R2511-HP MSR Router Series Security Configuration Guide(V5)
Configuration procedure
Configuring port security features
Configuring NTK
Configuring intrusion protection
Enabling port security traps
Configuring secure MAC addresses
Configuration prerequisites
Configuration procedure
Configuring port security for WLAN ports
Setting the port security mode of a WLAN port
Enabling key negotiation
Configuring a PSK
Ignoring authorization information from the server
Displaying and maintaining port security
Port security configuration examples
Configuring the autoLearn mode
Configuring the userLoginWithOUI mode
Configuring the macAddressElseUserLoginSecure mode
Troubleshooting port security
Cannot set the port security mode
Cannot configure secure MAC addresses
Cannot change port security mode when a user is online
Configuring IPsec
Overview
Basic concepts
IPsec implementation on an encryption card
IPsec tunnel interface
IPsec for IPv6 routing protocols
IPsec RRI
Protocols and standards
FIPS compliance
Implementing IPsec
Implementing ACL-based IPsec
Configuring an ACL
Configuring an IPsec transform set
Configuring an IPsec policy
Applying an IPsec policy group to an interface
Binding an IPsec policy, IPsec policy group, or IPsec profile to an encryption card
Enabling the encryption engine
Enabling the IPsec module backup function
Configuring the IPsec session idle timeout
Enabling ACL checking of de-encapsulated IPsec packets
Configuring the IPsec anti-replay function
Configuring a shared source interface policy group
Configuring packet information pre-extraction
Enabling invalid SPI recovery
Configuring IPsec RRI
Enabling transparent data transmission without NAT
Enabling fragmentation before/after encryption
Implementing tunnel interface-based IPsec
Configuring an IPsec profile
Configuring an IPsec tunnel interface
Enabling packet information pre-extraction on the IPsec tunnel interface
Applying a QoS policy to an IPsec tunnel interface










