The three primary benefits of using policy in your network are provisioning and control of network resources, security, and centralized operational efficiency. Policy provides for the provisioning and control of network resources by creating policy roles that allow you to determine network provisioning and control at the appropriate network layer, for a given user or device. With a role defined, rules can be created based upon up to 15 traffic classification types for traffic drop or forwarding. A CoS can be associated with each role for purposes of setting priority, forwarding queue, rate limiting, and rate shaping.
Note
Any configurations which require the use of the first stage ACL/VLAN processor, do not operate when OnePolicy is enabled. This includes, but is not limited to, certain MPLS, PSTag, VXLAN, and OAM/CFM configurations.Note
Configuration changes on existing policy mux entries (changing the policy profile for a convergence endpoint to 0 or a different value, disabling LLDP or CDP, etc.) do not take effect until re-authorization. As a result, existing CEP connections remain active and FDB is still learned on policy profile even though CDP/LLDP neighbor times out and show cdp neighbor {detail} and show lldp neighbors is empty. You can force re-authorization by clearing a CEP connection: configure policy convergence-endpoint clear ports [port_list | all].Note
IDM and ONEPolicy are not supported together and it is not recommended to enable both, since handling rule/role-based actions is not supported, except to support Kerberos Authentication with NAC as a RADIUS server and can be used in conjunction with IDM XML event triggers.Note
In ONEPolicy mode, when enabling NetLogin web-based, the following warning message appears when the port is not part of any default VLAN:WARNING: The following netlogin enabled ports 1 are not part of any VLAN. The port has to be part of some VLAN for Web-Based netlogin to work.For NetLogin web to work, the port must be part of a default VLAN.
Note
Restarting the NetLogin process is not supported when policy is enabled. Doing so results in indeterminate behavior.Note
If Convergence End Point (CEP) (see Convergence End Point (CEP) Detection) is configured and you have multiple authentication types configured, failure of a higher priority authentication results in the lower priority authentication being used.# show netlogin session Multiple authentication session entries --------------------------------------- Port : 3:1 Station address : bc:f1:f2:b4:e7:5e Auth status : failed Last attempt : Fri Nov 4 13:39:34 2016 Agent type : dot1x Session applied : false Server type : radius VLAN-Tunnel-Attr : None Policy index : 0 Policy name : No Policy applied Session timeout : 0 Session duration : 0:00:00 Idle timeout : 300 Idle time : 0:00:00 Auth-Override : enabled Termination time: Not Terminated Port : 3:1 Station address : bc:f1:f2:b4:e7:5e Auth status : success Last attempt : Fri Nov 4 13:38:49 2016 Agent type : cep Session applied : true Server type : local VLAN-Tunnel-Attr : None Policy index : 1 Policy name : Tes1 (active) Session timeout : 0 Session duration : 0:04:16 Idle timeout : 300 Idle time : 0:00:00 Auth-Override : enabled Termination time: Not Terminated # show policy convergence-endpoint connections ports all Convergence End Point Connection Info for port 3:1 Endpoint Type cisco Policy Index 1 Discovery Time Fri Nov 4 13:38:49 2016 Firmware Version Address Type 1 Endpoint IP Endpoint MAC bc:f1:f2:b4:e7:5e