
DNA Mobility Innovations

Catalyst 9800 Wireless Controller Lab Guide


Top Feature Configurations in Catalyst 9800 Controller

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Global Sales Training
Agenda

01 Catalyst Wireless Controller New Configuration Model


1) Configuring 802.1x WLAN with Wireless Basic Workflow
2) Configuring Webauth Guest WLAN with Wireless Advanced Workflow

02 Applying AVC on WLAN profile


03 Flex connect – Central Auth/Local Switching

Lab Topology
[Figure: lab topology diagram. Labels recoverable from the figure:
Internet, NAT Router, ESXi running VMs, DNAC 10.10.105.30, ISE 10.10.105.35
CORE-SW-3850 with VLAN10: 10.10.10.1, VLAN100: 10.10.100.1, VLAN105: 10.10.105.1
Sw1, Sw2, switch ports Gig1/0/2 and Gig1/0/8 Trunk
POD1-C9800 10.10.10.3 through POD10-C9800 10.10.100.3
WLC-3504 Anchor, Port 1, MGMT = 10.10.200.3, VLAN 200
Per pod: AP PODX-AP1915 (Gi0) with SSIDs #PODX and #PODX-Guest]

X = POD number
PODs IP addressing Scheme

IP addressing
Devices            VLAN ID   IP address/URL   Gateway       User Name/PW     Password/Enable
DHCP server PodX   X0        10.10.X0.1       10.10.X0.1    N/A              N/A
PodX C9800         X0        10.10.X0.3       10.10.X0.1    admin/Cisco123   Cisco123
ISE 2.3            105       10.10.105.35     10.10.105.1   admin            Public123!

Note : Here ‘X’ is your POD number


Accessing the Lab
Please connect your Laptop to the SSID “#C9800-Lab (PSK – Cisco123)”.

You will obtain an IP address from the VLAN 200 subnet (10.10.200.0/24) and can then access your respective POD network (10.10.X0.0/24).
*Please use your own device for wireless connectivity.
The Lab is divided into different sections with step by step configurations and sections for reference as indicated.

Client Devices used in Lab Topology


Users use their own Wireless Clients to associate to POD SSIDs for testing connectivity and passing data traffic.

Lab WLCs have dedicated VLANs for each POD

                  POD1  POD2  POD3  POD4  POD5  POD6  POD7  POD8  POD9  POD10
Management VLAN   10    20    30    40    50    60    70    80    90    100

Please DO NOT change any settings and configurations unless instructed in the Lab Exercise.
Please follow the Lab guide to complete the exercises. If you have any questions or issues, feel free to ask or consult your lab proctors.
Save your configurations as you proceed with Lab Exercises as not to lose configs in case of a crash or outage.
Exercise 1:
Catalyst Wireless Controller New Configuration Model TASKS
1) Configuring 802.1x WLAN with Wireless Basic Workflow
2) Configuring Webauth Guest WLAN with Wireless Advanced Workflow

Task 1 Adding AAA for Radius/802.1x authentication
Step 1: Log in to the WLC (WLC9800) at https://10.10.X0.3 (admin/Cisco123). Here X is the POD number.
From WLC main menu go to Configuration > AAA > +AAA Wizard and configure the following:
Server: Name=ISE, Server Address=10.10.105.35, Shared Secret=cisco and click Next
Server Group Association: Name=ISE-Server-Group; from Available Servers select ISE, click ‘>’ to move it to the assigned list, and click Next
MAP AAA: Select Authentication; for Method List Name enter ISE-ML, Type=dot1x; under Available Server Groups select ISE-Server-Group, then Apply to Device
For Authorization, select Type = network. Under Available Server Groups select ISE-Server-Group, then click the Apply to Device button
Configuring 802.1x WLAN with Wireless Basic Workflow
Step 1: From WLC page top right menu click on Wireless Wizard icon and select Basic Wireless setup

Step 2: To start configuring the basic wireless setup click ‘Add’

Step 3: Under General configure the following:
Location Name as “pod-site”; description can be any name
Location Type (whether it is local or Flex/remote site); we are configuring Local/Central site so choose Local
Leave the Client density as Typical (user can choose low, typical or high)

Step 4: Next, we need to create the WLAN for this location. In Wireless Network tab, click +Add then click on Define new

Step 5: Create Profile Name and SSID as #PODX (where X is the pod number) and enable status

Step 6: Check Security>Layer2>Security Mode = WPA + WPA2 and Auth Key Mgmt = 802.1x
Go to tab AAA and select ISE-ML from Authentication List, click Apply to Device

Step 7: Make sure your #PODx WLAN is selected.
Under Policy Details select Management VLAN = VLAN00x0.
Then click the check Add button to continue.

Step 8: Next, go to AP Provisioning Tab to assign the AP to your location.
Select your AP and click the Arrow to move it to Location, on the right
Then click Apply to configure.
The AP will reboot and will be configured with the appropriate tags.
Verification: Behind the scenes Policy Profile, Site Tag creation
Once the basic wireless setup is configured the system will automatically create the site policy profile and site tags
To verify navigate to WLC main menu Configuration > Tags > Policy and check Pod-site is created

Similarly, go to Configuration > Policy and verify that the tag for policy profile name pod-site_WLANID_1 is tied to pod-site_#PodX
Also verify that the site tag under Configuration > Tags > Site > Pod-site has Name and AP Join Profile set to Pod-site, which we created from the wizard.
As this is a Central Site, i.e. APs operating in local mode, the ‘Enable Local Site’ box shows Enabled.
Client Connect to Pod-SSID:
Connect a client to the SSID PODX (username = podx / password = Cisco123) and the user should get the IP address from VLAN105 (select your Management VLAN) (10.10.x0.xxx)

Go to WLC Monitoring>Clients page and click on the client to verify the Policy profile is pod-site_WLANID_1
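
The AAA wizard and the WLAN steps above build a chain of references: the WLAN names the method list ISE-ML, which names ISE-Server-Group, which names the server ISE. The Python check below is an added example, not part of the Cisco lab guide; it walks that chain in a constructed running-config excerpt (an assumed IOS-XE CLI rendering of the GUI settings for POD1) and reports any name that is referenced but never defined.

```python
import re

# Constructed excerpt: assumed IOS-XE CLI form of the GUI settings for POD1, not a lab capture.
SAMPLE_CONFIG = """\
radius server ISE
 address ipv4 10.10.105.35 auth-port 1812 acct-port 1813
 key cisco
aaa group server radius ISE-Server-Group
 server name ISE
aaa authentication dot1x ISE-ML group ISE-Server-Group
wlan #POD1 1 #POD1
 security dot1x authentication-list ISE-ML
"""

def parse_blocks(config):
    """Map each top-level config line to its indented child lines."""
    blocks, current = {}, None
    for line in filter(str.strip, config.splitlines()):  # skips blank lines
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_dot1x_chain(config):
    """Report WLAN -> method list -> server group -> server references that dangle."""
    blocks = parse_blocks(config)
    servers, groups, methods, refs, findings = set(), {}, {}, [], []
    for head, kids in blocks.items():
        if m := re.fullmatch(r"radius server (\S+)", head):
            servers.add(m.group(1))
        elif m := re.fullmatch(r"aaa group server radius (\S+)", head):
            groups[m.group(1)] = [k.split()[2] for k in kids if k.startswith("server name ")]
        elif m := re.fullmatch(r"aaa authentication dot1x (\S+) group (\S+)", head):
            methods[m.group(1)] = m.group(2)
        elif head.startswith("wlan "):
            refs += [(head.split()[1], k.split()[-1]) for k in kids
                     if k.startswith("security dot1x authentication-list ")]
    for wlan, mlist in refs:
        group = methods.get(mlist)
        if group is None:
            findings.append(f"{wlan}: method list {mlist} is not defined")
        elif group not in groups:
            findings.append(f"{wlan}: server group {group} is not defined")
        for srv in groups.get(group, []):
            if srv not in servers:
                findings.append(f"{wlan}: RADIUS server {srv} is not defined")
    return findings
```

An empty list means every name the WLAN depends on resolves; a mistyped method list name on the WLAN is reported as a finding.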
Task 2 Configuring Webauth Guest WLAN with Wireless Advanced Workflow
Step 1: Log in to C9800 PODx http://10.10.X0.3 (admin/Cisco123) and click on Wireless Wizard icon and select Advanced option (x is POD #)
Click on Start Now > WLAN Profile then click on button

Step 2: Create Profile Name and SSID with naming convention as #PODX-Guest and enable the status. From the Security tab select Layer 2 security to ‘None’ and click Save & Apply to Device

Step 3: Navigate to policy profile and click on to configure a guest policy profile by naming it ‘guest-policy-profile’
Enable the Status and make sure Central Switching, Central Auth, Central DHCP, Central Association are Enabled (Checked)
Move to Access Policy tab and from VLAN/VLAN Group select VLAN 105 (all PODs) – Guest
Click Save & Apply to Device

Step 4: Navigate to policy Tag and click on Edit.
Click on pod-site that has already been created and click on +Add in order to add Guest SSID and WLAN Profile
Step 5: To configure Local Web Auth. Navigate to Configuration > Security > Web Auth
and click on Global which is created by default. Create a Banner Text that you
desire to show when a client connects to the SSID and hit Apply. You can also
create a different Parameter Map Name by clicking on Add
Step 6: Navigate to Configuration> AAA and click on Authentication to add a login Authentication method as shown below

Step 7: Navigate back to WLAN Profile. Select Guest SSID and click on Security > Layer 3 and map Webauth Parameter Map as ‘global’ which we
have modified in previous step.
Step 8: Navigate to Administration> User administration and click on ADD to create username and password (Cisco123) for Local webauth

Step 9: Connect a client to Guest WLAN and use credentials created and verify that the default banner Cisco Systems is displayed on your client device.
Credentials shown in the figure: guest / Cisco123
Exercise 2
FlexConnect - Configure 802.1x WLAN for
Central Authentication, Local Switching

Step 1: Navigate to Wireless Advanced Workflow and click on WLAN Profile in order to create a new WLAN for Flex Exercise.
Select WLAN Profile Name as PODx-Flex and enable Status as shown below.
Click on Policy Profile and click on Add

Step 2: From Policy profile. Select Policy profile name and appropriate VLAN as shown below

Step 3: From Wireless Advanced Setup Work flow, Navigate to Policy Tags to add a new Policy Tag for Flex.
Select Policy Tag name and click on Add to map Flex SSID created and policy Profile created to the appropriate Flex SSID

Step 4: From Advanced Wireless Flow navigate to Flex Profile and click on Add to create Flex profile with appropriate settings.

Step 5: From Advanced Wireless Work Flow navigate to Site Tag and click on Add.
Select Site Tag Name/description and uncheck the Enable Local Site check box to be able to select Flex Profile as
shown below

Step 6: You have finished with creating Policy, Site and RF Tags.
Next Step is to attach these Tags to the APs and push the configuration to the APs

Basic Wireless Setup for FlexConnect For reference Only – ANO way
Step 1: Navigate to Configuration>Basic and click on Add in order to create a new site for FlexConnect

Step 2: Define location and select Flex for location Type.

Step 3: Click on Wireless Network and create a WLAN by clicking on define now.
Select appropriate VLAN and switching method as shown below

Step 4: Click on AP provisioning and select appropriate Access points to be added to Remote site.

Exercise 3

RRM/ RF Profile

RRM Parameter adjustments
(1) Navigate to Configuration> RRM. Set appropriate trap thresholds for your environment and Adjust monitor intervals
– (defaults are sufficient).
(2) Repeat Steps for 2.4 GHz band

(3) Click on Coverage. Enable/Disable Global Coverage Hole Detection. Default values are fine.
(4) Repeat Steps for 2.4 GHz band

(5) Click on DCA. Choose DCA operational mode. Select DCA operating channels
(6) Repeat steps for 2.4 GHz band

(7) Click on TPC. Choose TPC operational mode and set your TPC threshold value.
(8) Repeat steps for 2.4 GHz band.
(9) Click on RF Grouping. Choose operational mode and identify Current RF group leader and Group members.
(10) Repeat steps for 2.4 GHz band.

Exercise 4
AVC/ QoS

Apply AV on WLAN profile


Use AVC/QoS feature to mark, drop or rate limit an application.

Configuring Application Visibility(AV) on WLC
Step 1: From C9800 main menu go to Configuration>Services>Application Visibility

Step 2: User can see the Available Profiles and select the one on which to enable the AVC.
Select the pod-site_WLANID_1 profile and enable it.
Then click Apply
Step 3: Now connect a client to the #PODx SSID and pass traffic by browsing to different sites. Now wait for a few seconds and then go to C9800 main menu Monitor > Application Visibility

Step 4: The page will show a graphical view of the overall apps running on the network.
User can filter it per SSID, direction and time (up to 48 hrs.).
User can see the apps which clients are accessing.

Step 5: Similarly, if the user wants to view per client AV stats then click on Clients tab and select the client and click on View Application Details button
This will show all the apps usage in a % based pie-chart and in tabular format
Applying Application Visibility and Control (AVC) through QoS
Step 1: Now if the user wants to control the applications ( Mark, Drop or Rate limit) or the traffic then he can configure AVC.
In this exercise we will create a QoS policy to drop the YouTube application.
Go to Configuration > Services > QoS
Click on Add button and it will take you to QoS policy page.
Step 2: Configure the ‘Policy Name’ as pod#-QoS.
Click Add Class-Maps then from AVC/User Defined select AVC and check Drop box to mark the traffic to be dropped.
Match Type = protocol. From the Available Protocol(s) Select YouTube** and Twitter as dropped, then click Save
Select the profile on which user wants to apply this QoS policy, pod-site_WLANID_1 and click Save & Apply to Device

Step 3 Verification: Connect a client to the SSID #PODX and try accessing different sites e.g. cisco.com and also try accessing
YouTube or Twitter.
The client should be able to browse to all sites except YouTube or Twitter which are marked to be dropped
in the QoS policy.
PROCTOR NOTES
CLEAN UP WLC

- Check all WLAN – delete
- Check WLAN basic workflow site is deleted
- Check policy profiles are deleted
- Check tags >POD >Site >Policy, RF are deleted
- Anchor config > Peer config, remove anchor
- Remove AAA ISE (ISE method list, server, server group)
