Configuring Interface Templates

The following sections provide information about Interface Templates and how to configure and bind Interface Templates to a target:

Restrictions for Interface Templates

  • Remote storing and downloading of templates is not supported.

  • To dynamically bind an interface template, the interface template with the same name as referred by AAA Authorization has to be configured on the device.

  • Source template configurations are not supported on port channel interface.

  • ASP macro and Autoconf are not recommended to be used on the same interface at the same time.

Information About Interface Templates

This section describes an interface template, its types and usage.

Interface Template Overview

An interface template is a container of configurations or policies that can be applied to specific ports. When an interface template is applied to an access port, it impacts all traffic that is exchanged on the port.

There are two types of interface templates; user and builtin templates. Builtin templates are created by the system.

You can modify builtin templates. If you delete a modified builtin template, the system restores the original definition of the template.

The following are the available builtin templates:

  • AP_INTERFACE_TEMPLATE (Access Point)

  • DMP_INTERFACE_TEMPLATE (Digital Media Player)

  • IP_CAMERA_INTERFACE_TEMPLATE

  • IP_PHONE_INTERFACE_TEMPLATE

  • LAP_INTERFACE_TEMPLATE (Lightweight Access Point)

  • MSP_CAMERA_INTERFACE_TEMPLATE

  • MSP_VC_INTERFACE_TEMPLATE (Video Conferencing)

  • PRINTER_INTERFACE_TEMPLATE

  • ROUTER_INTERFACE_TEMPLATE

  • SWITCH_INTERFACE_TEMPLATE

  • TP_INTERFACE_TEMPLATE (TelePresence)

Following is an example of a builtin interface template: 

Template Name       : IP_CAMERA_INTERFACE_TEMPLATE
Modified            : No
Template Definition :
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport mode access
 switchport block unicast
 switchport port-security
 mls qos trust dscp
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
!

You can also create specific user templates with the commands that you want to include.


Note

The template name must not contain spaces.

You can create an interface template using the template command in global configuration mode. In template configuration mode, enter the required commands. The following commands can be entered in template configuration mode:

Command Description
access-session

Configures access session-specific interface commands.

This is applicable to Identity-Based Networking Services (IBNS) 2.0
authentication

Configures authentication manager Interface Configuration commands.

This is applicable to IBNS1.0
carrier-delay

Configures delay for interface transitions.

default

Sets a command to its defaults.

description

Configures interface-specific description.

dot1x

Configures interface configuration commands for IEEE 802.1X.

ip

Configures IP template.

keepalive

Enables keepalive.

load-interval

Specifies interval for load calculation for an interface.

mab

Configures MAC authentication bypass Interface.

peer

Configures peer parameters for point to point interfaces.

service-policy

Configures CPL service policy.

source

Gets configurations from another source.

spanning-tree

Configures spanning tree subsystem

storm-control

Configures storm control.

subscriber

Configures subscriber inactivity timeout value.

switchport

Sets switching mode configurations


Note

System builtin templates aren’t displayed in the running configuration. These templates show up in the running configuration only if you edit them.

Binding an Interface Template to a Target

Each template can be bound to a target, like an interface or a sub-interface. A template can be attached to a target either statically or dynamically. Static binding of a template involves binding the template to a target, like an interface. Only one template can be bound at a time using static binding. Static binding of another template to the same target will unbind the previously bound template. To configure static binding, use the source template command in interface configuration mode.

Any number of templates can be bound dynamically to a target. To configure dynamic binding using builtin policy maps and parameter maps, enable the Autoconf feature using the autoconf enable command.


Note

You can have statically and dynamically bound templates on the same interface at a time.

Priority for Configurations Using Interface Templates

Configuration applied through dynamically-bound templates has the highest priority, followed by configuration applied directly on the interface, and then configuration applied through statically-bound templates. When similar commands are present at different priority levels, the one at the highest priority is applied. If a configuration at a higher priority level is not applied, then the configuration with the next highest priority is applied to the target.

Multiple templates can be dynamically bound to a target. When multiple templates are dynamically bound, the template that is applied last has the highest priority.

To delete a template, you must remove the binding to all targets. If you bind a template that does not exist, a new template is created with no configurations.

How to Configure Interface Templates

Perform the following tasks to configure a user interface template and bind it to a target.

Configuring Interface Templates

Perform the following task to create user interface templates:

Procedure

  Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

template name

Example:


Device(config)# template user-template1
Creates a user template and enters template configuration mode.

Note

 
Builtin templates are system-generated.

Step 4

load-interval interval

Example:


Device(config-template)# load-interval 60
Configures the sampling interval for statistics collections on the template.

Note

 
Builtin templates are system-generated.

Step 5

description description

Example:


Device(config-template)# description This is a user template
Configures the description for the template.

Step 6

keepalive number

Example:


Device(config-template)# Keepalive 60
Configures the keepalive timer.

