Cisco WLC 9800 - Working with Tags and Profiles

In this article, we take a look at the building blocks of Catalyst 9800 WLAN Controllers configuration, which is very different from the older AireOS WLAN Controllers, and how to organize your configuration in such a way that makes it easier to work with over time.

Introduction

This article is going to quickly go through the concept of Tags and Profiles in Cisco’s 9800 WLAN Controller platform and how they are connected. Plenty of documentation exists that explains how to configure each of these pieces, but the purpose of this article is mostly to give a broader view and paint a picture of the overall structure.

About Tags and Profiles

In the older Cisco WLCs running AireOS, configuration for access points was simply done using AP Groups and RF Profiles. The AP Group would control which SSIDs were available and which VLAN(s) they connect to, while the RF Profile would configure custom radio frequency settings to tweak the wireless environment to your needs. When using access points in FlexConnect mode, you would also need to configure a FlexConnect Group for WLAN-to-VLAN mappings.

This configuration approach has been completely re-done in the newer Cisco 9800 WLCs running IOS-XE, and the configuration has been broken down into several smaller pieces to allow for a more modular configuration that can be tweaked specifically per location or use case.

Unfortunately, the web UI of the Cisco WLC 9800 where all of this comes together could use some work, as it is perhaps not presented in the best way as all of these components are just thrown together in the same place.

Sure, there is both a Basic and an Advanced Wizard (not pictured) to get you most of the way there, but if you need to tweak some configuration later on, outside the wizard, you need to know where to look.

What you need to know, is that each piece of configuration is contained within a Profile, which is then added to Tags, which are then applied (or “tagged”) to the access points themselves.

Hopefully, the image below adds some clarity to things. Here, you can see some of the most interesting pieces of configuration found in each Profile and which Tag they are mapped to.

To see a more detailed description of which configuration is contained in each Profile, check out the link below for Cisco’s documentation.

Cisco.com - Understand Catalyst 9800 Wireless Controllers Configuration Model

With that said, let’s move on to some tips for properly structuring your configuration.

Standardizing Tags and Profiles Names

With so many small building blocks of configuration in the newer WLCs, it is very important to name each Profile and Tag in such a way that it is easy for you to decipher which component is responsible for which configuration and where to edit each of this blocks, should the need arise.

Continuing from the earlier image, it would be wise to introduce either a prefix or suffix to all of your different Tags and Profiles to keep them distinguisalbe form each other and easier to find, especially in case you need to dive into the CLI and look at the configuration in there.

One common mistake is that the network administrator simply starts putting names on these Tags and Profiles as they go without any long-term thinking, meaning you could end up with a configuration that is hard to understand for both themselves and outsiders.

For example, if your organization has a corporate headquarter it might be “easy” for the network administrator to call every single Tag and Profile the same, “ACME-HQ”. This quickly becomes hard to work with since it kind of unnecessarily cripples your ability to read and understand the configuration as a whole, simply because everything has the same name, regardless of what that Tag or Profile actually signifies.

However, if you instead go with the standard of adding a short prefix to each component, it will be much easier to recognize each component and what they are used for.

For example, all of your Tags and Profiles used at your corporate headquarter could look something like below.

Sometimes it makes sense to reuse certain Tags or Profiles if their settings can be applied to many different sites (location), but always try to think twice before spreading out a Tag or Profile between different places, so you don’t end up having to redo them/create new ones later when you want to change some small parameter for a specific site.

Depending on if you are using FlexConnect or central switching (or a mix of both), some Tags and Profiles might be easier to reuse in many places. For example, in the image above the Policy Tag is named “PT-ACME-Standard” because it could work in many different places where WLANs and their Policy Profiles are very standardized.

Avoid using Default Profiles and Tags

Just a short note on this, but it’s probably a good idea to stay away from the default Profiles and Tags that exist on the WLC from the very start and instead focus on creating your own Profiles and Tags.

Historically, there were some performance disadvantages to things like the default Site Tag, because it could impact roaming behavior due to how the WLC handled AP and their clients inside of the WLC processing daemons. While some work has been done on this front to improve this, it is still recommended to use customs tags (especially Site Tags) in general.

This allows you to learn where each piece of this modular configuration fits in and gives you a proper chance to review all these configurations yourself. When leaving configuration to default values, things can sometimes go wrong.

References

Understand Catalyst 9800 Wireless Controllers Configuration Model

CYBERSECURITY & NETWORKING BLOG