

Configuring Policies to Provide Network Security

You can configure policy management to provide a level of network security by using policy rules that selectively forward or filter packet flows:

To stop a denial-of-service attack, you can use a policy with a filter rule. You need to construct the classifier list associated with the filter rule so that it isolates the attacker's traffic into a flow. To determine the criteria for this classifier list, you need to analyze the traffic received on an interface. Chapter 9, Monitoring Policy Management, describes how to capture packets into a log.

For example, you can route packets entering an IP interface (ATM 0/0.0) so that each flow is forwarded or filtered as the following policy specifies:

To configure this policy, issue the following commands:

host1(config)#ip classifier-list claclA ip host 1.1.1.1 any
host1(config)#ip classifier-list claclB tcp host 2.2.2.2 any ip-frag-offset eq 1
host1(config)#ip classifier-list claclC tcp any any
host1(config)#ip policy-list IpPolicy100
host1(config-policy-list)#classifier-group claclA
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group claclB
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group claclC
host1(config-policy-list-classifier-group)#forward
host1(config-policy-list-classifier-group)#exit
host1(config-policy-list)#classifier-group *
host1(config-policy-list-classifier-group)#filter
host1(config-policy-list-classifier-group)#exit

host1(config)#interface atm 0/0.0
host1(config-subif)#ip policy input IpPolicy100 statistics enabled
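The following Python model is an added illustration, not code from the JunosE documentation or from Juniper. It reproduces the classifier lists and the IpPolicy100 policy list above as data, disposes of a handful of constructed packets, and keeps per-group hit counts of the kind that `statistics enabled` lets you inspect on the interface. Two things are assumptions of the model rather than facts stated on this page: that classifier groups are evaluated in the order they were entered with the first match deciding the action, and that the `ip` protocol keyword in claclA matches any IP protocol. The `Packet` and `Classifier` types, the `MISORDERED_POLICY` variant and the sample addresses are all invented for the example.

```python
"""Added example (not Juniper code): a model of how the IpPolicy100 policy
list on this page disposes of packets arriving on atm 0/0.0.

Assumptions: classifier groups are checked in entry order, first match wins
(first-match semantics); 'ip' in claclA means any IP protocol.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", ...
    frag_offset: int = 0  # IP fragment offset field; 0 = unfragmented or first fragment


@dataclass(frozen=True)
class Classifier:
    """One 'ip classifier-list' entry; None stands for the 'any' keyword."""
    name: str
    proto: Optional[str] = None           # None == 'ip' (any protocol)
    src: Optional[str] = None             # None == 'any', else 'host <addr>'
    dst: Optional[str] = None
    frag_offset_eq: Optional[int] = None  # the 'ip-frag-offset eq N' qualifier

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.src is None or pkt.src == self.src)
                and (self.dst is None or pkt.dst == self.dst)
                and (self.frag_offset_eq is None or pkt.frag_offset == self.frag_offset_eq))


# A policy list is an ordered sequence of (classifier group, action);
# a classifier of None is the '*' catch-all group.
PolicyList = List[Tuple[Optional[Classifier], str]]

CLACL_A = Classifier("claclA", src="1.1.1.1")                                  # ip host 1.1.1.1 any
CLACL_B = Classifier("claclB", proto="tcp", src="2.2.2.2", frag_offset_eq=1)   # tcp host 2.2.2.2 any ip-frag-offset eq 1
CLACL_C = Classifier("claclC", proto="tcp")                                    # tcp any any

# IpPolicy100 in the order the groups were entered on the page.
IP_POLICY_100: PolicyList = [
    (CLACL_A, "forward"),
    (CLACL_B, "filter"),
    (CLACL_C, "forward"),
    (None, "filter"),      # classifier-group *
]

# Same groups, but with the broad 'tcp any any' forward entered before the
# narrow filter: constructed to show why group order matters.
MISORDERED_POLICY: PolicyList = [
    (CLACL_A, "forward"),
    (CLACL_C, "forward"),
    (CLACL_B, "filter"),
    (None, "filter"),
]


def evaluate(policy: PolicyList, pkt: Packet) -> Tuple[str, str]:
    """Return (action, group_name) of the first group that matches pkt
    (first-match ordering is an assumption of this model)."""
    for clacl, action in policy:
        if clacl is None or clacl.matches(pkt):
            return action, (clacl.name if clacl else "*")
    raise ValueError("policy list has no catch-all group")


def apply_policy(policy: PolicyList, pkts: List[Packet]) -> Tuple[List[Tuple[Packet, str, str]], Dict[str, int]]:
    """Dispose of each packet and count hits per classifier group."""
    results: List[Tuple[Packet, str, str]] = []
    hits: Dict[str, int] = {}
    for pkt in pkts:
        action, group = evaluate(policy, pkt)
        results.append((pkt, action, group))
        hits[group] = hits.get(group, 0) + 1
    return results, hits


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet("1.1.1.1", "10.0.0.5", "udp"),                 # host 1.1.1.1, any protocol
    Packet("2.2.2.2", "10.0.0.5", "tcp", frag_offset=1),  # the isolated attacker flow
    Packet("2.2.2.2", "10.0.0.5", "tcp", frag_offset=0),  # same host, ordinary TCP
    Packet("3.3.3.3", "10.0.0.5", "tcp"),                 # any other TCP
    Packet("3.3.3.3", "10.0.0.5", "icmp"),                # falls through to '*'
]

if __name__ == "__main__":
    for label, policy in (("IpPolicy100", IP_POLICY_100), ("misordered", MISORDERED_POLICY)):
        results, hits = apply_policy(policy, SAMPLE_PACKETS)
        print(f"--- {label} ---")
        for pkt, action, group in results:
            print(f"{pkt.proto:4} {pkt.src:>8} frag={pkt.frag_offset}  -> {action:7} ({group})")
        print("hits:", hits)
```

Running the model shows the property the page relies on: the attacker's fragment flow from 2.2.2.2 hits claclB and is filtered, while ordinary TCP from the same host and from anyone else is forwarded by claclC. The misordered variant shows the check a practitioner should make before attaching a policy: if the broad `tcp any any` forward group precedes the narrow filter group, the isolated flow is forwarded instead, so the filter never sees it. Comparing the per-group hit counts against the interface statistics is a quick way to confirm the policy is classifying live traffic the way you expect.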
