Configuration notes for restricting ports with ACLs on access switches from several vendors

Source: Internet  Editor: 程序博客网  Time: 2024/06/05 02:54

Over the past few days, in response to the "ransomware" outbreak, networks all over the world have been blocking port 445, and my workplace took the opportunity to clean up its access switches as well. The solutions are summarised below in the hope that they help colleagues who need them.

Device 1: H3C S3528

Version information:

Huawei Versatile Routing Platform Software
VRP Software, Version 5.20, Release 5309
Copyright (c) 1998-2009 Huawei Tech. Co., Ltd. All rights reserved.
Quidway S3528P-EA uptime is 155 weeks, 3 days, 4 hours, 51 minutes

Quidway S3528P-EA
128M    bytes DRAM
32M     bytes Flash Memory
Config Register points to FLASH

Hardware Version is REV.D
CPLD Version is CPLD 002
Bootrom Version is 206
[SubSlot  0] 24FE Hardware Version is REV.D
[SubSlot  1]  4GE Hardware Version is REV.D

Configuration steps:

1. Create the ACL that restricts the specified ports (note: if a final any-to-any permit or deny rule is added while the traffic behaviour is configured with filter deny, the switch will drop all traffic)

    acl number 3200
        rule 0 deny tcp destination-port eq 135
        rule 5 deny tcp destination-port eq 136
        rule 10 deny tcp destination-port eq 137
        rule 15 deny tcp destination-port eq 138
        rule 20 deny tcp destination-port eq 139
        rule 25 deny tcp destination-port eq 445
        rule 30 deny udp destination-port eq 445
2. Tie the ACL in through a traffic classifier, a traffic behaviour and a QoS policy

    1) Traffic classifier:

        traffic classifier AntiVirus operator and
            if-match acl 3200

    (Note: the classifier name (AntiVirus) must not contain special characters, otherwise the status check may report <Failed>.)

    2) Traffic behaviour:

        traffic behavior AntiVirus
            filter deny

    (Note: this could be set to permit, because the ACL rules are already deny. If the ACL rules were permit, this would have to be deny.)

    3) QoS policy linking the classifier and the behaviour:

        qos policy AntiVirus
            classifier AntiVirus behavior AntiVirus

3. Apply the QoS policy (choose one)

    1) Apply globally:

        qos apply policy AntiVirus global inbound

    2) Apply on a specific interface:

        interface Ethernet1/0/1
            qos apply policy AntiVirus inbound

4. Check the running state

[switch]display qos policy user-defined

 User Defined QoS Policy Information:
  Policy: AntiVirus
   Classifier: AntiVirus
     Behavior: AntiVirus
      Filter enable : deny
[switch]display traffic classifier user-defined AntiVirus

User Defined Classifier Information:
   Classifier: AntiVirus
    Operator: AND
    Rule(s) : If-match acl 3200

[switch]display traffic behavior user-defined AntiVirus

User Defined Behavior Information:
    Behavior: AntiVirus
      Filter enable : deny

[switch]dis qos policy interface inbound

  Interface: Ethernet1/0/1

  Direction: Inbound

  Policy: AntiVirus
   Classifier: AntiVirus
     Operator: AND
     Rule(s) : If-match acl 3200
     Behavior: AntiVirus
      Filter Enable: deny

[switch] dis qos policy global inbound

  Direction: Inbound

  Policy: AntiVirus
   Classifier: AntiVirus
     Operator: AND
     Rule(s) : If-match acl 3200
     Behavior: AntiVirus
      Filter Enable: deny

Device 2: Huawei S3700

Version information:

Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.70 (S3700 V100R005C01)
Copyright (C) 2003-2010 HUAWEI TECH CO., LTD
Quidway S3700-52P-SI-AC Routing Switch uptime is 189 weeks, 2 days, 22 hours, 20 minutes

EMFEA 0(Master) : uptime is 189 weeks, 2 days, 22 hours, 19 minutes
128M bytes DDR Memory
16M bytes FLASH
Pcb      Version :  VER B
Basic  BOOTROM  Version :  229 Compiled at Aug 24 2010, 21:59:42
Software Version : VRP (R) Software, Version 5.70 (S3700 V100R005C01)

Configuration steps:

1. Create the ACL

    acl number 3200
        rule 0 deny tcp destination-port eq 135
        rule 5 deny tcp destination-port eq 136
        rule 10 deny tcp destination-port eq 137
        rule 15 deny tcp destination-port eq 138
        rule 20 deny tcp destination-port eq 139
        rule 25 deny tcp destination-port eq 445
        rule 30 deny udp destination-port eq 445

2. Tie the ACL in through a traffic classifier, a traffic behaviour and a QoS (traffic) policy

    1) Traffic classifier:

        traffic classifier AntiVirus
            if-match acl 3200

    2) Traffic behaviour:

        traffic behavior AntiVirus
            filter deny

    (Note: this could be set to permit, because the ACL rules are already deny. If the ACL rules were permit, this would have to be deny.)

    3) Traffic policy linking the classifier and the behaviour:

        traffic policy AntiVirus
            classifier AntiVirus behavior AntiVirus

3. Apply the traffic policy (choose one)

    1) Apply globally:

        traffic-policy AntiVirus global inbound

    2) Apply on a specific interface:

        interface Ethernet1/0/1
            traffic-policy AntiVirus inbound
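The H3C and Huawei procedures above use the same ACL syntax, so here is an added Python audit (not from the original post) that parses an ACL 3200 block pasted from either switch, checks that every NetBIOS/SMB port the post blocks is covered, and flags a trailing catch-all rule, which the post warns will cut the segment off when the behaviour is filter deny. The sample ACL text is constructed from the post's configuration.

```python
import re

# Ports the post's ACL 3200 is meant to block (NetBIOS/SMB, the WannaCry vector).
REQUIRED = {("tcp", 135), ("tcp", 136), ("tcp", 137), ("tcp", 138),
            ("tcp", 139), ("tcp", 445), ("udp", 445)}

RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+(tcp|udp|ip)"
    r"(?:\s+destination-port\s+eq\s+(\d+))?\s*$")

def parse_acl(text):
    """Return [(rule_id, action, proto, dport_or_None)] from a Comware/VRP ACL block."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rid, action, proto, port = m.groups()
            rules.append((int(rid), action, proto, int(port) if port else None))
    return sorted(rules)

def audit_acl(text):
    """Report required ports missing from the ACL and rules with no port match.

    Per the post's note, with 'filter deny' in the behaviour a rule that matches
    any-to-any traffic (no destination-port) drops everything, so such rules are
    listed as catch_all regardless of whether they say permit or deny.
    """
    rules = parse_acl(text)
    covered = {(proto, dport) for _, _, proto, dport in rules if dport is not None}
    return {"missing": sorted(REQUIRED - covered),
            "catch_all": [r for r in rules if r[3] is None],
            "rules": len(rules)}

# Constructed sample: the post's ACL verbatim, plus a variant with a trailing any-to-any rule.
PAGE_ACL = """acl number 3200
 rule 0 deny tcp destination-port eq 135
 rule 5 deny tcp destination-port eq 136
 rule 10 deny tcp destination-port eq 137
 rule 15 deny tcp destination-port eq 138
 rule 20 deny tcp destination-port eq 139
 rule 25 deny tcp destination-port eq 445
 rule 30 deny udp destination-port eq 445
"""
BROKEN_ACL = PAGE_ACL + " rule 35 permit ip\n"

if __name__ == "__main__":
    print("page ACL:", audit_acl(PAGE_ACL))
    print("with catch-all:", audit_acl(BROKEN_ACL))
```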

Device 3: ZTE ZXR10 2952-SI

Version information:

    ZXR10 Router Operating System Software, ZTE Corporation:
    ZXR10 2952-SI Version Number   : 29SI Series V2.0.12.R
    Copyright (c) 2001-2010 By ZTE Corporation
    Compiled: 10:45:50 Jan  8 2010
    System uptime is  0 years 5 days 3 hours 19 minutes 7 seconds

    Main processor      : ARM 9 SERIES
    Bootrom Version     : V1.0       Creation Date : 2009.9.25
    System Memory       : 32 M bytes System Flash  : 4 M bytes
    Epld Version        : V1.0 FPGA Version (Dno.) : NONE
    PCB  Version (Dno.) : V60404.0
    Switch's Mac Address: 00.22.93.55.40.45

    Module 0:      ZXR10 2952-SI; fasteth: 48; gbit: 0;
    Module 1:       COPPER 1000M; fasteth:  0; gbit: 1;
    Module 2:       COPPER 1000M; fasteth:  0; gbit: 1;
    Module 3:        FIBER 1000M; fasteth:  0; gbit: 1;
    Module 4:        FIBER 1000M; fasteth:  0; gbit: 1;

Configuration steps:

1. Create the ACL

    >en
    (cfg)#config acl extend number 168
    (extend-acl-group)#rule 5 deny tcp any any dest-port 445 65535
    (extend-acl-group)#rule 10 deny tcp any any dest-port 139 65535
    (extend-acl-group)#rule 15 deny tcp any any dest-port 138 65535
    (extend-acl-group)#rule 20 deny tcp any any dest-port 137 65535
    (extend-acl-group)#rule 25 deny tcp any any dest-port 136 65535
    (extend-acl-group)#rule 30 deny tcp any any dest-port 135 65535
    (extend-acl-group)#rule 100 permit ip any any
    (extend-acl-group)#exit
    (cfg)#set acl 168 name AntiVirus

(A special note on the 65535 after each port: it is the port mask, and 65535 is normally what you use.)

2. Apply the ACL on the ports

    (cfg)#set port 1-50 acl 168 enable
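An added Python evaluator (not from the original post) for the ZXR10 extended ACL above: it parses the rule lines out of a pasted session, applies the port mask the post mentions, and walks the rules in ascending number order to find the first match. Two assumptions are labelled in the code: rules are evaluated in rule-number order, and a mask of 65535 means an exact port match while a cleared mask bit is a don't-care bit. Evaluating a UDP/445 packet also shows that this list, unlike the H3C/Huawei ACL, contains only TCP rules, so such traffic falls through to rule 100.

```python
import re

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+(tcp|udp|ip)\s+any\s+any"
    r"(?:\s+dest-port\s+(\d+)\s+(\d+))?")

def parse_zte_acl(session):
    """Return [(rule_id, action, proto, (port, mask) or None)]; CLI prompts are ignored."""
    rules = []
    for line in session.splitlines():
        m = RULE_RE.search(line)
        if m:
            rid, action, proto, port, mask = m.groups()
            spec = None if port is None else (int(port), int(mask))
            rules.append((int(rid), action, proto, spec))
    return sorted(rules)  # assumption: evaluated in ascending rule-number order

def port_matches(dport, spec):
    """Assumed mask semantics: compare only the bits set in the mask (65535 = exact match)."""
    if spec is None:
        return True
    base, mask = spec
    return (dport & mask) == (base & mask)

def evaluate(rules, proto, dport):
    """First-match evaluation; returns (action, rule_id) or ('no-match', None)."""
    for rid, action, rproto, spec in rules:
        if rproto in (proto, "ip") and port_matches(dport, spec):
            return action, rid
    return "no-match", None

# Constructed sample session, taken from the post's ZXR10 commands.
PAGE_SESSION = """(cfg)#config acl extend number 168
(extend-acl-group)#rule 5 deny tcp any any dest-port 445 65535
(extend-acl-group)#rule 10 deny tcp any any dest-port 139 65535
(extend-acl-group)#rule 15 deny tcp any any dest-port 138 65535
(extend-acl-group)#rule 20 deny tcp any any dest-port 137 65535
(extend-acl-group)#rule 25 deny tcp any any dest-port 136 65535
(extend-acl-group)#rule 30 deny tcp any any dest-port 135 65535
(extend-acl-group)#rule 100 permit ip any any
"""

if __name__ == "__main__":
    acl = parse_zte_acl(PAGE_SESSION)
    for proto, port in (("tcp", 445), ("tcp", 80), ("udp", 445)):
        print(proto, port, "->", evaluate(acl, proto, port))
```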
