First Published: March 31, 2020

Last Updated: June 19, 2020

Release Notes for Cisco Catalyst 9800 Series Wireless Controller, Cisco IOS XE Amsterdam 17.2.x

Introduction to Cisco Catalyst 9800 Series Wireless Controllers

The Cisco Catalyst 9800 Series Wireless Controllers comprise next-generation wireless controllers (referred to as controller in this document) built for intent-based networking. The Catalyst 9800 Series Wireless Controllers are Cisco IOS XE based and integrate the radio frequency (RF) capabilities from Cisco Aironet with the intent-based networking capabilities of Cisco IOS XE to create a best-in-class wireless experience for your organization.

The Catalyst 9800 controllers are enterprise ready to power your business-critical operations and transform end-customer experiences:

  • The controllers come with high availability (HA) and seamless software updates that are enabled by hot and cold patching. This keeps your clients and services up and running always, both during planned and unplanned events.

  • The controllers come with built-in security, including secure boot, run-time defenses, image signing, integrity verification, and hardware authenticity.

  • The controllers can be deployed anywhere to enable wireless connectivity, for example, on an on-premise device, on cloud (public or private), or embedded on a Cisco Catalyst switch or a Cisco Catalyst access point (AP).

  • The controllers can be managed using Cisco Digital Network Architecture (DNA) Center, Programmability interfaces, for example, NETCONF and YANG, or web-based GUI or CLI.

  • The controllers are built on a modular operating system. Open and programmable APIs enable the automation of your day zero to day n network operations. Model-driven streaming telemetry provides deep insights into your network and client health.

The Catalyst 9800 Series controllers are available in multiple form factors to cater to your deployment options:

  • Catalyst 9800 Series Wireless Controller Appliance

  • Catalyst 9800 Series Wireless Controller for Cloud

  • Catalyst 9800 Embedded Wireless Controller for a Cisco switch


Note

All of the Cisco IOS-XE programmability-related topics on the Cisco Catalyst 9800 controllers are supported by DevNet, either through community-based support or through DevNet developer support. For more information, go to https://developer.cisco.com.

What's New in Cisco IOS XE Amsterdam 17.2.1a

There are no new features or enhancements in this release.

What's New in Cisco IOS XE Amsterdam 17.2.1

This section provides information about the new features and enhancements in this release.

Aironet Extensions IE (CCX IE) Advertise AP Name: Aironet Extensions Information Elements (IE) is an attribute used by Cisco devices for better connectivity. IE has been enhanced to include the AP Name as an additional information that compatible clients can use. The Cisco Client Extensions (CCX) uses this information to associate with the best AP. For more information, see the Aironet Extensions IE (CCX IE) - Advertise AP Name chapter.

BSSID Counters: The BSSID Counters feature helps to retrieve the BSSID statistics when a client is associated with a WLAN for every configured interval. A new configuration is introduced in the controller per AP profile to enable or disable BSSID statistics on the access points. For more information, see the BSSID Counters chapter.

The following commands are introduced:

  • bssid-stats bssid-stats-frequency bssid-timer-seconds

  • bssid-neighbor-stats interval bssid-interval

Default Gateway Check: Starting from this release, the method to configure the gateway IP has been modified. The ip default-gateway gateway-ip command is not used. Instead, the gateway IP is selected based on the static routes configured. From among the static routes configured, the gateway IP that falls in the same subnet as the RMI subnet is chosen. If no matching static route is found, gateway failover will not work (even if management gateway-failover is enabled). For more information, see the Redundancy Management Interface section in High Availability chapter.

DHCP-required for Flex Local Switching: When this feature is enabled, the client will be able to pass traffic only if it has obtained an IP address through DHCP. In earlier releases DHCP required was only available for central switching. From this release, local switching is supported. For more information, see the Configuring DHCP-Required for FlexConnect section.

Dot11i Roaming: In this release, you can create a Mobility Domain ID (MDID) for each of the APs. All the APs configured with the same MDID share the PMK cache keys even if they are in different site tags. MDID supports PMK cache distribution in both, central authentication and local authentication. For more information, see the Mobility Domain ID - Dot11i Roaming chapter.

Dot11r Support for FlexConnect Local Authentication: From this release, fast transition is supported for FlexConnect local authentication, with local switching deployments. From this release onwards, PMK sharing is also supported via Mobility Domain ID (MDID). MDID is used by 802.11r to define a network in which an 802.11r fast roam is supported. For more information, see the Dot11r Support for FlexConnect Local Authentication chapter.

Static Tri-Radio Support: The Cisco Catalyst 9130 Access Points are designed for high density deployments. The 5 GHz radio can be statically configured as a single 8x8 radio or dual 4x4 radios operating and two channels in the 5GHz band. The modes can be manually configured using CLI. For more information, see the Cisco Access Points with Tri-Radio chapter.

The following commands are introduced:

  • ap name ap-name dot11 5ghz slot 1 dual-radio mode {disable | enable }

  • ap triradio {disable | enable}

  • show ap triradio summary

Fabric in a Box With External Fabric Edge: Starting with this release, the fabric in a box (FiaB) topology supports external fabric edge nodes. In a fabric enabled wireless environment using FiaB (border node, control plane, fabric edge, and wireless controller in the same box), you can expand the network by adding external fabric edge nodes. For more information, see the Fabric in a Box with External Fabric Edge chapter.

IPv6 Non-AVC QoS Support: This features brings IPV6 QoS (excluding AVC) to flex local switching and Fabric deployments. In these modes, the client traffic doesn't go through the controller, so the QoS Marking, Policing and Dropping is done at the AP. For more information, see the IPv6 Non-AVC QoS Support chapter.

Lobby Admin Access and Client Whitelisting: The global administrator creates and enables lobby admin users access to the WLAN. Lobby administrators adds or deletes a client from the allowed list to manage the association with a WLAN or an SSID through the GUI interface only. Changes in GUI include enabling lobby admin access by global administrator, creating new client allowed list by the lobby admin, managing client allowed list by the lobby admin. For more information, see the Lobby Admin Accounts chapter.


