Demystifying the Cisco Catalyst 9800 Configuration Model
In This Insight
In this design validation lab, WWT Solutions and Mobility Discipline Lead, Chris Radford (CCIE #59150 [Wireless], CWNE #144, ECSE #162, ACMP), performed a migration from the Cisco AireOS to the Cisco Catalyst 9800 Wireless LAN Controller, tackling challenges associated with the new operating system and configuration model.
After examining and comparing the components of the AireOS configuration model against that of the new Catalyst 9800, we found many similarities that should make migration and management smoother; however, the Catalyst configuration model provides more flexibility and modularity once properly understood. Plus, the Catalyst 9800 solution design is based on the familiar IOS XE operating system, which will allow for a more uniform device interface across the network.
This validation exercise gave us a deeper comprehension of the Catalyst 9800 functionalities and helped us understand how to best approach the new configuration model; as a result, we are now able to simplify adoption, reduce error and downtime during the transition, and more quickly take advantage of the enhanced capabilities offered by the Catalyst 9800 Wireless LAN Controller.
Comparing and Contrasting AireOS to Cisco Catalyst 9800
Let's review the AireOS configuration model to draw parallels between the various configuration constructs of the legacy configuration model and the Catalyst 9800 configuration model.
The administrator will likely need to configure the following constructions to get a wireless network operational using the Cisco AireOS wireless architecture:
- WLANs: Define the number of SSIDs, and the general and security settings for each.
- AP Groups: Specify the WLANs that each AP will advertise.
- FlexConnect Groups: Define the site-specific settings for FlexConnect WLANs where applicable.
- RF Profiles: Define the RF behavior for one or more APs within an AP Group.
Updated Constructs in Cisco Catalyst 9800
Here are just a few of the changes from AireOS to Cisco Catalyst 9800:
- The Catalyst 9800 wireless solution now consists of Profiles and Tags used to implement the wireless network.
- There are no AP Groups or FlexConnect Groups.
- The WLAN Profile is missing many settings administrators are familiar with.
The following section will provide a high-level overview of the new configuration model before exploring each section in further detail.
Catalyst 9800 Overview
The building blocks for all configuration now reside in Profiles, as illustrated below. There is also now a concept of a Tag that is applied to an AP to associate a configuration Profile with that AP.
The diagram above refers to each "pillar" as a Policy while at the same time containing a Policy Profile and a Policy Tag. In an attempt to minimize confusion, this document will replace the word "Policy" when referring to a particular pillar and instead use the word "Configuration" (e.g. Site Configuration).
The diagram also indicates that the Site Configuration and Radio Policy Configuration are optional. While this is true, and defaults will suffice to implement a wireless network quickly, we recommend defining custom values for the Profiles and Tag within each configuration pillar.
Note: There can be only one tag from each configuration pillar applied to an AP at any given time.
The WLAN Configuration pillar consists of the WLAN Profile, Policy Profile and the Policy Tag.
The WLAN Profiles is where the administrator will define settings including the SSID, the authentication method, advanced protocols (e.g. 802.11r) and other settings that establish the behavior of the SSID.The WLAN Profile is nearly identical to the WLAN construct in AireOS.
Some aspects are going to look very familiar to the AireOS WLAN configuration construct, however one of the most significant pieces missing is the interface assignment. We will take a look at this later but it's important to understand that the WLAN Profile is intended to be associated with settings related to the operation of the SSID only. The Interface assignment determines what VLAN clients are assigned to after they join the SSID.
Note: It may seem counter intuitive that the Security tab is still present within the WLAN Profile and one may ask. Shouldn't that be associated with the Policy Profile?
Keep in mind that the SSID has to advertise the security settings in the Beacon so clients know how to connect. Therefore, authentication and encryption settings are still located in the WLAN Profile.
The Advanced tab should look very familiar to administrators who have experience with the AireOS platform.
