Configuration procedure ································································································································ 456

Displaying and maintaining IPv6 uRPF ·········································································································· 456

IPv6 uRPF configuration example ················································································································· 456

Configuring FIPS ························································································· 458

Overview ························································································································································ 458

Configuration restrictions and guidelines ······································································································· 458

Configuring FIPS mode ·································································································································· 459

Entering FIPS mode ······························································································································· 459

Configuration changes in FIPS mode ···································································································· 460

Exiting FIPS mode ································································································································· 461

FIPS self-tests ················································································································································ 461

Power-up self-tests ································································································································ 462

Conditional self-tests ······························································································································ 462

Triggering self-tests ································································································································ 463

Displaying and maintaining FIPS ··················································································································· 463

FIPS configuration examples ························································································································· 463

Entering FIPS mode through automatic reboot ······················································································ 463

Entering FIPS mode through manual reboot ·························································································· 464

Exiting FIPS mode through automatic reboot ························································································ 466

Exiting FIPS mode through manual reboot ···························································································· 466

Configuring attack detection and prevention ··············································· 468

Attacks that the device can prevent ··············································································································· 468

Single-packet attacks ····························································································································· 468

Scanning attacks ···································································································································· 469

Flood attacks ·········································································································································· 470

TCP fragment attack ······························································································································ 471

Login DoS attack ···································································································································· 471

Login dictionary attack ··························································································································· 471

Blacklist feature ·············································································································································· 471

Attack detection and prevention configuration task list ·················································································· 472

Configuring an attack defense policy ············································································································· 472

Creating an attack defense policy ·········································································································· 472

Configuring a single-packet attack defense policy ················································································· 472

Configuring a scanning attack defense policy ························································································ 474

Configuring a flood attack defense policy ······························································································ 474

Configuring attack detection exemption ································································································· 479

Applying an attack defense policy to an interface ·················································································· 479

Applying an attack defense policy to the device ···················································································· 480

Enabling log non-aggregation for single-packet attack events ······························································· 480

Configuring TCP fragment attack prevention ································································································· 481

Configuring the IP blacklist feature ················································································································ 481

Configuring login attack prevention ················································································································ 482

Enabling the login delay ································································································································· 482

Displaying and maintaining attack detection and prevention ········································································· 483

Attack detection and prevention configuration examples ··············································································· 485

Interface-based attack detection and prevention configuration example ··············································· 485

IP blacklist configuration example ·········································································································· 488

Configuring MACsec ··················································································· 490

Basic concepts ······································································································································· 490

MACsec services ··································································································································· 490

MACsec applications ······························································································································ 491

MACsec operating mechanism ·············································································································· 491

Protocols and standards ························································································································ 493

Feature and hardware compatibility ··············································································································· 493

General restrictions and guidelines ················································································································ 493

MACsec configuration task list ······················································································································· 494

Enabling MKA ················································································································································ 494

Table of Contents