The Cisco Catalyst 9800 utilizes tags and profiles for granular control over AP capabilities. When there are multiple sites and a centralized wireless LAN controller in a data center, FlexConnect is often the configuration of choice. Rather than tunneling all data over a WAN and through a data center, client traffic can exit at the access point and be switched locally on the switch.
As part of configuring access points for FlexConnect in the Catalyst 9800, there is a new configuration model. Each access point is assigned a Policy Tag, Site Tag, and RF Tag. These tags will set the parameters for what we’re trying to achieve.
The Policy tag includes two profiles: the WLANs to broadcast, each tied to a Policy Profile that specifies parameters such as the VLAN ID, whether you’re using central or local switching, etc.
The Site tag has two profiles associated with it, the Flex Profile and the AP Join Profile. This is where an AP is designated to be in local mode or in flex mode. If the Local Site State check box is disabled, the AP is in flex mode.
The AP Join Profile defines parameters such as CAPWAP timers, SSH, backup WLC, etc.
The RF tag is what was previously known as RF Profiles in AireOS. Parameters such as data rates are configured for 2.4 GHz and 5 GHz.
Configure the WLAN
Configuration > Tags & Profiles > WLANs
Click on the Add button and configure the new WLAN
Configure Security for the WLAN
If needed, configure the Advanced settings. Then click on Apply to Device.
Configure the AP Join Profile
Configuration > Tags & Profiles > AP Join
There’s a default profile already there but we’ll configure a new one. If you’d like granular control over the configuration in the long term then I suggest configuring individual profiles and tags for different sites.
Click Add to set up a new AP Join Profile. If you have a different NTP server per site, then this is where you can configure it, in the General tab.
If you need to adjust the TCP MSS, it can be done under the Client tab.
Under the CAPWAP tab, a Primary and Secondary controller can be configured along with CAPWAP settings for High Availability.
In the Management tab, you can define SSH and user management credentials for the APs.
Everything else I’ll leave as default and click on Update & Apply to Device.
Configure the Flex Profile
Configuration > Tags & Profiles > Flex
This is where we configure our FlexConnect settings. Click on the Add button to add a new Flex Profile. In the General section, give it a good name and description.
Enable Efficient Image Upgrade – One AP will become the primary to download the AP image from the controller over a WAN. The other “subordinate” APs will download the image from the primary AP. This reduces the amount of time it takes for APs to download the image by going over the LAN to the primary AP rather than all APs downloading an image over the WAN.
Set the Native VLAN ID if you want your APs to be on a specific VLAN.
The other tab I’m going to configure is under VLAN. This is where we map our SSIDs to a local VLAN in FlexConnect mode. Then click Apply to Device.
Configure the Policy Profile
Configuration > Tags & Profiles > Policy
The Policy Profile gets combined with the WLAN to create a Policy Tag. For this reason, I recommend configuring a separate Policy Profile for each WLAN. But it is possible to use the same Policy Profile with multiple WLANs.
Click the Add button to modify the General tab of the policy. Give a descriptive name and description. Switch the button for Status to enabled.
In this tab, I’m focusing on a FlexConnect configuration. The main setting for me is disabling Central Switching so client traffic is not tunneled back to the C9800.
Under the Access Policies tab, configure any ACLs required. I add the VLAN for this WLAN under the VLAN section. If this VLAN does not match the VLAN configured in the Flex Profile, the VLAN number in the Policy Profile will override the VLAN configured in the Flex Profile.
Configure any QoS and AVC settings you may require and under Mobility you have the ability to configure a Mobility Anchor.
Under the Advanced tab, we can configure settings such as Session and Idle timeouts, mDNS Service Policy, AAA policies, Air Time Fairness and more. Click Apply to Device.
Configure RF Profiles
Configuration > Tags & Profiles > RF
The RF Profiles are the same as RF Profiles we dealt with in AireOS. Look over the default RF Profiles and if needed, create your own by clicking on the Add button.
Let’s pretend I have a specific use case for an RF Profile in my HQ site. I’ll start with the 5 GHz band.
In the 802.11 section, I can disable data rates I do not want.
RRM has a lot of options available. These settings vary between environments. Make your choices wisely but I always recommend tuning it from the default settings, especially TPC and DCA. Under Advanced, you can enable/disable Air Time Fairness and other settings. Click Apply to Device and create an RF Profile for 2.4 GHz.
Create a Policy Tag
Configuration > Tags & Profiles > Tags
Click on the Add button to create a new Policy Tag. This is where we add our WLAN and our Policy Profile together. Under WLAN-POLICY, click the Add button.
On the left dropdown, select the SSID you’d like to broadcast. On the right dropdown, select the correct Policy Profile for that SSID. Then click the checkmark. Continue adding the WLANs you need broadcasted with their Policy Profile. Then click Apply to Device.
Create a Site Tag
Configuration > Tags & Profiles > Site
The Site tag is used to group APs in the same geographic area. This could be an office, a building, a floor of a building, or whatever you determine to be a site.
Click on the Add button. Aside from the name and description, select the AP Join Profile we had created earlier. Because we’re configuring this site to be in FlexConnect mode, we have to uncheck Enable Local Site. This will expose the Flex Profile dropdown where we select our previously configured HQ Flex Profile.
Leaving Enable Local Site checked places the AP in local mode. Click Apply to Device.
Create an RF Tag
Configuration > Tags & Profiles > Tags
Next, we will configure an RF tag for our HQ site with the 2.4 and 5 GHz RF Profiles we created earlier. Click the Add button and select the RF Profiles we created. Then click Apply to Device.
Adding Tags to APs
Configuration > Tags & Profiles > Tags or Configuration > Access Points
After all that configuration, we come to the point where we can finally tag the APs with everything we’ve configured. If you have APs connected, they are probably using the default tags and profiles.
There are two locations to tag Access Points. Either in the Tags section or directly on the access point configuration.
Once the tags are applied to the access point you should see the AP mode change and have the correct tags applied. I should see the AP on the correct subnet as well.
A neat way to see what’s configured on the AP is by clicking on the blue icon near the AP name. This is the AP Operational Configuration Viewer.
Here you can verify what configuration is applied to the AP.
Next, test connectivity.
It was a long tutorial but I wanted to cover configuration from the beginning. To further validate connectivity, you should be able to see the device’s MAC address on the switch port where the AP is connected, on the correct VLAN.
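The GUI steps above correspond roughly to the following IOS-XE CLI on the C9800. This is an added example, not configuration from the original post: the profile and tag names, VLAN IDs 10 and 20, and the AP MAC aaaa.bbbb.cccc are constructed placeholders, and WLAN security is left out because the post does not state which settings were used.

```cisco
! Added example. Names, VLAN IDs and the AP MAC are constructed placeholders.
configure terminal
! WLAN: profile name, WLAN ID, SSID (security settings not shown)
wlan HQ-Corp 1 HQ-Corp
 no shutdown
! AP Join Profile
ap profile HQ-AP-Join
 description "HQ AP join profile"
 ssh
! Flex Profile: efficient image upgrade, native VLAN, local VLAN for the WLAN
wireless profile flex HQ-Flex
 description "HQ FlexConnect profile"
 predownload
 native-vlan-id 10
 vlan-name VLAN0020
  vlan-id 20
! Policy Profile: central switching off, VLAN matching the Flex Profile mapping
wireless profile policy HQ-Corp-Policy
 description "HQ-Corp locally switched"
 no central switching
 vlan 20
 no shutdown
! RF Profiles for each band
ap dot11 5ghz rf-profile HQ-5GHz
 no shutdown
ap dot11 24ghz rf-profile HQ-24GHz
 no shutdown
! Policy Tag: WLAN + Policy Profile
wireless tag policy HQ-Policy-Tag
 wlan HQ-Corp policy HQ-Corp-Policy
! Site Tag: "no local-site" is the CLI form of unchecking Enable Local Site
wireless tag site HQ-Site-Tag
 ap-profile HQ-AP-Join
 no local-site
 flex-profile HQ-Flex
! RF Tag
wireless tag rf HQ-RF-Tag
 24ghz-rf-policy HQ-24GHz
 5ghz-rf-policy HQ-5GHz
! Tag the AP by its Ethernet MAC address
ap aaaa.bbbb.cccc
 policy-tag HQ-Policy-Tag
 site-tag HQ-Site-Tag
 rf-tag HQ-RF-Tag
end
! Verify the tags on the AP and the switching mode of the policy
show ap tag summary
show wireless profile policy detailed HQ-Corp-Policy
```

Changing the tags on an AP makes it drop and re-establish its CAPWAP connection to the controller, so expect a brief outage on that AP when the tags are applied.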