Security Configuration Guide, Cisco IOS XE Dublin 17.11.x (Catalyst 9600 Switches)

Restrictions for Interface Templates

Interface templates are not applicable for wireless sessions.
Remote storing and downloading of templates is not supported.
The same configuration cannot be used for port and interface template on the switch.

Information About Interface Templates

About Interface Templates

An interface template is a container of configurations or policies that can be applied to specific ports. When an interface template is applied to an access port, it impacts all traffic that is exchanged on the port.

There are two types of interface templates; user and builtin templates. Builtin templates are created by the system.

You can modify builtin templates. If you delete a modified builtin template the system restores the original definition of the template.

The following are the available builtin templates:

AP_INTERFACE_TEMPLATE (Access Point)
DMP_INTERFACE_TEMPLATE (Digital Media Player)
IP_CAMERA_INTERFACE_TEMPLATE
IP_PHONE_INTERFACE_TEMPLATE
LAP_INTERFACE_TEMPLATE (Lightweight Access Point)
MSP_CAMERA_INTERFACE_TEMPLATE
MSP_VC_INTERFACE_TEMPLATE (Video Conferencing)
PRINTER_INTERFACE_TEMPLATE
ROUTER_INTERFACE_TEMPLATE
SWITCH_INTERFACE_TEMPLATE
TP_INTERFACE_TEMPLATE (TelePresence)

Following is an example of a builtin interface template:

Template Name       : IP_CAMERA_INTERFACE_TEMPLATE
Modified            : No
Template Definition :
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport mode access
 switchport block unicast
 switchport port-security
 mls qos trust dscp
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
!

You can also create specific user templates with the commands that you want to include.

Note

The template name must not contain spaces.

You can create an interface template using the template command in global configuration mode. In template configuration mode, enter the required commands. The following commands can be entered in template configuration mode:


Command	Description
access-session	Configures access session specific interface commands.
authentication	Configures authentication manager Interface Configuration commands.
carrier-delay	Configures delay for interface transitions.
dampening	Enables event dampening.
default	Sets a command to its defaults.
description	Configures interface-specific description.
dot1x	Configures interface configuration commands for IEEE 802.1X.
hold-queue	Sets hold queue depth.
ip	Configures IP template.
keepalive	Enables keepalive.
load-interval	Specifies interval for load calculation for an interface.
mab	Configures MAC authentication bypass Interface.
mls	Enables multilayer switching configurations. This command is available on the following devices in template configuration mode: Cisco Catalyst 2960-S Series Switches Cisco Catalyst 2960-X Series Switches Cisco Industrial Ethernet 3000 Series Switches
peer	Configures peer parameters for point to point interfaces.
priority-queue	To set the priority-queue size for a template. This command is available on the following devices in template configuration mode: Cisco Catalyst 2960-S Series Switches Cisco Catalyst 2960-X Series Switches Cisco Industrial Ethernet 3000 Series Switches
queue-set	Configures the QoS queue set on a template. This command is available on the following devices in template configuration mode: Cisco Catalyst 2960-S Series Switches Cisco Catalyst 2960-X Series Switches Cisco Industrial Ethernet 3000 Series Switches
radius-server	Enables RADIUS server configurations. This command is available on the following devices in template configuration mode: Catalyst 4500E Supervisor Engine 7-E Catalyst 4500E Supervisor Engine 7L-E Catalyst 4500E Supervisor Engine 8-E Catalyst 4500-X Series Switches
service-policy	Configures CPL service policy.
source	Gets configurations from another source.
spanning-tree	Configures spanning tree subsystem
storm-control	Configures storm control.
subscriber	Configures subscriber inactivity timeout value.
switchport	Sets switching mode configurations
trust	Sets trust value for the interface.

Note

System builtin templates are not displayed in the running configuration. These templates show up in the running configuration only if you edit them.
The stateful switchover fails if access-session and swithcport mode access are both configured in an interface template. To avoid the switchover failure, configure the switchport mode access command on the interface, instead of in an interface template.
When you configure an interface template, it is recommended that you enter all the required dependent commands on the same template. It is not recommended to configure the dependent commands on two different templates.

