Cisco 3560 Switch ACL Configuration Example
Published: 2019-05-22 11:22:28
    I. Current configuration

    Switch_SZ_3560#show run
    Building configuration...

    Current configuration : 2061 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Switch_SZ_3560
    !
    enable secret 5 $1$cqZM$PRn8LNv6b6Iw9oplbjtNn.
    !
    no aaa new-model
    ip subnet-zero
    ip routing
    !
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    !
    interface FastEthernet0/1
    !
    interface FastEthernet0/2
     switchport access vlan 2
     switchport mode access
    !
    interface FastEthernet0/3
     switchport access vlan 3
     switchport mode access
    !
    interface FastEthernet0/4
    !
    interface FastEthernet0/5
    !
    interface FastEthernet0/6
    !
    interface FastEthernet0/7
    !
    interface FastEthernet0/8
    !
    interface FastEthernet0/9
    !
    interface FastEthernet0/10
    !
    interface FastEthernet0/11
    !
    interface FastEthernet0/12
    !
    interface FastEthernet0/13
    !
    interface FastEthernet0/14
    !
    interface FastEthernet0/15
    !
    interface FastEthernet0/16
    !
    interface FastEthernet0/17
    !
    interface FastEthernet0/18
    !
    interface FastEthernet0/19
    !
    interface FastEthernet0/20
    !
    interface FastEthernet0/21
    !
    interface FastEthernet0/22
    !
    interface FastEthernet0/23
    !
    interface FastEthernet0/24
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
    !
    interface Vlan1
     ip address 10.3.21.10 255.255.255.0
    !
    interface Vlan2
     ip address 10.3.22.10 255.255.255.0
    !
    interface Vlan3
     ip address 10.3.23.10 255.255.255.0
     ip access-group server-protect in
    !
    ip default-gateway 10.3.21.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.3.21.254
    ip http server
    ip http secure-server
    !
    !
    ip access-list extended server-protect
     permit icmp any any
     permit tcp 10.3.21.0 0.0.0.255 host 10.3.23.100 eq ftp
     permit tcp 10.3.22.0 0.0.0.255 host 10.3.23.100 eq ftp
    !
    !
    control-plane
    !
    !
    line con 0
    line vty 0 4
     password *********
     login
    line vty 5 15
     password *********
     login
    !
    end
    Switch_SZ_3560#

    Notes on this configuration:

    (1) Direction. On an SVI, "ip access-group ... in" filters packets that arrive from hosts in that VLAN and are about to be routed; "out" filters packets being routed into the VLAN. As applied here (inbound on Vlan3, the server's own VLAN), the ACL never sees client requests from 10.3.21.0/24 or 10.3.22.0/24, which enter through Vlan1 and Vlan2; it does see the FTP server's replies (source 10.3.23.100), which match none of the permit entries and fall to the implicit "deny ip any any". The net effect is that only ICMP leaves VLAN 3 and FTP does not work at all. To protect 10.3.23.100 as the ACL name suggests, apply it outbound on Vlan3 ("ip access-group server-protect out") or inbound on Vlan1 and Vlan2.

    (2) FTP. "eq ftp" matches only the control connection (TCP 21). Active-mode data connections (server port 20 to the client) and passive-mode data connections (a negotiated high port on the server) need their own entries.

    (3) Management plane. The vty lines use a line "password" with "login" and no "transport input ssh", "no service password-encryption" leaves those passwords in clear text in the running configuration, and "ip http server" exposes plaintext HTTP management alongside the HTTPS server.

    (4) "ip default-gateway" is only used when IP routing is disabled; with "ip routing" enabled the static route "ip route 0.0.0.0 0.0.0.0 10.3.21.254" is what provides the default route.
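The following Python model is an added example, not code from the original page or from Cisco: it evaluates the server-protect ACL above against constructed packets under standard IOS semantics (first match wins, implicit deny at the end, a wildcard-mask bit of 1 means "don't care", "in" on an SVI filters packets arriving from that VLAN's hosts and "out" filters packets being routed into it) and shows what each placement lets through. The VLAN subnets are taken from the SVI addresses above; the client address 10.3.21.5, the ephemeral port 51000 and the function names are assumptions.

```python
# Added example (not the page's or Cisco's code): a small model of how IOS
# evaluates the extended ACL "server-protect" and where it must be applied.
# Assumptions: top-down first match with an implicit "deny ip any any";
# wildcard bit 1 = ignore, 0 = must match; "in" on an SVI sees packets coming
# from hosts in that VLAN, "out" sees packets routed into it. Packets below
# are constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port, None for icmp


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    dport: Optional[int] = None   # "eq <port>" on the destination


def match_addr(spec: str, addr: str) -> bool:
    """IOS address/wildcard matching: wildcard bit 1 = ignore, 0 = must be equal."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return IPv4Address(spec.split()[1]) == IPv4Address(addr)
    base, wildcard = spec.split()
    keep = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(base)) & keep) == (int(IPv4Address(addr)) & keep)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (match_addr(ace.src, pkt.src) and match_addr(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"   # implicit "deny ip any any"


# The page's ACL as data ("eq ftp" is TCP port 21).
SERVER_PROTECT = [
    Ace("permit", "icmp", "any", "any"),
    Ace("permit", "tcp", "10.3.21.0 0.0.0.255", "host 10.3.23.100", 21),
    Ace("permit", "tcp", "10.3.22.0 0.0.0.255", "host 10.3.23.100", 21),
]

# The page's SVIs and their subnets.
SVI_SUBNETS = {
    "Vlan1": IPv4Network("10.3.21.0/24"),
    "Vlan2": IPv4Network("10.3.22.0/24"),
    "Vlan3": IPv4Network("10.3.23.0/24"),
}


def svi_for(addr: str) -> Optional[str]:
    """SVI whose subnet contains addr (None: the packet would use the default route)."""
    for name, net in SVI_SUBNETS.items():
        if IPv4Address(addr) in net:
            return name
    return None


def forwarded(acl: List[Ace], svi: str, direction: str, pkt: Packet) -> str:
    """Verdict for a routed packet given the ACL placement, or 'not-filtered'
    when the packet never crosses that interface in that direction."""
    crosses = svi_for(pkt.src) == svi if direction == "in" else svi_for(pkt.dst) == svi
    return evaluate(acl, pkt) if crosses else "not-filtered"


if __name__ == "__main__":
    request = Packet("tcp", "10.3.21.5", "10.3.23.100", 21)    # client -> FTP control port
    reply = Packet("tcp", "10.3.23.100", "10.3.21.5", 51000)   # server -> client ephemeral port
    # Vlan3/in : request not-filtered, reply deny  (FTP broken, server isolated)
    # Vlan3/out: request permit, reply not-filtered (what the ACL name intends)
    for placement in (("Vlan3", "in"), ("Vlan3", "out")):
        print(placement,
              "request:", forwarded(SERVER_PROTECT, *placement, request),
              "reply:", forwarded(SERVER_PROTECT, *placement, reply))
```

Run it stand-alone to print the verdict table; the reply packet is the one to watch, since with the ACL inbound on Vlan3 it is the only FTP packet the ACL ever examines, and it is dropped by the implicit deny.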

    II. ACL configuration

    1. Generic configuration commands:

    acl number 100
     rule 0 deny udp source 0.0.0.0 0 source-port eq 1434 destination 1.1.0.0 0
    packet-filter ip-group 101 rule 0

    Two things to check before reusing these lines. First, "acl number", "rule" and "packet-filter ip-group" are Huawei/H3C Comware syntax, not Cisco IOS; on the 3560 above the equivalent is an "ip access-list extended" applied with "ip access-group" under the interface. Second, the ACL is defined as 100 but the packet-filter references ip-group 101, so the numbers must be made to agree. Also verify the address form against the platform documentation: on Comware a wildcard of 0 is an exact match, so "source 0.0.0.0 0" would match only the source address 0.0.0.0; use "source any" (as in the rule at the end of this section) to match all sources.

    2. Common port rules

    rule 6 deny tcp source-port eq 5554 destination-port eq 9995
    rule 7 deny tcp source-port eq 5554 destination-port eq 9996
    rule 8 deny tcp destination-port eq 135
    rule 9 deny tcp destination-port eq 136
    rule 10 deny tcp destination-port eq 138
    rule 11 deny tcp destination-port eq 4444
    rule 12 deny udp destination-port eq tftp
    rule 13 deny udp destination-port eq 135
    rule 14 deny udp destination-port eq 136
    rule 15 deny udp destination-port eq 389
    rule 16 deny udp destination-port eq 445
    rule 17 deny tcp destination-port eq 4899
    rule 18 deny tcp destination-port eq sunrpc
    rule 19 deny tcp destination-port eq 6588
    rule 20 deny tcp destination-port eq 1978
    rule 21 deny tcp destination-port eq 593
    rule 22 deny tcp destination-port eq 3389
    rule 23 deny tcp destination-port eq 137
    rule 24 deny udp destination-port eq snmp
    rule 25 deny tcp destination-port eq 139
    rule 26 deny tcp destination-port eq 445
    rule 27 deny tcp destination-port eq 2745
    rule 28 deny tcp destination-port eq 1080
    rule 29 deny tcp destination-port eq 6129
    rule 30 deny tcp destination-port eq 3127
    rule 31 deny tcp destination-port eq 3128
    rule 32 deny udp destination-port eq netbios-dgm
    rule 33 deny udp destination-port eq netbios-ns
    rule 34 deny tcp destination-port eq 5800
    rule 35 deny tcp destination-port eq 6667
    rule 36 deny tcp destination-port eq 1025
    rule 37 deny tcp destination-port eq 5554
    rule 38 deny tcp destination-port eq 1068
    rule 39 deny tcp destination-port eq 9995
    rule 40 deny udp destination-port eq netbios-ssn
    rule 41 deny tcp destination-port eq 539
    rule 42 deny udp destination-port eq 539
    rule 43 deny udp destination-port eq 1434
    rule 44 deny udp destination-port eq 593
    rule 45 deny udp destination-port eq 4444
    rule 46 deny tcp destination-port eq 1022
    rule 47 deny tcp destination-port eq 1023
    rule 48 deny udp destination-port eq 6666

    ==================

    Note:
    rule 42 deny tcp destination-port eq 135 (used by Network Neighborhood file and print sharing; blocking it may break network printers and similar devices)
    rule 43 deny tcp destination-port eq 137 (used by Network Neighborhood file and print sharing; blocking it may break network printers and similar devices)
    rule 44 deny tcp destination-port eq 138 (used by Network Neighborhood file and print sharing; blocking it may break network printers and similar devices)
    rule 45 deny tcp destination-port eq 139 (used by Network Neighborhood file and print sharing; blocking it may break network printers and similar devices)
    rule 47 deny tcp destination-port eq 445 (blocks the Sasser worm)
    rule 50 deny udp destination-port eq 445 (blocks the Sasser worm)
    rule 55 deny tcp destination-port eq 5554 (blocks the Sasser worm)
    rule 57 deny tcp destination-port eq 9996 (blocks the Sasser worm)

    The rule numbers in this note do not correspond to the list above (rule 42 in the list is "deny udp destination-port eq 539", for example); match the annotations by port, not by number. Every rule in the list omits source and destination, so each one matches any source to any destination. Rules such as 22 (TCP 3389, RDP), 24 (UDP snmp) and 15 (UDP 389, LDAP) will therefore also drop legitimate administration, monitoring and directory traffic if the filter is applied on a transit VLAN; scope them to the hosts and VLANs that actually need protecting.

    Rule used to limit worm propagation:

    rule deny udp source any destination any destination-port eq 1434

    UDP 1434 is the SQL Server resolution service port exploited by the SQL Slammer worm, so this rule is a Slammer filter. Worm_MSBlast.A (Blaster) spreads over the DCOM RPC service on TCP 135, fetches its payload with TFTP (UDP 69) and opens a shell on TCP 4444; those ports are covered by rules 8, 12 and 11 in the list above.
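Because the rules in this section are written in Huawei/H3C Comware syntax while the switch is a Cisco 3560, the following Python script is an added example, not the page's code and not either vendor's tooling: it converts such "rule" lines into the "ip access-list extended" entries IOS accepts, including the two rule forms shown on this page (the numbered "rule 0 ... source 0.0.0.0 0 ..." line and the unnumbered "rule deny udp source any ..." line). Assumptions: a rule with no source or destination is any-to-any; a wildcard of 0 is an exact host match (so "0.0.0.0 0" becomes "host 0.0.0.0"); the port names used above resolve to their usual numbers; only the keyword forms that appear on this page are handled; and, because a Comware packet-filter permits traffic that matches no rule while IOS ends every ACL with an implicit deny, the converter appends "permit ip any any" so the translated list keeps the original default-permit behaviour. The ACL name "worm-block" is invented.

```python
# Added example (not the page's or either vendor's code): translate Comware-style
# "rule" lines into IOS extended-ACL entries for a Catalyst 3560.
# Assumptions: no source/destination means any-to-any; wildcard 0 means an
# exact host match; the port names below map to their usual numbers; only the
# keyword forms used on the page are handled (deny/permit, tcp/udp/icmp/ip,
# source/destination with wildcard or "any", source-port/destination-port eq).
from typing import Dict, List

PORT_NAMES: Dict[str, int] = {
    "tftp": 69, "sunrpc": 111, "snmp": 161,
    "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
}


def port_number(tok: str) -> int:
    """Resolve a Comware port keyword or number to a numeric port."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def addr_to_ios(addr: str, wildcard: str) -> str:
    """Comware 'address wildcard' -> IOS form. A bare 0 is shorthand for
    0.0.0.0, i.e. an exact host match, not 'any'."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    if wildcard == "0.0.0.0":
        return f"host {addr}"
    if wildcard == "255.255.255.255":
        return "any"
    return f"{addr} {wildcard}"


def convert_rule(rule: str) -> str:
    """One Comware rule line -> one IOS extended-ACL entry (numeric ports)."""
    toks = rule.split()
    if not toks or toks[0] != "rule":
        raise ValueError(f"not a rule line: {rule!r}")
    toks = toks[1:]
    if toks and toks[0].isdigit():      # the rule number is optional
        toks = toks[1:]
    action, proto = toks[0], toks[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src = dst = "any"
    sport = dport = None
    i = 2
    while i < len(toks):
        key = toks[i]
        if key in ("source", "destination"):
            if toks[i + 1] == "any":
                value, i = "any", i + 2
            else:
                value, i = addr_to_ios(toks[i + 1], toks[i + 2]), i + 3
            if key == "source":
                src = value
            else:
                dst = value
        elif key in ("source-port", "destination-port"):
            if toks[i + 1] != "eq":
                raise ValueError(f"unsupported port operator {toks[i + 1]!r}")
            port, i = port_number(toks[i + 2]), i + 3
            if key == "source-port":
                sport = port
            else:
                dport = port
        else:
            raise ValueError(f"unsupported keyword {key!r}")
    # IOS order: action protocol source [eq sport] destination [eq dport]
    parts = [action, proto, src]
    if sport is not None:
        parts += ["eq", str(sport)]
    parts.append(dst)
    if dport is not None:
        parts += ["eq", str(dport)]
    return " ".join(parts)


def convert_acl(name: str, rules: List[str]) -> List[str]:
    """Whole named extended ACL, one line per entry, ready to paste into IOS."""
    lines = [f"ip access-list extended {name}"]
    lines += [" " + convert_rule(r) for r in rules]
    # A Comware packet-filter lets traffic that matches no rule through by
    # default; IOS ends every ACL with an implicit "deny ip any any", so a
    # ported deny-only list must end with an explicit permit or it blocks
    # everything else as well.
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    sample = [  # constructed subset of the page's list
        "rule 6 deny tcp source-port eq 5554 destination-port eq 9995",
        "rule 8 deny tcp destination-port eq 135",
        "rule 12 deny udp destination-port eq tftp",
        "rule deny udp source any destination any destination-port eq 1434",
    ]
    print("\n".join(convert_acl("worm-block", sample)))
```

Apply the result on the 3560 with "ip access-group worm-block in" on the SVI facing the hosts you want to contain, and confirm with "show access-lists" that the final "permit ip any any" is collecting the hit counts you expect rather than the deny entries above it.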
