1. Configure advanced ACL
# Configure ACL rules that deny traffic to the ports to be blocked (TCP and UDP 135, 137, 138, 139 and 445).
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] acl 3001
[Switch-acl-adv-3001] rule deny tcp destination-port eq 135
[Switch-acl-adv-3001] rule deny udp destination-port eq 135
[Switch-acl-adv-3001] rule deny tcp destination-port eq 137
[Switch-acl-adv-3001] rule deny udp destination-port eq 137 //block the netbios-ns port
[Switch-acl-adv-3001] rule deny tcp destination-port eq 138
[Switch-acl-adv-3001] rule deny udp destination-port eq 138 //block the netbios-dgm port
[Switch-acl-adv-3001] rule deny tcp destination-port eq 139
[Switch-acl-adv-3001] rule deny udp destination-port eq 139 //block the netbios-ssn port
[Switch-acl-adv-3001] rule deny tcp destination-port eq 445
[Switch-acl-adv-3001] rule deny udp destination-port eq 445 //no "rule permit ip" is added: the classifier feeds a deny behavior, so traffic matching a permit rule would be dropped as well (the ACL has 10 rules, as shown in step 6)
[Switch-acl-adv-3001] quit
2. Configure ACL-based traffic classification
# Configure the traffic classifier tc1 to classify packets matching ACL 3001.
[Switch] traffic classifier tc1
[Switch-classifier-tc1] if-match acl 3001
[Switch-classifier-tc1] quit
3. Configure the traffic behavior
# Configure the traffic behavior tb1 with the deny action, so that matching packets are discarded.
[Switch] traffic behavior tb1
[Switch-behavior-tb1] deny
[Switch-behavior-tb1] quit
4. Configure the traffic policy
# Configure the traffic policy tp1 to associate the traffic class tc1 with the traffic behavior tb1.
[Switch] traffic policy tp1
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1
[Switch-trafficpolicy-tp1] quit
5. Apply the traffic policy to the port (uplink port or downlink port)
# For example, apply the traffic policy tp1 to the inbound direction of the downlink interface GE0/0/2.
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] traffic-policy tp1 inbound
[Switch-GigabitEthernet0/0/2] quit
6. Verify the configuration results
# Display the configuration information of the ACL rule.
[Switch] display acl 3001
Advanced ACL 3001, 10 rules
Acl's step is 5
Rule 5 deny tcp destination-port eq 135
Rule 10 deny udp destination-port eq 135
Rule 15 deny tcp destination-port eq 137
Rule 20 deny udp destination-port eq netbios-ns
Rule 25 deny tcp destination-port eq 138
Rule 30 deny udp destination-port eq netbios-dgm
Rule 35 deny tcp destination-port eq 139
Rule 40 deny udp destination-port eq netbios-ssn
Rule 45 deny tcp destination-port eq 445
Rule 50 deny udp destination-port eq 445
# View the configuration information of the traffic classifier.
[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Operator: OR
Rule(s) : if-match acl 3001
Total classifier number is 1
# View the configuration information of the traffic policy.
[Switch] display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: OR
Behavior: tb1
Deny
# View the application information of the traffic policy.
[Switch] display traffic-policy applied-record
-------------------------------------------------
Policy Name: tp1
Policy Index: 0
Classifier: tc1 Behavior: tb1
-------------------------------------------------
*interface GigabitEthernet0/0/2
Traffic-policy tp1 inbound
Slot 0 : success
-------------------------------------------------
Policy total applied times: 1.
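As an added check that is not part of the original procedure, the following Python script parses a pasted `display acl` dump like the one in step 6 and reports any TCP/UDP port from step 1 that lacks a deny rule, as well as any catch-all permit rule (which, behind a deny behavior, would drop all traffic). The sample output is a constructed copy of the step 6 display, and the port-name table is an assumption covering only the names the switch prints there.

```python
import re

# Ports the policy must deny for both TCP and UDP (from step 1).
BLOCKED_PORTS = {135, 137, 138, 139, 445}
# Names the switch substitutes for numeric ports (assumption: only the names seen in step 6).
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+(tcp|udp|ip)(?:\s+destination-port\s+eq\s+(\S+))?",
    re.IGNORECASE,
)

def parse_rules(display_acl):
    """Return (action, protocol, port-or-None) tuples for each rule line in a 'display acl' dump."""
    rules = []
    for line in display_acl.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as "Advanced ACL 3001, 10 rules"
        _, action, proto, port = m.groups()
        if port is not None:
            port = int(port) if port.isdigit() else PORT_NAMES.get(port.lower())
        rules.append((action.lower(), proto.lower(), port))
    return rules

def audit(display_acl, blocked_ports=BLOCKED_PORTS):
    """List (protocol, port) pairs without a deny rule and flag a catch-all permit rule."""
    rules = parse_rules(display_acl)
    denied = {(proto, port) for action, proto, port in rules if action == "deny" and port is not None}
    missing = sorted((p, port) for p in ("tcp", "udp") for port in blocked_ports if (p, port) not in denied)
    catch_all_permit = any(action == "permit" and port is None for action, _, port in rules)
    return {"missing": missing, "catch_all_permit": catch_all_permit}

# Constructed sample: a copy of the step 6 output.
SAMPLE_DISPLAY_ACL = """\
Advanced ACL 3001, 10 rules
Acl's step is 5
 rule 5 deny tcp destination-port eq 135
 rule 10 deny udp destination-port eq 135
 rule 15 deny tcp destination-port eq 137
 rule 20 deny udp destination-port eq netbios-ns
 rule 25 deny tcp destination-port eq 138
 rule 30 deny udp destination-port eq netbios-dgm
 rule 35 deny tcp destination-port eq 139
 rule 40 deny udp destination-port eq netbios-ssn
 rule 45 deny tcp destination-port eq 445
 rule 50 deny udp destination-port eq 445
"""

if __name__ == "__main__":
    print(audit(SAMPLE_DISPLAY_ACL))
```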