Configuring Policies to Provide Network Security

You can configure policy management to provide a level of network security by using policy rules that selectively forward or filter packet flows:

• Forward—Causes the packet flows that satisfy the classification associated with the rule to be routed by the virtual router
• Filter—Causes the interface to drop all packets of the packet flow that satisfy the classification associated with the rule

To stop a denial-of-service attack, you can use a policy with a filter rule. You need to construct the classifier list associated with the filter rule so that it isolates the attacker’s traffic into a flow. To determine the criteria for this classifier list, you need to analyze the traffic received on an interface. Monitoring Policy Management Overview describes how to capture packets into a log.

For example, you can route packets entering an IP interface (ATM 0/0.0) so that they are handled as indicated:

• Packets from source 1.1.1.1 are routed.
• TCP packets from source 2.2.2.2 with the IP fragmentation offset set to one are dropped.
• All other TCP packets are routed.
• All other packets are dropped.

To configure this policy, issue the following commands: