Step 1: create an advanced ACL on the switch. Unlike a Cisco ACL, a Huawei ACL has no implicit deny at the end: a packet that matches no rule is not dropped by the ACL, it is simply unmatched. Inside a traffic policy a permit rule means "this packet matches the classifier"; the actual drop is done by the traffic behavior in step 3, and packets that match no rule fall through to the next classifier in the policy.
acl name Site-Security-Type1 3998
rule 5 permit tcp destination-port eq 135
rule 10 permit tcp destination-port eq 137
rule 15 permit tcp destination-port eq 138
rule 20 permit tcp destination-port eq 139
rule 25 permit tcp destination-port eq 145
rule 30 permit tcp destination-port eq 1723
rule 35 permit udp destination-port eq 135
rule 40 permit udp destination-port eq netbios-ns
rule 45 permit udp destination-port eq netbios-dgm
rule 50 permit udp destination-port eq netbios-ssn
rule 55 permit udp destination-port eq 145
rule 60 permit udp destination-port eq 1723
rule 65 permit tcp destination-port eq pop2
rule 70 permit tcp destination-port eq pop3
rule 75 permit tcp destination-port eq smtp

3998 lies in the advanced-ACL number range (3000-3999). No source or destination address is given in any rule, so each rule applies to any source and any destination and matches on destination port only: TCP/UDP 135 (the MS-RPC endpoint mapper), 137-139 (NetBIOS name, datagram and session services, written as numbers for TCP and as the netbios-ns, netbios-dgm and netbios-ssn keywords for UDP), 1723 (PPTP), and the pop2 (109), pop3 (110) and smtp (25) keywords. Two things to check before copying this ACL: port 145 is not a Windows file-sharing port, and the port that normally completes the 135/137-139 worm-containment set is 445 (SMB over TCP); and the last three rules also stop hosts behind this port from talking directly to POP and SMTP servers, so make sure that is intended.
Step 2: create the traffic classifiers. "operator and" means every if-match condition in the classifier must hold. Site-Security-Type1 matches the ACL from step 1, and "all" (if-match any) is the catch-all for everything else.
traffic classifier Site-Security-Type1 operator and
if-match acl Site-Security-Type1
traffic classifier all operator and
if-match any
Step 3: create the traffic behaviors. Deny drops the matched traffic. P10MP15M-1 is a two-rate policer: cir and pir are in kbit/s (10240 = 10 Mbit/s committed, 15360 = 15 Mbit/s peak), cbs and pbs are in bytes and follow Huawei's default sizing of 125 bytes per kbit/s (1280000 = 125 x 10240, 1920000 = 125 x 15360). Traffic within cir (green) passes, traffic between cir and pir (yellow) passes re-marked to DSCP 18 (AF21), and traffic above pir (red) is discarded. "statistic enable" is what makes the match and drop counters visible in "display traffic policy statistics interface GigabitEthernet0/0/4 inbound". The commented-out PASS behavior is the alternative for a classifier that should only be counted, not policed.
traffic behavior Deny
deny
traffic behavior P10MP15M-1
car cir 10240 pir 15360 cbs 1280000 pbs 1920000 green pass yellow pass remark-dscp 18 red discard
statistic enable
#traffic behavior PASS
# permit
Step 4: bind each classifier to its behavior in a traffic policy, then apply the policy under the port. Classifiers are matched in the order in which they were added to the policy, and where the bound behaviors conflict the earlier classifier takes precedence, so the Site-Security-Type1/Deny pair must come before the all/P10MP15M-1 catch-all; in the reverse order the catch-all matches everything and the worm ports would only be rate-limited instead of dropped.
traffic policy P10MP15M-1-Cluster
classifier Site-Security-Type1 behavior Deny
classifier all behavior P10MP15M-1
interface GigabitEthernet0/0/4
description test-BSH-3F-G0
port link-type access
port default vlan 3525
traffic-policy P10MP15M-1-Cluster inbound
traffic-policy P50M outbound
port-isolate enable group 1
broadcast-suppression packets 10

The inbound policy name must match the policy built above exactly; a traffic policy has to exist before "traffic-policy ... inbound" will accept it. P50M is a separate outbound policy whose definition is not shown here. "port-isolate enable group 1" blocks Layer 2 traffic between isolated ports in the same VLAN, so an infected host cannot reach its neighbours without going through the gateway, and "broadcast-suppression packets 10" caps inbound broadcast on the port at 10 packets per second.
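As an added example, not from the original post and not Huawei code, here is a small Python linter for this four-step chain. It parses the configuration text, checks that every ACL, classifier, behavior and policy that is referenced actually exists, that no classifier is placed behind an "if-match any" catch-all, that CAR bursts follow Huawei's 125-bytes-per-kbit/s default, and compares the ACL's permit rules against a target port set. The SAMPLE configuration inside it is constructed (its interface deliberately applies two policy names that were never defined, the slip that is easy to make when stanzas are copied between ports), and EXPECTED_WORM_PORTS is my assumption about the intended port set, not something the post states.

```python
# Lint a Huawei VRP traffic-policy chain: ACL -> classifier -> behavior -> policy -> interface.
# Added example for this post, not Huawei code; it checks the cross-references between stanzas.
import re

PORT_KEYWORDS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139, "pop2": 109, "pop3": 110, "smtp": 25}
# Stanza headers; every following line up to the next header is that stanza's body.
HEADERS = [(k, re.compile(rf"^{p} (\S+)")) for k, p in [("acl", "acl name"), ("classifier", "traffic classifier"),
           ("behavior", "traffic behavior"), ("policy", "traffic policy"), ("interface", "interface")]]
RULE_RX = re.compile(r"^rule \d+ (permit|deny) (tcp|udp) destination-port eq (\S+)$")
CAR_RX = re.compile(r"^car cir (\d+)(?: pir (\d+))?(?: cbs (\d+) pbs (\d+))?")
# Assumption, not from the post: the classic Windows RPC/NetBIOS/SMB worm-propagation ports.
EXPECTED_WORM_PORTS = {("tcp", 135), ("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}
# Constructed sample in the post's shape; its interface applies two policies that are never defined.
SAMPLE = """\
acl name Site-Security-Type1 3998
 rule 5 permit tcp destination-port eq 135
 rule 25 permit tcp destination-port eq 145
 rule 40 permit udp destination-port eq netbios-ns
traffic classifier Site-Security-Type1 operator and
 if-match acl Site-Security-Type1
traffic classifier all operator and
 if-match any
traffic behavior Deny
 deny
traffic behavior P10MP15M-1
 car cir 10240 pir 15360 cbs 1280000 pbs 1920000 green pass yellow pass remark-dscp 18 red discard
traffic policy P10MP15M-1-Cluster
 classifier Site-Security-Type1 behavior Deny
 classifier all behavior P10MP15M-1
interface GigabitEthernet0/0/4
 traffic-policy P5MP10M-1-Cluster inbound
 traffic-policy P50M outbound
"""

def parse_config(text):
    """Return {kind: {name: [body lines]}}; blank lines and '#' comment lines are dropped."""
    cfg, body = {kind: {} for kind, _ in HEADERS}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for kind, rx in HEADERS:
            if m := rx.match(line):
                body = cfg[kind].setdefault(m.group(1), [])
                break
        else:
            if body is not None:
                body.append(line)
    return cfg

def acl_dest_ports(cfg, acl_name):
    """(proto, port) pairs the ACL's permit rules match; inside a traffic policy, permit means 'match'."""
    ports = set()
    for line in cfg["acl"].get(acl_name, []):
        if (m := RULE_RX.match(line)) and m.group(1) == "permit":
            proto, tok = m.group(2, 3)
            ports.add((proto, int(tok) if tok.isdigit() else PORT_KEYWORDS[tok]))
    return ports

def compare_ports(cfg, acl_name, expected):  # (missing, extra) relative to the intended port set
    actual = acl_dest_ports(cfg, acl_name)
    return expected - actual, actual - expected

def lint(cfg):
    """Cross-reference and CAR parameter checks; returns a list of finding strings."""
    findings = []
    for name, lines in cfg["classifier"].items():
        for line in lines:
            if (m := re.match(r"^if-match acl (\S+)", line)) and m.group(1) not in cfg["acl"]:
                findings.append(f"classifier {name}: ACL {m.group(1)} is not defined")
    for name, lines in cfg["policy"].items():
        catch_all = None  # classifiers are matched in configuration order; the earlier one takes precedence
        for line in lines:
            if not (m := re.match(r"^classifier (\S+) behavior (\S+)", line)):
                continue
            for kind, ref in zip(("classifier", "behavior"), m.groups()):
                if ref not in cfg[kind]:
                    findings.append(f"policy {name}: {kind} {ref} is not defined")
            if catch_all:
                findings.append(f"policy {name}: classifier {m.group(1)} is unreachable after {catch_all}")
            if "if-match any" in cfg["classifier"].get(m.group(1), []):
                catch_all = m.group(1)
    for name, lines in cfg["behavior"].items():
        for line in lines:
            if not (m := CAR_RX.match(line)):
                continue
            cir, pir, cbs, pbs = (int(x) if x else None for x in m.groups())
            # Huawei sizes bursts at 125 bytes per kbit/s by default (cbs = 125*cir, pbs = 125*pir).
            for label, rate, burst in (("cir", cir, cbs), ("pir", pir, pbs)):
                if rate is not None and burst is not None and burst != 125 * rate:
                    findings.append(f"behavior {name}: {label} {rate} expects burst {125 * rate}, got {burst}")
    for name, lines in cfg["interface"].items():
        for line in lines:
            if (m := re.match(r"^traffic-policy (\S+) (inbound|outbound)", line)) and m.group(1) not in cfg["policy"]:
                findings.append(f"interface {name}: {m.group(2)} policy {m.group(1)} is not defined")
    return findings

if __name__ == "__main__":  # stand-alone run on the constructed SAMPLE
    print(*lint(parse_config(SAMPLE)), compare_ports(parse_config(SAMPLE), "Site-Security-Type1", EXPECTED_WORM_PORTS), sep="\n")
```

Run it directly to see the two undefined-policy findings for SAMPLE and the missing/extra port sets; to lint a real switch, feed the output of "display current-configuration" to parse_config() and call lint() and compare_ports() on the result.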