Configuring and applying all four use cases for ACL-based traffic filtering

  1. Enter global configuration mode. 
    device# configure terminal
  2. Create an ACL. 
    device(config)# ip access-list extended acl1
2015/04/02-13:22:39, [SSMD-1400], 2506, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 is created.
    The system message is generated when you create an ACL. If you are configuring an existing ACL, no message is generated.
  3. Configure the extended ACL to filter packets for which the sync (synchronize) flag is set. 
    device(conf-ipacl-ext)# permit tcp any any sync
2015/04/02-13:25:28, [SSMD-1404], 2507, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 10 is added.
    This step provides protection from TCP SYN attacks.
  4. Configure the extended ACL to filter packets for which the rst flag is set. 
    device(conf-ipacl-ext)# permit tcp any any rst                                                                                                                  
2015/04/02-13:26:48, [SSMD-1404], 2508, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 20 is added.
    This step provides protection from TCP RST attacks.
  5. Configure the extended ACL to filter ICMP packets. 
    device(conf-ipacl-ext)# permit icmp any any
2015/04/02-13:28:20, [SSMD-1404], 2509, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 30 is added.
    This step protects against ping flood attacks.
  6. Configure the extended ACL to filter UDP packets. 
    device(conf-ipacl-ext)# permit udp any any
2015/04/02-13:30:15, [SSMD-1404], 2510, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 40 is added.
    This step protects against UDP flood attacks.
  7. Return to global configuration mode. 
    device(conf-ipacl-ext)# exit
  8. Verify the ACL. 
    device(config)# do show running-config ip access-list extended acl1
ip access-list extended acl1
 seq 10 permit tcp any any sync
 seq 20 permit tcp any any rst
 seq 30 permit icmp any any
 seq 40 permit udp any any
!
  9. Create a class map. 
    device(config)# class-map aclFilter
    The class map is used to classify the traffic; different match conditions, including an ACL, can be used to match the traffic properties.
  10. While in class map mode associate the class map with an ACL. 
    device(config-classmap)# match access-group acl1
  11. Return to global configuration mode. 
    device(config-classmap)# exit
  12. Verify the class map to ACL association. 
    device(config)# do show running-config class-map aclFilter
class-map aclFilter
 match access-group acl1
!
  13. Create a policy map with a policer. 
    device(config)# policy-map policyAclFilter
    A policy map is used to apply policer and QoS attributes to a particular interface.
  14. Associate a class map with the policy map. 
    device(config-policymap)# class aclFilter
    Each policy map can have different class maps. Each class map in the policy map can be associated to separate policing and QoS parameters.
  15. Populate the class map policer parameters. 
    device(config-policymap-class)# police cir 220000 cbs 50000 eir 36000 ebs 400000
    CIR and EIR are in increments of 22000 bps.
  16. Return to privileged EXEC mode. 
    device(config-policymap-class-police)# end
  17. Verify the configuration. 
    device# show policy-map detail policyAclFilter

Policy-Map policyAclFilter
    Class aclFilter
      Police cir 220000 cbs 50000 eir 36000 ebs 400000

  Bound To:None
  18. Enter global configuration mode. 
    device# configure terminal
  19. Enter interface configuration mode. 
    device(config)# interface ethernet 1/2
  20. Bind the policy map to the port. 
    device(conf-if-eth-1/2)# service-policy in policyAclFilter
2015/04/02-14:13:31, [SSMD-1405], 2511, SW/device | Active | DCE, INFO, device, 
IPv4 access list acl1 configured on interface Ethernet 1/2 at Ingress by FbQos_9_11.
  21. Return to privileged EXEC mode. 
    device(conf-if-eth-1/2)# end
  22. Verify the configuration. 
    device# show policy-map detail policyAclFilter

Policy-Map policyAclFilter
    Class aclFilter
      Police cir 220000 cbs 50000 eir 36000 ebs 400000

  Bound To: Et 1/2(in)
  23. Save the configuration. 
    device# copy running-config startup-config

ACL-based traffic filtering to protect from DoS attacks configuration example

device# configure terminal
device(config)# ip access-list extended acl1
device(conf-ipacl-ext)# permit tcp any any sync
device(conf-ipacl-ext)# permit tcp any any rst
device(conf-ipacl-ext)# permit icmp any any
device(conf-ipacl-ext)# permit udp any any
device(config)# do show running-config ip access-list extended acl1
device(config)# class-map aclFilter
device(config-classmap)# match access-group acl1
device(config-classmap)# exit
device(config)# do show running-config class-map aclFilter
device(config)# policy-map policyAclFilter
device(config-policymap)# class aclFilter
device(config-policymap-class)# police cir 220000 cbs 50000 eir 36000 ebs 400000
device(config-policymap-class-police)# end
device# show policy-map detail policyAclFilter
device# configure terminal
device(config)# interface ethernet 1/2
device(conf-if-eth-1/2)# service-policy in policyAclFilter
device(conf-if-eth-1/2)# end
device# show policy-map detail policyAclFilter
device# copy running-config startup-config
9038049-00 Rev AA