Every port is creating a "policy-map type control subscriber" command

BruteForce
Level 1

Hello, I'm trying to apply some policy maps on a 9300 stack on version 17.12.04 of IOS for shaping DOT1X traffic. 

As it is right now, every port (interface GigabitEthernet1/0/1) has its own authentication commands: authentication priority dot1x mab, authentication port-control auto, etc. I would like for these ports instead to have a 'source template MYTEMPLATE' on them.

My understanding is by first building class-maps, then policy-maps, then templates, then applying templates to ports, I should be able to achieve my goal. However, my BIG PROBLEM is that when I enter my commands, I get the following prompt from the switch.

"This operation will permanently convert all relevant authentication commands to their CPL control-policy equivalents. As this Catalyst 9000 conversion is irreversible and will disable the conversion CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your current configuration before proceeding.
Do you wish to continue? [yes]: "

If I choose yes and continue, EVERY port on the switch gets its own policy-map with all the policy-map rules inside of them. As you can imagine, this makes going through the running config of a stacked switch a nightmare. To reiterate, "interface GigabitEthernet1/0/1" exists with its commands, but an additional config exists called "policy-map type control subscriber POLICY_Gi1/0/1", and all the policy-map rules are repeated within for every single port. 

I've tried first creating the class-maps, then tried the policy maps, then tried creating the templates, but I still get the Cisco warning above. The only way to get rid of these individual policies is by reloading the switch; even archiving won't roll them back. What order am I supposed to enter these commands in?

This topic is not my expertise and I hope I was able to explain my issue. I was having trouble finding similar issues online. 

Accepted Solution

AshSe
VIP

Hey @BruteForce 

The issue you're encountering is related to the transition from legacy authentication commands to the newer Control Policy Language (CPL) framework on Catalyst 9000 switches. This transition is irreversible once you confirm the prompt, and it results in the behavior you're describing, where each interface gets its own policy-map, making the configuration difficult to manage.

To avoid this issue and achieve your goal of applying a single source template to your interfaces without creating individual policy-maps for each port, you need to carefully plan the configuration process. Here's the correct order and approach to achieve your desired outcome:


1. Create Class-Maps

Define the traffic classes you want to match. For example, if you're shaping DOT1X traffic, you can create a class-map to match that traffic.

    class-map match-any DOT1X-TRAFFIC
     match protocol dot1x

2. Create Policy-Maps

Define the policy-map that applies actions (e.g., shaping, policing) to the traffic matched by the class-map.

    policy-map type control subscriber MY_POLICY
     class DOT1X-TRAFFIC
      police rate 1000000 bps

3. Create a Template

Define a template that includes the policy-map and other desired configurations. This template will be applied to the interfaces.

    template MYTEMPLATE
     ! a template attaches an existing control policy with service-policy;
     ! the policy-map itself is defined globally (step 2), not inside the template
     service-policy type control subscriber MY_POLICY
     authentication priority dot1x mab
     authentication port-control auto

4. Apply the Template to Interfaces

Apply the template to the desired interfaces using the source template command.

    interface range GigabitEthernet1/0/1 - 48
     source template MYTEMPLATE

5. Avoid the Automatic Conversion

The key to avoiding the automatic conversion of legacy authentication commands to CPL equivalents (and the creation of individual policy-maps for each interface) is to remove the legacy authentication commands from the interfaces before applying the template. If the legacy commands are present, the switch will attempt to convert them, resulting in the behavior you're trying to avoid.

Steps to Remove Legacy Commands:

  • Remove the legacy authentication commands from all interfaces:
    interface range GigabitEthernet1/0/1 - 48
     no authentication priority dot1x mab
     no authentication port-control auto
  • Save the configuration:
    write memory

6. Apply the Template

After removing the legacy commands, apply the source template to the interfaces as shown in Step 4. Since there are no legacy commands to convert, the switch will not prompt you with the irreversible conversion warning, and the configuration will remain clean.


7. Verify the Configuration

Check the configuration to ensure the template is applied correctly and no individual policy-maps were created for each interface.

    show running-config

You should see the source template MYTEMPLATE applied to the interfaces without any additional per-interface policy-maps.


Key Notes:

  • The irreversible conversion warning occurs because the switch detects legacy authentication commands on the interfaces. By removing these commands first, you prevent the switch from attempting the conversion.
  • Always back up your configuration before making significant changes.
  • If the switch has already performed the conversion, the only way to revert is to reload the switch with a previously saved configuration.

Hope This Helps!!!

AshSe


Community Etiquette: 

  1. Insert photos/images inline - don't attach.
  2. Always mark helpful and correct answers, it helps others find what they need.
  3. For a prompt reply, kindly tag @name. An email will be automatically sent to the member.

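The verification in step 7 is easier on a 48-port stack if a script does the reading. The following audit is an added example for this thread, not code from the thread or from Cisco: it parses a constructed `show running-config` fragment, lists any auto-generated `POLICY_<interface>` control policies, lists the interfaces that still carry legacy `authentication ...` commands (the lines step 5 says to remove before the template is applied), and emits the matching `no ...` commands. The function names, the sample config and the new-style `access-session` commands inside the sample template are my assumptions, not taken from the answer above.

```python
"""Audit a Catalyst 9000 running-config for per-port CPL conversion leftovers.

Hypothetical helper for this thread; not Cisco tooling.  Reports auto-generated
POLICY_<intf> control policies, interfaces still on legacy `authentication`
commands, interfaces already on a template, and the `no ...` remediation lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample of `show running-config` output (not real device output).
# Gi1/0/1 shows the converted state, Gi1/0/2 still carries legacy commands,
# Gi1/0/3 is already on the template.  The template body uses new-style
# access-session commands as an assumption, not the thread's own template.
SAMPLE_CONFIG = """\
policy-map type control subscriber POLICY_Gi1/0/1
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
!
template MYTEMPLATE
 dot1x pae authenticator
 mab
 access-session port-control auto
 service-policy type control subscriber MY_POLICY
!
interface GigabitEthernet1/0/1
 access-session port-control auto
 service-policy type control subscriber POLICY_Gi1/0/1
!
interface GigabitEthernet1/0/2
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 source template MYTEMPLATE
!
"""

INTERFACE = re.compile(r"^interface (\S+)")
AUTOGEN_POLICY = re.compile(r"^policy-map type control subscriber (POLICY_\S+)")
LEGACY_AUTH = re.compile(r"^\s*authentication\s+\S")  # legacy-style auth commands
SOURCE_TEMPLATE = re.compile(r"^\s*source template (\S+)")
PER_PORT_SP = re.compile(r"^\s*service-policy type control subscriber (POLICY_\S+)")


@dataclass
class Audit:
    autogen_policies: list[str] = field(default_factory=list)
    legacy_interfaces: dict[str, list[str]] = field(default_factory=dict)
    templated_interfaces: dict[str, str] = field(default_factory=dict)
    per_port_service_policy: dict[str, str] = field(default_factory=dict)


def parse_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Split IOS config into top-level (header, child lines); children are space-indented."""
    blocks: list[tuple[str, list[str]]] = []
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank lines and `!` separators carry no config
        if not line.startswith(" "):
            if header is not None:
                blocks.append((header, body))
            header, body = line, []
        else:
            body.append(line)
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit_config(config: str) -> Audit:
    """Classify control policies and interfaces found in the running-config."""
    result = Audit()
    for header, body in parse_blocks(config):
        if m := AUTOGEN_POLICY.match(header):
            result.autogen_policies.append(m.group(1))
            continue
        if not (m := INTERFACE.match(header)):
            continue
        intf = m.group(1)
        for line in body:
            if LEGACY_AUTH.match(line):
                result.legacy_interfaces.setdefault(intf, []).append(line.strip())
            elif t := SOURCE_TEMPLATE.match(line):
                result.templated_interfaces[intf] = t.group(1)
            elif sp := PER_PORT_SP.match(line):
                result.per_port_service_policy[intf] = sp.group(1)
    return result


def remediation_commands(audit: Audit) -> list[str]:
    """`no ...` lines that clear legacy auth commands, as in step 5 of the answer."""
    out: list[str] = []
    for intf, cmds in audit.legacy_interfaces.items():
        out.append(f"interface {intf}")
        out.extend(f" no {cmd}" for cmd in cmds)
    return out


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    print("auto-generated per-port policies:", report.autogen_policies)
    print("interfaces still on legacy auth:", sorted(report.legacy_interfaces))
    print("\n".join(remediation_commands(report)))
```

Run it against a saved `show running-config` instead of the sample by reading the file into `audit_config`; an empty `autogen_policies` list together with every access port in `templated_interfaces` is the clean state the answer describes, while a non-empty `legacy_interfaces` means the conversion prompt will still fire.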

2 Replies

Thank you very much for the help! I did not think to remove the legacy commands from the ports first. I went through many reloads trying to figure this out.