Binding an Interface Template to a Target

Each template can be bound to a target. Template binding or sourcing can be either static or dynamic. Static binding of a template involves binding the template to a target, like an interface. Only one template can be bound at a time using static binding. Static binding of another template to the same target will unbind the previously bound template. To configure static binding, use the source template command in interface configuration mode.

Any number of templates can be bound dynamically to a target. To configure dynamic binding using builtin policy maps and parameter maps, enable the autoconf feature using the autoconf enable command.

Note

You can have statically and dynamically bind templates on the same interface at a time.

Priority for Configurations Using Interface Templates

Configuration applied through dynamically-bound templates has the highest priority, followed by configuration applied directly on the interface, and then configuration applied through statically-bound templates. When similar commands are present at different priority levels, the one at the highest priority is applied. If a configuration at a higher priority level is not applied, then the configuration with the next highest priority is applied to the target.

Multiple templates can be dynamically bound to a target. When multiple templates are dynamically bound, the template that is applied last has the highest priority.

To delete a template, you must remove the binding to all targets. If you bind a template that does not exist, a new template is created with no configurations.

Configuring Interface Templates

Perform the following task to create user interface templates:

Procedure

Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

template name

Example:


Device(config)# template user-template1

Creates a user template and enters template configuration mode.

Note

Builtin template are system-generated.

Step 4

load-interval interval

Example:


Device(config-template)# load-interval 60

Configures the sampling interval for statistics collections on the template.

Note

Builtin template are system-generated.

Step 5

description description

Example:


Device(config-template)# description This is a user template

Configures the description for the template.

Step 6

keepalive number

Example:


Device(config-template)# Keepalive 60

Configures the keepalive timer.

Step 7

end

Example:


Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Configuring Static Binding for Interface Templates

Procedure

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	interface `type` `number` Example: `Device(config)# interface GigabitEthernet 1/0/12`	Specifies the interface type and number and enters interface configuration mode.
Step 4	source template `name` Example: `Device(config-if)# source template user-template1`	Statically applies an interface template to a target.
Step 5	end Example: `Device(config-if)# end`	Exits interface configuration mode and returns to privileged EXEC mode.

Example

To verify static binding use the show running-config interface int-name and the show derived-config interface int-name commands.

Device# show running-config interface GigabitEthernet 1/0/12

Building configuration...

Current configuration : 71 bytes
!
interface GigabitEthernet1/0/12
source template user-template1
end

Device# show derived-config interface GigabitEthernet 1/0/12
Building configuration...

Derived configuration : 108 bytes
!
interface GigabitEthernet1/0/12
description This is a user template
load-interval 60
keepalive 60
end

Configuring Dynamic Binding of Interface Templates

Procedure

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	interface `type` `number` Example: `Device(config)# interface GigabitEthernet 4/0/1`	Specifies the interface type and number and enters interface configuration mode.
Step 4	service-policy type control subscriber `policymap-name` Example: `Device(config-if)# service-policy type control subscriber POLICY-Gi1/0/12`	Dynamically applies an interface template to a target.
Step 5	end Example: `Device(config-if)# end`	Exits interface configuration mode and returns to privileged EXEC mode.

Verifying an Interface Template

Use one or more of the commands listed below to verify the interface template configuration.

Procedure

Step 1	enable Example: `Device> enable` Enables privileged EXEC mode. Enter your password if prompted.
Step 2	show template interface all {all`\|`binding {`temp-name\|`all`\|`target `int-name`}`\|`brief } Shows all interface template configurations.
Step 3	show template interface source {built-in [original] `\|`user}{`temp-name\|`all}} Shows interface template source configurations.
Step 4	show template service{all`\|`binding target `int-name\|`brief `\|` source {aaa`\|`built-in`\|`user {temp-name`\|` all}} Shows all interface template service configurations.

