beautypg.com

Configuring wlan ids frame filtering – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 161

background image

149

Figure 76 Frame filtering

In the topology, three APs are connected to an AC. Configure white list and static blacklist entries on the
AC, which sends all the entries to the APs. If the MAC address of a station, Client 1 for example, is

present in the blacklist, it cannot access any of the APs. If only Client 1 is present in the white list, it can

access any of the APs, and other clients cannot access any of the APs.

Enable dynamic blacklist function on the AC. If AP 1 receives attack frames from Client 1, a dynamic
blacklist entry is generated in the blacklist, and Client 1 cannot associate with AP 1, but can
associate with AP 2 or AP 3. If AP 2 or AP 3 receives attack frames from Client 1, a new dynamic

blacklist entry is generated in the blacklist.

Configuring WLAN IDS frame filtering

WLAN IDS frame filtering configuration involves white list configuration, blacklist configuration, and
dynamic blacklist feature configuration.

The maximum number of static and dynamic blacklist and whitelist entries depends on your device
model. For more information, see About the WX Series Access Controllers Configuration Guides.

In WLAN IDS view, you can configure the static blacklist, white list, enable dynamic blacklist feature
and configure the lifetime for dynamic entries.

Only entries present in the white list are permitted. You can add entries into or delete entries from
the list.

Entries present in the static blacklist are denied.

Whenever WLAN IDS detects a flood attack, the attacking device is added into the dynamic
blacklist. You can set a lifetime in seconds for dynamic blacklist entries. After the lifetime of an entry

expires, the device entry is removed from the dynamic blacklist. If a flood attack from the device is
detected again before the lifetime expires, the entry is refreshed.

To configure WLAN IDS frame filtering:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter WLAN IDS view.

wlan ids

N/A