Configuring use case 1: Protection against TCP SYN attacks

  1. Enter global configuration mode.
    device# configure terminal
    
  2. Create an extended IP ACL.
    device(config)# ip access-list extended acl1
    2015/04/01-13:18:15, [SSMD-1400], 2315, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 is created.
    
    The system message is generated when you create an ACL. If you are configuring an existing ACL, no message is generated.
  3. Add a rule to the extended ACL that permits TCP traffic from any source to any destination, matching only packets that have the sync (synchronize) flag set.
    device(conf-ipacl-ext)# permit tcp any any sync
    2015/04/01-13:22:16, [SSMD-1404], 2316, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 10 is added.
    
  4. Return to privileged EXEC mode.
    device(conf-ipacl-ext)# end
    
  5. Verify the ACL.
    device# show running-config ip access-list extended acl1
    ip access-list extended acl1
     seq 10 permit tcp any any sync
     

Protection against TCP SYN attacks - ACL configuration example

device# configure terminal
device(config)# ip access-list extended acl1
device(conf-ipacl-ext)# permit tcp any any sync
device(conf-ipacl-ext)# end
device# show running-config ip access-list extended acl1
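
The following Python script is an added example, not part of the vendor documentation. It parses the two system messages shown in steps 2 and 3 and the step 5 output, then lists any ACL rule in the running configuration that has no matching rule-added message. The function names are hypothetical, and the message layout is assumed to be exactly as in the samples above.

```python
import re
from datetime import datetime

# Constructed sample input: the system messages from steps 2 and 3.
SAMPLE_LOG = """\
2015/04/01-13:18:15, [SSMD-1400], 2315, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 is created.
2015/04/01-13:22:16, [SSMD-1404], 2316, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 10 is added.
"""

# Constructed sample input: the verification output from step 5.
SAMPLE_CONFIG = """\
ip access-list extended acl1
 seq 10 permit tcp any any sync
"""

HEADER = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}), \[(?P<id>[A-Z]+-\d+)\], \d+, (?P<rest>.*)$")
CREATED = re.compile(r"IPv4 access list (\S+) is created\.$")
RULE_ADDED = re.compile(r"IPv4 access list (\S+) rule sequence number (\d+) is added\.$")

def parse_events(log_text):
    """Return ACL events; an existing ACL yields no 'acl_created' event."""
    events = []
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not a system message in the assumed layout
        ts = datetime.strptime(m["ts"], "%Y/%m/%d-%H:%M:%S")
        if m["id"] == "SSMD-1400" and (c := CREATED.search(m["rest"])):
            events.append({"time": ts, "action": "acl_created", "acl": c[1], "rule": None})
        elif m["id"] == "SSMD-1404" and (r := RULE_ADDED.search(m["rest"])):
            events.append({"time": ts, "action": "rule_added", "acl": r[1], "rule": int(r[2])})
    return events

def parse_config(config_text):
    """Map ACL name -> {sequence number: rule text} from the step 5 output."""
    acls, current = {}, None
    for line in config_text.splitlines():
        s = line.strip()
        if m := re.match(r"ip access-list extended (\S+)$", s):
            current = acls.setdefault(m[1], {})
        elif current is not None and (m := re.match(r"seq (\d+) (.+)$", s)):
            current[int(m[1])] = m[2]
    return acls

def unlogged_rules(log_text, config_text):
    """Rules present in the configuration with no rule-added message."""
    logged = {(e["acl"], e["rule"]) for e in parse_events(log_text) if e["action"] == "rule_added"}
    return sorted((acl, seq, text) for acl, rules in parse_config(config_text).items()
                  for seq, text in rules.items() if (acl, seq) not in logged)
```

An empty result from `unlogged_rules(SAMPLE_LOG, SAMPLE_CONFIG)` means every configured rule is accounted for in the collected messages.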