
    Configuring Policies to Provide Network Security

    You can configure policy management to provide a level of network security by using policy rules that selectively forward or filter packet flows:

    • Forward—Causes the packet flows that satisfy the classification associated with the rule to be routed by the virtual router
    • Filter—Causes the interface to drop all packets of the packet flow that satisfy the classification associated with the rule

    To stop a denial-of-service attack, you can use a policy with a filter rule. You need to construct the classifier list associated with the filter rule so that it isolates the attacker’s traffic into a flow. To determine the criteria for this classifier list, you need to analyze the traffic received on an interface. Monitoring Policy Management Overview describes how to capture packets into a log.

    For example, you can route packets entering an IP interface (ATM 0/0.0) so that they are handled as indicated:

    • Packets from source 1.1.1.1 are routed.
    • TCP packets from source 2.2.2.2 with the IP fragmentation offset set to one are dropped.
    • All other TCP packets are routed.
    • All other packets are dropped.

    To configure this policy, issue the following commands:

    host1(config)#ip classifier-list claclA ip host 1.1.1.1 any
    host1(config)#ip classifier-list claclB tcp host 2.2.2.2 any ip-frag-offset eq 1
    host1(config)#ip classifier-list claclC tcp any any
    host1(config)#ip policy-list IpPolicy100
    host1(config-policy-list)#classifier-group claclA
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group claclB
    host1(config-policy-list-classifier-group)#filter
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group claclC
    host1(config-policy-list-classifier-group)#forward
    host1(config-policy-list-classifier-group)#exit
    host1(config-policy-list)#classifier-group *
    host1(config-policy-list-classifier-group)#filter
    host1(config-policy-list-classifier-group)#exit
    host1(config)#interface atm 0/0.0
    host1(config-subif)#ip policy input IpPolicy100 statistics enabled
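    The following Python model is an added example, not part of the JunosE documentation or the router's code: it replays IpPolicy100 against a few constructed packets so the four classifier groups can be checked against the behaviour described above before the policy is attached to an interface. It assumes classifier groups are evaluated in the order listed, the first match decides the action, and the `*` group matches every packet.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Constructed packet: only the fields the classifiers above look at."""
    src: str
    dst: str
    proto: str           # "tcp", "udp", ...
    frag_offset: int = 0 # IP fragment offset field

def matches(clacl: dict, pkt: Packet) -> bool:
    """A classifier is a dict of field -> required value; a missing key
    means 'any', so the empty dict models the '*' classifier-group."""
    return all(getattr(pkt, field) == want for field, want in clacl.items())

# IpPolicy100 as (classifier-group, classifier, action), in the configured
# order (assumption: first matching group wins).
IP_POLICY_100 = [
    ("claclA", {"src": "1.1.1.1"}, "forward"),                          # ip host 1.1.1.1 any
    ("claclB", {"proto": "tcp", "src": "2.2.2.2", "frag_offset": 1}, "filter"),
    ("claclC", {"proto": "tcp"}, "forward"),                            # tcp any any
    ("*", {}, "filter"),                                                # everything else
]

def apply_policy(policy, pkt: Packet):
    """Return (classifier-group, action) of the first group that matches."""
    for name, clacl, action in policy:
        if matches(clacl, pkt):
            return name, action
    raise ValueError("policy has no catch-all classifier-group")

def evaluate(policy, pkts):
    """Decisions per packet plus per-group hit counts, the numbers
    'statistics enabled' would let you read back from the interface."""
    counts = {name: 0 for name, _, _ in policy}
    decisions = []
    for pkt in pkts:
        name, action = apply_policy(policy, pkt)
        counts[name] += 1
        decisions.append(action)
    return decisions, counts

# Constructed traffic arriving on atm 0/0.0 (addresses are the doc's examples).
SAMPLE = [
    Packet("1.1.1.1", "10.0.0.1", "udp"),                 # claclA -> forward
    Packet("2.2.2.2", "10.0.0.1", "tcp", frag_offset=1),  # claclB -> filter
    Packet("2.2.2.2", "10.0.0.1", "tcp", frag_offset=0),  # claclC -> forward
    Packet("3.3.3.3", "10.0.0.1", "tcp"),                 # claclC -> forward
    Packet("3.3.3.3", "10.0.0.1", "udp"),                 # '*'    -> filter
]

if __name__ == "__main__":
    print(evaluate(IP_POLICY_100, SAMPLE))
```

    Swapping claclB behind claclC in the list makes the fragmented packet from 2.2.2.2 match the broader `tcp any any` group first, which is why the narrow filter rule has to come before the catch-all forward rule.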

    Published: 2014-08-14