Configuring and applying all four use cases for ACL-based traffic filtering

Follow these steps to apply ACLs for traffic filtering.

Procedure

  1. Enter global configuration mode.
    device# configure terminal
    
  2. Create an ACL.
    device(config)# ip access-list extended acl1
    2015/04/02-13:22:39, [SSMD-1400], 2506, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 is created.
    
    The system message is generated when you create an ACL. If you are configuring an existing ACL, no message is generated.
  3. Configure the extended ACL to filter packets for which the sync (synchronize) flag is set.
    device(conf-ipacl-ext)# permit tcp any any sync
    2015/04/02-13:25:28, [SSMD-1404], 2507, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 10 is added.
    
    This step classifies TCP SYN packets so that the policer applied later in this procedure can rate-limit them, which provides protection from TCP SYN attacks.
  4. Configure the extended ACL to filter packets for which the rst flag is set.
    device(conf-ipacl-ext)# permit tcp any any rst
    2015/04/02-13:26:48, [SSMD-1404], 2508, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 20 is added.
    
    This step provides protection from TCP RST attacks.
  5. Configure the extended ACL to filter ICMP packets.
    device(conf-ipacl-ext)# permit icmp any any
    2015/04/02-13:28:20, [SSMD-1404], 2509, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 30 is added.
    
    This step protects against ping flood attacks.
  6. Configure the extended ACL to filter UDP packets.
    device(conf-ipacl-ext)# permit udp any any
    2015/04/02-13:30:15, [SSMD-1404], 2510, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 40 is added.
    
    This step protects against UDP flood attacks.
  7. Return to global configuration mode.
    device(conf-ipacl-ext)# exit
    
  8. Verify the ACL.
    device(config)# do show running-config ip access-list extended acl1
    ip access-list extended acl1
     seq 10 permit tcp any any sync
     seq 20 permit tcp any any rst
     seq 30 permit icmp any any
     seq 40 permit udp any any
    !
    
  9. Create a class map.
    device(config)# class-map aclFilter
    
    The class map is used to classify the traffic; different match conditions, including an ACL, can be used to match the traffic properties.
  10. While in class map mode, associate the class map with an ACL.
    device(config-classmap)# match access-group acl1
    
  11. Return to global configuration mode.
    device(config-classmap)# exit
    
  12. Verify the class map to ACL association.
    device(config)# do show running-config class-map aclFilter
    class-map aclFilter
     match access-group acl1
    !
    
  13. Create a policy map with a policer.
    device(config)# policy-map policyAclFilter
    
    A policy map is used to apply policer and QoS attributes to a particular interface.
  14. Associate a class map with the policy map.
    device(config-policymap)# class aclFilter
    
    Each policy map can have different class maps. Each class map in the policy map can be associated to separate policing and QoS parameters.
  15. Populate the class map policer parameters.
    device(config-policymap-class)# police cir 220000 cbs 50000 eir 36000 ebs 400000
    
    CIR and EIR are in increments of 22000 bps.
  16. Return to privileged EXEC mode.
    device(config-policymap-class-police)# end
    
  17. Verify the configuration.
    device# show policy-map detail policyAclFilter
    
    Policy-Map policyAclFilter
        Class aclFilter
          Police cir 220000 cbs 50000 eir 36000 ebs 400000
    
      Bound To:None
    
  18. Enter global configuration mode.
    device# configure terminal
    
  19. Enter interface configuration mode.
    device(config)# interface ethernet 1/2
    
  20. Bind the policy map to the port.
    device(conf-if-eth-1/2)# service-policy in policyAclFilter
    2015/04/02-14:13:31, [SSMD-1405], 2511, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 configured on interface Ethernet 1/2 at Ingress by FbQos_9_11.
    
  21. Return to privileged EXEC mode.
    device(conf-if-eth-1/2)# end
    
  22. Verify the configuration.
    device# show policy-map detail policyAclFilter
    
    Policy-Map policyAclFilter
        Class aclFilter
          Police cir 220000 cbs 50000 eir 36000 ebs 400000
    
      Bound To: Et 1/2(in)
    
  23. Save the configuration.
    device# copy running-config startup-config
    

ACL-based traffic filtering to protect from DoS attacks configuration example

device# configure terminal
device(config)# ip access-list extended acl1
device(conf-ipacl-ext)# permit tcp any any sync
device(conf-ipacl-ext)# permit tcp any any rst
device(conf-ipacl-ext)# permit icmp any any
device(conf-ipacl-ext)# permit udp any any
device(conf-ipacl-ext)# exit
device(config)# do show running-config ip access-list extended acl1
device(config)# class-map aclFilter
device(config-classmap)# match access-group acl1
device(config-classmap)# exit
device(config)# do show running-config class-map aclFilter
device(config)# policy-map policyAclFilter
device(config-policymap)# class aclFilter
device(config-policymap-class)# police cir 220000 cbs 50000 eir 36000 ebs 400000
device(config-policymap-class-police)# end
device# show policy-map detail policyAclFilter
device# configure terminal
device(config)# interface ethernet 1/2
device(conf-if-eth-1/2)# service-policy in policyAclFilter
device(conf-if-eth-1/2)# end
device# show policy-map detail policyAclFilter
device# copy running-config startup-config
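An added example, not part of the original procedure or of the device software: a small Python audit that parses running-config output like the fragments verified in steps 8, 12, 17 and 22 and checks that the interface's ingress service-policy chains through a policed class map to an ACL covering all four traffic types (TCP SYN, TCP RST, ICMP, UDP). The assembled config text, its exact layout and the function names are assumptions.

```python
# Constructed sample: the fragments verified above, joined as one running-config (assumed layout).
RUNNING_CONFIG = """\
ip access-list extended acl1
 seq 10 permit tcp any any sync
 seq 20 permit tcp any any rst
 seq 30 permit icmp any any
 seq 40 permit udp any any
class-map aclFilter
 match access-group acl1
policy-map policyAclFilter
 class aclFilter
  police cir 220000 cbs 50000 eir 36000 ebs 400000
interface Ethernet 1/2
 service-policy in policyAclFilter
"""
REQUIRED = {"tcp sync", "tcp rst", "icmp", "udp"}   # the four flood types the ACL must classify

def parse_blocks(text):
    """Group indented config lines under their top-level header; "!" or blank lines close a block."""
    blocks, header = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and header:
            blocks[header].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            header = line.strip()
            blocks[header] = []
        else:
            header = None
    return blocks

def audit_dos_filter(text, interface):
    """Follow interface -> policy-map -> class-map -> ACL; return a list of findings (empty = intact)."""
    b, findings = parse_blocks(text), []
    svc = [l.split()[-1] for l in b.get(interface, []) if l.startswith("service-policy in ")]
    if not svc:
        return [f"{interface}: no ingress service-policy bound"]
    pmap = b.get("policy-map " + svc[0], [])
    for i, l in enumerate(pmap):
        if not l.startswith("class "):
            continue
        cls = l.split()[1]                       # a "police" line should directly follow the class
        if i + 1 == len(pmap) or not pmap[i + 1].startswith("police "):
            findings.append(f"class {cls}: no policer, matched traffic is not rate-limited")
        for acl in [m.split()[-1] for m in b.get("class-map " + cls, []) if m.startswith("match access-group ")]:
            seen = set()
            for rule in b.get("ip access-list extended " + acl, []):
                t = rule.split()                 # seq N permit PROTO SRC DST [FLAG]
                if len(t) >= 6 and t[2] == "permit":
                    seen.add(t[3] + (" " + t[6] if len(t) > 6 else ""))
            findings += [f"acl {acl}: no rule matching {x} traffic" for x in sorted(REQUIRED - seen)]
    return findings
```

Running `audit_dos_filter(RUNNING_CONFIG, "interface Ethernet 1/2")` on the sample returns an empty list; removing the `police` line or one of the four ACL rules produces a finding naming the gap.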