Create advanced templates for router and AP configurations

Introduction

Advanced templates let you apply additional Cisco IOS configuration to one or more gateways, and allow customization and additional logic through variables provided in the template. Templates can be created for the gateway's IOS router configuration or for the Access Point (AP) configuration.

For example, an advanced template can permit an incoming connection to IOx App port 9443 from a WAN interface, or permit incoming network access from a WGB network.

Advanced templates are applied to gateways only after the standard template settings are successfully configured, and must follow the guidelines described in the following Best Practices.

Requirements

  • Knowledge of Cisco IOS router configuration.
  • Knowledge of Cisco router access point configuration.
  • Knowledge of Apache FreeMarker™ template engine's FreeMarker Template Language (FTL), as described in this document and the Apache FreeMarker Manual.

Impact of changing templates on gateways that are currently configured on Advanced Templates

For a gateway that is currently configured with an Advanced Template, if the configuration is changed by either modifying the existing template or by switching to another template, the gateway will reboot and reconfigure with the new settings. However, if the configuration change is only related to the WiFi preshared key, WGB preshared key or Site-to-Site preshared key, then the changes will be applied without a gateway reboot.

Best practices

Follow these guidelines when creating a template to ensure that it does not conflict with normal gateway operation.

Breaking these rules can also break the router network configuration.

  1. Claim the gateway using a standard configuration template.
  2. You can push down a local enable account using an Advanced Template
    (example: username lab privilege 15 password test1234)
  3. Log into the gateway either via console or remotely using the enable account
  4. Save current configuration to flash as flash:saved-config
  5. Make the configuration changes
  6. Test the functionality against the updated configuration
  7. Perform diff of working configuration against saved configuration
    show arch conf diff flash:saved-config system:running-config
  8. Use the diff output to create the advanced template
  9. Add logic and variables as necessary
  10. Test new template

Guidelines for the router configuration

  • Do not change any configuration related to CGNA.
  • Do not use, modify, or delete the admin or operator users.
  • Do not use, modify, or delete the tracking object numbers 2 or 4.
  • Do not use, modify, or delete the ACL name "GWIPS".
  • Do not modify the base-ir800.cfg file.
  • Avoid modifying or deleting the profile names "Flex_IKEv2" or "CVPN_I2PF".
  • Avoid modifying or deleting the route-maps "RM_Tu2" or "RM_WAN_ACL".
  • Avoid modifying or deleting the ACL name "NAT_ACL".

Security guidelines

  • Creating local users and opening other access paths to the gateways, such as starting HTTP or TFTP services, can have security implications.
  • Use privilege levels to limit what local users can do.
  • Use strong passwords wherever applicable.
  • Users of advanced templates are responsible for the impact of those templates and for any resulting security issues.
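
One way to review a template against the router and security guidelines above before it is saved. This is an added example, not part of GMM or of the original page: the object names come from the guidelines, while the regular expressions, the severity labels, `lint_template`, `must_fix` and the sample text are assumptions made for illustration.

```python
import re

# (severity, regex, message). Names come from this page's router and security
# guidelines; the regexes are this example's guess at how they appear in config.
RULES = [
    ("reserved", r"\bcgna\b", "changes CGNA configuration"),
    ("reserved", r"\busername\s+(admin|operator)\b", "touches the admin/operator user"),
    ("reserved", r"\btrack\s+(2|4)\b", "touches tracking object 2 or 4"),
    ("reserved", r"\bGWIPS\b", "touches ACL GWIPS"),
    ("reserved", r"base-ir800\.cfg", "touches base-ir800.cfg"),
    ("avoid", r"\b(Flex_IKEv2|CVPN_I2PF)\b", "touches a reserved profile name"),
    ("avoid", r"\b(RM_Tu2|RM_WAN_ACL)\b", "touches a reserved route-map"),
    ("avoid", r"\bNAT_ACL\b", "touches ACL NAT_ACL"),
    ("security", r"\busername\s+\S+.*\bprivilege\s+15\b", "local user at privilege 15"),
    ("security", r"\busername\s+\S+.*\bpassword\s+(?!\$\{custom\.)\S+",
     "password written into the template text"),
    ("security", r"^\s*ip\s+http\s+(secure-)?server\b", "starts an HTTP service"),
    ("security", r"^\s*tftp-server\b", "starts a TFTP service"),
    ("security", r"^\s*permit\s+\S+\s+any\s+any\b", "permit from any source to any destination"),
]

def lint_template(text):
    """Return (line number, severity, message) for every rule a line matches."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("!"):      # IOS comment line
            continue
        for severity, pattern, message in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((number, severity, message))
    return findings

def must_fix(findings):
    """Lines that break a 'Do not' guideline and should block the template."""
    return sorted({number for number, severity, _ in findings if severity == "reserved"})

# Constructed sample: the page's example commands plus lines added to trip the rules.
SAMPLE = """\
username lab privilege 15 password test1234
ip nat inside source static tcp ${gw.gos_ip} 9443 interface ${gw.wan_if} 9443
ip access-list extended filter-internet
 permit tcp any any eq 9443
ip access-list extended GWIPS
 permit ip any any
username ops privilege 5 password ${custom.ops_password}
"""
```

A "security" finding is a prompt for review, not a verdict: the port 9443 entry from the page's own example is reported so that the reviewer confirms the exposure is intended.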

FreeMarker template syntax and rules

Overview

Advanced templates are comprised of standard Cisco IOS configurations. To include any variables or other programming constructs (such as "If Else" conditions, loops, etc.), create Advanced Templates using the Apache FreeMarker™ template engine's FreeMarker Template Language (FTL). See the Apache FreeMarker Manual for complete information.

Advanced templates can also include variable definitions. Values for the variables can be provided as needed. The Fixed per Gateway option allows the variables to be defined for each gateway that is claimed.

Supported template variables

You can use 2 types of variables in your FTL template syntax:

  • Predefined variables - These variables are available in GMM and can be used in the Advanced Templates. These are described in the following table.
  • Custom variables - These variables can be specified while defining the Advanced Template. Custom variables must be prefixed with the keyword "custom." (for example: custom.ip_address).
    Note: Custom variables defined in the Advanced Templates will be automatically detected by GMM and the values for these variables can be defined when applying Advanced Templates to the gateways.

Predefined variables

The following predefined variables can be used in advanced templates.

Variable | Description | Example
gw.sn | The gateway serial number | FGL211223DF
gw.model | The gateway model | IR829GW-LTE-GA-EK9
gw.wan_if | The gateway's WAN interface, such as GigabitEthernet0 or Cellular0 | Cellular0
gw.wan_if_sec | (Dual LTE only) The gateway's secondary WAN interface | Cellular1/0
gw.subnet | The subnet for the gateway's 32 IPs (a /27 address) | 10.9.18.32
gw.netmask | The gateway's 32 IP subnet | 255.255.255.224
gw.ip | The gateway's IPv4 address | 10.9.18.33
gw.ip_prefix | The first 3 octets of the gateway IP address, separated by ".". This makes calculating IPs easier. | 10.9.18
gw.ip_suffix | The last octet of the gateway IP address | 33
gw.gos_ip | The gateway's GuestOS IP address | 10.9.18.34
gw.lan_if | The gateway's LAN interface name, such as "Gi1" or "Vlan1", depending on the model | Gi1
gw.lan_ip | The gateway's LAN IP address | 10.9.18.49
gw.lan_subnet | The gateway's LAN subnet mask | 10.9.18.48
gw.lan_netmask | The gateway's LAN netmask | 255.255.255.240
gw.lan_wildcard | The gateway's LAN wildcard. This is the negative of lan_netmask for ACL | 0.0.0.15
gw.vpn.pri.ip | The Site-to-Site VPN's peer IP address (primary) | 172.28.1.11
gw.vpn.sec.ip | The Site-to-Site VPN's peer IP address (secondary) | 172.28.1.12

Advanced template syntax examples

The following advanced template examples include IOS configuration commands along with the FreeMarker FTL syntax and variables.

Example router template

The following example uses a supported GMM variable:

ip nat inside source static tcp ${gw.gos_ip} 9443 interface ${gw.wan_if} 9443
ip access-list extended filter-internet
permit tcp any any eq 9443

When the template is applied to the gateway, the following IOS configuration is generated from the above template:

ip nat inside source static tcp 10.9.18.34 9443 interface Cellular0 9443
ip access-list extended filter-internet
permit tcp any any eq 9443

Example AP template

The following example uses a custom variable, which uses the prefix "custom.".

interface Dot11Radio0
power local ${custom.power_level}

When the template is applied to the gateway, the following AP configuration is generated from the above template if the user provides 12 as the value for power_level:

interface Dot11Radio0
power local 12
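
A pre-flight check for the `${...}` references used in the two examples above, written as an added example that is not part of GMM or of the original page. It is a minimal stand-in for FreeMarker that handles plain `${name}` interpolation only (directives and built-ins are left untouched); the predefined names and sample values are copied from the table on this page, while `classify`, `render` and the one-token rule for custom values are assumptions of this example.

```python
import re

# Names and example values copied from the predefined-variable table on this page.
PREDEFINED = {
    "gw.sn": "FGL211223DF", "gw.model": "IR829GW-LTE-GA-EK9",
    "gw.wan_if": "Cellular0", "gw.wan_if_sec": "Cellular1/0",
    "gw.subnet": "10.9.18.32", "gw.netmask": "255.255.255.224",
    "gw.ip": "10.9.18.33", "gw.ip_prefix": "10.9.18", "gw.ip_suffix": "33",
    "gw.gos_ip": "10.9.18.34", "gw.lan_if": "Gi1", "gw.lan_ip": "10.9.18.49",
    "gw.lan_subnet": "10.9.18.48", "gw.lan_netmask": "255.255.255.240",
    "gw.lan_wildcard": "0.0.0.15", "gw.vpn.pri.ip": "172.28.1.11",
    "gw.vpn.sec.ip": "172.28.1.12",
}
ANY_REF = re.compile(r"\$\{\s*([A-Za-z_][\w.]*)")          # leading name of any ${...}
PLAIN_REF = re.compile(r"\$\{\s*([A-Za-z_][\w.]*)\s*\}")   # ${name} with nothing else

def classify(template):
    """Sort every referenced name into predefined, custom or unknown."""
    found = {"predefined": set(), "custom": set(), "unknown": set()}
    for name in ANY_REF.findall(template):
        if name in PREDEFINED:
            kind = "predefined"
        elif name.startswith("custom.") and len(name) > len("custom."):
            kind = "custom"
        else:
            kind = "unknown"   # typo, or a custom variable missing its prefix
        found[kind].add(name)
    return found

def render(template, custom_values):
    """Preview the rendered config; raise instead of emitting a bad line."""
    values = dict(PREDEFINED)
    for key, value in custom_values.items():
        value = str(value)
        # Example's own rule: one token per value, so a value cannot add lines.
        if not value or any(ch.isspace() for ch in value):
            raise ValueError(f"custom.{key}: value must be one non-empty token")
        values["custom." + key] = value
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for ${{{name}}}")
        return values[name]
    return PLAIN_REF.sub(substitute, template)

# The two templates shown on this page.
ROUTER_TEMPLATE = "ip nat inside source static tcp ${gw.gos_ip} 9443 interface ${gw.wan_if} 9443\n"
AP_TEMPLATE = "interface Dot11Radio0\npower local ${custom.power_level}\n"
```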

Create and apply Advanced Templates

Create advanced templates

  1. Go to Gateway > Templates and click the Advanced templates tab.
  2. Click Add Advanced template.
  3. Enter the template settings:
    • Name—The name that appears in the GMM UI.
    • Description—The purpose or result of the template.
    • Type—Select AP or Router to determine the configuration the template is applied to.
    • Template—The template syntax in FTL described in the Apache FreeMarker Manual.
  4. Variables—The custom variables defined in the template will be auto detected and displayed. Select the template type such as text, password or dropdown. Note: The predefined variables will not be listed here.
  5. Click Save.

Enable the Advanced template in a Standard template

The advanced template settings are only applied after the standard template settings are successfully configured on the gateway.

Create or edit a Gateway template.

  1. Next to Advanced Router Template, select Enable.

  2. Choose one of the following options to decide when to provide values for the template variables:

    • Select Fixed for all Gateways to enter the template variables now. The settings will be applied when the gateways are claimed, and will be the same for all gateways.
    • Select Distinct per Gateway to allow users to enter unique variable values for each gateway after it is claimed.
  3. Select the template name from the drop-down list.

    If you select Fixed for all Gateways, enter the values for the template variables (if the template included variables). If your model is any model except IR829, go to Step 7.

  4. Next to Advanced AP Template, select Enable.

  5. Choose one of the following to decide when to provide values for the template variables:

    • Select Fixed for all Gateways to enter the template variables now. The settings will be applied when the gateways are claimed.
    • Select Distinct per Gateway to allow users to enter unique variable values for each gateway after it is claimed.
  6. Select the template name from the drop-down list.

    If Fixed for all Gateways was selected, enter the values for the template variables (if the template included variables).

  7. Complete the other template settings and click Save.

Specifying variables for Distinct per Gateway option

  1. Select Gateway > Gateways and select the Monitor tab.
  2. Select a gateway checkbox.
  3. Click the Networking tab > Advanced Configuration > Advanced Router Templates.
  4. If the gateway model is IR829, the Advanced AP Templates option is also available under the Networking tab > Advanced Configuration.
  5. Enter the variable value(s).
  6. Click Save.
