Configure Network Profiles

Create network profiles for assurance

Creating a network profile for Assurance allows you to configure issue settings and apply them to a site or group of sites independently from the global issues settings. You can enable or disable an issue, and you can change its priority.

Note

  • In Assurance, synchronization to the network device health score is available only for global issue settings, not custom issue settings. For information, see the Cisco Catalyst Assurance User Guide.

  • Some global issues are not customizable. These issues are not displayed in the list of custom issues for you to modify.

  • To display modified issues at the top of the list, sort by Last Modified.

  • To delete custom settings, you must first unassign all the sites.

Procedure

Step 1

From the main menu, choose Design > Network Profiles.

Step 2

Click +Add Profile and choose Assurance.

Step 3

In the Profile Name field, enter a valid profile name and click Next.

Catalyst Center adds the profile and the Edit Profile window appears.

Step 4

Set the DEVICE TYPE and CATEGORY filters to view the type of issues you want to configure.

Step 5

Click an issue in the Issue Name column to open a slide-in pane with the settings.

Note

 

For some issues, changes made to the settings are shared across multiple device types. In the slide-in pane, Catalyst Center displays a caution that indicates the affected device types.

Step 6

To enable or disable whether Catalyst Center monitors the issue, click the Enabled toggle button.

Step 7

To set the issue priority, click the Priority drop-down list and choose the priority:

  • P1: A critical issue that needs immediate attention and can have a wide impact on network operations.

  • P2: A major issue that can potentially impact multiple devices or clients.

  • P3: A minor issue that has a localized or minimal impact.

  • P4: A warning issue that may not be an immediate problem but addressing it can optimize the network performance.

Step 8

(For certain issues) In the Trigger Condition area, you can change the threshold value for when the issue is reported.

Examples of a trigger condition:

No Activity on Radio(2.4 GHz) >= 60 minutes.
Memory Utilization of Access Points greater than 90%.

Step 9

(Optional) If there are any changes to the settings, you can hover your cursor over View Default Settings to display the default settings. Click Use Default to restore all the issue settings to the default values.

Step 10

Click Apply.

Step 11

(For certain issues) Click Manage Subscription to subscribe to external notifications for supported issues when they are triggered.

Step 12

To assign the profile to sites, click Assign Sites. Check the check box next to the sites that you want to associate with this profile and click Save.

The Edit Profile window appears.

Note

 

You can select a parent node or the individual sites. If you select a parent node, all the children under the parent node are also selected. You can uncheck the check box to deselect a site.

Step 13

Click Done.

The newly added profile appears on the Network Profiles window.

Create network profiles for firewall

This workflow shows how to:

  1. Create custom configurations.

  2. Create Firepower Threat Defense (FTD) configurations.

  3. View the profile summary.

Procedure

Step 1

From the main menu, choose Design > Network Profiles.

Step 2

Click +Add Profile and choose Firewall.

The Firewall Type page appears.

Step 3

To create custom configurations for regular firewalls like Adaptive Security Appliance (ASA) firewalls:

  1. In the Name field, enter the profile name.

  2. Choose the number of devices from the Devices drop-down list.

    Note

     

    You can choose up to 10 devices per profile.

  3. Choose the type of device from the Device Type drop-down list.

  4. (Optional) From the Device Tag drop-down list, choose the device tags.

  5. Click Next.

    The Custom Configuration page appears.

  6. From the Template drop-down list, choose a template.

    Note

     

    If there are no templates, you must create at least one template in Design > CLI Templates. For information, see Create templates.

  7. Click Next.

    The Summary page appears. This page summarizes the custom configurations. Based on the selected device type, the page provides a hardware recommendation.

  8. Click Save.

    The Network Profiles page appears.

  9. To assign a site to the network profile, click Assign Sites. For more information, see Create, edit, and delete a site.

Step 4

To create FTD configurations to configure the FTD devices:

  1. In the Name field, enter the profile name.

  2. From the Devices drop-down list, choose the number of devices.

    Note

     

    You can choose up to 10 devices per profile.

  3. To provision an FTD firewall, check the FTD check box.

  4. From the Device Type drop-down list, choose the type of device.

  5. (Optional) Choose the device tags from the Device Tag drop-down list.

  6. Click Next.

    The FTD Configuration page appears.

  7. Click the Routed Mode or Transparent Mode radio button.

  8. Click Next.

    The Summary page appears. This page summarizes the FTD configurations. Based on the selected device type, the page provides hardware recommendations.

  9. Click Save.

    The Network Profiles page appears.

  10. To assign a site to the network profile, click Assign Sites. For information, see Create, edit, and delete a site.

Create network profiles for routing

This workflow shows how to:

  1. Configure the router WAN.

  2. Configure the router LAN.

  3. Configure the integrated switch configuration.

  4. Create custom configurations.

  5. View the profile summary.

Procedure

Step 1

From the main menu, choose Design > Network Profiles.

Step 2

Hover your cursor over + Add Profile and choose Routing.

Step 3

The Router WAN Configuration page displays.

  • Enter the profile name in the Name text box.

  • Choose the number of Service Providers and Devices from the respective drop-down lists. Supports up to three service providers and ten devices per profile.

  • Choose the Service Provider Profile from the drop-down list. For more information, see Configure service provider profiles.

  • Choose the Device Type from the drop-down list.

  • Enter a unique string for the Device Tag to identify the different devices or choose an existing tag from the drop-down list. Use the device tag if two or more devices are of the same type. If all the devices are of a different type, the device tag is optional. Make sure to choose the appropriate tag. Part of the matching criteria for day-zero and day-n templates that apply to the network profile uses your selection.

  • To enable at least one line link for each device to proceed, click O and check the check box next to Connect. Choose the Line Type from the drop-down list. Click OK.

