Router# configure terminal

Router(config)#ip access-list extended webserver10

Router(config-ext-nacl)#deny tcp any host eq telnet

Router(config-ext-nacl)#permit ip any any


You can define ACLs without applying them. However, the ACLs will have no effect until they are applied to the router’s interface.  Applying the ACL to the serial0 Interface

Router(config)#interface serial0

Router(config-if)# ip access-group webserver2 in

IP ACLs filter IP traffic destined for SNMP

Simple Network Management Protocol (SNMP) is widely used for router monitoring and configuration changes. If not configured properly, SNMP could provide a wealth of information about the device to intruders running SNMP discovery tools.

Configure the filter which only allows SNMP access to specific hosts.

Router(config)#access-list 20 remark SNMP ACL

Router(config)#access-list 20 permit

Router(config)#access-list 20 deny any log


Configure SNMP to have READ-ONLY access and treat the COMMUNITY string as a password – keep it difficult to guess.

Router(config)#snmp-server community RO 20

IP ACLs to mitigate the DDOS attack

A DoS attack is designed to deny user access to systems or networks. These attacks usually target specific services and attempt to overwhelm them by making numerous requests concurrently. If a system is not protected and cannot react to a DoS attack, it can be easy to overwhelm that system by running scripts that generate multiple requests. It is possible to greatly increase the magnitude of a DoS attack by launching the attack from multiple systems against a single target. This practice is referred to as a DDoS attack.

Use CAR to rate limit ICMP packets.

interface xy

rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop

access-list 2020 permit icmp any any echo-reply


Configure rate limiting for SYN packets.

Router(config)#access-list 152 permit tcp any host eq www

Router(config)#access-list 153 permit tcp any host eq www established

interface {int}

rate-limit output access-group 153 45000000 100000 100000  conform-action transmit exceed-action drop

rate-limit output access-group 152 1000000 100000 100000  conform-action transmit exceed-action drop

In the above example, replace:

45000000 with the maximum link bandwidth 1000000 with a value that is between 50% and 30% of the SYN flood rate burst normal and burst max rates with accurate values.

Note; that if you set the burst rate greater than 30%, many legitimate SYNs may be dropped. To get an idea of where to set the burst rate, use the show interfaces rate-limit command to display the conformed and exceeded rates for the interface. Your objective is to rate-limit the SYNs as little as necessary to get things working again.

Verify an IP ACL

Router#sh ip access-lists ?

      Access list number

  Access list number (expanded range)

WORD         Access list name

dynamic      List dynamic IP access lists

|      Output modifiers