Over the past few days, because of the ransomware outbreak, everyone around the world has been restricting port 445, and my workplace took the opportunity to handle this on its access switches as well. The solutions are summarized below in the hope that they help colleagues who need them.
Device 1: H3C S3528
Version information:
Huawei Versatile Routing Platform Software
VRP Software, Version 5.20, Release 5309
Copyright (c) 1998-2009 Huawei Tech. Co., Ltd. All rights reserved.
Quidway S3528P-EA uptime is 155 weeks, 3 days, 4 hours, 51 minutes
Quidway S3528P-EA
128M bytes DRAM
32M bytes Flash Memory
Config Register points to FLASH
Hardware Version is REV.D
CPLD Version is CPLD 002
Bootrom Version is 206
[SubSlot 0] 24FE Hardware Version is REV.D
[SubSlot 1] 4GE Hardware Version is REV.D
Configuration method:
1. Create an ACL that restricts the specified ports (note: if an any-to-any permit or deny rule is appended at the end while the traffic behavior is configured with filter deny, the network will be cut off)
acl number 3200
rule 0 deny tcp destination-port eq 135
rule 5 deny tcp destination-port eq 136
rule 10 deny tcp destination-port eq 137
rule 15 deny tcp destination-port eq 138
rule 20 deny tcp destination-port eq 139
rule 25 deny tcp destination-port eq 445
rule 30 deny udp destination-port eq 445
2. Tie the pieces together with a traffic classifier, a traffic behavior and a QoS policy
1) Traffic classifier:
traffic classifier AntiVirus operator and (Note: the name here, the italicized one, must not contain special characters, otherwise the status check may show
if-match acl 3200
2) Traffic behavior:
traffic behavior AntiVirus
filter deny (Note: this can be set to permit, because the ACL already specifies deny. If the ACL is set to permit, this must be set to deny)
3) QoS policy binding the classifier to the behavior
qos policy AntiVirus
classifier AntiVirus behavior AntiVirus
3. Apply the QoS policy (choose one of the two)
1) Apply globally
qos apply policy AntiVirus global inbound
2) Apply on a specific interface
interface Ethernet1/0/1
qos apply policy AntiVirus inbound
4. Check the running status
[switch]display qos policy user-defined
User Defined QoS Policy Information:
Policy: AntiVirus
Classifier: AntiVirus
Behavior: AntiVirus
Filter enable : deny
[switch]display traffic classifier user-defined AntiVirus
User Defined Classifier Information:
Classifier: AntiVirus
Operator: AND
Rule(s) : If-match acl 3200
[switch]display traffic behavior user-defined AntiVirus
User Defined Behavior Information:
Behavior: AntiVirus
Filter enable : deny
[switch]dis qos policy interface inbound
Interface: Ethernet1/0/1
Direction: Inbound
Policy: AntiVirus
Classifier: AntiVirus
Operator: AND
Rule(s) : If-match acl 3200
Behavior: AntiVirus
Filter Enable: deny
[switch] dis qos policy global inbound
Direction: Inbound
Policy: AntiVirus
Classifier: AntiVirus
Operator: AND
Rule(s) : If-match acl 3200
Behavior: AntiVirus
Filter Enable: deny
Device 2: Huawei S3700
Version information:
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.70 (S3700 V100R005C01)
Copyright (C) 2003-2010 HUAWEI TECH CO., LTD
Quidway S3700-52P-SI-AC Routing Switch uptime is 189 weeks, 2 days, 22 hours, 20 minutes
EMFEA 0(Master) : uptime is 189 weeks, 2 days, 22 hours, 19 minutes
128M bytes DDR Memory
16M bytes FLASH
Pcb Version : VER B
Basic BOOTROM Version : 229 Compiled at Aug 24 2010, 21:59:42
Software Version : VRP (R) Software, Version 5.70 (S3700 V100R005C01)
Configuration method:
1. Create an ACL
acl number 3200
rule 0 deny tcp destination-port eq 135
rule 5 deny tcp destination-port eq 136
rule 10 deny tcp destination-port eq 137
rule 15 deny tcp destination-port eq 138
rule 20 deny tcp destination-port eq 139
rule 25 deny tcp destination-port eq 445
rule 30 deny udp destination-port eq 445
2. Tie the pieces together with a traffic classifier, a traffic behavior and a QoS policy
1) Traffic classifier:
traffic classifier AntiVirus
if-match acl 3200
2) Traffic behavior:
traffic behavior AntiVirus
filter deny (Note: this can be set to permit, because the ACL already specifies deny. If the ACL is set to permit, this must be set to deny)
3) QoS policy binding the classifier to the behavior
traffic policy AntiVirus
classifier AntiVirus behavior AntiVirus
3. Apply the QoS policy (choose one of the two)
1) Apply globally
traffic-policy AntiVirus global inbound
2) Apply on a specific interface
interface Ethernet1/0/1
traffic-policy AntiVirus inbound
Device 3: ZTE ZXR10 2952-SI
Version information:
ZXR10 Router Operating System Software, ZTE Corporation:
ZXR10 2952-SI Version Number : 29SI Series V2.0.12.R
Copyright (c) 2001-2010 By ZTE Corporation
Compiled: 10:45:50 Jan 8 2010
System uptime is 0 years 5 days 3 hours 19 minutes 7 seconds
Main processor : ARM 9 SERIES
Bootrom Version : V1.0 Creation Date : 2009.9.25
System Memory : 32 M bytes System Flash : 4 M bytes
Epld Version : V1.0 FPGA Version (Dno.) : NONE
PCB Version (Dno.) : V60404.0
Switch's Mac Address: 00.22.93.55.40.45
Module 0: ZXR10 2952-SI; fasteth: 48; gbit: 0;
Module 1: COPPER 1000M; fasteth: 0; gbit: 1;
Module 2: COPPER 1000M; fasteth: 0; gbit: 1;
Module 3: FIBER 1000M; fasteth: 0; gbit: 1;
Module 4: FIBER 1000M; fasteth: 0; gbit: 1;
Configuration method:
1. Create an ACL
>en
(cfg)#config acl extend number 168
(extend-acl-group)#rule 5 deny tcp any any dest-port 445 65535 (a word about the 65535 here: it is the port mask, and in general 65535 is all you need)
(extend-acl-group)#rule 10 deny tcp any any dest-port 139 65535
(extend-acl-group)# rule 15 deny tcp any any dest-port 138 65535
(extend-acl-group)# rule 20 deny tcp any any dest-port 137 65535
(extend-acl-group)#rule 25 deny tcp any any dest-port 136 65535
(extend-acl-group)# rule 30 deny tcp any any dest-port 135 65535
(extend-acl-group)#rule 100 permit ip any any
(extend-acl-group)#exit
(cfg)#set acl 168 name AntiVirus
2. Apply the ACL on the ports
(cfg)#set port 1-50 acl 168 enable
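The three command sets above differ only in syntax, so the following added example (written for this page, not code from the original post or from any vendor) builds all three from one port list and flags the catch-all rule the H3C note warns about. The ACL numbers, policy name, interface and port range are the page's values used as defaults; the "h3c"/"huawei" platform tags are assumptions of this script.

```python
import re
from typing import List

TCP_PORTS = (135, 136, 137, 138, 139, 445)   # NetBIOS/SMB ports blocked on the page
UDP_PORTS = (445,)


def comware_config(platform: str, acl: int = 3200, name: str = "AntiVirus",
                   interface: str = "Ethernet1/0/1", apply_global: bool = False) -> List[str]:
    """ACL + classifier/behavior/policy for 'h3c' (Comware 5) or 'huawei' (VRP 5.70)."""
    if platform not in ("h3c", "huawei"):
        raise ValueError(f"unknown platform {platform!r}")
    lines, seq = [f"acl number {acl}"], 0
    for proto, ports in (("tcp", TCP_PORTS), ("udp", UDP_PORTS)):
        for port in ports:
            lines.append(f" rule {seq} deny {proto} destination-port eq {port}")
            seq += 5
    # No trailing 'rule N permit/deny ip' catch-all on purpose: combined with
    # 'filter deny' it would match every packet and cut the link (the page's caveat).
    h3c = platform == "h3c"
    lines += [f"traffic classifier {name}" + (" operator and" if h3c else ""),
              f" if-match acl {acl}", f"traffic behavior {name}", " filter deny",
              f"{'qos policy' if h3c else 'traffic policy'} {name}",
              f" classifier {name} behavior {name}"]
    apply_cmd = "qos apply policy" if h3c else "traffic-policy"
    if apply_global:
        lines.append(f"{apply_cmd} {name} global inbound")
    else:
        lines += [f"interface {interface}", f" {apply_cmd} {name} inbound"]
    return lines


def zxr10_config(acl: int = 168, name: str = "AntiVirus", ports: str = "1-50") -> List[str]:
    """ZTE ZXR10 2952: a plain extended ACL, so here the closing permit-any IS required."""
    lines = [f"config acl extend number {acl}"]
    for i, port in enumerate(reversed(TCP_PORTS), start=1):
        # the trailing 65535 is the port mask (exact match), as the page notes
        lines.append(f" rule {i * 5} deny tcp any any dest-port {port} 65535")
    lines += [" rule 100 permit ip any any", " exit",
              f"set acl {acl} name {name}", f"set port {ports} acl {acl} enable"]
    return lines


def catch_all_rules(lines: List[str]) -> List[str]:
    """ACL rules that match all IP traffic: fine on the ZXR10, link-killing on the QoS platforms."""
    hits = []
    for line in lines:
        m = re.match(r"\s*rule \d+ (?:permit|deny) ip\b(.*)$", line)
        if m and set(m.group(1).split()) <= {"any"}:
            hits.append(line.strip())
    return hits
```

Run catch_all_rules() over the H3C or Huawei ACL before pasting it: an empty list means the "filter deny" outage described above cannot be triggered by a catch-all rule.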