Configuring wlan ids frame filtering, Overview – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Configuring WLAN IDS frame filtering
Overview
Frame filtering is a feature of 802.11 MAC and a sub-feature of WLAN IDS.
An access controller maintains a white list (permitted entries), a static blacklist (denied entries), and a
dynamic blacklist (denied entries that are added to the blacklist when WLAN IDS detects flood attacks).
You can configure the white and black lists through the CLI.
You can configure the blacklist and white list functions to filter frames from WLAN clients and implement
client access control.
WLAN client access control is accomplished through the following three types of lists.
• White list—Contains the MAC addresses of all clients allowed to access the WLAN. If the white list is used, only permitted clients can access the WLAN, and all frames from other clients are discarded.
• Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is manually configured.
• Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. A client is dynamically added to the list when it is considered to be sending attack frames, and it stays in the list until the timer of the entry expires. A dynamic blacklist can collaborate with ARP detection. When ARP detection detects any attacks, the MAC addresses of the attackers are added to the dynamic blacklist. For more information about ARP detection, see Security Configuration Guide.
When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the frame by following these rules:
1. If the source MAC address does not match any entry in the white list, the frame is dropped. If there is a match, the frame is considered valid and is further processed.
2. If no white list entries exist, the static and dynamic blacklists are searched.
3. If the source MAC address matches an entry in either of the two lists, the frame is dropped.
4. If there is no match, or no blacklist entries exist, the frame is considered valid and is further processed.
The static blacklist and white list configured on the AC apply to all APs connected to the AC, while the dynamic blacklist applies only to the APs that received the attack packets.