    If you choose multiple service providers, you can choose:

    • gigabit Ethernet for the primary interface and cellular for the secondary interface,

    • gigabit Ethernet for both interfaces, or

    • cellular for the primary interface and gigabit Ethernet for the secondary interface.

    Note

     

    The cellular interface only supports these integrated services routers:

    • Cisco 1100 Series

    • Cisco 4200 Series

    • Cisco 4300 Series

    • Cisco 4400 Series

  • Click Next.

Step 4

The Router LAN Configuration page displays.

To skip the router LAN configuration, click the Skip radio button and continue to Step 5. To configure the router LAN:

  • Click the Configure Connection radio button and choose L2, L3, or both.

  • If you choose L2, click + Add Row. Choose the Type from the drop-down list and enter the VLAN ID/Allowed VLAN and the Description. You can add multiple rows by clicking + Add Row, and you can delete rows by clicking the X icon.

  • If you choose L3, choose the Protocol Routing from the drop-down list and enter the Protocol Qualifier.

  • Click Next.

Step 5

Based on your router configuration, the Integrated Switch Configuration page displays.

If the Integrated Switch Configuration page does not display, continue to Step 6.

The integrated switch configuration allows you to add new VLANs or retain the previously chosen configuration in the router LAN configuration.

  • To add one or more new VLANs, click + Add Row.

  • Choose the Type from the drop-down list and enter the VLAN ID/Allowed VLAN and the Description.

  • To delete a VLAN, click the X icon.

  • Click Next.

Note

 

Switchport Interface support is available only for Cisco 1100 Series and Cisco 4000 Series integrated services routers.

Step 6

The Custom Configuration page displays.

Custom configurations are optional. You can skip this step and apply the configurations at any time in the Network Profiles window.

If you choose to add custom configurations:

  1. Click the Onboarding Template(s) or Day-N Template(s) tab, as required.

  2. Choose a template from the drop-down list. The templates filter by Device Type and Tag Name.

  3. Click Next.

Step 7

On the Summary page, click Save.

This page summarizes the router configurations. If you have multiple devices, you can click on each device to see its configuration data. The page provides hardware recommendations based on the devices and chosen services.

Step 8

The Network Profiles window displays. In this window, you can edit and delete the network profiles.

Click Assign Site to assign a site to the network profile. For more information, see Create, edit, and delete a site.

Create network profiles for switching

You can apply two types of configuration templates to a switching profile:

  • Onboarding template

  • Day-n template

Before you begin

Define the Onboarding Configuration template that you want to apply to the devices. Such templates contain basic network configuration commands to onboard a device so that it can be managed on the network. See Create Templates to Automate Device Configuration Changes.

Procedure

Step 1

From the main menu, choose Design > Network Profiles.

Step 2

Click +Add Profile and choose Switching.

Step 3

In the Add a Network Profile page, enter the profile name in the Profile Name field.

Step 4

Click the tab for the template type that you want to associate with this profile.

If you want to associate ... Then ...

an onboarding template,

click the OnBoarding Template(s) tab.

a day-n template,

click the Day-N Template(s) tab.

Step 5

Click Attach Templates.

Step 6

In the Add Template slide-in pane, complete these steps:

  1. Under Templates, click a template name.

    You can either search for a template by entering its name in the Search field, or expand a project and choose a template.

    Note

     

    In previous Catalyst Center releases, you were able to associate a tag with a template. This functionality has been removed.

  2. Click Add.

Step 7

Click Save.

The profile that is configured on the switch is applied when the switch is provisioned. You must add the network profile to a site for it to be effective.

Create network profiles for wireless

Before you begin

  • Ensure that you have created wireless SSIDs, RF profiles, and AP profiles under the Design > Network Settings > Wireless tab.

  • If necessary, ensure that you have created templates in the Design > CLI Templates window.

  • If necessary, ensure that you have created feature templates in the Design > Feature Templates window.

Procedure

Step 1

From the main menu, choose Design > Network Profiles.

Step 2

Click Add Profile and choose Wireless.

Step 3

Enter a valid profile name in the Profile Name field.

Step 4

To add sites to the profile, click Assign and do these steps:

  1. In the Add Sites to Profile slide-in pane, check the check box next to the sites that you want to associate with this profile.

    You can select a parent node or the individual site. If you select a parent site, all the children under the parent node are also selected. You can uncheck the check box to deselect a site.

  2. Click Save.

Step 5

Configure the required settings in these tabs:

Step 6

Click Save to add the network profile.

Catalyst Center displays the new network profile on the Design > Network Profiles window.

Add SSIDs to a network profile

Before you begin

Ensure that you have created wireless SSIDs under the Design > Network Settings > Wireless > SSIDs window.

Procedure

Step 1

In the Add a Network Profile window (Design > Network Profiles > Add Profile > Wireless), click the SSID tab.

Step 2

Click Add SSID.

Step 3

From the SSID drop-down list, choose the SSID that you have already created.

Step 4

(Optional) In the WLAN Profile Name field, enter a name for the WLAN profile.

Based on the WLAN profile name, Catalyst Center automatically generates the policy profile name.

Note

 

  • If an SSID associated with a network profile doesn't have site-level overrides on the Design > Network Settings > Wireless window, Catalyst Center uses the WLAN profile name available in the network profile during provisioning.

  • If you must associate an SSID that has site-level overrides on the Design > Network Settings > Wireless window (for configurations such as fabric, FlexConnect, guest anchor, user interfaces, scheduler, and so on) with multiple network profiles, ensure that the WLAN profile name is unique for the SSID across all network profiles to prevent provisioning failure.

  • If an SSID associated with a network profile has site-level overrides, Catalyst Center uses the WLAN profile name or policy profile name from the overridden SSID during wireless controller provisioning for the corresponding sites. This rule applies when the overridden site is associated with the wireless controller's network profiles and is managed by the same wireless controller.

