03-Security Command Reference
IP reputation commands
display ip-reputation attack-category
Use display ip-reputation attack-category to display information about attack categories for IP reputation.
Syntax
display ip-reputation attack-category
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Usage guidelines
The command displays attack category information after IP reputation is enabled.
If you do not specify actions for an attack category, the pre-defined actions are displayed.
Examples
# Display information about attack categories for IP reputation.
<Sysname> display ip-reputation attack-category
ID Attack name Action Logging
1 ddos permit enabled
2 web deny disabled
Figure 1 Command output
Field | Description |
---|---|
ID | Attack category ID. |
Attack name | Attack category name. |
Action | Action that the device takes on packets matching the attack category: · permit—Forwards the packets. · deny—Discards the packets. |
Logging | Logging status, enabled or disabled. |
Related commands
attack-category
display ip-reputation exception
Use display ip-reputation exception to display exception IP addresses.
Syntax
display ip-reputation exception
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Usage guidelines
The command displays exception IP addresses, if any, when IP reputation is enabled.
Examples
# Display exception IP addresses.
<Sysname> display ip-reputation exception
IP address
10.1.1.1
10.10.1.1
Figure 2 Command output
Field | Description |
---|---|
IP address | Exception IP address. |
display ip-reputation top-hit-statistics
Use display ip-reputation top-hit-statistics to display statistics for IP addresses with the highest hits on the IP reputation list.
Syntax
display ip-reputation top-hit-statistics [ top-number ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
top-number: Specifies the number of top ranking IP addresses. The value range is 10 to 100, and the default is 10.
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays statistics for IP addresses with the highest hits on the IP reputation list for all cards.
Usage guidelines
This command displays statistics for IP addresses with the highest hits on the IP reputation list when the top hit ranking feature is enabled.
This command does not display IP addresses with no hits. Therefore, the number of IP addresses in the command output might be less than the value of the top-number argument.
Examples
# Display statistics for 10 IP addresses with the highest hits on the IP reputation list.
<Sysname> display ip-reputation top-hit-statistics 10 slot 2
Slot 2 in chassis 1
IP address Hit count
10.1.1.1 1000
10.1.1.2 999
10.1.1.3 996
10.1.1.4 994
10.1.1.5 994
10.1.1.6 994
Figure 3 Command output
Field | Description |
---|---|
IP address | IP address on the IP reputation list. |
Hit count | Number of times that the IP address is hit. |
display ip-reputation
Use display ip-reputation to display IP reputation information about an IP address.
Syntax
display ip-reputation ipv4 ipv4-address
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
ipv4 ipv4-address: Specifies an IPv4 address.
Usage guidelines
The IP reputation list contains the following attribute information for an IP address: attack category, match field, actions on matching packets, and the hit count.
If an IP address belongs to multiple attack categories, the command displays a separate entry for each attack category, ordered by attack category ID.
Examples
# Display IP reputation information about IP address 192.168.1.1.
<Sysname> display ip-reputation ipv4 192.168.1.1
IP address Attack ID Attack name Direction Action Logging Hit count
192.168.1.1 1 ddos src deny enabled 1000
2 web dst permit disabled
Figure 4 Command output
Field | Description |
---|---|
IP address | IP address on the IP reputation list. |
Attack ID | ID of the attack category to which the IP address belongs. |
Attack name | Name of the attack category to which the IP address belongs. |
Direction | Match field attribute of the IP address: · src—Used as the source IP address match criterion. · dst—Used as the destination IP address match criterion. · src/dst—Used as the source or destination IP address match criterion. |
Action | Action on matching packets: · permit—Allows the packets to pass through. · deny—Drops the packets. |
Logging | Logging status, enabled or disabled. |
Hit count | Number of times that the IP address is matched. |
ip-reputation
Use ip-reputation to enter IP reputation view.
Use undo ip-reputation to delete all configuration made in IP reputation view.
Syntax
ip-reputation
undo ip-reputation
Views
System view
Predefined user roles
network-admin
context-admin
Examples
# Enter IP reputation view.
<Sysname> system-view
[Sysname] ip-reputation
[Sysname-ip-reputation]
attack-category
Use attack-category to configure actions for an attack category.
Use undo attack-category to restore the default.
Syntax
attack-category attack-id { action { deny | permit } | logging { disable | enable } } *
undo attack-category attack-id
Default
No actions are configured for an attack category. Each attack category has its own pre-defined actions.
Views
IP reputation view
Predefined user roles
network-admin
context-admin
Parameters
attack-id: Specifies an attack category ID. The value range depends on the IP reputation file and the device model.
action: Specifies an action.
deny: Drops matching packets.
permit: Allows matching packets to pass through.
logging: Sets the logging status for the attack category. When a packet matches the attack category with logging enabled, the device generates logs for the matching events.
disable: Disables logging for the matching events.
enable: Enables logging for the matching events.
Usage guidelines
The command configuration takes effect after you enable IP reputation.
On the IP reputation list, an IP address can belong to multiple attack categories. Each attack category has its own actions.
If an IP address belongs to only one attack category, the device takes the actions configured for that attack category. If an IP address belongs to multiple attack categories, the device takes the action that has the highest priority among the actions of those attack categories. The deny (drop) action has higher priority than the permit action.
If logging is enabled for any one of attack categories to which an IP address belongs, the device generates a log when the IP address is matched.
The device supports fast output of IP reputation logs. For more information about fast log output, see fast log output commands in Network Management and Monitoring Command Reference.
Examples
# Set the action to deny for attack category 1 and enable logging for the attack category.
<Sysname> system-view
[Sysname] ip-reputation
[Sysname-ip-reputation] attack-category 1 action deny logging enable
Related commands
display ip-reputation
global enable
exception
Use exception to specify an exception IP address.
Use undo exception to remove an exception IP address.
Syntax
exception ipv4 ipv4-address
undo exception ipv4 ipv4-address
Default
No exception IP address is specified.
Views
IP reputation view
Predefined user roles
network-admin
context-admin
Parameters
ipv4 ipv4-address: Specifies an exception IPv4 address.
Usage guidelines
The command takes effect after you enable IP reputation.
The device forwards a packet if the source or destination IP address of the packet is an exception IP address.
Repeat this command to add multiple exception IP addresses.
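The following is an added example, not H3C code, that models the decision rules described for attack-category and exception above as a small Python simulation: deny outranks permit when an address belongs to several categories, logging is on if any matched category logs, exception addresses are always forwarded, and hits are counted for the top-hit ranking. The category table, reputation list entries and addresses are constructed sample values, not from any real IP reputation file.

```python
from collections import Counter

# Pre-defined per-category actions (constructed sample values); attack-category overrides replace them.
CATEGORIES = {1: {"name": "ddos", "action": "permit", "logging": True},
              2: {"name": "web", "action": "deny", "logging": False}}

# Constructed reputation list: address -> {attack ID: direction attribute}.
REPUTATION = {"192.168.1.1": {1: "src", 2: "dst"},
              "10.1.1.2": {2: "src/dst"}}


def effective_action(category_ids, overrides):
    """Combine the actions of all categories an address belongs to:
    deny outranks permit, and logging is on if any category logs."""
    actions, logging = [], []
    for cid in category_ids:
        cfg = {**CATEGORIES[cid], **overrides.get(cid, {})}
        actions.append(cfg["action"])
        logging.append(cfg["logging"])
    return ("deny" if "deny" in actions else "permit"), any(logging)


class IpReputation:
    def __init__(self, overrides=None, exceptions=()):
        self.overrides = overrides or {}    # attack-category <id> action/logging
        self.exceptions = set(exceptions)   # exception ipv4 <address>
        self.hits = Counter()               # top-hit-statistics counters

    def matched_categories(self, addr, role):
        """Categories whose direction attribute covers addr used as role."""
        return [cid for cid, d in REPUTATION.get(addr, {}).items()
                if d in (role, "src/dst")]

    def inspect(self, src, dst):
        """Decide (action, log) for one packet and count list hits."""
        if src in self.exceptions or dst in self.exceptions:
            return "permit", False          # exceptions are always forwarded
        cats = []
        for addr, role in ((src, "src"), (dst, "dst")):
            matched = self.matched_categories(addr, role)
            if matched:
                self.hits[addr] += 1        # one hit per matched address
                cats.extend(matched)
        if not cats:
            return "permit", False          # not on the list: normal forwarding
        return effective_action(cats, self.overrides)

    def top_hits(self, top_number=10):
        """Only addresses with hits are ranked, so the result may be shorter."""
        return self.hits.most_common(top_number)
```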
Examples
# Specify 192.168.1.1 as an exception IP address.
<Sysname> system-view
[Sysname] ip-reputation
[Sysname-ip-reputation] exception ipv4 192.168.1.1
Related commands
display ip-reputation exception
global enable
global enable
Use global enable to enable IP reputation globally.
Use undo global enable to disable IP reputation globally.
Syntax
global enable
undo global enable
Default
IP reputation is disabled globally.
Views
IP reputation view
Predefined user roles
network-admin
context-admin
Examples
# Enable IP reputation globally.
<Sysname> system-view
[Sysname] ip-reputation
[Sysname-ip-reputation] global enable
top-hit-statistics enable
Use top-hit-statistics enable to enable the top hit ranking feature for IP addresses.
Use undo top-hit-statistics enable to disable the top hit ranking feature.
Syntax
top-hit-statistics enable
undo top-hit-statistics enable
Default
The top hit ranking feature is disabled for IP addresses on the IP reputation list.
Views
IP reputation view
Predefined user roles
network-admin
context-admin
Usage guidelines
This feature takes effect after you enable IP reputation.
This feature enables the device to collect hit statistics for IP addresses on the IP reputation list and rank them. After you disable this feature, the device clears hit statistics for IP reputation.
Examples
# Enable the top hit ranking feature for IP addresses on the IP reputation list.
<Sysname> system-view
[Sysname] ip-reputation
[Sysname-ip-reputation] top-hit-statistics enable
Related commands
display ip-reputation top-hit-statistics