As you can see above, the QoS tab is no longer present in the WLAN Profile. The one exception is the QoS-related configuration parameter for WMM. Like authentication and encryption, WMM is advertised in the SSID Beacon and defines whether or not the SSID support QoS. Additional QoS settings (e.g. QoS metal) should be thought of as policy constructs as they implement a limit on what QoS markings are allowed. This is consistent with keeping SSID characteristics within the WLAN Profile, and policy settings associated with the SSID (e.g. QoS metal, AVC Profile, etc.), separate. Once all of the settings relevant to the SSID are configured the next step is to define a Policy Profile.
The Policy Profile is the second configuration profile within the WLAN Configuration pillar. The administrator will find many of the settings they are used to configuring within a WLAN in the Policy Profile including the interface, QoS metal, various timers, etc. Each configuration construct within this profile is associated with a policy decision. This remains consistent with keeping policy-related settings associated with a WLAN (e.g. interface, session timeout, etc.) separate from the settings that define the SSID behavior.
Note: If the Policy Profile will be associated with a WLAN using FlexConnect local switching it is possible to select a VLAN defined on the WLC from the VLAN/VLAN Group drop-down menu. If a VLAN is selected from the drop-down menu (and not manually entered) it is being referenced by the VLAN Name and not the VLAN ID. When configuring the Flex Profile (covered later in the document) you need to use the exact same VLAN Name (case sensitive) as defined in the Policy Profile.
Once the administrator has defined both the WLAN Profile and the Policy Profile, it is necessary to create a mapping to bind them together. The Catalyst 9800 configuration model uses the Policy Tag to create this mapping. A Policy Tag can be thought of as an AP Group in the AireOS configuration model. The Policy Tag may contain up to sixteen WLAN Profile to Policy Profile maps to support multiple SSIDs per AP. This is identical to the WLAN limitation within an AP Group in AireOS. An AP can have only one Policy Tag assigned at any given time.
The administrator can choose to create multiple Policy Tags with various combinations of WLAN Profile to Policy Profile maps based on their needs. This will most likely reflect the AP Group configuration in their existing AireOS wireless network.
With the Policy Tag defined the Catalyst 9800 WLC has sufficient configuration to make an SSID operational. However, there are other configuration settings that are most likely needed that will be found in Profiles from the other pillars of the configuration model. We will take a look at these in the following section.
The Site Configuration pillar consists of the Flex Profile (where applicable), AP Join Profile and the Site Tag. The Site configuration is primarily used to implement FlexConnect within the Catalyst 9800 WLC. The Site Tag may also be used to tweak the AP behavior based on its location. It is considered a best practice to use a custom Site Tag to group APs at a roaming domain level (e.g. APs in the same building).
Within the Site Tag the administrator can specify whether or not the site is local. When the Site Tag is configured as a local site you should think "Local Mode" in terms of the AP operating mode. If the site is not configured as a local site, the Site Tag will change the AP operating to mode to FlexConnect mode when applied.
Note: As illustrated below, the AP can no longer be directly configured for FlexConnect mode. The AP is configured for FlexConnect mode when a Site Tag is applied that is not configured as a local site.
When the Site Tag is not configured as a local site, the tag will also contain a Flex Profile to configure the AP with the applicable FlexConnect settings. The Flex Profile will contain many of the parameters and administrator would normally configure within a FlexConnect Group including efficient image upgrade, ACLs, local authentication, etc.
An important FlexConnect configuration setting is the WLAN-VLAN mapping. With the AireOS solution, this would be configured at the AP level or within a FlexConnect group. As illustrated below, there is no FlexConnect tab within the AP configuration. Without FlexConnect groups, this WLAN-VLAN mapping must be achieved through Policy Tag and Site Tag coordination.
Within the Flex Profile you define VLANs that will provision sub-interfaces on the AP wired interface to facilitate local switching.
Note: If the Policy Profile associated with the Policy Tag applied to the AP at the remote site has a VLAN selection using the VLAN Name (not the VLAN ID), the Flex Profile VLAN Name must match identically (case sensitive).
AP Join Profile
The AP Join Profile allows the administrator to specify all settings related to the behavior of the AP. Examples include CAPWAP timers, SSH/Telnet, TCP MSS, rogue AP detection settings, etc. Many of these settings were scattered throughout the AireOS web UI but are now in a single, consolidated profile to simplify configuration.
