This document uses a Huawei S5720 switch as an example to configure an anti-virus policy on the switch, used to guard against worm attacks and propagation. The specific configuration is as follows:
1. Create one advanced ACL (access control list); here it is named virus:
acl name virus
2. In that ACL, add the following rules:
rule permit tcp source any destination any destination-port eq 135
rule permit udp source any destination any destination-port eq 135
rule permit udp source any destination any destination-port eq 137
rule permit udp source any destination any destination-port eq 138
rule permit tcp source any destination any destination-port eq 139
rule permit udp source any destination any destination-port eq 139
rule permit tcp source any destination any destination-port eq 445
rule permit udp source any destination any destination-port eq 445
rule permit tcp source any destination any destination-port eq 593
rule permit udp source any destination any destination-port eq 593
rule permit udp source any destination any destination-port eq 1434
rule permit tcp source any destination any destination-port eq 4444
rule permit tcp source any destination any destination-port eq 5554
rule permit tcp source any destination any destination-port eq 9995
rule permit tcp source any destination any destination-port eq 9996
3. Configure a traffic classifier based on the ACL:
traffic classifier virus
if-match acl virus
4. Configure the traffic behavior:
traffic behavior virus_deny
deny
5. Create the traffic policy:
traffic policy virus_deny
classifier virus behavior virus_deny
6. Finally, apply the traffic policy named virus_deny to the specific switch interface(s). The command to apply the policy (entered in the interface view) is:
traffic-policy virus_deny inbound
or traffic-policy virus_deny outbound
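As an added example (not from this page or from Huawei's own tooling), the following Python script models the ACL "virus" and the policy "virus_deny" above, so you can check offline which flows the policy would drop before applying it to a production interface, and lists the ports covered for only one of tcp/udp. It assumes, as a simplification, that the classifier matches only the ACL's permit rules.

```python
from typing import NamedTuple

# The rule lines of ACL "virus" from this page, embedded as constructed input.
ACL_VIRUS = """
rule permit tcp source any destination any destination-port eq 135
rule permit udp source any destination any destination-port eq 135
rule permit udp source any destination any destination-port eq 137
rule permit udp source any destination any destination-port eq 138
rule permit tcp source any destination any destination-port eq 139
rule permit udp source any destination any destination-port eq 139
rule permit tcp source any destination any destination-port eq 445
rule permit udp source any destination any destination-port eq 445
rule permit tcp source any destination any destination-port eq 593
rule permit udp source any destination any destination-port eq 593
rule permit udp source any destination any destination-port eq 1434
rule permit tcp source any destination any destination-port eq 4444
rule permit tcp source any destination any destination-port eq 5554
rule permit tcp source any destination any destination-port eq 9995
rule permit tcp source any destination any destination-port eq 9996
"""

class Rule(NamedTuple):
    action: str  # permit / deny
    proto: str   # tcp / udp
    dport: int   # destination port (these rules only use "eq")

def parse_acl(text: str) -> list[Rule]:
    """Parse 'rule <action> <proto> ... destination-port eq <port>' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) > 3 and t[0] == "rule" and "eq" in t:
            rules.append(Rule(t[1], t[2], int(t[t.index("eq") + 1])))
    return rules

def policy_action(rules: list[Rule], proto: str, dport: int) -> str:
    """Model of policy virus_deny: a flow hitting a permit rule is matched by
    classifier 'virus' and dropped by behavior 'virus_deny' (assumed
    simplification: only permit rules count); everything else is forwarded."""
    hit = any(r.action == "permit" and (r.proto, r.dport) == (proto, dport)
              for r in rules)
    return "deny" if hit else "permit"

def one_sided_ports(rules: list[Rule]) -> dict[int, str]:
    """Ports blocked for only one of tcp/udp, to confirm the asymmetry is
    intended (e.g. 1434 is udp-only, 4444 is tcp-only)."""
    covered: dict[int, set[str]] = {}
    for r in rules:
        covered.setdefault(r.dport, set()).add(r.proto)
    return {p: next(iter(s)) for p, s in covered.items() if len(s) == 1}
```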