  • If you modify the WLAN profile name for an existing SSID that is provisioned on a wireless controller, during the wireless controller reprovisioning, this SSID is deleted and recreated with the new WLAN profile name.

  • When you upgrade to this release from a release earlier than Release 2.3.5, Catalyst Center populates the provisioned WLAN profile name and policy profile name to the corresponding existing SSIDs.

Step 5

(Optional) From the 802.11be Profile Name drop-down list, choose an 802.11be profile.

This profile is applicable for wireless controllers running Cisco IOS XE Release 17.15.2 or later. The wireless controllers use only one dot11be-profile, which is the default-dot11be-profile. When you choose a 802.11be profile, the corresponding attributes map to the default-dot11be-profile on the wireless controller.

For more information about 802.11be profiles, see Create an 802.11be profile.

Step 6

Specify whether the SSID is fabric or nonfabric using the Yes or No radio buttons.

To create a nonfabric SSID, click No, and configure these parameters:

  • Click the Enable SSID Scheduler toggle button and choose the scheduler from the drop-down list.

  • To use an interface for traffic switching, click the Interface radio button. From the Interface Name drop-down list, choose an interface name for the SSID, or click the plus icon () to create a wireless interface.

  • To use a VLAN group for traffic switching, click the VLAN Group radio button. From the VLAN Group Name drop-down list, choose a VLAN group name for the SSID, or click the plus icon () to create a VLAN group.

  • In the Do you need Anchor for this SSID? area, click Yes to add an anchor to the SSID. By default, No is the selection.

  • If you choose Yes, from the Select Anchor Group drop-down list, choose an anchor group for the SSID. For more information about anchor groups, see Create an anchor group.

  • If you choose No, to enable local switching for WLAN, check the Flex Connect Local Switching.

    If you add an anchor to the SSID, you can't enable Flex Connect Local Switching.

    Note

     

    If you modify any nonflex SSIDs that are already provisioned on the wireless controller to flex SSIDs (or conversely), you must reprovision the wireless controller. If you don't reprovision the wireless controller, the expected intent isn't configured on the wireless controller. For example, if you modify a nonflex SSID to a flex SSID and don't reprovision the wireless controller, the SSID remains nonflex on the wireless controller and flex site tags aren't created.

    If you enable Flex Connect Local Switching for an SSID, all the APs on the floor where the network profile is mapped, switch to FlexConnect mode.

    The Flex Group option is enabled in the Advanced Settings tab. For more information, see Add AP groups, flex groups, site tags, and policy tags to a network profile.

    When you enable local switching, any FlexConnect AP that advertises this WLAN can locally switch data packets.

  • If you have enabled the Flex Connect Local Switching check box, enter a value for the VLAN ID in the Local to VLAN field.

    Note

     

    When you modify the local VLAN ID of an existing SSID and reprovision the AP without reprovisioning the wireless controller, the latest value of the local VLAN ID updates in the flex profile that is used by the AP. If the same flex profile is used by other APs, these APs also have the local VLAN ID update.

Step 7

(Optional) To add another SSID, click the plus icon () and configure its parameters.

Note

 

If you add multiple SSIDs to the network profile, you must configure all the SSIDs with the same 802.11be profile.

What to do next

Configure the other necessary settings for the network profile. For more information, see Create network profiles for wireless.

Add AP zones to a network profile

An AP zone allows you to associate different SSIDs and RF profiles for a set of APs on the same site. You can use device tags to identify the APs for which you want to apply AP zone. From the AP Zones tab, you can create separate AP zones with a subset of SSIDs configured in the network profile for a device tag.

Catalyst Center applies the AP zone configurations to APs during AP provisioning.


Note

  • Catalyst Center doesn't apply AP zone configurations to the APs claimed from the Plug and Play (PnP) process.

  • If an AP zone is already provisioned on an AP and you update the AP zone configuration, you must reprovision the wireless controller. Reprovisioning the AP is not necessary.

During AP provisioning:

  • Based on the device tag and site of the AP, Catalyst Center selects the corresponding AP zone and automatically assigns the RF profile.

  • If two AP zones are configured for an AP, you can choose the required AP zone.

  • If there are no AP zones for an AP, you can choose the required RF profile.

Before you begin

Ensure that you have created wireless SSIDs under the Design > Network Settings > Wireless > SSIDs window.

Procedure

Step 1

In the Add a Network Profile window (Design > Network Profiles > Add Profile > Wireless), click the AP Zones tab.

Step 2

Click Add AP Zone.

Step 3

In the AP Zone Name field, enter a name for the AP zone.

Step 4

From the Device Tags drop-down list, check the check box next to the device tags that you want to choose.

Step 5

From the RF Profile drop-down list, choose an RF profile.

Step 6

From the SSID drop-down list, choose the SSIDs.

Step 7

(Optional) To add another AP zone, click the plus icon () and configure its parameters.

What to do next

Configure the other necessary settings for the network profile. For more information, see Create network profiles for wireless.

To apply the AP zone configuration to an AP:

  1. Reprovision the wireless controller. For more information, see Provision a Cisco AireOS Controller and Provision a Cisco Catalyst 9800 Series Wireless Controller.

  2. Provision the AP. For more information, see Provision Cisco APs on day 1.

Add feature templates to a network profile

You can attach feature templates to a network profile.

Procedure

Step 1

In the Add a Network Profile window (Design > Network Profiles > Add Profile > Wireless), click the Feature Templates tab.

Step 2

Click Add Feature Template.

Step 3

In the Add Feature Template slide-in pane, do these steps:

  1. Click Filter by Device Type(s) and choose a device type.

    You can either search for a device name by entering its name in the Search field, or expand Switches and Hubs or Wireless Controller and choose a device type.

  2. Expand Wireless and choose the feature templates that you want to attach to this network profile.

    You can use the Search Feature Template Designs field to filter the feature templates.

