Configuring a Blacklist

This section describes how to configure a blacklist. Insecure packets that match ACL rules can be added to the blacklist and then provided with lower bandwidth.

Prerequisites

The ACL bound to the blacklist must be a configured one. You can bind a non-existing ACL to the blacklist. When the ACL is bound to the blacklist, all the packets that match the ACL rules are added to the blacklist automatically. The blacklist function must be enabled. Otherwise, although you can configure a self-defined blacklist, it does not take effect.

Context

If you determine that certain packets cannot be sent to the CPU or are invalid, you can add them to the blacklist by setting ACL rules. In this manner, you can discard these packets. All the users in the blacklist need to be manually configured. There is no default user in the blacklist.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run cpu-defend policy policy-number

    The attack defense policy view is displayed.

  3. Run blacklist [ ipv6 ] acl { acl-number | name acl-name }

    A self-defined blacklist is created.

    A self-defined blacklist can be bound to only one ACL. If you bind a self-defined blacklist to several ACLs, only the latest configuration takes effect. An address or port pool can be specified in an ACL rule, and the ACL rule can be delivered.

    • The address pool function can be delivered in the attack defense policy only when the cp-acl ip-pool enable command is configured.
    • The vpn-instance field in an ACL configured in an attack defense policy can be delivered and takes effect only when the cp-acl vpn-instance enable command is configured.
    • The ports in the port pool specified in a delivered ACL take effect based on the configuration order instead of the lexicographical order.
    • If the ACL rule in which both a port pool and a TTL range are specified is delivered, the TTL range does not take effect.
    • ACL rules with the neq parameter are not supported.
    • If the address pool function is not enabled, the ACL rule in which both address and port pools are specified cannot be delivered.

  4. (Optional) Run ipv6-enhance acl enable

    Some IPv6 packets to be sent to the CPU are matched against the ACL that contains a blacklist, whitelist, or user-defined flow.

  5. (Optional) Run cp-acl ip-pool enable

    The address pool function is enabled for an attack defense policy.

    Before enabling the address pool function for an attack defense policy, configure an address pool and bind the address pool to an ACL rule.

  6. (Optional) Run cp-acl vpn-instance enable

    The VPN field in the attack defense policy is configured to take effect.

  7. (Optional) Run acl ipv4-multicast-fib-miss enable

    IPv4 MFIB-MISS packets are enabled to match against ACLs in the blacklist, whitelist, or user-defined flow.

  8. (Optional) Run acl dhcp-discover enable

    DHCP-DISCOVER packets are enabled to match against ACLs in the blacklist, whitelist, or user-defined flow.

  9. Run commit

    The configuration is committed.
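The following session walks the procedure above end to end, as an added example that is not part of the original page. The ACL number 3001, the sample source range 192.0.2.0/24 (a documentation range), the acl/rule/quit/display commands and the prompt format are assumptions; only cpu-defend policy, blacklist acl and commit come from the procedure itself.

```text
# Lines beginning with "#" are annotations, not commands.
# Step 0 (assumed, not listed in the procedure): the ACL that the blacklist
# will be bound to must exist first. This advanced ACL matches Telnet (TCP/23)
# packets arriving from an untrusted source range destined for the CPU.
# Note the caveat from step 3: use "eq", since "neq" rules are not supported
# in an attack defense policy.
<HUAWEI> system-view
[~HUAWEI] acl number 3001
[*HUAWEI-acl4-advance-3001] rule 5 permit tcp source 192.0.2.0 0.0.0.255 destination-port eq 23
[*HUAWEI-acl4-advance-3001] quit

# Steps 2-3: create attack defense policy 1 and bind the self-defined
# blacklist to ACL 3001. A blacklist takes only one ACL; running
# "blacklist acl" again with a different ACL replaces this binding rather
# than adding a second one.
[*HUAWEI] cpu-defend policy 1
[*HUAWEI-cpu-defend-policy-1] blacklist acl 3001

# Step 9: commit so the configuration takes effect (two-stage commit model).
[*HUAWEI-cpu-defend-policy-1] commit
[~HUAWEI-cpu-defend-policy-1] quit

# Verification (assumed command): confirm the blacklist binding under policy 1.
# Per the prerequisites, the blacklist function itself must also be enabled,
# otherwise the binding shown here has no effect.
[~HUAWEI] display cpu-defend policy 1
```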

Copyright © Huawei Technologies Co., Ltd.