blacklist acl

Function

The blacklist acl command binds an ACL to the blacklist so that packets matching the ACL rules with the permit action are added to the blacklist and dropped instead of being sent to the CPU.

The undo blacklist command removes the ACL binding, so packets that matched its rules are no longer added to the blacklist.

By default, no ACL is bound to the blacklist, so no packets are added to it.

Format

blacklist [ ipv6 ] acl { acl-number | name acl-name }

undo blacklist [ ipv6 ]

Parameters

Parameter: ipv6
Description: Configures an IPv6 blacklist. If this parameter is not specified, an IPv4 blacklist is configured.
Value: -

Parameter: acl-number
Description: Specifies the number of an ACL.
Value: An integer ranging from 2000 to 3999.

Parameter: name acl-name
Description: Specifies the name of an ACL.
Value: A string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter (a to z or A to Z).

Views

Attack defense policy view

Default Level

2: Configuration level

Task Name and Operations

Task Name: cpu-defend
Operations: write

Usage Guidelines

Usage Scenario

If certain IP packets should not be sent to the CPU, or are known to be illegitimate, configure an ACL rule that matches them and bind the ACL to the blacklist; the matching packets are then dropped. Every blacklist entry is added manually through this binding; the blacklist has no default entries.

A user-defined blacklist can be bound to only one ACL. If the blacklist is bound to multiple ACLs, the last bound ACL takes effect.

When an ACL is bound to a blacklist, rules in that ACL that contain the NEQ operator, a time-range, or a vpn-instance do not take effect; the remaining rules do.

By default, attack defense against TCP SYN flooding is enabled. This function has a higher priority than the blacklist function. Therefore, TCP SYN packets are preferentially matched against the ACL rules defined for attack defense against TCP SYN flooding, instead of the ACL rules defined by blacklist acl.

To match TCP SYN packets against ACL rules defined in the blacklist, run the undo tcpsyn-flood enable command to disable attack defense against TCP SYN flooding.

After attack defense against TCP SYN flooding is disabled, TCP SYN attack packets that do not match the ACL rules bound to the blacklist are sent to the CPU. Therefore, exercise caution when running the undo tcpsyn-flood enable command.

Prerequisites

The ACL to which a blacklist is bound must be configured. You cannot bind a blacklist to an ACL that does not exist. When a blacklist is bound to an ACL, all the packets that match the ACL rules are automatically added to the blacklist.

Before running the blacklist acl command, enable the blacklist function; otherwise, the ACL binding can still be configured but has no effect.

Precautions

In VS mode, this command is supported only by the admin VS.

If a CAR value has been configured for the blacklist, consider how the newly bound ACL changes the traffic to which that CAR applies before binding it.

Example

# Add the packets that match ACL 2001 with the permit action to the blacklist of attack defense policy 8.
<HUAWEI> system-view
[~HUAWEI] acl 2001
[*HUAWEI-acl4-basic-2001] rule permit source 10.1.1.1 0
[*HUAWEI-acl4-basic-2001] quit
[*HUAWEI] cpu-defend policy 8
[*HUAWEI-cpu-defend-policy-8] blacklist acl 2001
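# The matching behaviour described in the usage guidelines, walked through on the example above, as an added Python model written for this page. It is not Huawei code and not the device's implementation: Packet, Rule, parse_rule, CpuDefendPolicy and the rules of the constructed ACL 3001 are assumptions made for the illustration, the blacklist function is assumed already enabled, and ordinary first-match ACL order (a matching deny rule keeps the packet off the blacklist) is assumed because the page does not state it.

```python
"""Offline model of the blacklist-acl decision described on this page.
Added illustration, not Huawei code: permit rules of the bound ACL put a
packet on the blacklist; rules with NEQ, time-range or vpn-instance are
ignored; the last bound ACL wins; with TCP SYN flood defence on (default)
TCP SYN packets are never matched against the blacklist ACL. First-match
order and the deny action are ordinary ACL semantics assumed here."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str               # IPv4 source address
    protocol: str = "udp"  # "tcp", "udp", ...
    syn: bool = False      # True for a TCP SYN


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    source: str = "0.0.0.0"
    wildcard: str = "255.255.255.255"  # Huawei wildcard mask; "0" = exact host
    neq: bool = False                  # rule uses a NEQ port operator
    time_range: Optional[str] = None
    vpn_instance: Optional[str] = None

    def ignored_by_blacklist(self) -> bool:
        return self.neq or self.time_range is not None or self.vpn_instance is not None

    def matches(self, pkt: Packet) -> bool:
        wild = 0 if self.wildcard == "0" else int(IPv4Address(self.wildcard))
        keep = ~wild & 0xFFFFFFFF  # a 0 wildcard bit means this bit must match
        return (int(IPv4Address(pkt.src)) & keep) == (int(IPv4Address(self.source)) & keep)


def parse_rule(line: str) -> Rule:
    """Parse the subset of Huawei rule syntax this model needs (assumed grammar); unknown keywords are skipped."""
    toks = line.split()
    i = 2 if toks[1].isdigit() else 1  # optional rule ID
    if toks[0] != "rule" or toks[i] not in ("permit", "deny"):
        raise ValueError(f"not an ACL rule: {line!r}")
    rule, i = Rule(action=toks[i]), i + 1
    while i < len(toks):
        tok = toks[i]
        if tok == "source" and toks[i + 1] != "any":
            rule.source, rule.wildcard, i = toks[i + 1], toks[i + 2], i + 3
        elif tok in ("time-range", "vpn-instance"):
            setattr(rule, tok.replace("-", "_"), toks[i + 1])
            i += 2
        else:
            rule.neq, i = rule.neq or tok == "neq", i + 1
    return rule


@dataclass
class CpuDefendPolicy:
    blacklist_enabled: bool = True    # prerequisite: blacklist function enabled
    tcpsyn_flood_enable: bool = True  # page default: SYN flood defence on
    acl: Optional[List[Rule]] = None

    def blacklist_acl(self, rules: List[Rule]) -> None:
        self.acl = rules  # a second binding replaces the first: last one wins

    def undo_blacklist(self) -> None:
        self.acl = None

    def blacklisted(self, pkt: Packet) -> bool:
        if not self.blacklist_enabled or self.acl is None:
            return False
        if pkt.protocol == "tcp" and pkt.syn and self.tcpsyn_flood_enable:
            return False  # SYN flood defence has priority over the blacklist
        for rule in self.acl:
            if not rule.ignored_by_blacklist() and rule.matches(pkt):
                return rule.action == "permit"
        return False


def demo() -> Dict[str, bool]:
    acl2001 = [parse_rule("rule permit source 10.1.1.1 0")]  # the page's example
    acl3001 = [  # constructed: two ignored rules, a deny, then a /24 permit
        parse_rule("rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port neq 22"),
        parse_rule("rule 10 permit ip source 10.1.1.0 0.0.0.255 time-range WORK"),
        parse_rule("rule 15 deny source 10.1.1.1 0"),
        parse_rule("rule 20 permit source 10.1.1.0 0.0.0.255"),
    ]
    pol = CpuDefendPolicy()
    pol.blacklist_acl(acl2001)
    out = {"host_hits_acl2001": pol.blacklisted(Packet("10.1.1.1")),
           "other_host_not_listed": pol.blacklisted(Packet("10.1.1.2")),
           "syn_bypasses_by_default": pol.blacklisted(Packet("10.1.1.1", "tcp", syn=True))}
    pol.tcpsyn_flood_enable = False  # effect of: undo tcpsyn-flood enable
    out["syn_listed_after_undo"] = pol.blacklisted(Packet("10.1.1.1", "tcp", syn=True))
    pol.blacklist_acl(acl3001)       # rebinding replaces ACL 2001
    out["rebound_deny_wins"] = pol.blacklisted(Packet("10.1.1.1"))
    out["rebound_subnet_permit"] = pol.blacklisted(Packet("10.1.1.77"))
    pol.undo_blacklist()
    out["after_undo_blacklist"] = pol.blacklisted(Packet("10.1.1.77"))
    return out
```

Running demo() shows the points the guidelines make: 10.1.1.1 is listed by ACL 2001, a TCP SYN from the same host is not until tcpsyn_flood_enable is cleared, rebinding to ACL 3001 drops the ACL 2001 binding entirely, the NEQ and time-range rules of ACL 3001 are skipped so the deny rule for 10.1.1.1 is what takes effect, and undo blacklist leaves nothing listed.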
Copyright © Huawei Technologies Co., Ltd.