I manage a couple of Catalyst 6807-XL switches in a VSS configuration. They have the default "policy-default-autocopp" CoPP policy in place and I would like to restrict SSH access to specific subnets and limit connections to just a loopback address.
I have seen contradicting info on the correct way to create the ACL for this.
My question is: do I create the ACL as shown below, with the reverse logic of a traditional ACL, or am I doing this wrong for this platform?
class-map match-all class-copp-ssh
 match access-group name acl-copp-ssh
!
policy-map policy-default-autocopp
 class class-copp-ssh
  drop
!
ip access-list extended acl-copp-ssh
 10 deny tcp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq 22
 30 permit tcp any any eq 22
 40 deny ip any any
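As an added example (not part of the original post, and not Cisco code): a small Python model of how a CoPP class-map using "match access-group" classifies packets against the ACL above. On IOS CoPP, a packet is in the class only when the ACL permits it, so it receives the class action (here "drop"); a deny ACE, or the implicit deny at the end of the ACL, means the packet is not in this class and falls through to the next class in the policy-map. That is why the ACL reads backwards: deny exempts the trusted subnet, permit selects everything else for dropping. The sample packets, the hypothetical non-loopback address 10.2.2.2 and the source 172.16.5.5 are constructed for the demonstration.

```python
"""Model of CoPP 'match access-group' classification for the posted ACL.

Semantics modelled: ACL permit -> packet is in the class -> class action (drop);
ACL deny / implicit deny -> packet is not in the class -> falls through to the
next class in the policy-map. Only IPv4, tcp/ip protocols and 'eq <port>' on
the destination are handled, which is all the posted ACL uses.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The ACL exactly as written in the post (constructed copy for the model).
ACL_TEXT = """
10 deny tcp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq 22
30 permit tcp any any eq 22
40 deny ip any any
"""


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str          # "permit" or "deny"
    proto: str           # "ip" or "tcp"
    src_net: int
    src_wild: int        # Cisco wildcard mask: set bits are "don't care"
    dst_net: int
    dst_wild: int
    dport: Optional[int]  # destination port from 'eq', if present


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(text: str) -> List[Ace]:
    """Turn the running-config ACE lines into Ace objects, ordered by sequence."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        seq, action, proto = int(t[0]), t[1], t[2]
        src_net, src_wild, i = _parse_addr(t, 3)
        dst_net, dst_wild, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(seq, action, proto, src_net, src_wild,
                        dst_net, dst_wild, dport))
    return sorted(aces, key=lambda a: a.seq)


def _addr_match(addr: str, net: int, wild: int) -> bool:
    # Wildcard bits are ignored on both sides; remaining bits must be equal.
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return (_addr_match(pkt.src, ace.src_net, ace.src_wild)
            and _addr_match(pkt.dst, ace.dst_net, ace.dst_wild))


def acl_lookup(aces: List[Ace], pkt: Packet) -> Optional[Ace]:
    """First-match ACL evaluation; None models the implicit 'deny ip any any'."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace
    return None


def copp_result(aces: List[Ace], pkt: Packet) -> str:
    """'drop' if the packet lands in class-copp-ssh, else 'fall-through'."""
    ace = acl_lookup(aces, pkt)
    if ace is not None and ace.action == "permit":
        return "drop"
    return "fall-through"


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    samples = [  # constructed control-plane packets
        Packet("tcp", "192.168.1.10", "10.1.1.1", 22),   # trusted subnet -> loopback
        Packet("tcp", "172.16.5.5", "10.1.1.1", 22),     # untrusted source
        Packet("tcp", "192.168.1.10", "10.2.2.2", 22),   # trusted, but not the loopback
        Packet("tcp", "172.16.5.5", "10.1.1.1", 443),    # not SSH at all
    ]
    for p in samples:
        print(f"{p.proto} {p.src} -> {p.dst}:{p.dport}: {copp_result(acl, p)}")
```

Running it shows the intended outcome of the reverse logic: SSH from 192.168.1.0/24 to the loopback 10.1.1.1 falls through (not dropped), while SSH from any other source, or from the trusted subnet to any address other than the loopback, lands in class-copp-ssh and is dropped; non-SSH traffic hits the final "deny ip any any" and is left to the other classes of the default policy.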