Use the ip access-control-list command to enter the configuration mode of an ACL. For example:
Gxxx-001(super)# ip access-control-list 301
Use the ip-rule command to enter the configuration mode of an ACL rule. For example:
Gxxx-001(super)# ip-rule 1
Use the dos-classification command to configure the name of the DoS attack classification. Possible values are: fraggle, smurf, ip-spoofing, other-attack-100, other-attack-101, other-attack-102, other-attack-103, other-attack-104, and other-attack-105. For example:
Gxxx-001(super-ACL 301/ip rule 1)# dos-classification smurf
Done!
Use the destination-ip or ip-protocol command to define the packet criteria to which the ACL rule applies.
destination-ip specifies that the rule applies to packets with a specific destination address, and ip-protocol specifies that the rule applies to packets with a specific protocol. For example:
Gxxx-001(super-ACL 301/ip rule 1)# destination-ip 255.255.255.255 0.0.0.0
Done!
Gxxx-001(super-ACL 301/ip rule 1)# ip-protocol icmp
Done!
Use the composite-operation command to associate the ACL rule with the predefined operation deny-notify, which tells the Branch Gateway to drop any received packet that matches the ACL rule and to send a trap when it drops the packet. For example:
Gxxx-001(super-ACL 301/ip rule 1)# composite-operation deny-notify
Done!
Use the exit command to leave the configuration mode of the ACL rule. For example:
Gxxx-001(super-ACL 301/ip rule 1)# exit
Use the exit command again to leave the configuration mode of the ACL. For example:
Gxxx-001(super-ACL 301)# exit
Enter the configuration mode of the interface on which you want to activate the ACL. For example:
Gxxx-001(super)# interface vlan 203
Use the ip access-group command to activate the configured ACL for incoming packets on the desired interface. For example:
Gxxx-001(super-if:vlan 203)# ip access-group 301 in
Done!
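The following Python model is an added example, not part of the original documentation or the gateway's software. It evaluates rule 1 of ACL 301 as configured above against constructed sample packets to show which traffic the rule classifies as smurf. It assumes the second argument of destination-ip is a wildcard mask in which 0 bits must match exactly; the AclRule class, function names and packet dictionaries are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclRule:
    destination_ip: str      # first argument of destination-ip
    wildcard: str            # second argument, ASSUMED to be a wildcard mask
    ip_protocol: str         # argument of ip-protocol
    operation: str           # argument of composite-operation
    dos_classification: str  # argument of dos-classification

# ACL 301, rule 1, with the values configured on this page.
RULE_1 = AclRule("255.255.255.255", "0.0.0.0", "icmp", "deny-notify", "smurf")

def destination_matches(rule, dst):
    """Compare only the bits the wildcard mask marks as significant (0 bits)."""
    care = ~int(ipaddress.IPv4Address(rule.wildcard)) & 0xFFFFFFFF
    want = int(ipaddress.IPv4Address(rule.destination_ip))
    return (int(ipaddress.IPv4Address(dst)) & care) == (want & care)

def evaluate(rule, packet):
    """Return (operation, classification) if the rule applies, else None."""
    if packet["proto"] != rule.ip_protocol:
        return None
    if not destination_matches(rule, packet["dst"]):
        return None
    return (rule.operation, rule.dos_classification)

# Constructed sample packets (not captured traffic).
PACKETS = [
    {"name": "icmp to limited broadcast", "proto": "icmp", "dst": "255.255.255.255"},
    {"name": "udp to limited broadcast", "proto": "udp", "dst": "255.255.255.255"},
    {"name": "icmp to subnet broadcast", "proto": "icmp", "dst": "192.0.2.255"},
    {"name": "icmp to a single host", "proto": "icmp", "dst": "192.0.2.10"},
]

def run(rule=RULE_1, packets=PACKETS):
    """Evaluate every sample packet and return the result per packet name."""
    return {p["name"]: evaluate(rule, p) for p in packets}

if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:28} -> {result or 'rule 1 does not apply'}")
```

Under the wildcard assumption, only ICMP packets addressed to exactly 255.255.255.255 match rule 1; ICMP sent to a subnet broadcast address such as 192.0.2.255 would need its own rule.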