[Notes] Blocking dangerous ports and rate-limiting on a Huawei switch (MQC & ACL)

Step 1: create an advanced ACL on the switch (keep in mind that a Huawei ACL permits by default: traffic that matches no rule is simply left alone, so the rules below only select the traffic to be dropped, and they are written as permit rules because the drop itself is done by the Deny traffic behavior that the policy in step 3 binds to this ACL)

acl name Site-Security-Type1 3998
 rule 5 permit tcp destination-port eq 135
 rule 10 permit tcp destination-port eq 137
 rule 15 permit tcp destination-port eq 138
 rule 20 permit tcp destination-port eq 139
 rule 25 permit tcp destination-port eq 145
 rule 30 permit tcp destination-port eq 1723
 rule 35 permit udp destination-port eq 135
 rule 40 permit udp destination-port eq netbios-ns
 rule 45 permit udp destination-port eq netbios-dgm
 rule 50 permit udp destination-port eq netbios-ssn
 rule 55 permit udp destination-port eq 145
 rule 60 permit udp destination-port eq 1723
 rule 65 permit tcp destination-port eq pop2
 rule 70 permit tcp destination-port eq pop3
 rule 75 permit tcp destination-port eq smtp

Notes on the list: 3998 falls in the advanced-ACL number range (3000-3999). TCP/UDP 135 is the Windows RPC endpoint mapper, 137-139 are NetBIOS (netbios-ns, netbios-dgm, netbios-ssn are the same three ports by name) and 1723 is PPTP. Port 145, listed for both TCP and UDP, is not a well-known Windows service port; the port normally blocked alongside 135-139 is 445 (SMB/CIFS), so check whether 145 is a typo before copying these rules. Blocking pop2/pop3/smtp also cuts off legitimate mail clients on the port, which is a deliberate choice for an access port but worth confirming.

Step 2: create the traffic classifiers (Site-Security-Type1 matches the ACL above; all, with if-match any, catches everything else so that the rate limiter from step 3 can be applied to the remaining traffic)

traffic classifier Site-Security-Type1 operator and
 if-match acl Site-Security-Type1
traffic classifier all operator and
 if-match any

Step 3: create the traffic behaviors

traffic behavior Deny
 deny
traffic behavior P10MP15M-1
 car cir 10240 pir 15360 cbs 1280000 pbs 1920000 green pass yellow pass remark-dscp 18 red discard
 statistic enable
#traffic behavior PASS
# permit

The two lines prefixed with # are a plain permit behavior that was left commented out; the policy below does not use it. In the car line, cir and pir are in kbit/s (10240 = 10 Mbit/s committed, 15360 = 15 Mbit/s peak) and cbs and pbs are in bytes; each burst size here is exactly one second of its rate (10240 × 1000 ÷ 8 = 1,280,000 bytes, 15360 × 1000 ÷ 8 = 1,920,000 bytes). Traffic within CIR (green) passes untouched, traffic between CIR and PIR (yellow) passes but is re-marked to DSCP 18 (AF21) so that an upstream device drops it first under congestion, and traffic above PIR (red) is discarded. statistic enable makes the per-class counters available through display traffic policy statistics, which is the quickest way to confirm that the deny class is actually matching.

Step 4: bind the classifiers to the behaviors in a traffic policy and apply it on the port. Bind the blocking classifier first: a packet that matches more than one classifier gets the behavior of the first classifier bound in the policy, so if all came first every packet would only be rate-limited and the port block would never take effect.

traffic policy P10MP15M-1-Cluster
 classifier Site-Security-Type1 behavior Deny
 classifier all behavior P10MP15M-1

interface GigabitEthernet0/0/4
 description test-BSH-3F-G0
 port link-type access
 port default vlan 3525
 traffic-policy P10MP15M-1-Cluster inbound
 traffic-policy P50M outbound
 port-isolate enable group 1
 broadcast-suppression packets 10

The original snippet applied P5MP10M-1-Cluster inbound, which is not the policy defined above; the name is corrected here so that the policy created in step 4 is the one that takes effect. The outbound policy P50M is not shown on this page. Inbound is the direction that matters for the port block: the listed ports are dropped as frames enter from the access port, before they can reach the rest of VLAN 3525. port-isolate enable group 1 additionally prevents hosts on ports in isolation group 1 from reaching each other at Layer 2, and broadcast-suppression packets 10 caps broadcast traffic on the port at 10 packets per second.
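Two things go wrong most often with this four-step pattern: a name typed differently in the policy than on the interface (so the policy silently never applies), and the catch-all classifier bound ahead of the blocking one (so the port block never fires). The following linter is an added example, not code from the original post or from Huawei; it parses a config dump in the shape shown above and reports both problems. The parser is a simplified reading of VRP syntax written for this example, and the two embedded configs are constructed samples: the first mirrors the post's objects with a deliberate copy-paste mismatch in the inbound policy name, the second binds the catch-all classifier first.

```python
"""Added example, not part of the original post: a small linter for the Huawei
VRP ACL/MQC pattern above.  It parses ACLs, classifiers, behaviors, policies and
interface bindings, then reports names referenced but never defined and a
catch-all `if-match any` classifier bound ahead of a more specific one.  The
parser is a simplified reading of VRP syntax (an assumption of this example)."""

# Constructed sample in the shape of the post's config (abridged).  Deliberate
# mistake: the inbound policy name differs from the policy actually defined,
# and the outbound policy P50M is not defined at all.
POST_CONFIG = """\
acl name Site-Security-Type1 3998
 rule 5 permit tcp destination-port eq 135
 rule 40 permit udp destination-port eq netbios-ns
#
traffic classifier Site-Security-Type1 operator and
 if-match acl Site-Security-Type1
traffic classifier all operator and
 if-match any
#
traffic behavior Deny
 deny
traffic behavior P10MP15M-1
 car cir 10240 pir 15360 cbs 1280000 pbs 1920000 green pass yellow pass remark-dscp 18 red discard
 statistic enable
#
traffic policy P10MP15M-1-Cluster
 classifier Site-Security-Type1 behavior Deny
 classifier all behavior P10MP15M-1
#
interface GigabitEthernet0/0/4
 traffic-policy P5MP10M-1-Cluster inbound
 traffic-policy P50M outbound
#
"""

# Constructed variant: policy name fixed, but the catch-all classifier is bound first.
SHADOWED_CONFIG = POST_CONFIG.replace(
    " classifier Site-Security-Type1 behavior Deny\n classifier all behavior P10MP15M-1\n",
    " classifier all behavior P10MP15M-1\n classifier Site-Security-Type1 behavior Deny\n",
).replace("traffic-policy P5MP10M-1-Cluster inbound", "traffic-policy P10MP15M-1-Cluster inbound")

KINDS = {"classifier": "classifiers", "behavior": "behaviors", "policy": "policies"}


def parse(text):
    """Return config objects keyed by name; a bare '#' or blank line ends a block."""
    cfg = {k: {} for k in ("acls", "classifiers", "behaviors", "policies", "interfaces")}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            section = None
            continue
        parts = line.split()
        if not line.startswith(" "):                 # top-level command opens a block
            if parts[0] == "acl":                    # 'acl name X 3998' or 'acl [number] 3998'
                section = ("acls", parts[2] if parts[1] in ("name", "number") else parts[1])
            elif parts[0] == "traffic" and parts[1] in KINDS:
                section = (KINDS[parts[1]], parts[2])
            elif parts[0] == "interface":
                section = ("interfaces", parts[1])
            else:
                section = None
                continue
            cfg[section[0]][section[1]] = []
            continue
        if section is None:
            continue
        kind, entries = section[0], cfg[section[0]][section[1]]
        if kind == "acls" and parts[0] == "rule":
            entries.append((int(parts[1]), parts[2]))   # (rule id, permit|deny)
        elif kind == "classifiers" and parts[0] == "if-match":
            entries.append(tuple(parts[1:]))            # ('acl', name) or ('any',)
        elif kind == "behaviors":
            entries.append(parts[0])                    # deny / car / statistic ...
        elif kind == "policies" and parts[0] == "classifier":
            entries.append((parts[1], parts[3]))        # (classifier, behavior)
        elif kind == "interfaces" and parts[0] == "traffic-policy":
            entries.append((parts[1], parts[2]))        # (policy, inbound|outbound)
    return cfg


def lint(text):
    """Return a list of findings; an empty list means every reference resolves."""
    cfg = parse(text)
    findings = []
    for cname, matches in cfg["classifiers"].items():
        for m in matches:
            if m[0] == "acl" and m[1] not in cfg["acls"]:
                findings.append(f"classifier {cname}: ACL {m[1]} is not defined")
    for pname, bindings in cfg["policies"].items():
        for i, (c, b) in enumerate(bindings):
            if c not in cfg["classifiers"]:
                findings.append(f"policy {pname}: classifier {c} is not defined")
            if b not in cfg["behaviors"]:
                findings.append(f"policy {pname}: behavior {b} is not defined")
            # classifiers are evaluated in binding order: a catch-all bound first takes
            # every packet, and the port-blocking classifier after it never fires
            if ("any",) in cfg["classifiers"].get(c, []) and i < len(bindings) - 1:
                later = ", ".join(sc for sc, _ in bindings[i + 1:])
                findings.append(f"policy {pname}: catch-all classifier {c} shadows {later}")
    for iname, apps in cfg["interfaces"].items():
        for p, direction in apps:
            if p not in cfg["policies"]:
                findings.append(f"interface {iname}: {direction} policy {p} is not defined")
    return findings


if __name__ == "__main__":
    for label, text in (("post-style config", POST_CONFIG), ("shadowed variant", SHADOWED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint(text) or ["no findings"]:
            print(" -", finding)
```

Run as a script it prints the two undefined-policy findings for the first sample and the shadowing finding (plus the still-missing P50M) for the second. To use it on a real switch, paste the output of display current-configuration into a file and call lint() on its contents; the parser ignores every command it does not know, so the rest of the dump does no harm, but it is only an approximation of VRP syntax and not a substitute for reading display traffic policy statistics on the port.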

Last edited: 2022/11/22 Author: 辣条①号
