ONEPolicy Overview

The three primary benefits of using policy in your network are provisioning and control of network resources, security, and centralized operational efficiency. Policy provides for the provisioning and control of network resources by creating policy roles that allow you to determine network provisioning and control at the appropriate network layer, for a given user or device. With a role defined, rules can be created based upon up to 15 traffic classification types for traffic drop or forwarding. A CoS (Class of Service) can be associated with each role for purposes of setting priority, forwarding queue, rate limiting, and rate shaping.

Security can be enhanced by allowing only intended users and devices access to network protocols and capabilities. Some examples are:
  • Ensuring that only approved stations can use SNMP (Simple Network Management Protocol), preventing unauthorized stations from viewing, reading, and writing network management information
  • Preventing edge clients from attaching network services that are appropriately restricted to data centers and managed by the enterprise IT organization such as DHCP (Dynamic Host Configuration Protocol) and DNS services
  • Identifying and restricting routing to legitimate routing IP addresses to prevent DoS, spoofing, data integrity and other routing related security issues
  • Ensuring that FTP/TFTP file transfers and firmware upgrades only originate from authorized file and configuration management servers
  • Preventing clients from using legacy protocols

Extreme Management Center Policy Manager provides a centralized point and click configuration, and one click pushing of defined policy out to all network elements. Use Extreme Management Center Policy Manager for ease of initial configuration and response to security and provisioning issues that may come up during real-time network operation.

Note

Note

Any configurations which require the use of the first stage ACL/VLAN processor, do not operate when OnePolicy is enabled. This includes, but is not limited to, certain MPLS, PSTag, VXLAN, OAM/CFM, and OpenFlow configurations.
Note

Note

Configuration changes on existing policy mux entries (changing the policy profile for a convergence endpoint to 0 or a different value, disabling LLDP (Link Layer Discovery Protocol) or CDP, etc.) do not take effect until re-authorization. As a result, existing CEP connections remain active and FDB (forwarding database) is still learned on policy profile even though CDP/LLDP neighbor times out and show cdp neighbor {detail} and show lldp neighbors is empty. You can force re-authorization by clearing a CEP connection: configure policy convergence-endpoint clear ports [port_list | all].
Note

Note

IDM and ONEPolicy are not supported together and it is not recommended to enable both, since handling rule/role-based actions is not supported, except to support Kerberos Authentication with NAC as a RADIUS server and can be used in conjunction with IDM XML event triggers.
Note

Note

In ONEPolicy mode, when enabling NetLogin web-based, the following warning message appears when the port is not part of any default VLAN:
WARNING: The following netlogin enabled ports 1 are not part of any VLAN. The port has to be part of some VLAN for Web-Based netlogin to work.
For NetLogin web to work, the port must be part of a default VLAN.
Note

Note

On ExtremeSwitching X870 series switches, MLAGs do not operate when ONEPolicy is enabled, since MLAGs consume all ACL resources. To use MLAGs when ONEPolicy is enabled, use the profile-modifier feature to free up ACL resources from any specific policy profile (see Platform Rule Allocation).
Note

Note

Restarting the NetLogin process is not supported when policy is enabled. Doing so results in indeterminate behavior.
Note

Note

If Convergence End Point (CEP) (see Convergence End Point (CEP) Detection) is configured and you have multiple authentication types configured, failure of a higher priority authentication results in the lower priority authentication being used.
# show netlogin session
Multiple authentication session entries
---------------------------------------
Port            : 3:1         Station address   : bc:f1:f2:b4:e7:5e
Auth status     : failed      Last attempt      : Fri Nov  4 13:39:34 2016
Agent type      : dot1x       Session applied   : false
Server type     : radius      VLAN-Tunnel-Attr  : None
Policy index    : 0           Policy name       : No Policy applied
Session timeout : 0           Session duration  : 0:00:00
Idle timeout    : 300         Idle time         : 0:00:00
Auth-Override   : enabled     Termination time: Not Terminated

Port            : 3:1         Station address   : bc:f1:f2:b4:e7:5e
Auth status     : success     Last attempt      : Fri Nov  4 13:38:49 2016
Agent type      : cep         Session applied   : true
Server type     : local       VLAN-Tunnel-Attr  : None
Policy index    : 1           Policy name       : Tes1 (active)
Session timeout : 0           Session duration  : 0:04:16
Idle timeout    : 300         Idle time         : 0:00:00
Auth-Override   : enabled     Termination time: Not Terminated

# show policy convergence-endpoint connections ports all

Convergence End Point Connection Info for port 3:1
Endpoint Type    cisco
Policy Index     1
Discovery Time   Fri Nov  4 13:38:49 2016
Firmware Version
Address Type     1
Endpoint IP
Endpoint MAC     bc:f1:f2:b4:e7:5e