  3. From the Tags drop-down list under APPLICABILITY, choose the applicable tags.

  4. Click Add.

What to do next

Configure the other necessary settings for the network profile. For more information, see Create network profiles for wireless.

Add templates to a network profile

You can associate a template with a network profile.

Before you begin

You must create the necessary templates in the Design > CLI Templates window. For more information, see Create templates.

Procedure

Step 1

In the Add a Network Profile window (Design > Network Profiles > Add Profile > Wireless), click the Templates tab.

Step 2

Do this task:

  • To associate an onboarding template, click the OnBoarding Template(s) tab.

  • To associate a day-n template, click the Day-N Template(s) tab.

Step 3

Click Attach Templates.

Step 4

In the Add Template slide-in pane, do these steps:

  1. Under Templates, click a template name.

    You can either search for a template by entering its name in the Search field, or expand a project and choose a template.

  2. Click Add.

What to do next

Configure the other necessary settings for the network profile. For more information, see Create network profiles for wireless.

Overview of AP groups, flex groups, site tags, and policy tags

You can define custom names for AP groups, site tags, and policy tags in the Advanced Settings tab of the Design > Network Profiles > Wireless window. For more information, see Add AP groups, flex groups, site tags, and policy tags to a network profile.

Catalyst Center configures and applies the newly added custom names specified in the Provision Group settings of the Advanced Settings tab to the APs during AP provisioning.


Note

  • AP group and flex group configurations are applicable to Cisco AireOS Wireless Controllers.

  • Site tag and policy tag configurations are applicable to Cisco Catalyst 9800 Series Wireless Controllers.

    Newly added site tag and policy tag configurations are applied when you provision the APs. Provisioning the wireless controller alone doesn’t configure the new custom tags on the APs. You must reprovision the wireless controller or the APs if there are any modifications to the tags after provisioning.

    Consider these scenarios while provisioning or reprovisioning the wireless controller and APs:

    • If there are no custom site or policy tags configured on the network profile, Catalyst Center uses the autogenerated tags and configures it on the wireless controller and applies the changes to the APs only during AP provisioning.

    • If there are custom site or policy tags configured on the network profile, Catalyst Center configures the custom tags on the wireless controller and applies the changes to the APs only during AP provisioning.

    • If the wireless controller and AP are already provisioned with autogenerated tags and if you create new custom tags in the network profile, you must reprovision the wireless controller or the AP to apply the changes.

    • If the wireless controller and AP are already provisioned with custom tags and if you delete the custom tags from the network profile, you must reprovision the wireless controller or the APs.

      • Reprovisioning the wireless controller deletes the custom tag configurations and configures the autogenerated tags on the wireless controller and the associated APs.

      • Reprovisioning the APs directly, without reprovisioning the wireless controller, configures the autogenerated tags on the APs but doesn’t delete the custom tag configurations from the wireless controller. The tags are deleted during the next wireless controller reprovisioning.

    • If you've upgraded to Catalyst Center with FlexConnect Native VLAN override configured and site tags that are mapped to the same custom Flex profile for all the floors in a site, you must reconfigure the network profile with different site tags for each floor or else provisioning may fail.

You can use the same AP groups and flex groups across sites (buildings or floors) across multiple areas. Child sites inherit the AP groups and flex groups from their parent sites. However, if you create AP groups or flex groups for a child site, it overrides the settings inherited from its parent site. If an SSID is overridden for different floors in a building, you can’t reuse the AP groups or flex groups for such floors. For AP group and flex group reuse examples, see Custom AP group and flex group reuse examples.

Consider these scenarios while using the same AP groups and flex groups across multiple sites:

  • You must configure the same RF profile for the shared AP groups.

    For example, the custom AP group AP-Group-1 is shared across Network-Profile-1 and Network-Profile-2. It’s managed by the same wireless controller with the same AP zone name (default or custom AP zone). If Network-Profile-1 uses RF-Profile-1 and Network-Profile-2 uses RF-Profile-2, a validation error occurs during provisioning. You must configure the same RF profile for AP-Group-1.

  • You must configure the same AP zone name for the shared custom AP groups.

    For example, the custom AP group AP-Group-1 is shared across Network-Profile-1 and Network-Profile-2. Both network profiles use the same RF profile RF-Profile-1. If Network-Profile-1 uses the AP zone default-zone and Network-Profile-1 uses AP-Zone-1, a validation error occurs during provisioning. You must configure the same AP zone name for AP-Group-1.

  • For shared custom AP groups, if any site with active APs is removed and the RF profile is also modified simultaneously, do one of these tasks before reprovisioning the APs:

    • Create another custom AP group and reprovision the APs in the sites that are removed from the custom AP group.

    • Reprovision the APs without creating a custom AP group so that the AP uses the Catalyst Center-generated AP group. Later, reprovision the APs with the updated RF profile and the shared custom AP group.

    For example, the custom AP group AP-Group-1 that uses RF-Profile-1 is shared across Building-1/Floor-1 and Building-2/Floor-2. When you provision APs on Building-1/Floor-1 and Building-2/Floor-2, the APs join AP-Group-1 on both the floors. If you change the RF profile to RF-Profile-2 and simultaneously remove Building-2/Floor-2 from AP-Group-1, a validation error occurs during provisioning. You must reprovision the APs on Building-2/Floor-2 to move them to the required AP group. Later, reprovision APs on Building-1/Floor-1.

  • For shared custom AP groups, if the AP zone name is changed, you must reprovision the existing APs in the old AP zone. Later, reprovision the APs with the new AP zone and the custom AP group.

