Kings,
What about adding control plane protection on the interface to limit the connects to SSH? If you use the control plane protection along with your FPM config it may satisfy the question.

  control-plane host
   management-interface fastethernet 0/1

Thanks,

Matt Manire
CCSP, CCNP, CCDP, MCSE 2003 & MCSE 2000
Information Systems Security Manager
t: 817.525.1863 | f: 817.525.1903 | m: 817.271.9165
First Rate | 1903 Ascension Boulevard | Arlington, TX 76006 | www.FirstRate.com

From: ccie_security-bounces On Behalf Of Kingsley Charles
Sent: Thursday, May 03, 2012 4:58 AM
To: Eugene Pefti
Subject: Re: [OSL | CCIE_Security] FPM to restrict vty access

We can use HEX or decimal in FPM. Only ZFW policy-maps have a class-default with a default drop action.

With regards
Kings

On Thu, May 3, 2012 at 1:36 PM, Eugene Pefti wrote:

One more look at your question produced another thought. Don't we have to use port numbers in HEX? In your case it should be "match field TCP dest-port 0x16" for SSH port 22.

Secondly, in your particular task, Kings, can't we make do with just one class-map of stack type by matching the source address and TCP port as follows:

  class-map type stack match-all IP-TCP-STACK
   match field IP protocol eq 0x6 next TCP
   match field IP source-addr eq 4.8.6.0 mask 255.255.255.0
   match field TCP dest-port eq 0x16 next IP

As far as I understand you don't have to look into the payload of the packet to match for more regex or bits. Then your policy-map would reference this class-map and the default class-map would drop everything else.

Eugene

From: Kingsley Charles
Date: Wed, 2 May 2012 21:17:05 +0530
Subject: [OSL | CCIE_Security] FPM to restrict vty access

Hi all

The task asks to allow SSH only from 4.8.6.0/24 and the restriction is that we should not use access-lists. So FPM is the only answer.

In the following config, the class-map gets matched and 4.8.6.0/24 is allowed in. The issue is that I need a wildcard class-map to block other SSH connections. But that doesn't work in the following solution.

  class-map type access-control match-all telblk
   match field TCP dest-port eq 22
  class-map type access-control match-all vlan6
   match field TCP dest-port eq 22
   match field IP source-addr eq 4.8.6.0 mask 0.0.0.255
  class-map type stack match-all tcp
   stack-start l2-start
   match field ETHER type eq 0x800 next IP
   match field IP protocol eq 6 next TCP
  policy-map type access-control ssh
   class vlan6
   class telblk
    drop
  policy-map type access-control tcp
   class tcp
    service-policy ssh
  control-plane
   service-policy type access-control input tcp

The following two alternative class-maps also don't work:

  class-map type access-control match-all telblk
   match field ip source-addr range 0.0.0.0 255.255.255.255

  class-map type access-control match-all telblk
   match field ip source-addr 0.0.0.0 mask 255.255.255.255

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
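To make the behaviour Kings describes concrete, here is a small Python model of how an FPM-style policy evaluates fixed header fields, added as an example; it is not Cisco code and not anyone's config from this thread. It assumes that a mask in "eq VALUE mask MASK" behaves like a subnet mask (only the bits set in MASK are compared), that class-maps are match-all, and that a policy with no matching class lets the packet through (no class-default drop, as Kings notes). The frames it evaluates are constructed sample data, not captures.

```python
"""Toy model of FPM-style header matching (added example, not Cisco code).

Assumptions, not taken from the thread: 'eq VALUE mask MASK' compares only
the bits set in MASK (subnet-mask semantics); class-maps are match-all; an
FPM policy-map with no matching class passes the packet unchanged.
"""
import ipaddress
import struct
from typing import Callable, List, Optional, Tuple

Frame = bytes
Predicate = Callable[[Frame], bool]
Policy = List[Tuple[Predicate, str]]   # ordered (class-map, action) pairs

ETH_LEN = 14  # Ethernet header: dst MAC, src MAC, EtherType


# --- field getters: the offsets a PHDF would describe for ETHER/IP/TCP -------
def ether_type(f: Frame) -> int:
    return struct.unpack_from("!H", f, 12)[0]

def ip_protocol(f: Frame) -> int:
    return f[ETH_LEN + 9]

def ip_source_addr(f: Frame) -> int:
    return struct.unpack_from("!I", f, ETH_LEN + 12)[0]

def tcp_dest_port(f: Frame) -> int:
    ihl = f[ETH_LEN] & 0x0F                 # IP header length in 32-bit words
    return struct.unpack_from("!H", f, ETH_LEN + ihl * 4 + 2)[0]


def field_eq(getter: Callable[[Frame], int], value: int,
             mask: Optional[int] = None) -> Predicate:
    """'match field X eq VALUE [mask MASK]': exact or masked comparison."""
    if mask is None:
        return lambda f: getter(f) == value
    return lambda f: (getter(f) & mask) == (value & mask)

def class_map_match_all(*conditions: Predicate) -> Predicate:
    """'class-map ... match-all': every match statement must hold."""
    return lambda f: all(c(f) for c in conditions)

def run_policy(policy: Policy, f: Frame) -> str:
    """First matching class wins; with no class-default, unmatched = permit."""
    for class_map, action in policy:
        if class_map(f):
            return action
    return "permit"

def addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


# --- the thread's class-maps, modelled ----------------------------------------
# stack class "tcp": EtherType IPv4 and IP protocol 6 (TCP)
TCP_STACK = class_map_match_all(field_eq(ether_type, 0x0800), field_eq(ip_protocol, 6))
# access-control class "vlan6": SSH from 4.8.6.0/24 (assumed subnet-mask semantics)
VLAN6 = class_map_match_all(field_eq(tcp_dest_port, 22),
                            field_eq(ip_source_addr, addr("4.8.6.0"), addr("255.255.255.0")))
# access-control class "telblk": any SSH, the wildcard catch-all
TELBLK = field_eq(tcp_dest_port, 22)

SSH_POLICY_NO_WILDCARD: Policy = [(VLAN6, "permit")]
SSH_POLICY_WITH_WILDCARD: Policy = [(VLAN6, "permit"), (TELBLK, "drop")]

def evaluate(f: Frame, ssh_policy: Policy) -> str:
    """Outer policy: class tcp -> nested ssh policy; non-TCP is left alone."""
    if not TCP_STACK(f):
        return "permit"
    return run_policy(ssh_policy, f)


# --- constructed test frames ---------------------------------------------------
def build_frame(src: str, dst: str, dport: int, proto: int = 6, sport: int = 40000) -> Frame:
    """Ethernet + 20-byte IPv4 + 20-byte TCP header; checksums zero (constructed data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip_hdr + l4


if __name__ == "__main__":
    inside = build_frame("4.8.6.10", "10.0.0.1", 22)
    outside = build_frame("192.0.2.5", "10.0.0.1", 22)
    for name, policy in (("no wildcard", SSH_POLICY_NO_WILDCARD),
                         ("with wildcard", SSH_POLICY_WITH_WILDCARD)):
        print(f"{name:14s} inside={evaluate(inside, policy)} outside={evaluate(outside, policy)}")
```

Run stand-alone it shows the point of the thread: with only the vlan6 class present, SSH from outside 4.8.6.0/24 falls through to the implicit permit, and only the wildcard telblk class with a drop action turns it away, while non-SSH and non-TCP traffic is untouched by either policy.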
