>
> • Mapping of FPM policies to control-plane is not supported.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
> *Sent:* 02 May 2012 08:47
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] FPM to restrict vty access
>
> Hi all
>
> The task asks to allow ssh only from 4.8.6.0/24 and the restriction is
> that we should not use access-lists. So FPM is the only answer.
>
> In the following config, the class-map gets matched and 4.8.6.0/24 is
> allowed in. The issue is that I need a wildcard class-map to block other
> ssh connections. But that doesn't work in the following solution.
>
>
> class-map type access-control match-all telblk
>  match field TCP dest-port eq 22
>
> class-map type access-control match-all vlan6
>  match field TCP dest-port eq 22
>  match field IP source-addr eq 4.8.6.0 mask 0.0.0.255
>
> class-map type stack match-all tcp
>  stack-start l2-start
>  match field ETHER type eq 0x800 next IP
>  match field IP protocol eq 6 next TCP
>
>
> policy-map type access-control ssh
>  class vlan6
>  class telblk
>    drop
>
> policy-map type access-control tcp
>  class tcp
>   service-policy ssh
>
> control-plane
>  service-policy type access-control input tcp
>
>
> The following two alternative class-maps also don't work
>
> class-map type access-control match-all telblk
> match field  ip source-addr  range 0.0.0.0 255.255.255.255
>
> class-map type access-control match-all telblk
> match field  ip source-addr 0.0.0.0 mask 255.255.255.255
>
>
> With regards
> Kings
>