Configuring wids-frame filtering – H3C Technologies H3C WA2600 Series WLAN Access Points User Manual
When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the frame as follows:
1) If the source MAC address does not match any entry in the white list, the frame is dropped. If there is a match, the frame is considered valid and is processed further.
2) If no white list entries exist, the static and dynamic blacklists are searched.
3) If the source MAC address matches an entry in either of the two blacklists, the frame is dropped.
4) If there is no match, or no blacklist entries exist, the frame is considered valid and is processed further.
Figure 7-1 Frame filtering (network diagram: IP network, L2 switch, fat AP, Client 1 to Client 4)
If Client 1 is present in the blacklist, it cannot associate with the fat AP; if it is only in the white list, it can associate with the fat AP.
Configuring WIDS-Frame Filtering
WLAN IDS frame filtering configuration involves white list configuration, static blacklist configuration, and dynamic blacklist feature configuration.
- In WLAN IDS view, you can configure the static blacklist and the white list, enable the dynamic blacklist feature, and configure the lifetime for dynamic entries.
- Only entries present in the white list will be permitted. You can add entries to or delete entries from the list.
- Entries present in the static blacklist will be denied.
- Whenever WLAN IDS detects a flood attack, the attacking device is added to the dynamic blacklist. You can set a lifetime in seconds for dynamic blacklist entries. After the lifetime of an entry expires, the device entry is removed from the dynamic blacklist.
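The frame-processing steps and the dynamic blacklist lifetime described above can be modelled as follows. This is an added example, not H3C code: the names `FrameFilter`, `normalize_mac` and `demo` are hypothetical, the MAC addresses and the 60-second lifetime are constructed, and it assumes that a non-empty white list alone decides the outcome and that a dynamic entry expires exactly when its lifetime has elapsed.

```python
import re

def normalize_mac(mac):
    """Accept 0011-2233-4455, 00:11:22:33:44:55 or 00-11-22-33-44-55."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()

class FrameFilter:
    """Model of the white list / blacklist decision order (hypothetical class)."""
    def __init__(self, dynamic_lifetime):
        self.whitelist = set()
        self.static_blacklist = set()
        self.dynamic_blacklist = {}          # MAC -> expiry time in seconds
        self.dynamic_lifetime = dynamic_lifetime

    def allow(self, mac):
        self.whitelist.add(normalize_mac(mac))
    def deny(self, mac):
        self.static_blacklist.add(normalize_mac(mac))

    def flood_detected(self, mac, now):
        """Flood detection adds the device to the dynamic blacklist."""
        self.dynamic_blacklist[normalize_mac(mac)] = now + self.dynamic_lifetime

    def permits(self, src_mac, now):
        mac = normalize_mac(src_mac)
        # Steps 1-2: when white list entries exist, only they are permitted.
        if self.whitelist:
            return mac in self.whitelist
        # Dynamic entries are removed once their lifetime has expired.
        for entry, expiry in list(self.dynamic_blacklist.items()):
            if expiry <= now:
                del self.dynamic_blacklist[entry]
        # Steps 3-4: a match in either blacklist drops the frame.
        return mac not in self.static_blacklist and mac not in self.dynamic_blacklist

def demo():
    f = FrameFilter(dynamic_lifetime=60)     # constructed MACs and lifetime
    f.deny("0011-2233-4401")
    f.flood_detected("00:11:22:33:44:02", now=0)
    results = [f.permits("00:11:22:33:44:01", now=10),   # static blacklist
               f.permits("0011-2233-4402", now=59),      # dynamic, still live
               f.permits("0011-2233-4402", now=60),      # dynamic, expired
               f.permits("0011-2233-4403", now=10)]      # no match
    f.allow("0011-2233-4403")
    results.append(f.permits("0011-2233-4404", now=10))  # not in white list
    return results
```

Once the white list holds an entry, every other client is dropped, including clients that were never blacklisted, so the white list has to be complete before it is populated on a production AP.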