11-Security Command Reference

09-Blacklist Commands

blacklist enable

Syntax

blacklist enable

undo blacklist enable

View

System view

Default level

2: System level

Parameters

None

Description

Use blacklist enable to enable the blacklist function.

Use undo blacklist enable to restore the default.

By default, the blacklist function is disabled.

After the blacklist function is enabled, you can add blacklist entries manually.

Examples

# Enable the blacklist function.

<Sysname> system-view

[Sysname] blacklist enable

blacklist ip

Syntax

blacklist ip source-ip-address [ timeout minutes ]

undo blacklist { all | ip source-ip-address [ timeout ] }

View

System view

Default level

2: System level

Parameters

source-ip-address: IP address to be added to the blacklist, used to match the source IP address of packets. This IP address cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address.

all: Specifies all blacklist entries.

timeout minutes: Specifies an aging time for the blacklist entry. The minutes argument is the aging time, in the range of 1 to 1000 minutes. If you do not specify an aging time, the blacklist entry never ages out and remains until you delete it manually.

Description

Use blacklist ip to add a blacklist entry. After an IP address is added to the blacklist, the switch will filter all packets from it.

Use undo blacklist to delete one or all blacklist entries, or to cancel the aging time configured for a blacklist entry. You can use undo blacklist ip source-ip-address timeout to cancel the aging time specified for a manually added blacklist entry. After this configuration, the blacklist entry never ages out.

All blacklist entries can take effect only when the blacklist function is enabled.

You can modify the aging time of an existing blacklist entry, and the modification will take effect immediately.

Related commands: blacklist enable and display blacklist.

Examples

# Add IP address 192.168.1.2 to the blacklist and configure its aging time as 20 minutes.

<Sysname> system-view

[Sysname] blacklist ip 192.168.1.2 timeout 20
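The parameter rules above can be checked before a list of addresses is turned into blacklist ip lines. The following Python sketch is an added example, not part of the H3C documentation: the function names and the sample feed are hypothetical, and because directed broadcast addresses depend on a subnet mask that is not known here, only the limited broadcast address (which lies inside 240.0.0.0/4) is caught.

```python
import ipaddress

# Ranges the command reference excludes for source-ip-address.
REJECTED = {
    "127.0.0.0/8": ipaddress.ip_network("127.0.0.0/8"),
    "class D (224.0.0.0/4)": ipaddress.ip_network("224.0.0.0/4"),
    # Class E also contains the limited broadcast 255.255.255.255.
    "class E (240.0.0.0/4)": ipaddress.ip_network("240.0.0.0/4"),
}

# Constructed sample feed: (address, timeout in minutes or None).
SAMPLE_FEED = [
    ("192.168.1.2", 20),
    ("203.0.113.7", None),      # no timeout: entry never ages out
    ("127.0.0.5", 10),          # loopback range
    ("224.0.0.9", 5),           # class D
    ("255.255.255.255", None),  # limited broadcast
    ("198.51.100.4", 1001),     # timeout above the documented maximum
    ("10.0.0.300", 5),          # not a valid IPv4 address
]

def blacklist_command(source_ip, timeout=None):
    """Return one 'blacklist ip' line or raise ValueError."""
    addr = ipaddress.IPv4Address(source_ip)  # malformed input raises ValueError
    for label, net in REJECTED.items():
        if addr in net:
            raise ValueError(f"{addr} is in {label}")
    if timeout is None:
        return f"blacklist ip {addr}"
    if not isinstance(timeout, int) or not 1 <= timeout <= 1000:
        raise ValueError(f"timeout {timeout!r} is outside 1 to 1000 minutes")
    return f"blacklist ip {addr} timeout {timeout}"

def build_batch(entries):
    """Split a feed into command lines and rejected (address, reason) pairs."""
    accepted, rejected = [], []
    for ip, timeout in entries:
        try:
            accepted.append(blacklist_command(ip, timeout))
        except ValueError as exc:
            rejected.append((ip, str(exc)))
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = build_batch(SAMPLE_FEED)
    print("\n".join(ok))
    for ip, reason in bad:
        print(f"skipped {ip}: {reason}")
```
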

display blacklist

Syntax

In standalone mode:

display blacklist { all | ip source-ip-address [ slot slot-number ] | slot slot-number } [ | { begin | exclude | include } regular-expression ]

In IRF mode:

display blacklist { all | chassis chassis-number slot slot-number | ip source-ip-address [ chassis chassis-number slot slot-number ] } [ | { begin | exclude | include }

View

Any view

Default level

1: Monitor level

Parameters

all: Displays information about all blacklist entries.

ip source-ip-address: Displays information about the blacklist entry for an IP address. source-ip-address indicates the IP address, which cannot be a broadcast address, 127.0.0.0/8, a class D address, or a class E address.

slot slot-number: Displays information about the blacklist entries for the card in a slot. (In standalone mode.)

chassis chassis-number slot slot-number: Displays information about the blacklist entries for a card in a certain IRF member switch. The chassis-number argument refers to the ID of the IRF member switch, and the slot-number argument refers to the number of the slot where the card resides. For the IRF member ID of a switch, use the display device command. (In IRF mode.)

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays the lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display blacklist to display information about one or all blacklist entries.

Related commands: blacklist enable and blacklist ip.

Examples

# Display information about all blacklist entries.

<Sysname> display blacklist all
                    Blacklist information
------------------------------------------------------------------------------
Blacklist                               : enabled
Blacklist items                         : 1
------------------------------------------------------------------------------
IP              Type   Aging started       Aging finished      Dropped packets
                       YYYY/MM/DD hh:mm:ss YYYY/MM/DD hh:mm:ss
2.2.1.2         manual 2008/08/27 19:15:39 Never               0
1.1.1.3         manual 2008/09/02 06:13:20 2008/09/02 07:54:47 4294967295
--------------------------------------------------------------------------

Table 1 Command output

Field: Description

Blacklist: Indicates whether the blacklist function is enabled.

Blacklist items: Number of blacklist entries.

IP: IP address of the blacklist entry.

Type: Type of the blacklist entry. It can be manual, which means the entry was added manually.

Aging started: Time when the blacklist entry is added.

Aging finished: Aging time of the blacklist entry. Never means that the entry never ages out.

Dropped packets: Number of packets from the IP address that have been dropped.
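For periodic review, captured display blacklist all output can be parsed and checked for entries that never age out and for a disabled blacklist function. The following Python sketch is an added example, not part of the H3C documentation: the function names are hypothetical, the sample is constructed in the layout shown above, and treating 4294967295 (the largest unsigned 32-bit value) as a counter that may have stopped counting is an assumption, since the page does not say how the counter behaves at its limit.

```python
import re
from datetime import datetime

UINT32_MAX = 2**32 - 1  # largest value a 32-bit counter can show
TS = r"\d{4}/\d\d/\d\d \d\d:\d\d:\d\d"
ROW = re.compile(rf"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<type>\S+)\s+(?P<start>{TS})\s+"
                 rf"(?P<end>Never|{TS})\s+(?P<dropped>\d+)$")
FMT = "%Y/%m/%d %H:%M:%S"

# Constructed sample in the layout of the command output above.
SAMPLE = """\
Blacklist                               : enabled
Blacklist items                         : 2
------------------------------------------------------------------------------
IP              Type   Aging started       Aging finished      Dropped packets
                       YYYY/MM/DD hh:mm:ss YYYY/MM/DD hh:mm:ss
2.2.1.2         manual 2008/08/27 19:15:39 Never               0
1.1.1.3         manual 2008/09/02 06:13:20 2008/09/02 07:54:47 4294967295
"""

def parse_blacklist(text):
    """Parse the summary lines and entry rows; other lines are ignored."""
    state = {"enabled": None, "items": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Blacklist\s*:\s*(\w+)$", line):
            state["enabled"] = m.group(1) == "enabled"
        elif m := re.match(r"Blacklist items\s*:\s*(\d+)$", line):
            state["items"] = int(m.group(1))
        elif m := ROW.match(line):
            e = m.groupdict()
            e["dropped"] = int(e["dropped"])
            e["start"] = datetime.strptime(e["start"], FMT)
            e["end"] = None if e["end"] == "Never" else datetime.strptime(e["end"], FMT)
            state["entries"].append(e)
    return state

def audit(state):
    findings = []
    if not state["enabled"]:
        findings.append("blacklist disabled: entries do not take effect")
    if state["items"] != len(state["entries"]):
        findings.append("item count does not match parsed rows")
    for e in state["entries"]:
        if e["end"] is None:
            findings.append(f"{e['ip']}: never ages out")
        if e["dropped"] >= UINT32_MAX:
            findings.append(f"{e['ip']}: dropped counter at 32-bit maximum")
    return findings
```
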

 
