
Huawei Switch Anti-Virus Policy

Published: 2021-08-03 11:34
 

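This document uses the Huawei S5720 switch as an example to configure an anti-virus policy on the switch, which guards against worm attacks and worm propagation. The configuration is as follows: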

1. Create an advanced ACL (access control list); here it is named virus.

acl name virus

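2. Configure the following rules in this ACL. Here permit only marks the packets as matching the traffic classifier; the drop itself comes from the deny action in the traffic behavior (step 4).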

rule permit tcp source any destination any destination-port eq 135

rule permit udp source any destination any destination-port eq 135

rule permit udp source any destination any destination-port eq 137

rule permit udp source any destination any destination-port eq 138

rule permit tcp source any destination any destination-port eq 139

rule permit udp source any destination any destination-port eq 139

rule permit tcp source any destination any destination-port eq 445

rule permit udp source any destination any destination-port eq 445

rule permit tcp source any destination any destination-port eq 593

rule permit udp source any destination any destination-port eq 593

rule permit udp source any destination any destination-port eq 1434

rule permit tcp source any destination any destination-port eq 4444

rule permit tcp source any destination any destination-port eq 5554

rule permit tcp source any destination any destination-port eq 9995

rule permit tcp source any destination any destination-port eq 9996

3. Configure an ACL-based traffic classifier

traffic classifier virus

if-match acl virus

4. Configure the traffic behavior

traffic behavior virus_deny

deny

5. Create the traffic policy

traffic policy virus_deny

classifier virus behavior virus_deny

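6. Next, simply apply the traffic policy named virus_deny to the specific switch interfaces. The command that applies the policy (entered in the view of the specific interface) is: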

traffic-policy virus_deny inbound

or traffic-policy virus_deny outbound
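To check that steps 1 to 6 actually took effect on a device, the following added example (not part of the original document, and not Huawei tooling) audits a saved configuration text: it reports rules missing from the virus ACL, whether the policy chains to a classifier on that ACL and a behavior that denies, and which interfaces lack the policy. It assumes sub-commands are indented under their section header and ports are written numerically as in this document; the function names and the sample interface names are hypothetical.

```python
import re

# (protocol, destination port) pairs matched by the page's "virus" ACL.
EXPECTED = {("tcp", 135), ("udp", 135), ("udp", 137), ("udp", 138), ("tcp", 139),
            ("udp", 139), ("tcp", 445), ("udp", 445), ("tcp", 593), ("udp", 593),
            ("udp", 1434), ("tcp", 4444), ("tcp", 5554), ("tcp", 9995), ("tcp", 9996)}
RULE = re.compile(r"rule(?: \d+)? permit (tcp|udp) .*destination-port eq (\d+)$")

def parse_sections(config):
    """Group indented sub-commands under the unindented line that opens them."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def body_of(sections, *tokens):
    # Sub-commands of the first section whose header starts with `tokens`.
    return next((b for h, b in sections.items() if h.split()[:len(tokens)] == list(tokens)), [])

def audit(config, acl="virus", policy="virus_deny"):
    sec = parse_sections(config)
    rules = {(m.group(1), int(m.group(2)))
             for m in map(RULE.match, body_of(sec, "acl", "name", acl)) if m}
    chain_ok = False  # policy -> classifier on the ACL + behavior that denies
    for line in body_of(sec, "traffic", "policy", policy):
        m = re.match(r"classifier (\S+) behavior (\S+)", line)
        if m:
            chain_ok = (f"if-match acl {acl}" in body_of(sec, "traffic", "classifier", m.group(1))
                        and "deny" in body_of(sec, "traffic", "behavior", m.group(2)))
    unprotected = [h.split()[1] for h, b in sec.items() if h.startswith("interface ")
                   and not any(l.startswith(f"traffic-policy {policy} ") for l in b)]
    return {"missing_rules": sorted(EXPECTED - rules), "chain_ok": chain_ok,
            "unprotected": unprotected}

# Constructed sample in the page's command form; udp/1434 is omitted on purpose.
SAMPLE = "acl name virus\n" + "".join(
    f" rule permit {p} source any destination any destination-port eq {n}\n"
    for p, n in sorted(EXPECTED - {("udp", 1434)})) + "\n".join([
    "traffic classifier virus", " if-match acl virus",
    "traffic behavior virus_deny", " deny",
    "traffic policy virus_deny", " classifier virus behavior virus_deny",
    "interface GigabitEthernet0/0/1", " traffic-policy virus_deny inbound",
    "interface GigabitEthernet0/0/2"])
```

Every interface section without the policy is listed, logical interfaces included, so filter the result to the ports you intend to protect.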