    For example, Network-Profile-1 is assigned to Building-1/Floor-1 with AP-Group-1, RF-Profile-1, and AP-Zone-1. Network-Profile-2 is assigned to Building-2/Floor-2 with AP-Group-1, RF-Profile-1, and AP-Zone-1. The managed AP location for the Wireless-Controller-1 is configured as Building-1 and Building-2. AP1 is provisioned on Building-1/Floor-1 and AP2 is provisioned on Building-2/Floor-2. If you change the AP group to New-AP-Group and AP zone to AP-Zone-3 on both Network-Profile-1 and Network-Profile-2, and reprovision AP1 or AP2 with AP-Zone-3 on the corresponding floors, a validation error occurs. You must reprovision AP1 and AP2 with AP-Zone-1. Later, reprovision AP1 and AP2 with AP-Zone-3 and New-AP-Group.

  • For shared custom AP groups, if you modify the AP zone on a parent site, these modifications are also inherited by the child sites. You must create the required AP zone on the network profile assigned to the child site.


    Note

    If the child site has overridden configurations, the configurations aren’t overwritten.

    For example, Building-1 contains child sites Floor-1 and Floor-2. Network-Profile-1 is assigned to Building-1 and Floor-1, and AP-Group-1, AP-Zone-1, and RF-Profile-1 are configured for Building-1. Network-Profile-2 is assigned to Floor-2, and AP-Group-1, AP-Zone-1, and RF-Profile-1 are configured for Floor-2. AP1 is provisioned on Floor-1 and AP2 is provisioned on Floor-2 with AP-Zone-1. AP zone configuration for AP-Group-1 on Building-1 is updated to use AP-Zone-2 and RF-Profile-2. Since Floor-2 inherits values from Building-1, any updates to the AP group settings on Building-1 are automatically reflected in Floor-2. So, even though APZone-2 doesn't exist in Network-Profile-2, it’s updated in the Floor-2 AP group settings due to inheritance. If you reprovision AP1 on Floor-1 with AP-Zone-2, a validation error occurs. You must create AP-Zone-1 in Network-Profile-2.

  • For shared custom AP groups, if the SSID is changed in the AP group, you must reprovision the APs on all the sites that use the modified AP group. If you reprovision the APs on only a few sites using the modified AP group, the AP provisioning fails. To ensure successful reprovisioning of APs, we recommend that you do one of these tasks:

    • Create a unique custom AP group at the sites requiring updates to the AP group. This custom AP group can be shared by multiple sites before you reprovision the APs.

    • Reprovision the wireless controller.

    For example, the custom AP group APGroup1 is shared across Building-1/Floor-1 and Building-2/Floor-2. Building-1/Floor-1 has AP-Group-1 with AP-Zone-1, the SSID WLAN-1, and the RF profile Typical. Building-1/Floor-2 has AP-Group-1 with AP-Zone-1, the SSID WLAN-2, and the RF profile Typical. AP1 is provisioned on Floor-1 and uses AP-Group-1. If you provision AP2 on Floor-2 with AP-Zone-1, WLAN-2, Typical, a validation error occurs. You can create a unique custom AP group for Floor-2 before reprovisioning AP2.

  • For shared custom AP groups, if you change the RF profile and reprovision the corresponding APs, the custom AP group is updated with the new RF profile across sites for all the APs using the custom AP group.

    For example, the custom AP group AP-Group-1 is shared across Network-Profile-1 and Network-Profile-2. Network-Profile-1 is assigned to Building-1/Floor-1 and uses RF-Profile-1. Network-Profile-2 is assigned to Building-2/Floor-2 and uses RF-Profile-1. AP1 is provisioned on Floor-1 and AP2 is provisioned on Floor-2. If you update the RF profile of AP-Group-1 to RF-Profile-2, and reprovision the APs, all APs using AP-Group-1 are updated to use RF-Profile-2.

  • You can't use the same flex group on multiple sites with different native VLAN or AAA override VLAN.

Custom policy tags can be reused across sites (areas, buildings, and floors). When you assign a custom policy tag to a site—an area, a building, or multiple floors in a building—all APs provisioned to that site and AP zone can use the same custom policy tag. By default, the custom policy tags are applicable for APs in the default AP zone; for custom AP zones, edit the policy tag and assign the custom policy tag to the required zones.


Note

While reusing the custom policy tags:

  • Child sites inherit the custom policy tags from the parent sites. However, if you create another policy tag for the child site, it overrides the settings inherited from the parent site.

  • A custom policy tag can be assigned to multiple sites and multiple AP zones. All AP zones associated with the policy tag must share the same set of SSIDs and the SSIDs must have the same configuration. If a policy tag is associated to multiple AP zones that have different SSID configurations, an error is shown while editing the policy tag or the network profile.

  • A custom policy tag can’t be shared when any of the sites that share the custom policy tag and are managed by the same wireless controller have different SSID configurations due to a site-level SSID override. In such cases, a validation error occurs during provisioning—either AP provisioning or wireless controller provisioning (if the Skip AP Provision check box is unchecked) due to different WLAN profile and policy profile mappings for the same custom policy tag. An error message with the reason for failure is displayed in the configuration preview. The error message provides details for up to five sites that have a mismatch for the custom policy tag. For more information on the custom policy tag usage, see Custom policy tag reuse use case examples.

  • Custom policy tag reuse is supported when learning device configurations from a pre-existing infrastructure as well.

  • Policy tags are mapped to WLAN and RLAN profiles. Any changes in the policy tag may impact the RLAN configurations.

  • Policy tag reuse isn’t supported for Catalyst Center autogenerated tags.

Custom flex profiles are configured either during wireless controller provisioning or during AP provisioning accordingly:

  • During wireless controller provisioning: If there’s a flex feature template attached to the network profile, a custom flex profile or a Catalyst Center autogenerated flex profile (based on the option selected while configuring a custom site tag) is created during wireless controller provisioning. The custom flex profile is configured with the same settings as that of the default flex profile except for the Catalyst Center intent configurations as defined in the feature template with IP Overlap enabled. When you provision the AP after provisioning the wireless controller, the custom flex profile isn’t overwritten except for the FlexConnect VLAN settings (Native VLAN and AAA Override VLAN), if configured.

