The three primary benefits of using policy in your network are provisioning and control of network resources, security, and centralized operational efficiency. Policy provides for the provisioning and control of network resources by creating policy roles that allow you to determine network provisioning and control at the appropriate network layer, for a given user or device. With a role defined, rules can be created based upon up to 15 traffic classification types for traffic drop or forwarding. A CoS (Class of Service) can be associated with each role for purposes of setting priority, forwarding queue, rate limiting, and rate shaping.
Extreme Management Center Policy Manager provides a centralized point and click configuration, and one click pushing of defined policy out to all network elements. Use Extreme Management Center Policy Manager for ease of initial configuration and response to security and provisioning issues that may come up during real-time network operation.
Note
When OnePolicy is enabled, certain MPLS (Multiprotocol Label Switching), PSTag, VXLAN, and OpenFlow configurations may not operate.
Note
Configuration changes on existing policy mux entries (changing the policy profile for a convergence endpoint to 0 or to a different value, disabling LLDP (Link Layer Discovery Protocol) or CDP, and so on) do not take effect until re-authorization. As a result, existing CEP connections remain active and the FDB (forwarding database) is still learned on the policy profile even though the CDP/LLDP neighbor times out and the output of show cdp neighbor {detail} and show lldp neighbors is empty. You can force re-authorization by clearing a CEP connection: configure policy convergence-endpoint clear ports [port_list | all].
Note
IDM and ONEPolicy are not supported together, and enabling both is not recommended, because handling rule/role-based actions is not supported. The exception is Kerberos authentication with NAC as a RADIUS server, which can be used in conjunction with IDM XML event triggers.
Note
In ONEPolicy mode, when enabling Netlogin MAC/web-based, the following warning message appears if the port is not part of any default VLAN:
WARNING: The following netlogin enabled ports 1 are not part of any VLAN. The port has to be part of some VLAN for MAC and Web-Based netlogin to work.
For Netlogin MAC and web-based authentication to work, the port must be part of a default VLAN.
Note
If you configure multiple authentication types, failure of a higher priority authentication results in the lower priority authentication being used.

Slot-2 Stack.45 # show netlogin session
Multiple authentication session entries
---------------------------------------
Port             : 3:1
Station address  : bc:f1:f2:b4:e7:5e
Auth status      : failed
Last attempt     : Fri Nov 4 13:39:34 2016
Agent type       : dot1x
Session applied  : false
Server type      : radius
VLAN-Tunnel-Attr : None
Policy index     : 0
Policy name      : No Policy applied
Session timeout  : 0
Session duration : 0:00:00
Idle timeout     : 300
Idle time        : 0:00:00
Termination time : Not Terminated

Port             : 3:1
Station address  : bc:f1:f2:b4:e7:5e
Auth status      : success
Last attempt     : Fri Nov 4 13:38:49 2016
Agent type       : cep
Session applied  : true
Server type      : local
VLAN-Tunnel-Attr : None
Policy index     : 1
Policy name      : Tes1 (active)
Session timeout  : 0
Session duration : 0:04:16
Idle timeout     : 300
Idle time        : 0:00:00
Termination time : Not Terminated

# show policy convergence-endpoint connections ports all
Convergence End Point Connection Info for port 3:1
Endpoint Type      cisco
Policy Index       1
Discovery Time     Fri Nov 4 13:38:49 2016
Firmware Version
Address Type       1
Endpoint IP
Endpoint MAC       bc:f1:f2:b4:e7:5e
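As an added example (not part of the Extreme documentation), the following Python parser reads a show netlogin session listing and flags stations where a higher priority agent failed but a lower priority agent's session was applied anyway, so an operator can audit such fallbacks rather than discover them by chance. The sample listing is constructed from the session shown above, and the "Field : value" layout is assumed to be stable.

```python
import re

# Constructed sample, modelled on the "show netlogin session" listing above.
SAMPLE = """\
Port            : 3:1
Station address : bc:f1:f2:b4:e7:5e
Auth status     : failed
Last attempt    : Fri Nov 4 13:39:34 2016
Agent type      : dot1x
Session applied : false
Policy name     : No Policy applied

Port            : 3:1
Station address : bc:f1:f2:b4:e7:5e
Auth status     : success
Last attempt    : Fri Nov 4 13:38:49 2016
Agent type      : cep
Session applied : true
Policy name     : Tes1 (active)
"""

# "Field name : value"; the key stops at the first colon, so timestamps and MACs survive.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(.*?)\s*$")

def parse_sessions(text):
    """One dict per entry; any non-field line (blank, header, dashes) closes the entry."""
    sessions, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m is None:
            if current:
                sessions.append(current)
            current = {}
            continue
        current[m.group(1).lower()] = m.group(2)
    if current:
        sessions.append(current)
    return sessions

def fallback_sessions(sessions):
    """(port, mac, failed_agent, applied_agent) for stations where one agent failed but another's session was applied."""
    by_station = {}
    for s in sessions:
        by_station.setdefault((s.get("port"), s.get("station address")), []).append(s)
    hits = []
    for (port, mac), entries in by_station.items():
        failed = {e["agent type"] for e in entries if e.get("auth status") == "failed"}
        applied = {e["agent type"] for e in entries if e.get("session applied") == "true"}
        hits += [(port, mac, f, a) for f in failed for a in applied if f != a]
    return sorted(hits)
```

Feed it the output of show netlogin session from the switch; an empty result means every applied session belongs to an agent that did not also fail for that station.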