JunosE 11.3.x Policy Management Configuration Guide
Creating an Exception Rule within a Policy Classifier Group
32
To stop a denial-of-service attack, you can use a policy with a filter rule. You need to
construct the classifier list associated with the filter rule so that it isolates the attacker's
traffic into a flow. To determine the criteria for this classifier list, you need to analyze the
traffic received on an interface. "Monitoring Policy Management Overview" on page 173
describes how to capture packets into a log.
For example, you can route packets entering an IP interface (ATM 0/0.0) so that they
are handled as indicated:
• Packets from source 1.1.1.1 are routed.
• TCP packets from source 2.2.2.2 with the IP fragmentation offset set to one are dropped.
• All other TCP packets are routed.
• All other packets are dropped.
To configure this policy, issue the following commands:
host1(config)#ip classifier-list claclA ip host 1.1.1.1 any
host1(config)#ip classifier-list claclB tcp host 2.2.2.2 any ip-frag-offset eq 1
host1(config)#ip classifier-list claclC tcp any any
host1(config)#ip policy-list IpPolicy100
host1(config-policy-list)#classifier-group claclA
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group claclB
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group claclC
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group *
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#exit
host1(config)#interface atm 0/0.0
host1(config-subif)#ip policy input IpPolicy100 statistics enabled
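The following Python model is an added example, not Juniper code and not part of this guide; it replays IpPolicy100 from the commands above over constructed sample packets so you can see which classifier group each packet hits and why the order of the classifier groups matters. It assumes what the example above relies on: classifier groups are evaluated first-match in the order they were configured, and a packet that matches no group (only possible when the * group is absent) is forwarded normally. The packets, addresses and counters are constructed test data.

```python
"""Model of the IpPolicy100 example (added illustration, not Juniper code).
Assumptions: first-match evaluation of classifier groups in configuration
order; a packet matching no group is forwarded unchanged."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", ...
    frag_offset: int = 0  # IP fragment offset field


@dataclass(frozen=True)
class Classifier:
    """One 'ip classifier-list' entry: protocol, source, destination, optional frag-offset test."""
    name: str
    proto: str                            # "ip" matches every protocol
    src: Optional[str] = None             # None models the keyword 'any'
    dst: Optional[str] = None
    frag_offset_eq: Optional[int] = None  # models 'ip-frag-offset eq N'

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src is not None and self.src != pkt.src:
            return False
        if self.dst is not None and self.dst != pkt.dst:
            return False
        if self.frag_offset_eq is not None and pkt.frag_offset != self.frag_offset_eq:
            return False
        return True


# IpPolicy100 as configured on the page: ordered (classifier group, action) pairs.
# "*" is the catch-all classifier group that matches every packet.
IP_POLICY_100: List[Tuple[Classifier, str]] = [
    (Classifier("claclA", "ip", src="1.1.1.1"), "forward"),
    (Classifier("claclB", "tcp", src="2.2.2.2", frag_offset_eq=1), "filter"),
    (Classifier("claclC", "tcp"), "forward"),
    (Classifier("*", "ip"), "filter"),
]


def evaluate(policy, pkt):
    """Return (group name, action) for the first classifier group that matches pkt."""
    for clacl, action in policy:
        if clacl.matches(pkt):
            return clacl.name, action
    return None, "forward"  # assumption: no matching group means normal forwarding


def apply_policy(policy, packets):
    """Run every packet through the policy; return per-packet results and the
    per-group hit counters that 'statistics enabled' would make visible."""
    counters: Dict[str, int] = {clacl.name: 0 for clacl, _ in policy}
    results = []
    for pkt in packets:
        group, action = evaluate(policy, pkt)
        if group is not None:
            counters[group] += 1
        results.append((pkt, group, action))
    return results, counters


# Constructed sample traffic arriving on atm 0/0.0.
SAMPLE_TRAFFIC = [
    Packet("1.1.1.1", "10.0.0.5", "udp"),                 # trusted host, any protocol
    Packet("2.2.2.2", "10.0.0.5", "tcp", frag_offset=1),  # the attacker's fragments
    Packet("2.2.2.2", "10.0.0.5", "tcp"),                 # same host, unfragmented
    Packet("3.3.3.3", "10.0.0.5", "tcp"),                 # ordinary TCP
    Packet("3.3.3.3", "10.0.0.5", "udp"),                 # anything else
]


def group_order_matters():
    """Why claclB must precede claclC: with the two swapped, the attacker's
    fragments match the broader 'tcp any any' group first and are forwarded."""
    swapped = [IP_POLICY_100[0], IP_POLICY_100[2], IP_POLICY_100[1], IP_POLICY_100[3]]
    frag = SAMPLE_TRAFFIC[1]
    return evaluate(IP_POLICY_100, frag)[1], evaluate(swapped, frag)[1]


if __name__ == "__main__":
    results, counters = apply_policy(IP_POLICY_100, SAMPLE_TRAFFIC)
    for pkt, group, action in results:
        print(f"{pkt.proto:4} {pkt.src} frag={pkt.frag_offset} -> {group}: {action}")
    print("counters:", counters)
    print("configured order vs. swapped:", group_order_matters())
```

Running the block prints one line per sample packet plus the hit counters; the last line shows that the same fragment is filtered under the configured order but forwarded once claclC is moved ahead of claclB, which is the check to make after any edit to a policy list that mixes narrow and broad classifier groups.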
To create an exception rule within an IP policy classifier group that delivers matching
packets to a client application instead of having the forwarding controller (FC) forward
them, use the exception http-redirect command. The application can then perform an
application-dependent action on the content of each packet. The exception rule applies
to input and secondary-input policies.
The guidelines for creating exception rules within an IPv6 policy classifier group are the
same as those for creating exception rules within an IPv4 policy classifier group.
NOTE: The exception http-redirect command is not supported for the ES2
10G Uplink LM.
Copyright © 2010, Juniper Networks, Inc.