现在网络病毒肆意横行,给网络的正常应用带来了很大的隐患,下面给出Quidway S6500系列交换机防病毒配置的一个模版,仅供大家参考:
acl name anti_worm advanced
rule 0 deny udp destination-port eq tftp
rule 1 deny tcp destination-port eq 135
rule 2 deny udp destination-port eq 135
rule 3 deny udp destination-port eq 137
rule 4 deny udp destination-port eq 138
rule 5 deny tcp destination-port eq 139
rule 6 deny udp destination-port eq netbios-ssn
rule 7 deny tcp destination-port eq 445
rule 8 deny udp destination-port eq 445
rule 9 deny tcp destination-port eq 539
rule 10 deny udp destination-port eq 539
rule 11 deny tcp destination-port eq 593
rule 12 deny udp destination-port eq 593
rule 13 deny udp destination-port eq 1434
rule 14 deny tcp destination-port eq 4444
acl name anti_icmp advanced
rule 0 deny icmp
将以上规则以not-carefor-interface方式在芯片上全局下发,如:
int e1/0/1
packet-filter inbound ip-group anti_worm not-care-for-interface
packet-filter inbound ip-group anti_icmp not-care-for-interface
int e2/0/1
packet-filter inbound ip-group anti_worm not-care-for-interface
packet-filter inbound ip-group anti_icmp not-care-for-interface
int e2/0/48
packet-filter inbound ip-group anti_worm not-care-for-interface
packet-filter inbound ip-group anti_icmp not-care-for-interface
注:
1、 not-carefor-interface参数表示的意思是该规则在整个芯片下发,而不仅仅是在这个端口下发,对于FT48单板来说,一个有两个芯片,前24个端口为一个芯片,后24个端口为一个芯片,在芯片的任何一个端口带该参数下发的规则都在整个芯片上生效。
2、 其他单板为一块芯片。
