[c-nsp] CoPP for SSH on nexus 7k. Confused!
Shanawaz
shanawaz at gmail.com
Wed Oct 20 21:05:31 EDT 2010
This is a rather long email, so please be warned.
I have tried to simplify my config in the lab environment.
The hardware is the same as production: a Nexus 7010 running n7000-s1-dk9.4.2.4.bin.
Scenario 1:
Config
------
policy-map type control-plane copp-system-policy
  class copp-system-class-management
    police cir 10000 kbps bc 375 ms conform transmit violate drop
  class copp-system-class-undesirable
    police cir 32 kbps bc 375 ms conform drop violate drop
  class class-default
    police cir 100 kbps bc 375 ms conform transmit violate drop

control-plane
  service-policy input copp-system-policy

class-map type control-plane match-any copp-system-class-management
  match access-group name copp-system-acl-ssh
  match access-group name copp-system-acl-telnet
class-map type control-plane match-any copp-system-class-undesirable
  match access-group name copp-system-acl-ssh-deny

ip access-list copp-system-acl-ssh
  10 permit tcp 129.63.8.0/24 any eq 22
ip access-list copp-system-acl-telnet
  10 permit tcp 129.63.8.0/24 any eq telnet
  20 deny ip any any log
ip access-list copp-system-acl-ssh-deny
  10 permit tcp any any eq 22
Actual behavior: I can SSH from a completely different network, let's say
136.172.20.22, which is not on the allowed list.
Expected behavior: I should not be able to SSH from 136.172.20.22. The
traffic would match statement 20 in "copp-system-acl-telnet" and get to the
next class "copp-system-class-undesirable", where it should get dropped. Or
the traffic should match copp-system-acl-ssh-deny and get dropped.
Scenario 2: I removed the "deny ip any any" from "copp-system-acl-telnet":

ip access-list copp-system-acl-telnet
  10 permit tcp 129.63.8.0/24 any eq telnet
Expected behavior: I should not be able to SSH from 136.172.20.22.
Actual behavior: It works as expected. I can even see matches against the
class "copp-system-class-undesirable" when I do 'sh policy-map interface
control-plane'.
So I know the solution to my problem and I have fixed it by removing the
deny statement, but is this the way it is meant to behave? Otherwise I can
lodge a TAC case to see if they can see the same issue.
The hypothesis is that the deny statement in copp-system-acl-telnet is possibly
sending traffic to the default class or just sending the traffic straight
through. The reason I am saying it is possibly sending the traffic straight
through is scenario 3 below.
Scenario 3: I added the 'deny ip any any' statement again, and I added a few
classes above our SSH class and undesirable class so nothing can ever get to
the default class with the exception of our sneaky SSH traffic.
I can still SSH from outside networks and there are no matches whatsoever in
the default class. So what is the SSH traffic from 136.172.20.22 matching to
be allowed in?
ip access-list copp-system-acl-telnet
  10 permit tcp 129.63.8.0/24 any eq telnet
  20 deny ip any any

policy-map type control-plane copp-system-policy
  class copp-system-class-critical
    police cir 39600 kbps bc 375 ms conform transmit violate drop
  class copp-system-class-important
    police cir 1060 kbps bc 1500 ms conform transmit violate drop
  class copp-system-class-management
    police cir 10000 kbps bc 375 ms conform transmit violate drop
  class copp-system-class-undesirable
    police cir 32 kbps bc 375 ms conform drop violate drop
  class class-default
    police cir 100 kbps bc 375 ms conform transmit violate drop

class-map type control-plane match-any copp-system-class-important
  match access-group name copp-system-acl-glbp
  match access-group name copp-system-acl-hsrp
  match access-group name copp-system-acl-vrrp
  match access-group name copp-system-acl-icmp6-msgs
  match access-group name copp-system-acl-pim-reg
class-map type control-plane match-any copp-system-class-management
  match access-group name copp-system-acl-ftp
  match access-group name copp-system-acl-ntp
  match access-group name copp-system-acl-ntp6
  match access-group name copp-system-acl-radius
  match access-group name copp-system-acl-sftp
  match access-group name copp-system-acl-snmp
  match access-group name copp-system-acl-ssh
  match access-group name copp-system-acl-telnet
class-map type control-plane match-any copp-system-class-critical
  match access-group name copp-system-acl-bgp
  match access-group name copp-system-acl-bgp6
  match access-group name copp-system-acl-eigrp
  match access-group name copp-system-acl-igmp
  match access-group name copp-system-acl-msdp
  match access-group name copp-system-acl-ospf
  match access-group name copp-system-acl-ospf6
  match access-group name copp-system-acl-pim
  match access-group name copp-system-acl-pim6
  match access-group name copp-system-acl-rip
  match access-group name copp-system-acl-vpc
If my testing does not make sense, I can try explaining again.
Regards.
Shanawaz
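The following is an added example, not part of the original post and not Cisco's or the poster's code. It models the classification the poster expects from the scenario 1 policy, so that the expected verdict for any source/port can be checked offline and compared with what `show policy-map interface control-plane` counts on the box. The model is an assumption, not a statement about what NX-OS 4.2 actually does: each ACL is walked first-match, a `permit` hit classifies the packet into the match-any class-map, and a `deny` hit or no hit means that ACL does not classify the packet and evaluation continues with the next class in the policy-map. The destination address `10.0.0.1` stands in for the switch's own address (all posted ACLs use `any` as destination, so it never matters), the `SERVICE_PORTS` table resolves the `telnet` keyword, and scenario 2 is derived by deleting ACE 20 from the scenario 1 text.

```python
"""Offline model of the CoPP classification the poster expects (added example).

Assumed semantics (this is the model, not a claim about the N7K): first-match
ACE walk per ACL; a 'permit' hit classifies the packet into the match-any
class-map; a 'deny' hit or no hit means that ACL did not match, so the next
class in the policy-map is tried; class-default catches the rest.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SERVICE_PORTS = {"ssh": 22, "telnet": 23}  # keywords used in the posted ACLs

# Scenario 1 fragments copied from the post, used here as constructed test input.
CONFIG = """\
policy-map type control-plane copp-system-policy
  class copp-system-class-management
    police cir 10000 kbps bc 375 ms conform transmit violate drop
  class copp-system-class-undesirable
    police cir 32 kbps bc 375 ms conform drop violate drop
  class class-default
    police cir 100 kbps bc 375 ms conform transmit violate drop
class-map type control-plane match-any copp-system-class-management
  match access-group name copp-system-acl-ssh
  match access-group name copp-system-acl-telnet
class-map type control-plane match-any copp-system-class-undesirable
  match access-group name copp-system-acl-ssh-deny
ip access-list copp-system-acl-ssh
  10 permit tcp 129.63.8.0/24 any eq 22
ip access-list copp-system-acl-telnet
  10 permit tcp 129.63.8.0/24 any eq telnet
  20 deny ip any any log
ip access-list copp-system-acl-ssh-deny
  10 permit tcp any any eq 22
"""
# Scenario 2 of the post: same policy with ACE 20 removed from the telnet ACL.
SCENARIO_2 = CONFIG.replace("  20 deny ip any any log\n", "")


@dataclass
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: str               # "any" or a prefix
    dst: str
    dport: Optional[int]   # None when the ACE has no "eq" clause


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


ACE_RE = re.compile(r"^(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+eq\s+(\S+))?")


def parse_config(text):
    """Return (acls, class_maps, policy) from NX-OS style CoPP config text."""
    acls, cmaps, pmap = {}, {}, []
    section = None  # ("acl"|"cmap"|"pmap", name) for the block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ip access-list "):
            section = ("acl", line.split()[-1])
            acls[section[1]] = []
        elif line.startswith("class-map "):
            section = ("cmap", line.split()[-1])
            cmaps[section[1]] = []
        elif line.startswith("policy-map "):
            section = ("pmap", line.split()[-1])
        elif section is None:
            continue
        elif section[0] == "acl":
            m = ACE_RE.match(line)
            if m is None:
                raise ValueError("unparsed ACE: " + line)
            port = m.group(6)
            if port is not None:
                port = int(port) if port.isdigit() else SERVICE_PORTS[port]
            acls[section[1]].append(Ace(int(m.group(1)), m.group(2), m.group(3),
                                        m.group(4), m.group(5), port))
        elif section[0] == "cmap" and line.startswith("match access-group name "):
            cmaps[section[1]].append(line.split()[-1])
        elif section[0] == "pmap" and line.startswith("class "):
            pmap.append({"name": line.split()[1], "conform": None})
        elif section[0] == "pmap" and line.startswith("police "):
            words = line.split()
            pmap[-1]["conform"] = words[words.index("conform") + 1]
    return acls, cmaps, pmap


def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def acl_action(acl, pkt):
    """First-match walk: 'permit', 'deny', or None when no ACE matches (implicit deny)."""
    for ace in acl:
        if (ace.proto in ("ip", pkt.proto) and _addr_match(ace.src, pkt.src)
                and _addr_match(ace.dst, pkt.dst)
                and (ace.dport is None or ace.dport == pkt.dport)):
            return ace.action
    return None


def classify(pkt, acls, cmaps, pmap):
    """Walk policy-map classes in order; return (class name, conform action)."""
    for cls in pmap:
        if cls["name"] == "class-default":
            return cls["name"], cls["conform"]
        # match-any: one permitting ACL is enough; deny or no hit = ACL did not match
        if any(acl_action(acls[a], pkt) == "permit" for a in cmaps[cls["name"]]):
            return cls["name"], cls["conform"]
    return "class-default", "transmit"  # assumption: no class-default means pass-through


def verdict(src, dport=22, config=CONFIG, proto="tcp", dst="10.0.0.1"):
    """Expected class and conform action for a TCP flow from src to the switch."""
    acls, cmaps, pmap = parse_config(config)
    return classify(Packet(proto, src, dst, dport), acls, cmaps, pmap)


if __name__ == "__main__":
    for label, cfg in (("scenario 1", CONFIG), ("scenario 2", SCENARIO_2)):
        for src in ("129.63.8.10", "136.172.20.22"):
            print(f"{label}: ssh from {src:<14} -> {verdict(src, config=cfg)}")
```

Under this model the SSH attempt from 136.172.20.22 lands in copp-system-class-undesirable (conform drop) in both scenarios, which is the expected behavior stated in the post; the scenario 1 result observed on the switch is the deviation, and the class counters from `show policy-map interface control-plane` are the evidence to attach when raising it.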