  • During AP provisioning: If there’s no feature template attached to the network profile, a custom flex profile is created during AP provisioning. The custom flex profile is configured with the same settings as that of the default flex profile except for the FlexConnect VLAN settings (Native VLAN and AAA Override VLAN), if configured. Catalyst Center enables the pairwise master key (PMK) propagation in the custom flex profile during AP provisioning.

Custom AP group and flex group reuse examples

Scenario 1

A custom AP group and flex group are shared between multiple sites with no site overrides and all sites are managed by the same wireless controller.

Site

Site override

AP group, AP zone, and RF profile

Native VLAN ID override

Primary wireless controller

Area-1/Building-1/Floor-1

None

Custom-AP-Group-1, default-zone, Typical

None

Wireless-Controller-1

Area-2/Building-1/Floor-1

None

Custom-AP-Group-1, default-zone, Typical

None

Wireless-Controller-1

In this scenario, the custom AP group and flex group can be shared between the sites and the APs can be successfully provisioned to these sites using the same custom AP group.

Scenario 2

A custom AP group is shared between multiple sites where some sites have site overrides for SSID and all the sites are managed by the same wireless controller.

Site

Site override

AP group, AP zone, and RF profile

Primary wireless controller

Area-1/Building-1/Floor-1

Site override - PSK changes

Custom-AP-Group-1, AP-Zone-1, HIGH

Wireless-Controller-1

Area-2/Building-1/Floor-1

None

Custom-AP-Group-1, AP-Zone-1, HIGH

Wireless-Controller-1

In this scenario, the custom AP group can't be reused as it has different WLAN profile mapping for the same SSID. If you provision APs to these sites using the same custom AP group, a validation error occurs during provisioning.


Note

The AP provisioning for the first site in this site hierarchy (Area-1/Building-1/Floor-1) is successful but a validation error is displayed during the second AP provisioning at Area-2/Building-1/Floor-1, which is attempting to reuse the custom AP group.

Scenario 3

A custom AP group is shared between multiple sites with different RF profiles and all the sites are managed by the same wireless controller.

Site

Site override

AP group, AP zone, and RF profile

Primary wireless controller

Area-1/Building-1/Floor-1

None

Custom-AP-Group-1, AP-Zone-1, HIGH

Wireless-Controller-1

Area-2/Building-1/Floor-1

None

Custom-AP-Group-1, AP-Zone-1, LOW

Wireless-Controller-1

In this scenario, the custom AP group can't be reused as it has different RF profiles. If you provision APs to these sites using the same custom AP group, a validation error occurs during provisioning.


Note

The AP provisioning for the first site in this site hierarchy (Area-1/Building-1/Floor-1) is successful but a validation error is displayed during the second AP provisioning at Area-2/Building-1/Floor-1, which is attempting to reuse the custom AP group.

Scenario 4

A custom AP group is shared between multiple sites where some sites have no site overrides for SSID for the primary controller, but has an override for the secondary controller.

Site

Site override

AP group, AP zone, and RF profile

Primary wireless controller

Secondary wireless controller

Building-1

None

Custom-AP-Group-1, AP-Zone-1, HIGH

Wireless-Controller-1

Wireless-Controller-2

Building-1/Floor-1

None

Custom-AP-Group-1, AP-Zone-1, HIGH

Wireless-Controller-1

Wireless-Controller-2

Building-1/Floor-2

None

Custom-AP-Group-1, AP-Zone-1, HIGH

Wireless-Controller-1

Wireless-Controller-2

Building-2/Floor-1

SSID override

Custom-AP-Group-1, AP-Zone-1, LOW

Wireless-Controller-2

None

In this scenario, the custom AP group can't be reused as it has different WLAN profile mapping for the same SSID for Wireless-Controller-2. If you provision APs to these sites using the same custom AP group, a validation error occurs during provisioning.


Note

The AP provisioning for the first site in this site hierarchy (Building-1/Floor-1) is successful but a validation error is displayed during the second AP provisioning at Building-2/Floor-1, which is attempting to reuse the custom AP group.

Scenario 5

A custom AP group is shared between multiple sites with different sets of WLANs and all sites are managed by the same wireless controller.

Site

Site override

AP group, AP zone, and RF profile

Primary wireless controller

Area-1/Building-1/Floor-1

None

Custom-AP-Group-1, AP-Zone-1 (WLAN-1, WLAN-2), HIGH

Wireless-Controller-1

Area-2/Building-1/Floor-1

None

Custom-AP-Group-1, AP-Zone-1 (WLAN-3, WLAN-4), HIGH

Wireless-Controller-1

In this scenario, the custom AP group can't be reused as it has different WLAN profile mapping for the same wireless controller. If you provision APs to these sites using the same custom AP group, a validation error occurs during provisioning.


Note

The AP provisioning for the first site in this site hierarchy (Area-1/Building-1/Floor-1) is successful but a validation error is displayed during the second AP provisioning at Area-2/Building-1/Floor-1, which is attempting to reuse the custom AP group.

Custom policy tag reuse use case examples

Scenario 1

A custom policy tag is shared between multiple sites with no site overrides and all sites are managed by the same Cisco Wireless Controller.

Site

Site override

Policy tag and AP zone

Primary wireless controller

Building 1/Floor 1

None

Custom Policy Tag 1, default-zone

wireless controller 1

Building 1/Floor 2

None

Custom Policy Tag 1, default-zone

wireless controller 1

In this scenario, the custom policy tags can be shared between the sites and the APs can be successfully provisioned to these sites using the same custom policy tag.

Scenario 2

A custom policy tag is shared between multiple sites where some sites have site overrides for SSID and all the sites are managed by the same wireless controller.

