Configuring and applying all four use cases for ACL-based traffic filtering

  1. Enter global configuration mode.
    device# configure terminal
    
  2. Create an ACL.
    device(config)# ip access-list extended acl1
    2015/04/02-13:22:39, [SSMD-1400], 2506, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 is created.
    
    The system message is generated when you create an ACL. If you are configuring an existing ACL, no message is generated.
  3. Configure the extended ACL to filter packets for which the sync (synchronize) flag is set.
    device(conf-ipacl-ext)# permit tcp any any sync
    2015/04/02-13:25:28, [SSMD-1404], 2507, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 10 is added.
    This step provides protection from TCP SYN attacks.
  4. Configure the extended ACL to filter packets for which the rst flag is set.
    device(conf-ipacl-ext)# permit tcp any any rst                                                                                                                  
    2015/04/02-13:26:48, [SSMD-1404], 2508, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 20 is added.
    
    This step provides protection from TCP RST attacks.
  5. Configure the extended ACL to filter ICMP packets.
    device(conf-ipacl-ext)# permit icmp any any
    2015/04/02-13:28:20, [SSMD-1404], 2509, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 30 is added.
    
    This step protects against ping flood attacks.
  6. Configure the extended ACL to filter UDP packets.
    device(conf-ipacl-ext)# permit udp any any
    2015/04/02-13:30:15, [SSMD-1404], 2510, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 40 is added.
    This step protects against UDP flood attacks.
  7. Return to global configuration mode.
    device(conf-ipacl-ext)# exit
    
  8. Verify the ACL.
    device(config)# do show running-config ip access-list extended acl1
    ip access-list extended acl1
     seq 10 permit tcp any any sync
     seq 20 permit tcp any any rst
     seq 30 permit icmp any any
     seq 40 permit udp any any
    !
    
  9. Create a class map.
    device(config)# class-map aclFilter
    
    The class map is used to classify the traffic; different match conditions, including an ACL, can be used to match the traffic properties.
  10. While in class map mode associate the class map with an ACL.
    device(config-classmap)# match access-group acl1
    
  11. Return to global configuration mode.
    device(config-classmap)# exit
    
  12. Verify the class map to ACL association.
    device(config)# do show running-config class-map aclFilter
    class-map aclFilter
     match access-group acl1
    ! 
    
  13. Create a policy map with a policer.
    device(config)# policy-map policyAclFilter
    
    A policy map is used to apply policer and QoS attributes to a particular interface.
  14. Associate a class map with the policy map.
    device(config-policymap)# class aclFilter
    
    Each policy map can have different class maps. Each class map in the policy map can be associated to separate policing and QoS parameters.
  15. Populate the class map policer parameters.
    device(config-policymap-class)# police cir 220000 cbs 50000 eir 36000 ebs 400000
    
    CIR and EIR are in increments of 22000 bps.
  16. Return to privileged EXEC mode.
    device(config-policymap-class-police)# end
    
  17. Verify the configuration.
    device# show policy-map detail policyAclFilter
    
    Policy-Map policyAclFilter
        Class aclFilter
          Police cir 220000 cbs 50000 eir 36000 ebs 400000
    
      Bound To:None
    
  18. Enter global configuration mode.
    device# configure terminal
    
  19. Enter interface configuration mode.
    device(config)# interface ethernet 1/2
    
  20. Bind the policy map to the port.
    device(conf-if-eth-1/2)# service-policy in policyAclFilter
    2015/04/02-14:13:31, [SSMD-1405], 2511, SW/device | Active | DCE, INFO, device, 
    IPv4 access list acl1 configured on interface Ethernet 1/2 at Ingress by FbQos_9_11.
    
  21. Return to privileged EXEC mode.
    device(conf-if-eth-1/2)# end
    
  22. Verify the configuration.
    device# show policy-map detail policyAclFilter
    
    Policy-Map policyAclFilter
        Class aclFilter
          Police cir 220000 cbs 50000 eir 36000 ebs 400000
    
      Bound To: Et 1/2(in)
    
  23. Save the configuration.
    device# copy running-config startup-config
    

ACL-based traffic filtering to protect from DoS attacks configuration example

device# configure terminal
device(config)# ip access-list extended acl1
device(conf-ipacl-ext)# permit tcp any any sync
device(conf-ipacl-ext)# permit tcp any any rst
device(conf-ipacl-ext)# permit icmp any any
device(conf-ipacl-ext)# permit udp any any
device(config)# do show running-config ip access-list extended acl1
device(config)# class-map aclFilter
device(config-classmap)# match access-group acl1
device(config-classmap)# exit
device(config)# do show running-config class-map aclFilter
device(config)# policy-map policyAclFilter
device(config-policymap)# class aclFilter
device(config-policymap-class)# police cir 220000 cbs 50000 eir 36000 ebs 400000
device(config-policymap-class-police)# end
device# show policy-map detail policyAclFilter
device# configure terminal
device(config)# interface ethernet 1/2
device(conf-if-eth-1/2)# service-policy in policyAclFilter
device(conf-if-eth-1/2)# end
device# show policy-map detail policyAclFilter
device# copy running-config startup-config