Why cannot an AR router filter packets it sends


The forwarding plane of an AR router is separate from its control plane. Security policies configured on the router (for example, ACL-based packet filtering on an interface or between security zones) are enforced by the forwarding plane on packets that transit the router. Packets that the router itself originates from its control plane never pass through that filtering, so the configured policies do not apply to them.

Other related questions:
Why cannot an AR router send trap messages

SNMP provides the trap function, which controls whether trap messages are output at all. An AR router generates trap messages only after the trap function has been enabled on it.

Perform the following operations to enable the trap function on an AR router:

  1. Run the system-view command to enter the system view.
  2. Run the snmp-agent trap enable command to enable the AR router to send trap messages to the NMS.
  3. Run the snmp-agent target-host trap-paramsname paramsname v1 securityname securityname [ binding-private-value ] [ trap-filterprofilename filterprofilename ] [ private-netmanager ] command to set the parameters used when sending trap messages.
    NOTE:
    • V200R001C01 and later versions support binding-private-value.
    • V200R002C00 and later versions support private-netmanager.
  4. Run the snmp-agent target-host trap-hostname hostname address ipv4-addr [ udp-port udp-portid ] [ public-net | vpn-instance vpn-instance-name ] trap-paramsname paramsname command to specify the destination host that receives trap messages and error codes.
    NOTE:

    The default destination UDP port number is 162. To reduce the exposure of the NMS, use the udp-port parameter of this command to change the destination port to a non-well-known port. A non-default port only makes the trap traffic less obvious to scanners; it does not protect its contents. With v1 (and v2c) the securityname is a community string that is carried in cleartext, so where the NMS supports it, prefer an SNMPv3 parameter set with authentication and privacy.


Why cannot an AR router be configured with IP packet check options
IP packet check options can be configured only on a Layer 2 interface of an AR router, using the ip source check command. They cannot be configured on a Layer 3 interface; the interface must first be converted to a Layer 2 interface before IP packet check options can be configured on it.

Configure the ACL-based packet filtering firewall on an AR router
The packet filtering firewall filters packets based on a configured ACL. When data flows cross between two security zones, the packet filtering firewall applies its filter policy to them according to the ACL rules. Configure it as follows, starting in the system view:

  1. Run the acl [ number ] acl-number [ match-order { config | auto } ] command to create an ACL and enter the ACL view.
    NOTE:
    The packet filtering firewall can use basic ACLs and advanced ACLs.
  2. Run the rule command in the ACL view to configure ACL rules.
  3. Run the quit command to return to the system view.
  4. Run the firewall interzone zone-name1 zone-name2 command to enter the interzone view.
  5. Run the packet-filter acl-number { inbound | outbound } command to configure the ACL-based packet filtering firewall. The filter configured for an interzone can be set separately for the inbound and outbound directions.

For details about the commands for configuring the ACL-based packet filtering firewall on AR series routers, see the document "The AR router configures the ACL packet filtering firewall".

Why does the AR router not raise alarms
SNMP provides an alarm control function that controls whether a module outputs alarms. A device raises alarms only when this function is enabled on it. To enable the alarm control function, perform the following steps:

  1. Run the system-view command to enter the system view.
  2. Run the snmp-agent trap enable command to enable the device to send alarms to the NMS.
  3. Run the snmp-agent target-host trap-paramsname paramsname v1 securityname securityname [ binding-private-value ] [ trap-filterprofilename filterprofilename ] [ private-netmanager ] command to set the parameters of the trap messages sent by the device.
  4. Run the snmp-agent target-host trap-hostname hostname address ipv4-addr [ udp-port udp-portid ] [ public-net | vpn-instance vpn-instance-name ] trap-paramsname paramsname command to configure the target host to which the device sends alarms and error codes.
    NOTE:
    • binding-private-value is supported in V200R001C01 and later.
    • private-netmanager is supported in V200R002C00 and later.
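The following CLI session is an added example, not taken from the original page, that carries out the trap procedure above (the same steps as in "Why cannot an AR router send trap messages") end to end. The NMS address 10.1.1.100, the host name nms-main, the parameter set name nms-params, the community string Nms-Trap-Ro and the destination port 10162 are assumptions chosen for illustration; the snmp-agent sys-info version line is included because on some software versions the SNMP version referenced by the parameter set must be enabled explicitly before traps in that version are sent.

```text
<Huawei> system-view
[Huawei] snmp-agent
[Huawei] snmp-agent sys-info version v1
[Huawei] snmp-agent trap enable
[Huawei] snmp-agent target-host trap-paramsname nms-params v1 securityname Nms-Trap-Ro
[Huawei] snmp-agent target-host trap-hostname nms-main address 10.1.1.100 udp-port 10162 trap-paramsname nms-params
[Huawei] quit
<Huawei> save
```

After the save, the NMS must listen on UDP port 10162 instead of the default 162, and its receive filter must accept community Nms-Trap-Ro; a mismatch in either silently drops every trap. Because v1 sends the community string in cleartext, the same command accepts v3 in place of v1 with an SNMPv3 user instead of a community, which is the preferred form when the NMS supports it.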

Query the ACL hit count configured for the packet filtering firewall on an AR router
To query the hit count of the ACL configured for the packet filtering firewall on an AR router, do as follows:

  1. Run the traffic classifier classifier-name command in the system view to create a traffic classifier and enter the traffic classifier view. Then run the if-match acl { acl-number | acl-name } command to configure the matching rule of the traffic classifier.
  2. Run the traffic behavior behavior-name command in the system view to create a traffic behavior and enter the traffic behavior view. Then run the statistic enable command to enable traffic statistics.
  3. Run the traffic policy policy-name command in the system view to create a traffic policy and enter the traffic policy view. Then run the classifier classifier-name behavior behavior-name command to bind the traffic classifier to the traffic behavior in the policy.
  4. Run the traffic-policy policy-name inbound command in the view of the interface on which packets are to be counted.
  5. Run the display traffic policy statistics interface interface-type interface-number inbound verbose rule-base command to query, per ACL rule, the hit count on that interface.
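The CLI session below is an added example, not taken from the original page, covering both "Configure the ACL-based packet filtering firewall on an AR router" and the hit-count procedure above. It builds an advanced ACL, places two interfaces in a trust and an untrust zone, filters traffic entering the trust zone from the untrust zone, and then counts matches of the same ACL per rule on the untrust-facing interface. The interface names, zone priorities, addresses, and the classifier, behavior and policy names are assumptions; the scenario is a server at 10.0.0.10 in the trust zone that should be reachable on TCP 443 (and by ping) only from 192.168.10.0/24 on the untrust side.

```text
<Huawei> system-view
[Huawei] acl 3001
[Huawei-acl-adv-3001] rule 5 permit tcp source 192.168.10.0 0.0.0.255 destination 10.0.0.10 0 destination-port eq 443
[Huawei-acl-adv-3001] rule 10 permit icmp source 192.168.10.0 0.0.0.255 destination 10.0.0.10 0
[Huawei-acl-adv-3001] rule 100 deny ip
[Huawei-acl-adv-3001] quit
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 15
[Huawei-zone-trust] add interface GigabitEthernet0/0/1
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] add interface GigabitEthernet0/0/2
[Huawei-zone-untrust] quit
[Huawei] firewall interzone trust untrust
[Huawei-interzone-trust-untrust] firewall enable
[Huawei-interzone-trust-untrust] packet-filter 3001 inbound
[Huawei-interzone-trust-untrust] quit
[Huawei] traffic classifier c-fw-3001
[Huawei-classifier-c-fw-3001] if-match acl 3001
[Huawei-classifier-c-fw-3001] quit
[Huawei] traffic behavior b-count
[Huawei-behavior-b-count] statistic enable
[Huawei-behavior-b-count] quit
[Huawei] traffic policy p-count
[Huawei-trafficpolicy-p-count] classifier c-fw-3001 behavior b-count
[Huawei-trafficpolicy-p-count] quit
[Huawei] interface GigabitEthernet0/0/2
[Huawei-GigabitEthernet0/0/2] traffic-policy p-count inbound
[Huawei-GigabitEthernet0/0/2] quit
[Huawei] display traffic policy statistics interface GigabitEthernet0/0/2 inbound verbose rule-base
```

In the interzone view, inbound means traffic flowing from the lower-priority zone (untrust, priority 1) to the higher-priority zone (trust, priority 15), so packet-filter 3001 inbound guards the server. The explicit rule 100 deny ip makes the filter's behaviour for unmatched packets independent of the platform default, and it also gives the per-rule display a counter for dropped traffic. Note that the counters come from the traffic policy on the interface, not from the interzone firewall itself: they record how many packets entering GigabitEthernet0/0/2 matched each rule of ACL 3001, which is what the question asks for, but they are not a log of the firewall's own permit or deny decisions. Whether a traffic classifier counts packets that match a deny rule in the referenced ACL can depend on the software version; if the deny counter stays at zero while traffic is visibly being dropped, verify this for your version.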
