Service Template

Service templates are dynamic policy containers. Each template defines a collection of network access control attributes, including VLAN assignments, access control lists, QoS policies, security group tags, and redirection policies, that is applied dynamically to authenticated users or devices based on their identity and authorization profile. Service templates let you define user experience policies centrally; the policies are activated automatically during authentication events and provide consistent network access controls such as bandwidth management, network segmentation, web redirection, and security enforcement. They are essential components of Identity Services Engine (ISE) integration and network access control deployments, enabling role-based network access with automated policy enforcement and streamlined user onboarding.

Diagram
| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| service_templates | List[service_templates] | | No | |

service_templates (iosxe.devices.configuration)

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| access_groups | List[String] | | No | |
| inactivity_timer | Integer | min: 1, max: 65535 | No | |
| inactivity_timer_probe | Boolean | true, false | No | |
| vlan | Integer | min: 1, max: 4094 | No | |
| voice_vlan | Boolean | true, false | No | |
| linksec_policy | Choice | must-not-secure, must-secure, should-secure | No | |
| sgt | Integer | min: 2, max: 65519 | No | |
| absolute_timer | Integer | min: 1, max: 1073741823 | No | |
| description | String | | No | |
| interface_templates | List[String] | | No | |
| tunnel_capwap_name | String | | No | |
| vnid | String | | No | |
| redirect_append_client_mac | String | | No | |
| redirect_append_switch_mac | String | | No | |
| redirect_url | String | | No | |
| redirect_url_match_acl | String | | No | |
| redirect_url_match_action | Choice | one-time-redirect, redirect-on-no-match | No | |
| dns_acl_preauth | String | | No | |
| service_policy_qos_input | String | | No | |
| service_policy_qos_output | String | | No | |
| tags | List[String] | | No | |
| mdns_service_policy | String | | No | |

By defining service templates, you enable automated, role-based policy enforcement for authenticated users and devices, supporting dynamic network access control and segmentation.

Key Components:

  • Template Name (name): The identifier for the service template.

  • Description (description): Descriptive text for the template.

  • VLAN ID (vlan, voice_vlan): Assigns access or voice VLANs to clients.

  • Inactivity Timer (inactivity_timer, inactivity_timer_probe): Sets inactivity timeout and probe options.

  • Access Control Lists (access_groups): Applies ACLs for traffic filtering.

  • Security Group Tag (sgt): Assigns SGT for security segmentation.

  • Absolute Timer (absolute_timer): Sets a maximum session duration.

  • Interface Templates (interface_templates): Applies common interface settings.

  • QoS Service Policies (service_policy_qos_input, service_policy_qos_output): Configures input/output QoS policies.

  • Web Redirection (redirect_url, redirect_url_match_acl, redirect_url_match_action): Sets web redirect URL and associated ACLs.

  • DNS ACLs (dns_acl_preauth): Applies DNS ACLs for pre-authentication.

  • Linksec Policy (linksec_policy): Configures link security policy.

  • VNID (vnid): VXLAN Network Identifier for segmentation.

  • mDNS Service Policy (mdns_service_policy): Applies mDNS policy for service discovery.

  • Tags (tags): Assigns tags for role or group identification.

Key Parameters Briefly Explained:

  • name: Template identifier.
  • description: Template description.
  • vlan, voice_vlan: VLAN assignments.
  • inactivity_timer, inactivity_timer_probe: Inactivity timer settings.
  • access_groups: ACLs for access control.
  • sgt: Security Group Tag.
  • absolute_timer: Session duration limit.
  • interface_templates: Common interface settings.
  • service_policy_qos_input, service_policy_qos_output: QoS policies.
  • redirect_url, redirect_url_match_acl, redirect_url_match_action: Web redirection.
  • dns_acl_preauth: DNS ACLs for pre-auth.
  • linksec_policy: Link security.
  • vnid: VXLAN ID.
  • mdns_service_policy: mDNS policy.
  • tags: Role/group tags.

You can use these service template parameters to define granular and dynamic network access policies. Customize VLAN assignments, security policies, QoS parameters, and redirection behaviors to fit your organization’s security posture, user experience requirements, and network segmentation needs. Adjusting these parameters lets you tailor access controls based on user identity and device posture.

The following configuration describes how to set up a service template on a Cisco IOS-XE device, including template definition, VLAN assignment, inactivity timers, access groups, security group tags, and QoS policies for dynamic policy enforcement.

service-template EMPLOYEE-TEMPLATE
 description Template for employee access
 vlan 100
 voice vlan
 inactivity-timer 1800 probe
 access-group EMPLOYEE-ACL
 sgt 10
 absolute-timer 28800
 interface-template EMPLOYEE-INTERFACE-TEMPLATE
 service-policy qos input EMPLOYEE-QOS-IN
 service-policy qos output EMPLOYEE-QOS-OUT

The following YAML code defines multiple service templates on an IOS-XE device, specifying attributes such as VLAN assignments, inactivity timers, access groups, security group tags, redirection policies, and QoS service policies for dynamic policy application.

iosxe:
  devices:
    - name: Device1
      configuration:
        service_templates:
          - name: EMPLOYEE-TEMPLATE
            description: Template for employee access
            vlan: 100
            voice_vlan: true
            inactivity_timer: 1800
            inactivity_timer_probe: true
            access_groups:
              - EMPLOYEE-ACL
            sgt: 10
            absolute_timer: 28800
            interface_templates:
              - EMPLOYEE-INTERFACE-TEMPLATE
            service_policy_qos_input: EMPLOYEE-QOS-IN
            service_policy_qos_output: EMPLOYEE-QOS-OUT
            tags:
              - EMPLOYEE
              - INTERNAL
          - name: GUEST-TEMPLATE
            description: Template for guest access with web redirect
            vlan: 200
            inactivity_timer: 3600
            access_groups:
              - GUEST-ACL
            sgt: 20
            redirect_url: https://portal.company.com/guest
            redirect_url_match_acl: WEB-REDIRECT-ACL
            redirect_url_match_action: one-time-redirect
            dns_acl_preauth: DNS-GUEST-ACL
            tags:
              - GUEST
              - RESTRICTED
          - name: IOT-TEMPLATE
            description: Template for IoT devices
            vlan: 300
            linksec_policy: should-secure
            sgt: 30
            vnid: "300"
            mdns_service_policy: IOT-MDNS-POLICY
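A pre-push check for data like the YAML above, added here as an example and not part of the Network-as-Code project: it validates each service template against the ranges, choices, types and the mandatory `name` from the schema table, so an out-of-range VLAN or SGT, an unknown attribute, or an unquoted `vnid` is caught before the device sees it. The sample templates are constructed for the demonstration.

```python
# Added example, not Network-as-Code project code: check service_templates entries against the schema table above.
INT_RANGES = {"inactivity_timer": (1, 65535), "vlan": (1, 4094),
              "sgt": (2, 65519), "absolute_timer": (1, 1073741823)}
CHOICES = {"linksec_policy": {"must-not-secure", "must-secure", "should-secure"},
           "redirect_url_match_action": {"one-time-redirect", "redirect-on-no-match"}}
BOOLS = {"voice_vlan", "inactivity_timer_probe"}
LISTS = {"access_groups", "interface_templates", "tags"}
STRINGS = {"name", "description", "tunnel_capwap_name", "vnid", "redirect_url",
           "redirect_append_client_mac", "redirect_append_switch_mac",
           "redirect_url_match_acl", "dns_acl_preauth", "mdns_service_policy",
           "service_policy_qos_input", "service_policy_qos_output"}
KNOWN = set(INT_RANGES) | set(CHOICES) | BOOLS | LISTS | STRINGS

def validate_template(tpl):
    """Return the list of schema violations for one template (empty = OK)."""
    problems = []
    if not isinstance(tpl.get("name"), str) or not tpl["name"]:
        problems.append("name is mandatory")  # the only mandatory attribute
    for key, value in tpl.items():
        if key in INT_RANGES:
            lo, hi = INT_RANGES[key]  # type() is int also rejects bool (an int subclass)
            if type(value) is not int or not lo <= value <= hi:
                problems.append(f"{key}={value!r} not an integer in {lo}..{hi}")
        elif key in CHOICES and value not in CHOICES[key]:
            problems.append(f"{key}={value!r} not in {sorted(CHOICES[key])}")
        elif key in BOOLS and not isinstance(value, bool):
            problems.append(f"{key}={value!r} must be true or false")
        elif key in LISTS and not (isinstance(value, list)
                                   and all(isinstance(v, str) for v in value)):
            problems.append(f"{key} must be a list of strings")
        elif key in STRINGS and not isinstance(value, str):
            # vnid is typed String: an unquoted 300 in YAML arrives as an int
            problems.append(f"{key}={value!r} must be a string")
        elif key not in KNOWN:
            problems.append(f"unknown attribute {key}")
    return problems

def validate_all(templates):
    """Map each offending template name (or index) to its problems."""
    return {t.get("name", f"#{i}"): p for i, t in enumerate(templates)
            if (p := validate_template(t))}

SAMPLE_TEMPLATES = [  # constructed input; the second entry is deliberately broken
    {"name": "EMPLOYEE-TEMPLATE", "vlan": 100, "voice_vlan": True, "sgt": 10,
     "inactivity_timer": 1800, "inactivity_timer_probe": True, "vnid": "300",
     "access_groups": ["EMPLOYEE-ACL"]},
    {"name": "BAD-TEMPLATE", "vlan": 5000, "sgt": 1, "vnid": 300,
     "linksec_policy": "secure", "inactivity_timer_probe": "yes", "acl": "X"},
]
```

Feed it the `service_templates` list parsed from the YAML (for example with `yaml.safe_load`) and refuse the push when `validate_all` returns anything.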