Policies, Global Parameters And System Defaults - Cisco 300 Series Administration Manual

Security: IPV6 First Hop Security

Policies, Global Parameters and System Defaults

Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
A malicious host could send IPv6 messages, each with a different destination IPv6
address for last-hop forwarding, causing the Neighbor Discovery cache to overflow.
Protection is provided by a mechanism embedded in the NDP implementation, which
limits the number of entries allowed in the INCOMPLETE state in the Neighbor
Discovery cache.
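
The effect of such a limit can be seen in a small model. This is an added example, not Cisco's code or part of the original guide; the class name, the cap of 4, the drop-when-full behaviour and the sample addresses are assumptions made for illustration.

```python
INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"

class NeighborCache:
    """Toy Neighbor Discovery cache with a separate cap on INCOMPLETE entries."""

    def __init__(self, max_incomplete=4):      # cap value is an assumption
        self.max_incomplete = max_incomplete
        self.entries = {}                      # IPv6 address -> (state, link-layer address)
        self.dropped = 0                       # resolutions refused because the cap was hit

    def count(self, state):
        return sum(1 for s, _ in self.entries.values() if s == state)

    def forward_to(self, addr):
        """A packet needs last-hop forwarding to addr; return True if it is handled."""
        if addr in self.entries:
            return True                        # resolved, or resolution already pending
        if self.count(INCOMPLETE) >= self.max_incomplete:
            self.dropped += 1                  # refuse to create another pending entry
            return False
        self.entries[addr] = (INCOMPLETE, None)  # a Neighbor Solicitation would be sent here
        return True

    def neighbor_advertisement(self, addr, lladdr):
        """A Neighbor Advertisement answers a pending solicitation."""
        if self.entries.get(addr, (None, None))[0] == INCOMPLETE:
            self.entries[addr] = (REACHABLE, lladdr)

    def expire_incomplete(self):
        """Resolution timed out: discard every entry still INCOMPLETE."""
        for addr in [a for a, (s, _) in self.entries.items() if s == INCOMPLETE]:
            del self.entries[addr]

def simulate_flood(cache, n=1000):
    # Constructed input: two real neighbours, then n packets to unused addresses.
    neighbours = (("2001:db8::10", "00:00:5e:00:53:10"), ("2001:db8::11", "00:00:5e:00:53:11"))
    for host, mac in neighbours:
        cache.forward_to(host)
        cache.neighbor_advertisement(host, mac)
    for i in range(n):
        cache.forward_to(f"2001:db8::dead:{i:x}")
    return cache.count(REACHABLE), cache.count(INCOMPLETE), cache.dropped
```

With the cap in place the pending entries never exceed 4 however many unused destinations are tried, and the two resolved neighbours stay in the cache.
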
Each feature of FHS can be enabled or disabled individually. No feature is enabled
by default.
Features must initially be enabled on specific VLANs. When you enable the
feature, you can also define global configuration values for that feature's rules of
verification. If you do not define a policy that contains different values for these
verification rules, the global values are used to apply the feature to packets.

Policies

Policies contain the rules of verification that are performed on input packets. They
can be attached to VLANs and also to ports and LAGs. If the feature is not enabled
on a VLAN, the policies have no effect.
Policies can be user-defined or default policies (see below).

Default Policies

Empty default policies exist for each FHS feature and are by default attached to all
VLANs and interfaces. The default policies are named "vlan_default" and
"port_default" (for each feature):
• Rules can be added to these default policies. You cannot manually attach
  default policies to interfaces. They are attached by default.
• Default policies can never be deleted. You can only delete the user-added
  configuration.

User-Defined Policies

You can define policies other than the default policies.