JUNOSe 7.2.x Policy Management Configuration Guide
Creating Classifier Groups and Policy Rules
To stop a denial-of-service attack, you can use a policy with a filter rule: packets that match the classifier group of a filter rule are dropped. Construct the classifier list associated with the filter rule so that it isolates the attacker's traffic into a flow and is narrow enough not to catch legitimate traffic on the same interface. To determine the criteria for this classifier list, analyze the traffic received on the interface. Chapter 5, Monitoring Policy Management, describes how to capture packets into a log.
For example, you can route packets entering an IP interface (ATM 0/0.0) so that they are handled as indicated:
- Packets from source 1.1.1.1 are routed.
- TCP packets from source 2.2.2.2 with the IP fragmentation offset set to one are dropped.
- All other TCP packets are routed.
- All other packets are dropped.
To configure this policy, issue the following commands:
host1(config)#ip classifier-list claclA ip host 1.1.1.1 any
host1(config)#ip classifier-list claclB tcp host 2.2.2.2 any ip-frag-offset eq 1
host1(config)#ip classifier-list claclC tcp any any
host1(config)#ip policy-list IpPolicy100
host1(config-policy-list)#classifier-group claclA
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group claclB
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group claclC
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group *
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#exit
host1(config)#interface atm 0/0.0
host1(config-subif)#ip policy input IpPolicy100 statistics enabled
Creating Multiple Forwarding Solutions with IP Policy Lists
By default, the router uses a single route table lookup to determine the forwarding
solution for packets. For IP policy lists only, the forward command enables you to
configure one or more unique forwarding solutions (interfaces or next-hop
addresses) that override the route table lookup. By creating a group of forwarding
solutions, you can ensure that there is a reachable solution for the packets.
You can use the order keyword to specify the order of the group of forwarding
solutions within a single forward rule. If no order value is specified, then the default
order of 100 is assigned to a solution. The router evaluates the forwarding solutions
in the group, starting at the solution with the lowest order value, and then uses the
first reachable solution. To be considered a reachable solution, a solution must be a
reachable interface or a next-hop address that has a route in the routing table. If no
solutions are reachable, the traffic is dropped.
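The following Python model is an added example, not code from the JUNOSe guide or from Juniper: it replays the IpPolicy100 policy above against constructed sample packets and then evaluates a forward rule with an ordered group of forwarding solutions as described in this section. All class, function and target names (10.1.1.2, atm 3/0.1, 10.1.2.2) are this example's own; it assumes classifier groups are tried in the configured order with the first match deciding, and it treats ip-frag-offset eq as plain equality on the fragment offset field, which is an assumption to check against the classifier-list command reference.

```python
# Added example, not code from the JUNOSe guide: a small model of how an IP
# policy list classifies packets and applies forward/filter rules, including
# the ordered group of forwarding solutions of a forward rule.
# Names are this example's own; ip-frag-offset is modelled as plain equality
# on the packet's fragment offset field (an assumption).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp", "icmp", ...
    frag_offset: int = 0     # value of the IP fragment offset field


@dataclass
class Classifier:
    """One ip classifier-list entry; None means 'any' / 'ip' / don't care."""
    name: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    frag_offset: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.src is None or pkt.src == self.src)
                and (self.dst is None or pkt.dst == self.dst)
                and (self.frag_offset is None or pkt.frag_offset == self.frag_offset))


@dataclass
class Solution:
    """A forwarding solution: an interface name or a next-hop address."""
    target: str
    order: int = 100          # default order when none is given


@dataclass
class Rule:
    """A classifier group and its action; classifier None is the '*' group."""
    classifier: Optional[Classifier]
    action: str               # "forward" or "filter"
    solutions: list = field(default_factory=list)   # forward rules only


class PolicyList:
    def __init__(self, name: str, rules: list):
        self.name, self.rules = name, rules

    def apply(self, pkt: Packet, reachable: set) -> tuple:
        """Return (verdict, target). Groups are tried in configured order and
        the first match decides. 'route-table' stands for the normal route
        lookup, used when a forward rule names no solution or when no group
        matches (the latter is an assumption of this model)."""
        for rule in self.rules:
            if rule.classifier is not None and not rule.classifier.matches(pkt):
                continue
            if rule.action == "filter":
                return ("drop", None)
            if not rule.solutions:
                return ("forward", "route-table")
            # sorted() is stable: equal order values keep configuration order
            for sol in sorted(rule.solutions, key=lambda s: s.order):
                if sol.target in reachable:
                    return ("forward", sol.target)
            return ("drop", None)       # no reachable solution: traffic dropped
        return ("forward", "route-table")


# The policy from the page, as applied to atm 0/0.0
IP_POLICY_100 = PolicyList("IpPolicy100", [
    Rule(Classifier("claclA", src="1.1.1.1"), "forward"),
    Rule(Classifier("claclB", proto="tcp", src="2.2.2.2", frag_offset=1), "filter"),
    Rule(Classifier("claclC", proto="tcp"), "forward"),
    Rule(None, "filter"),
])


def classify_example() -> list:
    """Constructed sample packets run through IpPolicy100; returns verdicts."""
    pkts = [
        Packet("1.1.1.1", "10.0.0.5", "udp"),                  # claclA: routed
        Packet("1.1.1.1", "10.0.0.5", "tcp", frag_offset=1),   # claclA still wins (listed first)
        Packet("2.2.2.2", "10.0.0.5", "tcp", frag_offset=1),   # claclB: dropped
        Packet("2.2.2.2", "10.0.0.5", "tcp"),                  # claclC: routed
        Packet("3.3.3.3", "10.0.0.5", "udp"),                  # '*': dropped
    ]
    return [IP_POLICY_100.apply(p, set())[0] for p in pkts]


def forward_solution_example(reachable: set) -> tuple:
    """A forward rule with three hypothetical solutions; 'reachable' is the
    constructed set of interfaces/next hops that currently have a route."""
    rule = Rule(Classifier("claclC", proto="tcp"), "forward", [
        Solution("10.1.1.2", order=10),
        Solution("atm 3/0.1", order=20),
        Solution("10.1.2.2"),          # default order 100
    ])
    return PolicyList("Fwd", [rule]).apply(Packet("2.2.2.2", "10.0.0.5", "tcp"), reachable)
```

Calling classify_example() gives forward, forward, drop, forward, drop for the five constructed packets, which shows that the fragmented TCP packet from 1.1.1.1 is still routed because claclA is matched before claclB. forward_solution_example({"atm 3/0.1", "10.1.2.2"}) picks atm 3/0.1 (lowest order among reachable solutions), and an empty reachable set yields a drop.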
