25
OL-32830-01 Command Line Interface Reference Guide 484
IPv6 First Hop Security
25.0
Policies
Policies contain the rules of verification that will be performed on input packets.
They can be attached to VLANs and/or port (Ethernet port or port channel).
The final set of rules that is applied to an input packet on a port is built in the
following way:
1. The rules configured in policies attached to the port on the VLAN on which the
packet arrived are added to the set.
1. The rules configured in the policy attached to the VLAN are added to the set if they have not been
added at the port level.
2. The global rules are added to the set if they have not been added at the VLAN or port level.
Rules defined at the port level override the rules set at the VLAN level. Rules
defined at the VLAN level override the globally-configured rules. The
globally-configured rules override the system defaults.
You can only attach 1 policy (for a specific sub-feature) to a VLAN.
You can attach multiple policies (for a specific sub-feature) to a port if they specify
different VLANs.
A sub-feature policy does not take effect until:
• IPv6 First Hop Security is enabled on the VLAN
• The sub-feature is enabled on the VLAN
• The policy is attached to the VLAN or port
Default Policies
Empty default polices exist for each sub-feature and are by default attached to all
VLANs and ports. The default policies are named: "vlan_default" and "port_default":
Rules can be added to these default policies. You do not have to manually attach
default policies to ports. They are attached by default.
When a user-defined policy is attached to a port the default policy for that port is
detached. If the user-define policy is detached from the port, the default policy is
reattached.
To Next Page
Need help?
General