Note

In the existing implementation of the Client Whitelisting feature, WLAN specific allowed list client is added as a wildcard client. This behaviour will be modified in the upcoming major (extended maintenance) release.

Multi-LAG: Multi Link Aggregation Group (multi-LAG) provides flexibility in connecting controller to multiple switching infrastructures. Using multi-LAG, you can connect the multiple uplinks from the controller to separated uplink switches. For more information, see the Link Aggregation Group chapter.

Multicast Filtering: In this release, the Multicast Filtering feature is supported on Layer 3 for IPv4. When you enable this feature, the APs will stop forwarding multicast packets to the clients. For more information, see the Multicast Filtering chapter.

The following command is introduced:

  • multicast filter

Open Roaming: This feature enables mobile users to automatically and seamlessly roam across Wi-Fi and cellular networks. The new configuration template of the open roaming ANQP server simplifies the setup of a Hotspot 2.0 ANQP server. For more information, see the Hotspot 2.0 chapter.

The following command is introduced:

  • open-roaming oi

The following command was modified and type and open-roaming keywords were added.

  • wireless hotspot anqp-server

Opportunistic Key Caching (OKC) Enabling: A new configuration per WLAN in the controller is introduced from this release, to disable or enable Fast-Secure roaming with OKC at the access point. For more information, see the Opportunistic Key Caching chapter.

The following command is introduced:

  • no okc

QBSS-Load Information Element (IE): In this release, the QoS Basic Set Service (QBSS) load is automatically enabled with Wi-Fi Multimedia (WMM). A separate configuration knob is introduced to include or exclude QBSS load information element (IE), which is sent in beacon frames and probe responses. For more information, see the QoS Basic Set Service chapter.

The following command is introduced:

  • qbss-load

Remote LAN Local Switching: Starting with this release, after a CAPWAP DOWN/UP state, existing RLAN local switched client details are not available in the controller.

SGT and VN Attributes Display: Starting with this release, in the web UI, the Policy tab in the Clients page displays the Output VN and Output SGT attributes for Server Policies and Resultant Policies.

Spectrum Analysis: Network administrators receive RF violation issues from end-users or RF issue from DNAC. To analyze the violation, network administrators selects the required access point and analyzes the spectrogram stream. For more information, see the Spectrum Analysis chapter.

Support for Cisco Catalyst Industrial Wireless 6300 Heavy Duty Series Access Point: Starting with this release, bridge mode is supported on the IW6300 AP.

IW 6300 APs deliver secure, scalable, and flexible wireless connectivity to the most hazardous of industrial environments. Using this AP, you can deploy wireless connectivity anywhere, and stay online during the most extreme weather, in consistently hazardous areas, or during dangerous industrial events. It also provides upgraded 802.11ac Wave 2 capability and provides up to 867-Mbps data rate with 2 x 2 MIMO and 2 spatial streams. For more information about Cisco Catalyst Industrial Wireless 6300 AP, see https://www.cisco.com/c/en/us/products/wireless/industrial-wireless-6300-series/index.html

Cisco Catalyst Industrial Wireless 6300 AP supports the following modes:

  • Local Mode

  • Flex Connect Mode

  • Monitor Mode

  • WGB Mode

  • Bridge Mode

  • Flex + Bridge Mode

Target Wake Time: Target wake time (TWT) allows an AP to manage activity in the Wi-Fi network, in order to minimize medium contention between Stations (STAs), and to reduce the required amount of time that an STA in the power-save mode needs to be awake. This is achieved by allocating STAs to operate at non-overlapping times, and/or frequencies, and concentrate the frame exchanges in predefined service periods. For more information, see the Target Wake Time chapter.

Web UI Features

The following list shows the newly introduced web UI features and their path.

  • BSS Coloring Support: Configuration > Wireless > Access Points

  • Device Ecosystem Intelligent Client Scan Reports with MBO: Configuration > Tags & Profiles > WLANs

  • Lobby Admin Access and Client Whitelisting: Administration > User Administration

  • Tri-radio Support: Configuration > Wireless > Access Points

Behavior Changes

  • Sensor mode is not supported on the APs.

  • From this release onwards, Guestshell can access files only from the guest-share directory.

MIBs

The following MIBs were modified by adding new OIDs:

  • CISCO-LWAPP-AP-MIB.my

    • cLApDot11IfDualRadioMode

    • cLApDot11IfDualRadioCapable

    • cLApDot11IfRadioFRACapable

    • cLApDot11IfDualRadioOperation

    • cLApDot11IfRadioRole

    • cLApDot11IfRadioRoleOperation

    • cLApProfileWindowSize

    • cLApProfileCredentialGlobalSecretType

    • cLApProfileCredentialGlobalPasswordType

    • cLApProfile802dot1xSupplicantPasswordType

    • cLApProfileBssidEnableStats

    • cLApProfileBssidStatsFrequency

  • CISCO-LWAPP-RRM-MIB.my

    • clRrmBcoMode

    • clrRrmTriRadioMode

  • CISCO-LWAPP-WLAN-SECURITY-MIB.my

    • cLWSecDot11OsenEnable

  • CISCO-LWAPP-WLAN-MIB.my

    • cLWlanOpportunisticKeyCaching

    • cLWlan11axTwtBroadcastSupport

  • CISCO-LWAPP-WLAN-MIB.my

    • clGuestLanMobileStationProfileName

Supported Hardware

The following table lists the supported virtual and hardware platforms. (See Table 3 for the list of supported modules.)

Table 1. Supported Virtual and Hardware Platforms

Platform

Description

Cisco Catalyst 9800-80 Wireless Controller

A modular wireless controller with up to 100-GE modular uplinks and seamless software updates.

