Last updated on May 6th, 2020 at 09:15 pm
After just over a year on the market, the new Cisco Catalyst 9800 WLAN controllers, based on IOS-XE software, are finally set to replace the previous generation based on AireOS software.
With the new WLAN controllers there is a model for each use case, all of them with feature parity and full functionality, differing only in the number of clients or access points they can handle. There are dedicated hardware appliances (the C9800-80, C9800-40 and the new C9800-L), a virtual appliance (the C9800-CL), software embedded in compatible switches such as the Catalyst 9300, and even a Mobility Express-like software option running on the new Catalyst 9100 access points, which act as master controllers in light deployments.
With respect to the supported access points, all those that comply with the 802.11ac Wave 2 standard are maintained, and new ones based on 802.11ax are added. Thus, APs from the 1700/2700/3700 series, the 1800/2800/3800/4800 series, and the newest Catalyst 9115/9120/9130 are supported (next to come in this family are the 9105 and 9140).
Cisco has completely redesigned the configuration interface, making it more user-friendly than the old AireOS one while keeping it fairly similar, so the configuration methodology, although different, is conceptually close to the previous one.
This is the basic explanation of the new end-to-end configuration methodology:
- WLAN profile: this involves creating the basic features of the WLAN, such as the SSID, the type of security (encryption, authentication) and the radio-behaviour parameters: radio interface in use, radio and/or channel balancing, limits on the number of associated clients, use of 802.11k/v, channel scanning or WMM. As before, it is possible to create different WLAN profiles using the same SSID but with different characteristics, which gives greater flexibility depending on the type of devices using it and whether or not they support certain standards. As on AireOS, a WLAN profile with an ID lower than 16 is automatically pushed to newly provisioned APs, so it is good practice not to use these identifiers.
- Policy Profile: this is the second part of the WLAN configuration, and it holds the network policies applied to a device once it associates with the WLAN. It covers features such as whether association, authentication, switching or DHCP are handled centrally or not (that is, whether the data plane is centralized or local, FlexConnect), whether the traffic is tunneled to an anchor, the VLAN tag or name the WLAN is mapped to, the use of ACLs, QoS profiles, session timers, NAC-related parameters, etc. It is recommended to disable the default policy profile to prevent any newly provisioned AP from broadcasting an uncontrolled SSID.
- AP Join Profile: because customization of the default profile is limited, it is recommended to create a new one to define parameters such as NTP, remote access to the APs and the credentials to be used, the primary/secondary controller, activation of rogue detection on the AP, etc. It should be mentioned that, due to a defect whose patch is still pending, enabling encryption of the CAPWAP tunnel with DTLS is not possible; if it is enabled, the 4800 APs cannot register with the controller.
- Flex Profile: when using APs in FlexConnect mode, forwarding data traffic locally to the switch the AP is connected to, it is necessary to create a Flex profile. This profile manages the native VLAN of the AP, the WLAN-to-VLAN mapping and, for example, the pre-authentication ACL used with captive portals.
- RF Profiles: RF profiles allow manipulating the predefined behaviour of the radio: limiting the effective range by adjusting the transmission power, enabling the supported link speeds, setting the mandatory basic data rates, or rejecting poor connections and helping to optimize the roaming process through signal-strength thresholds.
- Tags: finally, all the previous profiles are associated in pairs through their mapping in this section: Policy Tags (WLAN and Policy), Site Tags (AP Join and Flex) and RF Tags (5 GHz and 2.4 GHz RF profiles). These tags are assigned to the APs to define their configuration. The good news is that you can define configuration rules per AP before they have ever connected, creating an initial provisioning so that they self-configure once unboxed and plugged in, in a plug-and-play fashion.
Although a Site tag is not required for an AP to start working, several internal processes take the AP tags into account to split resources, so it is good practice to segment the APs with Site tags. This is the case for credential cache redistribution and for the RRM algorithm, so that changes do not affect all the APs but only those grouped into zones predefined by the administrators.
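To make the chain of profiles and tags concrete, here is an added example (not configuration from the original post) of the whole hierarchy as typed into the Catalyst 9800 CLI: an 802.1X WLAN tied to a locally switched policy profile, an AP join profile, a Flex profile and per-band RF profiles, then the three tags statically bound to an AP by its Ethernet MAC so it picks the configuration up on its first join. All names, VLAN numbers, IP addresses, the RADIUS server and the AP MAC are assumed values.

```ios
! --- RADIUS server used by the 802.1X WLAN (assumed address and key) ---
radius server ISE-1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key 0 RadiusSharedSecret!
aaa group server radius CORP-RADIUS
 server name ISE-1
aaa authentication dot1x CORP-DOT1X group CORP-RADIUS
!
! --- WLAN profile: SSID, security and radio behaviour. ID 17 stays out of
!     the 1-16 range that is pushed to every newly joined AP by default ---
wlan CORP-WIFI 17 CORP-WIFI
 security dot1x authentication-list CORP-DOT1X
 assisted-roaming neighbor-list
 bss-transition
 no shutdown
!
! --- Policy profile: FlexConnect local switching and local DHCP,
!     central association, clients dropped into VLAN 666 ---
wireless profile policy CORP-POLICY
 no central switching
 no central dhcp
 central association
 vlan 666
 no shutdown
! Disable the default policy profile so an unconfigured AP broadcasts nothing
wireless profile policy default-policy-profile
 shutdown
!
! --- AP join profile: NTP, SSH access with its own credentials,
!     preferred controllers and rogue detection ---
ap profile CORP-AP
 ntp ip 10.1.1.1
 ssh
 mgmtuser username apadmin password 0 ApPassw0rd! secret 0 ApSecr3t!
 capwap backup primary WLC-PRIMARY 10.6.6.6
 capwap backup secondary WLC-SECONDARY 10.6.6.7
 rogue detection enable
!
! --- Flex profile: native VLAN of the AP and the VLAN it switches locally ---
wireless profile flex CORP-FLEX
 native-vlan-id 100
 vlan-name VLAN0666
  vlan-id 666
!
! --- RF profiles per band: power limits and mandatory basic rates ---
ap dot11 5ghz rf-profile CORP-5GHZ
 tx-power min 8
 tx-power max 17
 rate RATE_6M disable
 rate RATE_12M mandatory
 rate RATE_24M supported
 no shutdown
ap dot11 24ghz rf-profile CORP-24GHZ
 tx-power max 14
 rate RATE_1M disable
 rate RATE_2M disable
 rate RATE_5_5M disable
 rate RATE_11M disable
 rate RATE_12M mandatory
 no shutdown
!
! --- Tags: pair the profiles two by two ---
wireless tag policy CORP-POLICY-TAG
 wlan CORP-WIFI policy CORP-POLICY
wireless tag site CORP-SITE-TAG
 ap-profile CORP-AP
 flex-profile CORP-FLEX
 no local-site
wireless tag rf CORP-RF-TAG
 5ghz-rf-profile CORP-5GHZ
 24ghz-rf-profile CORP-24GHZ
!
! --- Static tag assignment by AP Ethernet MAC (assumed value), entered
!     before the AP has ever joined so it self-provisions on arrival ---
ap 0011.2233.4455
 policy-tag CORP-POLICY-TAG
 site-tag CORP-SITE-TAG
 rf-tag CORP-RF-TAG
```

The `no local-site` line on the site tag is what turns it into a FlexConnect site, which is the only case in which the Flex profile is consulted; the `vlan 666` in the policy profile then has to exist in that Flex profile's VLAN list, otherwise locally switched clients have nowhere to land.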
Finally, Cisco has managed to make a configuration change on the AP no longer cause a complete restart of the AP, only a brief disconnection to apply the changes.
Although Cisco has developed a configuration migration tool from AireOS to IOS-XE that may be helpful, personally I don't like it. The way the translation adds custom names to every policy profile increases the later effort of trying to understand that configuration.
Personally, it may be preferable to take advantage of the migration to start over and not inherit any unwanted or unused configuration. On the other hand, the configuration translation can be very helpful if you want to know how to configure certain unfamiliar features, such as MAC filtering on a WLAN.
Also, if you migrate APs from an AireOS controller, some parameters will remain configured, especially those customized per AP such as the name, the transmit power or the channel settings. So another good practice is to factory-reset the AP configuration on the AireOS controller before pushing the AP to the new IOS-XE controller.
As in the rest of the Catalyst family, the 9800 controller provides the administrator with a configuration wizard through the console port, which allows setting the basic connectivity parameters. A second configuration wizard, known as day-zero, is then provided through the browser. However, if you wish to go beyond the basic standard configuration, to use a different physical interface for management and wireless management, or to configure a VLAN for them, you will need to interrupt this wizard and proceed with the configuration of the Catalyst 9800 manually.
The basic setup via the wizard is shown below:
Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system
In order to proceed with DAY 0 Wireless configuration,
please configure Wireless Controller (WLC) with an
IP address, a local username and password and enable
https server via the “ip http/s server” and
“ip http authentication local” commands; then access the
WLC via http/s
Would you like to enter basic management setup? [yes/no]:
Configuring global parameters:
Enter host name [WLC]:
Enter enable secret:
Enter enable password:
Enter virtual terminal password:
Setup account for accessing HTTP server? [yes]:
Configure SNMP Network Management? [no]:
Enter interface name used to connect to the
management network from the above interface summary: GigabitEthernet0
Configuring interface GigabitEthernet0:
Configure IP on this interface? [no]:
IP address for this interface:
Subnet mask for this interface [255.0.0.0] :
The following configuration command script was created: (a summary of the created configuration is displayed here)
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.
Enter your selection : 2
It should be noted that, with the IOS-XE version 16.10 shipped as standard, it is not possible to configure any interface other than GigabitEthernet0 as management in the wizard, so it will be necessary to modify it later through the CLI.
After this wizard, the appliance restarts and we can access the Day-0 wizard through the browser, where we can configure the rest of the basic parameters required before reaching the functional interface of the Catalyst 9800.
However, for those more adventurous who want to configure the controller manually, the following configuration is an example of the parameters needed so that the Day-0 wizard does not appear once the web interface is accessed.
! Interface stanza headers were missing from the listing as extracted and
! are restored here; the physical interface names are assumptions.
! Vlan999 carries device management, Vlan666 the wireless management interface.
! Out-of-band management port left unaddressed
interface GigabitEthernet0
 no ip address
 no mop enabled
 no mop sysid
!
! Wireless management SVI (referenced by "wireless management interface")
interface Vlan666
 ip address 10.6.6.6 255.255.255.0
!
! Device management SVI (source of HTTP client and SSH sessions)
interface Vlan999
 ip address 10.9.9.9 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.6.6.1
ip default-gateway 10.6.6.1
!
! Access port for device management (interface name assumed)
interface TenGigabitEthernet0/0/0
 switchport mode access
 switchport access vlan 999
!
! Trunk port for the wireless management VLAN (interface name assumed)
interface TenGigabitEthernet0/0/1
 switchport mode trunk
 switchport trunk allowed vlan 666
 switchport trunk native vlan 100
!
ntp server 10.1.1.1
! Web UI: HTTP and HTTPS, TLS 1.2 only, local authentication
ip http server
ip http secure-server
ip http tls-version TLSv1.2
ip http client source-interface Vlan999
ip ssh source-interface Vlan999
ip http authentication local
! "aaa new model" corrected to "aaa new-model"; exec rights are an
! authorization statement, not an authentication one
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authentication enable default enable
! SSHv2 with a dedicated 2048-bit RSA key pair
ip domain-name ent.corp
crypto key generate rsa general-keys modulus 2048 label ent-ssh
ip ssh rsa keypair-name ent-ssh
ip ssh version 2
! Local admin account and enable secret with strong hashing
! ("user" corrected to "username")
username admin privilege 15 algorithm-type sha256 secret Passw0rd!
enable algorithm-type scrypt secret Passw0rd!
line vty 0 15
 transport input ssh
! Wireless essentials: mobility group, management interface, radios on,
! and the web-auth virtual IP (documentation range 192.0.2.0/24)
wireless mobility group name ENT-CORP
wireless management interface Vlan666
no ap dot11 5ghz shutdown
no ap dot11 24ghz shutdown
parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1
In both cases, after the configuration wizard or the manual setup, we are presented with the dashboard of the WLC with all the configuration sections.
Keep an eye on the next post for more Cisco Catalyst 9800 WLAN controller configuration tips.