Step 7

end

Example:


Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Configuring Static Binding for Interface Templates

Procedure

  Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:


Device(config)# interface GigabitEthernet 1/0/12

Specifies the interface type and number and enters interface configuration mode.

Step 4

source template name

Example:


Device(config-if)# source template user-template1

Statically applies an interface template to a target.

Step 5

end

Example:


Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Example

To verify static binding use the show running-config interface int-name and the show derived-config interface int-name commands. 

Device# show running-config interface GigabitEthernet 1/0/12

Building configuration...

Current configuration : 71 bytes
!
interface GigabitEthernet1/0/12
source template user-template1
end

Device# show derived-config interface GigabitEthernet 1/0/12
Building configuration...

Derived configuration : 108 bytes
!
interface GigabitEthernet1/0/12
description This is a user template
load-interval 60
keepalive 60
end

Configuring Dynamic Binding of Interface Templates

To configure dynamic binding of interface templates, perform the following tasks:

Before you begin

Ensure that 802.1x port-based authentication is configured on the device. When you are using the ISE server to download and assign a template that includes switchport mode and vlan change commands, the access-session interface-template sticky command is used, which is available only in IBNS 2.0. Hence, VLAN changes using a template require IBNS 2.0.

Procedure

Step 1

Create a template on the device, as specified in the Configuring Interface Templates procedure.

Step 2

Configure the Identity Services Engine (ISE) or any other RADIUS server to download the template name to the device interface. The template is assigned after the device is authenticated successfully.

If you’re using ISE, go to the Policy > Policy Elements > Authorization > Authorization Profile page.

Check the Interface Template check box and enter the name of the template to be assigned to the client interface.

Figure 1. Configure ISE to Assign Interface Template

If you’re using a different RADIUS server, configure the attribute Cisco-AVpair="interface:template=name" with the name of the template. This configuration pushes the template to the device after the initial client authentication is completed.

Step 3

To verify that the template name is downloaded to the interface, use the show authentication sessions interface interface-id details or show access-session interface interface-id details command. To verify that the interface template commands are applied to the interface, use the show derived-config interface interface-id command.

Example

The following example shows how to verify that a template named del_template is downloaded and applied to the TwentyFiveGigE1/0/3 interface on the device: 

Device# show running-config | section del_template
template del_template
access-session port-control auto
no access-session monitor
authentication periodic
Device# show authentication sessions interface tw1/0/3 details
Interface: TwentyFiveGigE1/0/3
IIF-ID: 0x1F9EBBA9
MAC Address: 002f.0100.0001
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: NOAS
Device-type: Un-Classified Device
Device-name: Unknown Device
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0404140B00004E1C6E569E0B
Acct Session ID: Unknown
Handle: 0xdb000e24
Current Policy: DOT1x

Server Policies:
Interface Template: del_template

Method status list:
Method State
dot1x Authc Success


Device# show derived-config interface tw1/0/3
Building configuration...

Derived configuration : 321 bytes
!
interface TwentyFiveGigE1/0/3
switchport access vlan 44
switchport mode access
switchport port-security violation restrict
switchport port-security
authentication periodic       
access-session port-control auto 
no access-session monitor 
mab
dot1x pae authenticator
service-policy type control subscriber DOT1x
end

Verifying Interface Templates

Use one or more of the commands listed below to verify the interface template configuration.

Table 1. Show commands to verify Interface Template Configuration

Command

Purpose

show template interface all {all | binding {temp-name | all | target int-name} | brief }

Shows all interface template configurations.

show template interface source {built-in [original] | user}{temp-name | all}}

Shows interface template source configurations.

show template service{all | binding target int-name | brief | source {aaa | built-in | user {temp-name | all}}

Shows all interface template service configurations.

Example: Verifying Interface User Template

Device# show template interface source user all
    Template Name : TEST-1
    Template Definition:   
    load-interval 60
    description TEST_1_TEMPLATE
    keepalive 200
			 !
    Template Name : TEST-2
    Template Definition:   
    load-interval 60
    description TEST-1_TEMPLATE
    keepalive 200

Example: Verifying all Builtin Templates 

Device#  show template interface source built-in all

Building configuration...

