Cisco Wireless Segmentation with Profiles and Tags

Large enterprise networks might have many access points (AP), and not all APs require the same settings.

With the previous generation of wireless LAN controllers (WLCs) running AireOS, many settings were global and applied to all APs, whether they needed them or not.

The Cisco WLCs based on IOS-XE, such as the Catalyst 9800, allow granular control of all settings without configuring every AP individually. They accomplish this by using a combination of tags and profiles.

In a nutshell, here is how it works:

  • We configure settings and parameters in profiles.
  • We link these profiles to tags.
  • We add tags to one or more APs.

Here’s how to visualize this:

[Image: Cisco WLC IOS-XE tags, profiles and AP]

This is a scalable method to configure many APs based on the requirements of the wireless LAN. Here is an example:

[Image: Cisco WLC IOS-XE segmentation, two sites, APs and tags]

Imagine we have a network with multiple sites. Site one only has an office. Site two has an office and an R&D department. The wireless LAN in the office might use a different SSID and different security settings than the wireless LAN for the R&D department. By using different tags that reference different profiles, we can quickly apply different settings to groups of APs.


There are three tags:

  • Policy tag
  • Site tag
  • RF tag

We’ll examine each in detail.

Default Tags

By default, APs get assigned the following default tags:

  • Policy: default-policy-tag
  • Site: default-site-tag
  • RF: default-rf-tag

I’m using Cisco IOS Software [Dublin], C9800-CL Software (C9800-CL-K9_IOSXE), Version 17.11.1, RELEASE SOFTWARE (fc2) for the upcoming examples.

Here’s a screenshot where you can see the default tags:

[Image: Cisco WLC 9800 edit AP, default tags]

You can edit these default tags, or you can create new ones. Let’s take a closer look at these tags.

Policy Tag

The policy tag is where we link a WLAN profile and policy profile. Take a look at the screenshot below:

[Image: Cisco WLC 9800 default policy tag, default policy profile]

In the policy tag settings, we can see two things:

  • This tag uses the “default-policy-profile” profile.
  • This tag uses the “TEST” WLAN profile.

Here’s how to visualize this tag:

[Image: Cisco WLC policy tag, policy profile, WLAN profile]

Site Tag

The site tag is where we link the AP join profile (and Fabric Control Plane Name). Here is a screenshot of the site tag settings:

[Image: Cisco WLC 9800 default site tag, default AP profile]

The “default-site-tag” tag uses the profile “default-ap-profile”. Here’s a visualization:

[Image: Cisco WLC site tag, default AP profile]

RF Tag

The RF tag links the RF profiles for the different frequencies. Here is a screenshot of the “default-rf-tag” tag:

[Image: Cisco WLC 9800 default RF tag, band RF profile]

This output is interesting. By default, it has a “default-rf-profile-6ghz” for the 6 GHz band, but for the 2.4 and 5 GHz bands, it refers to the global config instead of a profile. I’m surprised they didn’t use a profile by default for the 2.4 and 5 GHz bands as well. Here’s how to visualize this:

[Image: Cisco WLC site tag, default RF profile]

Let me show you the “global config” items. Here’s what these global configuration settings look like:

[Image: Cisco WLC 9800 global network, 5 GHz band]

Below are the default RRM settings per band:

[Image: Cisco WLC 9800 global RRM, 5 GHz band]

These are global configuration items, not a profile. However, these settings can also be configured in a profile. I’m unsure why they used global settings for these two bands. Here is a visualization of all default AP tags and profiles:

[Image: Cisco WLC AP default tags and profiles]
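The two-site scenario above, as an added Python example (not part of the original lesson and not Cisco code): it follows the AP → policy tag → WLAN profile chain and audits the result for segmentation mistakes, such as an AP left on the default policy tag or an R&D WLAN served from an office AP. Apart from the default tag and profile names and the TEST WLAN, every tag, profile and AP name, the `zone` field and the allowed-WLAN policy are assumptions made for illustration.

```python
"""Resolve AP -> policy tag -> WLAN profile and audit it (constructed data)."""
DEFAULT_POLICY_TAG = "default-policy-tag"
# Profiles hold the settings.
WLAN_PROFILES = {
    "TEST": {"ssid": "TEST", "l2_security": "WPA2"},
    "OFFICE": {"ssid": "Office", "l2_security": "WPA2"},
    "RND": {"ssid": "RnD", "l2_security": "WPA3"},
}
POLICY_PROFILES = {"default-policy-profile", "office-policy", "rnd-policy"}
# A policy tag links WLAN profiles to policy profiles.
POLICY_TAGS = {
    "default-policy-tag": [("TEST", "default-policy-profile")],
    "office-tag": [("OFFICE", "office-policy")],
    "rnd-tag": [("RND", "rnd-policy"), ("GUEST", "office-policy")],  # GUEST undefined
}

# Tags are attached to APs. "zone" (hypothetical) is the segment an AP serves.
APS = {
    "site1-ap1": {"zone": "office", "policy": "office-tag"},
    "site2-ap1": {"zone": "office", "policy": "rnd-tag"},  # wrong tag
    "site2-ap2": {"zone": "rnd", "policy": "rnd-tag"},
    "site2-ap3": {"zone": "office", "policy": DEFAULT_POLICY_TAG},
}
ALLOWED_WLANS = {"office": {"OFFICE"}, "rnd": {"RND"}}  # assumed policy


def ssids_on(ap_name):
    """Follow AP -> policy tag -> WLAN profiles; return the SSIDs it serves."""
    links = POLICY_TAGS.get(APS[ap_name]["policy"], [])
    return [WLAN_PROFILES[w]["ssid"] for w, _ in links if w in WLAN_PROFILES]


def audit():
    """Return sorted (ap, finding) pairs for segmentation problems."""
    findings = set()
    for name, ap in APS.items():
        if ap["policy"] == DEFAULT_POLICY_TAG:
            findings.add((name, "still on default-policy-tag"))
        for wlan, policy in POLICY_TAGS.get(ap["policy"], []):
            if wlan not in WLAN_PROFILES or policy not in POLICY_PROFILES:
                findings.add((name, f"dangling link {wlan}/{policy}"))
            elif wlan not in ALLOWED_WLANS[ap["zone"]]:
                findings.add((name, f"{wlan} not allowed in zone {ap['zone']}"))
    return sorted(findings)


if __name__ == "__main__":
    for ap_name, finding in audit():
        print(f"{ap_name}: {finding}, SSIDs {ssids_on(ap_name)}")
```

Because the settings live in profiles and APs only carry tags, fixing `site2-ap1` means changing one tag assignment rather than editing any WLAN settings.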


A profile is a collection of settings and parameters. There are many different profiles we can use, such as:

  • AP Join Profile
  • Calendar Profile
  • Flex Profile
  • Multi BSSID Profile
  • Policy Profile
  • Power Profile
  • Remote LAN Profile
  • RF/Radio Profile
  • WLAN Profile

The WLC has some default profiles which you can edit, or you can create new profiles. We’ll take a look at the most common profiles.

AP Join Profile

The AP join profile has all settings related to the AP. For example:

  • General
    • Country code
    • LED state
    • NTP Server
    • OfficeExtend
  • Client
    • TCP MSS
    • Heartbeat and discovery timers
    • Backup and secondary WLC
  • AP
  • Management
    • TFTP
    • System Log
    • Telnet
    • SSH
    • CDP
  • Security
    • Rogue Detection
  • ICap
    • Client Telemetry
    • AP Telemetry
  • QoS
    • DSCP settings

Here is what it looks like:

[Image: Cisco WLC 9800 AP join profile]

WLAN Profile

This profile is where we configure the SSID and security settings for the wireless LAN. For example:

  • General
    • SSID
    • Status (enabled or disabled)
    • Broadcast SSID
    • Radio Policy
      • 6 GHz
      • 5 GHz
      • 2.4 GHz
  • Security
    • Layer two
      • WPA, WPA2, WPA3, WEP.
      • WPA parameters
      • WPA2/WPA3 encryption
      • Protected management frame
      • Fast transition
      • Authentication key management
      • MPSK
    • Layer three
      • Web policy
    • AAA
      • Authentication list
      • Local EAP Authentication
  • Advanced
    • P2P Blocking Action
    • MIMO settings
    • Client Steering
    • Max Client Connections
    • Load balance
    • Band select
    • WMM Policy
    • mDNS
    • Assisted Roaming
    • DTIM Period
  • Add To Policy Tags
    • This is where you link the WLAN profile to a policy tag.

Here is what it looks like:

Content created by Rene Molenaar (CCIE #41726)