Manualshelf

R21xx-HP FlexFabric 11900 Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP FlexFabric 11000 Switch Products
161162163164165166167168169170
155
consumes more system resources when multiple data flows exist between two subnets to be
protected.
Protocols and standards
RFC 2401, Security Architecture for the Internet Protocol
RFC 2402, IP Authentication Header
RFC 2406, IP Encapsulating Security Payload
RFC 4552, Authentication/Confidentiality for OSPFv3
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non
-FIPS mode.
IPsec tunnel establishment
The switch supports establishing only ACL-based IPsec tunnels.
ACL-based IPsec tunnel—Protects packets identified by an ACL. To establish an ACL-based IPsec tunnel,
configure an IPsec policy, reference an ACL in the policy, and apply the policy to a physical interface. By
referencing various ACL rules, you can configure flexible IPsec policies according to your network
conditions.
Implementing ACL-based IPsec
To ensure a successful ACL-based IPsec setup, read the feature restrictions and guidelines carefully before
you configure an ACL-based IPsec tunnel.
Feature restrictions and guidelines
ACL-based IPsec can protect only traffic that is generated by the device and traffic that is destined for the
device. You cannot use an ACL-based IPsec tunnel to protect user traffic. In the ACL that is used to identify
IPsec protected traffic, ACL rules that match traffic forwarded through the device do not take effect. For
example, an ACL-based IPsec tunnel can protect log messages the device sends to a log server, but it
cannot protect traffic that is forwarded by the device for two hosts, even if the host-to-host traffic matches
an ACL permit rule. For more information about configuring an ACL for IPsec, see "Configuring an ACL."
Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and
50, respectively. Make sure flows of these protocols are not denied on the interfaces with IKE or IPsec
configured.
ACL-based IPsec configuration task list
The following is the generic configuration procedure for implementing ACL-based IPsec:
1. Configure an ACL for identifying data flows to be protected.
2. Configure IPsec transform sets to specify the security protocols, authentication and encryption
algorithms, and the encapsulation mode.