Configuring use case 3: Bind the ping flood attack ACL to an interface

To protect against ping flood DoS attacks, bind an extended Layer 3 ACL-based rate limit to filter ICMP packets and bind it to an interface.

Before you begin

You have configured an extended Layer 3 ACL-based rate limit to filter ICMP packets.

Procedure

  1. Enter global configuration mode. 
    device# configure terminal
  2. Create a class map. 
    device(config)# class-map aclFilter
    The class map is used to classify the traffic; different match conditions, including an ACL, can be used to match the traffic properties.
  3. While in class map mode associate the class map with an ACL. 
    device(config)# match access-group acl1
    The class map is used to classify the traffic; different match conditions, including an ACL, can be used to match the traffic properties.
  4. Return to privileged EXEC mode. 
    device(config-classmap)# end
  5. Verify the class map to ACL association. 
    device# show running-config class-map aclFilter
 class-map aclFilter
  match access-group acl1
!
  6. Create a policy map with a policer. 
    device(config)# policy-map policyAclFilter
    A policy map is used to apply policer and QoS attributes to a particular interface.
  7. Associate a class map with the policy map. 
    device(config-policymap)# class aclFilter
    Each policy map can have different class maps. Each class map in the policy map can be associated to separate policing and QoS parameters.
  8. Populate the class map policer parameters. 
    device(config-policymap-class)# police cir 220000 cbs 50000 eir 36000 ebs 400000
    CIR and EIR are in increments of 22000 bps.
  9. Return to privileged EXEC mode. 
    device(config-policymap-class-police)# end
  10. Verify the configuration. 
    device# show policy-map detail policyAclFilter

Policy-Map policyAclFilter
    Class aclFilter
      Police cir 22000 cbs 50000 eir 36000 ebs 400000

  Bound To:None
  11. Enter interface configuration mode. 
    device(config)# interface ethernet 1/2
  12. Bind the policy map to the port. 
    device(conf-if-eth-1/2)# service-policy in policyAclFilter
2015/04/02-14:13:31, [SSMD-1405], 2511, SW/device | Active | DCE, INFO, device, IPv4 access list
acl1 configured on interface Ethernet 1/2 at Ingress by FbQos_9_11.
  13. Return to privileged EXEC mode. 
    device(conf-if-eth-1/2)# end
  14. Verify the configuration. 
    device# show policy-map detail policyAclFilter
Policy-Map policyAclFilter
 Class aclFilter
 Police cir 220000 cbs 50000 eir 36000 ebs 400000
 Bound To: Et 1/2(in)
  15. Save the configuration. 
    device# copy running-config startup-config

ACL-based protection against ping attacks applied to an interface configuration example

device# configure terminal
device(config)# class-map aclFilter
device(config)# match access-group acl1
device(config-classmap)# end
device# show running-config class-map aclFilter
device(config)# policy-map policyAclFilter
device(config-policymap)# class aclFilter
device(config-policymap-class)# police cir 220000 cbs 50000 eir 36000 ebs 400000
device(config-policymap-class-police)# end
device# show policy-map detail policyAclFilter
device(config)# interface ethernet 1/2
device(conf-if-eth-1/2)# service-policy in policyAclFilter
device(conf-if-eth-1/2)# end 
device# show policy-map detail policyAclFilter
device# copy running-config startup-config
9037573-00 Rev AA