Guide to Defense Configuration on CE Series Switches
Product Family | Enterprise network products
Product Model | Data center network switch
Released On | 2017-05-14
Updated On | 2019-03-11
Versions Involved | All versions
Severity | Major
Note: Before the configuration, ensure that no service is using ports 135, 137, 139, 445, and 3389. Otherwise, those services are affected.
1. Configure an advanced ACL that is not in use on the device to match the destination ports to be protected. For example:
acl 3000
rule 5 permit tcp destination-port eq 135
rule 10 permit udp destination-port eq 135
rule 15 permit tcp destination-port eq 137
rule 20 permit udp destination-port eq 137
rule 25 permit tcp destination-port eq 139
rule 30 permit udp destination-port eq 139
rule 35 permit tcp destination-port eq 445
rule 40 permit udp destination-port eq 445
rule 45 permit tcp destination-port eq 3389
rule 50 permit udp destination-port eq 3389
2. Configure a traffic classifier to match the ACL.
traffic classifier test
if-match acl 3000
3. Configure a traffic behavior that discards the matched packets.
traffic behavior test
deny
4. Configure a traffic policy that binds the classifier to the behavior.
traffic policy test
classifier test behavior test
5. Apply the policy in the global inbound direction.
traffic-policy test global inbound
6. Commit the configuration.
commit
Note: Apply the policy in the inbound direction of the device. On the CE12800, an outbound policy that matches packets by IP address takes effect only on forwarded Layer 3 traffic, so it would not block the Layer 2 or locally terminated traffic this guide targets.
That is all I want to share with you! Thank you!