The controller occupies 2-rack unit space and supports multiple module uplinks.

Cisco Catalyst 9800-40 Wireless Controller

A fixed wireless controller with seamless software updates for mid-size to large enterprises.

The controller occupies 1-rack unit space and provides four 1-GE or 10-GE uplink ports.

Cisco Catalyst 9800 Wireless Controller for Cloud

A virtual form factor of the Catalyst 9800 Wireless Controller that can be deployed in a private cloud (supports ESXi, KVM, Microsoft Hyper-V, and NFVIS on ENCS hypervisors), or in the public cloud as Infrastructure as a Service (IaaS) in Amazon Web Services (AWS) and Google Cloud Platform (GCP) marketplace.

Cisco Catalyst 9800 Embedded Wireless Controller for Switch

The Catalyst 9800 Wireless Controller software for the Cisco Catalyst 9000 switches bring the wired and wireless infrastructure together with consistent policy and management.

This deployment model supports only SD Access, which is a highly secure solution for small campuses and distributed branches.

Cisco Catalyst 9800-L Wireless Controller

The Cisco Catalyst 9800-L Wireless Controller is the first low-end controller that provides a significant boost in performance and features.

The following table lists the host environments supported for private and public cloud.

Table 2. Supported Host Environments for Public and Private Cloud

Host Environment

Software Version

VMware ESXi

  • VMware ESXi vSphere 6.0, 6.7, and 7.0

  • VMware ESXi vCenter 6.0, 6.5, 6.7 and 7.0

KVM

  • Ubuntu 14.04.5 LTS, Ubuntu 16.04.5 LTS

AWS

AWS EC2 platform

NFVIS

ENCS 3.8.1 and 3.9.1

GCP

GCP marketplace

Microsoft Hyper-V

Windows 2019 Server and Windows Server 2016 (Version 1607) with Hyper-V Manager (Version 10.0.14393)

The following table lists the supported Cisco Catalyst 9800 Series Wireless Controller hardware models.

The Base PIDs are the model numbers of the controller.

The Bundled PIDs indicate the orderable part numbers for the Base PIDs that are bundled with a particular network module. Running the show version , show module or show inventory command on such a controller (bundled PID) displays its Base PID.

Note that unsupported SFPs will bring down a port. Only Cisco-supported SFPs (GLC-LH-SMD and GLC-SX-MMD) should be used on the RP port of C9800-80-K9 and C9800-40-K9.

Table 3. Supported PIDs and Ports

Controller Model

Description

C9800-CL-K9

Cisco Catalyst Wireless Controller as an infrastructure for Cloud.

C9800-80-K9

Eight 1/10-Gigabit Ethernet SFP or SFP+ ports and two power supply slots.

The following SFPs are supported:

  • GLC-BX-D

  • GLC-BX-U

  • GLC-EX-SMD

  • GLC-LH-SMD

  • GLC-SX-MMD

  • GLC-ZX-SMD

  • GLC-TE

The following enhanced SFPs are supported:

  • SFP-10G-AOC1M

  • SFP-10G-AOC2M

  • SFP-10G-AOC3M

  • SFP-10G-AOC5M

  • SFP-10G-AOC7M

  • SFP-10G-AOC10M

  • SFP-10G-SR

  • SFP-10G-SR-S

  • SFP-10G-SR-X

  • SFP-10G-ER

  • SFP-10G-ZR

  • SFP-H10GB-ACU7M

  • SFP-H10GB-ACU10M

  • DWDM-SFP10G-30.33

  • DWDM-SFP10G-61.41

The following QSFP+s are supported:

  • QSFP-40G-SR4

  • QSFP-40G-LR4

  • QSFP-40GE-LR4

  • QSFP-40G-ER4

  • QSFP-40G-SR4-S

  • QSFP-40G-LR4-S

  • QSFP-40G-SR-BD

  • QSFP-40G-BD-RX

  • QSFP-100G-SR4-S

  • QSFP-100G-LR4-S

C9800-40-K9

Four 1/10-Gigabit Ethernet SFP or SFP+ ports and two power supply slots

The following SFPs are supported:

  • GLC-BX-D

  • GLC-BX-U

  • GLC-LH-SMD

  • GLC-SX-MMD

  • GLC-EX-SMD

  • GLC-ZX-SMD

  • GLC-TE

The following enhanced SFPs are supported:

  • SFP-10G-AOC1M

  • SFP-10G-AOC2M

  • SFP-10G-AOC3M

  • SFP-10G-AOC5M

  • SFP-10G-AOC7M

  • SFP-10G-AOC10M

  • SFP-10G-SR

  • SFP-10G-SR-S

  • SFP-10G-SR-X

  • SFP-10G-ER

  • SFP-10G-ZR

  • SFP-H10GB-ACU7M

  • SFP-H10GB-ACU10M

  • DWDM-SFP10G-30.33 - DWDM-SFP10G-61.41

C9800-L-C-K9

  • 4x2.5/2-Gigabit ports

  • 2x10/5/2.5/1-Gigabit ports

The following SFPs are supported:

  • GLC-BX-D

  • GLC-BX-U

  • GLC-LH-SMD

  • GLC-SX-MMD

  • GLC-ZX-SMD

  • GLC-TE

C9800-L-F-K9

  • 4x2.5/2-Gigabit ports

  • 2x10/1-Gigabit ports

The following SFPs are supported:

  • GLC-BX-D

  • GLC-BX-U

  • GLC-SX-MMD

  • GLC-ZX-SMD

  • GLC-TE

  • SFP-10G-SR

  • SFP-10G-SR-S

  • SFP-10G-SR-X

  • SFP-H10GB-ACU7M

  • SFP-H10GB-ACU10M

Optics Modules

Cisco Catalyst 9800 Series Wireless Controller supports a wide range of optics. The list of supported optics is updated on a regular basis. See the tables at the following location for the latest transceiver module compatibility information:

https://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html

Supported APs

The following Cisco APs are supported in this release.

