Configuring port-blocking ACLs on access switches from several vendors
Source: Internet  Editor: 程序博客网  Time: 2024/06/05 02:54
Over the past few days, because of the ransomware outbreak, port 445 has been getting blocked everywhere in the world, and my workplace used this opportunity to deal with it on the access switches as well. I summarise the solutions below in the hope that they help colleagues who need them.
Device one: H3C S3528
Version information:
Huawei Versatile Routing Platform Software
VRP Software, Version 5.20, Release 5309
Copyright (c) 1998-2009 Huawei Tech. Co., Ltd. All rights reserved.
Quidway S3528P-EA uptime is 155 weeks, 3 days, 4 hours, 51 minutes
Quidway S3528P-EA
128M bytes DRAM
32M bytes Flash Memory
Config Register points to FLASH
Hardware Version is REV.D
CPLD Version is CPLD 002
Bootrom Version is 206
[SubSlot 0] 24FE Hardware Version is REV.D
[SubSlot 1] 4GE Hardware Version is REV.D
Configuration steps:
1. Create an ACL that blocks the specified ports (Note: if an any-to-any permit or deny rule is appended at the end, configuring filter deny in the traffic behavior will cut off the network)
acl number 3200
rule 0 deny tcp destination-port eq 135
rule 5 deny tcp destination-port eq 136
rule 10 deny tcp destination-port eq 137
rule 15 deny tcp destination-port eq 138
rule 20 deny tcp destination-port eq 139
rule 25 deny tcp destination-port eq 445
rule 30 deny udp destination-port eq 445
2. Bind them together with a traffic classifier, a traffic behavior and a QoS policy
1) Traffic classifier:
traffic classifier AntiVirus operator and  (Note: the classifier name, AntiVirus here, must not contain special characters, otherwise the status check may report <Failed>)
if-match acl 3200
2) Traffic behavior:
traffic behavior AntiVirus
filter deny  (Note: this may be set to permit, because the ACL rules are already deny. If the ACL rules are permit, this must be set to deny)
3) QoS policy binding the classifier to the behavior
qos policy AntiVirus
classifier AntiVirus behavior AntiVirus
3. Apply the QoS policy (choose one of the two)
1) Apply globally
qos apply policy AntiVirus global inbound
2) Apply on a specific interface
interface Ethernet1/0/1
qos apply policy AntiVirus inbound
4. Check the running state
[switch]display qos policy user-defined
User Defined QoS Policy Information:
Policy: AntiVirus
Classifier: AntiVirus
Behavior: AntiVirus
Filter enable : deny
[switch]display traffic classifier user-defined AntiVirus
User Defined Classifier Information:
Classifier: AntiVirus
Operator: AND
Rule(s) : If-match acl 3200
[switch]display traffic behavior user-defined AntiVirus
User Defined Behavior Information:
Behavior: AntiVirus
Filter enable : deny
[switch]dis qos policy interface inbound
Interface: Ethernet1/0/1
Direction: Inbound
Policy: AntiVirus
Classifier: AntiVirus
Operator: AND
Rule(s) : If-match acl 3200
Behavior: AntiVirus
Filter Enable: deny
[switch] dis qos policy global inbound
Direction: Inbound
Policy: AntiVirus
Classifier: AntiVirus
Operator: AND
Rule(s) : If-match acl 3200
Behavior: AntiVirus
Filter Enable: deny
Device two: Huawei S3700
Version information:
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.70 (S3700 V100R005C01)
Copyright (C) 2003-2010 HUAWEI TECH CO., LTD
Quidway S3700-52P-SI-AC Routing Switch uptime is 189 weeks, 2 days, 22 hours, 20 minutes
EMFEA 0(Master) : uptime is 189 weeks, 2 days, 22 hours, 19 minutes
128M bytes DDR Memory
16M bytes FLASH
Pcb Version : VER B
Basic BOOTROM Version : 229 Compiled at Aug 24 2010, 21:59:42
Software Version : VRP (R) Software, Version 5.70 (S3700 V100R005C01)
Configuration steps:
1. Create the ACL
acl number 3200
rule 0 deny tcp destination-port eq 135
rule 5 deny tcp destination-port eq 136
rule 10 deny tcp destination-port eq 137
rule 15 deny tcp destination-port eq 138
rule 20 deny tcp destination-port eq 139
rule 25 deny tcp destination-port eq 445
rule 30 deny udp destination-port eq 445
2. Bind them together with a traffic classifier, a traffic behavior and a QoS policy
1) Traffic classifier:
traffic classifier AntiVirus
if-match acl 3200
2) Traffic behavior:
traffic behavior AntiVirus
filter deny  (Note: this may be set to permit, because the ACL rules are already deny. If the ACL rules are permit, this must be set to deny)
3) QoS policy binding the classifier to the behavior
traffic policy AntiVirus
classifier AntiVirus behavior AntiVirus
3. Apply the QoS policy (choose one of the two)
1) Apply globally
traffic-policy AntiVirus global inbound
2) Apply on a specific interface
interface Ethernet1/0/1
traffic-policy AntiVirus inbound
Device three: ZTE ZXR10 2952-SI
Version information:
ZXR10 Router Operating System Software, ZTE Corporation:
ZXR10 2952-SI Version Number : 29SI Series V2.0.12.R
Copyright (c) 2001-2010 By ZTE Corporation
Compiled: 10:45:50 Jan 8 2010
System uptime is 0 years 5 days 3 hours 19 minutes 7 seconds
Main processor : ARM 9 SERIES
Bootrom Version : V1.0 Creation Date : 2009.9.25
System Memory : 32 M bytes System Flash : 4 M bytes
Epld Version : V1.0 FPGA Version (Dno.) : NONE
PCB Version (Dno.) : V60404.0
Switch's Mac Address: 00.22.93.55.40.45
Module 0: ZXR10 2952-SI; fasteth: 48; gbit: 0;
Module 1: COPPER 1000M; fasteth: 0; gbit: 1;
Module 2: COPPER 1000M; fasteth: 0; gbit: 1;
Module 3: FIBER 1000M; fasteth: 0; gbit: 1;
Module 4: FIBER 1000M; fasteth: 0; gbit: 1;
Configuration steps:
1. Create the ACL
>en
(cfg)#config acl extend number 168
(extend-acl-group)#rule 5 deny tcp any any dest-port 445 65535  (A note on the 65535 here: it is the port mask, and 65535 is normally what you use)
(extend-acl-group)#rule 10 deny tcp any any dest-port 139 65535
(extend-acl-group)# rule 15 deny tcp any any dest-port 138 65535
(extend-acl-group)# rule 20 deny tcp any any dest-port 137 65535
(extend-acl-group)#rule 25 deny tcp any any dest-port 136 65535
(extend-acl-group)# rule 30 deny tcp any any dest-port 135 65535
(extend-acl-group)#rule 100 permit ip any any
(extend-acl-group)#exit
(cfg)#set acl 168 name AntiVirus
2. Apply the ACL on the ports
(cfg)#set port 1-50 acl 168 enable
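Three vendors, two rule syntaxes, and the same goal: make sure every (protocol, port) pair the post blocks really is denied, and that no any-to-any rule slipped into a Comware ACL that is bound to a filter-deny behavior. The small audit script below is an added example written for this page; it is not the post's own code or any vendor tool. It parses Comware-style rules (H3C and Huawei, `destination-port eq N`) and ZXR10-style rules (ZTE, `dest-port N MASK`), reports which required pairs are missing, and flags the any-to-any trap the post warns about. The sample ACL texts are constructed from the snippets above; the vendor names "comware" and "zxr10" are labels chosen here.

```python
import re
from typing import Dict, List, Set, Tuple

# (protocol, port) pairs the post blocks on the Comware devices:
# NetBIOS/SMB over TCP plus UDP 445.
REQUIRED: Set[Tuple[str, int]] = {("tcp", p) for p in (135, 136, 137, 138, 139, 445)} | {("udp", 445)}

# Common rule prefix; the leading prompt such as "(extend-acl-group)#" is tolerated.
RULE = re.compile(r"\brule\s+\d+\s+(permit|deny)\s+(tcp|udp|ip)\b(.*)$", re.IGNORECASE)

# Vendor-specific destination-port syntax ("comware"/"zxr10" are labels chosen here).
PORT_BY_VENDOR = {
    "comware": re.compile(r"destination-port\s+eq\s+(\d+)", re.IGNORECASE),   # H3C / Huawei
    "zxr10": re.compile(r"dest-port\s+(\d+)\s+(\d+)", re.IGNORECASE),         # ZTE: port + mask
}


def audit_acl(config: str, vendor: str) -> Dict[str, object]:
    """Return the denied (proto, port) pairs, the required pairs still missing,
    and warnings about rules that the post says are dangerous."""
    port_re = PORT_BY_VENDOR[vendor]
    blocked: Set[Tuple[str, int]] = set()
    warnings: List[str] = []
    for line in config.splitlines():
        m = RULE.search(line)
        if not m:
            continue
        action, proto, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
        pm = port_re.search(rest)
        if pm is None:
            # No destination port: the rule matches all traffic of that protocol.
            # On Comware, such an any-to-any rule bound to "filter deny" cuts off
            # the network (the caveat from the H3C section of the post).
            if vendor == "comware":
                warnings.append(f"any-to-any {action} rule will disrupt traffic under filter deny: {line.strip()}")
            continue
        port = int(pm.group(1))
        if vendor == "zxr10" and int(pm.group(2)) != 65535:
            # A mask other than 65535 is not an exact port match.
            warnings.append(f"port mask {pm.group(2)} is not an exact match: {line.strip()}")
        if action == "deny":
            blocked.add((proto, port))
    return {"blocked": blocked, "missing": sorted(REQUIRED - blocked), "warnings": warnings}


# Constructed sample: the H3C / Huawei ACL from the post.
COMWARE_ACL = """acl number 3200
rule 0 deny tcp destination-port eq 135
rule 5 deny tcp destination-port eq 136
rule 10 deny tcp destination-port eq 137
rule 15 deny tcp destination-port eq 138
rule 20 deny tcp destination-port eq 139
rule 25 deny tcp destination-port eq 445
rule 30 deny udp destination-port eq 445
"""

# Constructed sample: the ZTE ZXR10 ACL from the post (note: no UDP 445 rule).
ZXR10_ACL = """(cfg)#config acl extend number 168
(extend-acl-group)#rule 5 deny tcp any any dest-port 445 65535
(extend-acl-group)#rule 10 deny tcp any any dest-port 139 65535
(extend-acl-group)# rule 15 deny tcp any any dest-port 138 65535
(extend-acl-group)# rule 20 deny tcp any any dest-port 137 65535
(extend-acl-group)#rule 25 deny tcp any any dest-port 136 65535
(extend-acl-group)# rule 30 deny tcp any any dest-port 135 65535
(extend-acl-group)#rule 100 permit ip any any
"""

if __name__ == "__main__":
    for name, text, vendor in (("H3C/Huawei", COMWARE_ACL, "comware"), ("ZTE", ZXR10_ACL, "zxr10")):
        report = audit_acl(text, vendor)
        print(name, "missing:", report["missing"], "warnings:", report["warnings"])
```

Run against the post's own snippets, the Comware ACL covers every required pair with no warnings, while the ZTE ACL reports `("udp", 445)` as missing, since that section only lists TCP rules; appending a port-less `rule 35 permit ip` to the Comware ACL produces the any-to-any warning.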