HP FlexFabric 11000 Switch Products : R21xx-HP FlexFabric 11900 Security Configuration Guide : Page 6

iv

Configuring ARP packet validity check ············································································································· 132

Configuring ARP restricted forwarding ············································································································· 133

Displaying and maintaining ARP detection ······································································································ 133

User validity check and ARP packet validity check configuration example ·················································· 133

Configuring ARP automatic scanning and fixed ARP ······························································································· 135

Configuration guidelines ···································································································································· 135

Configuration procedure ···································································································································· 135

Configuring ARP gateway protection ························································································································ 136

Configuration guidelines ···································································································································· 136

Configuration procedure ···································································································································· 136

Configuration example ······································································································································· 136

Configuring ARP filtering ············································································································································· 137

Configuration guidelines ···································································································································· 137

Configuration procedure ···································································································································· 137

Configuration example ······································································································································· 138

Configuring uRPF ····················································································································································· 139

uRPF check modes ························································································································································ 139

uRPF work flow ····························································································································································· 139

Network application ···················································································································································· 142

Configuration procedure ············································································································································· 142

Configuration example ················································································································································ 143

Network requirements ········································································································································· 143

Configuration procedure ···································································································································· 143

Configuring FIPS······················································································································································ 144

Overview ······································································································································································· 144

Startup methods for entering the FIPS mode ····································································································· 144

Configuration changes in FIPS mode ················································································································ 145

Configuration restrictions and guidelines ·················································································································· 145

Enabling FIPS mode ····················································································································································· 146

FIPS self-tests ································································································································································· 146

Power-up self-test ················································································································································· 147

Conditional self-test ············································································································································· 147

Triggering a self-test ············································································································································ 147

Displaying and maintaining FIPS ······························································································································· 147

FIPS configuration examples ······································································································································· 148

FIPS configuration example (automatic reboot) ······························································································· 148

FIPS configuration example (manual reboot) ··································································································· 149

Configuring IPsec ···················································································································································· 151

Overview ······································································································································································· 151

Security protocols and encapsulation modes ··································································································· 151

Security association ············································································································································· 153

Authentication and encryption ··························································································································· 153

IPsec implementation ··········································································································································· 154

Protocols and standards ····································································································································· 155

FIPS compliance ··························································································································································· 155

IPsec tunnel establishment ··········································································································································· 155

Implementing ACL-based IPsec ··································································································································· 155

Feature restrictions and guidelines ···················································································································· 155

ACL-based IPsec configuration task list ············································································································· 155

Configuring an ACL ············································································································································ 156

Configuring an IPsec transform set ···················································································································· 157

Configuring a manual IPsec policy···················································································································· 159

Configuring an IKE-based IPsec policy ············································································································· 161