secure ip classifier-list
Syntax
secure ip classifier-list classifierName { { classifier-auth-id { 0 } } | { [ traffic-class trafficClassName ]
[ color { green | yellow | red } ] [ user-packet-class userPacketClassValue ]
[ source-route-class routeClassValue ] [ destination-route-class routeClassValue ]
[ local { true | false } ] [ not ] { protocol }
[ not ] { sourceAddress sourceMask | host sourceHostAddress | any } [ sourceQualifier ]
[ not ] { destinationAddress destinationMask | host destinationHostAddress | any }
[ destinationQualifier ] [ tcpQualifier ] [ ip-flags ipFlags ]
[ ip-frag-offset { eq 0 | eq 1 | gt 1 } ]
[ precedence precNum | dsField dsFieldNum | tos tosNum ] } }
no secure ip classifier-list classifierName [ classifierNumber ] [ classifier-auth-id { 0 } ]
Release Information
Command introduced in JunosE Release 8.0.0.
Description
Creates or modifies a secure classifier control list. Use the not keyword to deny traffic for a specific protocol, source address, or destination address. Use the any keyword to allow traffic to any source or destination address. The no version removes the classifier control list.
Options
- classifierName—Name of the classifier control list entry
- classifierAuthId—Number of the authentication ID to match (0)
- trafficClassName—Name of the traffic class to match
- green—Matches packet color to green, indicating a low drop preference
- yellow—Matches packet color to yellow, indicating a medium drop preference
- red—Matches packet color to red, indicating a high drop preference
- userPacketClassValue—User packet value to match; in the range 0–15
- routeClassValue—Value of the route-class; in the range 0–255
- local—Specifies traffic destined for this interface
- true—Matches packets that are locally destined
- false—Matches packets that are not locally destined
- not—Matches any except the immediately following protocol or address
- protocol—Protocol name (IGMP, IP, TCP, or UDP) or number (in the range 0–255) to match
- sourceAddress—Source address to match
- sourceMask—Wild-card mask to apply to the source address
- host—Matches source or destination address as a host
- sourceHostAddress—Source host address to match
- any—Matches any source or destination address
- sourceQualifier—For UDP or TCP protocols, one of the following protocol-specific classifier parameters. See Creating or Modifying Classifier Control Lists for IP Policy Lists in the JunosE Policy Management Configuration Guide for details.
  - portOperator—One of the following Boolean operator keywords: lt (less than), gt (greater than), eq (equal to), ne (not equal), or range (range of port numbers)
  - range—Single port number or a range of port numbers
- destinationAddress—Destination address to match
- destinationMask—Wild-card mask to apply to the destination address
- destinationHostAddress—Destination host address to match
- destinationQualifier—One of the following protocol-specific classifier parameters for destination TCP or UDP ports, ICMP code and type, or IGMP type. The portOperator and port range are used with TCP and UDP. The icmpType, icmpCode, and igmpType parameters are used with ICMP and IGMP.
  - portOperator—One of the following Boolean operator keywords: lt (less than), gt (greater than), eq (equal to), ne (not equal), or range (range of port numbers) (TCP and UDP only)
  - range—Single port number or a range of port numbers
  - icmpType—ICMP message type (ICMP only)
  - icmpCode—ICMP message code (ICMP only)
  - igmpType—IGMP message type (IGMP only)
- tcpQualifier—TCP flags classification parameters
  - tcpFlag—For TCP only; a logic equation that specifies flag bit values; ! means logical NOT and & means logical AND; use any of the following flag names:
    - ack—0x10
    - fin—0x01
    - push—0x08
    - rst—0x04
    - syn—0x02
    - urgent—0x20
- ipFlags—Logic equation that specifies flag bit values; ! means logical NOT and & means logical AND; use any of the following flag names:
  - dont-fragment—0x02
  - more-fragments—0x01
  - reserved—0x04
- ip-frag-offset—Matches the specified IP fragmentation offset; use any of the following:
  - eq 0—Equals 0
  - eq 1—Equals 1
  - gt 1—Greater than 1
- precNum—Upper three bits of the ToS byte; in the range 0–7
- dsFieldNum—Upper six bits of the ToS byte; in the range 0–63
- tosNum—Whole eight bits of the ToS byte; in the range 0–255
- classifierNumber—Index of the classifier control list entry to be deleted
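The tcpFlag and ipFlags logic equations in the Options above can be read as a mask/value test on the header's flag bits. The following Python sketch is an added example, not JunosE code or output; it assumes that bits not named in an equation are ignored and that terms are written in the form "syn & !ack", and the function names are hypothetical.

```python
# Flag names and bit values copied from the Options list above.
TCP_FLAGS = {"ack": 0x10, "fin": 0x01, "push": 0x08,
             "rst": 0x04, "syn": 0x02, "urgent": 0x20}
IP_FLAGS = {"dont-fragment": 0x02, "more-fragments": 0x01, "reserved": 0x04}


def compile_equation(equation, table):
    """Compile an equation such as 'syn & !ack' into (mask, value).

    mask  = every bit the equation names
    value = the named bits that must be set (non-negated terms)
    """
    mask = value = 0
    for term in equation.split("&"):
        term = term.strip()
        negated = term.startswith("!")
        name = term[1:].strip() if negated else term
        if name not in table:
            raise ValueError(f"unknown flag name: {name!r}")
        bit = table[name]
        # Reject 'syn & !syn': it can never match any packet.
        if mask & bit and bool(value & bit) == negated:
            raise ValueError(f"contradictory terms for {name!r}")
        mask |= bit
        if not negated:
            value |= bit
    return mask, value


def matches(flags_byte, equation, table=TCP_FLAGS):
    """True if the header flag bits satisfy the equation.

    Assumption: bits the equation does not name are ignored.
    """
    mask, value = compile_equation(equation, table)
    return (flags_byte & mask) == value


def demo():
    # Constructed TCP flag bytes: SYN, SYN+ACK, ACK, SYN+PUSH.
    samples = [0x02, 0x12, 0x10, 0x0A]
    return [matches(f, "syn & !ack") for f in samples]


if __name__ == "__main__":
    print(demo())  # [True, False, False, True]
```

Under these assumptions, "syn & !ack" selects only connection-opening segments, which is why the SYN+ACK and bare ACK samples do not match while SYN+PUSH does.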
Mode
Global Configuration