Core Switch Security in Practice: Internal Segmentation + Port Blocking + Whitelist Permits, Full Configuration
(Verified on an S7706 | design rationale + traffic flow diagram + complete script for side-by-side reference)
In an enterprise campus network the core switch is the hub for all traffic: every cross-subnet, cross-VLAN and internal/external flow passes through it. Applying unified security traffic control at the core layer delivers three goals (internal zone isolation, blocking of high-risk ports, and whitelisted management access) more efficiently and more thoroughly than deploying the same controls at the egress or the access layer.
This article walks the full chain from design rationale → control rules → configuration logic → deployment method, with production-ready rules, and is aimed at operations, security and MLPS (等保) compliance work.
I. Why enforce security policy on the core switch
- All traffic passes through it, so every cross-subnet access can be controlled
- Strongest lateral isolation inside the network, preventing an attacker from spreading internally
- One configuration, one place to maintain, with no need to repeat the work on every device
- Does not consume egress device capacity; the load moves down to the core layer
- Bidirectional control of inbound and outbound traffic, leaving no blind spots
In one sentence: the egress guards the perimeter and the core guards the inside; together they form a complete security architecture.
II. Policy design goals
The policy delivers three core security capabilities, applied under one ordering principle:
- Isolate mutual access between internal zones, blocking unauthorized lateral movement
- Block high-risk ports network-wide to defend against ransomware, scanning and brute-force attacks
- Permit only designated management IPs to reach the core zone, enforcing least privilege
- Follow "permit first, then deny" so that operations traffic is never blocked by mistake
III. Core control rules
1. Complete isolation between internal subnets
Bidirectional access between the following internal subnets is denied:
- 172.18.27.0/24
- 172.18.28.0/25, 172.18.28.128/25
- 172.18.29.0/25, 172.18.29.128/25
- 172.18.30.0/24
- 172.18.31.0/27
- 172.18.32.0/24
Effect:
Communication between these subnets is denied in every direction and for every IP, giving strong isolation.
Additionally denied:
any address → 172.251.1.0/24 (the core business zone).
2. Equivalent isolation for IPv6 subnets
The following IPv6 subnets receive the same bidirectional isolation as their IPv4 counterparts:
- 2405:XXXX:XXXX:ea0::/64
- 2405:XXXX:XXXX:ed0::/64
- 2405:XXXX:XXXX:e10::/64
- 2405:XXXX:XXXX:ec0::/64
- 2405:XXXX:XXXX:eb0::/64
- 2405:XXXX:XXXX:e90::/64
- 2405:XXXX:XXXX:ee0::/64
Purpose: consistent security across both stacks, leaving no IPv6 blind spot.
3. Network-wide blocking of high-risk ports
The ports most commonly abused inside internal networks are blocked:
- 445 (SMB file sharing)
- 135 (RPC remote procedure call)
- 137/138/139 (NetBIOS)
Coverage:
TCP and UDP, source port and destination port, blocked in both directions.
Purpose: sharply reduces the risk from ransomware, worms and internal scanning.
4. Management IP whitelist (only these two are permitted)
Within the global deny, only the following two IPs may communicate with the core business zone:
- 172.18.27.250
- 172.18.27.251
Permitted:
- management IPs ↔ 172.251.1.0/24, in both directions
Purpose: least-privilege operations; management keeps working while security is preserved.
IV. Configuration logic and deployment steps
Step 1: Define the access control rules
- Create the zone isolation rules: deny mutual access between sensitive internal subnets
- Create the IPv6 isolation rules: mirror the IPv4 rules
- Create the port blocking rules: deny 445/135/137/138/139
- Create the management whitelist rules: permit the designated management IPs
Step 2: Define the traffic classifiers
- Classifier 1: matches all deny rules (subnet isolation + port blocking)
- Classifier 2: matches the management whitelist rules
Step 3: Define the traffic behaviors
- Management whitelist: permit
- Blocked traffic: deny
Step 4: Build the traffic policy
The match order must be: whitelist first, then deny,
so that management traffic is not dropped by mistake.
Step 5: Apply globally
Apply the policy globally on the core switch in both directions:
- inbound
- outbound
One configuration takes effect on every port and every VLAN.
V. Script overview (ready to use for side-by-side comparison)
1. IPv4 isolation rules (every ordered pair of the eight subnets, plus the catch-all deny into the core zone)
```plaintext
acl number 3000
rule 101 deny ip source 172.18.27.0 0.0.0.255 destination 172.18.28.0 0.0.0.127
rule 102 deny ip source 172.18.27.0 0.0.0.255 destination 172.18.30.0 0.0.0.255
rule 103 deny ip source 172.18.27.0 0.0.0.255 destination 172.18.29.0 0.0.0.127
rule 104 deny ip source 172.18.27.0 0.0.0.255 destination 172.18.28.128 0.0.0.127
rule 105 deny ip source 172.18.27.0 0.0.0.255 destination 172.18.29.128 0.0.0.127
rule 106 deny ip source 172.18.27.0 0.0.0.255 destination 172.18.32.0 0.0.0.255
rule 107 deny ip source 172.18.27.0 0.0.0.255 destination 172.18.31.0 0.0.0.31
rule 108 deny ip source 172.18.28.0 0.0.0.127 destination 172.18.27.0 0.0.0.255
rule 109 deny ip source 172.18.28.0 0.0.0.127 destination 172.18.30.0 0.0.0.255
rule 110 deny ip source 172.18.28.0 0.0.0.127 destination 172.18.29.0 0.0.0.127
rule 111 deny ip source 172.18.28.0 0.0.0.127 destination 172.18.28.128 0.0.0.127
rule 112 deny ip source 172.18.28.0 0.0.0.127 destination 172.18.29.128 0.0.0.127
rule 113 deny ip source 172.18.28.0 0.0.0.127 destination 172.18.32.0 0.0.0.255
rule 114 deny ip source 172.18.28.0 0.0.0.127 destination 172.18.31.0 0.0.0.31
rule 115 deny ip source 172.18.30.0 0.0.0.255 destination 172.18.27.0 0.0.0.255
rule 116 deny ip source 172.18.30.0 0.0.0.255 destination 172.18.28.0 0.0.0.127
rule 117 deny ip source 172.18.30.0 0.0.0.255 destination 172.18.29.0 0.0.0.127
rule 118 deny ip source 172.18.30.0 0.0.0.255 destination 172.18.28.128 0.0.0.127
rule 119 deny ip source 172.18.30.0 0.0.0.255 destination 172.18.29.128 0.0.0.127
rule 120 deny ip source 172.18.30.0 0.0.0.255 destination 172.18.32.0 0.0.0.255
rule 121 deny ip source 172.18.30.0 0.0.0.255 destination 172.18.31.0 0.0.0.31
rule 122 deny ip source 172.18.29.0 0.0.0.127 destination 172.18.27.0 0.0.0.255
rule 123 deny ip source 172.18.29.0 0.0.0.127 destination 172.18.28.0 0.0.0.127
rule 124 deny ip source 172.18.29.0 0.0.0.127 destination 172.18.30.0 0.0.0.255
rule 125 deny ip source 172.18.29.0 0.0.0.127 destination 172.18.28.128 0.0.0.127
rule 126 deny ip source 172.18.29.0 0.0.0.127 destination 172.18.29.128 0.0.0.127
rule 127 deny ip source 172.18.29.0 0.0.0.127 destination 172.18.32.0 0.0.0.255
rule 128 deny ip source 172.18.29.0 0.0.0.127 destination 172.18.31.0 0.0.0.31
rule 129 deny ip source 172.18.28.128 0.0.0.127 destination 172.18.27.0 0.0.0.255
rule 130 deny ip source 172.18.28.128 0.0.0.127 destination 172.18.28.0 0.0.0.127
rule 131 deny ip source 172.18.28.128 0.0.0.127 destination 172.18.30.0 0.0.0.255
rule 132 deny ip source 172.18.28.128 0.0.0.127 destination 172.18.29.0 0.0.0.127
rule 133 deny ip source 172.18.28.128 0.0.0.127 destination 172.18.29.128 0.0.0.127
rule 134 deny ip source 172.18.28.128 0.0.0.127 destination 172.18.32.0 0.0.0.255
rule 135 deny ip source 172.18.28.128 0.0.0.127 destination 172.18.31.0 0.0.0.31
rule 136 deny ip source 172.18.29.128 0.0.0.127 destination 172.18.27.0 0.0.0.255
rule 137 deny ip source 172.18.29.128 0.0.0.127 destination 172.18.28.0 0.0.0.127
rule 138 deny ip source 172.18.29.128 0.0.0.127 destination 172.18.30.0 0.0.0.255
rule 139 deny ip source 172.18.29.128 0.0.0.127 destination 172.18.29.0 0.0.0.127
rule 140 deny ip source 172.18.29.128 0.0.0.127 destination 172.18.28.128 0.0.0.127
rule 141 deny ip source 172.18.29.128 0.0.0.127 destination 172.18.31.0 0.0.0.31
rule 142 deny ip source 172.18.32.0 0.0.0.255 destination 172.18.27.0 0.0.0.255
rule 143 deny ip source 172.18.32.0 0.0.0.255 destination 172.18.28.0 0.0.0.127
rule 144 deny ip source 172.18.32.0 0.0.0.255 destination 172.18.30.0 0.0.0.255
rule 145 deny ip source 172.18.32.0 0.0.0.255 destination 172.18.29.0 0.0.0.127
rule 146 deny ip source 172.18.32.0 0.0.0.255 destination 172.18.28.128 0.0.0.127
rule 147 deny ip source 172.18.32.0 0.0.0.255 destination 172.18.31.0 0.0.0.31
rule 148 deny ip source 172.18.31.0 0.0.0.31 destination 172.18.27.0 0.0.0.255
rule 149 deny ip source 172.18.31.0 0.0.0.31 destination 172.18.28.0 0.0.0.127
rule 150 deny ip source 172.18.31.0 0.0.0.31 destination 172.18.30.0 0.0.0.255
rule 151 deny ip source 172.18.31.0 0.0.0.31 destination 172.18.29.0 0.0.0.127
rule 152 deny ip source 172.18.31.0 0.0.0.31 destination 172.18.28.128 0.0.0.127
rule 153 deny ip source 172.18.31.0 0.0.0.31 destination 172.18.29.128 0.0.0.127
rule 154 deny ip source 172.18.31.0 0.0.0.31 destination 172.18.32.0 0.0.0.255
rule 155 deny ip source any destination 172.251.1.0 0.0.0.255
rule 156 deny ip source 172.18.29.128 0.0.0.127 destination 172.18.32.0 0.0.0.255
rule 157 deny ip source 172.18.32.0 0.0.0.255 destination 172.18.29.128 0.0.0.127
```
2. IPv6 isolation rules
```plaintext
acl ipv6 number 3000
rule 101 deny ipv6 source 2405:XXXX:XXXX:ea0::/64 destination 2405:XXXX:XXXX:ed0::/64
rule 102 deny ipv6 source 2405:XXXX:XXXX:ea0::/64 destination 2405:XXXX:XXXX:e10::/64
rule 103 deny ipv6 source 2405:XXXX:XXXX:ea0::/64 destination 2405:XXXX:XXXX:ec0::/64
rule 104 deny ipv6 source 2405:XXXX:XXXX:ea0::/64 destination 2405:XXXX:XXXX:eb0::/64
rule 105 deny ipv6 source 2405:XXXX:XXXX:ea0::/64 destination 2405:XXXX:XXXX:e90::/64
rule 106 deny ipv6 source 2405:XXXX:XXXX:ea0::/64 destination 2405:XXXX:XXXX:ee0::/64
rule 107 deny ipv6 source 2405:XXXX:XXXX:ed0::/64 destination 2405:XXXX:XXXX:ea0::/64
rule 108 deny ipv6 source 2405:XXXX:XXXX:ed0::/64 destination 2405:XXXX:XXXX:e10::/64
rule 109 deny ipv6 source 2405:XXXX:XXXX:ed0::/64 destination 2405:XXXX:XXXX:ec0::/64
rule 110 deny ipv6 source 2405:XXXX:XXXX:ed0::/64 destination 2405:XXXX:XXXX:eb0::/64
rule 111 deny ipv6 source 2405:XXXX:XXXX:ed0::/64 destination 2405:XXXX:XXXX:e90::/64
rule 112 deny ipv6 source 2405:XXXX:XXXX:ed0::/64 destination 2405:XXXX:XXXX:ee0::/64
rule 113 deny ipv6 source 2405:XXXX:XXXX:e10::/64 destination 2405:XXXX:XXXX:ea0::/64
rule 114 deny ipv6 source 2405:XXXX:XXXX:e10::/64 destination 2405:XXXX:XXXX:ed0::/64
rule 115 deny ipv6 source 2405:XXXX:XXXX:e10::/64 destination 2405:XXXX:XXXX:ec0::/64
rule 116 deny ipv6 source 2405:XXXX:XXXX:e10::/64 destination 2405:XXXX:XXXX:eb0::/64
rule 117 deny ipv6 source 2405:XXXX:XXXX:e10::/64 destination 2405:XXXX:XXXX:e90::/64
rule 118 deny ipv6 source 2405:XXXX:XXXX:e10::/64 destination 2405:XXXX:XXXX:ee0::/64
rule 119 deny ipv6 source 2405:XXXX:XXXX:ec0::/64 destination 2405:XXXX:XXXX:ea0::/64
rule 120 deny ipv6 source 2405:XXXX:XXXX:ec0::/64 destination 2405:XXXX:XXXX:ed0::/64
rule 121 deny ipv6 source 2405:XXXX:XXXX:ec0::/64 destination 2405:XXXX:XXXX:e10::/64
rule 122 deny ipv6 source 2405:XXXX:XXXX:ec0::/64 destination 2405:XXXX:XXXX:eb0::/64
rule 123 deny ipv6 source 2405:XXXX:XXXX:ec0::/64 destination 2405:XXXX:XXXX:e90::/64
rule 124 deny ipv6 source 2405:XXXX:XXXX:ec0::/64 destination 2405:XXXX:XXXX:ee0::/64
rule 125 deny ipv6 source 2405:XXXX:XXXX:eb0::/64 destination 2405:XXXX:XXXX:ea0::/64
rule 126 deny ipv6 source 2405:XXXX:XXXX:eb0::/64 destination 2405:XXXX:XXXX:ed0::/64
rule 127 deny ipv6 source 2405:XXXX:XXXX:eb0::/64 destination 2405:XXXX:XXXX:e10::/64
rule 128 deny ipv6 source 2405:XXXX:XXXX:eb0::/64 destination 2405:XXXX:XXXX:ec0::/64
rule 129 deny ipv6 source 2405:XXXX:XXXX:eb0::/64 destination 2405:XXXX:XXXX:e90::/64
rule 130 deny ipv6 source 2405:XXXX:XXXX:eb0::/64 destination 2405:XXXX:XXXX:ee0::/64
rule 131 deny ipv6 source 2405:XXXX:XXXX:e90::/64 destination 2405:XXXX:XXXX:ea0::/64
rule 132 deny ipv6 source 2405:XXXX:XXXX:e90::/64 destination 2405:XXXX:XXXX:ed0::/64
rule 133 deny ipv6 source 2405:XXXX:XXXX:e90::/64 destination 2405:XXXX:XXXX:e10::/64
rule 134 deny ipv6 source 2405:XXXX:XXXX:e90::/64 destination 2405:XXXX:XXXX:ec0::/64
rule 135 deny ipv6 source 2405:XXXX:XXXX:e90::/64 destination 2405:XXXX:XXXX:eb0::/64
rule 136 deny ipv6 source 2405:XXXX:XXXX:e90::/64 destination 2405:XXXX:XXXX:ee0::/64
rule 137 deny ipv6 source 2405:XXXX:XXXX:ee0::/64 destination 2405:XXXX:XXXX:ea0::/64
rule 138 deny ipv6 source 2405:XXXX:XXXX:ee0::/64 destination 2405:XXXX:XXXX:ed0::/64
rule 139 deny ipv6 source 2405:XXXX:XXXX:ee0::/64 destination 2405:XXXX:XXXX:e10::/64
rule 140 deny ipv6 source 2405:XXXX:XXXX:ee0::/64 destination 2405:XXXX:XXXX:ec0::/64
rule 141 deny ipv6 source 2405:XXXX:XXXX:ee0::/64 destination 2405:XXXX:XXXX:eb0::/64
rule 142 deny ipv6 source 2405:XXXX:XXXX:ee0::/64 destination 2405:XXXX:XXXX:e90::/64
```
3. High-risk port blocking rules (TCP and UDP, source and destination port, for each of 445/135/137/138/139)
```plaintext
acl number 3050
rule 5 deny tcp destination-port eq 445
rule 6 deny tcp source-port eq 445
rule 7 deny udp destination-port eq 445
rule 8 deny udp source-port eq 445
rule 10 deny tcp destination-port eq 135
rule 11 deny tcp source-port eq 135
rule 12 deny udp destination-port eq 135
rule 13 deny udp source-port eq 135
rule 15 deny tcp destination-port eq 137
rule 16 deny tcp source-port eq 137
rule 17 deny udp destination-port eq netbios-ns
rule 18 deny udp source-port eq netbios-ns
rule 20 deny tcp destination-port eq 138
rule 21 deny tcp source-port eq 138
rule 22 deny udp destination-port eq netbios-dgm
rule 23 deny udp source-port eq netbios-dgm
rule 25 deny tcp destination-port eq 139
rule 26 deny tcp source-port eq 139
rule 27 deny udp destination-port eq 139
rule 28 deny udp source-port eq 139
```
4. Management IP whitelist rules
```plaintext
acl number 3001
rule 5 permit ip source 172.18.27.250 0 destination 172.251.1.0 0.0.0.255
rule 10 permit ip source 172.18.27.251 0 destination 172.251.1.0 0.0.0.255
rule 15 permit ip source 172.251.1.0 0.0.0.255 destination 172.18.27.250 0
rule 20 permit ip source 172.251.1.0 0.0.0.255 destination 172.18.27.251 0
```
Every rule here carries an explicit ID. On VRP an unnumbered rule is auto-assigned the next ID in steps of 5 (the first two would become 5 and 10), so a later explicit `rule 10` would collide with the second auto-numbered rule; explicit IDs remove that ambiguity.
5. Traffic classifiers
- Classifier 1: matches all deny rules
```plaintext
traffic classifier cl_fengjinduankou operator or
if-match acl 3050
if-match acl 3000
if-match acl ipv6 3000
```
- Classifier 2: matches the management whitelist
```plaintext
traffic classifier be_manage operator and
if-match acl 3001
```
6. Traffic behaviors
- Management: permit
```plaintext
traffic behavior be_manage
permit
```
- Risky traffic: deny
```plaintext
traffic behavior be_fengjinduankou
deny
```
7. Traffic policy (permit first, then deny)
```plaintext
traffic policy po_fengjinduankou match-order config
classifier be_manage behavior be_manage
classifier cl_fengjinduankou behavior be_fengjinduankou
```
8. Global bidirectional application
```plaintext
traffic-policy po_fengjinduankou global inbound
traffic-policy po_fengjinduankou global outbound
```
VI. Deployment precautions
- Configure the whitelist first, then the deny rules, so you do not lock yourself out
- The policy order must put the whitelist first
- Deploy during off-peak hours and observe for 10 to 20 minutes afterwards
- Check the rule match counters to confirm traffic is hitting the intended rules
- Survey the subnets in advance to avoid blocking business traffic; ACL 3050 matches every IP, so any legitimately required cross-subnet SMB or RPC (file servers, domain controllers) needs its own permit placed ahead of it in the policy
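Both the full-mesh requirement from section III and the whitelist-first ordering from step 4 can be checked offline before the script is pushed. The following Python is an added example, not part of the original article or of any Huawei tooling: it parses Huawei-style `rule` lines, reports any ordered subnet pair that lacks a deny rule, and evaluates a flow in policy order. The embedded rules are a constructed subset of the article's ACL 3000 and 3001 (whitelist rule IDs 5 and 15 are assumed) with one direction deliberately omitted so the gap report has something to show.

```python
import ipaddress

def parse_rule(line):
    """Parse 'rule <id> <permit|deny> ip source A W destination B W' (Huawei syntax).
    W is a wildcard: 0.0.0.255 -> /24, 0 -> single host; 'any' carries no wildcard."""
    tok = line.split()
    nets = []
    for key in ("source", "destination"):
        i = tok.index(key) + 1
        if tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            wild = int(ipaddress.IPv4Address(tok[i + 1])) if "." in tok[i + 1] else int(tok[i + 1])
            assert (wild + 1) & wild == 0, "only contiguous wildcards are handled"
            nets.append(ipaddress.ip_network(f"{tok[i]}/{32 - bin(wild).count('1')}", strict=False))
    return tok[2], nets[0], nets[1]  # (action, source net, destination net)

def parse_acl(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip().startswith("rule")]

def missing_pairs(rules, subnets):
    """Every ordered pair of isolation subnets needs a deny rule; return the gaps."""
    denied = {(s, d) for act, s, d in rules if act == "deny"}
    nets = [ipaddress.ip_network(n) for n in subnets]
    return [(str(s), str(d)) for s in nets for d in nets if s != d and (s, d) not in denied]

def evaluate(src, dst, acls_in_policy_order):
    """First matching rule wins, walking ACLs in policy order (match-order config); no match = forwarded."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rules in acls_in_policy_order:
        for act, sn, dn in rules:
            if s in sn and d in dn:
                return act
    return "no-match"

# Constructed subset of the article's ACL 3000: three isolation subnets, with the
# 172.18.30.0/24 -> 172.18.27.0/24 direction (rule 115) deliberately left out.
ISOLATION = parse_acl("""
rule 101 deny ip source 172.18.27.0 0.0.0.255 destination 172.18.28.0 0.0.0.127
rule 102 deny ip source 172.18.27.0 0.0.0.255 destination 172.18.30.0 0.0.0.255
rule 108 deny ip source 172.18.28.0 0.0.0.127 destination 172.18.27.0 0.0.0.255
rule 109 deny ip source 172.18.28.0 0.0.0.127 destination 172.18.30.0 0.0.0.255
rule 116 deny ip source 172.18.30.0 0.0.0.255 destination 172.18.28.0 0.0.0.127
rule 155 deny ip source any destination 172.251.1.0 0.0.0.255
""")
# Management whitelist (ACL 3001) for 172.18.27.250 in both directions; rule IDs assumed.
WHITELIST = parse_acl("""
rule 5 permit ip source 172.18.27.250 0 destination 172.251.1.0 0.0.0.255
rule 15 permit ip source 172.251.1.0 0.0.0.255 destination 172.18.27.250 0
""")
SUBNETS = ["172.18.27.0/24", "172.18.28.0/25", "172.18.30.0/24"]
```

Running `missing_pairs(ISOLATION, SUBNETS)` reports the omitted 172.18.30.0/24 → 172.18.27.0/24 pair, and evaluating the management IP against 172.251.1.0/24 returns permit with `[WHITELIST, ISOLATION]` but deny with the ACLs reversed, which is exactly the lock-out the ordering rule prevents.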
VII. Summary
This security traffic policy, deployed on the core switch, is a standard solution for enterprise internal network security:
- Zone isolation: blocks lateral movement inside the network
- Port blocking: defends against ransomware and worms
- Whitelist permits: least-privilege operations
- Global bidirectional enforcement: configure once, secure the whole network
It can be deployed directly in campus, government, school and enterprise internal networks, meets MLPS 2.0 requirements, and is stable, efficient and easy to maintain.