R3303-HP HSR6800 Routers Security Configuration Guide
16
Figure 130 Network diagram
Configuration procedure
# Configure IP addresses for interfaces. (Details not shown.)
# Enable the blacklist function.
<Router> system-view
[Router] blacklist enable
# Add Host D's IP address 5.5.5.5 to the blacklist without configuring an aging time for it.
[Router] blacklist ip 5.5.5.5
# Add Host C's IP address 192.168.1.4 to the blacklist and configure the aging time as 50 minutes.
[Router] blacklist ip 192.168.1.4 timeout 50
Verifying the configuration
# Execute the display blacklist all command to display the added blacklist entries.
[Router] display blacklist all
Blacklist information
-------------------------------------------------------------------------
Blacklist : enabled
Blacklist items : 2
------------------------------------------------------------------------------
IP Type Aging started Aging finished Dropped packets
YYYY/MM/DD hh:mm:ss YYYY/MM/DD hh:mm:ss
Total blacklist items on slot 0 : 2
5.5.5.5 manual 2008/04/09 16:02:20 Never 0
192.168.1.4 manual 2008/04/09 16:02:26 2008/04/09 16:52:26 0
After the configuration takes effect, the router should:
• Always drop packets from Host D unless you delete Host D's IP address from the blacklist by using
the undo blacklist ip 5.5.5.5 command.
• Within 50 minutes, drop Host C's packets received.
• After 50 minutes, correctly forward Host C's packets received.
Internet
Router
Host C
GE3/0/2GE3/0/1
Host A Host B
Attacker
Host D
5.5.5.5/24
202.1.0.1/16192.168.1.1/16
192.168.1.4/16