Indoor Access Points

  • Cisco Aironet 1700 Series Access Points

  • Cisco Aironet 1800 Series Access Points

  • Cisco Aironet 2700 Series Access Points

  • Cisco Aironet 2800 Series Access Points

  • Cisco Aironet 3700 Series Access Points

  • Cisco Aironet 3800 Series Access Points

  • Cisco Aironet 4800 Series Access Points

  • Cisco Catalyst 9115AXI Access Points

  • Cisco Catalyst 9117AXI Access Points

  • Cisco Catalyst 9120AXI Access Points (VID 06 or earlier) - supported from 17.3.1 to 17.3.5

  • Cisco Catalyst 9120AXI Access Points (VID 07 or earlier) - supported in 17.3.6

  • Cisco Catalyst 9120AXE Access Points (VID 06 or earlier) - supported from 17.3.1 to 17.3.5

  • Cisco Catalyst 9120AXE Access Points (VID 07 or earlier) - supported in 17.3.6

  • Cisco Catalyst 9120AXP Access Points

  • Cisco Catalyst 9130AXI Access Points (VID 03 or earlier) - supported in 17.3.6

    For information about Cisco Catalyst 9105, 9120, or 9130 Access Points support, see the Field Notice 72424.

  • Cisco Catalyst 9130AXE Access Points

Outdoor Access Points

  • Cisco Aironet 1542 Access Points

  • Cisco Aironet 1560 Series Access Points

  • Cisco Aironet 1570 Series Access Points

  • Cisco Industrial Wireless 3700 Series Access Points

  • Cisco Catalyst Industrial Wireless 6300 Heavy Duty Series Access Point

  • Cisco 6300 Series Embedded Services Access Point

  • Cisco Catalyst 9124AXI Access Points - supported from 17.3.4

  • Cisco Catalyst 9124AXD Access Points - supported from 17.3.4

  • Cisco Catalyst 9124AXE Access Points - supported from 17.3.5a

Integrated Access Points

  • Integrated Access Point on Cisco 1100 ISR

Network Sensor

  • Cisco Aironet 1800s Active Sensor

For information about Cisco Wireless software releases that support specific Cisco AP modules, see the "Software Release Support for Specific Access Point Modules" section in the Cisco Wireless Solutions Software Compatibility Matrix document.

Compatibility Matrix

The following table provides software compatibility information.

Table 4. Compatibility Information

Cisco Catalyst 9800 Series Wireless Controller Software

Cisco Identity Services Engine

Cisco CMX

Cisco Prime Infrastructure

Cisco AireOS-IRCM Interoperability

Cisco DNA Center

Amsterdam 17.2.1

2.7

2.6

2.4

10.6.2

10.6

10.5.1

3.8

8.10.171.0

8.10.162.0

8.10.122.0

8.10.121.0

8.10.113.0

8.10.112.0

8.10.105.0

8.9.111.0

8.9.100.0

8.8.125.0

8.8.120.0

8.8.111.0

8.5.164.0

See Cisco DNA Center Compatibility Information

GUI System Requirements

The following subsections list the hardware and software required to access the Cisco Catalyst 9800 Controller GUI.

Table 5. Hardware Requirements

Processor Speed

DRAM

Number of Colors

Resolution

Font Size

233 MHz minimum1

512 MB2

256

1280 x 800 or higher

Small
1 We recommend 1 GHz.
2 We recommend 1-GB DRAM.

Software Requirements

Operating Systems:

  • Windows 7 or later

  • Mac OS X 10.11 or later

Browsers:

  • Google Chrome: Version 59 or later (on Windows and Mac)

  • Microsoft Edge: Version 40 or later (on Windows)

  • Safari: Version 10 or later (on Mac)

  • Mozilla Firefox: Version 60 or later (on Windows and Mac)


Note

Firefox Version 63.x is not supported.

Before You Upgrade

Ensure that you familiarize yourself with the following points before proceeding with the upgrade:


Caution

During controller upgrade or reboot, if route processor ports are connected to any Cisco switch, ensure that the route processor ports are not flapped (shut/no shut process). Otherwise, it may lead to a kernel crash.


Note

  • ISSU feature is supported only within and between major releases, for example, 17.3.x (within a release) and 17.3.x to 17.6.x (among major releases).

  • Controller upgrade from Cisco IOS XE Bengaluru 17.3.x to Cisco IOS XE Bengaluru 17.6.x or Cisco IOS XE Cupertino 17.9.x or later using ISSU may fail if the domain command is configured. Ensure that you run the no domain command before starting an ISSU upgrade because the domain command has been removed from Cisco IOS XE Bengaluru 17.6.x.

  • Controller upgrade from Cisco IOS XE Bengaluru 17.3.x to any release using ISSU may fail if the snmp-server enable traps hsrp command is configured. Ensure that you remove the snmp-server enable traps hsrp command from the configuration before starting an ISSU upgrade because the snmp-server enable traps hsrp command has been removed from Cisco IOS XE Bengaluru 17.4.x.

  • Rolling AP upgrade, which is a part of the ISSU feature, is not supported for mesh APs.ISSU feature is in Beta for this release.

The following Wave 1 APs are not supported from 17.4 to 17.9.2, 17.10.x and 17.11.x.

  • Cisco Aironet 1570 Series Access Point

  • Cisco Aironet 1700 Series Access Point

  • Cisco Aironet 2700 Series Access Point

  • Cisco Aironet 3700 Series Access Point


Note

  • Support for the above APs were reintroduced from Cisco IOS XE Cupertino 17.9.3.

  • Support for these APs does not extend beyond the normal product lifecycle support. Refer to the individual End of Support bulletins.

  • Feature support is on parity with 17.3.x release. Features introduced in 17.4.1 or later are not supported on these APs in 17.9.3 release.

  • You can migrate directly to 17.9.3 from 17.3.x, where x=4c or above.

