Re: DNAC and C9800 Confusion regarding site tag

StefanSeubert44470 · ‎10-26-2022

Hello dear community,
I noticed something strange on our WLAN controllers today. I had a WLAN controller that had a separate site tag for almost every access point, even though all access points are on the same floor.
The WLAN controller (C9800-CL) and access points (C9120axi) are provisioned by DNAC.
Up to now, it was actually always the case that a separate site tag was created for each floor. All access points on the floor received this tag during provisioning.
I then checked other WLAN controllers. On another controller which serves a building with 12 floors, I have only three site tags.
Our WLAN settings in the DNA Center were created in an early version and meanwhile the scope in DNAC has been extended as well.
Does anyone here happen to know when DNAC creates a site tag?

DNAC Version: 2.3.3.5

C9800 Version: 17.6.2 & 17.6.4

At that time it was still a site tag per floor
We stumbled upon this because we have roaming problems in some locations and FAST roaming is apparently only supposed to work well if the APs have the same site tag and thus exchange the key.

In my research I also stumbled upon the topic of MDID. Here I do not understand what is meant by "open configuration model". CLI and GUI do not give that. In the DNAC I also find nothing.

Many thanks and greetings,
Stefan

Parthiv Shah · ‎10-26-2022

Hi

Do you see this problem even when you provisioning in 2.3.3.5 or is this different site tag issue was already happened pre-2.3.3.5 and just noticed it?

Thanks
Parthiv

StefanSeubert44470 · ‎10-26-2022

Hi Parthiv,

we have applied the update to 2.3.3.5 2 weeks ago.
The access points of the site where each AP got a site tag was provisioned before. But I do not know if with DNAC 2.3.3.3 or 2.3.3.4.
BR Stefan

Parthiv Shah · ‎10-26-2022

Hi,

If it was provisioned in Pre-2.3.3.5 release than that is possible. Can you check provisioning in 2.3.3.5 and if it still doesn’t work, let us know?

Thanks
Parthiv

willwetherman · ‎10-26-2022

Hi @StefanSeubert44470

This is my understanding of how DNA Center provisions Cisco 9800 WLC Site Tags and Policy Tags:

An auto-generated Site Tag is created at the building level of the network hierarchy with all floors under the same building inheriting the same Site Tag. Access points that are provisioned to multiple floors within the same building inherit the same Site Tag.

An auto-generated Policy Tag is created at the floor level of the network hierarchy. Access points that are provisioned to the same floor within the same building inherit the same Policy Tag.

As an example, consider a scenario with the following DNA Center locations:

Site1/Building1/Floor1

Site1/Buidling1/Floor2

Site1/Building2/Floor1

AP1 that is assigned to Site1/Building1/Floor1 will be assigned Site Tag 'ST_Site1_Buiding1_<UID>_<Index> ' and Policy Tag 'PT_Site1_Building1_Floor1_<UID>'

AP2 that is assigned to Site1/Building1/Floor2 will be assigned Site Tag 'ST_Site1_Buiding1_<UID>_<Index>' and Policy Tag 'PT_Site1_Building1_Floor2_<UID>'

AP3 that is assigned to Site1/Building2/Floor1 will be assigned Site Tag 'ST_Site1_Buiding2_<UID>_<Index>' and Policy Tag 'PT_Site1_Building2_Floor1_<UID>'

I've recently upgraded one of our sites to DNA Center version 2.3.3.5 (that was built on version 2.1.2.x) with 9800-40 version 17.6.4 and the behavior has not changed. When provisioning existing/new access points, one Site Tag is provisioned per building and one Policy Tag is provisioned per floor. Note that DNA Center 2.1.2.X introduced the ability to create custom Site Tags which can be configured under the Wireless Network Profile and mapped to different floors. A custom Site Tag allows the administrator to group access points on a per floor or a building level and create a roaming domain. The auto-generated site tag by DNA Center is created at a building level while a custom site allows the tag to be mapped over to a building or on a per floor level.

Can you look at the configuration of the DNA Center Wireless Network Profile(s) that are associated to the sites that you are experiencing issues with and check if any of these profiles have any custom Site Tags configured? If you have custom Site Tags, then this will explain why you have separate tags per floor at least. If your access points are being allocated separate Site Tags on the same floor, then I can only assume that you are hitting a bug as this is not expected/documented behavior. I would advise raising this with TAC.

Will

StefanSeubert44470 · ‎11-17-2022

Hi Will,

at the moment we don´t use custom site tags because we run in another issue with this when we provision the APs. I have also perceived your explanation in the past as follows. Site Tag based on the building and Policy Tag per floor.

Nevertheless, I had access points in a building that consistently all had their own auto site tag.
Since the custom site tag didn't work for us, I recreated the building, created the floors and provisioned the APs to these new floors. Here, the DNAC again provisioned everything correctly.
What I noticed here is that DNAC creates a new auto site tag after a certain number of APs.
We have a 12-floor building with about 150 APs and at about 75 I saw that within a floor now again two different site tags were provisioned.
Probably this is due to the best practice recommendation of Cisco that you should have max. 100 APs per site tag.
It's just stupid that you can not control this and must pay attention to it, otherwise there may be roaming problems.

I will now have a look at the custom site tag and check why we are running into an error here. According to the bug info, you should recreate the wireless profile once. For this I have to build a test environment first.

Stefan

willwetherman · ‎11-19-2022

Hi @StefanSeubert44470

Thanks for sharing your observations. I was not aware that DNAC provisioned multiple site tags per building depending on the number of APs installed. I've read through the various user guides and release notes, and there is no mention of this behavior. I have also not observed this in any of my deployments, which in some buildings have 300+ APs installed.

100 APs per site tag also seems quite low (unless you are using Flexconnect) and contradicts the recommendations in the Cisco Catalyst 9800 Series Best Practice Guide (https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#Roamingbetweenpolicytags) which recommends to limit the number of APs per site tag to no more than 500. The best practice document also states that all APs within the same roaming domain should be assigned to the same site tag otherwise optimised/fast roaming will not work correctly which is what you have indicated. Could you be hitting the below bug. Out of interest is your deployment using local switching or Flexconnect as this could also explain the differing behavior?

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc69467

Will

StefanSeubert44470 · ‎11-21-2022

Hi Will

the bug report describes exactly our problem. And now it explains why we don't have it anymore. In the meantime we have updated the DNAC to 2.3.35.

But in this version I also saw that it created a new site tag after about 70. However, from then on all APs were provided with the new site tag.
I am no longer sure where I read about the 100 APs per site tag. But 500 would be sufficient. We use FlexConnect with all our APs

BR Stefan

Tobias Heisele · ‎11-21-2022

Hi @StefanSeubert44470 ,

regarding APs per Sitetag, see https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2022/pdf/BRKEWN-2087.pdf "Site Tag - Design considerations" p56ff.

DNAC normally creates one set of profiles/tags on the WLC per Wireless Network Profile within Design area.

HTH