The C9800 Configuration Model: Tags, Profiles, and Policies Explained
When Cisco designed the Catalyst 9800 wireless controller, they faced a fundamental problem with the AireOS configuration model: settings were global, not location-specific. You couldn't limit configuration changes to a group of APs, reuse settings across deployments, or apply site-specific tweaks without redeploying entire configurations. The solution was the C9800 configuration model—a complete rethinking of how wireless controllers organize and apply settings.
Understanding this model is critical. It's the foundation for everything you'll do with the C9800, and it directly affects how you'll design, deploy, and troubleshoot your network.
The Five Core Profiles
The C9800 configuration model centers on five distinct profile types. Each serves a specific purpose, and together they give you granular control over every aspect of your wireless deployment.
| Profile Type | Purpose | Scope | Key Content |
|---|---|---|---|
| AP Join Profile | General AP settings applied globally or per-AP | Global configuration level | CAPWAP timers, 802.1X supplicant, SSH/Telnet settings, Control and Provisioning of Wireless APs (CAPWAP) parameters |
| WLAN Profile | Define SSID, security settings, and broadcast behavior | Per-WLAN | SSID name, WPA/WPA2/WPA3 settings, authentication method, encryption, broadcast options |
| Policy Profile | Client-side policies and access control | Per-WLAN or per-AP group | Client VLAN, authentication, authorization, accounting (AAA) settings, access control lists (ACLs), session and idle timeouts |
| FlexConnect Profile | Site-level settings for FlexConnect deployments | Per-site or per-FlexConnect group | Native VLAN, ACL mapping, roaming domain, FlexConnect-specific settings |
| RF Profile | Radio frequency characteristics per band | Per-band (2.4 GHz, 5 GHz, 6 GHz) | Power settings, channel sets, 802.11 parameters, band-specific radio behavior |
By default, every AP gets three profiles: an AP Join profile, a policy profile, and an RF profile. The key difference from AireOS is that these profiles are now modular and reusable. You define them once and assign them to as many APs as needed.
The Three Tag Types
Tags are how you bind profiles to access points. They're the connective tissue between configuration templates and actual devices. There are three tag types, and each AP must have exactly one of each.
Policy Tag
The policy tag defines the list of WLANs/SSIDs that broadcast on an AP and the associated policies. Think of it as the broadcast domain for your APs. It answers the question: "What WLANs should this AP advertise, and what policies apply?"
The policy tag groups a set of WLAN profiles with a set of policy profiles. When you assign a policy tag to an AP, you're saying: "Use these WLANs with these policies." This is similar to the AP group concept in AireOS, but with far more flexibility because policy tags are reusable across sites and can be updated dynamically (triggering only a CAPWAP restart, not a full AP reboot).
Site Tag
The site tag is where you place AP Join profile settings and determine if an AP runs in local mode or FlexConnect. It's a C9800-specific construct with no direct AireOS equivalent. The site tag contains settings that are geographically or logically relevant to a specific location: CAPWAP timers optimized for your WAN link, Backup Primary/Secondary AP designations, dot1x credential details, and so on.
If you're using local mode, the site tag is optional—you can rely on defaults. But if you need site-specific AP Join settings (which is common in multi-site deployments with different network characteristics), you'll configure the site tag and assign it during AP provisioning.
In FlexConnect mode, the site tag is mandatory and is where all FlexConnect-specific settings live: native VLAN, ACL mapping, roaming domain, and seamless roaming parameters.
RF Tag
The RF tag defines the radio frequency profiles for each band your AP supports. Every AP has an RF tag (by default, it gets default-rf-tag, which uses the 5 GHz and 2.4 GHz profiles from global config). If you need custom RF settings for a subset of APs—different power levels, channel restrictions, or band-specific parameters—you create a named RF profile and assign it via the RF tag.
Tag Assignment and Defaults
When an AP joins the C9800 for the first time, it receives default tags automatically:
- default-policy-tag – Contains default WLAN and policy settings
- default-site-tag – Contains default AP Join profile and site settings
- default-rf-tag – Contains the default 5 GHz and 2.4 GHz RF profiles
You can override these through static assignment, dynamic tag filters (regex-based), or CSV import. Starting with release 16.12.2, you must explicitly map WLAN profiles to policy profiles within a policy tag for SSIDs to broadcast. Before that release, mappings were automatic—a significant change in how configuration is managed.
Real-World Example: Multi-Site Deployment
Let's say you have three sites with different characteristics:
- Site A (HQ): Wired link, high bandwidth, low latency → Aggressive CAPWAP heartbeat
- Site B (Branch): MPLS link, moderate bandwidth → Moderate CAPWAP timers
- Site C (Remote): Cellular backup, poor WAN → Conservative CAPWAP timers, FlexConnect mode
In AireOS, you'd have to create separate AP groups or accept global settings. In C9800, you'd do this:
- Create a single policy tag with all your WLANs and policies (reusable everywhere)
- Create three site tags: hq-site, branch-site, remote-site with optimized AP Join profiles for each
- Create RF profiles if Site C needs different power settings due to coverage constraints
- Assign tags to APs statically or via filter rules
Now, if you need to change a WLAN's security settings, you update the policy tag once—all APs see the change. If Site A needs different heartbeat timers, you modify only the hq-site tag. This modularity is why the C9800 configuration model is so powerful.
Profiles vs. Tags: Key Differences
You configure profiles (WLAN profiles, policy profiles, AP Join profiles, RF profiles). You assign tags (policy tag, site tag, RF tag) to APs. This separation is crucial for understanding the model.
| Profiles (Configuration Templates) | Tags (Assignment Mechanism) |
|---|---|
| Define features and functionalities | Bind profiles to APs |
| Created once, reused across many APs | Assigned to individual APs or groups |
| Examples: "corp-wlan", "corporate-policy", "secure-rf-profile" | Examples: "policy_corp", "site_hq", "rf_outdoor" |
| Multiple profiles can exist (you select which to use in tags) | Each AP assigned exactly three tags (one per type) |
Assigning Tags in Practice
There are five methods to assign tags to APs, with different priorities. Higher-priority sources override lower ones:
| Priority | Tag Source | How It Works | Use Case |
|---|---|---|---|
| 1 (Highest) | Static | Network admin selects AP and manually assigns tags in GUI or via config | Few APs, stable deployments |
| 2 | Location | C9800 internal construct; group three tags (policy, site, RF) and assign APs | Geo-distributed sites using basic setup |
| 3 | Filter | Regex-based rule matching AP name or MAC to assign tags dynamically | Migration from AireOS, naming conventions used |
| 4 | AP (PnP/Push) | Tag info stored in AP memory (Plug and Play) or pushed from controller | Branch deployments, brownfield migration |
| 5 (Lowest) | Default | No explicit assignment; AP uses default tags | Initial AP join, no other mapping configured |
The most common approach for large deployments is filter-based assignment. For example, if you name APs as ap-floor1-xxxx, ap-floor2-xxxx, etc., you can create a filter rule that matches ap-floor1-.* and assigns the floor1-policy tag, building1-site tag, and default-rf tag automatically.
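The priority table can be modeled offline to predict which source will win for each AP and to spot APs that would silently fall through to the default tags. This is an added example, not Cisco code: the inventory dictionaries, the first-match ordering of filter rules, and the fallback to defaults for tags the winning source does not set are assumptions of the model.

```python
import re

# Default tags an AP receives when nothing else matches (names from the text).
DEFAULT_TAGS = {"policy": "default-policy-tag",
                "site": "default-site-tag",
                "rf": "default-rf-tag"}

def resolve_tags(ap_name, static=None, location=None, filters=(), ap_stored=None):
    """Return (source, tags) using Static > Location > Filter > AP > Default.

    static/location/ap_stored: dict ap_name -> partial tag dict (hypothetical inventory).
    filters: ordered list of (regex, partial tag dict); first full match wins.
    """
    filter_hit = next((tags for rx, tags in filters
                       if re.fullmatch(rx, ap_name)), None)
    candidates = [
        ("Static", (static or {}).get(ap_name)),
        ("Location", (location or {}).get(ap_name)),
        ("Filter", filter_hit),
        ("AP", (ap_stored or {}).get(ap_name)),
        ("Default", {}),  # always present, so the loop always returns
    ]
    for source, tags in candidates:
        if tags is not None:
            # Assumption: tags the winning source does not set use the defaults.
            return source, {**DEFAULT_TAGS, **tags}

def audit(ap_names, **sources):
    """List APs that ended up on the Default source (no explicit mapping)."""
    return [ap for ap in ap_names if resolve_tags(ap, **sources)[0] == "Default"]

# Constructed sample data following the naming convention in the text.
FILTERS = [(r"ap-floor1-.*", {"policy": "floor1-policy",
                              "site": "building1-site",
                              "rf": "default-rf"})]
STATIC = {"ap-floor1-0002": {"policy": "policy_corp",
                             "site": "site_hq",
                             "rf": "rf_outdoor"}}
APS = ["ap-floor1-0001", "ap-floor1-0002", "ap-floor2-0001"]

if __name__ == "__main__":
    for ap in APS:
        print(ap, resolve_tags(ap, static=STATIC, filters=FILTERS))
    print("on default tags:", audit(APS, static=STATIC, filters=FILTERS))
```

An AP reported by `audit` broadcasts whatever the default policy tag maps, so the list is worth reviewing before the APs join.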
Checking Tag Configuration via CLI
To see what tags are assigned to each AP, use the show ap tag summary command:
c9800# show ap tag summary
Number of APs: 3
AP Name AP Mode Site Policy Tag Name RF Tag Name Misc/iguard
ap-3600-c1 AP-3600-C1 1(3.1.0) PROD-CORP-TAG default-rf-tag Static
ap-3800-c2 AP-3800-C2 1(3.1.0) PROD-CORP-TAG default-rf-tag Static
ap-3800-sj AP-3800-SJ 1(3.1.0) PROD-CORP-TAG default-rf-tag Static
The output tells you how each AP got its tags (Static, Location, Filter, AP, or Default). If you see an AP with unexpected tags, this command quickly identifies the source so you can correct it.
Migration from AireOS: Key Considerations
When moving from AireOS to C9800, you're not just upgrading hardware—you're adopting a new configuration philosophy. Here's what changes:
- AP Groups become Policy Tags: Your AireOS AP group (containing SSIDs and policies) maps to a C9800 policy tag.
- General Settings scatter across Profile Types: Global AireOS settings land in AP Join profile (CAPWAP timers, SSH), RF profile (RF characteristics), or Site Tag (location-specific tweaks).
- Flexibility increases, but complexity can too: You now have fine-grained control, but you need to understand where each setting lives. This is why many deployments use Cisco DNA Center—it abstracts the profile/tag complexity.
- No reboot on tag changes (usually): In AireOS, changing an AP group meant a reboot. In C9800, changing a policy tag or RF tag triggers a CAPWAP restart (20–25 seconds) but not a full reboot. This is a massive operational win for large deployments.
If you're migrating APs from an AireOS controller to C9800, remember that AireOS doesn't expose tag information. The AP carries tag info in memory (via Plug and Play) or you assign tags statically on C9800 once it joins.
FlexConnect-Specific Tag Behavior
In FlexConnect mode, the site tag is where all the magic happens. The site tag is configured as "remote" (not local), and it contains the Fast Roaming domain, native VLAN, ACL mappings, and seamless roaming settings.
Critical: For FlexConnect deployments requiring fast roaming (802.11r, CCKM, OKC), do not use the default-site-tag. Create a unique site tag per Flex site. The reason is simple—the client key is not distributed among FlexConnect APs in the default-site-tag, so roaming will never be optimized. With a custom site tag, clients retain key information and roam seamlessly within that site.
Also, if you're running multiple FlexConnect sites in the same deployment, do not reuse the same site tag across different physical locations. The C9800 doesn't know about physical geography—it relies on site tag names to manage client roaming domains. If two sites share a tag, roaming will misbehave.
Site Tag Recommendations for Local Mode APs
For local mode APs (the most common deployment), here are best practices for site tag usage:
| Scenario | Recommendation | Reasoning |
|---|---|---|
| Single site, uniform APs | Use default-site-tag | No need for custom settings; defaults work fine |
| Multiple sites, different WAN characteristics | Create custom site tag per site | Optimize CAPWAP timers for each link (cellular = aggressive retry, wired = fast detection) |
| Large venue, multiple floors/zones | Use location feature (groups three tags) | Simplifies assignment and management; logical grouping |
| High-density deployment (stadium, airport) | Consider Cisco DNA Center | Automates site tag assignment based on AP name or location, reduces manual overhead |
Validating Tag Configuration
After assigning tags, validate that everything is configured correctly. Use the wireless config validate command to catch inconsistencies:
c9800(config)# wireless config validate
% Configuration validation passed
This checks for issues like:
- WLAN assigned to a policy profile that doesn't exist
- Same WLAN mapped to multiple policy profiles with conflicting AAA settings
- RF tag referencing a non-existent RF profile
A typical misconfiguration error: assigning the same WLAN to two different policy profiles with different Application Visibility and Control (AVC) settings in a single policy tag. The show avc status command flags this as an error.
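The same classes of inconsistency, plus the two FlexConnect site tag rules from the FlexConnect section, can be checked against an exported inventory before a change is pushed. This is an added example, not the controller's own validation logic: the dictionary layout, the `aaa` and `location` fields, and all sample names are assumptions.

```python
def validate(cfg):
    """Return findings for an offline config model (hypothetical dict layout)."""
    out = []
    for tag, mappings in cfg["policy_tags"].items():
        by_wlan = {}
        for wlan, policy in mappings:
            if policy not in cfg["policy_profiles"]:
                out.append(f"{tag}: WLAN {wlan} mapped to missing policy profile {policy}")
            else:
                by_wlan.setdefault(wlan, set()).add(policy)
        for wlan, policies in by_wlan.items():
            # Same WLAN under several policy profiles whose AAA settings differ.
            if len({cfg["policy_profiles"][p]["aaa"] for p in policies}) > 1:
                out.append(f"{tag}: WLAN {wlan} has conflicting AAA via {sorted(policies)}")
    for tag, bands in cfg["rf_tags"].items():
        for band, profile in bands.items():
            if profile not in cfg["rf_profiles"]:
                out.append(f"{tag}: {band} references missing RF profile {profile}")
    flex_sites = {}
    for ap, info in cfg["aps"].items():
        if info["mode"] != "flex":
            continue
        if info["site_tag"] == "default-site-tag":
            out.append(f"{ap}: FlexConnect AP on default-site-tag")
        flex_sites.setdefault(info["site_tag"], set()).add(info["location"])
    for tag, places in flex_sites.items():
        if len(places) > 1:
            out.append(f"{tag}: site tag reused across locations {sorted(places)}")
    return out

# Constructed sample model; every name below is illustrative.
SAMPLE = {
    "policy_profiles": {"corporate-policy": {"aaa": "ISE-1"},
                        "guest-policy": {"aaa": "ISE-2"}},
    "rf_profiles": {"secure-rf-profile"},
    "policy_tags": {"policy_corp": [("corp-wlan", "corporate-policy"),
                                    ("corp-wlan", "guest-policy"),
                                    ("iot-wlan", "iot-policy")]},
    "rf_tags": {"rf_outdoor": {"5ghz": "secure-rf-profile", "2.4ghz": "outdoor-24"}},
    "aps": {
        "ap-remote-1": {"mode": "flex", "site_tag": "remote-site", "location": "Site C"},
        "ap-remote-2": {"mode": "flex", "site_tag": "remote-site", "location": "Site D"},
        "ap-remote-3": {"mode": "flex", "site_tag": "default-site-tag", "location": "Site C"},
        "ap-hq-1": {"mode": "local", "site_tag": "default-site-tag", "location": "Site A"},
    },
}

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE)))
```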
Key Takeaways
The C9800 configuration model represents a fundamental shift from global, monolithic AireOS settings to modular, reusable profiles and tags. Here's what you need to remember:
- Profiles are templates: WLAN, policy, AP Join, FlexConnect, and RF profiles define your configuration building blocks.
- Tags bind profiles to APs: Policy tag (WLANs + policies), site tag (AP Join + site settings), RF tag (radio profiles). Each AP gets one of each.
- Tags have assignment priorities: Static > Location > Filter > AP/PnP > Default. Use the highest priority that fits your deployment model.
- Modularity is the win: Update a profile once, and all APs using that profile's tag see the change (with minimal disruption for tag changes).
- FlexConnect requires custom site tags: Default-site-tag doesn't support optimized fast roaming; create unique site tags per Flex location.
- Validate configuration: Use wireless config validate and show ap tag summary to catch misconfigurations before they affect users.
- Think in layers: Don't try to cram all settings into one profile. Separate concerns: WLANs in WLAN profiles, policies in policy profiles, AP settings in site tags. This keeps configurations manageable and reduces mistakes.
Once you internalize the profile-and-tag model, the C9800 becomes far more intuitive. You'll design configurations that scale, troubleshoot more efficiently, and avoid the rigid constraints that made AireOS difficult to manage at scale.