ONEPolicy Overview

The three primary benefits of using policy in your network are provisioning and control of network resources, security, and centralized operational efficiency. Policy provides for the provisioning and control of network resources by creating policy roles that allow you to determine network provisioning and control at the appropriate network layer, for a given user or device. With a role defined, rules can be created based upon up to 15 traffic classification types for traffic drop or forwarding. A CoS can be associated with each role for purposes of setting priority, forwarding queue, rate limiting, and rate shaping.

Security can be enhanced by allowing only intended users and devices access to network protocols and capabilities. Some examples are:
Note

Note

Any configurations which require the use of the first stage ACL/VLAN processor, do not operate when OnePolicy is enabled. This includes, but is not limited to, certain MPLS, PSTag, VXLAN, and OAM/CFM configurations.
Note

Note

Configuration changes on existing policy mux entries (changing the policy profile for a convergence endpoint to 0 or a different value, disabling LLDP or CDP, etc.) do not take effect until re-authorization. As a result, existing CEP connections remain active and FDB is still learned on policy profile even though CDP/LLDP neighbor times out and show cdp neighbor {detail} and show lldp neighbors is empty. You can force re-authorization by clearing a CEP connection: configure policy convergence-endpoint clear ports [port_list | all].
Note

Note

IDM and ONEPolicy are not supported together and it is not recommended to enable both, since handling rule/role-based actions is not supported, except to support Kerberos Authentication with NAC as a RADIUS server and can be used in conjunction with IDM XML event triggers.
Note

Note

In ONEPolicy mode, when enabling NetLogin web-based, the following warning message appears when the port is not part of any default VLAN:
WARNING: The following netlogin enabled ports 1 are not part of any VLAN. The port has to be part of some VLAN for Web-Based netlogin to work.
For NetLogin web to work, the port must be part of a default VLAN.
Note

Note

Restarting the NetLogin process is not supported when policy is enabled. Doing so results in indeterminate behavior.
Note

Note

If Convergence End Point (CEP) (see Convergence End Point (CEP) Detection) is configured and you have multiple authentication types configured, failure of a higher priority authentication results in the lower priority authentication being used.
# show netlogin session
Multiple authentication session entries
---------------------------------------
Port            : 3:1         Station address   : bc:f1:f2:b4:e7:5e
Auth status     : failed      Last attempt      : Fri Nov  4 13:39:34 2016
Agent type      : dot1x       Session applied   : false
Server type     : radius      VLAN-Tunnel-Attr  : None
Policy index    : 0           Policy name       : No Policy applied
Session timeout : 0           Session duration  : 0:00:00
Idle timeout    : 300         Idle time         : 0:00:00
Auth-Override   : enabled     Termination time: Not Terminated

Port            : 3:1         Station address   : bc:f1:f2:b4:e7:5e
Auth status     : success     Last attempt      : Fri Nov  4 13:38:49 2016
Agent type      : cep         Session applied   : true
Server type     : local       VLAN-Tunnel-Attr  : None
Policy index    : 1           Policy name       : Tes1 (active)
Session timeout : 0           Session duration  : 0:04:16
Idle timeout    : 300         Idle time         : 0:00:00
Auth-Override   : enabled     Termination time: Not Terminated

# show policy convergence-endpoint connections ports all

Convergence End Point Connection Info for port 3:1
Endpoint Type    cisco
Policy Index     1
Discovery Time   Fri Nov  4 13:38:49 2016
Firmware Version
Address Type     1
Endpoint IP
Endpoint MAC     bc:f1:f2:b4:e7:5e