R3303-HP HSR6800 Routers Security Configuration Guide

  Enabling source MAC consistency check for ND packets
Configuring URPF
  Overview
    URPF check modes
    URPF features
    URPF work flow
    Network application
  Configuring URPF on an interface
  URPF configuration example
    Network requirements
    Configuration procedure
Configuring FIPS
  Overview
  FIPS self-tests
    Power-up self-tests
    Conditional self-tests
    Triggering a self-test
  Configuration changes in FIPS mode
  Configuration considerations
  Enabling FIPS mode
  Displaying and maintaining FIPS
  FIPS configuration example
    Network requirements
    Configuration procedure
    Verifying the configuration
Configuring group domain VPN
  Overview
    Group domain VPN structure
    Group domain VPN establishment
    KS redundancy
    Protocols and standards
  Configuration restrictions and guidelines
  Configuring the GDOI KS
    GDOI KS configuration task list
    Configuring basic settings for a GDOI KS group
    Configuring GDOI KS redundancy
    Specifying the source address for packets sent by the KS
    Configuring rekey parameters
    Displaying and maintaining GDOI KS
  Configuring the GDOI GM
    GDOI GM configuration task list
    Configuring a GDOI GM group
    Configuring a GDOI IPsec policy
    Applying a GDOI IPsec policy to an interface
    Displaying and maintaining GM
  Group domain VPN configuration example
    Network requirements
    Configuration procedure
  Troubleshooting group domain VPN
    IKE SA negotiation failure
    GM registration failure
    KS redundancy failure