Configuring the IP blacklist feature
About the IP blacklist feature
The IP blacklist feature filters packets sourced from IP addresses in blacklist entries. If the global blacklist feature is enabled, the blacklist feature is enabled on all interfaces.
IP blacklist entries can be manually added or dynamically learned:
You can manually add an IP blacklist entry by using the blacklist ip or blacklist ipv6 command. These entries do not age out by default. You can set an aging time for each entry.
The device can add IP blacklist entries automatically when it collaborates with scanning attack detection. Each dynamically learned IP blacklist entry has an aging time, which is user configurable. For dynamic learning to work, the block-source keyword must be specified as the scanning attack prevention action. For more information about scanning attack detection and prevention, see "Configuring a scanning attack defense policy."
Procedure
Enter system view.
system-view
(Optional.) Enable the global blacklist feature.
blacklist global enable
By default, the global blacklist feature is disabled.
(Optional.) Add an IP blacklist entry.
Add an IPv4 blacklist entry.
blacklist ip source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] [ timeout minutes ]
Add an IPv6 blacklist entry.
blacklist ipv6 source-ipv6-address [ vpn-instance vpn-instance-name ] [ timeout minutes ]
(Optional.) Enable logging for the blacklist feature.
blacklist logging enable
By default, logging is disabled for the blacklist feature.
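The procedure above carried through as an added configuration example (not from the original page). The addresses are constructed, a VPN instance named vpn1 is assumed to exist already, and the <Device>/[Device] prompts are assumed CLI prompts; the first entry has no timeout and so never ages out, while the IPv6 entry ages out after 30 minutes.

```console
# Enter system view (assumed prompt style).
<Device> system-view
# Enable the blacklist feature on all interfaces.
[Device] blacklist global enable
# Permanent IPv4 entry (no timeout) scoped to the constructed VPN instance vpn1.
[Device] blacklist ip 192.0.2.10 vpn-instance vpn1
# IPv6 entry that ages out 30 minutes after it is added.
[Device] blacklist ipv6 2001:db8::10 timeout 30
# Log blacklist hits so filtered sources show up in the device log.
[Device] blacklist logging enable
```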