[c-nsp] CoPP for SSH on nexus 7k. Confused!

Shanawaz shanawaz at gmail.com
Wed Oct 20 01:42:49 EDT 2010


** ip addresses used are imaginary **

Here's a really dumbed down version of my CoPP implementation. It's pretty
simple. I have ACLs to allow ssh from anywhere in my network, and then
allow telnet from anywhere in my network (note there is an unintentional
deny statement in that access-list). Then there is the ACL for matching any
other SSH traffic and

My policy map says 'any SSH from outside my network' gets dropped.

However in reality, I am able to ssh into my box from anywhere, even from
outside my network. So I have 2 questions.

1. I assume this is happening because all traffic is matching the deny
statement in the ACL copp-system-acl-telnet. What does the deny in a CoPP
ACL do?
2. Isn't there a 'deny ip any any' by default at the end of all access-lists?
In this case, even the ACL copp-system-acl-ssh would have a deny ip any any
at the end.

I have tried my best to explain, but then if you don't understand the
scenario, I can try again ;)

class-map type control-plane match-any copp-system-class-management
  match access-group name copp-system-acl-ssh
  match access-group name copp-system-acl-telnet

class-map type control-plane match-any copp-system-class-undesirable
  match access-group name copp-system-acl-ssh-deny

policy-map type control-plane copp-system-policy
  class copp-system-class-management
    police cir 10000 kbps bc 375 ms conform transmit violate drop
  class copp-system-class-undesirable
    police cir 32 kbps bc 375 ms conform drop violate drop
  class class-default
    police cir 100 kbps bc 375 ms conform transmit violate drop

control-plane
  service-policy input copp-system-policy

ip access-list copp-system-acl-ssh
  10 permit tcp 129.63.8.0/24 any eq 22

ip access-list copp-system-acl-telnet
  10 permit ip 129.63.8.0/24 any
  20 deny ip any any

ip access-list copp-system-acl-ssh-deny
  10 permit tcp any any eq 22 log
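
Added example, not from the post or from NX-OS: a small Python model of the class-map/policy-map above that walks a packet through the classes in policy order (match-any over each class's ACLs, first matching ACE wins inside an ACL). The `deny_means_match` switch is a constructed parameter so the two possible readings of an explicit deny ACE can be compared; it does not state which reading the platform uses.

```python
import ipaddress

# Constructed model of the ACLs from the post: (action, proto, src, dst, dst_port or None).
ACLS = {
    "copp-system-acl-ssh":      [("permit", "tcp", "129.63.8.0/24", "0.0.0.0/0", 22)],
    "copp-system-acl-telnet":   [("permit", "ip",  "129.63.8.0/24", "0.0.0.0/0", None),
                                 ("deny",   "ip",  "0.0.0.0/0",     "0.0.0.0/0", None)],
    "copp-system-acl-ssh-deny": [("permit", "tcp", "0.0.0.0/0",     "0.0.0.0/0", 22)],
}

# Classes in policy-map order: (class name, ACLs it match-any's over, conform action).
POLICY = [
    ("copp-system-class-management",  ["copp-system-acl-ssh", "copp-system-acl-telnet"], "transmit"),
    ("copp-system-class-undesirable", ["copp-system-acl-ssh-deny"],                       "drop"),
    ("class-default",                 [],                                                  "transmit"),
]

def ace_matches(ace, pkt):
    """True if the packet's proto/src/dst/port fit the ACE (an 'ip' ACE covers any proto)."""
    action, proto, src, dst, port = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst):
        return False
    return port is None or port == pkt["dport"]

def acl_result(acl_name, pkt):
    """First matching ACE wins: 'permit', 'deny', or None for the implicit deny at the end."""
    for ace in ACLS[acl_name]:
        if ace_matches(ace, pkt):
            return ace[0]
    return None

def classify(pkt, deny_means_match):
    """Return (class, action) for the packet.
    deny_means_match=True : an explicit deny hit still pulls the packet into the class.
    deny_means_match=False: an explicit deny hit behaves like the implicit deny
                            (this ACL does not match), so the packet falls through."""
    for cls, acl_names, action in POLICY:
        if not acl_names:          # class-default catches everything left
            return cls, action
        for name in acl_names:     # match-any: any one ACL is enough
            r = acl_result(name, pkt)
            if r == "permit" or (r == "deny" and deny_means_match):
                return cls, action
    return "class-default", "transmit"
```

Under the deny-as-match reading, SSH from an outside source lands in the management class and is transmitted, which is the symptom described; under the other reading it falls through to the undesirable class and is dropped. Which reading applies on the box has to be confirmed from the platform documentation or a controlled test, not from this model.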


More information about the cisco-nsp mailing list