Enterprise

Community Forums Switches

the S5700 needs to ban th...

the S5700 needs to ban the ransomware port on the LAN switch. How to implement it? Specific operation steps and configuration examples?

Created: Dec 22, 2018 01:19:13Latest reply: Dec 29, 2018 02:33:11 258 7 8 1

display all floors ^#1

1. Configure advanced ACL

# Configure the security policy for port ban in the ACL.

<HUAWEI> system-view

[HUAWEI] sysname Switch

[Switch] acl 3001

[Switch-acl-adv-3001] rule deny tcp destination-port eq 135

[Switch-acl-adv-3001] rule deny udp destination-port eq 135

[Switch-acl-adv-3001] rule deny tcp destination-port eq 137

[Switch-acl-adv-3001] rule deny udp destination-port eq 137 //enclose the netbios-ns port

[Switch-acl-adv-3001] rule deny tcp destination-port eq 138

[Switch-acl-adv-3001] rule deny udp destination-port eq 138 //enclose the netbios-dgm port

[Switch-acl-adv-3001] rule deny tcp destination-port eq 139

[Switch-acl-adv-3001] rule deny udp destination-port eq 139 //enclose the netbios-ssn port

[Switch-acl-adv-3001] rule deny tcp destination-port eq 445

[Switch-acl-adv-3001] rule deny udp destination-port eq 445

[Switch-acl-adv-3001] rule permit ip

[Switch-acl-adv-3001] quit

2. Configure ACL-based traffic classification

# Configure the traffic classifier tc1 to classify packets matching ACL 3001.

[Switch] traffic classifier tc1

[Switch-classifier-tc1] if-match acl 3001

[Switch-classifier-tc1] quit

3. Configure the behavior as

# Configure the traffic behavior as tb1, and the action is to reject the packet.

[Switch] traffic behavior tb1

[Switch-behavior-tb1] deny

[Switch-behavior-tb1] quit

4. Configure the traffic policy

# Configure the traffic policy tp1 to associate the traffic class tc1 with the traffic behavior tb1.

[Switch] traffic policy tp1

[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1

[Switch-trafficpolicy-tp1] quit

5. Apply the traffic policy to the port (uplink port or downlink port)

For example, the traffic policy tp1 is applied to the inbound direction of the downlink interface GE0/0/2.

[Switch] interface gigabitethernet 0/0/2

[Switch-GigabitEthernet0/0/2] traffic-policy tp1 inbound

[Switch-GigabitEthernet0/0/2] quit

6. Verify the configuration results

# Display the configuration information of the ACL rule.

[Switch-acl-adv-3001]dis acl 3001

Advanced ACL 3001, 10 rules

Acl's step is 5

Rule 5 deny tcp destination-port eq 135

Rule 10 deny udp destination-port eq 135

Rule 15 deny tcp destination-port eq 137

Rule 20 deny udp destination-port eq netbios-ns

Rule 25 deny tcp destination-port eq 138

Rule 30 deny udp destination-port eq netbios-dgm

Rule 35 deny tcp destination-port eq 139

Rule 40 deny udp destination-port eq netbios-ssn

Rule 45 deny tcp destination-port eq 445

Rule 50 deny udp destination-port eq 445

# View the configuration information of the traffic classifier.

[Switch] display traffic classifier user-defined

User Defined Classifier Information:

Classifier: tc1

Operator: OR

Rule(s) : if-match acl 3001

Total classifier number is 1

# View the configuration information of the traffic policy.

[Switch] display traffic policy user-defined tp1

User Defined Traffic Policy Information:

Policy: tp1

Classifier: tc1

Operator: OR

Behavior: tb1

Deny

# View the application information of the traffic policy.

[Switch] display traffic-policy applied-record

-------------------------------------------------

Policy Name: tp1

Policy Index: 0

Classifier: tc1 Behavior: tb1

-------------------------------------------------

*interface GigabitEthernet0/0/2

Traffic-policy tp1 inbound

Slot 0 : success

-------------------------------------------------

Policy total applied times: 1.

x
convention：

Helpful (8) Favorite(1) Report

xiaomumu Created Dec 24, 2018 01:44:17

Know how to implement S5700 need to prohibit LAN switches on the extortion software port This post was last edited by xiaomumu at 2018-12-27 02:47.

x
convention：

3li Created Dec 24, 2018 17:09:58

No idea

x
convention：

No.9527 Created Dec 26, 2018 03:38:11

According to the ransomware port and address, configure traffic-policy to deny it

x
convention：

yjhd Created Dec 26, 2018 08:58:31

View the configuration information of the traffic classifier

x
convention：

liwaye Created Dec 27, 2018 07:10:57

thanks for sharing its very useful

x
convention：

GongXiaochuan

Created Dec 28, 2018 02:47:57

full steps for the configuration on S5700 for the QoS. very good

x
convention：

Good Good Study Day Day Up

Finn92 Created Dec 29, 2018 02:33:11

hi author , maybe you should tell us what's port will be used by ransomware directlly , then we will found many ways to deny it .

x
convention：

Comment

Notice

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:

Politically sensitive content
Content concerning pornography, gambling, and drug abuse
Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy

Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."