Configuring the IP blacklist
The IP blacklist feature filters packets sourced from IP addresses in blacklist entries.
IP blacklist entries can be manually added or dynamically learned:
You can manually add an IP blacklist entry. These entries do not age out by default. You can set an aging time for each entry.
The device can automatically add IP blacklist entries when collaborating with scanning attack detection. Each dynamically learned IP blacklist entry has an aging time, which is user configurable. Make sure the block-source keyword is specified as the scanning attack prevention action. For more information about the scanning attack detection and prevention, see "Configuring a scanning attack defense policy."
The IP blacklist can be used alone or together with a scanning attack defense policy.
To configure the IP blacklist:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. (Optional.) Enable the global blacklist feature. | blacklist global enable | By default, the global blacklist feature is disabled. If the global blacklist feature is enabled, the blacklist feature is enabled on all interfaces. |
3. (Optional.) Add an IPv4 blacklist entry. | blacklist ip source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] [ timeout minutes ] | By default, no IPv4 blacklist entries exist. |
4. (Optional.) Add an IPv6 blacklist entry. | blacklist ipv6 source-ipv6-address [ vpn-instance vpn-instance-name ] [ timeout minutes ] | By default, no IPv6 blacklist entries exist. |
5. (Optional.) Enable logging for the blacklist feature. | blacklist logging enable | By default, logging is disabled for the blacklist feature. |
6. Enter interface view. | interface interface-type interface-number | N/A |
7. Enable the blacklist feature on the interface. | blacklist enable | By default, the blacklist feature is disabled on the interface. |