Archive for the ‘Generic Firewalling’ Category

ip access-list extended TTL    
permit ip host any ttl lt 2


class-map acl-filter-class

# match access-group name TTL


policy-map acl-filter
class acl-filter-class



service-policy input acl-filter

The following example configures a traffic class called acl-filter-class for use in a policy map called acl-filter. An access list permits IP packets from any source having a TTL of 0 or 1. Any packets matching the access list are dropped.
The policy map is attached to the control plane.

!– defines an IP access list that filters on a TTL value; it must be an extended access list.
ip access-list extended TTL    !–Every access list must have at least one permit statement.!–This access-list sets conditions to allow a packet to pass a named IP access list.
!–This example permits packets from source to any destination with a TTL value less than 2. Any packets that pass the access list are dropped in policy. This special access list is separate from any interface access list.
#permit ip host any ttl lt 2!– Creates a class map to be used for matching packets to a specified class.
#class-map acl-filter-class!– Configures the match criteria for a class map on the basis of the specified access control list.

     # match access-group name TTL!– Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.

policy-map acl-filter!– Specifies the name of the class whose policy you want to create or change or to specify the default class (commonly known as the class-default class) before you configure its policy.

class acl-filter-class!– Configures a traffic class to discard packets belonging to a specific class.

drop!– Associates or modifies attributes or parameters that are associated with the control plane of the device.


!– Attaches a policy map to a control plane for aggregate control plane services.Router(config-cp)# service-policy input acl-filter