C9800 – Tags & Profiles – Policy Tag

Policy Tag

The policy tag is made up of the WLAN Profile and the Policy Profile. It is used to combine the WLAN configuration with policies such as QOS or anchoring. In AireOS, this is a combination of all the settings applied under the WLAN creation.

Note: the RLAN-POLICY is used for configuring LAN ports on APs such as the 1815W.

WLAN Profile

The WLAN profile portion contains the SSID, Security, and Advanced WLAN settings.

The WLAN profile General tab is similar to the General tab in AireOS, minus the VLAN setup, which is provided by the Policy Profile explained later.

  • Profile Name: this is the name used to reference the SSID and does not need to match the SSID name.
  • SSID: Service Set Identifier is the name that is broadcast for the WLAN
  • WLAN ID: this is a unique value that is used in combination with the MAC address to form the BSSID.
  • Status: enable or disable the WLAN
  • Radio Policy: ability to set what radios are used for the WLAN.
  • Broadcast SSID: disabling hides the SSID

The WLAN profile Security tab is very similar to the Security tab in a WLAN on AireOS, as it contains the Layer 2, Layer 3, and AAA server setup for the WLAN. The Layer 2 tab handles the security settings for WPA, PMF, 802.11r/FT, and MPSK (Multiple PSK).

The layer 3 tab is used for doing web authentication. The web auth parameter map is used to map WLANs to different web auth portals. These parameter maps are configured under Configuration > Security > Web Auth. Pre-authentication ACLs can be defined here as well.

The AAA tab maps to an authentication list that is defined under Configuration > Security > AAA. This allows for server groups to be applied at once rather than having to select each authentication and accounting server for each WLAN like in AireOS. Local EAP is also configured on this tab and linked to a predefined profile as well.

The WLAN profile Advanced tab contains all of the settings that are transmitted about the WLAN in the beacon.

  • Coverage Hole Detection
  • Aironet IE – Disable if not using CCX clients
  • P2P Blocking – Disabled is off, Drop means drop any traffic between peers on the WLAN, Forward-Upstream allows the LAN to decide what can be passed, Allow Private Group allows traffic within the WLAN
  • 11ac Mu-MIMO
  • Max Client connections – Per WLAN, AP Per WLAN, and AP Radio Per WLAN
  • 802.11v Support
  • 802.11ax settings
  • load-balance and band select
  • WMM Policy
  • mDNS mode
  • Off Channel Scanning Defer
  • 802.11k Assisted Roaming
  • DTIM Period in beacon intervals
  • Device Analytics

Policy Profile

The Policy Profile is used to define the access policies, QOS/AVC, Mobility, and advanced policy settings.

The General tab defines the name for the policy, Cisco TrustSec settings, and WLAN Switching Policies.

  • Name of the policy
  • passive client – keeps track of clients with static IPs such as printers
  • Encrypted Traffic Analytics – uses netflow to export data from CAPWAP
  • Cisco TrustSec Settings
  • WLAN Switching Policy
    • Central Switching – enable/disable
    • Central Authentication – enable/disable
    • Central DHCP – enable/disable
    • Central Association – enable/disable
    • Flex NAT/PAT – enable/disable

The Access Policies tab is used to define the WLAN settings for the wired network.

  • RADIUS Profiling
  • HTTP TLV Caching
  • DHCP TLV Caching
  • WLAN Local Profiling
  • VLAN
    • VLAN/VLAN Group – this can be an already named VLAN or the VLAN number.
    • Multicast VLAN – this defines which VLAN in a group is used for multicast traffic.
  • WLAN ACL – ACL applied to the WLAN, not just preauth
  • URL Filters – pre and post auth URL filtering

QOS and AVC tab

  • Auto QOS – Predefined QOS profiles
    • Enterprise
    • Voice
    • Guest
    • Fastlane
  • QOS SSID Policy – Egress and Ingress using Platinum, Gold, Silver, and Bronze.
  • QOS Client Policy
  • SIP-CAC – used for voice network settings
  • Flow Monitor for IPv4 and IPv6

The Mobility tab is used to set up the mobility anchors. The Export Anchor is set on the Anchor WLC, and the table is used to set up the list of anchors to export to on the foreign. The Priority level is used to set up failover, with 1 being the first anchor to use and 2-3 being a backup. If 2 WLCs are set up with the same priority, then it will load balance between the 2 WLCs listed.

The Advanced tab contains advanced settings for the policy and the WLAN.

  • WLAN Timeout
  • DHCP
    • IPv4 DHCP Req.
    • DHCP server (override at the WLAN level)
    • DHCP options settings
  • AAA Policy
    • Allow AAA Override
    • NAC State
    • Policy Name
    • Accounting list/group
  • Fabric Profile
  • mDNS service policy
  • Hotspot Server
  • UDN (User Defined Network) settings
  • Umbrella Settings
  • WLAN Flex Policy – override for FLEX Profile
  • Air Time Fairness Policies
  • EoGRE Tunnel Profile
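
To review what a policy tag actually applies per SSID, the following added example (not from the original post or from Cisco) parses a constructed IOS-XE style config excerpt and joins each WLAN profile to the policy profile the tag pairs it with. All profile, tag, VLAN and ACL names are made up, and the parser assumes the `wlan`, `wireless profile policy` and `wireless tag policy` block layout shown in the sample.

```python
import re
# Constructed IOS-XE style excerpt for illustration; not taken from a real controller.
SAMPLE_CONFIG = """\
wlan CORP-WLAN 1 CorpNet
 peer-blocking drop
wlan GUEST-WLAN 2 Guest
wireless profile policy CORP-POLICY
 ipv4 acl CORP-ACL
 vlan 100
wireless profile policy GUEST-POLICY
 vlan GUEST-VLAN
wireless tag policy BRANCH-TAG
 wlan CORP-WLAN policy CORP-POLICY
 wlan GUEST-WLAN policy GUEST-POLICY
 wlan LAB-WLAN policy CORP-POLICY
"""

HEADERS = {"wlan": r"wlan (\S+) \d+ \S+$",
           "policy": r"wireless profile policy (\S+)$",
           "tag": r"wireless tag policy (\S+)$"}

def parse_blocks(config):
    """Collect the indented child lines under each WLAN profile, policy profile and policy tag."""
    blocks, current = {kind: {} for kind in HEADERS}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # an unindented line starts a new block or ends the last one
            current = None
            for kind, pattern in HEADERS.items():
                m = re.match(pattern, line)
                if m:
                    current = blocks[kind].setdefault(m.group(1), [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def setting(lines, prefix, default=None):
    """Return the value after `prefix` in a block's child lines, or `default` if absent."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), default)

def resolve_tag(blocks, tag):
    """Join every 'wlan X policy Y' entry of a policy tag into one row of effective settings."""
    rows, entries = [], "\n".join(blocks["tag"].get(tag, []))
    for w, p in re.findall(r"^wlan (\S+) policy (\S+)$", entries, re.M):
        wlan, policy = blocks["wlan"].get(w), blocks["policy"].get(p)
        rows.append({"wlan": w, "policy": p,
                     "dangling": wlan is None or policy is None,  # tag names an undefined profile
                     # Assumption: no peer-blocking line means P2P Blocking is left at Disabled.
                     "p2p_blocking": setting(wlan or [], "peer-blocking ", "disabled"),
                     "vlan": setting(policy or [], "vlan "), "acl": setting(policy or [], "ipv4 acl ")})
    return rows
```

Calling `resolve_tag(parse_blocks(SAMPLE_CONFIG), "BRANCH-TAG")` returns one row per SSID mapping, which makes it easy to spot a WLAN with P2P Blocking disabled, a policy profile with no WLAN ACL, or a tag entry that points at a profile that does not exist.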