  • If APs fail to detect the backup image after running the archive download-sw command, perform the following steps:

    1. Upload the image using the no-reload option of the archive download-sw command: 

      Device# archive download-sw /no-reload tftp://<tftp_server_ip>/<image_name>

    2. Restart the CAPWAP process using capwap ap restart command. This allows the AP to use the correct backup image after the restart (reload is not required.) 

      Device# capwap ap restart

      Note

      The AP will lose connection to the controller during the join process. When the AP joins the new controller, it will see a new image in the backup partition. So, the AP will not download a new image from the controller.

  • Fragmentation lower than 1500 is not supported for RADIUS packets generated by wireless clients in Gi0 (OOB) interface.

  • Cisco IOS XE allows you to encrypt all the passwords used on the device. This includes user passwords and SSID passwords (PSK). For more information, see the "Password Encryption" section of the Cisco Catalyst 9800 Series Configuration Best Practices document.

  • While upgrading to Cisco IOS XE 17.3.x and later releases, if the ip http active-session-modules none command is enabled, you will not be able to access the controller GUI using HTTPS. To access the GUI using HTTPS, run the following commands in the following order:

    1. ip http session-module-list pkilist OPENRESTY_PKI

    2. ip http active-session-modules pkilist

  • Cisco Aironet 1815T OfficeExtend Access Point will be in local mode when connected to the controller. However, when it functions as a standalone AP, it gets converted to FlexConnect mode.

  • The Cisco Catalyst 9800-L Wireless Controller may fail to respond to the BREAK signals received on its console port during boot time, preventing users from getting to the ROMMON. This problem is observed on the controllers manufactured until November 2019, with the default config-register setting of 0x2102. This problem can be avoided if you set config-register to 0x2002. This problem is fixed in the 16.12(3r) ROMMON for Cisco Catalyst 9800-L Wireless Controller. For information about how to upgrade the ROMMON, see the Upgrading ROMMON for Cisco Catalyst 9800-L Wireless Controllers section of the Upgrading Field Programmable Hardware Devices for Cisco Catalyst 9800 Series Wireless Controllers document.

  • By default, the controller uses a TFTP block size value of 512, which is the lowest possible value. This default setting is used to ensure interoperability with legacy TFTP servers. If required, you can change the block size value to 8192 to speed up the transfer process, using the ip tftp blocksize command in global configuration mode.

  • We recommend that you configure the password encryption aes and the key config-key password-encrypt key commands to encrypt your password.

  • If the following error message is displayed after a reboot or system crash, we recommend that you regenerate the trustpoint certificate:
     ERR_SSL_VERSION_OR_CIPHER_MISMATCH

    Use the following commands, as given in the following order, to generate a new self-signed trustpoint certificate:

    1. device# configure terminal

    2. device(config)# no crypto pki trustpoint trustpoint_name

    3. device(config)# no ip http server

    4. device(config)# no ip http secure-server

    5. device(config)# ip http server

    6. device(config)# ip http secure-server

    7. device(config)# ip http authentication local/aaa

  • Do not deploy OVA files directly to VMware ESXi 6.5. We recommend that you use an OVF tool to deploy the OVA files.

  • Ensure that you remove the controller from Cisco Prime Infrastructure before disabling or enabling Netconf-YANG. Otherwise, the system may reload unexpectedly.

  • Unidirectional Link Detection (UDLD) protocol is not supported.

  • SIP media session snooping is not supported on FlexConnect local switching deployments.

  • The Cisco Catalyst 9800 Series Wireless Controllers (C9800-CL, C9800-L, C9800-40, and C9800-80) support a maximum of 14,000 leases with internal DHCP scope.

  • Configuring the mobility MAC address using the wireless mobility mac-address command is mandatory for both HA and 802.11r.

  • If you have Cisco Catalyst 9120 (E/I/P) and Cisco Catalyst 9130 (E) APs in your network and you want to downgrade, use only Cisco IOS XE Gibraltar 16.12.1t. Do not downgrade to Cisco IOS XE Gibraltar 16.12.1s.

  • The following SNMP variables are not supported:

    • CISCO-LWAPP-WLAN-MIB: cLWlanMdnsMode

    • CISCO-LWAPP-AP-MIB.my: cLApDot11IfRptncPresent, cLApDot11IfDartPresent

  • If you are upgrading from Cisco IOS XE Gibraltar 16.11.x or an earlier release, ensure that you unconfigure the advipservices boot-level licenses on both the active and standby controllers using the no license boot level advipservices command before the upgrade. Note that the license boot level advipservices command is not available in Cisco IOS XE Gibraltar 16.12.1s and 16.12.2s.

  • The Cisco Catalyst 9800 Series Wireless Controller has a service port that is referred to as GigabitEthernet 0 port.

    The following protocols and features are supported through this port:

    • Cisco DNA Center

    • Cisco Smart Software Manager

    • Cisco Prime Infrastructure

    • Telnet

    • Controller GUI

    • HTTP

    • HTTPS

    • Licensing for Smart Licensing feature to communicate with CSSM

    • SSH

  • During device upgrade using GUI, if a switchover occurs, the session expires and the upgrade process gets terminated. As a result, the GUI cannot display the upgrade state or status.

  • From Cisco IOS XE Bengaluru 17.4.1 onwards, the telemetry solution provides a name for the receiver address instead of the IP address for telemetry data. This is an additional option. During the controller downgrade and subsequent upgrade, there is likely to be an issue—the upgrade version uses the newly named receivers, and these are not recognized in the downgrade. The new configuration gets rejected and fails in the subsequent upgrade. Configuration loss can be avoided when the upgrade or downgrade is performed from Cisco DNA Centre.

  • Communication between Cisco Catalyst 9800 Series Wireless Controller and Cisco Prime Infrastructure uses different ports:

    • All the configurations and templates available in Cisco Prime Infrastructure are pushed through SNMP and CLI, using UDP port 161.

