1. Block high-risk ports with an ACL and permit only the access that is actually needed
The ACL can be applied on the port itself, or on the Layer 3 interface of the VLAN the port belongs to.
#
acl number 3200
rule 210 deny tcp destination-port eq 135
rule 220 deny tcp destination-port eq 137
rule 230 deny tcp destination-port eq 138
rule 240 deny tcp destination-port eq 139
rule 250 deny tcp destination-port eq 445
rule 260 deny udp destination-port eq 135
rule 270 deny udp destination-port eq netbios-ns
rule 280 deny udp destination-port eq netbios-dgm
rule 290 deny udp destination-port eq netbios-ssn
rule 300 deny udp destination-port eq 445
rule 400 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 1000 deny tcp
rule 2000 deny udp
#
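Rule order decides the outcome of ACL 3200: the port-specific deny rules (210-300) are matched before the subnet permit (400), so SMB/NetBIOS traffic is dropped even between the two permitted subnets, and rules 1000/2000 catch all remaining TCP/UDP. The following first-match evaluator is an added example, not configuration from the original page; it assumes rules are matched in ascending rule-number order and that a packet matching no rule falls to the packet filter's default action (taken here as permit, which should be verified on the actual device).

```python
# Added example: first-match evaluation of the ACL 3200 rules shown above.
# Assumptions: rules are matched in ascending rule-number order, and a packet
# that matches no rule gets the default action (permit here; check your platform).
import ipaddress

# (rule_id, action, proto, src_net, dst_net, dst_port); None means "any".
# Transcribed from ACL 3200; netbios-ns/netbios-dgm/netbios-ssn are UDP 137/138/139.
HIGH_RISK_PORTS = (135, 137, 138, 139, 445)
ACL_3200 = [
    *[(210 + 10 * i, "deny", "tcp", None, None, p) for i, p in enumerate(HIGH_RISK_PORTS)],
    *[(260 + 10 * i, "deny", "udp", None, None, p) for i, p in enumerate(HIGH_RISK_PORTS)],
    (400, "permit", "ip", "192.168.10.0/24", "192.168.20.0/24", None),
    (1000, "deny", "tcp", None, None, None),
    (2000, "deny", "udp", None, None, None),
]

def _in_net(addr, net):
    """True when the rule has no network constraint or addr lies inside it."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(acl, proto, src, dst, dport=None, default="permit"):
    """Return (action, rule_id) of the first matching rule, or (default, None)."""
    for rule_id, action, r_proto, r_src, r_dst, r_port in sorted(acl, key=lambda r: r[0]):
        if r_proto != "ip" and r_proto != proto:      # "ip" rules match any protocol
            continue
        if not (_in_net(src, r_src) and _in_net(dst, r_dst)):
            continue
        if r_port is not None and r_port != dport:     # destination-port eq <port>
            continue
        return action, rule_id
    return default, None

if __name__ == "__main__":
    # Constructed sample packets (proto, src, dst, dst_port).
    checks = [
        ("tcp", "192.168.10.5", "192.168.20.8", 445),   # SMB between permitted subnets: deny (rule 250)
        ("tcp", "192.168.10.5", "192.168.20.8", 80),    # web between permitted subnets: permit (rule 400)
        ("tcp", "192.168.30.5", "192.168.20.8", 80),    # other source subnet: deny (rule 1000)
        ("icmp", "192.168.30.5", "192.168.20.8", None), # not TCP/UDP: no rule matches, default action
    ]
    for c in checks:
        print(c, "->", evaluate(ACL_3200, *c))
```

The last sample shows that rules 1000/2000 only cover TCP and UDP; any other protocol is decided by the packet filter's default action rather than by this ACL.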
2. Bind IP and MAC addresses on the port to prevent unauthorized users from connecting
#
ip verify source ip-address mac-address
ip source binding ip-address 192.168.1.1 mac-address 0021-5236-3250
#
3. Enable broadcast and multicast storm suppression on the port; in this example the limit is the maximum number of broadcast packets forwarded per second
#
broadcast-suppression pps 6400
multicast-suppression pps 6400
#
4. If STP is enabled on the switch, configure the port as an edge port and enable BPDU protection on it
#
stp edged-port enable
stp port bpdu-protection enable
#