Verifying Interface User Templates

Device# show template interface source user all
    Template Name : TEST-1
    Template Definition:   
    load-interval 60
    description TEST_1_TEMPLATE
    keepalive 200
			 !
    Template Name : TEST-2
    Template Definition:   
    load-interval 60
    description TEST-1_TEMPLATE
    keepalive 200

Device#  show template interface source built-in all

Building configuration...

Template Name : AP_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode trunk
switchport nonegotiate
service-policy input AutoConf-4.0-Trust-Cos-Input-Policy
service-policy output AutoConf-4.0-Output-Policy
!
Template Name : DMP_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport block unicast
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoConf-4.0-Trust-Dscp-Input-Policy
service-policy output AutoConf-4.0-Output-Policy
!
Template Name : IP_CAMERA_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport block unicast
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoConf-4.0-Trust-Dscp-Input-Policy
service-policy output AutoConf-4.0-Output-Policy
!
Template Name : IP_PHONE_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport block unicast
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoConf-4.0-CiscoPhone-Input-Policy
service-policy output AutoConf-4.0-Output-Policy
ip dhcp snooping limit rate 15
load-interval 30
!
Template Name : LAP_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport block unicast
switchport port-security violation protect
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 15
load-interval 30
! 
Template Name : MSP_CAMERA_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport block unicast
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
!
Template Name : MSP_VC_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
load-interval 30
!
Template Name : PRINTER_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport port-security maximum 2
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
load-interval 60
!
Template Name : ROUTER_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpduguard enable
service-policy input AutoConf-4.0-Trust-Cos-Input-Policy
service-policy output AutoConf-4.0-Output-Policy
!
Template Name : SWITCH_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode trunk
service-policy input AutoConf-4.0-Trust-Cos-Input-Policy
service-policy output AutoConf-4.0-Output-Policy
!
Template Name : TP_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoConf-4.0-Trust-Dscp-Input-Policy
service-policy output AutoConf-4.0-Output-Policy
ip dhcp snooping limit rate 15
load-interval 30
!
end

Device# show template interface source built-in all 

Building configuration...

Template Name       : AP_INTERFACE_TEMPLATE
Modified            : No
Template Definition :
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
!
Template Name       : DMP_INTERFACE_TEMPLATE
Modified            : No
Template Definition :
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport mode access
 switchport block unicast
 switchport port-security
 mls qos trust dscp
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
!
Template Name       : IP_CAMERA_INTERFACE_TEMPLATE
Modified            : No
Template Definition :
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport mode access
 switchport block unicast
 switchport port-security
 mls qos trust dscp
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
!
Template Name       : IP_PHONE_INTERFACE_TEMPLATE
Modified            : No
Template Definition :
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport mode access
 switchport block unicast
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security violation  restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 mls qos trust cos
 service-policy input AUTOCONF-SRND4-CISCOPHONE-POLICY
 ip dhcp snooping limit rate 15
 load-interval 30
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
!
Template Name       : LAP_INTERFACE_TEMPLATE
Modified            : No
Template Definition :
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport mode access
 switchport block unicast
 switchport port-security violation  protect
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 mls qos trust dscp
 ip dhcp snooping limit rate 15
 load-interval 30
 srr-queue bandwidth share 10 10 60 20
 priority-queue out 
!
Template Name       : MSP_CAMERA_INTERFACE_TEMPLATE
Modified            : No
Template Definition :
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport mode access
 switchport block unicast
 switchport port-security
!
Template Name       : MSP_VC_INTERFACE_TEMPLATE
Modified            : No
Template Definition :
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport mode access
 switchport block unicast
 switchport port-security violation  restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip dhcp snooping limit rate 15
 load-interval 30
!
Template Name       : PRINTER_INTERFACE_TEMPLATE
Modified            : No
Template Definition :
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 load-interval 60
!
Template Name       : ROUTER_INTERFACE_TEMPLATE
Modified            : No
Template Definition :
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
 switchport mode trunk
 mls qos trust dscp
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
!
Template Name       : SWITCH_INTERFACE_TEMPLATE
Modified            : No
Template Definition :
 switchport mode trunk
 mls qos trust cos
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
!
Template Name       : TP_INTERFACE_TEMPLATE
Modified            : No
Template Definition :
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport mode access
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security violation  restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 ip dhcp snooping limit rate 15
 load-interval 30
!
End

