Introduction
This document provides guidance for you to find the most reliable Cisco IOS XE software for Catalyst Wireless LAN Controllers (WLCs). This covers:
- Appliances (9800-40,9800-80,9800-L)
- Virtual Controllers (9800-CL in private and public clouds)
- Embedded Wireless Controllers on Catalyst 9000 Series switches
- Embedded Wireless Controllers on Catalyst Access Points (EWC-AP)
The recommendations cover all the releases Cisco IOS XE software applicable to Catalyst 9800 WLCs. Typically, a newly released version (either maintenance release or new code train) is given a minimum of 2-3 weeks soak time in the field, and only if no catastrophic issues are reported, it becomes a candidate for Cisco's general recommendation. These recommendations are updated frequently as we receive feedback through internal testing, TAC cases, etc.
TAC Recommended Builds
Cupertino 17.8.1
Cisco IOS XE 17.8.1 is a short-lived release with no MRs planned. The new features supported in this release are listed in 17.8.1 Release Notes . It is recommended for deployments needing new hardware or new features supported in 17.7.1 and 17.8.1.
Note: Deployments with C9130s and C9124s, if running 17.3.3 need to upgrade to 17.3.4c before upgrading to 17.8.1
Cupertino 17.7.1
Cisco IOS XE 17.7.1 is a short-lived release with no MRs planned. See 17.7.1 EoL Bulletin. The new features supported in this release are listed in 17.7.1 Release Notes. For all features and hardware supported starting 17.7.1, you are recommended to use 17.8.1
Caution: 17.7.1 is impacted by CSCwb13784 which prevents wave 2 and 11ax APs from joining if the path MTU drops below 1000 bytes
Bengaluru 17.6
Cisco IOS XE 17.6.x is a long-lived train with several MRs planned. Cisco recommends 17.6.3 CCO image for all deployments without IOS APs.
17.6.3
IOS XE 17.6.2 is a bug-fix only release. It includes all the fixes in 17.3.5a + the fix for CSCwb13784. For customers using location with CMX or DNA Spaces, please be aware of CSCwb65054. SMU (hot patch) posted on cisco.com
17.6.2
IOS XE 17.6.2 is a bug-fix only release. 17.6.2 is impacted by CSCwb13784 which prevents wave 2 and 11ax APs from joining if the path MTU drops below 1000 bytes. You are recommended to upgrade to 17.6.3
17.6.1
The new features supported in this release are documented in 17.6 Release Notes . 17.6.1 is vulnerable to several critical defects seen in 17.3.4 and you are recommended to upgrade to 17.6.3
Bengaluru 17.5.1
Cisco IOS XE 17.5.1 is a short-lived release with no MRs planned. Refer 17.5 End of Life Bulletin The new features supported in this release are listed in 17.5 Release Notes. For all hardware and features supported starting 17.5, you are recommended to migrate to 17.6.2.
Bengaluru 17.4.1
Cisco IOS XE 17.4.1 is a short-lived release with no MRs planned. Refer 17.4 End of Life Bulletin. The list of features supported in 17.4 are listed in 17.4 Release Notes. For all hardware and features supported starting 17.4, you are recommended to migrate to 17.6.2.
Amsterdam 17.3
Cisco IOS XE 17.3.x is a long-lived train with several MRs planned. 17.3 is the last Cisco IOS-XE release for C9800 WLC to support IOS APs (with the exception of IW3700 which is still supported on later releases). Cisco recommends 17.3.5a CCO image + SMU for all deployments with IOS APs.
17.3 End of Life Bulletin has been announced with last planned MR due by March 31, 2023. Use this timeline to plan your migration to 17.6 release
17.3.5a
Cisco IOS XE 17.3.5a several important fixes including
- Fixes for known triggers of high CPU in WNCd (probes, ARP storm among others)
- CAPWAP keepalive prioritization to prevent APs from dropping when WNCd CPU utilization spikes.
- Syslog to diagnose when SSID stops broadcasting and CLI recovery mechanism. Refer CSCwb01162.
Caution: 17.3.5a CCO image is impacted by CSCwb13784 which prevents wave 2 and 11ax APs from joining if the path MTU drops below 1000 bytes and prevents IOS APs (1700/2700/3700) from joining if the path MTU drops below 1500 bytes.
