Jerry Ye Tue, 04/27/2010 - 21:45
User Badges:
  • Cisco Employee,

Assuming you are talking about the Nexus 7000, in order to control SSH to vty like IOS, you have to configure CoPP in the default VDC. There is an enhanced bug filed to correct this problem in a later release - CSCsq20638.

Here is an example to allow SSH to the Nexus from the network:

ip access-list copp-system-acl-allow
  10 remark ### ALLOW SSH
  20 permit tcp any any eq 22
  30 remark ### ALLOW SNMP
  40 permit udp any any eq snmp
  ... ... (to include snmp, NTP, TACACS+, etc)

ip access-list copp-system-acl-deny
  10 remark ### this is a catch-all to match any other traffic
  20 permit ip any any

class-map type control-plane match-any copp-system-class-management-allow
  match access-group name copp-system-acl-allow

class-map type control-plane match-any copp-system-class-management-deny
  match access-group name copp-system-acl-deny

policy-map type control-plane copp-system-policy
  class copp-system-class-management-allow
    police cir 60000 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-management-deny
    police cir 60000 kbps bc 250 ms conform drop violate drop

control-plane
  service-policy input copp-system-policy
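
The same CoPP policy narrowed so that only one management host can reach SSH and SNMP, which is what an access-class under line vty would do on IOS. This is an added example, not part of the original post; 192.0.2.10 is a placeholder for the host to permit.

```text
! Added example, not from the original post.
! 192.0.2.10 is a placeholder for the permitted management host.
ip access-list copp-system-acl-allow
  10 remark ### ALLOW SSH from the management host only
  20 permit tcp 192.0.2.10/32 any eq 22
  30 remark ### ALLOW SNMP from the management host only
  40 permit udp 192.0.2.10/32 any eq snmp
! Add further entries here for NTP, TACACS+ and anything else the
! supervisor must receive: whatever is not matched above falls through
! to the catch-all class below and is dropped.

ip access-list copp-system-acl-deny
  10 remark ### catch-all, now also matches SSH from every other source
  20 permit ip any any

class-map type control-plane match-any copp-system-class-management-allow
  match access-group name copp-system-acl-allow
class-map type control-plane match-any copp-system-class-management-deny
  match access-group name copp-system-acl-deny

policy-map type control-plane copp-system-policy
  class copp-system-class-management-allow
    police cir 60000 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-management-deny
    police cir 60000 kbps bc 250 ms conform drop violate drop

control-plane
  service-policy input copp-system-policy

! Verify from the default VDC: per-class conformed/violated counters
show policy-map interface control-plane
show ip access-lists copp-system-acl-allow
```

Apply it from a console session, because an SSH session from any source other than the permitted host is dropped as soon as the policy is attached.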



Muhammed AKYUZ Tue, 04/27/2010 - 23:33

Thanks for the answer, but control-plane does not come with configure. I want to use this command under the VDC.

Jerry Ye Wed, 04/28/2010 - 05:36
User Badges:
  • Cisco Employee,

Please look at bug ID CSCsq20638. Attaching an access list under line vty is not an option right now; the workaround is to use CoPP.



Jerry Ye Thu, 04/29/2010 - 15:02
User Badges:
  • Cisco Employee,

If you want me to take a look, you can post it here. If you do post it, please put the output in a text file. Also, please indicate the host IP address you want to permit.



