Configuring URPF ···················································································································································· 268

URPF check modes ·············································································································································· 268

URPF work flow ···················································································································································· 268

Network application ··········································································································································· 271

URPF configuration example ······························································································································ 272

Configuring MFF ····················································································································································· 273

Basic concepts ····················································································································································· 274

MFF operation modes ········································································································································· 274

MFF work flow ····················································································································································· 275

Protocols and standards ····································································································································· 275

Displaying and maintaining MFF ······························································································································· 277

MFF configuration examples ······································································································································· 277

Configuring auto-mode MFF in a tree network ································································································ 277

Configuring auto-mode MFF in a ring network ································································································ 278

Configuring manual-mode MFF in a tree network ··························································································· 280

Configuring manual-mode MFF in a ring network ··························································································· 282

Configuring password control ································································································································ 284

FIPS compliance ··························································································································································· 286

Password control configuration task list ····················································································································· 286

Enabling password control ········································································································································· 287

Setting global password control parameters ············································································································ 288

Setting user group password control parameters ····································································································· 289

Setting local user password control parameters ······································································································· 290

Setting super password control parameters ·············································································································· 291

Setting a local user password in interactive mode ··································································································· 291

Displaying and maintaining password control ········································································································· 291

Password control configuration example ·················································································································· 292

Configuring FIPS······················································································································································ 295

Overview ······································································································································································· 295

FIPS self-tests ································································································································································· 295

Power-up self-test ················································································································································· 295

Conditional self-tests ············································································································································ 295

Triggering a self-test ············································································································································ 295

Configuring FIPS ··························································································································································· 296

Enabling the FIPS mode ······································································································································ 296

Displaying and maintaining FIPS ······························································································································· 297

FIPS configuration example········································································································································· 297

Configuring IPsec ···················································································································································· 299

IPsec overview ······························································································································································ 299

Implementing ACL-based IPsec ··································································································································· 302

Feature restrictions and guidelines ···················································································································· 302

ACL-based IPsec configuration task list ············································································································· 302

Configuring ACLs ················································································································································ 303

Configuring an IPsec transform set ···················································································································· 304

Configuring an IPsec policy ······························································································································· 305

vii