nexus line vty access-class

Unanswered Question
Apr 27th, 2010

Hi,

On NX-OS, it is not possible to enter the access-class command under line vty. Is there another way to restrict telnet / ssh users on Nexus devices?

Thank you.

Jerry Ye Tue, 04/27/2010 - 21:45

Assuming you are talking about the Nexus 7000. In order to control SSH to the vty like on IOS, you have to configure CoPP in the default VDC. There is an enhancement bug filed to correct this problem in a later release: CSCsq20638.

Here is an example that allows SSH to the Nexus from the 10.10.10.0/24 network:

ip access-list copp-system-acl-allow
  10 remark ### ALLOW SSH
  20 permit tcp 10.10.10.0/24 any eq 22
  30 remark ### ALLOW SNMP
  40 permit udp 10.10.20.0/24 any eq snmp
  ... (add entries for SNMP, NTP, TACACS+, etc. as needed)
ip access-list copp-system-acl-deny
  10 remark ### this is a catch-all to match any other traffic
  20 permit ip any any
class-map type control-plane match-any copp-system-class-management-allow
  match access-group name copp-system-acl-allow
class-map type control-plane match-any copp-system-class-management-deny
  match access-group name copp-system-acl-deny
policy-map type control-plane copp-system-policy
  class copp-system-class-management-allow
    police cir 60000 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-management-deny
    police cir 60000 kbps bc 250 ms conform drop violate drop
control-plane
  service-policy input copp-system-policy

HTH,

jerry
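The CoPP policy above works as a vty filter only because of class ordering: the allow class is evaluated first and transmits what it matches, and the catch-all deny class (an ACL that permits ip any any, bound to a policer that drops on conform) swallows everything else. That "everything else" includes any control-plane traffic you forgot to list, not just SSH from unwanted sources. The following is an added Python model of that first-match behaviour, written for this page and not code from the thread or from Cisco; it renders the two ACLs in the same shape as the posted config and reports which class a sample packet would land in. It assumes IPv4 only, that only permit entries are used for class matching (as in the post), and it does not model the cir/bc rate limiting; the sample packets are constructed for illustration.

```python
"""Model of the posted CoPP management allow/deny policy (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Well-known ports the post refers to by name or number (assumed mapping).
PORTS = {"ssh": 22, "snmp": 161, "ntp": 123, "tacacs": 49}


@dataclass
class Ace:
    proto: str                      # "tcp", "udp", or "ip" (any protocol)
    src: ipaddress.IPv4Network      # source prefix; 0.0.0.0/0 renders as "any"
    dport: Optional[int]            # None means any destination port
    remark: str

    def matches(self, proto: str, src: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.IPv4Address(src) not in self.src:
            return False
        return self.dport is None or self.dport == dport


def ace(proto: str, src: str, dport: Optional[int], remark: str) -> Ace:
    return Ace(proto, ipaddress.IPv4Network(src), dport, remark)


# Constructed allow list mirroring the thread's two entries; extend it with NTP,
# TACACS+, routing protocols, etc. or they will fall into the catch-all and be dropped.
ALLOW = [
    ace("tcp", "10.10.10.0/24", PORTS["ssh"], "ALLOW SSH"),
    ace("udp", "10.10.20.0/24", PORTS["snmp"], "ALLOW SNMP"),
]
# Catch-all exactly as posted: permit ip any any in an ACL bound to the drop class.
DENY = [ace("ip", "0.0.0.0/0", None, "this is a catch-all to match any other traffic")]


def render_acl(name: str, aces: list) -> str:
    """Emit the NX-OS access-list in the same layout as the post (remark then permit, step 10)."""
    lines = [f"ip access-list {name}"]
    seq = 10
    for a in aces:
        lines.append(f"  {seq} remark ### {a.remark}")
        seq += 10
        src = "any" if a.src.prefixlen == 0 else str(a.src)
        port = "" if a.dport is None else f" eq {a.dport}"
        lines.append(f"  {seq} permit {a.proto} {src} any{port}")
        seq += 10
    return "\n".join(lines)


def copp_class(proto: str, src: str, dport: Optional[int],
               allow=ALLOW, deny=DENY) -> str:
    """Return the CoPP class a control-plane packet falls into.

    Classes are evaluated in policy-map order and the first match wins, so the
    allow class (conform transmit) must precede the catch-all deny class
    (conform drop) for the policy to act as a default-drop vty filter.
    """
    if any(a.matches(proto, src, dport) for a in allow):
        return "copp-system-class-management-allow"   # police ... conform transmit
    if any(a.matches(proto, src, dport) for a in deny):
        return "copp-system-class-management-deny"    # police ... conform drop
    return "class-default"


if __name__ == "__main__":
    print(render_acl("copp-system-acl-allow", ALLOW))
    print(render_acl("copp-system-acl-deny", DENY))
    # Constructed sample packets: (protocol, source, destination port)
    for pkt in [("tcp", "10.10.10.5", 22),     # SSH from the permitted subnet
                ("tcp", "192.0.2.7", 22),      # SSH from elsewhere
                ("udp", "10.10.20.3", 161),    # SNMP from the permitted subnet
                ("tcp", "10.10.10.5", 179)]:   # BGP from a permitted host, but port not listed
        print(pkt, "->", copp_class(*pkt))
```

The last sample packet is the caveat worth checking before you apply this on a production switch: a BGP session from 10.10.10.5 is not SSH, so it misses the allow ACL and is dropped by the catch-all. Anything the control plane must receive (routing protocol peers, NTP, TACACS+, SNMP managers) needs its own permit entry in the allow ACL, ordered before the deny class. On the switch itself, `show policy-map interface control-plane` shows per-class conform and violate counters, so rising drops in the deny class after applying the policy are the signal that something legitimate was left out.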

Muhammed AKYUZ Tue, 04/27/2010 - 23:33

Hi,

Thanks for the answer, but control-plane does not show up under configure. I want to use this command under the VDC.

Jerry Ye Wed, 04/28/2010 - 05:36

Please look at bug ID CSCsq20638. Attaching an access-list under line vty is not an option right now; the workaround is to use CoPP.

Regards,

jerry

Jerry Ye Thu, 04/29/2010 - 15:02

If you want me to take a look, you can post it here. If you do post it, please put the output in a text file. Also, please indicate the host IP address you want to permit.

Regards,

jerry
