
If you have worked with the Cisco 9800, you may already know that it uses a new configuration model built around the 3 tags listed below.

  1. Policy Tag
  2. Site Tag
  3. RF Tag

Each AP needs a value for all 3 tags to work. By default, an AP registered to a 9800 gets the pre-defined “default-policy-tag”, “default-site-tag” & “default-rf-tag”.

If you come from an AireOS configuration background, trying to map this new concept between AireOS & IOS-XE creates more confusion, as there is no 1:1 mapping. The best way to understand this new concept is therefore to think fresh.

When designing a large-scale WiFi network with the Cisco 9800, it is important to understand these 3 tag values and how significant they are for the overall design. In this post, I will cover some of those points. Each of those tag values inherits certain profile configurations, so you need to start with those profile configurations first. The list below shows which profiles are mapped to which tag value.

  1. Policy Tag (WLAN Profile & Policy Profile)
  2. Site Tag (AP Join Profile & Flex Profile)
  3. RF Tag (RF Profiles – 2.4GHz, 5GHz & 6GHz)

Here is the basic description of each profile type available in 9800

WLAN Profile – Define SSID with Security settings & WLAN specific advanced settings
Policy Profile – Switching, Access, QoS, Anchoring policy & associated advanced settings
AP Join Profile – AP specific configurations (timers, credentials, Syslog, rogue, etc.)
Flex Profile – FlexConnect specific configurations
RF Profile – RF specific config (RRM, DCA, TPC, Data Rates, HDX setting)

If you come from an AireOS background, you will notice there are no “AP Group” or “FlexConnect Group” concepts in 9800. However, those functionalities can be implemented using those tags & profiles. Here are some key considerations specific to those tags.

“Policy Tag” Considerations
In AireOS WLCs, by using “AP Group” you control where a given SSID is advertised, which interface is mapped to the WLAN, or which RF specific parameters those APs get. In IOS-XE (or 9800), a “Policy Tag”, which includes a “WLAN Profile” & a “Policy Profile”, achieves a similar goal. In that sense, “Policy Tag” in 9800 is similar to “AP Group”, though there is no 1:1 mapping of configuration settings.

When you assign a “policy-tag”, it is always recommended to use the same “policy-tag” for the APs where you require fast roaming (without going through full 802.1X authentication when the client moves from one AP to another). Starting with 17.3.x, Cisco introduced the “wireless client vlan-persistent” CLI command to allow seamless roaming across different policy profiles.

“Site Tag” Considerations
In AireOS, you configure most of the FlexConnect specific configurations under “FlexConnect Group”. With 9800 these configurations are under “Flex Profile”. If you need a different set of AP specific configurations, then you need different “AP Join Profiles”. These two profiles map into the “Site Tag”. In addition to these profile mappings, site tags play a key role in AP distribution among controller processes (WNCd, the Wireless Network Controller daemon). Depending on the 9800 platform you have, the number of WNCd will be different. The table below summarizes it.

You can use the “show processes platform | in wncd” CLI command on your 9800 to verify it. Here is the output from a 9800-80 & a C9800-CL:

C9800-80#show processes platform | in wncd
 21413   21034  S           324548  wncd_0                
 21648   21225  S           327296  wncd_1                
 21857   21455  S           334332  wncd_2                
 22101   21684  S           323372  wncd_3                
 22330   21914  S           400908  wncd_4                
 22548   22143  S           329528  wncd_5                
 22750   22372  S           328444  wncd_6                
 22868   22601  S           325080  wncd_7                

C9800-CL#show processes platform | in wncd
 17028   16745  S           178500  wncd_0

So what’s the concern with “Site Tag” configuration? There is a “default-site-tag” pre-defined in the 9800, and unless you configure a custom site tag & assign it to APs, all your APs will belong to “default-site-tag”. APs with “default-site-tag” are load-balanced across the WNCd available in your 9800 platform (only applicable to 9800-80, 9800-40, 9800-CL medium & large). In this scenario, if a client roams between two adjacent APs, that will result in an inter-WNCd roam (which is not ideal). Even though fast roaming (11r) works, there won’t be 802.11k/v information shared among WNCd. This limitation has been removed from the 17.6.x release onwards.

The other important consideration is the number of APs recommended by Cisco per WNCd. The general recommendation is around 500 APs per site tag (per WNCd), and it is not recommended to exceed the max limit of 1600 (9800-80, 9800-CL medium & large) or the max limit of 800 for 9800-40 controllers. Therefore, if you have a large-scale deployment (e.g. 3K APs), you have to think about how you distribute these APs among WNCd. Assuming you use a 9800-80, where you have 8 WNCd, it is a good idea to have 8 “site tags” (if you can divide your entire area into 8 roaming domains, with each area holding a roughly equal share of 300-400 APs per “site tag”). You can have more than 8 “site tags”; then site-tags 1 to 8 go to WNCd 0-7, site-tag 9 goes to WNCd 0 & so on. If you are using a 9800-40, it is better to have 5 “site tags” or a multiple of 5. Here is a basic diagram that shows that AP distribution.
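
The sizing rules in the paragraph above, worked through as an added example (not code from the original post or from Cisco). The round-robin placement models the post's description rather than captured controller behaviour, the WNCd count of 5 for the 9800-40 is inferred from the "multiple of 5" advice, and `plan_site_tags` and the `PLAN` data are hypothetical names and constructed values.

```python
from collections import defaultdict

RECOMMENDED_APS_PER_TAG = 500                          # general recommendation in the text
MAX_APS_PER_TAG = {"9800-80": 1600, "9800-40": 800}    # max limits quoted in the text
WNCD_COUNT = {"9800-80": 8, "9800-40": 5}              # 5 is inferred, see lead-in


def plan_site_tags(platform, site_tags):
    """Place site tags on WNCd instances in order and check the AP limits.

    site_tags is an ordered list of (tag_name, ap_count).
    Returns (aps_per_wncd, wncd_per_tag, warnings).
    """
    wncd_count = WNCD_COUNT[platform]
    max_aps = MAX_APS_PER_TAG[platform]
    load = defaultdict(int)
    placement, warnings = {}, []
    for index, (tag, aps) in enumerate(site_tags):
        wncd = index % wncd_count          # tags 1..N -> WNCd 0..N-1, then wrap to 0
        placement[tag] = wncd
        load[wncd] += aps
        if aps > max_aps:
            warnings.append(f"{tag}: {aps} APs exceeds the {max_aps} maximum")
        elif aps > RECOMMENDED_APS_PER_TAG:
            warnings.append(
                f"{tag}: {aps} APs is above the recommended {RECOMMENDED_APS_PER_TAG}")
    if len(site_tags) % wncd_count:
        warnings.append(
            f"{len(site_tags)} site tags is not a multiple of {wncd_count} WNCd, "
            "so the load will be uneven")
    return dict(load), placement, warnings


# Constructed plan: 3000 APs split into 9 roaming domains on a 9800-80.
PLAN = [(f"st{n}", 350) for n in range(1, 9)] + [("st9", 200)]

if __name__ == "__main__":
    load, placement, warnings = plan_site_tags("9800-80", PLAN)
    for wncd in sorted(load):
        tags = [t for t, w in placement.items() if w == wncd]
        print(f"wncd_{wncd}: {load[wncd]:4d} APs  {', '.join(tags)}")
    for warning in warnings:
        print("WARNING:", warning)
```

With the ninth site tag wrapping back to WNCd 0, that instance carries two roaming domains while the other seven carry one each.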

If you need to verify which custom “site tag” APs go into which WNCd, then you can use the “sh wireless loadbalance tag affinity wncd {0-7}” CLI command to verify it. In my example I only had two custom “site tags” & certain APs had “default-site-tag”.

9800-80#sh wireless loadbalance tag affinity wncd ?
  <0-7>  Enter wncd instance number

9800-80#sh wireless loadbalance tag affinity wncd 0
9800-80#sh wireless loadbalance tag affinity wncd 1
9800-80#sh wireless loadbalance tag affinity wncd 2
9800-80#sh wireless loadbalance tag affinity wncd 3
9800-80#sh wireless loadbalance tag affinity wncd 4
Tag                       Tag type             No of AP's Joined    
-----------------------------------------------------------------
st2-bun-drs               SITE TAG              156                  

9800-80#sh wireless loadbalance tag affinity wncd 5
Tag                       Tag type            No of AP's Joined    
-----------------------------------------------------------------
st3-bun-outer             SITE TAG               1                    

9800-80#sh wireless loadbalance tag affinity wncd 6
9800-80#sh wireless loadbalance tag affinity wncd 7

You can get the details of the APs joined to each WNCd by using the “sh wireless loadbalance ap affinity wncd {0-7}” CLI command. Note that “default-site-tag” APs are automatically distributed among all available WNCd.

9800-80#sh wireless loadbalance ap affinity wncd 0
AP Mac         Discovery Timestamp      Join Timestamp            Tag            
---------------------------------------------------------------------------------
04eb.409e.6120 06/28/22 07:42:56        06/28/22 07:42:56        default-site-tag
6c71.0df2.616c 06/28/22 07:42:56        06/28/22 07:42:56        default-site-tag

9800-80#sh wireless loadbalance ap affinity wncd 1
AP Mac         Discovery Timestamp      Join Timestamp            Tag            
---------------------------------------------------------------------------------
a4b2.3904.60ac 06/28/22 07:42:56        06/28/22 07:42:56        default-site-tag
a4b2.3906.026c 06/28/22 07:42:56        06/28/22 07:42:56        default-site-tag
.
.
.
.
9800-80#sh wireless loadbalance ap affinity wncd 4
AP Mac         Discovery Timestamp      Join Timestamp            Tag            
---------------------------------------------------------------------------------
6c71.0df2.53b0 06/28/22 07:42:57        06/28/22 07:42:57        st2-bun-drs        
a4b2.3904.07bc 06/28/22 07:42:57        06/28/22 07:42:57        st2-bun-drs         
a4b2.3904.0bd0 06/28/22 07:42:57        06/28/22 07:42:57        st2-bun-drs      
a4b2.3904.0c08 06/28/22 07:42:57        06/28/22 07:42:57        st2-bun-drs         

9800-80#sh wireless loadbalance ap affinity wncd 5
AP Mac         Discovery Timestamp      Join Timestamp            Tag            
---------------------------------------------------------------------------------
00a7.42e8.41f8 06/28/22 07:42:56        06/28/22 07:42:56        st3-bun-outer   
a4b2.3904.0be4 06/28/22 07:42:56        06/28/22 07:42:56        default-site-tag
a4b2.3904.3e60 06/28/22 07:42:56        06/28/22 07:42:56        default-site-tag
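
One way to audit that output for site tags whose APs are split across WNCd instances, as an added example that is not part of the original post. The function names are hypothetical, and `SAMPLE` is trimmed from the output shown above.

```python
import re
from collections import defaultdict

# Matches the prompt line, with "sh" or "show", and captures the WNCd number.
PROMPT = re.compile(
    r"#\s*sh\S*\s+wireless\s+loadbalance\s+ap\s+affinity\s+wncd\s+(\d+)")
MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)

# Trimmed copy of the CLI output shown above.
SAMPLE = """\
9800-80#sh wireless loadbalance ap affinity wncd 0
AP Mac         Discovery Timestamp      Join Timestamp            Tag
04eb.409e.6120 06/28/22 07:42:56        06/28/22 07:42:56        default-site-tag
6c71.0df2.616c 06/28/22 07:42:56        06/28/22 07:42:56        default-site-tag
9800-80#sh wireless loadbalance ap affinity wncd 4
6c71.0df2.53b0 06/28/22 07:42:57        06/28/22 07:42:57        st2-bun-drs
a4b2.3904.07bc 06/28/22 07:42:57        06/28/22 07:42:57        st2-bun-drs
9800-80#sh wireless loadbalance ap affinity wncd 5
00a7.42e8.41f8 06/28/22 07:42:56        06/28/22 07:42:56        st3-bun-outer
a4b2.3904.0be4 06/28/22 07:42:56        06/28/22 07:42:56        default-site-tag
"""


def tags_by_wncd(cli_text):
    """Return {site_tag: {wncd_number: ap_count}} from pasted CLI output."""
    spread = defaultdict(lambda: defaultdict(int))
    wncd = None
    for line in cli_text.splitlines():
        prompt = PROMPT.search(line)
        if prompt:
            wncd = int(prompt.group(1))
            continue
        fields = line.split()
        # AP rows: MAC, two date/time pairs, then the site tag.
        if wncd is not None and len(fields) == 6 and MAC.match(fields[0]):
            spread[fields[5]][wncd] += 1
    return {tag: dict(counts) for tag, counts in spread.items()}


def split_tags(spread):
    """Site tags whose APs sit on more than one WNCd (inter-WNCd roaming)."""
    return sorted(tag for tag, counts in spread.items() if len(counts) > 1)


if __name__ == "__main__":
    result = tags_by_wncd(SAMPLE)
    for tag, counts in sorted(result.items()):
        print(f"{tag:20s} {counts}")
    print("split across WNCd:", split_tags(result))
```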

When it comes to FlexConnect, “default-site-tag” does not support key caching among the APs. Therefore you must use a custom “site tag” for a FlexConnect deployment. The maximum number of APs per site tag is 100 (with 17.8.x you can increase this up to 300). It is recommended to use a unique “site tag” name for each FlexConnect site, as sharing keys among APs at different sites does not make sense.

“RF Tag” Considerations
The RF Tag maps RF profile configurations. It is relatively easy to understand if you have worked with “RF Profile” in AireOS. One thing to remember: if you assign an RF profile name that has not been created on the 9800, the AP radio will not come up.

References
If you want to understand the 9800 in great detail, then get a copy of this book (I highly recommend it). It was published in June 2022, so the information covers features up to IOS-XE release 17.8.x. Look up the authors and you will find many useful talks from them among the Ciscolive presentations, another great free resource for your learning.

If you are interested in more 9800-specific training & lab guides, we have developed a lot of content here at WiFiTraining. Have a look at this list & try it out.


Additional References
1. Cisco 9800 configuration best practices
2. Cisco 9800 – Configuration Examples & Technotes