Device# show template interface binding all
    Template-name               Source      Method          Interface
    =============               ====      ==========      ==========
IP_PHONE_INTERFACE_TEMPLATE    Built-in    Dynamic        Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                          Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                          Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                          Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                          Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                          Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                          Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                          Gi1/0/22, Gi1/0/23, Gi1/0/24
                                                          Gi1/1/1, Gi1/1/2, Gi1/1/3
   
IP_PHONE_INTERFACE_TEMPLATE    Built-in     Static        Gi4/0/4

Device# show template interface binding target GigabitEthernet 1/0/4
 			Interface            Method       Source            Template     
    =========           ==========    =====             =========
    Gi1/0/4              Dynamic      built-in          IP_PHONE_INTERFACE_TEMPLATE 
                         Static       user              TEST
                         Dynamic      Modified-built-in TEST

Device# show template service all
 			  
    User-defined template:
    ====================== 

    Template Name      : SVC-1
    Template Definition:   
    vlan 100
    access-group acl1

    built-in template:
    ====================== 

    Template Name      : SVC-2
    Template Definition:   
    vlan 100
    access-group acl1

    aaa downloaded template:
    ==========================
    Template Name      : SVC-2
    Template Definition:   
    vlan 100
    access-group acl1

Device# show template binding target GigabitEthernet 1/0/4

  Interface Templates:
    Interface            method       Source            Template     
    =========           ==========    =====             =========
    Gi1/0/4              Dynamic      built-in          IP_PHONE_INTERFACE_TEMPLATE 
                         Static       user              TEST
                         Dynamic      Modified-built-in TEST
  Service Templates:
   Template            Source         Session-Mac      
   ========            ====           ================
   SVC1                user           aa-bb-cc-dd-ee-ff 
   SVC2                built-in       ab-ab-ab-ab-ab-ab
   SVC3                aaa            ac-ac-ac-ac-ac-ac

Example: Configuring User Interface Templates

Example: Configuring User Templates

Device# enable
Device (config)# configure terminal
Device(config)# template user-template1
Device(config-template)# load-interval 60
Device(config-template)# description This is a user template
Device(config-template)# Keepalive 60
Device(config)# end

Example: Sourcing Interface Templates

Device> enable
Device# configure terminal
Device(config)# interface fastethernet 4/0/0
Device(config-if)# source template user-template1
Device(config-if)# end

Example: Dynamically Binding Interface Templates

Device> enable
Device# configure terminal
Device(config)# interface GigabitEthernet 4/0/1
Device(config-if)# service-policy type control subscriber POLICY_Gi1/0/12
Device(config-if)# end

Feature Information for Interface Templates

This table provides release and related information for the features explained in this module.

These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.


Release	Feature Name	Feature Information
Cisco IOS XE Gibraltar 16.11.1	Interface Templates	An interface template provides a mechanism to configure multiple commands at the same time and associate it with a target such as an interface.
Cisco IOS XE Cupertino 17.7.1	Interface Templates	Support for this feature was introduced on the Cisco Catalyst 9600 Series Supervisor 2 Module (C9600X-SUP-2).

Bias-Free Language

Results

Chapter: Interface Templates

Interface Templates

Restrictions for Interface Templates

Information About Interface Templates

About Interface Templates

Binding an Interface Template to a Target

Priority for Configurations Using Interface Templates

Configuring Interface Templates

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Configuring Static Binding for Interface Templates

Procedure

Example:

Example:

Example:

Example:

Example:

Example

Configuring Dynamic Binding of Interface Templates

Procedure

Example:

Example:

Example:

Example:

Example:

Verifying an Interface Template

Procedure

Example:

Verifying Interface User Templates

Example: Configuring User Interface Templates

Example: Configuring User Templates

Example: Sourcing Interface Templates

Example: Dynamically Binding Interface Templates

Feature Information for Interface Templates

Was this Document Helpful?

Contact Cisco