I'm confused, Kings. For me CPPr and CoPP are still control-plane. Why would I need to disable CEF if FPM is implemented purely in CEF?
Eugene

From: Kingsley Charles [mailto:[email protected]]
Sent: 02 May 2012 13:16
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] FPM to restrict vty access

That should be CPPr not CoPP. It can be applied to CoPP. If you disable cef, you can see that only CPPr features get disabled.

With regards
Kings

On Thu, May 3, 2012 at 1:10 AM, Eugene Pefti <[email protected]> wrote:

According to Cisco FPM can not be applied to a control-plane.
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fpm.html
Restrictions for Flexible Packet Matching
<snip>
*Mapping of FPM policies to control-plane is not supported.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: 02 May 2012 08:47
To: [email protected]
Subject: [OSL | CCIE_Security] FPM to restrict vty access

Hi all

The task asks to allow ssh only from 4.8.6.0/24 and the restriction is that we should not use access-lists. So FPM is the only answer. In the following config, the class-map gets matched and 4.8.6.0/24 is allowed in. The issue is that I need a wildcard class-map to block other ssh connections. But that doesn't work in the following solution.
    class-map type access-control match-all telblk
     match field TCP dest-port eq 22
    class-map type access-control match-all vlan6
     match field TCP dest-port eq 22
     match field IP source-addr eq 4.8.6.0 mask 0.0.0.255
    class-map type stack match-all tcp
     stack-start l2-start
     match field ETHER type eq 0x800 next IP
     match field IP protocol eq 6 next TCP
    policy-map type access-control ssh
     class vlan6
     class telblk
      drop
    policy-map type access-control tcp
     class tcp
      service-policy ssh
    control-plane
     service-policy type access-control input tcp

The following two alternative class-maps also don't work:

    class-map type access-control match-all telblk
     match field ip source-addr range 0.0.0.0 255.255.255.255

    class-map type access-control match-all telblk
     match field ip source-addr 0.0.0.0 mask 255.255.255.255

With regards
Kings
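The same intent expressed as an FPM policy attached to the ingress interface, which is the attachment point the Cisco document quoted in this thread allows (the doc lists control-plane as unsupported). This is an added example, not configuration posted by anyone in the thread; the interface name, class/policy names and the PHDF file locations are assumptions.

```cisco
! Added example, not from the thread. FPM needs the protocol header
! definition files loaded before "match field" can reference ETHER/IP/TCP;
! the flash: paths are assumed.
load protocol flash:ether.phdf
load protocol flash:ip.phdf
load protocol flash:tcp.phdf
!
! Stack class: Ethernet -> IPv4 -> TCP, so the TCP fields can be matched
class-map type stack match-all ip-tcp
 stack-start l2-start
 match field ETHER type eq 0x800 next IP
 match field IP protocol eq 6 next TCP
!
! SSH from the management network (same mask form as Kings' vlan6 class)
class-map type access-control match-all ssh-mgmt
 match field TCP dest-port eq 22
 match field IP source-addr eq 4.8.6.0 mask 0.0.0.255
!
! Any other SSH attempt; no wildcard class is needed because classes are
! evaluated in order and this one is listed after ssh-mgmt
class-map type access-control match-all ssh-other
 match field TCP dest-port eq 22
!
! ssh-mgmt has no action (pass); everything else to port 22 is dropped;
! traffic that matches neither class is untouched
policy-map type access-control ssh-restrict
 class ssh-mgmt
 class ssh-other
  drop
!
policy-map type access-control fpm-in
 class ip-tcp
  service-policy ssh-restrict
!
! Attach on the interface the management traffic arrives on (name assumed),
! not under "control-plane"
interface GigabitEthernet0/0
 service-policy type access-control input fpm-in
```

Verify with "show policy-map type access-control interface GigabitEthernet0/0" that the ssh-other class counters increment for SSH from outside 4.8.6.0/24 while ssh-mgmt counts the permitted sessions.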
