Juniper E320 User Manual

JUNOSe 7.2.x Policy Management Configuration Guide
Creating Classifier Control Lists
• Use the destinationQualifier option to specify a single TCP or UDP port or range of ports, an ICMP code and optional type, or an IGMP type. The destinationQualifier option is composed of the following suboptions:
  • portNumber—Single port number or the beginning of a range of port numbers (TCP and UDP only)
  • portOperator—One of the following (TCP and UDP only):
    - eq—Equal to
    - lt—Less than
    - gt—Greater than
    - neq—Not equal to
    - range—Range of ports
  • toPortNumber—End of a range of port numbers (TCP and UDP only)
  • icmpType—ICMP message type (ICMP only)
  • icmpCode—ICMP message code (ICMP only)
  • igmpType—IGMP message type (IGMP only)
  For example, the following command matches packets with source address 192.168.30.100 and ICMP type 2 and code 10:
  host1(config)#ip classifier-list YourListName icmp host 192.168.30.100 any 2 10
• Use the tcp-flags keyword and a logical equation (a quotation-enclosed string using ! for NOT, & for AND) to match one or more of the following TCP flags: ack, fin, psh, rst, syn, urg. For example:
  host1(config)#ip classifier-list telnetConnects tcp 192.168.10.0 0.0.0.255 host 10.10.10.10 eq 23 tcp-flags "syn & !ack"
• Use the ip-flags keyword and a logical equation (a quotation-enclosed string using ! for NOT, & for AND) to match one or more of the following IP flags: dont-fragment, more-fragments, reserved. For example:
  host1(config)#ip classifier-list dontFragment ip any any ip-flags "dont-fragment"
• For both IP flags and TCP flags, if you specify only a single flag, the logical equation does not require quotation marks.
• Use the ip-frag-offset keyword and the eq or gt operator to match an IP fragmentation offset equal to 0, 1, or greater than 1.
  For example, the following commands configure a policy to filter fragmentation offsets equal to 1:
  host1(config)#ip classifier-list fragOffsetAttack ip any host 10.10.10.10 ip-frag-offset eq 1
  host1(config)#ip policy-list dosProtect
  host1(config-policy-list)#filter classifier-group fragOffsetAttack
  host1(config-policy-list)#forward
• Use the traffic-class keyword to match packets with a traffic class that you defined using the traffic-class command.
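
Added example, not part of the Juniper guide and not JUNOSe code: a Python model of which packets the tcp-flags and ip-flags equations and the ip-frag-offset match described above select. The flag bit values come from the TCP and IPv4 header formats; the function names and sample packets are constructed for illustration. A fragment at offset 1 exposes no TCP flags to a classifier, which is why the guide filters it separately.

```python
import struct

# Bit masks from the TCP header and the 3-bit IPv4 flags field.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}
IP_FLAGS = {"reserved": 0x4, "dont-fragment": 0x2, "more-fragments": 0x1}


def match_flags(equation, value, table):
    """Evaluate an equation such as "syn & !ack" against a flags value.

    Models only what the guide documents: flag names, ! for NOT, & for AND.
    """
    for term in equation.split("&"):
        term = term.strip()
        negated = term.startswith("!")
        name = term[1:].strip() if negated else term
        if name not in table:
            raise ValueError(f"unknown flag {name!r}")
        if bool(value & table[name]) == negated:
            return False
    return True


def parse_ipv4(packet):
    """Return (ip_flags, frag_offset, tcp_flags or None) from raw IPv4 bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    (frag_word,) = struct.unpack_from("!H", packet, 6)
    ip_flags, frag_offset = frag_word >> 13, frag_word & 0x1FFF
    tcp_flags = None
    # Only a packet starting at offset 0 begins with the TCP header, so only
    # then is byte 13 of the payload the TCP flags byte.
    if packet[9] == 6 and frag_offset == 0 and len(packet) >= ihl + 14:
        tcp_flags = packet[ihl + 13] & 0x3F
    return ip_flags, frag_offset, tcp_flags


def build(frag_word, tcp_flags):
    """Constructed sample packet: 192.168.10.5 -> 10.10.10.10, TCP port 23."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, frag_word, 64, 6, 0,
                     bytes([192, 168, 10, 5]), bytes([10, 10, 10, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 23, 0, 0, 0x50, tcp_flags, 1024, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for label, pkt in [("SYN", build(0x4000, 0x02)), ("SYN-ACK", build(0x4000, 0x12))]:
        _, _, flags = parse_ipv4(pkt)
        print(label, match_flags("syn & !ack", flags, TCP_FLAGS))
```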
