Typical Junk Traffic Filtering
Security Policy Introduction
Interface-based ACLs can be used to effectively prevent abnormal traffic from entering user terminals or prevent terminals' abnormal traffic from entering a network. The traffic to be blocked mainly includes common viruses and Trojan horse ports.
The ports to be blocked must be determined based on site requirements and confirmed by users. The following configurations and examples are for reference only.
Configuring Maintenance
- Define an ACL to discard invalid packets matching viruses or Trojan horse ports.
- Run acl { name interface-based-acl-name { interface | [ interface ] number interface-based-acl-number } | [ number ] interface-based-acl-number }
The interface-based ACL view is displayed.
The interface-based ACL number ranges from 1000 to 1999.
- Run rule [ rule-id ] [ name rule-name ] { permit | deny } interface { interface-type interface-number | any } [ time-range time-name ] *
An interface-based ACL rule is configured.
- Run acl { name interface-based-acl-name { interface | [ interface ] number interface-based-acl-number } | [ number ] interface-based-acl-number }
- Configure a traffic policy.
- Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is configured, and the traffic classifier view is displayed.
- Run if-match [ ipv6 ] acl { acl-number | name acl-name }
An ACL rule is configured.
- Run traffic classifier classifier-name [ operator { and | or } ]
- Define a traffic behavior.
- Run traffic behavior behavior–name
A traffic behavior is configured, and the traffic behavior view is displayed.
- Run permit | deny
Packets are allowed to pass or are discarded.
- Run traffic behavior behavior–name
- Configure a traffic policy.
- Run traffic policy policy-name
A traffic policy is configured, and the traffic policy view is displayed.
- Run classifier classifier-name behavior behavior-name
A traffic behavior is specified for the traffic classifier in the traffic policy.
- Run traffic policy policy-name
- Apply the traffic policy to a specified interface.
- Run interface interface-type interface-number
The interface view is displayed.
- Run traffic-policy policy-name { inbound | outbound }The traffic policy is applied to the specified interface.
You can apply different traffic policies to the inbound and outbound directions of an interface.
- Run interface interface-type interface-number
Configuration Example
acl number 3300 rule 5 deny udp source-port range 135 netbios-ssn rule 10 deny udp destination-port range 135 netbios-ssn rule 15 deny udp source-port eq 445 rule 20 deny udp destination-port eq 445 rule 25 deny tcp source-port eq 445 rule 30 deny tcp destination-port eq 445 acl ipv6 number 3400 rule 5 deny udp source-port range 135 netbios-ssn rule 10 deny udp destination-port range 135 netbios-ssn rule 15 deny udp source-port eq 445 rule 20 deny udp destination-port eq 445 rule 25 deny tcp source-port eq 445 rule 30 deny tcp destination-port eq 445
traffic classifier tcAntivirusIn operator or
if-match acl 3300
if-match ipv6 acl 3400
traffic behavior tbAntivirusIn
traffic policy tpAntivirusIn
share-mode
statistics enable
classifier tcAntivirusIn behavior tbAntivirusIn precedence 1
//Apply the traffic policy to the inbound direction of the upstream interface.
interface GigabitEthernet0/1/0
undo shutdown
traffic-policy tpAntivirusIn inbound
traffic classifier tcAntivirusOut operator or
if-match acl 3300
if-match ipv6 acl 3400
traffic behavior tbAntivirusOut
traffic policy tpAntivirusOut
share-mode
statistics enable
classifier tcAntivirusOut behavior tbAntivirusOut precedence 1
//Apply the traffic policy to the outbound direction on the upstream interface of the device.
interface GigabitEthernet0/1/0
undo shutdown
traffic-policy tpAntivirusOut outbound