Site

Site override

Policy tag and AP zone

Primary wireless controller

Building 1/Floor 1

Site Override

Custom Policy Tag 1, default-zone

wireless controller 1

Building 1/Floor 2

None

Custom Policy Tag 1, default-zone

wireless controller 1

In this scenario, the custom policy tag cannot be reused because the same tag has two different WLAN profile and policy profile mappings for the same SSID. If you provision APs to these sites using the same custom policy tag, a validation error occurs during provisioning.


Note

The AP provisioning for the first site in this site hierarchy (Building 1/Floor 1) will be successful but a validation error is shown during the second AP provisioning at Building 1/Floor 2, which is attempting to reuse the custom policy tag.

Scenario 3

A custom policy tag is shared between multiple sites where some sites have site overrides for SSID and the sites are managed by different primary wireless controllers.

Site

Site override

Policy tag and AP zone

Primary wireless controller

Building 1/Floor 1

Site Override

Custom Policy Tag 1, default-zone

wireless controller 2

Building 1/Floor 2

None

Custom Policy Tag 1, default-zone

wireless controller 1

In this scenario, the custom policy tags can be reused and the APs can be successfully provisioned to these sites using the same custom policy tag.

Scenario 4

A custom policy tag is shared between sites which have different policy profile (learned from pre-existing infrastructure) and all the sites are managed by the same wireless controller.

Site

Site override

Policy profile

Policy tag and AP zone

Primary wireless controller

Building 1/Floor 1

None

Profile 1 (learned from pre-existing infrastructure)

Custom Policy Tag 1, default-zone

wireless controller 1

Building 1/Floor 2

None

Profile 2 (learned from pre-existing infrastructure)

Custom Policy Tag 1, default-zone

wireless controller 1

In this scenario, the custom policy tag cannot be reused because the same tag is mapped to two different policy profiles for the same SSID on the same wireless controller. If you provision APs to these sites using the same custom policy tag, a validation error occurs during provisioning.


Note

The AP provisioning for the first site in this site hierarchy (Building 1/Floor 1) will be successful but a validation error is shown during the second AP provisioning at Building 1/Floor 2, which is attempting to reuse the custom policy tag.

Scenario 5

A custom policy tag is shared between multiple sites where some sites have no site overrides for the primary wireless controller and some sites have overrides for the secondary wireless controller. All the sites are managed by the same primary wireless controller and have N+1 HA configured.

Site

Site override

Policy tag and AP zone

Primary wireless controller

Secondary wireless controller

Building 1/Floor 1

No Override from Global level

Custom Policy Tag 1, default -zone

wireless controller 2

-

Building 2

Site Override

Custom Policy Tag 1, default -zone

wireless controller 1

wireless controller 2

Building 2/Floor 1

No Override from Building 2

Custom Policy Tag 1, default -zone

wireless controller 1

wireless controller 2

Building 2/Floor 2

No Override from Building 2

Custom Policy Tag 1, default -zone

wireless controller 1

wireless controller 2

In this scenario, since all the sites are managed by the same N+1 wireless controller, the custom policy tag cannot be reused for wireless controller 2 because the same tag has two different WLAN profile and policy profile mappings for the same SSID on the same wireless controller (wireless controller 2). A validation error occurs when you provision wireless controller 2. However, there's no error expected while provisioning the wireless controller 1.


Note

Validation is done independently for each of the wireless controllers.

Scenario 6

A custom policy tag is shared across areas with the same network profile.

Site

Site override

Policy tag and AP zone

Primary wireless controller

Area 1/Building 1/Floor 1

None

Custom Policy Tag 1, default-zone

wireless controller 1

Area 2/Building 2/Floor 1

None

Custom Policy Tag 1, default-zone

wireless controller 1 or 2

In this scenario, custom policy tags can be shared across wireless controllers managing different areas under the same network profile.

Scenario 7

A custom policy tag is shared across areas with multiple network profiles.

Example 1

In this example, custom policy tag can be reused across areas with different network profiles.

Site

Network profile

Site override

Policy tag and AP zone

Primary wireless controller

Area 1/Building 1/Floor 1

Profile 1

None

Custom Policy Tag 1, default-zone

wireless controller 1

Area 2/Building 2/Floor 1

Profile 2

None

Custom Policy Tag 1, default-zone

wireless controller 1 or 2

Example 2

In this example, the custom policy tag cannot be reused due to site override in Area 2.

Site

Network profile

Site override

Policy tag and AP zone

Primary wireless controller

Area 1/Building 1/Floor 1

Profile 1

None

Custom Policy Tag 1, default-zone

wireless controller 1

Area 2/Building 2/Floor 1

Profile 2

Site Override in Area 2

Custom Policy Tag 1, default-zone

wireless controller 1 or 2

Scenario 8

A custom policy tag is shared across multiple AP zones.

Example 1

In this example, the same custom policy tag can be reused across two AP zones (workarea, corridor) when they have the same set of SSID (SSID 1).

Site

Site override

Policy tag and AP zone

Primary wireless controller

Area 1/Building 1/Floor 1

None

Custom Policy Tag 1, workarea (SSID 1)

wireless controller 1

Area 2/Building 2/Floor 1

None

Custom Policy Tag 1, corridor (SSID 1)

wireless controller 1

Example 2

In this example, the custom policy tag cannot be reused because the AP zones do not have the same set of SSIDs.

Site

Site Override

Policy Tag and AP Zone

Primary wireless controller

Area 1/Building 1/Floor 1

None

Custom Policy Tag 1, workarea (SSID 1, SSID 2)

wireless controller 1

Area 2/Building 2/Floor 1

None

Custom Policy Tag 1, corridor (SSID 1)

wireless controller 1

Note

Reconfiguring a shared custom policy tag (for example, swapping the AP zone for a policy tag with another tag) results in conflicting configurations for existing APs on different floors that are yet to be reprovisioned. This prevents provisioning because the APs that are yet to be provisioned are still using the old configuration. However, reconfiguration of a shared custom policy tag is allowed in cases where all the APs that share the tag are on the same floor. The APs are updated with the latest configuration when you reprovision the APs of all the zones.

