secure ip classifier-list
Syntax
secure ip classifier-list classifierName { { classifier-auth-id { 0 } } | { [ traffic-class trafficClassName ]
[ color { green | yellow | red } ] [ user-packet-class userPacketClassValue ]
[ source-route-class routeClassValue ] [ destination-route-class routeClassValue ]
[ local { true | false } ] [ not ] { protocol }
[ not ] { sourceAddress sourceMask | host sourceHostAddress | any }
[ sourceQualifier ]
[ not ] { destinationAddress destinationMask | host destinationHostAddress | any }
[ destinationQualifier ] [ tcpQualifier ] [ ip-flags ipFlags ]
[ ip-frag-offset { eq 0 | eq 1 | gt 1 } ]
[ precedence precNum | dsField dsFieldNum | tos tosNum ] } }
no secure ip classifier-list classifierName [ classifierNumber ] [ classifier-auth-id { 0 } ]
Release Information
Command introduced in JUNOSe Release 8.0.0.
Description
Creates or modifies a secure classifier control list. Use the not keyword to deny traffic for a specific protocol, source address, or destination address. Use the any keyword to allow traffic to any source or destination address. The no version removes the classifier control list.
Options
- classifierName—Name of the classifier control list entry
- classifierAuthId—Number of the authentication ID to match (0)
- trafficClassName—Name of the traffic class to match
- green—Matches packet color to green, indicating a low drop preference
- yellow—Matches packet color to yellow, indicating a medium drop preference
- red—Matches packet color to red, indicating a high drop preference
- userPacketClassValue—User packet value to match; in the range 0–15
- routeClassValue—Value of the route-class; in the range 0–255
- local—Specifies traffic destined for this interface
  - true—Matches packets that are locally destined
  - false—Matches packets that are not locally destined
- not—Matches any except the immediately following protocol or address
- protocol—Protocol name (IGMP, IP, TCP, or UDP) or number (in the range 0–255) to match
- sourceAddress—Source address to match
- sourceMask—Wild-card mask to apply to the source address
- host—Matches source or destination address as a host
- sourceHostAddress—Source host address to match
- any—Matches any source or destination address
- sourceQualifier—For UDP or TCP protocols, one of the following protocol-specific classifier parameters. See Creating or Modifying Classifier Control Lists for IP Policy Lists in the JUNOSe Policy Management Configuration Guide, for details.
  - portOperator—One of the following Boolean operator keywords: lt (less than), gt (greater than), eq (equal to), ne (not equal), or range (range of port numbers)
  - range—Single port number or a range of port numbers
- destinationAddress—Destination address to match
- destinationMask—Wild-card mask to apply to the destination address
- destinationHostAddress—Destination host address to match
- destinationQualifier—One of the following protocol-specific classifier parameters for destination TCP or UDP ports, ICMP code and type, or IGMP type. The portOperator and port range are used with TCP and UDP. The icmpType, icmpCode, and igmpType parameters are used with ICMP and IGMP.
  - portOperator—One of the following Boolean operator keywords: lt (less than), gt (greater than), eq (equal to), ne (not equal), or range (range of port numbers) (TCP and UDP only)
  - range—Single port number or a range of port numbers
  - icmpType—ICMP message type (ICMP only)
  - icmpCode—ICMP message code (ICMP only)
  - igmpType—IGMP message type (IGMP only)
- tcpQualifier—TCP flags classification parameters
  - tcpFlag—For TCP only; a logic equation that specifies flag bit values; ! means logical NOT and & means logical AND; use any of the following flag names:
    - ack—0x10
    - fin—0x01
    - push—0x08
    - rst—0x04
    - syn—0x02
    - urgent—0x20
- ipFlags—Logic equation that specifies flag bit values; ! means logical NOT and & means logical AND; use any of the following flag names:
  - dont-fragment—0x02
  - more-fragments—0x01
  - reserved—0x04
- ip-frag-offset—Matches the specified IP fragmentation offset; use any of the following:
  - eq 0—Equals 0
  - eq 1—Equals 1
  - gt 1—Greater than 1
- precNum—Upper three bits of the ToS byte; in the range 0–7
- dsFieldNum—Upper six bits of the ToS byte; in the range 0–63
- tosNum—Whole eight bits of the ToS byte; in the range 0–255
- classifierNumber—Index of the classifier control list entry to be deleted
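The following Python sketch is an added example, not part of the JUNOSe documentation or software. It evaluates tcpFlag and ipFlags equations using the bit values listed above and splits a ToS byte into precNum, dsFieldNum, and tosNum, so a planned classifier can be checked against sample header values before it is configured. It assumes an equation is a chain of flag names joined by &, each optionally prefixed by !, and that flags the equation does not name are ignored; all function names are hypothetical.

```python
# Added example: models the match semantics of tcpFlag / ipFlags equations
# and the ToS-byte fields from the option list. Not JUNOSe code.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "push": 0x08, "ack": 0x10, "urgent": 0x20}
IP_FLAGS = {"more-fragments": 0x01, "dont-fragment": 0x02, "reserved": 0x04}


def compile_equation(equation, names):
    """Turn e.g. 'syn & !ack' into (must_set, must_clear) bit masks.

    Assumption: an equation is flag names joined by '&', each optionally
    prefixed by '!'; flags the equation does not name are ignored.
    """
    must_set = must_clear = 0
    for term in equation.split("&"):
        term = term.strip()
        negated = term.startswith("!")
        name = term[1:].strip() if negated else term
        if name not in names:
            raise ValueError(f"unknown flag name: {name!r}")
        if negated:
            must_clear |= names[name]
        else:
            must_set |= names[name]
    if must_set & must_clear:
        raise ValueError("flag required both set and clear; never matches")
    return must_set, must_clear


def flags_match(equation, value, names=TCP_FLAGS):
    """True if the header flag bits in 'value' satisfy the equation."""
    must_set, must_clear = compile_equation(equation, names)
    return (value & must_set) == must_set and (value & must_clear) == 0


def tos_fields(tos_byte):
    """Split a ToS byte into the three values a classifier can match on."""
    if not 0 <= tos_byte <= 255:
        raise ValueError("ToS byte must be in the range 0-255")
    return {"precNum": tos_byte >> 5,      # upper three bits, 0-7
            "dsFieldNum": tos_byte >> 2,   # upper six bits, 0-63
            "tosNum": tos_byte}            # whole eight bits, 0-255


if __name__ == "__main__":
    # Constructed sample values: a bare SYN, a SYN+ACK, and ToS byte 0xB8.
    print(flags_match("syn & !ack", 0x02), flags_match("syn & !ack", 0x12))
    print(tos_fields(0xB8))
```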
Global Configuration