04-27-2010 09:16 AM - edited 03-06-2019 10:49 AM
Hi,
On NX-OS it is not possible to enter the access-class command under line vty. Is there another way to restrict telnet / ssh users on Nexus devices?
Thank you.
04-27-2010 09:45 PM
Assuming you are talking about the Nexus 7000. In order to control SSH to the vty like in IOS, you have to configure CoPP in the default VDC. There is an enhancement bug filed to correct this problem in a later release - CSCsq20638.
Here is an example to allow ssh to the Nexus from the 10.10.10.0/24 network:

ip access-list copp-system-acl-allow
  10 remark ### ALLOW SSH
  20 permit tcp 10.10.10.0/24 any eq 22
  30 remark ### ALLOW SNMP
  40 permit udp 10.10.20.0/24 any eq snmp
  ...
ip access-list copp-system-acl-deny
  10 remark ### this is a catch-all to match any other traffic
  20 permit ip any any
class-map type control-plane match-any copp-system-class-management-allow
  match access-group name copp-system-acl-allow
class-map type control-plane match-any copp-system-class-management-deny
  match access-group name copp-system-acl-deny
policy-map type control-plane copp-system-policy
  class copp-system-class-management-allow
    police cir 60000 kbps bc 250 ms conform transmit violate drop
  class copp-system-class-management-deny
    police cir 60000 kbps bc 250 ms conform drop violate drop
control-plane
  service-policy input copp-system-policy
HTH,
jerry
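The following is an added model of how the posted CoPP policy classifies a management packet; it is not Cisco's code nor jerry's configuration. It assumes the ACLs are evaluated top-down, first match wins, the allow class is checked before the catch-all deny class (as in the policy above), and SNMP is represented by UDP port 161. The constructed ACE list mirrors the two permit entries in the post, so you can see that SSH from 10.10.10.0/24 is transmitted while the same host's SNMP, or SSH from any other prefix, falls into the deny class and is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    """One permit entry of an NX-OS IP access list (constructed model)."""
    seq: int
    proto: str                      # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dport: Optional[int] = None     # None means any destination port


# Constructed mirror of copp-system-acl-allow from the post above.
ALLOW_ACL: List[Ace] = [
    Ace(20, "tcp", ipaddress.ip_network("10.10.10.0/24"), 22),
    Ace(40, "udp", ipaddress.ip_network("10.10.20.0/24"), 161),
]


def first_match(acl: List[Ace], src_ip: str, proto: str, dport: int) -> Optional[int]:
    """Return the sequence number of the first matching ACE, or None.
    NX-OS evaluates ACEs in sequence order and stops at the first hit."""
    ip = ipaddress.ip_address(src_ip)
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ip not in ace.src:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.seq
    return None


def copp_action(src_ip: str, proto: str, dport: int) -> str:
    """Model the two-class policy: a hit on the allow ACL lands in the class
    policed with 'conform transmit'; anything else matches the catch-all
    deny ACL (permit ip any any) whose class is 'conform drop'."""
    hit = first_match(ALLOW_ACL, src_ip, proto, dport)
    return "transmit" if hit is not None else "drop"


def render_acl(name: str, aces: List[Ace]) -> str:
    """Render the model back into NX-OS access-list syntax (numeric ports)."""
    lines = [f"ip access-list {name}"]
    for ace in sorted(aces, key=lambda a: a.seq):
        port = f" eq {ace.dport}" if ace.dport is not None else ""
        lines.append(f"  {ace.seq} permit {ace.proto} {ace.src} any{port}")
    return "\n".join(lines)
```

Because the deny class drops everything not explicitly permitted, every protocol the control plane must still accept (routing adjacencies, NTP, SNMP) needs its own entry in the allow ACL before the policy is applied.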
04-27-2010 11:33 PM
Hi,
Thanks for the answer, but the control-plane command is not available under configure. I want to use this command under the VDC.
04-28-2010 05:36 AM
Please look at bug ID CSCsq20638. Attaching an access-list under line vty is not an option right now; the workaround is to use CoPP.
Regards,
jerry
04-29-2010 02:56 PM
I've got the same issue. I have used the configuration you supplied and I still don't have any luck with this. I don't actually see the traffic hit my access-list. Am I doing something wrong here? I can paste the configuration, but it's going to look suspiciously like what you put out there.
04-29-2010 03:02 PM
If you want me to take a look, you can post it here. If you do post it, please put the output in a text file. Also, please indicate the host IP address you want to permit.
Regards,
jerry
04-29-2010 04:49 PM
OK, I will go in and grab the config here in a second. While I am doing that, can you tell me if the control-plane policing will affect traffic sent to the management interface? The reason I ask is that the only way I can get to this switch is via the management interface.