JUNOSe 7.2.x Policy Management Configuration Guide
Creating Classifier Control Lists (page 14)
- Use the destinationQualifier option to specify a single TCP or UDP port or range of ports, an ICMP code and optional type, or an IGMP type. The destinationQualifier option is composed of the following suboptions:
    - portNumber: single port number or the beginning of a range of port numbers (TCP and UDP only)
    - portOperator: one of the following (TCP and UDP only):
        - eq: equal to
        - lt: less than
        - gt: greater than
        - neq: not equal to
        - range: range of ports
    - toPortNumber: end of a range of port numbers (TCP and UDP only)
    - icmpType: ICMP message type (ICMP only)
    - icmpCode: ICMP message code (ICMP only)
    - igmpType: IGMP message type (IGMP only)
  For example, the following command matches packets with source address 192.168.30.100 and ICMP type 2 and code 10:

    host1(config)#ip classifier-list YourListName icmp host 192.168.30.100 any 2 10
- Use the tcp-flags keyword and a logical equation (a quotation-enclosed string using ! for NOT and & for AND) to match one or more of the following TCP flags: ack, fin, psh, rst, syn, urg. For example:

    host1(config)#ip classifier-list telnetConnects tcp 192.168.10.0 0.0.0.255 host 10.10.10.10 eq 23 tcp-flags "syn & !ack"

- Use the ip-flags keyword and a logical equation (a quotation-enclosed string using ! for NOT and & for AND) to match one or more of the following IP flags: dont-fragment, more-fragments, reserved. For example:

    host1(config)#ip classifier-list dontFragment ip any any ip-flags "dont-fragment"

- For both IP flags and TCP flags, if you specify only a single flag, the logical equation does not require quotation marks.
- Use the ip-frag-offset keyword and the eq or gt operator to match an IP fragmentation offset equal to 0, equal to 1, or greater than 1. For example, the following commands configure a policy to filter fragmentation offsets equal to 1:

    host1(config)#ip classifier-list fragOffsetAttack ip any host 10.10.10.10 ip-frag-offset eq 1
    host1(config)#ip policy-list dosProtect
    host1(config-policy-list)#filter classifier-group fragOffsetAttack
    host1(config-policy-list)#forward

- Use the traffic-class keyword to match packets with a traffic class that you defined using the traffic-class command.
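To show what the tcp-flags and ip-flags logical equations above actually select, here is an added Python model of the matching (example code written for this page, not part of the JUNOSe guide or software). It parses an equation in the guide's syntax (& for AND, ! for NOT, quotes optional for a single flag), applies ACL-style wildcard masks such as 0.0.0.255, and reproduces the telnetConnects classifier; the packet dictionaries and function names are constructed for illustration.

```python
import ipaddress

# Flag names the classifier accepts, as listed in the guide.
TCP_FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg"}
IP_FLAGS = {"dont-fragment", "more-fragments", "reserved"}


def parse_flag_equation(equation, allowed):
    """Parse a JUNOSe-style logical equation such as "syn & !ack".

    Terms are joined with & (AND); a leading ! negates a term. A bare single
    flag, which the CLI accepts without quotation marks, is the one-term case.
    Returns a list of (flag, must_be_set) pairs.
    """
    terms = []
    for token in equation.strip().strip('"').split("&"):
        token = token.strip()
        negate = token.startswith("!")
        name = token.lstrip("!").strip()
        if name not in allowed:
            raise ValueError("unknown flag %r in %r" % (name, equation))
        terms.append((name, not negate))
    return terms


def flags_match(equation, allowed, packet_flags):
    """True when every term of the equation holds for the packet's flag set."""
    present = set(packet_flags)
    return all((flag in present) == must_be_set
               for flag, must_be_set in parse_flag_equation(equation, allowed))


def wildcard_match(address, base, wildcard):
    """ACL-style wildcard mask: bits that are 0 in the wildcard must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def telnet_connects(packet):
    """Model of: tcp 192.168.10.0 0.0.0.255 host 10.10.10.10 eq 23 tcp-flags "syn & !ack"."""
    return (packet["proto"] == "tcp"
            and wildcard_match(packet["src"], "192.168.10.0", "0.0.0.255")
            and packet["dst"] == "10.10.10.10"
            and packet["dport"] == 23
            and flags_match('"syn & !ack"', TCP_FLAGS, packet["flags"]))


# Constructed sample packets (not from the guide): a Telnet SYN and a SYN-ACK.
SYN = {"proto": "tcp", "src": "192.168.10.77", "dst": "10.10.10.10", "dport": 23, "flags": {"syn"}}
SYN_ACK = {"proto": "tcp", "src": "192.168.10.77", "dst": "10.10.10.10", "dport": 23, "flags": {"syn", "ack"}}
```

Only the connection-opening SYN matches telnetConnects; the SYN-ACK reply fails the !ack term, which is why this classifier counts new sessions rather than all Telnet traffic.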