Configuring wlan ids frame filtering – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Figure 76 Frame filtering
• In the topology, three APs are connected to an AC. Configure white list and static blacklist entries on the AC, which sends all the entries to the APs. If the MAC address of a station, Client 1 for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present in the white list, it can access any of the APs, and other clients cannot access any of the APs.
• Enable the dynamic blacklist function on the AC. If AP 1 receives attack frames from Client 1, a dynamic blacklist entry is generated in the blacklist, and Client 1 cannot associate with AP 1, but can associate with AP 2 or AP 3. If AP 2 or AP 3 receives attack frames from Client 1, a new dynamic blacklist entry is generated in the blacklist.
Configuring WLAN IDS frame filtering
WLAN IDS frame filtering configuration involves white list configuration, blacklist configuration, and
dynamic blacklist feature configuration.
• The maximum number of static and dynamic blacklist and white list entries depends on your device model. For more information, see About the WX Series Access Controllers Configuration Guides.
• In WLAN IDS view, you can configure the static blacklist and the white list, enable the dynamic blacklist feature, and configure the lifetime for dynamic entries.
• Only entries present in the white list are permitted. You can add entries to or delete entries from the list.
• Entries present in the static blacklist are denied.
• Whenever WLAN IDS detects a flood attack, the attacking device is added to the dynamic blacklist. You can set a lifetime in seconds for dynamic blacklist entries. After the lifetime of an entry expires, the device entry is removed from the dynamic blacklist. If a flood attack from the device is detected again before the lifetime expires, the entry is refreshed.
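The list semantics described above, modelled as an added Python example (not H3C code or CLI syntax). Class and method names are hypothetical, the MAC addresses and the 300-second lifetime are constructed, and the order of checks (white list first, blacklists consulted only when the white list is empty) is an assumption that this page does not spell out.

```python
class FrameFilter:
    """Toy model of the frame-filtering lists; all names are hypothetical."""

    def __init__(self, lifetime):
        self.lifetime = lifetime        # lifetime of dynamic entries, in seconds
        self.whitelist = set()          # configured on the AC, sent to every AP
        self.static_blacklist = set()   # configured on the AC, sent to every AP
        self.dynamic = {}               # (ap, mac) -> expiry time; one entry per AP

    def report_flood(self, ap, mac, now):
        # A detection creates the entry for that AP, or refreshes its
        # lifetime if the entry has not expired yet.
        self.dynamic[(ap, mac)] = now + self.lifetime

    def _expire(self, now):
        # Entries whose lifetime has run out are removed from the list.
        for key in [k for k, exp in self.dynamic.items() if exp <= now]:
            del self.dynamic[key]

    def permits(self, ap, mac, now):
        self._expire(now)
        if self.whitelist:              # assumption: white list is checked first
            return mac in self.whitelist
        if mac in self.static_blacklist:
            return False                # denied on every AP
        return (ap, mac) not in self.dynamic


def demo():
    client1 = "0011-2233-4455"          # constructed MAC addresses
    client2 = "0011-2233-4466"
    f = FrameFilter(lifetime=300)
    f.report_flood("AP1", client1, now=0)
    out = [f.permits("AP1", client1, 100),   # blocked on AP 1
           f.permits("AP2", client1, 100)]   # still allowed on AP 2
    f.report_flood("AP1", client1, now=200)  # refresh: expiry moves to 500
    out += [f.permits("AP1", client1, 400),  # still blocked after refresh
            f.permits("AP1", client1, 500)]  # lifetime expired, entry removed
    f.whitelist.add(client1)                 # white list now holds only Client 1
    out.append(f.permits("AP3", client2, 600))  # any other client is denied
    return out


if __name__ == "__main__":
    print(demo())
```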
To configure WLAN IDS frame filtering:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter WLAN IDS view. | wlan ids | N/A