Add AP groups, flex groups, site tags, and policy tags to a network profile

Catalyst Center allows you to add AP groups, flex groups, site tags, and policy tags in a network profile. Adding AP groups and flex groups saves time during AP provisioning by eliminating the need to make repetitive configuration changes and ensures consistency across your devices. If you don't configure the custom names, Catalyst Center uses the autogenerated AP group names and tags for the APs.


Note

Flex group configuration is available only when the network profile has at least one associated flex-based SSID.

Before you begin

  • Ensure that you have assigned a site to the network profile.

  • To create flex group names, under the SSIDs tab, ensure that you have checked the Flex Connect Local Switching check box and defined the VLAN ID in the Local to VLAN field to mark the nonfabric SSID as a flex-based SSID. For more information, see Add SSIDs to a network profile.

    If you have enabled Flex Connect Local Switching for an SSID, all the APs on the floor where the network profile is mapped, switch to FlexConnect mode.

  • For information about reprovisioning the wireless devices, and using the groups and tags, see Overview of AP groups, flex groups, site tags, and policy tags.

Procedure

Step 1

In the Add a Network Profile window (Design > Network Profiles > Add Profile > Wireless), hover your cursor over Advanced Settings and click Provision Group.

Step 2

(Optional) To create an AP group in the network profile, expand AP Groups and AP Profiles and click Create Custom AP Group.

In the Add AP Group slide-in pane, do these steps:

  1. In the AP Group Name field, enter the AP group name.

  2. From the AP Zone drop-down list, choose an AP zone.

    To broadcast all the SSIDs associated with the network profile, choose Not Applicable.

    Note

     

    This drop-down list is enabled if you have added AP zones to the network profile in the AP Zones tab. For more information, see Add AP zones to a network profile.

    If you choose an AP zone, the RF profile is inherited from the AP zone configuration.

  3. From the AP Profile drop-down list, choose an AP profile.

    To create an AP profile, click Create New. For more information, see AP profiles.

  4. From the RF Profile drop-down list, choose an RF profile.

    Note

     

    This drop-down list is disabled if you choose an AP zone from the AP Zone drop-down list.

  5. In the Select Sites area, you can either search for a site by entering its name or expand Global to choose a site.

  6. Click Save.

Step 3

(Optional) To create a flex group in the network profile, expand Flex Group and click Create Flex Group.

In the Create Flex Group slide-in pane, do these steps:

  1. In the Flex Group Name field, enter the flex group name.

  2. In the Select Sites area, you can either search for a site by entering its name or expand Global to choose a site.

  3. Click Save.

Step 4

(Optional) To create a site tag in the network profile, expand Site Tags and AP Profiles and click Create Custom Site Tag.

In the Create Site Tag slide-in pane, do these steps:

  1. In the Site Tag Name field, enter the site tag name.

  2. From the AP Profile drop-down list, choose an AP profile.

    To create an AP profile, click Create New. For more information, see AP profiles.

  3. In the Flex Profile Name field, enter the flex profile name.

    Note

     

    To enable the Flex Profile Name field, in the SSID tab, check the Flex Connect Local Switching check box. For more information, see Add SSIDs to a network profile.

    To use a Catalyst Center autogenerated name, check the Auto generate Flex Profile Name check box.

  4. In the Select Sites area, you can either search for a site by entering its name or expand Global to choose a site.

    You can select multiple areas under an area.

  5. Click Save.

Step 5

(Optional) To create a policy tag in the network profile, expand Policy Tag and click Create Policy Tag.

In the Create Policy Tag slide-in pane, do these steps:

  1. In the Policy Tag Name field, enter the policy tag name.

  2. From the AP Zone drop-down list, choose an AP zone.

    Note

     

    This drop-down list is enabled if you have added AP zones to the network profile in the AP Zones tab. For more information, see Add AP zones to a network profile.

  3. In the Select Sites area, you can either search for a site by entering its name or expand Global to choose a site.

  4. Click Save.

What to do next

Configure the other necessary settings for the network profile. For more information, see Create network profiles for wireless.

Configure additional interfaces for a network profile

An additional interface on a Cisco Wireless Controller maps a WLAN to a VLAN or subnet. You can configure additional interfaces for a network profile for wireless.

Procedure

Step 1

In the Add a Network Profile window (Design > Network Profiles > Add Profile > Wireless), hover your cursor over Advanced Settings and click Additional Interface.

Step 2

To create an additional interface, click Create New Interface and do these steps:

  1. In the Interface Name field of the Add Interface slide-in pane, enter a name for the interface.

  2. In the VLAN ID field, enter a VLAN ID.

    For Cisco AireOS Wireless Controllers, the valid range is from 1 through 4094. For Cisco Catalyst 9800 Series Wireless Controllers, the valid range is from 2 through 4094.

  3. Click Save.

Alternatively, you can create an additional interface on the Design > Network Settings > Wireless > Interfaces & VLAN Groups > Interfaces window. For more information, see Create a wireless interface.

Step 3

To add additional interfaces to a network profile, do one of these tasks

  • Click the plus icon () next to the required additional interface.

  • Click the additional interface name, and then click Add Selected.

    Note

     

    To choose multiple additional interfaces, press Shift, click the additional interface names, and then click Add Selected.

  • To add all the additional interfaces, click Add All. You can use the Search field to filter the additional interfaces.

What to do next

After configuring the necessary settings for the network profile, click Save. For more information, see Create network profiles for wireless.