
Catalyst 9k interface templates

munroe
Level 1

I'm investigating using interface templates to optimize our configurations. However, it seems like only a subset of interface commands are available to be applied via a template? Things like "ip verify source" and "ip arp inspection..." and "no cdp enable" are not available via the template. Am I missing something or misunderstanding what a template is for?

3 Replies

Jens Albrecht
Level 4

Interface Templates are a relatively new feature that was introduced with IOS-XE 16.7.1 if I remember correctly.
Today they cover a lot of routine stuff like STP, storm-control, DHCP snooping or port-based authentication with IBNS 2.0.
It is safe to assume that they will add more features with future releases but this will definitely take some time.

Leo Laohoo
Hall of Fame

Just want to know: is this about the interface-level "template" and not the interface "macro"?

Interface templates have been around since IOS 15.2 (maybe earlier?) and there have always been some commands that don't work, and it varies between software versions and IOS/IOS-XE switches.

I currently have a template for IOS 15.2(7)Ex switches and a template for IOS-XE 16.12.x switches.  Both are based on what DNAC pushes for SDA.

!!! IOS 15.2(7)ex switches !!!
show template interface source user Port-Dot1x-Default-Voice-VLAN-Closed
!
Template Name       : Port-Dot1x-Default-Voice-VLAN-Closed
Template Definition :
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast edge
 switchport access vlan 999
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 305
 mab
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber Dot1x-MAB-Guest-Default
 service-policy input IPPHONE+PC-BASIC
 ip dhcp snooping limit rate 100
 description ** Port for Endpoints with Voice VLAN dot1x closed**
 srr-queue bandwidth share 1 70 25 5
 srr-queue bandwidth shape  3 0 0 0
 priority-queue out
!
!

show run int gig 1/0/1
!
interface GigabitEthernet1/0/1
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy host-policy
 ipv6 snooping attach-policy policy1
 ipv6 dhcp guard
 source template Port-Dot1x-Default-Voice-VLAN-Closed
 spanning-tree portfast edge
!
!

sho derived-config interface gigabitEthernet 1/0/1
!
interface GigabitEthernet1/0/1
 description ** Port for Endpoints with Voice VLAN dot1x closed**
 switchport access vlan 999
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 305
 ip arp inspection limit rate 100
 ip access-group Auth-Default-ACL in
 srr-queue bandwidth share 1 70 25 5
 srr-queue bandwidth shape  3 0 0 0
 priority-queue out
 ipv6 nd raguard attach-policy host-policy
 ipv6 snooping attach-policy policy1
 ipv6 dhcp guard
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast edge
 service-policy type control subscriber Dot1x-MAB-Guest-Default
 service-policy input IPPHONE+PC-BASIC
 ip dhcp snooping limit rate 100




!!! IOS-XE 16.12.x switches !!!
show template interface source user DefaultWiredDot1xClosedAuth
!
Template Name       : DefaultWiredDot1xClosedAuth
Template Definition :
 dot1x pae authenticator
 dot1x timeout supp-timeout 7
 dot1x max-req 3
 switchport access vlan 999
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 20
 mab
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber Dot1x-MAB-Guest-Default
 service-policy input IPPHONE+PC-BASIC
 service-policy output AutoQos-4.0-Output-Policy
 description ** Port for Endpoints with Voice VLAN dot1x closed **
 ip dhcp snooping limit rate 100
!
!

show run interface GigabitEthernet 1/0/1
!
interface GigabitEthernet1/0/1
 device-tracking attach-policy IPDT_POLICY
 ip access-group IPV4_PRE_AUTH_ACL in
 ipv6 traffic-filter IPV6_PRE_AUTH_ACL in
 source template DefaultWiredDot1xClosedAuth
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip nbar protocol-discovery
!
!

show derived-config interface GigabitEthernet 1/0/1
!
interface GigabitEthernet1/0/1
 description ** Port for Endpoints with Voice VLAN dot1x closed **
 switchport access vlan 999
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 20
 device-tracking attach-policy IPDT_POLICY
 ip access-group IPV4_PRE_AUTH_ACL in
 ipv6 traffic-filter IPV6_PRE_AUTH_ACL in
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout supp-timeout 7
 dot1x max-req 3
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy type control subscriber Dot1x-MAB-Guest-Default
 service-policy input IPPHONE+PC-BASIC
 service-policy output AutoQos-4.0-Output-Policy
 ip nbar protocol-discovery
 ip dhcp snooping limit rate 100
!
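
An added example, not part of the original posts and not Cisco tooling: a short Python audit that takes the three outputs shown above (`show template interface source user`, `show run interface`, `show derived-config interface`) and reports, for each required hardening command, whether the effective port config gets it from the template, from the interface itself, or not at all. The `REQUIRED` baseline and the function names are hypothetical; the sample text is constructed by abridging the IOS 15.2(7)Ex output in the post.

```python
import re

# Constructed sample input, abridged from the IOS 15.2(7)Ex output quoted in the post.
TEMPLATE = """Template Name       : Port-Dot1x-Default-Voice-VLAN-Closed
Template Definition :
 access-session closed
 access-session port-control auto
 spanning-tree portfast edge
 ip dhcp snooping limit rate 100
!
"""
RUNNING = """interface GigabitEthernet1/0/1
 ip arp inspection limit rate 100
 source template Port-Dot1x-Default-Voice-VLAN-Closed
 spanning-tree portfast edge
!
"""
DERIVED = """interface GigabitEthernet1/0/1
 ip arp inspection limit rate 100
 ip access-group Auth-Default-ACL in
 access-session closed
 access-session port-control auto
 spanning-tree portfast edge
 ip dhcp snooping limit rate 100
"""
# Hypothetical hardening baseline for an access port (an assumption, not from the thread).
REQUIRED = ["access-session closed", "ip dhcp snooping limit rate 100", "ip verify source",
            "ip arp inspection limit rate 100", "spanning-tree portfast edge"]

def commands(text):
    """Indented lines of a CLI block (the interface-level commands), whitespace-normalized."""
    return {" ".join(l.split()) for l in text.splitlines() if l.startswith(" ") and l.strip()}

def audit(template, running, derived, required):
    """Map each required command to where the effective (derived) config gets it from."""
    name = re.search(r"^Template Name\s*:\s*(\S+)", template, re.M).group(1)
    direct = commands(running)
    # Template lines only count if the port actually sources this template.
    inherited = commands(template) if f"source template {name}" in direct else set()
    effective = commands(derived)
    report = {}
    for cmd in required:
        origin = [s for s, c in (("template", inherited), ("interface", direct)) if cmd in c]
        report[cmd] = ("+".join(origin) or "derived-only") if cmd in effective else "MISSING"
    return report

if __name__ == "__main__":
    for cmd, origin in audit(TEMPLATE, RUNNING, DERIVED, REQUIRED).items():
        print(f"{origin:20} {cmd}")
```

In the post's 15.2(7)Ex output, `ip access-group Auth-Default-ACL in` appears only in the derived config, which is why the audit checks presence against the derived output instead of merging template and interface lines itself.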