How to configure anti-virus access control on the NE80E

Configuring anti-virus filtering on the NE80E

acl number 3000                                                                
 description ANTI-VIRUS                                                        
 rule 1 deny tcp destination-port eq 135                                       
 rule 2 deny tcp destination-port eq 137                                       
 rule 3 deny tcp destination-port eq 138                                       
 rule 4 deny tcp destination-port eq 139                                       
 rule 5 deny tcp destination-port eq 445                                       
 rule 6 deny tcp destination-port eq 5554                                      
 rule 7 deny tcp destination-port eq 901                                       
 rule 8 deny tcp destination-port eq 2745                                      
 rule 9 deny tcp destination-port eq 3127                                      
 rule 10 deny tcp destination-port eq 3128                                     
 rule 11 deny tcp destination-port eq 6129                                     
 rule 12 deny tcp destination-port eq 6667                                     
 rule 13 deny tcp destination-port eq 4444                                     
 rule 14 deny tcp destination-port eq 1025                                     
 rule 15 deny tcp destination-port eq 593                                      
 rule 16 deny udp destination-port eq 135                                      
 rule 17 deny udp destination-port eq netbios-ns                               
 rule 18 deny udp destination-port eq netbios-dgm                              
 rule 19 deny udp destination-port eq netbios-ssn                              
 rule 20 deny udp destination-port eq 445                                      
 rule 21 deny udp destination-port eq 9995                                     
 rule 22 deny udp destination-port eq 9996                                     
 rule 23 deny udp destination-port eq 1434                                     
 rule 40 permit ip                                  % This rule is required: it permits all other packets %
#
traffic classifier anti_virus operator and                                     
   if-match acl 3000
#
traffic behavior anti_virus                       % The default action here is permit %
#
traffic policy anti
   classifier anti_virus behavior anti_virus
#   
interface GigabitEthernet2/0/0
   traffic-policy anti inbound
 
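  This configuration associates the ACL with a traffic policy. Flows that the ACL denies are dropped. The ACL must also contain permit ip source any dest any so that all other traffic can pass. The traffic behavior that follows simply uses the default permit action. If a deny action is added to the traffic behavior, services will be interrupted.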
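A small offline check of the logic described above, as an added example that is not part of the original post or of any Huawei tooling. It assumes the configuration is available as text, that a deny action in a traffic behavior appears as an indented `deny` line, and that `SAMPLE` is a constructed excerpt of the ACL; `no-match` marks traffic that no explicit rule covers.

```python
import re

# Constructed excerpt of the ACL above (not the full rule list).
SAMPLE = """\
acl number 3000
 rule 1 deny tcp destination-port eq 135
 rule 5 deny tcp destination-port eq 445
 rule 17 deny udp destination-port eq netbios-ns
 rule 23 deny udp destination-port eq 1434
 rule 40 permit ip
traffic behavior anti_virus
"""

NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}
RULE_RE = re.compile(r"^\s*rule (\d+) (permit|deny) (\S+)(?: destination-port eq (\S+))?")

def parse_rules(config):
    """Return ACL rules as (id, action, protocol, port-or-None), sorted by rule id."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line)
        if m:
            rid, action, proto, port = m.groups()
            if port is not None:
                port = NAMED_PORTS.get(port) or int(port)
            rules.append((int(rid), action, proto, port))
    return sorted(rules)

def behavior_denies(config):
    """True if a 'deny' line appears inside a traffic behavior block."""
    in_behavior = False
    for line in config.splitlines():
        if line.startswith("traffic behavior"):
            in_behavior = True
        elif not line.startswith(" "):
            in_behavior = False
        elif in_behavior and line.strip() == "deny":
            return True
    return False

def verdict(config, proto, dport):
    """First matching rule wins. Following the explanation on this page: an ACL deny
    is dropped, and an ACL permit is forwarded unless the behavior itself denies."""
    for _, action, rproto, rport in parse_rules(config):
        if rproto in ("ip", proto) and rport in (None, dport):
            if action == "deny" or behavior_denies(config):
                return "drop"
            return "forward"
    return "no-match"
```

Running `verdict` over a list of ports the business actually uses, before the policy is applied to an interface, shows whether any of them would be dropped by one of the deny rules.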

   For details, see http://support.huawei.com/support/pages/kbcenter/view/product.do?actionFlag=searchManualContents&web_doc_id=SC0000594258&material_type=ProductManual&part_no=10092

 
