JUNOSe 11.1.x Policy Management Configuration Guide
Filter   Causes the interface to drop all packets of the packet flow that satisfy the
classification associated with the rule

To stop a denial-of-service attack, you can use a policy with a filter rule. You need
to construct the classifier list associated with the filter rule so that it isolates the
attacker's traffic into a flow. To determine the criteria for this classifier list, you need
to analyze the traffic received on an interface. "Monitoring Policy Management
Overview" on page 181 describes how to capture packets into a log.

For example, you can route packets entering an IP interface (ATM 0/0.0) so that they
are handled as indicated:

• Packets from source 1.1.1.1 are routed.
• TCP packets from source 2.2.2.2 with the IP fragmentation offset set to one are
  dropped.
• All other TCP packets are routed.
• All other packets are dropped.

To configure this policy, issue the following commands:

host1(config)#ip classifier-list claclA ip host 1.1.1.1 any
host1(config)#ip classifier-list claclB tcp host 2.2.2.2 any ip-frag-offset eq 1
host1(config)#ip classifier-list claclC tcp any any
host1(config)#ip policy-list IpPolicy100
host1(config-policy-list)#classifier-group claclA
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group claclB
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group claclC
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group *
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#exit
host1(config)#interface atm 0/0.0
host1(config-subif)#ip policy input IpPolicy100 statistics enabled

Creating an Exception Rule within a Policy Classifier Group

To create an exception rule within an IP policy classifier group, use the exception
http-redirect command. The exception rule sends packets that match the classifier
group to the client application instead of having the forwarding controller (FC)
forward them, so that the application can perform an application-dependent action
on the content of the packet. The exception rule applies to input and secondary-input
policies.

The guidelines for creating exception rules within an IPv6 policy classifier group are
the same as those for creating exception rules within an IPv4 policy classifier group.
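The following Python model is an added example, not code from the JUNOSe guide or from Juniper. It transcribes the three classifier lists and the IpPolicy100 policy list shown above into a small evaluator and runs constructed sample packets through it, so the four intended outcomes (and the boundary case of a TCP packet from 2.2.2.2 whose fragment offset is 0, which falls through to claclC and is forwarded) can be checked before the configuration is applied. It also models the exception http-redirect action from the section above with a hypothetical policy list named WebRedirect, which is not on the page. The evaluation order (classifier groups tried in configured order, first match decides, the `*` group matching everything) and the behaviour when no group matches are assumptions of the model, not statements about JUNOSe internals.

```python
# Added example (not from the JUNOSe guide): a model of how the IpPolicy100
# policy list above classifies packets, used to check the intended outcomes
# before deploying the configuration. Evaluation order (first matching
# classifier group wins, '*' matches everything) is an assumption of this model.
from dataclasses import dataclass
from typing import Optional

FORWARD = "forward"
FILTER = "filter"
EXCEPTION_HTTP_REDIRECT = "exception http-redirect"  # hand packet to the client application


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", ...
    frag_offset: int = 0  # IP fragment offset field (0 = first or only fragment)


@dataclass(frozen=True)
class ClassifierList:
    """One 'ip classifier-list' entry: protocol, source, destination, fragment offset."""
    name: str
    proto: Optional[str] = None           # None models the 'ip' keyword (any protocol)
    src: Optional[str] = None             # None models 'any'; otherwise 'host <addr>'
    dst: Optional[str] = None
    frag_offset_eq: Optional[int] = None  # models 'ip-frag-offset eq N'

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and p.src != self.src:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.frag_offset_eq is not None and p.frag_offset != self.frag_offset_eq:
            return False
        return True


@dataclass(frozen=True)
class ClassifierGroup:
    clacl: Optional[ClassifierList]  # None models the '*' (match-all) group
    action: str


@dataclass(frozen=True)
class PolicyList:
    name: str
    groups: tuple

    def evaluate(self, p: Packet) -> str:
        # Assumption: groups are tried in configured order; the first match decides.
        for g in self.groups:
            if g.clacl is None or g.clacl.matches(p):
                return g.action
        # Assumption: a packet matching no group is simply forwarded.
        return FORWARD


# The classifier lists and policy list from the page, transcribed into the model.
claclA = ClassifierList("claclA", proto=None, src="1.1.1.1")
claclB = ClassifierList("claclB", proto="tcp", src="2.2.2.2", frag_offset_eq=1)
claclC = ClassifierList("claclC", proto="tcp")

IP_POLICY_100 = PolicyList("IpPolicy100", (
    ClassifierGroup(claclA, FORWARD),
    ClassifierGroup(claclB, FILTER),
    ClassifierGroup(claclC, FORWARD),
    ClassifierGroup(None, FILTER),
))

# Hypothetical policy list (not on the page) illustrating the exception rule action:
# remaining TCP traffic is handed to the HTTP-redirect client application instead of
# being forwarded by the forwarding controller.
WEB_REDIRECT = PolicyList("WebRedirect", (
    ClassifierGroup(claclB, FILTER),
    ClassifierGroup(claclC, EXCEPTION_HTTP_REDIRECT),
    ClassifierGroup(None, FILTER),
))


def classify(policy: PolicyList, packets):
    """Return {packet description: action} for a batch of packets."""
    return {f"{p.proto} {p.src}->{p.dst} off={p.frag_offset}": policy.evaluate(p)
            for p in packets}


# Constructed sample traffic covering each bullet above, plus the boundary case of a
# 2.2.2.2 TCP packet whose fragment offset is 0 (it falls through to claclC).
SAMPLE_PACKETS = (
    Packet("1.1.1.1", "10.0.0.5", "udp"),
    Packet("2.2.2.2", "10.0.0.5", "tcp", frag_offset=1),
    Packet("2.2.2.2", "10.0.0.5", "tcp", frag_offset=0),
    Packet("3.3.3.3", "10.0.0.5", "tcp"),
    Packet("3.3.3.3", "10.0.0.5", "icmp"),
)

if __name__ == "__main__":
    for desc, action in classify(IP_POLICY_100, SAMPLE_PACKETS).items():
        print(f"{IP_POLICY_100.name}: {desc:34} -> {action}")
```

Because claclB matches only fragments whose offset is exactly 1, the model makes visible that unfragmented TCP packets from 2.2.2.2 are still forwarded by claclC; if the captured attack traffic also contains other offsets, the classifier list criteria need widening accordingly.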