DELL N3000 User Manual

Configuring Access Control Lists
A Consolidated DoS Example
This example shows some ACL rules to consider for reducing the impact of DoS 
attacks on the switch. It does not represent a complete DoS suite. A firewall 
with deep packet inspection capabilities should be used for true DoS protection.
ip access-list reduce-dos-attacks
!
! Rate limit echo requests
!
permit icmp any any icmp-message echo rate-limit 32 64
!
! Deny telnet and rate-limit SSH to the CPU 
!
deny tcp any any eq telnet flag established 
permit tcp any any eq 22 flag established rate-limit 1024 128
deny tcp any any eq telnet
permit tcp any any eq 22 rate-limit 12 2
!
! Rate limit TCP opens
!
permit tcp any any flag +syn rate-limit 8 2
!
! Rate limit TCP closes
!
permit tcp any any flag +fin rate-limit 8 2
!
! Block TCP/UDP/IP frag attacks
!
deny ip any any fragments
!
! Limit SNMP (should set source address to management stations)
! Must be tuned for SNMP walks. May need to adjust the SNMP client 
! retry count or timeout.
!
permit udp any any eq snmp rate-limit 1024 128
!
! Allow other traffic types to come to CPU
!
permit every
exit
ip access-group reduce-dos-attacks control-plane
!
NOTE: The rate limits in this example should be adjusted to match the expected 
rates of traffic coming to the CPU.
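An added example, not from the Dell manual: a Python check that parses the ACL above and lists the rules to review before deployment, following the manual's own comments about restricting SNMP sources and tuning rate limits. The helper names are hypothetical, and `pps_ceiling` assumes the first rate-limit number is in kbps, which this page does not state.

```python
import re

# Constructed sample: the rule lines of the example ACL on this page.
ACL = """\
ip access-list reduce-dos-attacks
permit icmp any any icmp-message echo rate-limit 32 64
deny tcp any any eq telnet flag established
permit tcp any any eq 22 flag established rate-limit 1024 128
deny tcp any any eq telnet
permit tcp any any eq 22 rate-limit 12 2
permit tcp any any flag +syn rate-limit 8 2
permit tcp any any flag +fin rate-limit 8 2
deny ip any any fragments
permit udp any any eq snmp rate-limit 1024 128
permit every
ip access-group reduce-dos-attacks control-plane
"""
MGMT_PORTS = {"22", "snmp", "telnet"}  # management services named in the example

def parse_rules(text):
    """Return one dict per permit/deny line, in ACL order."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        rl = re.search(r"rate-limit (\d+) (\d+)", line)
        port = tok[tok.index("eq") + 1] if "eq" in tok else None
        rules.append({"line": line.strip(), "action": tok[0], "port": port,
                      "any_src": tok[2:3] == ["any"],
                      "limit": tuple(map(int, rl.groups())) if rl else None})
    return rules

def audit(text):
    """Return (rule line, finding) pairs to review before deployment."""
    findings = []
    for r in parse_rules(text):
        if r["action"] != "permit":
            continue
        if r["port"] in MGMT_PORTS and r["any_src"]:
            findings.append((r["line"], "management service open to any source"))
        if r["limit"] is None:
            findings.append((r["line"], "permit to CPU without rate-limit"))
    if not re.search(r"^ip access-group \S+ control-plane", text, re.M):
        findings.append(("(no access-group)", "ACL not applied to control-plane"))
    return findings

def pps_ceiling(rate, frame_bytes=64):
    """Frames per second a limit admits, ASSUMING the rate is in kbps."""
    return rate * 1000 // (frame_bytes * 8)
```

Run against the ACL above, `audit(ACL)` flags the two SSH rules and the SNMP rule for their `any` source, and the final `permit every` as an unmetered path to the CPU.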