Owner's Manual
After you enable OF on a port, all packets received on the port that do not match ingress forwarding
criteria (unknown packets) are sent to the controller. The controller processes these packets using OF
and programs the forwarding database (FDB) entries using the flow configuration messages. Each packet
received is processed by the controller in stages, where each stage performs a different function. This is
referred to as the “ingress pipeline.” For example, if the ingress packet is a link layer discovery protocol
(LLDP) packet, the software uses it for topology mapping.
Policies
A policy is one or more rules that define the operation of a tenant, switch, link, network, host, or network
connection. Each policy has three sections:
• the policy header that provides the policy ID, name, provider ID, and tenant ID
• the rule section that identifies the unique rule name and match criteria that specifies the resource
• the action section that defines the action (permit, block, or redirect) for traffic from the resource that
meets the match criteria
The action and policy header information is defined when you create the policy. The rule section is
defined when you associate a policy with a resource.
Important Points to Remember
• Use the GUI or REST APIs to create and configure policies.
• Policies are managed by a provider or a tenant.
• Associate policies with a network or an end point.
• To enable a policy, create the policy and apply a rule to it. To apply multiple rules for an endpoint or
network, create multiple policies and associate them with the resource.
• You can apply a provider policy to provider resources and a tenant.
• If you apply a policy to a tenant, it applies to all of the tenant’s networks as well.
• When associating the policy, you can specify a list of resources, such as a list of endpoints or
networks.
• Policy rules use the flow-mod OF message type. Each flow-mod message is associated with a
priority that you use to program the content addressable memory (CAM) entries on the switch. The
first rule with a host identity tag (HIT) has the highest priority within a logical group.
• A policy does not have an associated priority by default.
• Endpoint policies have a higher priority than network policies. For example, if you define a policy that
drops any traffic from a specified endpoint and then define another policy that directs traffic from a
network to a quality of service (QoS) profile, traffic received from the endpoint is dropped.
• Policies can only have one rule.
• You must specify the policy priority when associating a policy with a resource.
• The policy priority range is from 1 to 1023.
• If you create a network policy, the flow-mod messages for the rules in the policy are updated to
include the network’s VLAN ID in the match criteria.
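Worked example, added here and not part of the Active Fabric documentation: a small model of how a policy (header, single rule, action) is compiled into a flow-mod-style entry, how a network policy picks up the network's VLAN ID in its match, and why the endpoint drop policy from the bullet above wins over a network QoS policy. The tiered priority encoding, field names and sample addresses are assumptions of this illustration, not the controller's real format.

```python
"""Constructed model of policy-to-flow-mod compilation; not Active Fabric Controller code."""
from dataclasses import dataclass
from typing import Optional

PRIORITY_MIN, PRIORITY_MAX = 1, 1023            # policy priority range from the manual
ACTIONS = {"permit", "block", "redirect"}
SCOPE_TIER = {"endpoint": 1, "network": 0}       # assumption: endpoint band above network band


@dataclass
class Policy:
    policy_id: str          # policy header: ID, name, provider ID, tenant ID
    name: str
    provider_id: str
    tenant_id: str
    rule_name: str          # rule section: one rule only
    match: dict             # match criteria, e.g. {"eth_src": "..."}
    action: str             # action section: permit | block | redirect
    redirect_to: Optional[str] = None


def compile_flow_mod(policy, scope, priority, vlan_id=None):
    """Build the flow-mod-like entry produced when `policy` is associated with a resource."""
    if policy.action not in ACTIONS:
        raise ValueError(f"unknown action {policy.action!r}")
    if not PRIORITY_MIN <= priority <= PRIORITY_MAX:   # priority is given at association time
        raise ValueError(f"priority {priority} outside {PRIORITY_MIN}..{PRIORITY_MAX}")
    match = dict(policy.match)
    if scope == "network":
        if vlan_id is None:
            raise ValueError("a network policy needs the network's VLAN ID")
        match["vlan_vid"] = vlan_id                     # network rules gain the VLAN ID in the match
    # Assumed encoding: every endpoint entry outranks every network entry.
    effective = SCOPE_TIER[scope] * (PRIORITY_MAX + 1) + priority
    return {"policy_id": policy.policy_id, "rule": policy.rule_name, "match": match,
            "priority": effective, "action": policy.action, "redirect_to": policy.redirect_to}


def lookup(flow_table, packet):
    """Highest-priority entry whose match fields all equal the packet's fields (CAM-style)."""
    hits = [f for f in flow_table if all(packet.get(k) == v for k, v in f["match"].items())]
    return max(hits, key=lambda f: f["priority"]) if hits else None


# Constructed sample: block one endpoint, redirect the rest of VLAN 10 to a QoS profile.
drop_host = Policy("p1", "drop-host", "prov1", "tenantA", "r1", {"eth_src": "00:11:22:33:44:55"}, "block")
qos_net = Policy("p2", "qos-net", "prov1", "tenantA", "r2", {}, "redirect", redirect_to="qos-gold")
FLOW_TABLE = [compile_flow_mod(drop_host, "endpoint", priority=100),
              compile_flow_mod(qos_net, "network", priority=900, vlan_id=10)]


def decide(packet):
    entry = lookup(FLOW_TABLE, packet)
    return entry["action"] if entry else "to-controller"   # unknown packets go to the controller
```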
Policy Configuration and Types
You can configure the following policy types and behaviors:
• Network
• Endpoint
14
Active Fabric Features