After a long delay, I finally finished configuring and testing a new IBNS 2.0 template. A link can be found on my NAD template page. There aren’t a lot of changes between this template and my original C3PL template. Here is a list of the changes:
- Dot1x and MAB are configured to run separately in the policy map. MAB will kick in once Dot1x fails. Concurrent Dot1x and MAB is not officially supported by Cisco, so this policy map is compliant. You can use the same policy map in my other C3PL-based template.
- Port templates! Instead of having to drop several lines of configuration on each port, you can configure a template and apply that template to the port.
Not every port command can be assigned to a template. For example, an IOS 15 switch I tested with wouldn’t allow me to apply the “dot1x timeout tx-period” and “dot1x max-reauth-req” configuration in the template, but an IOS 16.6 switch did.
In order to view the running configuration of a port configured with a template, you must use the command “show derived-config interface <interface>”. Doing a “show run int <interface>” will only show you the applied config. Here are screenshots showing the difference:
Monitor Mode port configuration with template
Low Impact Mode port configuration with template
Closed Mode port configuration with template
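
The two changes listed above, sequential Dot1x-then-MAB and a port template, can be sketched as follows. This is an added illustration, not the configuration from the linked template; the class-map, policy-map and template names, VLAN 10, the interface and the timer values are hypothetical.

```cisco
! Constructed example: DOT1X_FAILED, DOT1X_NO_RESP, PORT_AUTH_POLICY,
! ACCESS_PORT_TMPL, VLAN 10 and Gi1/0/1 are hypothetical names and values.
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
! Sequential authentication: only Dot1x starts with the session.
! MAB starts after Dot1x fails or no supplicant answers.
policy-map type control subscriber PORT_AUTH_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
!
! Port template holding the per-port commands.
template ACCESS_PORT_TMPL
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 mab
 access-session port-control auto
 service-policy type control subscriber PORT_AUTH_POLICY
!
! Timers that some releases refuse inside a template go on the port itself.
interface GigabitEthernet1/0/1
 source template ACCESS_PORT_TMPL
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
!
! Verification:
!  show running-config interface Gi1/0/1 -> only "source template" and port-level lines
!  show derived-config interface Gi1/0/1 -> the expanded, effective configuration
```

When auditing ports configured this way, review the derived configuration, since the running configuration alone does not show which authentication commands are actually in effect.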