How many security policy groups can an interface of an AR router apply

1

One interface of an AR router can apply only one security policy group, and vice versa (except for the multilink shared security policy group). To apply another security policy group on the interface, cancel the previous policy from the interface first.

Other related questions:
How Many Security Groups Can Each User Have?

Each user can have a maximum of 100 security groups and 5000 security group rules.

When creating an ECS, you can select multiple security groups (no more than five is recommended).


How to configure interface groups on AR routers
If users need to perform the same configuration on multiple Ethernet interfaces, they can add the Ethernet interfaces to an interface group. Users only need to run the configuration command of a function once in the interface group view to configure the function for all Ethernet interfaces in the interface group. In this way, interfaces can be configured in batches and repeated configurations are reduced.

Interfaces can be added to two types of interface groups: permanent interface groups and temporary interface groups, which have the same function. However, a temporary group is automatically deleted by the system after you quit the view of the temporary interface group.

Configure a permanent interface group as follows:
[Huawei] port-group portgroup1
[Huawei-port-group-portgroup1] group-member ethernet2/0/0 to ethernet2/0/1 //Add interface Eth2/0/0 and interface Eth2/0/1 to the interface group portgroup1.

Configure a temporary interface group as follows:
[Huawei] port-group group-member ethernet2/0/0 to ethernet2/0/1 //Add interface Eth2/0/0 and interface Eth2/0/1 to a temporary interface group.

AR550 series products do not support interface groups.

Can I apply a traffic policy to an interface on an S series switch
For S series switches (except the S1700), a traffic policy can be applied to an interface. The application procedure is as follows:
1. Run the system-view command to enter the system view.
2. Run the interface interface-type interface-number[.subinterface-number] command to enter the interface or sub-interface view.
3. Run the traffic-policy policy-name { inbound | outbound } command to apply a traffic policy in the interface or sub-interface view.

Note: A traffic policy can be applied to a sub-interface only when the switch or card model supports sub-interfaces.

A traffic policy can only be applied to one direction on an interface, but can be applied to different directions on different interfaces. After a traffic policy is applied to an interface, the system performs traffic policing for all the incoming or outgoing packets that match traffic classification rules on the interface.

Note: MQC cannot be configured on the S2700SI.

Create a security zone and add interfaces into the security zone on an AR router
A router treats data flows within a security zone as trusted, so no security policy needs to be implemented for them. If data flows occur between different security zones, the security check function of the firewall is triggered and the corresponding policy is implemented.

To configure firewall services, create the relevant security zones and specify priorities for them, so that the deployment of security services can be determined according to the priorities between different security zones. The specified priorities cannot be modified; otherwise, other configuration cannot be performed. Different security zones have different priorities. The larger the value, the higher the priority of a zone. After a security zone is created, interfaces must be added to the zone to activate the firewall.

The specific configuration procedure is as follows:
1. Run the system-view command to access the system view.
2. Run the firewall zone zone-name command to create a security zone. By default, no security zone is created on the router.
3. Run the priority security-priority command to configure a priority for the security zone.
4. Run the quit command to return to the system view.
5. Run the interface interface-type interface-number command to access the interface view.
6. Run the zone zone-name command to add the interface to the security zone. //Each security zone can contain multiple interfaces, but an interface can be added to one zone only.

Note: The router automatically creates a security zone named Local, which has the highest priority. This security zone cannot be deleted and cannot contain any interface, and its priority cannot be modified. The Local security zone can be used to apply the firewall functions to the control packets that are reported to this router.
For details about the commands for creating a security zone and adding interfaces into the security zone as well as creating an interzone, see the URL: The AR router creates a security domain and adds the interface to the security zone.
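The zone rules above can be checked offline against a saved configuration. The following is an added example, not Huawei's own code or tooling: a small Python audit that flags zones without a priority, zones sharing a priority, zones with no interface, and interfaces that are in no zone or in an undefined zone. The sample configuration text, zone names, priority values and interface names are constructed assumptions.

```python
from collections import Counter

# Constructed sample; zone names, priorities and interface names are assumptions.
SAMPLE = """\
firewall zone trust
 priority 14
firewall zone untrust
 priority 1
firewall zone dmz
 priority 1
firewall zone guest
interface GigabitEthernet1/0/0
 zone trust
interface GigabitEthernet2/0/0
 zone lab
interface GigabitEthernet3/0/0
"""

def audit_zones(config):
    """Return findings where a configuration breaks the zone rules above."""
    zones, ifaces, kind, name = {}, {}, None, None
    for raw in filter(str.strip, config.splitlines()):
        words = raw.split()
        if not raw[0].isspace():              # top-level line opens a new section
            kind, name = " ".join(words[:-1]), words[-1]
            if kind == "firewall zone":
                zones.setdefault(name, None)
            elif kind == "interface":
                ifaces.setdefault(name, None)
        elif kind == "firewall zone" and words[0] == "priority":
            zones[name] = int(words[1])
        elif kind == "interface" and words[0] == "zone":
            ifaces[name] = words[1]
    shared = Counter(p for p in zones.values() if p is not None)
    out, used = [], set(ifaces.values())
    for z, p in zones.items():
        if p is None:
            out.append(f"zone {z}: no priority configured")
        elif shared[p] > 1:
            out.append(f"zone {z}: priority {p} is shared with another zone")
        if z not in used:
            out.append(f"zone {z}: contains no interface")
    for i, z in ifaces.items():
        if z is None:
            out.append(f"interface {i}: not in any security zone")
        elif z not in zones:
            out.append(f"interface {i}: zone {z} is not defined")
    return out
```

Calling audit_zones(SAMPLE) returns one line per finding; an empty list means every zone has a unique priority and at least one interface, and every interface belongs to a defined zone.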

Can the E1 interface of an AR router interconnect with MP-group interfaces
The E1 interface of an AR router cannot interconnect with MP-group interfaces. The network works properly only when the configurations of the interfaces on both interconnected ends are consistent.
