< Home

Configuring a Blacklist

Context

A blacklist is a group of users with particular characteristics. The device discards packets from users in the blacklist. You can apply an ACL to a blacklist. In addition, for S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, packets matching the IPv4 blacklist are sent to the CPU first, and then discarded. To reduce impact of malicious packets on the CPU usage, you can configure the switch to discard the packets directly without sending them to the CPU.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-name

    The attack defense policy view is displayed.

  3. Create a blacklist.

    • Run the blacklist blacklist-id acl acl-number1 command to create an IPv4 blacklist.

      The ACL referenced by the IPv4 blacklist can be a basic ACL, an advanced ACL, or a Layer 2 ACL. For details about ACL configuration, see ACL Configuration.

      By default, no IPv4 blacklist is configured.

    • Run the blacklist blacklist-id acl ipv6 acl-number2 command to create an IPv6 blacklist.

      Only advanced ACLs can be applied to the IPv6 blacklist. For details about ACL configuration, see ACL Configuration.

      By default, no IPv6 blacklist is configured.

    • Run the blacklist blacklist-id acl acl-number3 hard-drop command to create the blacklist that discards the packets matching ACL rules in the forwarding chip.

      The ACL referenced in this command must be an advanced ACL, and this command applies to only IPv4 packets. For details about ACL configuration, see ACL Configuration.

      By default, the blacklist that discards the packets matching ACL rules in the forwarding chip is not configured.

    • An attack defense policy can contain a maximum of eight blacklists (including IPv4 and IPv6 blacklists and the blacklist that discards the packets matching ACL rules).
    • Packets matching the ACL applied to a blacklist are discarded, regardless of whether the ACL contains a permit or deny rule.
    • If an ACL has no rule, the blacklist that references the ACL does not take effect.
    • Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the IPv6 blacklist.
    • For the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, an advanced ACL applied to the IPv6 blacklist can match only the source IP address.
    • Only the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI support the blacklist that discards the packets matching ACL rules in the forwarding chip.
    • For the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, when a basic ACL is applied to the blacklist and the ACL is configured to match the source IP address of packets, the blacklist takes effect for IP and ARP packets. For the S5720-EI, S6720-EI, and S6720S-EI, when an advanced ACL is applied to the blacklist and the ACL is configured to match IP packets, the blacklist takes effect for IP and ARP packets.
    • For the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, after fast ICMP reply is enabled, the ping detection cannot be blocked by the blacklist. This is because after the fast ICMP reply function is enabled, the ICMP Echo Request packets received on an interface of the device are not sent to the protocol stack or processed by the CPU. Instead, the interface directly processes the packets.

Parent Topic: Configuring CPU Attack Defense
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >