Creating An Ip Classifier Control List That Matches The Tos Byte; Creating An Ip Classifier Control List That Filters Icmp Echo Requests; Creating Ip Classifier Control Lists That Use Tcp Or Ip Flags; Offset - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - POLICY MANAGEMENT CONFIGURATION GUIDE 2010-10-04 Configuration Manual

Software for e series broadband services routers policy management configuration guide

JunosE 11.3.x Policy Management Configuration Guide

Creating an IP Classifier Control List That Matches the ToS Byte

You can create an IP CLACL that matches the ToS byte in the IP header.

Issue the ip classifier-list command using the tos keyword; the dsfield and precedence keywords match on the same byte:

host1(config)#ip classifier-list tos128 ip any any tos 128
host1(config)#ip classifier-list low-drop-prec ip any any dsfield 10
host1(config)#ip classifier-list priority ip any any precedence 1

Creating an IP Classifier Control List That Filters ICMP Echo Requests

You can create a CLACL that filters all ICMP echo requests headed toward an access link under a denial-of-service attack.

Issue the ip classifier-list command with the ICMP type and code (8 and 0 for an echo request):

host1(config)#ip classifier-list XYZCorpIcmpEchoReqs icmp any any 8 0
host1(config)#ip classifier-list XYZCorpIgmpType1 igmp any any 1

Creating IP Classifier Control Lists That Use TCP or IP Flags

You can create CLACLs that use TCP or IP flags. For both IP flags and TCP flags, if you specify only a single flag, the logical equation does not require quotation marks.

Issue the ip classifier-list command with the tcp-flags keyword and a logical equation (a quotation-enclosed string using ! for NOT, & for AND) to match one or more of the ack, fin, psh, rst, syn, or urg TCP flags:

host1(config)#ip classifier-list telnetConnects tcp 192.168.10.0 0.0.0.255 host 10.10.10.10 eq 23 tcp-flags "syn & !ack"

Issue the ip classifier-list command with the ip-flags keyword and a logical equation (a quotation-enclosed string using ! for NOT, & for AND) to match one or more of the dont-fragment, more-fragments, or reserved IP flags:

host1(config)#ip classifier-list dontFragment ip any any ip-flags "dont-fragment"

Creating IP Classifier Control Lists That Match the IP Fragmentation Offset

You can create CLACLs that match the IP fragmentation offset.

Issue the ip classifier-list command with the ip-frag-offset keyword and the eq or gt operator to match an IP fragmentation offset equal to 0, 1, or greater than 1. The policy list that follows references the CLACL in a filter rule:

host1(config)#ip classifier-list fragOffsetAttack ip any host 10.10.10.10 ip-frag-offset eq 1
host1(config)#ip policy-list dosProtect
host1(config-policy-list)#filter classifier-group fragOffsetAttack
host1(config-policy-list)#forward

Creating or Modifying Classifier Control Lists for IPv6 Policy Lists

You can create or modify a classifier control list that can be used only in IPv6 policy lists.
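The header fields tested by the tos, dsfield, precedence, tcp-flags, ip-flags and ip-frag-offset classifiers shown earlier can be checked offline against raw packet bytes. The following Python sketch is an added example, not code from the Juniper guide or from JunosE: it models the matches from the standard IPv4 and TCP header layouts, and every function name and sample packet in it is constructed for illustration.

```python
import struct

TCP_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}
IP_BITS = {"reserved": 0x4, "dont-fragment": 0x2, "more-fragments": 0x1}

def flags_match(equation, value, bits):
    """Evaluate a '&' / '!' flag equation such as 'syn & !ack' against a flag field."""
    if value is None:  # field absent, e.g. TCP flags in a non-first fragment
        return False
    for term in equation.split("&"):
        term = term.strip()
        if bool(value & bits[term.lstrip("! ")]) == term.startswith("!"):
            return False
    return True

def parse(pkt):
    """Extract the IPv4/TCP header fields that the classifier keywords test."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack_from("!H", pkt, 6)[0]
    f = {"tos": pkt[1], "precedence": pkt[1] >> 5, "dsfield": pkt[1] >> 2,
         "ip_flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
         "proto": pkt[9], "tcp_flags": None}
    # The TCP flags byte is only present in the first fragment (offset 0).
    if f["proto"] == 6 and f["frag_offset"] == 0 and len(pkt) >= ihl + 14:
        f["tcp_flags"] = pkt[ihl + 13] & 0x3F
    return f

def ipv4(payload=b"", tos=0, ip_flags=0, frag_offset=0, proto=6):
    """Constructed IPv4 header (checksum zero), 192.168.10.5 -> 10.10.10.10."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0,
                       (ip_flags << 13) | frag_offset, 64, proto, 0,
                       bytes([192, 168, 10, 5]), bytes([10, 10, 10, 10])) + payload

def tcp(flags):
    """Constructed 20-byte TCP header to port 23 with the given flags byte."""
    return struct.pack("!HHIIBBHHH", 40000, 23, 0, 0, 5 << 4, flags, 8192, 0, 0)

def telnet_connects(pkt):
    """Flag part of telnetConnects: tcp-flags "syn & !ack" (address/port omitted)."""
    return flags_match("syn & !ack", parse(pkt)["tcp_flags"], TCP_BITS)

def frag_offset_attack(pkt):
    """Model of fragOffsetAttack: ip any host 10.10.10.10 ip-frag-offset eq 1."""
    return pkt[16:20] == bytes([10, 10, 10, 10]) and parse(pkt)["frag_offset"] == 1

# Constructed sample packets (never sent anywhere).
SYN = ipv4(tcp(0x02))
SYN_ACK = ipv4(tcp(0x12))
TINY_FRAG = ipv4(b"\x00" * 8, ip_flags=0x1, frag_offset=1)
DF_TOS128 = ipv4(tcp(0x10), tos=128, ip_flags=0x2)
```

In this model a fragment at offset 1 carries no TCP flags byte, so a tcp-flags match cannot evaluate it and only the ip-frag-offset match identifies it.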
Copyright © 2010, Juniper Networks, Inc.
