The following example demonstrates the configuration of MSS notifications using ACL rules. In this example, smurf packets (ICMP packets that are sent to a limited broadcast destination) arriving at interface VLAN 203 are defined as a DoS attack to be reported in MSS notifications.
//create and enter the configuration mode of access control list 301:
Gxxx-001(super)# ip access-control-list 301
//create and enter the configuration mode of ip rule 1:
Gxxx-001(super-ACL 301)# ip-rule 1
//set the rule criteria for the custom DoS classification:
//use the dos-classification command to report on receiving smurf
//packets (ICMP echo packets with a limited broadcast destination address)
Gxxx-001(super-ACL 301/ip rule 1)# dos-classification smurf
Done!
//apply predefined composite-operation deny-notify, which drops the packet and
//causes the gateway to send a trap when it drops the packet
Gxxx-001(super-ACL 301/ip rule 1)# composite-operation Deny-Notify
Done!
//specify that the ip rule applies to packets with this destination IP address
//(wildcard 0.0.0.0 means the address must match exactly):
Gxxx-001(super-ACL 301/ip rule 1)# destination-ip 255.255.255.255 0.0.0.0
Done!
//Specify that the ip rule applies to ICMP packets
Gxxx-001(super-ACL 301/ip rule 1)# ip-protocol icmp
Done!
Gxxx-001(super-ACL 301/ip rule 1)# exit
Gxxx-001(super-ACL 301)# show ip-rule
Index  Protocol  IP                   Wildcard  Port      Operation
       DSCP                                     Fragment  rule
-----  --------  -------------------  --------  --------  -------------
1      icmp      Src Any              Any       Type      Deny-Notify
       Any       Dst 255.255.255.255  Host      Any Code  No
Dos classification: smurf
Deflt  Any       Src Any              Any                 Permit
       Any       Dst Any              Any                 No
Gxxx-001(super-ACL 301)# exit
Gxxx-001(super)# interface vlan 203
//activate Access Control list 301 for incoming packets on interface vlan 203:
Gxxx-001(super-if:VLAN 203)# ip access-group 301 in
Done!
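To see what ACL 301 actually does to traffic, here is an added model of the rule evaluation (example code written for this page, not Avaya's implementation). It assumes first-match evaluation in index order, an implicit default Permit rule, Deny-Notify meaning drop plus trap, and the usual wildcard-mask convention where a 0 bit means "must match" (so 0.0.0.0 is an exact host match); the names IpRule, evaluate and ACL_301 are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class IpRule:
    """One ip-rule of an ip access-control-list (hypothetical model)."""
    index: int
    protocol: str = "any"                 # "icmp", "udp", "tcp" or "any"
    dst_ip: str = "0.0.0.0"
    dst_wildcard: str = "255.255.255.255"  # all-ones wildcard = any address
    operation: str = "Permit"             # "Permit", "Deny" or "Deny-Notify"
    dos_classification: Optional[str] = None

    def matches(self, proto: str, dst: str) -> bool:
        if self.protocol != "any" and self.protocol != proto:
            return False
        want = int(ipaddress.IPv4Address(self.dst_ip))
        have = int(ipaddress.IPv4Address(dst))
        # Wildcard semantics: 0 bit = compare, 1 bit = don't care.
        care = ~int(ipaddress.IPv4Address(self.dst_wildcard)) & 0xFFFFFFFF
        return (want & care) == (have & care)

def evaluate(acl, proto: str, dst: str) -> dict:
    """First matching rule decides; otherwise the implicit default rule permits."""
    for rule in sorted(acl, key=lambda r: r.index):
        if rule.matches(proto, dst):
            return {
                "rule": rule.index,
                "drop": rule.operation.startswith("Deny"),
                "trap": rule.operation == "Deny-Notify",   # MSS notification
                "dos_classification": rule.dos_classification,
            }
    return {"rule": "default", "drop": False, "trap": False,
            "dos_classification": None}

# ACL 301 as configured above: ICMP to the limited broadcast address,
# classified as smurf, Deny-Notify (drop and send a trap).
ACL_301 = [
    IpRule(index=1, protocol="icmp", dst_ip="255.255.255.255",
           dst_wildcard="0.0.0.0", operation="Deny-Notify",
           dos_classification="smurf"),
]

if __name__ == "__main__":
    # Constructed sample packets: one smurf, one normal ping, one UDP broadcast.
    for proto, dst in [("icmp", "255.255.255.255"), ("icmp", "10.1.2.3"),
                       ("udp", "255.255.255.255")]:
        print(proto, dst, evaluate(ACL_301, proto, dst))
```

Only the ICMP packet to 255.255.255.255 hits rule 1 and raises the trap; the UDP broadcast and the unicast ping fall through to the default Permit rule.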