R2511-HP MSR Router Series Security Configuration Guide(V5)

| Step | Command | Remarks |
|------|---------|---------|
| 3. Apply an attack protection policy to the interface. | attack-defense apply policy policy-number | By default, no attack protection policy is applied to any interface. The attack protection policy to be applied to an interface must already exist. |
Configuring the blacklist function
You can configure a device to filter packets from certain IP addresses by configuring the blacklist
function.
The blacklist configuration includes enabling the blacklist function and adding blacklist entries. When
adding a blacklist entry, you can also configure the entry aging time. If you do not configure the aging
time, the entry never ages out and exists until you delete it manually.
To configure the blacklist function:
| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. Enable the blacklist function. | blacklist enable | Disabled by default. |
| 3. Add a blacklist entry. | blacklist ip source-ip-address [ timeout minutes ] | Optional. The scanning attack protection function can add blacklist entries automatically. |
You can add blacklist entries manually, or configure the device to automatically add the IP addresses of
detected scanning attackers to the blacklist. For the latter purpose, enable the blacklist function for the
device, the scanning attack protection function, and the blacklist function for scanning attack protection.
The blacklist entries added by the scanning attack protection function age out after the aging time,
which is configurable. For the configuration of scanning attack protection, see "Configuring a scanning
attack protection policy."
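An added example (not part of this guide): a Python check that reads saved configuration text and reports blacklist entries that have no timeout and therefore never age out, entries with a malformed address or timeout, and entries that exist while the blacklist function is not enabled. It assumes the saved configuration lists the commands in the same form as they are entered in the table above; the sample configuration and the function name audit_blacklist are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of saved configuration text (not taken from a real device).
SAMPLE_CONFIG = """\
#
 blacklist enable
 blacklist ip 192.0.2.10
 blacklist ip 198.51.100.7 timeout 30
 blacklist ip 203.0.113.300 timeout 10
#
"""

# Matches "blacklist ip source-ip-address [ timeout minutes ]" at the start of a line,
# so "undo blacklist ip ..." lines are ignored.
ENTRY_RE = re.compile(r"^\s*blacklist ip (\S+)(?:\s+timeout\s+(\S+))?\s*$")


def audit_blacklist(config_text):
    """Return (enabled, entries, findings) for the blacklist commands in config_text."""
    enabled = False
    entries = []   # (address, timeout in minutes, or None for a permanent entry)
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.strip() == "blacklist enable":
            enabled = True
            continue
        match = ENTRY_RE.match(line)
        if not match:
            continue
        address, timeout = match.groups()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            findings.append(f"line {lineno}: invalid source IP address {address!r}")
            continue
        if timeout is None:
            # No aging time configured: the entry stays until deleted manually.
            findings.append(f"line {lineno}: {address} has no timeout and never ages out")
            minutes = None
        elif timeout.isdigit() and int(timeout) > 0:
            minutes = int(timeout)
        else:
            findings.append(f"line {lineno}: invalid timeout {timeout!r} for {address}")
            continue
        entries.append((address, minutes))
    if entries and not enabled:
        findings.append("blacklist entries exist but 'blacklist enable' is missing")
    return enabled, entries, findings
```
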
Enabling traffic statistics on an interface
To collect traffic statistics on an interface, enable the traffic statistics function on the interface. The device
supports traffic statistics in the following two modes:
• By direction, inbound or outbound—Collect statistics on packets received on or sent from an
  interface.
• By IP address, source IP address or destination IP address—Collect statistics on packets received
  on an interface by source IP addresses, or on packets sent from an interface by destination IP
  addresses.
To enable traffic statistics on an interface:
| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |