The blacklist command configures a blacklist.
The undo blacklist command deletes a blacklist.
By default, no blacklist is configured.
IPv4 blacklist:
blacklist blacklist-id acl acl-number1
undo blacklist blacklist-id
IPv6 blacklist:
blacklist blacklist-id acl ipv6 acl-number2
undo blacklist blacklist-id
Blacklist that discards the packets matching ACL rules in the forwarding chip:
blacklist blacklist-id acl acl-number3 hard-drop
undo blacklist blacklist-id
| Parameter | Description | Value |
|---|---|---|
| blacklist-id | Specifies the ID of a blacklist. | The value is an integer that ranges from 1 to 8. |
| acl acl-number1 | Specifies the number of an Access Control List (ACL) referenced by a blacklist. | The value is an integer that ranges from 2000 to 4999. |
| acl ipv6 acl-number2 | Specifies the ACL matching the IPv6 blacklist. | The value of acl-number2 is an integer that ranges from 3000 to 3999. |
| acl acl-number3 | Specifies the ACL matching the IPv4 blacklist. | The value of acl-number3 is an integer that ranges from 3000 to 3999. |
| hard-drop | Discards the packets matching the blacklist in the forwarding chip. | - |
To defend against malicious packet attacks, the device uses ACLs to add users with specific characteristics to a blacklist and discards the packets from the users in the blacklist. In addition, for S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, packets matching the IPv4 blacklist are sent to the CPU first and then discarded. To discard the packets directly without sending them to the CPU, you can run the blacklist blacklist-id acl acl-number3 hard-drop command. This function reduces the impact of malicious packets on CPU usage and applies only to IPv4 packets.
An attack defense policy can contain a maximum of eight blacklists (including IPv4 and IPv6 blacklists and the blacklist that discards the packets matching ACL rules).
For S5720-EI, S6720-EI, and S6720S-EI, packets sent from blacklisted users are discarded after traffic statistics are collected; therefore, you can run the display cpu-defend statistics command to view statistics on the packets sent from blacklisted users. For other device models, the statistics on discarded packets collected by the display cpu-defend statistics command do not contain the statistics on the packets sent from blacklisted users.
# Specify ACL 2001 as the rule of blacklist 2.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] blacklist 2 acl 2001
Info: This configuration may cause packet loss.
# Apply ACL 3001 to IPv6 blacklist 3.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] blacklist 3 acl ipv6 3001
Info: This configuration may cause packet loss.
# Apply ACL 3006 to blacklist 5 to discard the packets matching ACL 3006 in the forwarding chip.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] blacklist 5 acl 3006 hard-drop
Info: This configuration may cause packet loss.
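The parameter ranges and the IPv4-only restriction on hard-drop above are easy to get wrong when blacklists are generated by a template rather than typed by hand. The following offline checker is an added example, not part of this reference or of the device software; it assumes the configuration is available as plain text in the form shown in the examples and flags blacklist lines that violate the ranges stated in the parameter table.

```python
import re

# Constraints taken from the blacklist command reference above.
ID_RANGE = range(1, 9)              # blacklist-id: 1 to 8
ACL_V4_RANGE = range(2000, 5000)    # acl acl-number1 (IPv4, sent to CPU): 2000 to 4999
ACL_3000_RANGE = range(3000, 4000)  # acl ipv6 acl-number2 and acl acl-number3 hard-drop: 3000 to 3999
BLACKLIST_RE = re.compile(
    r"^blacklist\s+(?P<id>\d+)\s+acl\s+(?P<v6>ipv6\s+)?(?P<acl>\d+)(?P<hd>\s+hard-drop)?$"
)

def check_blacklist_config(policy_text: str) -> list:
    """Return (line number, finding) pairs for blacklist lines that violate the reference."""
    findings = []
    for lineno, raw in enumerate(policy_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("blacklist"):
            continue  # other cpu-defend policy statements are out of scope for this check
        m = BLACKLIST_RE.match(line)
        if m is None:
            findings.append((lineno, f"unrecognised blacklist syntax: {line!r}"))
            continue
        bid, acl = int(m["id"]), int(m["acl"])
        is_v6, hard_drop = m["v6"] is not None, m["hd"] is not None
        if bid not in ID_RANGE:
            findings.append((lineno, f"blacklist-id {bid} is outside 1 to 8"))
        if is_v6 and hard_drop:
            findings.append((lineno, "hard-drop applies to IPv4 blacklists only"))
        elif (is_v6 or hard_drop) and acl not in ACL_3000_RANGE:
            findings.append((lineno, f"ACL {acl} is outside 3000 to 3999 for this blacklist form"))
        elif not (is_v6 or hard_drop) and acl not in ACL_V4_RANGE:
            findings.append((lineno, f"IPv4 blacklist ACL {acl} is outside 2000 to 4999"))
    return findings

# Constructed sample policy (not from the page); the last four lines each violate the reference.
SAMPLE_POLICY = """\
cpu-defend policy test
 blacklist 2 acl 2001
 blacklist 3 acl ipv6 3001
 blacklist 5 acl 3006 hard-drop
 blacklist 9 acl 2001
 blacklist 6 acl 2500 hard-drop
 blacklist 7 acl ipv6 2999
 blacklist 8 acl ipv6 3002 hard-drop
"""
```

Running `check_blacklist_config(SAMPLE_POLICY)` reports the four offending lines (5 to 8) and nothing for the three valid ones.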