Fix: SMU (hot patch) posted to cisco.com provides fix for the issue and is mandatory to apply.
17.3.4c
Cisco IOS XE 17.3.4c fixes several critical and wide impact bugs in 17.3.4.
17.3.4
Cisco IOS XE 17.3.4 is a bug-fix only release.
17.3.3
Cisco IOS XE 17.3.3 is a bug-fix only release.
Caution: 17.3.3 is vulnerable to CSCvy11981
Symptom: WNCD crash
Trigger: If an AP name is 32 or more characters, there is memory corruption which leads to this crash
Workaround: Ensure no AP name is 32 or more characters
17.3.2a
Cisco IOS XE 17.3.2a , though a maintenance release, introduces features in addition to bug fixes. These features include
- Smart Licensing using Policy [GUI Config only available in 17.4.1]
- OEAP Personal SSID
- AP Authorization using Serial Number [extended to all APs beyond those that present wlancc+FIPS +LSC certificate]
- Assurance and IoT Services Coexistence Without iCAP
- TLS tunnel to DNA-C on Cloud
17.3.1
Cisco IOS XE 17.3.1 introduced support for below hardware and solutions
- 9105I and 9105W Access Points
- Higher throughput template on 9800CL
- Embedded Wireless on Catalyst 9k switches (non-SDA)
- User Defined Network (UDN) and UDN Mobile Application
- BLE Management on Controller
- IOT Module Management
For full list, refer to 17.3 Release Notes
Amsterdam 17.2.1
Cisco IOS XE 17.2.1 is a short lived train with no maintenance releases planned. See 17.2 End of Life Bulletin All 17.2.x releases for C9800 are deferred.due to Field Notice FN70577 and CSCvu24770 . Cisco recommends to migrate to 17.3.4c
Amsterdam 17.1.1
Cisco IOS XE 17.1.1 is a short-lived release with no maintenance planned. See 17.1 End of Life - Bulletin. All 17.2.x releases for C9800 are deferred.due to Field Notice FN70577 and CSCvu24770 . Cisco recommends to migrate to 17.3.4c
Gibraltar 16.12
Cisco IOS XE 16.12 is the first long-lived release train for the 9800. 16.12.1 introduced support for these hardware and solutions.
- 9800-L
- 9800-CL on Google Cloud
- 9120AXE, 9130AXI
- Embedded Wireless Controller on Catalyst Access Point (EWC-AP)
16.12.6a
All 16.12.x release from 16.12.2 through 16.12.6a are bug-fix only releases. 16.12.6a is the last planned MR in this train. Refer 16.12 End of Life Bulletin. Cisco recommends 16.12.6a at the minimum for all deployments and migration to 17.3.5a+SMU 4c or 17.6.3 depending on AP models in your deployment.
Note:All 16.12.x releases prior to 16.12.4a (16.12.1, 16.12.1s, 16.12.1t, 16.12.2s, 16.12.2t, 16.12.3, 16.12.3s) are currently deferred to address CSCvu24770.
Gibraltar 16.11.1
Cisco IOS XE 16.11.1 is a short-lived release with no more maintenance planned. Refer End of Life - Bulletin. For all features in 16.x, Cisco recommends 17.3.4c
Gilbraltar 16.10.1
Cisco IOS XE 16.10.1 is the first release of Cisco IOS XE software that officially supports Catalyst 9800 SKUs (Appliances: 9800-40, 9800-80; 9800 on private/public cloud; 9800-CL, as well as 9800 software on Catalyst 9300 Switches). Cisco IOS XE 16.10.1e is the first release to support Cisco DNA Center integration with the Catalyst 9800. This is short-lived release with no maintenance planned. Refer End of Life - Bulletin. For all features in 16.x, Cisco recommends 17.3.4c
Field Programmable (FPGA) Firmware on Hardware 9800 WLC
On physical Catalyst 9800 WLCs (9800L, 9800-40, 9800-80), besides IOS-XE, there are two other pieces of code that can be upgraded.
- ROM Monitor (ROMMON) - It is the bootstrap program that initializes hardware and boots the IOS-XE software on the C9800 appliance. You can check the ROMMON version running on your appliance by executing this command.