    • Operational data for controller is obtained over SNMP, using UDP port 162.

    • AP and client operational data leverage streaming telemetry:

      • Cisco Prime Infrastructure to controller: TCP port 830 is used by Cisco Prime Infrastructure to push the telemetry configuration to the controller (using NETCONF).

      • Controller to Cisco Prime Infrastructure: TCP port 20828 is used for Cisco IOS-XE 16.10.x and 16.11.x, and TCP port 20830 is used for Cisco IOS-XE 16.12.x, 17.1.x and later releases.

  • To migrate public IP address from 16.12.x to 17.x. ensure that you configure the service internal command. If you do not configure the service internal command, the IP address does not carry forward.

  • When you encounter the SNMP error "SNMP_ERRORSTATUS_NOACCESS 6", it means that the specified SNMP variable is not accessible.

Upgrading the Controller Software

This section describes the various aspects of upgrading the controller software.

Finding the Software Version

The package files for the Cisco IOS XE software are stored in the system board flash device (flash:).

Use the show version privileged EXEC command to see the software version that is running on your controller.


Note
Although the show version output always shows the software image running on the controller, the model name shown at the end of the output is the factory configuration, and does not change if you upgrade the software license.

Use the show install summary privileged EXEC command to see the information about the active package.

Use the dir filesystem: privileged EXEC command to see the directory names of other software images that you have stored in flash memory.

Software Images

  • Release: Cisco IOS XE Amsterdam 17.2.x

  • Image: Universal

  • File Name: C9800-universalk9_wlc.17.2.x.SPA.bin

Software Installation Commands

Cisco IOS XE Amsterdam 17.2.x

To install and activate a specified file, and to commit changes to be persistent across reloads, run the following command:

device# install add file filename [activate |commit]

To separately install, activate, commit, end, or remove the installation file, run the following command:

device# install ?

Note

 

We recommend that you use the GUI for installation.

add file tftp: filename

Copies the install file package from a remote location to a device, and performs a compatibility check for the platform and image versions.

activateauto-abort-timer]

Activates the file and reloads the device. The auto-abort-timer keyword automatically rolls back image activation.

commit

Makes changes that are persistent over reloads.

rollback to committed

Rolls back the update to the last committed version.

abort

Cancels file activation, and rolls back to the version that was running before the current installation procedure started.

remove

Deletes all unused and inactive software installation files.

Licensing

This section provides information about the licensing packages for the features that are available in the Cisco Catalyst 9800 Series Wireless Controller.

The software features that are available on the controller fall under these license categories:

  • AIR DNA Essentials (AIR-DNA-E)

  • AIR DNA Advantage (AIR-DNA-A) (Includes the features that are available with the Cisco DNA Essentials license and more.)


    Note

    The controller starts with AIR-DNA-A as the default. Any change in the license level requires a reboot.


Note

After adding new license in the Cisco Smart Software Manager (CSSM) for customer virtual account, run the license smart renew auth command on the controller to get the license status changed from Out OF Compliance to Authorized.

Base Licenses

Base licenses are perpetual licenses and can be used even after the expiry of Air-DNA-A and AIR-DNA-E. Base licenses include:

  • AIR Network Essentials (AIR-NE)

  • AIR Network Advantage (AIR-NA) (Includes the features that are available in the Network Essentials license.)

License Term

The licenses are available for a three, five, or seven-year periods.

For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide.

Interoperability with Clients

This section describes the interoperability of the controller software with client devices.

The following table lists the configurations used for testing client devices.

Table 6. Test Configuration for Interoperability

Hardware or Software Parameter

Hardware or Software Type

Release

Cisco IOS XE Amsterdam 17.2.x

Cisco Wireless Controller

See Supported Hardware.

Access Points

See Supported APs.

Radio

  • 802.11ax

  • 802.11ac

  • 802.11a

  • 802.11g

  • 802.11n

Security

Open, PSK (WPA2-AES), 802.1X (WPA2-AES) (EAP-FAST, EAP-TLS)

802.11ax

RADIUS

See Compatibility Matrix

Types of tests

Connectivity, traffic (ICMP), and roaming between two APs

The following table lists the client types on which the tests were conducted. Client types included laptops, hand-held devices, phones, and printers.

Table 7. Client Types

Client Type and Name

Driver or Software Version

Wi-Fi 6 Devices (Mobile Phone and Laptop)
Apple iPhone 11 iOS 14.1

Apple iPhone SE 2020

 iOS 14.1
Dell Intel AX1650w Windows 10 ( 21.90.2.1)
Dell Latitude 5491 (Intel AX200) Windows 10 Pro (21.40.2)
Samsung S20 Android 10
Samsung S10 (SM-G973U1) Android 9.0 (One UI 1.1)
Samsung S10e (SM-G970U1) Android 9.0 (One UI 1.1)
Samsung Galaxy S10+ Android 9.0

Samsung Galaxy Fold 2

 Android 10

Samsung Galaxy Flip Z

 Android 10

Samsung Note 20

 Android 10

Laptops
Acer Aspire E 15 E5-573-3870 (Qualcomm Atheros QCA9377) Windows 10 Pro (12.0.0.832)
Apple Macbook Air 11 inch OS Sierra 10.12.6
Apple Macbook Air 13 inch OS Catalina 10.15.4
Apple Macbook Air 13 inch OS High Sierra 10.13.4
Macbook Pro Retina OS Mojave 10.14.3
Macbook Pro Retina 13 inch early 2015 OS Mojave 10.14.3

