Does the identity filter need to be configured on an AR configured with IPSec

33

Generally, you may not configure an identity filter set when configuring IPSec on an AR router. In some special scenarios, for example, an IPSec over DSVPN application, multiple mGRE tunnel interfaces are configured on the Hub which provides only one IP address for Spoke access. The mGRE tunnel interfaces use the same source address or source interface. In this scenario, the AR router needs to determine the mGRE tunnel interface of each IKE packet based on parameters in the identity filter set. If no identity filter set is configured, the IPSec tunnel cannot be established.

Other related questions:
Does the deep security defense function of an AR router need a license
Whether the deep security defense function of an AR router needs a license is subject to the router model and software version. For details, see the product manuals of corresponding software versions. For example, for a router with the V200R007 software, choose IPS Configuration > Configuration Notes and URL Filtering Configuration > Configuration Notes in the Security Configuration Guide > Deep Security Defense Configuration through the URL: AR100&AR120&AR150&AR160&AR200&AR1200& AR1600&AR2200&AR3200&AR3600 V200R007 Product Documentation.

How to configure URL filtering function on AR routers
AR150, AR160, AR200, AR1200, and AR2200 series (AR2201 and AR2202) do not support deep security function, that is, do not support the URL filtering function. The URL filtering function can be configured in CLI based on the following roadmap: 1. Purchase a license and activate it properly. 2. Configure the URL filtering template. 3. Bind the URL filtering template in the security policy. 4. Apply the security policy in the interzone. For details about the configuration and related screenshots, see the following URL of the Huawei enterprise technical forum: The AR router configures URL filtering from the command line For details about the configuration in Web management page and related description, see the following URL: AR router WEB interface configuration

Does the CT license need to be configured on the AR that is connected to an IP phone
The CT license is not required when the IP phone connects to the AR router. The CT license is used to implement call transfer over a trunk. That is, calls received over one trunk are forwarded over another trunk.

Configure the traffic-filter command to filter packets
On Eth2/0/0, you can configure packet filtering based on an ACL that permits packets with source IP address 192.168.0.2/32 as follows: system-view [Huawei] acl 3000 [Huawei-acl-adv-3000] rule 5 permit ip source 192.168.0.2 0 [Huawei-acl-adv-3000] quit [Huawei] interface ethernet 2/0/0 [Huawei-Ethernet2/0/0] traffic-filter inbound acl 3000

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top