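To protect against TCP SYN DoS attacks, bind the ACL-based TCP SYN rate-limiting policy to an interface. The policy map has no effect until it is bound: in the example below, `show policy-map detail` reports `Bound To:None` before the binding and `Bound To: Et 1/2(in)` after it.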
Prerequisite: you have already configured an extended Layer 3 ACL-based rate limit that matches TCP SYN packets (`acl1` in the example below).
device# configure terminal
device(config)# class-map aclFilter
device(config-classmap)# match access-group acl1
device(config-classmap)# end
device# show running-config class-map aclFilter
class-map aclFilter
 match access-group acl1
!
device(config)# policy-map policyAclFilter
device(config-policymap)# class aclFilter
device(config-policymap-class)# police cir 220000 cbs 50000 eir 36000 ebs 400000
device(config-policymap-class-police)# end
device# show policy-map detail policyAclFilter
Policy-Map policyAclFilter
  Class aclFilter
    Police cir 220000 cbs 50000 eir 36000 ebs 400000
  Bound To:None
device(config)# interface ethernet 1/2
device(conf-if-eth-1/2)# service-policy in policyAclFilter
2015/04/02-14:13:31, [SSMD-1405], 2511, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 configured on interface Ethernet 1/2 at Ingress by FbQos_9_11.
device(conf-if-eth-1/2)# end
device# show policy-map detail policyAclFilter
Policy-Map policyAclFilter
  Class aclFilter
    Police cir 220000 cbs 50000 eir 36000 ebs 400000
  Bound To: Et 1/2(in)
device# copy running-config startup-config
device# configure terminal
device(config)# class-map aclFilter
device(config-classmap)# match access-group acl1
device(config-classmap)# end
device# show running-config class-map aclFilter
device(config)# policy-map policyAclFilter
device(config-policymap)# class aclFilter
device(config-policymap-class)# police cir 220000 cbs 50000 eir 36000 ebs 400000
device(config-policymap-class-police)# end
device# show policy-map detail policyAclFilter
device(config)# interface ethernet 1/2
device(conf-if-eth-1/2)# service-policy in policyAclFilter
device(conf-if-eth-1/2)# end
device# show policy-map detail policyAclFilter
device# copy running-config startup-config