
Can templates use custom variables defined on a system level?

eekman
Level 1

I would like to create templates that have some sensitive information hidden. Let's take an SNMP community string as an example. Besides the system-wide global community string saved in the system settings of DNAC, I have several other community strings that I would like to use in templates, but not visible to the template editor directly in the template hub. Using normal variables is not an option.

Is it possible to define some sort of environmental variable and use that in templates, something like this:

snmp-server community {{ __some_variable }} RO accesslist MYACL

9 Replies

pieterh
VIP

When defining variables, possible values and default values,
you have the option "Sensitive Value", which makes the default hidden.


Is this what you are looking for?

 

No, that means someone has to manually enter a value.

You can combine this with a default value, so that the value will not be shown.
Plus, when deploying, you can still manually enter a different value.

Preston Chilcote
Cisco Employee

The SNMP credentials used by Cisco DNA (aka Catalyst Center) should be configured in Design -> Network Settings -> Device Credentials, not in a template. But your question is still valid for SNMP configs needed for other network management systems.

A lot of IOS commands let you configure passwords not in clear text by specifying the password level. Unfortunately, this doesn't apply to SNMP v2, so the best answer for you is to move to SNMP v3 for better security.

 

That is another topic really. SNMP was just an example; the same problem exists for SNMP v3 or any other configuration that you would like to hide, used in a lot of sites, should be dynamic but not visible in a template.

As I understand it DNAC does not have the functionality I'm looking for right now.

If you switch to Velocity templates you can read a variable from a file.
Note: you need to upload this file to the Template directory on the DNA Center server.

 

OK, interesting. Thanks!

Preston Chilcote
Cisco Employee

@eekman The point I made about passwords in IOS-XE is still relevant for you. You don't have to configure passwords in clear text. For example:

enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.   

You won't be able to do this for SNMP v2 though. For that you need to leverage v3. If you go down this route, you will need to read up on the different encryption types available in IOS-XE and which is recommended for your security needs.

That is not the problem. The question is if it is possible to put data in a variable that is defined outside the scope of the template.