[c-nsp] CoPP for SSH on nexus 7k. Confused!

Colin Whittaker colin at netech.ie
Wed Oct 20 11:19:39 EDT 2010


So the way I have handled this is that I just match any SSH traffic in
the undesirable ACL. It works perfectly on both 4.2 and 5.0.

IP access list copp-system-acl-undesirable
        10 permit udp any any eq 1434
        20 permit tcp any any eq 22

One thing to watch for is that with this config you will be unable to
SSH from the device to anywhere. Adding an ACL entry to allow
established works around this.

IP access list copp-system-acl-ssh
        10 permit tcp any eq 22 any established

The next NX-OS release is supposed to have VTY ACLs, which will make
life much, much easier.

Colin

On Wed, Oct 20, 2010 at 04:42:49PM +1100, Shanawaz wrote:
> ** ip addresses used are imaginary **
> 
> Here's a really dumbed-down version of my CoPP implementation. It's pretty
> simple. I have ACLs to allow SSH from anywhere in my network, and then
> allow telnet from anywhere in my network (note there is an unintentional
> deny statement in that access-list). Then there is the ACL for matching any
> other SSH traffic and
> 
> My policy map says 'any SSH from outside my network' gets dropped.
> 
> However, in reality I am able to SSH into my box from anywhere, even from
> outside my network. So I have 2 questions.
> 
> 1. I assume this is happening because all traffic is matching the deny
> statement in the ACL copp-system-acl-telnet. What does the deny in a CoPP
> ACL do?
> 2. Isn't there a 'deny ip any any' by default at the end of all access-lists?
> In this case, even the ACL copp-system-acl-ssh would have a deny ip any any
> at the end.
> 
> I have tried my best to explain, but if you don't understand the
> scenario, I can try again ;)
> 
> class-map type control-plane match-any copp-system-class-management
>   match access-group name copp-system-acl-ssh
>   match access-group name copp-system-acl-telnet
> 
> class-map type control-plane match-any copp-system-class-undesirable
>   match access-group name copp-system-acl-ssh-deny
> 
> policy-map type control-plane copp-system-policy
>   class copp-system-class-management
>     police cir 10000 kbps bc 375 ms conform transmit violate drop
>   class copp-system-class-undesirable
>     police cir 32 kbps bc 375 ms conform drop violate drop
>   class class-default
>     police cir 100 kbps bc 375 ms conform transmit violate drop
> 
> control-plane
>   service-policy input copp-system-policy
> 
> ip access-list copp-system-acl-ssh
>   10 permit tcp 129.63.8.0/24 any eq 22
> 
> ip access-list copp-system-acl-telnet
>   10 permit ip 129.63.8.0/24 any
>   20 deny ip any any
> 
> ip access-list copp-system-acl-ssh-deny
>   10 permit tcp any any eq 22 log
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

-- 
Colin Whittaker					+353 (0)86 8211 965
http://colin.netech.ie			            colin at netech.ie
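To make the classification behaviour discussed in this thread concrete, here is an added example (not code from Colin's or Shanawaz's posts) that models how a CoPP policy-map walks its class-maps and ACLs and then runs Colin's two ACLs over a few constructed packets. It assumes plain MQC semantics: ACEs are tried in sequence and the first hit decides; a match-any class claims a packet when any of its ACLs permits it, so a deny ACE or the implicit deny at the end of an ACL means "not this class" rather than "drop"; classes are evaluated in policy-map order and the first match wins, everything else falling into class-default. The class order (management above undesirable), the switch address 192.0.2.1 and the peer 203.0.113.5 are assumptions for the demo; whether Nexus 7000 CoPP treats deny ACEs this way is exactly what the thread is asking, so treat that part as the model's assumption, not as a statement about NX-OS.

```python
"""Model of how a CoPP policy-map classifies a punted packet (added example).

Assumed MQC semantics: first matching ACE decides; a match-any class claims a
packet when one of its ACLs *permits* it; deny ACEs and the implicit deny only
exclude the packet from that class; classes are tried in policy-map order.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag
    rst: bool = False   # TCP RST flag ("established" matches ACK or RST set)


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: str                    # "any" or a prefix such as 129.63.8.0/24
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    established: bool = False


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def parse_ace(line: str) -> Ace:
    """Parse the NX-OS ACE subset seen in the thread:
    <seq> <action> <proto> <src> [eq <port>] <dst> [eq <port>] [established] [log]"""
    toks = line.split()
    action, proto = toks[1], toks[2]
    i = 3
    src, i = toks[i], i + 1
    sport = None
    if i < len(toks) and toks[i] == "eq":
        sport, i = int(toks[i + 1]), i + 2
    dst, i = toks[i], i + 1
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport, i = int(toks[i + 1]), i + 2
    return Ace(action, proto, src, sport, dst, dport, "established" in toks[i:])


def parse_acl(text: str):
    return [parse_ace(line) for line in text.strip().splitlines() if line.strip()]


def ace_matches(ace: Ace, p: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    if not (_addr_match(ace.src, p.src) and _addr_match(ace.dst, p.dst)):
        return False
    if ace.sport is not None and ace.sport != p.sport:
        return False
    if ace.dport is not None and ace.dport != p.dport:
        return False
    if ace.established and not (p.ack or p.rst):
        return False
    return True


def acl_result(aces, p: Packet) -> str:
    """First matching ACE decides; no match at all is the implicit deny."""
    for ace in aces:
        if ace_matches(ace, p):
            return ace.action
    return "deny"


def classify(policy, acls, p: Packet) -> str:
    """policy: ordered list of (class_name, [acl names]) as in the policy-map.
    A match-any class claims the packet when any of its ACLs permits it."""
    for cls, acl_names in policy:
        if any(acl_result(acls[n], p) == "permit" for n in acl_names):
            return cls
    return "class-default"


# Colin's two ACLs, copied from the post.
ACLS = {
    "copp-system-acl-ssh": parse_acl("10 permit tcp any eq 22 any established"),
    "copp-system-acl-undesirable": parse_acl("""
        10 permit udp any any eq 1434
        20 permit tcp any any eq 22
    """),
}

# Assumed class order: the management class sits above the undesirable class.
POLICY = [
    ("copp-system-class-management", ["copp-system-acl-ssh"]),
    ("copp-system-class-undesirable", ["copp-system-acl-undesirable"]),
]

# Constructed packets toward a switch at 192.0.2.1 (assumed address).
INBOUND_SSH_SYN = Packet("tcp", "203.0.113.5", 40000, "192.0.2.1", 22)
# Reply to an SSH session the switch itself opened: source port 22, ACK set.
SSH_REPLY = Packet("tcp", "203.0.113.5", 22, "192.0.2.1", 52000, ack=True)
# A bare SYN from port 22: not part of an established flow, so no ACK bit.
SYN_FROM_22 = Packet("tcp", "203.0.113.5", 22, "192.0.2.1", 52000)


def demo():
    cases = [("inbound ssh syn", INBOUND_SSH_SYN), ("ssh reply", SSH_REPLY),
             ("syn from port 22", SYN_FROM_22)]
    return {name: classify(POLICY, ACLS, p) for name, p in cases}


if __name__ == "__main__":
    for name, cls in demo().items():
        print(f"{name:18} -> {cls}")
```

Under these semantics an inbound SSH SYN lands in the undesirable class, the ACK-bearing reply to a session the switch opened is caught by the established ACE in the management class before the undesirable class gets a look, and a bare SYN from source port 22 matches neither and falls to class-default. Running Shanawaz's copp-system-acl-telnet through acl_result shows what a deny ACE does in this model: it returns "deny" for traffic outside 129.63.8.0/24, which keeps that traffic out of the management class but does not itself drop anything.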

