Creating or Modifying Classifier Control Lists for IP Policy Lists
Tasks to create or modify classifier control lists for IP policy lists:
Creating Classifier Control List for Only IP Policy Lists
You can create or modify a classifier control list
that can be used only in IP policy lists. The behavior of multiple-element
classifier-list classification is the logical OR of the elements in
the CLACL.
- Issue the ip classifier-list command to match all packets that have a source IP address of 192.168.30.100 or have a destination IP address of 192.168.30.200:
host1(config)#ip classifier-list boston5 ip host 192.168.30.100 any
host1(config)#ip classifier-list boston5 ip any host 192.168.30.200
Setting Up an IP Classifier Control List to Accept Traffic from All Sources
You can set up a CLACL to accept IP traffic from
all source addresses on the subnet.
- Issue the ip classifier-list command:
host1(config)#ip classifier-list XYZCorpPermit ip 192.168.0.0 0.0.255.255 any
Classifying IP Traffic Based on Source and Destination Addresses
You can classify traffic based on source and destination addresses. You can specify the address as a host address, or as a subnet with a wildcard mask. If you specify the address as a subnet, the mask, in binary notation, must be a series of contiguous zeros followed by a series of contiguous ones. The any keyword is the address wildcard, matching traffic for any address.
- Issue the ip classifier-list command to classify traffic on any source or destination address:
host1(config)#ip classifier-list YourListName ip any any
host1(config)#ip classifier-list YourListName ip host 10.10.10.10 any
host1(config)#ip classifier-list YourListName ip 10.10.0.0 0.0.255.255 host 10.10.10.2
Using IP Classifier Control Lists to Match Route Class Values
You can set up classifier control lists to match
route-class values. In this example, svale20 matches the source address
lookup route-class value of 1, svale30 matches the destination address
lookup route-class value of 1 and a ToS byte value of 10, svale40
matches the source address lookup route-class value of 1 and the packets
destined to a local interface, and west20 matches the source address
lookup route-class value of 1 and packets that are not destined for
a local interface (packets destined for remote interfaces).
- Issue the ip classifier-list command:
host1(config)#ip classifier-list svale20 source-route-class 1 ip any any
host1(config)#ip classifier-list svale30 destination-route-class 1 ip any any tos 10
host1(config)#ip classifier-list svale40 source-route-class 1 local true ip any any
host1(config)#ip classifier-list west25 source-route-class 1 local false ip any any
Creating IP Classifier Control Lists for TCP and UDP Ports
You can specify a single TCP or UDP port or a range
of ports, where packets are matched with source address 198.168.30.100
and UDP source port numbers in the range 1–10.
- Issue the ip classifier-list command to create a CLACL on a UDP host:
host1(config)#ip classifier-list YourListName udp host 192.168.30.100 range 1 10 any
To create a CLACL that matches all traffic on UDP source ports greater than 100:
host1(config)#ip classifier-list XYZCorpUdp udp any gt 100 172.17.2.1 0.0.255.255
To match a non-TCP packet originating from IP address 172.28.100.52:
host1(config)#ip classifier-list YourListName not tcp host 172.28.100.52 any
To specify a single TCP or UDP port or range of ports, an ICMP code and optional type, or an IGMP type, which matches packets with source address 198.168.30.100 and ICMP type 2 and code 10:
host1(config)#ip classifier-list YourListName icmp host 192.168.30.100 any 2 10
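The address, wildcard, protocol and port rules described in the two sections above (source and destination addresses, and TCP/UDP ports) can be checked offline with a small model. The following Python is an added example, not JunosE code, and the packets it classifies are constructed for the demonstration; it implements only the syntax shown on this page and leaves trailing qualifiers such as tos, tcp-flags or ICMP type/code unparsed:

```python
import ipaddress

# Added example, not JunosE code: a small model of the address, wildcard,
# protocol and port syntax of the ip classifier-list elements on this page.
# Rules modelled: a wildcard mask must be contiguous zeros followed by
# contiguous ones; "any" matches every address; "host" matches one address;
# a port operator qualifies the address it follows; "not <proto>" matches
# packets of any other protocol; a multi-element list classifies as the
# logical OR of its elements.

PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "range": 2}   # operator -> number of arguments


def wildcard_is_valid(mask: str) -> bool:
    """True if the mask, in binary, is contiguous zeros followed by contiguous ones."""
    bits = int(ipaddress.IPv4Address(mask))
    n = bits + 1            # 0...01...1 plus one is a power of two (2**32 for 255.255.255.255)
    return n & (n - 1) == 0


def _parse_address(tokens, i):
    """Parse one address spec at tokens[i]; return ((address, wildcard), next_index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if not wildcard_is_valid(mask):
        raise ValueError(f"non-contiguous wildcard mask {mask}")
    return (addr, mask), i + 2


def _parse_port(tokens, i):
    """Parse an optional port operator following an address; return (spec, next_index)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        args = tuple(int(x) for x in tokens[i + 1:i + 1 + n])
        return (tokens[i], args), i + 1 + n
    return None, i


def parse_element(text: str) -> dict:
    """Parse one element, e.g. 'udp host 192.168.30.100 range 1 10 any'."""
    tokens = text.split()
    negate = tokens[0] == "not"
    i = 1 if negate else 0
    proto, i = tokens[i], i + 1
    src, i = _parse_address(tokens, i)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_address(tokens, i)
    dport, i = _parse_port(tokens, i)
    return {"negate": negate, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def _addr_matches(spec, address: str) -> bool:
    net, mask = spec
    wild = int(ipaddress.IPv4Address(mask))   # set bits in the wildcard are "don't care"
    return (int(ipaddress.IPv4Address(address)) | wild) == (int(ipaddress.IPv4Address(net)) | wild)


def _port_matches(spec, port) -> bool:
    if spec is None:
        return True
    if port is None:      # the element needs a port but the packet has none (e.g. ICMP)
        return False
    op, args = spec
    if op == "eq":
        return port == args[0]
    if op == "gt":
        return port > args[0]
    if op == "lt":
        return port < args[0]
    return args[0] <= port <= args[1]   # range


def element_matches(elem: dict, pkt: dict) -> bool:
    """pkt is a constructed packet summary: proto, src, dst and optional sport/dport."""
    proto_ok = elem["proto"] == "ip" or elem["proto"] == pkt["proto"]
    if elem["negate"]:    # 'not tcp' matches any non-TCP packet
        proto_ok = not proto_ok
    return (proto_ok
            and _addr_matches(elem["src"], pkt["src"]) and _port_matches(elem["sport"], pkt.get("sport"))
            and _addr_matches(elem["dst"], pkt["dst"]) and _port_matches(elem["dport"], pkt.get("dport")))


def clacl_matches(elements, pkt: dict) -> bool:
    """A multi-element classifier list matches when any element matches (logical OR)."""
    return any(element_matches(parse_element(e), pkt) for e in elements)


# Elements taken from the page; the packets below are constructed.
BOSTON5 = ["ip host 192.168.30.100 any", "ip any host 192.168.30.200"]
XYZCORP_UDP = ["udp any gt 100 172.17.2.1 0.0.255.255"]

if __name__ == "__main__":
    print(clacl_matches(BOSTON5, {"proto": "udp", "src": "10.1.1.1", "dst": "192.168.30.200"}))
    print(clacl_matches(XYZCORP_UDP, {"proto": "udp", "src": "10.1.1.1", "sport": 101, "dst": "172.17.200.9"}))
```

The wildcard check is the part worth keeping at hand: a mask such as 0.0.255.0 is rejected before it can silently match less traffic than intended, and the OR semantics of boston5 are visible in that a packet needs to satisfy only one of its two elements.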
Creating an IP Classifier Control List That Matches the ToS Byte
You can create an IP CLACL that matches the ToS
byte in the IP header.
- Issue the ip classifier-list command using the tos keyword:
host1(config)#ip classifier-list tos128 ip any any tos 128
host1(config)#ip classifier-list low-drop-prec ip any any dsfield 10
host1(config)#ip classifier-list priority ip any any precedence 1
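The three lists above look at the same header byte at different granularities. The following Python is an added example, not JunosE code; it assumes the usual layout of the byte, with tos comparing the whole byte, dsfield comparing the upper 6 bits (the DS field of RFC 2474) and precedence comparing the upper 3 bits, and the ToS values it is run on are constructed:

```python
# Added example, not JunosE code: how the tos, dsfield and precedence keywords
# relate to the single ToS byte in the IP header. Assumed layout: tos compares
# the whole byte, dsfield the upper 6 bits (DS field / DSCP), precedence the
# upper 3 bits; the low 2 bits (ECN) are ignored by dsfield and precedence.

def precedence(tos_byte: int) -> int:
    """IP precedence: the top 3 bits of the ToS byte."""
    return tos_byte >> 5


def dsfield(tos_byte: int) -> int:
    """DS field (DSCP): the top 6 bits of the ToS byte."""
    return tos_byte >> 2


def tos_matches(keyword: str, value: int, tos_byte: int) -> bool:
    """Apply one of the page's three ToS classifier forms to a header byte."""
    if keyword == "tos":
        return tos_byte == value
    if keyword == "dsfield":
        return dsfield(tos_byte) == value
    if keyword == "precedence":
        return precedence(tos_byte) == value
    raise ValueError(f"unknown keyword {keyword!r}")


# The three lists from the page as (name, keyword, value).
PAGE_LISTS = [("tos128", "tos", 128), ("low-drop-prec", "dsfield", 10), ("priority", "precedence", 1)]


def matching_lists(tos_byte: int) -> list:
    """Names of the page's lists that a packet carrying this ToS byte satisfies."""
    return [name for name, kw, val in PAGE_LISTS if tos_matches(kw, val, tos_byte)]


if __name__ == "__main__":
    for byte in (128, 40, 41, 0):   # constructed ToS values
        print(f"tos byte {byte:#04x}: {matching_lists(byte)}")
```

A ToS byte of 40 (DSCP 10, precedence 1) satisfies both low-drop-prec and priority, and 41 still satisfies them because dsfield and precedence never look at the ECN bits; tos128, by contrast, matches one exact byte value only.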
Creating an IP Classifier Control List That Filters ICMP Echo Requests
You can create a CLACL that filters all ICMP echo
requests headed toward an access link under a denial-of-service attack.
- Issue the ip classifier-list command:
host1(config)#ip classifier-list XYZCorpIcmpEchoReqs icmp any any 8 0
host1(config)#ip classifier-list XYZCorpIgmpType1 igmp any any 1
Creating IP Classifier Control Lists That Use TCP or IP Flags
You can create CLACLs that use TCP or IP flags.
For both IP flags and TCP flags, if you specify only a single flag,
the logical equation does not require quotation marks.
- Issue the ip classifier-list command with the tcp-flags keyword and a logical equation (a quotation-enclosed string using ! for NOT, & for AND) to match one or more of the ack, fin, psh, rst, syn, or urg TCP flags:
host1(config)#ip classifier-list telnetConnects tcp 192.168.10.0 0.0.0.255 host 10.10.10.10 eq 23 tcp-flags "syn & !ack"
- Issue the ip classifier-list command with the ip-flags keyword and a logical equation (a quotation-enclosed string using ! for NOT, & for AND) to match one or more of the dont-fragment, more-fragments, or reserved IP flags:
host1(config)#ip classifier-list dontFragment ip any any ip-flags "dont-fragment"
Creating IP Classifier Control Lists That Match the IP Fragmentation Offset
You can create CLACLs that match the IP fragmentation
offset.
- Issue the ip classifier-list command with the ip-frag-offset keyword and the eq or gt operator to match an IP fragmentation offset equal to 0, 1, or greater than 1:
host1(config)#ip classifier-list fragOffsetAttack ip any host 10.10.10.10 ip-frag-offset eq 1
host1(config)#ip policy-list dosProtect
host1(config-policy-list)#filter classifier-group fragOffsetAttack
host1(config-policy-list)#forward
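The flag equations of the previous section and the fragmentation-offset test of this one both operate on raw header fields. The following Python is an added example, not JunosE code; it decodes the standard TCP flag bits and the IP flags/fragment-offset word, evaluates an equation in the grammar the page describes (terms joined by & for AND, each optionally prefixed by ! for NOT, quotation marks optional for a single flag) and applies the eq/gt offset test. The header values it runs on are constructed:

```python
# Added example, not JunosE code: evaluating tcp-flags / ip-flags logical
# equations and the ip-frag-offset eq/gt test against raw header fields.
# Bit values are the standard TCP flag bits (low byte of the TCP offset/flags
# word) and the standard IP flags/fragment-offset word.

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}
IP_FLAG_BITS = {"reserved": 0x8000, "dont-fragment": 0x4000, "more-fragments": 0x2000}
FRAG_OFFSET_MASK = 0x1FFF   # low 13 bits of the IP flags/offset word, in 8-byte units


def decode_flags(value: int, bits: dict) -> set:
    """Names of the flags set in a raw field, e.g. decode_flags(0x12, TCP_FLAG_BITS) -> {'syn', 'ack'}."""
    return {name for name, bit in bits.items() if value & bit}


def flags_match(equation: str, packet_flags, known_flags) -> bool:
    """Evaluate an equation such as '"syn & !ack"' against the set of flags a packet carries.

    Grammar as described on the page: terms joined by & (AND), each term optionally
    prefixed by ! (NOT). Surrounding quotation marks are stripped if present, so a
    single unquoted flag such as dont-fragment is accepted too.
    """
    expr = equation.strip().strip('"')
    packet_flags = set(packet_flags)
    result = True
    for term in expr.split("&"):
        term = term.strip()
        negated = term.startswith("!")
        name = term.lstrip("!").strip()
        if name not in known_flags:
            raise ValueError(f"unknown flag {name!r} in {equation!r}")
        result = result and ((name in packet_flags) != negated)
    return result


def ip_frag_offset(flags_and_offset: int) -> int:
    """Fragment offset (in 8-byte units) from the 16-bit IP flags/offset word."""
    return flags_and_offset & FRAG_OFFSET_MASK


def frag_offset_matches(op: str, value: int, flags_and_offset: int) -> bool:
    """The eq/gt test used with ip-frag-offset, applied to the raw flags/offset word."""
    offset = ip_frag_offset(flags_and_offset)
    if op == "eq":
        return offset == value
    if op == "gt":
        return offset > value
    raise ValueError(f"unsupported operator {op!r}")


def classify_telnet_connect(tcp_flags_byte: int) -> bool:
    """The telnetConnects list's flag test: SYN set and ACK clear, i.e. a new connection attempt."""
    return flags_match('"syn & !ack"', decode_flags(tcp_flags_byte, TCP_FLAG_BITS), set(TCP_FLAG_BITS))


if __name__ == "__main__":
    for byte in (0x02, 0x12, 0x18):   # constructed TCP flag bytes: SYN, SYN+ACK, PSH+ACK
        print(f"tcp flags {byte:#04x}: telnetConnects={classify_telnet_connect(byte)}")
    for word in (0x4000, 0x2001, 0x0002):   # constructed IP words: DF, MF+offset 1, offset 2
        print(f"ip word {word:#06x}: frag-offset eq 1 -> {frag_offset_matches('eq', 1, word)}")
```

Only the first segment of a TCP handshake satisfies "syn & !ack", so telnetConnects counts connection attempts rather than all Telnet traffic; likewise fragOffsetAttack with eq 1 selects only the fragment immediately following the first one, which is the case the page's dosProtect policy filters.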
Published: 2012-06-21