
    Creating or Modifying Classifier Control Lists for IP Policy Lists

    Tasks to create or modify classifier control lists for IP policy lists:

    Creating Classifier Control List for Only IP Policy Lists

    You can create or modify a classifier control list that can be used only in IP policy lists. A packet matches a multiple-element classifier list if it matches any one of the elements; that is, the elements of the CLACL are combined with a logical OR.

    • Issue the ip classifier-list command to match all packets that have a source IP address of 192.168.30.100 or have a destination IP address of 192.168.30.200:
      host1(config)#ip classifier-list boston5 ip host 192.168.30.100 any
      host1(config)#ip classifier-list boston5 ip any host 192.168.30.200

    Setting Up an IP Classifier Control List to Accept Traffic from All Sources

    You can set up a CLACL to accept IP traffic from all source addresses on the subnet.

    • Issue the ip classifier-list command:
      host1(config)#ip classifier-list XYZCorpPermit ip 192.168.0.0 0.0.255.255 any

    Classifying IP Traffic Based on Source and Destination Addresses

    You can classify traffic based on source and destination addresses. You can specify an address as a host address, or as a subnet with a wildcard mask. If you specify a subnet, the mask, in binary notation, must be a series of contiguous zeros followed by a series of contiguous ones. The any keyword is the address wildcard; it matches traffic for any address.

    • Issue the ip classifier-list command to classify traffic on any source or destination address:
      host1(config)#ip classifier-list YourListName ip any any
      host1(config)#ip classifier-list YourListName ip host 10.10.10.10 any
      host1(config)#ip classifier-list YourListName ip 10.10.0.0 0.0.255.255 host 10.10.10.2

    Using IP Classifier Control Lists to Match Route Class Values

    You can set up classifier control lists to match route-class values. In this example, svale20 matches a source address lookup route-class value of 1. svale30 matches a destination address lookup route-class value of 1 and a ToS byte value of 10. svale40 matches a source address lookup route-class value of 1 and packets destined to a local interface. west20 matches a source address lookup route-class value of 1 and packets that are not destined for a local interface (packets destined for remote interfaces).

    • Issue the ip classifier-list command:
      host1(config)#ip classifier-list svale20 source-route-class 1 ip any any
      host1(config)#ip classifier-list svale30 destination-route-class 1 ip any any tos 10
      host1(config)#ip classifier-list svale40 source-route-class 1 local true ip any any
      host1(config)#ip classifier-list west20 source-route-class 1 local false ip any any

    Creating IP Classifier Control Lists for TCP and UDP Ports

    You can specify a single TCP or UDP port or a range of ports. In the following example, packets are matched that have source address 198.168.30.100 and a UDP source port in the range 1 to 10.

    • Issue the ip classifier-list command to create a CLACL on a UDP host:
      host1(config)#ip classifier-list YourListName udp host 192.168.30.100 range 1 10 any

      To create a CLACL that matches all traffic on UDP source ports greater than 100:

      host1(config)#ip classifier-list XYZCorpUdp udp any gt 100 172.17.2.1 0.0.255.255

      To match a non-TCP packet originating from IP address 172.28.100.52:

      host1(config)#ip classifier-list YourListName not tcp host 172.28.100.52 any

      In place of a port, you can also specify an ICMP code and optional type, or an IGMP type. To match packets with source address 198.168.30.100 and ICMP type 2 and code 10:

      host1(config)#ip classifier-list YourListName icmp host 192.168.30.100 any 2 10
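The address, wildcard-mask, port and multiple-element (logical OR) semantics described above can be checked against sample packets with the following model. It is an added example written for this page, not JunosE code: the names Element, Packet, valid_wildcard, parse_addr, port_matches and clacl_matches are assumed, the port clause is written as a tuple such as ('eq', 23), ('gt', 100) or ('range', 1, 10), and the packets at the bottom are constructed, not captured traffic. It reproduces the boston5 and XYZCorpUdp lists from the text and rejects a wildcard mask whose bits are not contiguous zeros followed by contiguous ones.

```python
"""Illustrative model of JunosE-style IP classifier-list (CLACL) matching.
Added example, not JunosE code; all names here are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def valid_wildcard(mask: str) -> bool:
    """A wildcard mask must be contiguous 0 bits followed by contiguous 1 bits
    (most to least significant), e.g. 0.0.255.255.  Every such value has the
    form 2**n - 1, so mask + 1 is a power of two."""
    m = int(ipaddress.IPv4Address(mask))
    return (m + 1) & m == 0


def parse_addr(spec: str) -> Tuple[int, int]:
    """Turn 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' into (address, wildcard)."""
    tokens = spec.split()
    if tokens == ["any"]:
        return 0, ALL_ONES                       # every bit is don't-care
    if len(tokens) == 2 and tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0   # every bit must match
    if len(tokens) == 2:
        if not valid_wildcard(tokens[1]):
            raise ValueError(f"non-contiguous wildcard mask: {tokens[1]}")
        return (int(ipaddress.IPv4Address(tokens[0])),
                int(ipaddress.IPv4Address(tokens[1])))
    raise ValueError(f"bad address spec: {spec!r}")


def addr_matches(spec: str, addr: str) -> bool:
    base, wildcard = parse_addr(spec)
    care = ~wildcard & ALL_ONES                  # bits that must be equal
    return (int(ipaddress.IPv4Address(addr)) ^ base) & care == 0


def port_matches(op: Optional[Tuple], port: Optional[int]) -> bool:
    """op is None (no port clause), ('eq', n), ('gt', n) or ('range', lo, hi)."""
    if op is None:
        return True
    if port is None:                             # port clause but the packet has no ports
        return False
    kind = op[0]
    if kind == "eq":
        return port == op[1]
    if kind == "gt":
        return port > op[1]
    if kind == "range":
        return op[1] <= port <= op[2]
    raise ValueError(f"unknown port operator {kind!r}")


@dataclass
class Packet:
    proto: str                                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Element:
    """One element of a classifier list, in the CLI clause order."""
    proto: str                                   # "ip" matches every protocol
    src: str
    dst: str
    src_port: Optional[Tuple] = None
    dst_port: Optional[Tuple] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and addr_matches(self.src, pkt.src)
                and addr_matches(self.dst, pkt.dst)
                and port_matches(self.src_port, pkt.sport)
                and port_matches(self.dst_port, pkt.dport))


def clacl_matches(elements: List[Element], pkt: Packet) -> bool:
    """A multi-element CLACL classifies a packet if ANY element matches (logical OR)."""
    return any(e.matches(pkt) for e in elements)


# boston5 from the text: source host 192.168.30.100 OR destination host 192.168.30.200.
BOSTON5 = [Element("ip", "host 192.168.30.100", "any"),
           Element("ip", "any", "host 192.168.30.200")]

# XYZCorpUdp from the text: UDP from any source with source port > 100, to 172.17.0.0/16.
XYZCORP_UDP = [Element("udp", "any", "172.17.2.1 0.0.255.255", src_port=("gt", 100))]

if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    for pkt in (Packet("tcp", "192.168.30.100", "10.0.0.1", 40000, 80),
                Packet("udp", "10.0.0.9", "192.168.30.200", 5000, 53),
                Packet("tcp", "10.0.0.9", "10.0.0.1", 40000, 80)):
        print(pkt, "boston5" if clacl_matches(BOSTON5, pkt) else "no match")
    print("0.0.255.255 valid:", valid_wildcard("0.0.255.255"))
    print("0.255.0.255 valid:", valid_wildcard("0.255.0.255"))
```

The wildcard check is the part worth keeping at hand: because a valid mask is a run of zeros followed by a run of ones, mask + 1 is a power of two, so a single bit test rejects masks such as 0.255.0.255 before they are installed.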

    Creating an IP Classifier Control List That Matches the ToS Byte

    You can create an IP CLACL that matches the ToS byte in the IP header.

    • Issue the ip classifier-list command using the tos keyword:
      host1(config)#ip classifier-list tos128 ip any any tos 128
      host1(config)#ip classifier-list low-drop-prec ip any any dsfield 10
      host1(config)#ip classifier-list priority ip any any precedence 1

    Creating an IP Classifier Control List That Filters ICMP Echo Requests

    You can create a CLACL that filters all ICMP echo requests headed toward an access link that is under a denial-of-service attack.

    • Issue the ip classifier-list command:
      host1(config)#ip classifier-list XYZCorpIcmpEchoReqs icmp any any 8 0
      host1(config)#ip classifier-list XYZCorpIgmpType1 icmp any any

    Creating IP Classifier Control Lists That Use TCP or IP Flags

    You can create CLACLs that use TCP or IP flags. For both IP flags and TCP flags, if you specify only a single flag, the logical equation does not require quotation marks.

    • Issue the ip classifier-list command with the tcp-flags keyword and a logical equation (a quotation-enclosed string using ! for NOT, & for AND) to match one or more of the ack, fin, psh, rst, syn, or urg TCP flags:
      host1(config)#ip classifier-list telnetConnects tcp 192.168.10.0 0.0.0.255 host 10.10.10.10 eq 23 tcp-flags "syn & !ack"
    • Issue the ip classifier-list command with the ip-flags keyword and a logical equation (a quotation-enclosed string using ! for NOT, & for AND) to match one or more of the dont-fragment, more-fragments, or reserved IP flags:
      host1(config)#ip classifier-list dontFragment ip any any ip-flags "dont-fragment"
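The logical-equation syntax used by tcp-flags and ip-flags (flag names joined by & for AND, each optionally prefixed by ! for NOT, with the quotation marks optional for a single flag) can be evaluated offline with the small evaluator below. It is an added example for this page, not JunosE code: parse_equation, equation_matches and tcp_flag_names are assumed names, and the flag bytes fed to it are constructed. The bit positions in tcp_flag_names are the standard TCP header flag bits. It shows why the telnetConnects list uses "syn & !ack": only the opening packet of a handshake matches, while the SYN/ACK reply and established traffic do not.

```python
"""Evaluator for the tcp-flags / ip-flags logical-equation syntax.
Added example, not JunosE code; all names here are assumptions."""
from typing import FrozenSet, List, Set, Tuple

TCP_FLAGS = frozenset({"ack", "fin", "psh", "rst", "syn", "urg"})
IP_FLAGS = frozenset({"dont-fragment", "more-fragments", "reserved"})

# Standard TCP header flag bits, low to high.
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}


def tcp_flag_names(flags_byte: int) -> Set[str]:
    """Map a raw TCP flags byte to the names used in the equation syntax."""
    return {name for name, bit in TCP_FLAG_BITS.items() if flags_byte & bit}


def parse_equation(equation: str, vocabulary: FrozenSet[str]) -> List[Tuple[str, bool]]:
    """'"syn & !ack"' -> [('syn', True), ('ack', False)].
    The surrounding quotation marks are optional for a single flag, as in the CLI."""
    text = equation.strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        text = text[1:-1]
    terms: List[Tuple[str, bool]] = []
    for raw in text.split("&"):                  # & is the only operator: AND
        term = raw.strip()
        required = True
        if term.startswith("!"):                 # ! negates the single flag that follows
            required = False
            term = term[1:].strip()
        if term not in vocabulary:               # catches typos and empty terms
            raise ValueError(f"unknown flag {term!r} in {equation!r}")
        terms.append((term, required))
    return terms


def equation_matches(equation: str, set_flags: Set[str],
                     vocabulary: FrozenSet[str] = TCP_FLAGS) -> bool:
    """Every term must hold: a bare flag must be set, a !flag must be clear."""
    return all((flag in set_flags) == required
               for flag, required in parse_equation(equation, vocabulary))


if __name__ == "__main__":
    # telnetConnects from the text uses "syn & !ack".  Constructed flag bytes:
    # SYN alone, SYN+ACK, ACK alone.
    for flags_byte in (0x02, 0x12, 0x10):
        names = tcp_flag_names(flags_byte)
        print(sorted(names), equation_matches('"syn & !ack"', names))
    # A single flag needs no quotation marks; the same evaluator serves ip-flags.
    print(equation_matches("dont-fragment", {"dont-fragment"}, IP_FLAGS))
```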

    Creating IP Classifier Control Lists That Match the IP Fragmentation Offset

    You can create CLACLs that match the IP fragmentation offset.

    • Issue the ip classifier-list command with the ip-frag-offset keyword and the eq or gt operator to match an IP fragmentation offset equal to 0, 1, or greater than 1:
      host1(config)#ip classifier-list fragOffsetAttack ip any host 10.10.10.10 ip-frag-offset eq 1
      host1(config)#ip policy-list dosProtect
      host1(config-policy-list)#filter classifier-group fragOffsetAttack
      host1(config-policy-list)#forward

    Published: 2014-08-14