R2511-HP MSR Router Series Security Command Reference(V5)
protection function or the user login authentication function. For configuration information about
scanning attack protection, see the defense scan add-to-blacklist command.
Examples
# Enable the blacklist function.
<Sysname> system-view
[Sysname] blacklist enable
Related commands
• defense scan
• display attack-defense policy
blacklist ip
Use blacklist ip to add a blacklist entry. After an IP address is added to the blacklist, the device filters all
packets from it.
Use undo blacklist to delete blacklist entries or cancel the aging time configuration of a blacklist entry.
Syntax
blacklist ip source-ip-address [ timeout minutes ]
undo blacklist { all | ip source-ip-address [ timeout ] }
Views
System view
Default command level
2: System level
Parameters
source-ip-address: Specifies the IP address to be added to the blacklist, used to match the source IP
address of packets. This IP address cannot be a broadcast address, 127.0.0.0/8, a class D address, or
a class E address.
all: Specifies all blacklist entries.
timeout minutes: Specifies an aging time for the blacklist entry. minutes is the aging time, in the
range of 1 to 1000 minutes. If you do not specify the aging time, the blacklist entry never ages
out and remains in the blacklist until you delete it manually.
Usage guidelines
You can use the undo blacklist ip source-ip-address timeout command to cancel the aging time specified
for a manually added blacklist entry. After the configuration, this blacklist entry never gets aged.
All blacklist entries can take effect only when the blacklist function is enabled.
You can modify the aging time of an existing blacklist entry, and the modification takes effect
immediately.
Examples
# Add IP address 192.168.1.2 to the blacklist, and configure its aging time as 20 minutes.
<Sysname> system-view
[Sysname] blacklist ip 192.168.1.2 timeout 20
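The following pre-flight check is an added example, not part of the HP reference: it validates candidate entries against the source-ip-address and timeout constraints listed under Parameters before any blacklist ip line is sent to a device. The function names and the sample list are hypothetical, and only the limited broadcast address 255.255.255.255 is treated as a broadcast address.

```python
import ipaddress

# Ranges the reference says cannot be used as source-ip-address.
FORBIDDEN = {
    "loopback 127.0.0.0/8": ipaddress.ip_network("127.0.0.0/8"),
    "class D": ipaddress.ip_network("224.0.0.0/4"),
    "class E": ipaddress.ip_network("240.0.0.0/4"),
}

def blacklist_command(ip, timeout=None):
    """Return a 'blacklist ip' line, or raise ValueError for an invalid entry."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"{ip}: not an IPv4 address") from exc
    # Assumption: only the limited broadcast is checked; directed broadcasts
    # depend on interface masks this script does not know.
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        raise ValueError(f"{ip}: broadcast address")
    for label, net in FORBIDDEN.items():
        if addr in net:
            raise ValueError(f"{ip}: {label} address")
    if timeout is None:
        return f"blacklist ip {addr}"  # no aging time: entry stays until deleted
    if isinstance(timeout, bool) or not isinstance(timeout, int) or not 1 <= timeout <= 1000:
        raise ValueError(f"{ip}: timeout must be 1 to 1000 minutes")
    return f"blacklist ip {addr} timeout {timeout}"

def render(entries):
    """Build the command list for (ip, timeout) pairs; collect rejects separately."""
    # Entries take effect only when the blacklist function is enabled.
    commands, rejected = ["system-view", "blacklist enable"], []
    for ip, timeout in entries:
        try:
            commands.append(blacklist_command(ip, timeout))
        except ValueError as exc:
            rejected.append(str(exc))
    return commands, rejected

# Constructed sample input, not taken from any real device or log.
SAMPLE = [("192.168.1.2", 20), ("10.0.0.7", None), ("127.0.0.1", 5),
          ("224.0.0.5", 10), ("255.255.255.255", 10), ("10.0.0.8", 1440)]

if __name__ == "__main__":
    cmds, bad = render(SAMPLE)
    print("\n".join(cmds))
    for reason in bad:
        print("rejected:", reason)
```

Rejected entries are reported separately so that a bad address in a feed does not silently shorten the list that reaches the device.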










