Configuring wlan ids frame filtering – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Figure 76 Frame filtering
• In the topology, three APs are connected to an AC. Configure white list and static blacklist entries on the AC, which sends all the entries to the APs. If the MAC address of a station, Client 1 for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present in the white list, it can access any of the APs, and other clients cannot access any of the APs.
• Enable the dynamic blacklist function on the AC. If AP 1 receives attack frames from Client 1, a dynamic blacklist entry is generated in the blacklist, and Client 1 cannot associate with AP 1, but can associate with AP 2 or AP 3. If AP 2 or AP 3 receives attack frames from Client 1, a new dynamic blacklist entry is generated in the blacklist.
Configuring WLAN IDS frame filtering
WLAN IDS frame filtering configuration involves white list configuration, blacklist configuration, and
dynamic blacklist feature configuration.
• The maximum number of static and dynamic blacklist and white list entries depends on your device model. For more information, see About the WX Series Access Controllers Configuration Guides.
• In WLAN IDS view, you can configure the static blacklist and the white list, enable the dynamic blacklist feature, and configure the lifetime for dynamic entries.
• Only entries present in the white list are permitted. You can add entries into or delete entries from the list.
• Entries present in the static blacklist are denied.
• Whenever WLAN IDS detects a flood attack, the attacking device is added into the dynamic blacklist. You can set a lifetime in seconds for dynamic blacklist entries. After the lifetime of an entry expires, the device entry is removed from the dynamic blacklist. If a flood attack from the device is detected again before the lifetime expires, the entry is refreshed.
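The filtering behaviour described above, modelled as an added Python example (not H3C code or CLI syntax) that shows the per-AP scope of dynamic entries and the lifetime refresh. The class and function names, the 300-second lifetime, the MAC addresses and the evaluation order (a non-empty white list decides alone) are assumptions made for illustration.

```python
def norm(mac):
    """Canonical 12-hex-digit form, so 0011-2233-4455 equals 00:11:22:33:44:55."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class FrameFilter:
    """Hypothetical model of the white list, static blacklist and dynamic blacklist."""

    def __init__(self, lifetime=300, dynamic_enabled=True):
        self.whitelist = set()         # configured on the AC, sent to every AP
        self.static_blacklist = set()  # configured on the AC, sent to every AP
        self.dynamic = {}              # (ap, mac) -> expiry time, one entry per AP
        self.lifetime = lifetime       # seconds; 300 is a constructed sample value
        self.dynamic_enabled = dynamic_enabled

    def report_flood(self, ap, mac, now):
        """WLAN IDS on `ap` saw a flood from `mac`: create or refresh the entry."""
        if self.dynamic_enabled:
            self.dynamic[(ap, norm(mac))] = now + self.lifetime

    def permits(self, ap, mac, now):
        """Return True if `mac` may access `ap` at time `now` (seconds)."""
        mac = norm(mac)
        # Drop dynamic entries whose lifetime has run out.
        self.dynamic = {k: t for k, t in self.dynamic.items() if t > now}
        if self.whitelist:             # assumption: a non-empty white list decides alone
            return mac in self.whitelist
        if mac in self.static_blacklist:
            return False               # static entries apply on every AP
        return (ap, mac) not in self.dynamic


if __name__ == "__main__":
    f = FrameFilter()
    client1 = "0011-2233-4455"         # constructed sample address
    f.report_flood("AP1", client1, now=0)
    for ap in ("AP1", "AP2", "AP3"):
        print(ap, "permits Client 1:", f.permits(ap, client1, now=10))
```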
To configure WLAN IDS frame filtering:
Step                       Command        Remarks
1. Enter system view.      system-view    N/A
2. Enter WLAN IDS view.    wlan ids       N/A