Template

Interface templates are reusable configuration containers that define a standardized set of interface-level settings including switchport configuration, security policies, authentication parameters, QoS policies, and network access control attributes that can be consistently applied across multiple physical interfaces. They streamline network deployment and maintenance by enabling centralized definition of interface behaviors such as 802.1X authentication, MAB (MAC Authentication Bypass), port security, spanning tree settings, storm control, and device tracking policies. Interface templates are essential for maintaining configuration consistency, reducing deployment errors, and simplifying network operations in large-scale environments where standardized interface policies need to be applied across hundreds or thousands of switch ports.

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| templates | List | [templates] | No | |

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | | Yes | |
| service_policy_type_control_subscriber | String | | No | |
| service_policy_input | String | | No | |
| service_policy_output | String | | No | |
| source_template | String | | No | |
| switchport | Class | [switchport] | No | |
| spanning_tree | Class | [spanning_tree] | No | |
| storm_control | Class | [storm_control] | No | |
| load_interval | Integer | min: 30, max: 600 | No | |
| ipv4 | Class | [ipv4] | No | |
| subscriber_aging_inactivity_timer_value | Integer | min: 1, max: 65535 | No | |
| subscriber_aging_inactivity_timer_probe | Boolean | true, false | No | |
| subscriber_aging_probe | Boolean | true, false | No | |
| device_tracking | Boolean | true, false | No | |
| device_tracking_attached_policies | List | [device_tracking_attached_policies] | No | |
| device_tracking_vlan_range | String | | No | |
| network_access_control | Class | [network_access_control] | No | |

switchport (iosxe.devices.configuration.templates)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| mode | Choice | access, trunk | No | |
| nonegotiate | Boolean | true, false | No | |
| block_unicast | Boolean | true, false | No | |
| port_security | Boolean | true, false | No | |
| port_security_aging_static | Boolean | true, false | No | |
| port_security_aging_time | Integer | min: 1, max: 1440 | No | |
| port_security_aging_type | Boolean | true, false | No | |
| port_security_aging_type_inactivity | Boolean | true, false | No | |
| port_security_maximum_ranges | List | [port_security_maximum_ranges] | No | |
| port_security_violation_protect | Boolean | true, false | No | |
| port_security_violation_restrict | Boolean | true, false | No | |
| port_security_violation_shutdown | Boolean | true, false | No | |
| access_vlan | Integer | min: 1, max: 4094 | No | |
| voice_vlan | Integer | min: 1, max: 4094 | No | |
| private_vlan_host_association_primary_range | Any | Integer[min: 2, max: 1001] or Integer[min: 1006, max: 4094] or String[Regex: `^.*[\$\%]\{.*$`] | No | |
| private_vlan_host_association_secondary_range | Any | Integer[min: 2, max: 1001] or Integer[min: 1006, max: 4094] or String[Regex: `^.*[\$\%]\{.*$`] | No | |
| trunk_allowed_vlans | Class | [trunk_allowed_vlans] | No | |
| trunk_native_vlan_tag | Boolean | true, false | No | |
| trunk_native_vlan_id | Integer | min: 1, max: 4094 | No | |

spanning_tree (iosxe.devices.configuration.templates)

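| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| bpduguard | Boolean | true, false | No | |
| service_policy | Boolean | true, false | No | |
| portfast | Boolean | true, false | No | |
| portfast_disable | Boolean | true, false | No | |
| portfast_edge | Boolean | true, false | No | |
| portfast_network | Boolean | true, false | No | |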

storm_control (iosxe.devices.configuration.templates)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| broadcast_level_pps_threshold | String | | No | |
| broadcast_level_bps_threshold | Number | min: 0, max: 100000000000.0 | No | |
| broadcast_level_threshold | Number | min: 0, max: 10000 | No | |
| multicast_level_pps_threshold | String | | No | |
| multicast_level_bps_threshold | Number | min: 0, max: 100000000000.0 | No | |
| multicast_level_threshold | Number | min: 0, max: 10000 | No | |
| action_shutdown | Boolean | true, false | No | |
| action_trap | Boolean | true, false | No | |

ipv4 (iosxe.devices.configuration.templates)

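| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| dhcp_snooping_limit_rate | Integer | min: 1, max: 2048 | No | |
| dhcp_snooping_trust | Boolean | true, false | No | |
| access_group_in | String | | No | |
| access_group_out | String | | No | |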

device_tracking_attached_policies (iosxe.devices.configuration.templates)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | | No | |
| vlan_range | String | | Yes | |

network_access_control (iosxe.devices.configuration.templates)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| dot1x_pae | Choice | authenticator, both, supplicant | No | |
| dot1x_max_reauth_req | Integer | min: 1, max: 10 | No | |
| dot1x_max_req | Integer | min: 1, max: 10 | No | |
| dot1x_timeout_tx_period | Integer | min: 1, max: 65535 | No | |
| mab | Boolean | true, false | No | |
| mab_eap | Boolean | true, false | No | |
| access_session_closed | Boolean | true, false | No | |
| access_session_monitor | Boolean | true, false | No | |
| access_session_port_control | Choice | auto, force-authorized, force-unauthorized | No | |
| access_session_control_direction | Choice | both, in | No | |
| access_session_host_mode | Choice | multi-auth, multi-domain, multi-host, single-host | No | |
| access_session_interface_template_sticky | Boolean | true, false | No | |
| access_session_interface_template_sticky_timer | Integer | min: 1, max: 65535 | No | |
| authentication_periodic | Boolean | true, false | No | |
| authentication_timer_reauthenticate_server | Boolean | true, false | No | |
| authentication_timer_reauthenticate_range | Integer | min: 1, max: 65535 | No | |
| cts_manual | Boolean | true, false | No | |
| cts_manual_policy_static_sgt | Integer | min: 2, max: 65519 | No | |
| cts_manual_policy_static_trusted | Boolean | true, false | No | |
| cts_manual_propagate_sgt | Boolean | true, false | No | |
| cts_role_based_enforcement | Boolean | true, false | No | |

port_security_maximum_ranges (iosxe.devices.configuration.templates.switchport)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| range | Integer | min: 1, max: 3072 | Yes | |
| vlan | Boolean | true, false | No | |
| vlan_access | Boolean | true, false | No | |

trunk_allowed_vlans (iosxe.devices.configuration.templates.switchport)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| ids | List | Integer[min: 1, max: 4094] | No | |
| ranges | List | [ranges] | No | |

ranges (iosxe.devices.configuration.templates.switchport.trunk_allowed_vlans)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| from | Integer | min: 1, max: 4094 | Yes | |
| to | Integer | min: 1, max: 4094 | Yes | |

By centralizing interface configuration, templates ensure consistency, reduce errors, and simplify network operations for large-scale deployments.

Key Components:

  • Template Name (name): The identifier for the interface template.

  • Service Policies (service_policy_input, service_policy_output): Apply input/output QoS policies to interfaces.

  • Load Interval (load_interval): Sets the statistics collection interval.

  • Subscriber Aging Timer (subscriber_aging_inactivity_timer_value): Configures inactivity timer for subscriber sessions.

  • Device Tracking (device_tracking): Enables device tracking on the interface.

  • Switchport Settings (switchport): Defines switchport mode, native VLAN, allowed VLANs, negotiation, port security, voice VLAN, and related attributes.

  • Network Access Control (network_access_control): Configures 802.1X, MAB, access session, authentication, CTS, and related security policies.

  • Spanning Tree (spanning_tree): Sets BPDU guard, portfast, and related spanning tree settings.

  • Storm Control (storm_control): Configures broadcast/multicast thresholds and actions.

  • IPv4 Settings (ipv4): Sets DHCP snooping, access groups, and trust settings.

Key Parameters Briefly Explained:

  • name: Template identifier.
  • service_policy_input, service_policy_output: QoS policy application.
  • load_interval: Statistics interval.
  • subscriber_aging_inactivity_timer_value: Subscriber inactivity timer.
  • device_tracking: Enables device tracking.
  • switchport: Switchport configuration (mode, VLANs, port security, voice VLAN).
  • network_access_control: Security and authentication settings.
  • spanning_tree: Spanning tree features.
  • storm_control: Storm control thresholds and actions.
  • ipv4: IPv4-specific settings.

You can use these template parameters to define standardized interface configurations for your network devices. Customize switchport, security, authentication, spanning tree, storm control, and IPv4 settings to fit your operational requirements and ensure consistent policy enforcement across interfaces.

The following configuration describes how to set up an interface template on a Cisco IOS-XE device, including switchport settings, security policies, authentication, spanning tree, storm control, and IPv4 features.

interface template TEMPLATE1
 service-policy input input
 service-policy output output
 load-interval 90
 subscriber aging inactivity timer value 600
 device-tracking
 switchport mode trunk
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10-20,30
 switchport nonegotiate
 switchport block unicast
 switchport port-security
 switchport port-security aging static
 switchport port-security aging time 600
 switchport port-security aging type inactivity
 switchport port-security maximum 10 vlan access
 switchport port-security maximum 20 vlan
 switchport port-security maximum 30
 switchport port-security violation protect
 switchport voice vlan 11
 dot1x pae supplicant
 dot1x max-reauth-req 3
 dot1x max-req 5
 dot1x timeout tx-period 600
 mab
 mab eap
 access-session closed
 access-session monitor false
 access-session port-control force-authorized
 access-session control-direction in
 access-session host-mode multi-domain
 access-session interface-template sticky
 access-session interface-template sticky timer 600
 authentication periodic
 authentication timer reauthenticate 600
 cts manual
 cts manual policy static sgt 100
 cts manual policy static trusted
 cts manual propagate sgt
 cts role-based enforcement
 spanning-tree bpduguard enable
 spanning-tree portfast
 spanning-tree portfast disable
 storm-control broadcast level 80
 storm-control multicast level 70
 storm-control action shutdown
 storm-control action trap
 ip dhcp snooping limit rate 1024
 ip dhcp snooping trust
 ip access-group ACL_IN in
 ip access-group ACL_OUT out

The following YAML code sets up an interface template on an IOS-XE device, specifying switchport, security, authentication, spanning tree, storm control, and IPv4 settings.

iosxe:
  devices:
    - name: Device1
      configuration:
        templates:
          - name: TEMPLATE1
            service_policy_input: input
            service_policy_output: output
            load_interval: 90
            subscriber_aging_inactivity_timer_value: 600
            device_tracking: true
            switchport:
              mode: trunk
              trunk_native_vlan_id: 100
              trunk_allowed_vlans:
                ids: [30, 40]
                ranges:
                  - from: 10
                    to: 20
              nonegotiate: true
              block_unicast: true
              port_security: true
              port_security_aging_static: true
              port_security_aging_time: 600
              port_security_aging_type_inactivity: true
              port_security_maximum_ranges:
                - range: 10
                  vlan: true
                  vlan_access: true
                - range: 20
                  vlan: true
                - range: 30
              port_security_violation_protect: true
              voice_vlan: 11
            network_access_control:
              dot1x_pae: supplicant
              dot1x_max_reauth_req: 3
              dot1x_max_req: 5
              dot1x_timeout_tx_period: 600
              mab: true
              mab_eap: true
              access_session_closed: true
              access_session_monitor: false
              access_session_port_control: force-authorized
              access_session_control_direction: in
              access_session_host_mode: multi-domain
              access_session_interface_template_sticky: true
              access_session_interface_template_sticky_timer: 600
              authentication_periodic: true
              authentication_timer_reauthenticate_range: 600
              cts_manual: true
              cts_manual_policy_static_sgt: 100
              cts_manual_policy_static_trusted: true
              cts_manual_propagate_sgt: true
              cts_role_based_enforcement: true
            spanning_tree:
              bpduguard: true
              portfast: true
              portfast_disable: false
            storm_control:
              broadcast_level_threshold: 80
              multicast_level_threshold: 70
              action_shutdown: true
              action_trap: true
            ipv4:
              dhcp_snooping_limit_rate: 1024
              dhcp_snooping_trust: true
              access_group_in: ACL_IN
              access_group_out: ACL_OUT
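
The example above sets every attribute to show the syntax, so some of its values would not belong together on a production port. The following added example (not part of the original page or of the project's tooling) lints one entry of the templates list before deployment, checking a few integer bounds from the tables above and flagging contradictory or weak security settings. The function name `lint_template`, the finding strings, the sample template and the choice of what counts as weak are assumptions of this example.

```python
# Added example (not from the page): pre-deployment lint for one `templates` entry.
# Key names and bounds come from the tables above; finding names are assumptions.
BOUNDS = {  # (section, key) -> (min, max); "" is the template's top level
    ("", "load_interval"): (30, 600),
    ("switchport", "port_security_aging_time"): (1, 1440),
    ("ipv4", "dhcp_snooping_limit_rate"): (1, 2048),
    ("network_access_control", "cts_manual_policy_static_sgt"): (2, 65519),
}

def lint_template(tpl):
    """Return a list of finding strings for one template dict."""
    sw = tpl.get("switchport", {})
    nac = tpl.get("network_access_control", {})
    stp = tpl.get("spanning_tree", {})
    findings = []
    for (section, key), (lo, hi) in BOUNDS.items():
        value = (tpl.get(section, {}) if section else tpl).get(key)
        if value is not None and not lo <= value <= hi:
            findings.append(f"range:{key}")
    for r in sw.get("trunk_allowed_vlans", {}).get("ranges", []):
        if r["from"] > r["to"]:
            findings.append("range:trunk_allowed_vlans")
    # The violation action is a single choice on the device, so at most one flag.
    modes = [m for m in ("protect", "restrict", "shutdown")
             if sw.get(f"port_security_violation_{m}")]
    if len(modes) > 1:
        findings.append("conflict:port_security_violation")
    elif modes == ["protect"]:
        findings.append("weak:violation_protect_drops_without_logging")
    if stp.get("portfast") and stp.get("portfast_disable"):
        findings.append("conflict:portfast")
    # force-authorized opens the port without running 802.1X or MAB.
    authn = nac.get("mab") or nac.get("dot1x_pae") in ("authenticator", "both")
    if authn and nac.get("access_session_port_control") == "force-authorized":
        findings.append("weak:force_authorized_skips_authentication")
    # Trusting DHCP server replies belongs on uplinks, not on host-facing ports.
    if sw.get("mode") == "access" and tpl.get("ipv4", {}).get("dhcp_snooping_trust"):
        findings.append("weak:dhcp_snooping_trust_on_access_port")
    return findings

# Constructed sample: a host-facing template with several problems.
SAMPLE = {
    "name": "ACCESS_DEMO", "load_interval": 20,
    "switchport": {"mode": "access", "port_security_violation_protect": True},
    "network_access_control": {"mab": True, "access_session_port_control": "force-authorized"},
    "spanning_tree": {"portfast": True, "portfast_disable": True}, "ipv4": {"dhcp_snooping_trust": True},
}
if __name__ == "__main__":
    print("\n".join(lint_template(SAMPLE)))
```

Run against a subset of TEMPLATE1 as written above, the same function reports the silent `protect` violation action and the `force-authorized` port control alongside `mab: true`.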