Hello
I somehow stumbled upon Cisco's IBNS 2.0 Auto Identity (AI) templates in my CML/VIRL IOSv layer2 image (IOS 15.2(6)).
I find these templates great, because these are the best practices that we tend to hard-code manually - e.g. there are templates for Monitor Mode, Closed Mode etc. - it's great. IBNS configuration is a commonly asked topic on these forums and I don't blame anyone for getting it wrong - we end up creating text file snippets that we use over and over. But with AI there is no need for this - you cannot get it wrong and there is nothing to remember.
You start off with the switch in legacy display mode and then perform the IBNS 1.0 to IBNS 2.0 conversion. When I do this on an IOS-XE 9300 device I don't get any AI templates.
I have been looking for this feature in IOS-XE. Does anyone know if it exists in IOS XE 16.12.x?
I found this obscure Cisco Live presentation, but not much else on the official Cisco website.
SW1#show ver
Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20190423)FLO_DSGS7, EARLY DEPLOYMENT DEVELOPMENT BUILD, synced to V152_6_0_81_E
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Tue 23-Apr-19 04:48 by mmen
ROM: Bootstrap program is IOSv
Below is more detail about these built-in templates. The good thing is that the commands don't appear in the show-run - less config clutter. You simply use them.
Does this look familiar?
Switch#show template brief
Interface Templates
===================
Template-Name                         Source    Bound-to-Interface
-------------                         ------    ------------------
AI_CLOSED_MODE                        Built-in  No
AI_LOW_IMPACT_MODE                    Built-in  No
AI_MONITOR_MODE                       Built-in  No
AI_VISIBILITY_MODE                    Built-in  No
Service Templates
=================
Template-Name                         Source    Bound-To-Session
-------------                         ------    ----------------
webauth-global-inactive               Built-in  No
webauth-global-absolute               Built-in  No
DEFAULT_LINKSEC_POLICY_MUST_SECURE    Built-in  No
DEFAULT_LINKSEC_POLICY_SHOULD_SECURE  Built-in  No
DEFAULT_CRITICAL_VOICE_TEMPLATE       Built-in  No
AI_INACTIVE_TIMER                     Built-in  No
AI_CRITICAL_ACL                       Built-in  No
And even the global stuff no longer needs to be memorised (or asked about on these forums!!) - you use this one in your global config with the command source template AI_GLOBAL_CONFIG_TEMPLATE
Switch#show template global source built-in all
Building configuration...
Global Template Name : AI_GLOBAL_CONFIG_TEMPLATE
Modified : No
Global Template Definition : global
dot1x system-auth-control
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting identity default start-stop group radius
aaa accounting system default start-stop group radius
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 6 voice 1
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
end
And even more stuff we all use ... Service and Interface Templates:
Switch#show template interface source built-in all
Building configuration...
Template Name : AI_CLOSED_MODE
Modified : No
Template Definition :
dot1x pae authenticator
switchport mode access
mab
access-session closed
access-session port-control auto
service-policy type control subscriber AI_DOT1X_MAB_POLICIES
!
Template Name : AI_LOW_IMPACT_MODE
Modified : No
Template Definition :
dot1x pae authenticator
switchport mode access
mab
access-session port-control auto
service-policy type control subscriber AI_DOT1X_MAB_POLICIES
ip access-group AI_PORT_ACL in
!
Template Name : AI_MONITOR_MODE
Modified : No
Template Definition :
dot1x pae authenticator
switchport mode access
mab
access-session port-control auto
service-policy type control subscriber AI_DOT1X_MAB_POLICIES
!
Template Name : AI_VISIBILITY_MODE
Modified : No
Template Definition :
switchport mode access
access-session port-control auto
service-policy type control subscriber AI_VISIBILITY_POLICY
!
end
Switch#show template service source built-in all
Building configuration...
Built-In Service-Template
=========================
Service-Template : webauth-global-inactive
Template Definition:
idle-timeout 3600
!
Service-Template : webauth-global-absolute
Template Definition:
!
Service-Template : DEFAULT_LINKSEC_POLICY_MUST_SECURE
Template Definition:
linksec-policy Must-secure
!
Service-Template : DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
Template Definition:
linksec-policy Should-secure
!
Service-Template : DEFAULT_CRITICAL_VOICE_TEMPLATE
Template Definition:
voice vlan
!
Service-Template : AI_INACTIVE_TIMER
Template Definition:
idle-timeout 3600
!
Service-Template : AI_CRITICAL_ACL
Template Definition:
access-group AI_PORT_ACL
!
end
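
An added example (not part of the original post and not Cisco code): Python that parses the "show template interface source built-in all" output quoted above and labels each template by the commands it contains, so captured output can be checked for templates that have been modified or that leave a port open before authentication. The function names, the label strings and the treatment of any Modified value other than "No" as modified are assumptions of this example.

```python
import re

# Constructed sample: the "show template interface source built-in all"
# output quoted in the post, written with \n escapes to stay compact.
SAMPLE = (
    "Template Name : AI_CLOSED_MODE\nModified : No\nTemplate Definition :\n"
    "dot1x pae authenticator\nswitchport mode access\nmab\n"
    "access-session closed\naccess-session port-control auto\n"
    "service-policy type control subscriber AI_DOT1X_MAB_POLICIES\n!\n"
    "Template Name : AI_LOW_IMPACT_MODE\nModified : No\nTemplate Definition :\n"
    "dot1x pae authenticator\nswitchport mode access\nmab\n"
    "access-session port-control auto\n"
    "service-policy type control subscriber AI_DOT1X_MAB_POLICIES\n"
    "ip access-group AI_PORT_ACL in\n!\n"
    "Template Name : AI_MONITOR_MODE\nModified : No\nTemplate Definition :\n"
    "dot1x pae authenticator\nswitchport mode access\nmab\n"
    "access-session port-control auto\n"
    "service-policy type control subscriber AI_DOT1X_MAB_POLICIES\n!\n"
    "Template Name : AI_VISIBILITY_MODE\nModified : No\nTemplate Definition :\n"
    "switchport mode access\naccess-session port-control auto\n"
    "service-policy type control subscriber AI_VISIBILITY_POLICY\n!\nend\n"
)

HEADER = re.compile(r"(Template Name|Modified|Template Definition)\s*:\s*(.*)")


def parse_templates(text):
    """Return {name: {"modified": bool, "cmds": [...]}} from the show output."""
    out, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m and m.group(1) == "Template Name":
            cur = out.setdefault(m.group(2), {"modified": False, "cmds": []})
        elif m and m.group(1) == "Modified" and cur is not None:
            cur["modified"] = m.group(2).lower() != "no"  # assumption: not "No"
        elif not m and cur is not None and line not in ("", "!", "end"):
            cur["cmds"].append(line)
    return out


def enforcement(cmds):
    """Label a template by the access-session commands it contains."""
    if "access-session closed" in cmds:
        return "closed"        # traffic blocked until the session authorizes
    if any(c.startswith("ip access-group ") for c in cmds):
        return "low-impact"    # port open, limited by a port ACL
    if "dot1x pae authenticator" in cmds or "mab" in cmds:
        return "monitor"       # authenticates, but the port stays open
    return "visibility"        # no 802.1X or MAB on the port
```
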