Configuring use case 3: Bind the ping flood attack ACL to an interface

To protect against ping flood DoS attacks, create an extended Layer 3 ACL-based rate limit that filters ICMP packets and bind it to an interface.

Before you begin

You have configured an extended Layer 3 ACL-based rate limit to filter ICMP packets.

Procedure

  1. Enter global configuration mode.
    device# configure terminal
    
  2. Create a class map.
    device(config)# class-map aclFilter
    
    The class map is used to classify the traffic; different match conditions, including an ACL, can be used to match the traffic properties.
  3. While in class map mode associate the class map with an ACL.
    device(config-classmap)# match access-group acl1
    
  4. Return to privileged EXEC mode.
    device(config-classmap)# end
    
  5. Verify the class map to ACL association.
    device# show running-config class-map aclFilter
     class-map aclFilter
      match access-group acl1
    !
    
  6. Create a policy map with a policer.
    device(config)# policy-map policyAclFilter
    
    A policy map is used to apply policer and QoS attributes to a particular interface.
  7. Associate a class map with the policy map.
    device(config-policymap)# class aclFilter
    
    Each policy map can have different class maps. Each class map in the policy map can be associated to separate policing and QoS parameters.
  8. Populate the class map policer parameters.
    device(config-policymap-class)# police cir 220000 cbs 50000 eir 36000 ebs 400000
    
    CIR and EIR are in increments of 22000 bps.
  9. Return to privileged EXEC mode.
    device(config-policymap-class-police)# end
    
  10. Verify the configuration.
    device# show policy-map detail policyAclFilter
    
    Policy-Map policyAclFilter
        Class aclFilter
          Police cir 220000 cbs 50000 eir 36000 ebs 400000
    
      Bound To: None
    
  11. Enter interface configuration mode.
    device(config)# interface ethernet 1/2
    
  12. Bind the policy map to the port.
    device(conf-if-eth-1/2)# service-policy in policyAclFilter
    2015/04/02-14:13:31, [SSMD-1405], 2511, SW/device | Active | DCE, INFO, device, IPv4 access list
    acl1 configured on interface Ethernet 1/2 at Ingress by FbQos_9_11.
    
  13. Return to privileged EXEC mode.
    device(conf-if-eth-1/2)# end
    
  14. Verify the configuration.
    device# show policy-map detail policyAclFilter
    Policy-Map policyAclFilter
     Class aclFilter
     Police cir 220000 cbs 50000 eir 36000 ebs 400000
     Bound To: Et 1/2(in)
    
  15. Save the configuration.
    device# copy running-config startup-config
    

ACL-based protection against ping attacks applied to an interface configuration example

device# configure terminal
device(config)# class-map aclFilter
device(config-classmap)# match access-group acl1
device(config-classmap)# end
device# show running-config class-map aclFilter
device(config)# policy-map policyAclFilter
device(config-policymap)# class aclFilter
device(config-policymap-class)# police cir 220000 cbs 50000 eir 36000 ebs 400000
device(config-policymap-class-police)# end
device# show policy-map detail policyAclFilter
device(config)# interface ethernet 1/2
device(conf-if-eth-1/2)# service-policy in policyAclFilter
device(conf-if-eth-1/2)# end
device# show policy-map detail policyAclFilter
device# copy running-config startup-config
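The two verification steps above (show policy-map detail before and after the service-policy binding) are easy to misread by eye. As an added example, not part of this documentation or the device software, the following Python script parses that output and reports any drift from the intended policer values and interface binding; the sample output strings are constructed from the steps above, and the regular expressions assume the output layout shown on this page.

```python
import re

# Constructed samples of `show policy-map detail` output, modelled on steps 10
# and 14 above (before and after binding the policy map to Ethernet 1/2).
BEFORE_BIND = """\
Policy-Map policyAclFilter
    Class aclFilter
      Police cir 220000 cbs 50000 eir 36000 ebs 400000

  Bound To: None
"""

AFTER_BIND = """\
Policy-Map policyAclFilter
 Class aclFilter
 Police cir 220000 cbs 50000 eir 36000 ebs 400000
 Bound To: Et 1/2(in)
"""

# Patterns assume the layout shown on this page (assumption, not a device API).
POLICE_RE = re.compile(r"Police\s+cir\s+(\d+)\s+cbs\s+(\d+)\s+eir\s+(\d+)\s+ebs\s+(\d+)", re.I)
CLASS_RE = re.compile(r"^\s*Class\s+(\S+)", re.M)
BOUND_RE = re.compile(r"Bound To:\s*(.+?)\s*$", re.M)


def parse_policy_map(text):
    """Return {class, cir, cbs, eir, ebs, bound} from show output, or None if unparsable."""
    cls, pol, bound = CLASS_RE.search(text), POLICE_RE.search(text), BOUND_RE.search(text)
    if not (cls and pol and bound):
        return None
    cir, cbs, eir, ebs = (int(x) for x in pol.groups())
    raw = bound.group(1).strip()
    bindings = [] if raw.lower() == "none" else [b.strip() for b in raw.split(",")]
    return {"class": cls.group(1), "cir": cir, "cbs": cbs, "eir": eir, "ebs": ebs, "bound": bindings}


def check_policer(text, expect_class, expect_rates, expect_binding):
    """Compare parsed output with the intended configuration; an empty list means OK."""
    parsed = parse_policy_map(text)
    if parsed is None:
        return ["could not parse policy-map output"]
    findings = []
    if parsed["class"] != expect_class:
        findings.append(f"class map is {parsed['class']}, expected {expect_class}")
    for key, want in expect_rates.items():
        if parsed[key] != want:
            findings.append(f"{key} is {parsed[key]}, expected {want}")
    if expect_binding not in parsed["bound"]:
        findings.append(f"not bound to {expect_binding} (bound: {parsed['bound'] or 'none'})")
    return findings
```

Run check_policer on the captured output of step 14 with the values from step 8; a non-empty result means the policer on the port is not the one intended.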