Configuring the blacklist function, Network requirements, Configuration procedure – H3C Technologies H3C SecBlade LB Cards User Manual
Configuring the blacklist function
Network requirements
As shown in Figure 142, Host D is an attacker in the external network. Configure LB to filter packets from Host D permanently. Host C is in the internal network. Configure LB to drop packets from Host C for 50 minutes, so that Host C cannot access the external network during that period.
Figure 142 Network diagram
Configuration procedure
# Configure IP addresses for interfaces. (Details not shown.)
# Enable the blacklist function.
[LB] blacklist enable
# Add Host D's IP address 5.5.5.5 to the blacklist without configuring an aging time for it.
[LB] blacklist ip 5.5.5.5
# Add Host C's IP address 192.168.1.4 to the blacklist and configure the aging time as 50 minutes.
[LB] blacklist ip 192.168.1.4 timeout 50
Verifying the configuration
Use the display blacklist all command to display the added blacklist entries.
[LB] display blacklist all
Blacklist information
-------------------------------------------------------------------------
Blacklist           : enabled
Blacklist items     : 2
------------------------------------------------------------------------------
IP            Type    Aging started        Aging finished       Dropped packets
                      YYYY/MM/DD hh:mm:ss  YYYY/MM/DD hh:mm:ss
5.5.5.5       manual  2008/04/09 16:02:20  Never                0
192.168.1.4   manual  2008/04/09 16:02:26  2008/04/09 16:52:26  0
After the configuration takes effect, LB should:
• Always drop packets from Host D. The entry has no aging time (Aging finished shows Never), so it stays until you delete it with the undo blacklist ip 5.5.5.5 command.
• For 50 minutes after the entry is added, drop all packets received from Host C.
• After the 50-minute aging time expires (16:52:26 in the output above), remove the entry and forward Host C's packets normally again.
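The verification step is easy to get wrong by eye when the blacklist holds more than two entries. The following Python script is an added example, not part of the H3C manual: it parses the display blacklist all output shown above (the sample text is constructed from that output, with the column layout assumed to match what the device prints), classifies each entry as permanent or aging, and compares the result against the intended policy (Host D permanent, Host C 50 minutes). The function and field names are the example's own.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Constructed sample: the 'display blacklist all' output from the verification
# step, laid out with the columns as the device prints them (assumed layout).
SAMPLE_OUTPUT = """\
Blacklist information
-------------------------------------------------------------------------
Blacklist           : enabled
Blacklist items     : 2
------------------------------------------------------------------------------
IP            Type    Aging started        Aging finished       Dropped packets
                      YYYY/MM/DD hh:mm:ss  YYYY/MM/DD hh:mm:ss
5.5.5.5       manual  2008/04/09 16:02:20  Never                0
192.168.1.4   manual  2008/04/09 16:02:26  2008/04/09 16:52:26  0
"""

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
TS_FMT = "%Y/%m/%d %H:%M:%S"
# One blacklist entry line: IP, type, aging started, aging finished (or Never), dropped count.
ENTRY_RE = re.compile(
    rf"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<type>\S+)\s+(?P<started>{TS})\s+"
    rf"(?P<finished>Never|{TS})\s+(?P<dropped>\d+)\s*$"
)


class Entry(NamedTuple):
    ip: str
    type: str
    started: datetime
    finished: Optional[datetime]  # None means "Never": the entry stays until undo
    dropped: int


def blacklist_enabled(text: str) -> bool:
    """True if the status block reports 'Blacklist : enabled'."""
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip() == "Blacklist":
            return val.strip() == "enabled"
    return False


def parse_entries(text: str) -> List[Entry]:
    """Extract the entry rows; header, separator and status lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        fin = m["finished"]
        entries.append(Entry(
            ip=m["ip"],
            type=m["type"],
            started=datetime.strptime(m["started"], TS_FMT),
            finished=None if fin == "Never" else datetime.strptime(fin, TS_FMT),
            dropped=int(m["dropped"]),
        ))
    return entries


def aging_minutes(e: Entry) -> Optional[int]:
    """Configured aging time in minutes, derived from the two timestamps; None if permanent."""
    if e.finished is None:
        return None
    return int((e.finished - e.started).total_seconds() // 60)


def check_expected(entries: List[Entry], expected: dict) -> List[str]:
    """Compare parsed entries with the intended policy {ip: timeout_minutes or None}.

    Returns a list of problems; an empty list means the blacklist matches the policy.
    Entries present on the device but absent from the policy are reported too, so a
    stale or unexpected block does not go unnoticed."""
    by_ip = {e.ip: e for e in entries}
    problems = []
    for ip, timeout in expected.items():
        e = by_ip.get(ip)
        if e is None:
            problems.append(f"{ip}: not in blacklist")
        elif aging_minutes(e) != timeout:
            problems.append(f"{ip}: aging {aging_minutes(e)} min, expected {timeout}")
    for ip in by_ip:
        if ip not in expected:
            problems.append(f"{ip}: unexpected blacklist entry")
    return problems


if __name__ == "__main__":
    policy = {"5.5.5.5": None, "192.168.1.4": 50}
    found = parse_entries(SAMPLE_OUTPUT)
    print("enabled:", blacklist_enabled(SAMPLE_OUTPUT))
    for e in found:
        print(e.ip, e.type, "permanent" if aging_minutes(e) is None else f"{aging_minutes(e)} min", e.dropped)
    print("problems:", check_expected(found, policy) or "none")
```

Run against the sample output, the script reports both entries as expected: 5.5.5.5 permanent, 192.168.1.4 with a 50-minute aging window, and no problems. If Host C's entry had been added without timeout 50 by mistake, the aging mismatch is reported rather than silently passed.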
Figure 142 labels: Internet; LB with interfaces GE0/1 and GE0/2; Host A, Host B and Host C (192.168.1.4/16); Host D, the attacker (5.5.5.5/24); interface addresses 202.1.0.1/16 and 192.168.1.1/16.