This document uses a Huawei S5720 switch as the example to configure an anti-virus traffic policy on the switch. The policy drops traffic to the TCP/UDP ports that worms commonly use to attack and propagate. The configuration is as follows:
1. Create an advanced ACL; here it is named virus:
acl name virus
2. In that ACL, add the following rules. Note that "permit" here only means "this packet matches the classifier"; the actual drop comes from the deny traffic behavior configured in step 4:
rule permit tcp source any destination any destination-port eq 135
rule permit udp source any destination any destination-port eq 135
rule permit udp source any destination any destination-port eq 137
rule permit udp source any destination any destination-port eq 138
rule permit tcp source any destination any destination-port eq 139
rule permit udp source any destination any destination-port eq 139
rule permit tcp source any destination any destination-port eq 445
rule permit udp source any destination any destination-port eq 445
rule permit tcp source any destination any destination-port eq 593
rule permit udp source any destination any destination-port eq 593
rule permit udp source any destination any destination-port eq 1434
rule permit tcp source any destination any destination-port eq 4444
rule permit tcp source any destination any destination-port eq 5554
rule permit tcp source any destination any destination-port eq 9995
rule permit tcp source any destination any destination-port eq 9996
3. Configure an ACL-based traffic classifier (if-match is entered in the classifier view):
traffic classifier virus
if-match acl virus
4. Configure the traffic behavior (deny is entered in the behavior view):
traffic behavior virus_deny
deny
5. Create the traffic policy and bind the classifier to the behavior (classifier ... behavior ... is entered in the policy view):
traffic policy virus_deny
classifier virus behavior virus_deny
6. Finally, apply the traffic policy named virus_deny to the relevant switch interface. The command is run in the interface view:
traffic-policy virus_deny inbound
or
traffic-policy virus_deny outbound
Be aware that this rule set also blocks legitimate NetBIOS/SMB and RPC traffic (TCP/UDP 135, 137-139, 445), so applying it on interfaces that carry Windows file sharing or domain traffic will break those services. Apply it on user-facing access ports, not on uplinks toward file or domain servers, unless that disruption is intended.
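The full procedure above in the order it is actually typed into the VRP CLI, as an added example that is not part of the original document. The interface name GigabitEthernet 0/0/1 and the prompt strings are assumptions for illustration; lines starting with # are annotations, not commands. The example adds "statistic enable" to the behavior so that the policy can be verified with the display commands at the end, and makes the ACL type explicit with the advance keyword.

```text
# Enter system view and create the advanced ACL (explicit "advance" keyword)
<HUAWEI> system-view
[HUAWEI] acl name virus advance
# "permit" = match the classifier; the drop is done by the behavior below
[HUAWEI-acl-adv-virus] rule permit tcp source any destination any destination-port eq 135
[HUAWEI-acl-adv-virus] rule permit udp source any destination any destination-port eq 135
[HUAWEI-acl-adv-virus] rule permit udp source any destination any destination-port eq 137
[HUAWEI-acl-adv-virus] rule permit udp source any destination any destination-port eq 138
[HUAWEI-acl-adv-virus] rule permit tcp source any destination any destination-port eq 139
[HUAWEI-acl-adv-virus] rule permit udp source any destination any destination-port eq 139
[HUAWEI-acl-adv-virus] rule permit tcp source any destination any destination-port eq 445
[HUAWEI-acl-adv-virus] rule permit udp source any destination any destination-port eq 445
[HUAWEI-acl-adv-virus] rule permit tcp source any destination any destination-port eq 593
[HUAWEI-acl-adv-virus] rule permit udp source any destination any destination-port eq 593
[HUAWEI-acl-adv-virus] rule permit udp source any destination any destination-port eq 1434
[HUAWEI-acl-adv-virus] rule permit tcp source any destination any destination-port eq 4444
[HUAWEI-acl-adv-virus] rule permit tcp source any destination any destination-port eq 5554
[HUAWEI-acl-adv-virus] rule permit tcp source any destination any destination-port eq 9995
[HUAWEI-acl-adv-virus] rule permit tcp source any destination any destination-port eq 9996
[HUAWEI-acl-adv-virus] quit
# Classifier: match on the ACL
[HUAWEI] traffic classifier virus
[HUAWEI-classifier-virus] if-match acl virus
[HUAWEI-classifier-virus] quit
# Behavior: drop matching packets; statistic enable lets us count the drops
[HUAWEI] traffic behavior virus_deny
[HUAWEI-behavior-virus_deny] deny
[HUAWEI-behavior-virus_deny] statistic enable
[HUAWEI-behavior-virus_deny] quit
# Policy: bind classifier to behavior
[HUAWEI] traffic policy virus_deny
[HUAWEI-trafficpolicy-virus_deny] classifier virus behavior virus_deny
[HUAWEI-trafficpolicy-virus_deny] quit
# Apply inbound on an access port (interface name is an assumption)
[HUAWEI] interface GigabitEthernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy virus_deny inbound
[HUAWEI-GigabitEthernet0/0/1] quit
# Verify: where the policy is applied, and whether it is matching/dropping traffic
[HUAWEI] display acl name virus
[HUAWEI] display traffic-policy applied-record virus_deny
[HUAWEI] display traffic policy statistics interface GigabitEthernet 0/0/1 inbound
```

After applying the policy, generate a test connection to one of the listed ports (for example a TCP connection to port 445 through the port) and confirm that the matched/dropped packet counters in the statistics output increase; if the counters stay at zero, the policy is either not applied on the interface the traffic enters or the traffic is arriving in a direction the policy does not cover.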