Dell Inspiron 2020 Chromebook

Chrome OS 75.0.3770.129

Google Pixelbook Go

Chrome OS 84.0.4147.136

HP chromebook 11a

Chrome OS 76.0.3809.136

Samsung Chromebook 4+

Chrome OS 77.0.3865.105
Dell Latitude 3480  (Qualcomm DELL wireless 1820) Win 10 Pro (12.0.0.242)
Dell Inspiron 15-7569 (Intel Dual Band Wireless-AC 3165) Windows 10 Home (18.32.0.5)
Dell Latitude E5540 (Intel Dual Band Wireless AC7260) Windows 7 Professional (21.10.1)
Dell XPS 12 v9250 (Intel Dual Band Wireless AC 8260 ) Windows 10 (19.50.1.6)
Dell Latitude 5491 (Intel AX200) Windows 10 Pro (21.40.2)
Dell XPS Latitude12 9250 (Intel Dual Band Wireless AC 8260) Windows 10 Home (21.40.0)

Lenovo Yoga C630 Snapdragon 850 (Qualcomm AC 2x2 Svc)

Windows 10 (1.0.10440.0)
Lenovo Thinkpad Yoga 460 (Intel Dual Band Wireless-AC 9260) Windows 10 Pro ( 21.40.0)

Note

 
For clients using Intel wireless cards, we recommend that you to update to the latest Intel wireless drivers if the advertised SSIDs are not visible.

Tablets
Apple iPad Pro iOS 13.5
Apple iPad Air2 MGLW2LL/A iOS 12.4.1
Apple iPad Mini 4 9.0.1 MK872LL/A iOS 11.4.1
Apple iPad Mini 2 ME279LL/A iOS 12.0
Microsoft Surface Pro 3 – 11ac Qualcomm Atheros QCA61x4A
Microsoft Surface Pro 3 – 11ax Intel AX201 chipset. Driver v21.40.1.3
Microsoft Surface Pro 7 – 11ax Intel Wi-Fi chip (HarrisonPeak AX201) (11ax, WPA3)
Microsoft Surface Pro X – 11ac & WPA3 WCN3998 Wi-Fi Chip (11ac, WPA3)

Mobile Phones
Apple iPhone 5 iOS 12.4.1
Apple iPhone 6s iOS 13.5
Apple iPhone 8 iOS 13.5
Apple iPhone X MQA52LL/A iOS 13.5
Apple iPhone 11 iOS 14.1
Apple iPhone SE MLY12LL/A iOS 11.3
ASCOM SH1 Myco2 Build 2.1
ASCOM SH1 Myco2 Build 4.5
ASCOM Myco 3 v1.2.3 Android 8.1
Drager Delta VG9.0.2
Drager M300.3 VG2.4
Drager M300.4 VG2.4
Drager M540 DG6.0.2 (1.2.6)
Google Pixel 2 Android 10
Google Pixel 3 Android 11

Google Pixel 3a

Android 11
Google Pixel 4 Android 11
Huawei Mate 20 pro Android 9.0
Huawei P20 Pro Android 9.0

Huawei P40

Android 10
LG v40 ThinQ Android 9.0

One Plus 8

Android 10

Oppo Find X2

Android 10

Redmi K20 Pro

Android 10
Samsung Galaxy S7 Andriod 6.0.1
Samsung Galaxy S7 SM - G930F Android 8.0
Samsung Galaxy S8 Android 8.0
Samsung Galaxy S9+ - G965U1 Android 9.0
Samsung Galaxy SM - G950U Android 7.0

Sony Experia 1 ii

Android 10
Sony Experia xz3 Android 9.0

Xiaomi Mi10

Android 10
Spectralink 8744 Android 5.1.1
Spectralink Versity Phones 9540 Android 8.1
Vocera Badges B3000n 4.3.2.5
Vocera Smart Badges V5000 5.0.4.30
Zebra MC40 Android 5.0
Zebra MC40N0 Android 4.1.1
Zebra MC92N0 Android  4.4.4
Zebra TC51 Android 7.1.2
Zebra TC52 Android 8.1.0
Zebra TC55 Android 8.1.0
Zebra TC57 Android 8.1.0
Zebra TC70 Android 6.1
Zebra TC75 Android 6.1.1
Printers
Zebra QLn320 Printer LINK OS 6.3
Zebra ZT230 Printer LINK OS 6.3
Zebra ZQ310 Printer LINK OS 6.3
Zebra ZD410 Printer LINK OS 6.3
Zebra ZT410 Printer LINK OS 6.3
Zebra ZQ610 Printer LINK OS 6.3
Zebra ZQ620 Printer LINK OS 6.3

Wireless Module

Intel 11ax 200

 Driver v22.20.0

Intel AC 9260

 Driver v21.40.0

Intel Dual Band Wireless AC 8260

Driver v19.50.1.6

Caveats

Caveats describe unexpected behavior in Cisco IOS releases in a product. Caveats that are listed as Open in a prior release are carried forward to the next release as either Open or Resolved.


Note

All incremental releases contain fixes from the current release.

Cisco Bug Search Tool

The Cisco Bug Search Tool (BST) allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The BST is designed to improve the effectiveness in network risk management and device troubleshooting. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.

To view the details of a caveat, click the corresponding identifier.

Open Caveats for Cisco IOS XE Amsterdam 17.2.1a

Caveat ID

Description

CSCvu00121

Cisco Aironet AP 185x/184x reboots by deadlock triggered kernel panic in radio driver code.

Open Caveats for Cisco IOS XE Amsterdam 17.2.1

Caveat ID

Description

CSCvm75074

Correct the severity level of logs generated by smart-agent from notice to debug.

CSCvt01659

Client traffic is stuck, after controller receives the Change of Authorization (CoA) as part of Local Web Authentication (LWA) and Central Web Authentication (CWA).

CSCvt11877

Random switchovers are observed on the Cisco Catalyst 9800 Wireless Controller for Cloud in HA mode.

CSCvt19736

11ax feature is automatically enabled after upgrading from Cisco IOS XE 16.12.2s to Cisco IOS XE 17.1.1s.

CSCvt29596

Current Tx rate for 802.11ax clients are displayed incorrectly on the controller.

