Here's my current template that I'm trying to add switchport protected to

template 32-Common
storm-control broadcast level bps 10m
storm-control multicast level bps 10m
storm-control action shutdown
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
switchport access vlan 32
switchport mode access
description 32-Common

Hi Rick,
Yes, I'm trying to understand why some interface commands are not accepted into an interface template so that all commands dont have to be added to each interface individually.

c3850#show run int gig1/0/2
Building configuration...

Current configuration : 89 bytes
!
interface GigabitEthernet1/0/2
source template 32-Common
end

c3850#show derived-config interface gig1/0/2
Building configuration...

Derived configuration : 330 bytes
!
interface GigabitEthernet1/0/2
description 32-Common
switchport access vlan 32
switchport mode access
storm-control broadcast level bps 10m
storm-control multicast level bps 10m
storm-control action shutdown
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
end

No range commands needed for broad changes/updates, just update the reference template and the changes cascade out to the interfaces automatically.

Thanks for the additional information. This is quite puzzling. There are certainly a number of interface commands (and 2 of them are switchport commands) that are accepted in the template. So it is surprising that this switchport protected is not accepted. I do not have an explanation. Perhaps someone else in the community with more experience in this area may have an explanation? Do you have the capability of opening a case with Cisco TAC? If so I suggest asking them about this.

I agree, its an odd one for sure.  I'll try with TAC once I've scoured around a little more.

---

@80211WiGuy wrote:

 storm-control broadcast level bps 10m
 storm-control multicast level bps 10m
 storm-control action shutdown
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 switchport access vlan 32
 switchport mode access
 description 32-Common

---

The term "template" is confusing.  It should be "macro".  

There is a hidden command in IOS and IOS-XE called Switchport Macro (not to be confused with AUTO Switchport Macro).  

macro name BLAH
 storm-control broadcast level bps 10m
 storm-control multicast level bps 10m
 storm-control action shutdown
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 switchport access vlan 32
 switchport mode access
 description 32-Common
@

NOTE:  The "@" tells the system it is the "end of the macro" so this is mandatory.  

To apply the macro into the interface: 

interface <PORT>
 macro apply BLAH

Ah, thats really cool, but I'm afraid it sets it like a simply copy/paste directly into the interface config on every interface within a range.  I'm looking for something where lets say, I'm going to change the access vlan for any port with the assigned template - without having to know the ports.  Just change the access vlan within the template and all the applied ports get updated automatically.

I appreciate the note on macros though, cool stuff!

You want a macro that can change the VLAN?

macro name ZOOM
 switchport access vlan $CHEESE
@

To apply VLAN 123 into a port: 

interface <PORT>
 macro apply ZOOM $CHEESE 123

Sorry for not being clear Leo.  I want the administrator to have the ability to change configs for all ports assigned a given template, without having to know the interface(s). 

For instance,

gig1,2,4 are all assigned the "employee" template
gig3,5,6 are assigned the "guest" template

I can adjust the guest vlan by modifying it in the template, without having to sort through the full switch config and sort out which ports are assigned to guests.  Not a big deal on a single 48 port switch, but a real pain on a 9 switch stack with 432 ports.  I'd like to keep using the "source template" method but its frustrating to find not all interface level configuration commands are available in the template config section - seems like a bug/missed detail to me.

I'm sure we can all relate to multiple cooks in the kitchen changing interface configs without updating things like descriptions which help keep things organised.  The templates make these port config outliers easy to spot and keep standards in place.

Can i see 

Show interface x/x switchport 

I think someone make port as protected and hence you cannot add template under interface.

Here's what you asked for with an example of before and after its configured protected.

c3850#show run int gi1/0/2
Building configuration...

Current configuration : 89 bytes
!
interface GigabitEthernet1/0/2
source template 32-Common
spanning-tree portfast
end

c3850#show derived-config int gi1/0/2
Building configuration...

Derived configuration : 330 bytes
!
interface GigabitEthernet1/0/2
description 32-Common
switchport access vlan 32
switchport mode access
storm-control broadcast level bps 10m
storm-control multicast level bps 10m
storm-control action shutdown
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
end

c3850#show interfaces gi1/0/2 switchport
Name: Gi1/0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 32 (Common)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: disabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Vepa Enabled: false
Appliance trust: none
c3850#conf t
Enter configuration commands, one per line. End with CNTL/Z.
c3850(config)#int gig1/0/2
c3850(config-if)#switchport protected
c3850(config-if)#end
c3850#show run int gi1/0/2
Building configuration...

Current configuration : 111 bytes
!
interface GigabitEthernet1/0/2
switchport protected
source template 32-Common
spanning-tree portfast
end

c3850#show interfaces gi1/0/2 switchport
Name: Gi1/0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 32 (Common)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: disabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Vepa Enabled: false
Appliance trust: none