Template Name : AP_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode trunk
switchport nonegotiate
service-policy input AutoConf-4.0-Trust-Cos-Input-Policy
service-policy output AutoConf-4.0-Output-Policy
!
Template Name : DMP_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport block unicast
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoConf-4.0-Trust-Dscp-Input-Policy
service-policy output AutoConf-4.0-Output-Policy
!
Template Name : IP_CAMERA_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport block unicast
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoConf-4.0-Trust-Dscp-Input-Policy
service-policy output AutoConf-4.0-Output-Policy
!
Template Name : IP_PHONE_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport block unicast
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoConf-4.0-CiscoPhone-Input-Policy
service-policy output AutoConf-4.0-Output-Policy
ip dhcp snooping limit rate 15
load-interval 30
!
Template Name : LAP_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport block unicast
switchport port-security violation protect
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 15
load-interval 30
! 
Template Name : MSP_CAMERA_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport block unicast
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
!
Template Name : MSP_VC_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
load-interval 30
!
Template Name : PRINTER_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport port-security maximum 2
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable
load-interval 60
!
Template Name : ROUTER_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpduguard enable
service-policy input AutoConf-4.0-Trust-Cos-Input-Policy
service-policy output AutoConf-4.0-Output-Policy
!
Template Name : SWITCH_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode trunk
service-policy input AutoConf-4.0-Trust-Cos-Input-Policy
service-policy output AutoConf-4.0-Output-Policy
!
Template Name : TP_INTERFACE_TEMPLATE
Modified : No
Template Definition :
switchport mode access
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoConf-4.0-Trust-Dscp-Input-Policy
service-policy output AutoConf-4.0-Output-Policy
ip dhcp snooping limit rate 15
load-interval 30
!
end

Example: Verifying Interface Template Binding for all templates

Device# show template interface binding all
    Template-name               Source      Method          Interface
    =============               ====      ==========      ==========
IP_PHONE_INTERFACE_TEMPLATE    Built-in    Dynamic        Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                          Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                          Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                          Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                          Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                          Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                          Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                          Gi1/0/22, Gi1/0/23, Gi1/0/24
                                                          Gi1/1/1, Gi1/1/2, Gi1/1/3
   
IP_PHONE_INTERFACE_TEMPLATE    Built-in     Static        Gi4/0/4

Example: Verifying Static Template Binding for a Target Interface

Device# show template interface binding target GigabitEthernet 1/0/4
 			Interface            Method       Source            Template     
    =========           ==========    =====             =========
    Gi1/0/4              Dynamic      built-in          IP_PHONE_INTERFACE_TEMPLATE 
                         Static       user              TEST
                         Dynamic      Modified-built-in TEST

Example: Verifying Dynamic Template Binding for all templates

Device# show template service all
 			  
    User-defined template:
    ====================== 

    Template Name      : SVC-1
    Template Definition:   
    vlan 100
    access-group acl1

    built-in template:
    ====================== 

    Template Name      : SVC-2
    Template Definition:   
    vlan 100
    access-group acl1

    aaa downloaded template:
    ==========================
    Template Name      : SVC-2
    Template Definition:   
    vlan 100
    access-group acl1

Example: Verifying Template Binding for a Target Interface

Device# show template binding target GigabitEthernet 1/0/4

  Interface Templates:
    Interface            method       Source            Template     
    =========           ==========    =====             =========
    Gi1/0/4              Dynamic      built-in          IP_PHONE_INTERFACE_TEMPLATE 
                         Static       user              TEST
                         Dynamic      Modified-built-in TEST
  Service Templates:
   Template            Source         Session-Mac      
   ========            ====           ================
   SVC1                user           aa-bb-cc-dd-ee-ff 
   SVC2                built-in       ab-ab-ab-ab-ab-ab
   SVC3                aaa            ac-ac-ac-ac-ac-ac

Configuration Examples for Interface Templates

Example: Configuring User Interface Templates

Example: Configuring User Templates 

Device# enable
Device (config)# configure terminal
Device(config)# template user-template1
Device(config-template)# load-interval 60
Device(config-template)# description This is a user template
Device(config-template)# Keepalive 60
Device(config)# end

Example: Sourcing Interface Templates

Device> enable
Device# configure terminal
Device(config)# interface fastethernet 4/0/0
Device(config-if)# source template user-template1
Device(config-if)# end

Example: Dynamically Binding Interface Templates

Configure a template on the device:

Device# configure terminal    
Device(config)# tempalte user_template 
Device(config-template)# access-session port-control auto
Device(config-template)# no access-session monitor
Device(config-template)# authentication periodic

Configure RADIUS Server attribute with the template name:

Cisco-AVpair="interface:template=user_template"

Feature History for Interface Templates

This table provides release and related information for the features explained in this module.

These features are available in all the releases subsequent to the one they were introduced in, unless notedotherwise.

Release

Feature

Feature Information
Cisco IOS XE Gibraltar 16.11.1

Interface Templates

An interface template provides a mechanism to configure multiple commands at the same time and associate it with a target such as an interface.

Cisco IOS XE Bengaluru 17.5.1

Interface Templates - cts manual command

The command cts manual was introduced. It can be configured in the template configuration mode.

Cisco IOS XE Cupertino 17.7.1

Interface Templates

This feature was implemented on Cisco Catalyst 9600 Series Supervisor 2 Module (C9600X-SUP-2).

Use the Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to https://cfnng.cisco.com/.