Now that both the Flex Profile and AP Join Profile have been created it is time to bind them together and classify the site as local or not. The Catalyst 9800 configuration model uses the Site Tag to create this binding and configure the site classification.
When the Site Tag is configured as a non-local site, it is analogous to a FlexConnect Group. When applied the Site Tag reconfigures the AP to operate in FlexConnect mode and applies the FlexConnect settings in the Flex Profile. The Site Tag also defines the seamless roaming domain for FlexConnect APs.
Note: The limit of 100 APs per Site Tag (Flex Group) remains as it did with AireOS.
The Radio Configuration pillar consists of an RF Profile for each frequency band and an RF Tag. While the concept of profiles and tags is new, this should be the most familiar to administrators who are used to the AireOS configuration model.
RF Profiles in the Catalyst 9800 configuration model are virtually identical to their counterparts in the AireOS configuration model. The configuration model consists of an RF Profile for both the 2.4 and 5 GHz frequency bands.
The RF Tag is used to associate a 2.4 and 5 GHz RF Profile with an AP. The RF Tag makes a binding or mapping of an RF Profile for each band.
After all the Profiles and Tags have been configured, the Tags must be applied to the APs for the configuration to take effect. This section will review a couple of methods for provisioning APs with Tags.
Each AP can be tagged individually by navigating to Configuration > Wireless > Access Points and clicking the AP where the tag should be provisioned.
If the APs have already joined the Catalyst 9800 WLC, the administrator can use the following procedure to apply tags in bulk based on flexible search criteria. From the WLC home page click the Wireless Setup icon in the upper right corner and select Advanced.
Scroll to the bottom of the page and click the Start Now button.
Scroll to the bottom of the page and click the menu icon to load the AP search tool.
Each column can be used to filter the list of APs so that the administrator can easily and efficiently apply different tags to different groups of APs.
The "select all" check box can be used once the filter is applied to select a large group of APs to apply the tag to.
Note: Applying a tag to an AP will cause the CAPWAP connection to the WLC to drop and come back up. Make sure this is performed during a change window to minimize disruption.
After the tags have been applied the Catalyst 9800 solution provides a simple way to verify the tags associated with an AP using the AP Operational Configuration Viewer. Navigate to Configuration > Wireless > Access Points and click the blue icon next to the AP name as shown below.
This will trigger a pop-up window containing the Tags and their respective Profiles associated with the AP.
Not only does this view show the Tags and Profiles associated with the AP, the window also includes the status and configuration of other important elements in a quick at a glance view. This tool can be very useful for reinforcing the new configuration model and troubleshooting during testing.
Configuration Migration Tool
Cisco has published a configuration migration tool to simplify the migration process available to anyone with a valid CCO account. This tool should not be thought of as a silver bullet to develop a Catalyst 9800 configuration for customers migrating from AireOS. Instead, this tool should be used as a starting point for developing the config.
The tool is located at https://cway.cisco.com/tools/WirelessConfigConverter/ and requires the AireOS "show run-config startup commands" output or TFTP config backup as the input.
Click the "Drop file here" button to upload the configuration file, select AireOS-->Catalyst 9800 from the drop-down menu, and click the "Run" button to generate the migrated configuration.
Once the tool is finished migrating the configuration the page will load the following information below the "Run" button. From this page the administrator can quickly and easily view the Translated, Unsupported, Not Applicable and Unmapped configuration.
The tool also provides the ability to export these groups of configurations to a CSV file where the data can be further analyzed and manipulated before being implemented on the Catalyst 9800 WLC. Note that the CSV export will contain lines that begin with the character "!" to represent a description of the lines to follow. When implementing this configuration on the Catalyst 9800 WLC, do not include these lines.
This design validation exercise gave us a deeper comprehension of the Catalyst 9800 functionalities and helped us both learn more about the functionality of the Catalyst 9800 versus AireOS and helped us understand how to best approach the new configuration model. By following our instructions above, we hope the reader will be able to simplify adoption, reduce error and downtime during the transition, and more quickly take advantage of the enhanced capabilities offered by the Catalyst 9800 Wireless LAN Controller.