CSCvt35141

Deny webauth WLANs from being tagged to authentication servers that has load balancing enabled.

CSCvt35766

Controller is allowing WPA-TKIP + WPA2‚ without any encryption.

CSCvt37835

Client is unable to associate when extended supported rates are used.

CSCvt41035

AP 360 view is not showing client count, ch/tx/rx utilization for 2.4 GHz, but shows for 5 GHz.

CSCvt41053

AP shows incorrect WLAN to VLAN assignment.

CSCvt41519

Controller reloads unexpectedly when an AP with same name of an existing AP joins.

CSCvt42261

Cisco DNA Centre Swim upgrade failed.

CSCvt46733

Cisco Catalyst 9800 Series Wireless Controller Address Resolution Protocol (ARP) handling design change.

CSCvt47787

Roaming is not successful when NAC is enabled in the policy profile.

CSCvt48319

Remove all client lists from the show tech wireless command output.

CSCvt49983

The show ap auto RF command output is displaying invalid values for some APs.

CSCvt52436

Controller is unable to downgrade license.

CSCvt55482

Controller displays incorrect number of interferers.

CSCvt57421

Cisco Aironet 4800 AP is underpowered when USB is disabled.

Resolved Caveats for Cisco IOS XE Amsterdam 17.2.1a

Caveat ID

Description

CSCvt47413

IW-6300H/1562/2800/3800/4800 series APs are failing DFS compliance

CSCvt98797

Channel Availability Check (CAC) is skipped after channel change on 2800/3800/4800/1560/IW6300

CSCvu02495

Wave 2 AP boot failure with message saying bad lzma header and AP unable to boot and join controller.

Resolved Caveats for Cisco IOS XE Amsterdam 17.2.1

Caveat ID

Description

CSCvk79909

Remove all standby R0 commands from the show tech wireless command output.

CSCvq66798

External web authentication log out page is not working.

CSCvq68047

OpenDNS resolver IPs are not coming with NETCONF/RESTCONF with defaults.

CSCvq70386

The show hw-module subslot 0/1 transceiver 0 idprom brief command failed to show any output.

CSCvq80854

Simplify WLAN configuration for Layer 2 and Layer 3 security options.

CSCvr09334

The show ap auto-rf dot11 24ghz command output is not displaying entries of Cisco Aironet 4800 AP, after a day.

CSCvr13531

Core files under standby bootflash is shown twice on the web UI.

CSCvr24930

Controller is displaying wncd crash@ewlc_dgram_msg_and_msgbuf_free message with In-Service Software Upgrade (ISSU) flow in scale.

CSCvr26579

Controller deauthenticates client when receiving DHCP release from the client.

CSCvr44175

System displays memory warning during controller image download.

CSCvr45109

Traceback is observed on the standby controller while unconfiguring port-channel.

CSCvr52588

QoS police configuration is deleted after adding or removing it to policy profile using web UI.

CSCvr70395

Controller is sending delete event for AP impersonation.

CSCvr71770

Wired multicast Domain Name System (mDNS) packet is getting punted to WNCD.

CSCvr84336

Client is stuck in IP learn state with flex mode AP.

CSCvr91736

Web UI is not displaying slot-2 details in 360 degree view.

CSCvr96040

NETCONF/RESTCONF server is not reachable after a switchover.

CSCvs01799

Stack_mgr process logs only the internal btrace logs.

CSCvs03191

Controller is unable to scale above 3000 new allowed list users with multiple WLANs using bulk import.

CSCvs15446

Cisco Catalyst 9800-L Wireless Controller HA: Traceback is observed after reload.

CSCvs17412

Backhaul configuration for PSK is showing error as resource not found.

CSCvs20264

Off-channel interference is not being reported.

CSCvs21105

Update & Apply to Device button is not working after configuring FT-PSK with WPA2+WPA3 in web UI.

CSCvs31054

Btman core has been observed.

CSCvs34222

Print a warning message during packet (SWPortMacConflict) drop.

CSCvs45249

Unable to enter a valid URL for urlfilter.

CSCvs60927

Frequent AP channel changes are observed on the 5GHz band radio.

CSCvs63467

IPv6 dual stack is not working.

CSCvs72078

Client retries and Rx packets on Cisco DNA Centre is different from the value seen on the AP.

CSCvs72524

Though dynamic channel allocation (DCA) is set to be OFF, it is still assigning channels to AP radios.

CSCvt13127

Controller is not able to display medium power when AP sends 25W message.

CSCvt16139

Controller is not sending redirect URL if client is already trying to authenticate.

CSCvt31798

Controller running Cisco IOS XE Gibraltar 16.12.3 software is not sending RSSI messages over NMSP.

CSCvt55181

Unable to configure SNMP settings using GUI in Japanese mode.

Related Documentation

Information about Cisco IOS XE is available at:

https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-xe/index.html

Cisco Validated Designs documents are available at:

https://www.cisco.com/go/designzone

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use the Cisco MIB Locator found at:

http://www.cisco.com/go/mibs

Cisco Wireless Controller

For more information about the Cisco wireless controller, lightweight APs, and mesh APs, see these documents:

The installation guide for your controller is available at:

For all Cisco Wireless Controller software-related documentation, see:

https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/tsd-products-support-series-home.html

Cisco Catalyst 9800 Wireless Controller Data Sheets

Cisco Embedded Wireless Controller on Catalyst Access Points

For more information about the Cisco Embedded Wireless Controller on Catalyst Access Points, see:

https://www.cisco.com/c/en/us/support/wireless/embedded-wireless-controller-catalyst-access-points/tsd-products-support-series-home.html

Wireless Products Comparison

Cisco Prime Infrastructure

Cisco Prime Infrastructure Documentation

Cisco Connected Mobile Experiences

Cisco Connected Mobile Experiences Documentation

Cisco DNA Center

Cisco DNA Center Documentation

Communications, Services, and Additional Information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.