The S5700 needs to ban the ransomware port on the LAN switch. How to implement it? Specific operation steps and configuration examples?

Hello everyone,

Today I will share with you how to ban the ransomware port on the LAN switch.

1. Configure advanced ACL

# Configure the security policy for port ban in the ACL.

<HUAWEI> system-view

[HUAWEI] sysname Switch

[Switch] acl 3001

[Switch-acl-adv-3001] rule deny tcp destination-port eq 135

[Switch-acl-adv-3001] rule deny udp destination-port eq 135

[Switch-acl-adv-3001] rule deny tcp destination-port eq 137

[Switch-acl-adv-3001] rule deny udp destination-port eq 137 //enclose the netbios-ns port

[Switch-acl-adv-3001] rule deny tcp destination-port eq 138

[Switch-acl-adv-3001] rule deny udp destination-port eq 138 //enclose the netbios-dgm port

[Switch-acl-adv-3001] rule deny tcp destination-port eq 139

[Switch-acl-adv-3001] rule deny udp destination-port eq 139 //enclose the netbios-ssn port

[Switch-acl-adv-3001] rule deny tcp destination-port eq 445

[Switch-acl-adv-3001] rule deny udp destination-port eq 445

[Switch-acl-adv-3001] rule permit ip

[Switch-acl-adv-3001] quit

2. Configure ACL-based traffic classification

# Configure the traffic classifier tc1 to classify packets matching ACL 3001.

[Switch] traffic classifier tc1

[Switch-classifier-tc1] if-match acl 3001

[Switch-classifier-tc1] quit

3. Configure the behavior as

# Configure the traffic behavior as tb1, and the action is to reject the packet.

[Switch] traffic behavior tb1

[Switch-behavior-tb1] deny

[Switch-behavior-tb1] quit

4. Configure the traffic policy

# Configure the traffic policy tp1 to associate the traffic class tc1 with the traffic behavior tb1.

[Switch] traffic policy tp1

[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1

[Switch-trafficpolicy-tp1] quit

5. Apply the traffic policy to the port (uplink port or downlink port)

For example, the traffic policy tp1 is applied to the inbound direction of the downlink interface GE0/0/2.

[Switch] interface gigabitethernet 0/0/2

[Switch-GigabitEthernet0/0/2] traffic-policy tp1 inbound

[Switch-GigabitEthernet0/0/2] quit

6. Verify the configuration results

# Display the configuration information of the ACL rule.

[Switch-acl-adv-3001]dis acl 3001

Advanced ACL 3001, 10 rules

Acl's step is 5

 Rule 5 deny tcp destination-port eq 135

 Rule 10 deny udp destination-port eq 135

 Rule 15 deny tcp destination-port eq 137

 Rule 20 deny udp destination-port eq netbios-ns

 Rule 25 deny tcp destination-port eq 138

 Rule 30 deny udp destination-port eq netbios-dgm

 Rule 35 deny tcp destination-port eq 139

 Rule 40 deny udp destination-port eq netbios-ssn

 Rule 45 deny tcp destination-port eq 445

 Rule 50 deny udp destination-port eq 445

# View the configuration information of the traffic classifier.

[Switch] display traffic classifier user-defined

   User Defined Classifier Information:

    Classifier: tc1

     Operator: OR

     Rule(s) : if-match acl 3001

Total classifier number is 1

# View the configuration information of the traffic policy.

[Switch] display traffic policy user-defined tp1

  User Defined Traffic Policy Information:

  Policy: tp1

   Classifier: tc1

    Operator: OR

     Behavior: tb1

      Deny

# View the application information of the traffic policy.

[Switch] display traffic-policy applied-record

-------------------------------------------------

  Policy Name: tp1

  Policy Index: 0

     Classifier: tc1 Behavior: tb1

-------------------------------------------------

 *interface GigabitEthernet0/0/2

    Traffic-policy tp1 inbound

      Slot 0 : success

-------------------------------------------------

  Policy total applied times: 1.