#show rom-monitor chassis {active | standby} R0
- PHY - It refers to physical layer, specifically, the Shared Port Adapter (SPA) module that supports the front end distribution and uplink ports on C9800 appliances. You can view the PHY version running on your appliance by executing this command.
#show platform hardware chassis active qfp datapath pmd ifdev | include FW
New firmware is typically released to protect the health of the system (temperature sensors, fan, power supply etc) and to address problems with data forwarding ina nd out of the physical ports. Cisco recommends upgrading to latest FPGA firmware available. Upgrade Procedure along with the specific defects that for which new firmware was released if documented at Upgrade C9800 FPGA. Table 1 lists the version for each platform.
|
ROMMON |
Ethernet PHY |
Fiber PHY |
9800-L-F |
16.12(3r) |
N/A |
17.3.2 |
9800-L-C |
16.12(3r) |
17.3.2 |
N/A |
9800-40 |
N/A |
N/A |
16.0.0 |
9800-80 |
17.3(3r) |
N/A |
16.0.0 |
High Availability Software Maintenance on 9800 WLC
C9800 provides multiple features that ensure availability during software maintenance phase of the deployment lifecycle. These include In-Service Software Upgrade (ISSU), Rolling AP upgrade, Hot and Cold Patch to address WLC defects or psirts, AP patches to address AP specific fixes as well as to support newer AP models on existing controller code.
ISSU
ISSU support was introduced in 17.3.1 and is limited to long-lived releases (17.3.x, 17.6.x, and 17.9.x). That is, ISSU works
- Within long-lived major releases , for example, 17.3.x to 17.3.y, 17.6.x to 17.6.y, 17.9.x to 17.9.y
- Between long-lived major releases , for example, 17.3.x to 17.6.x, 17.3.x to 17.9.x
Note: This is limited to two long-lived releases after the current supported long-lived release.
ISSU is NOT supported
- Within minor releases of short-lived release trains, for example 17.4.x to 17.4.y or 17.5.x to 17.5.y
- Between minor and major releases of short-lived release trains, for example 17.4.x to 17.5.x
- Between long-lived and short-lived releases 17.3.x to 17.4.x or 17.5.x to 17.6.x.
Software Maintenance Upgrade (SMU) Patch
C9800 supports both Cold and Hot Patching which enables bug fixes to be provided as a Software Maintenance Upgrade (SMU) file.
- Hot Patch - System reload is not required meaning WLC and APs continue to operate. In case of 9800 Stateful Switchover (SSO) pair, SMU install process applies the patch to both chassis.
- Cold Patch - System reload is needed for Cold Patch. In case of 9800 SSO pair, cold patch can be applied without downtime.
Access Point Service Pack
Fixes for software defects on Access Points (APs) can be delivered via Access Point Service Packs. This requires reload of the APs but not of the 9800 WLC.
Access Point Device Pack
Support for newer AP models is made available on existing WLC code, without needing WLC code upgrade. This AP will only support the features available in existing WLC code.
Guidelines and Requirements
- SMU patches are only generated for long-lived releases like 16.12, 17.3, 17.6 etc after their MD release.
- SMUs can only be applied on 9800 WLC running Network Advantage License at the minimum. Refer Wireless Features Matrix for different Licenses
- SMUs that are applicable to most deployments, are posted to cisco.com for customers to download on their own.
- SMU or a patch is not possible for all bug fixes. Code changes involved in the bug fix typically determine the patchability.
- Applicability of SMU is evaluated on a per-defect basis. If your C9800 qualifies for an SMU patch, based on its licensing and you need an SMU for a specific defect, please engage Cisco's Technical Assistance Center (TAC) to get the bug evaluated.
Refer C9800 WLC Patching Guide for more details on these capabilities.
Cisco.com Location of SMUs, APSP and APDP images for different 9800s
Step 1. Navigate to Downloads Home, and search for 9800 in the search bar for Select a Product, choose 9800 form factor applicable to you.

Step 2. From Software Type menu, choose SMU or APSP or APDP as needed.

Note for Software Defined Access (SDA)
Always refer to the SDA Compatibility Matrix for code combination recommendations that work best for SDA. It lists specific combinations of code on Cisco DNA Center, the Identity Service Engine (ISE), switches, routers and Wireless LAN Controller codes that have been tested by the SDA Solution Test team at Cisco.
Inter Release Controller Mobility (IRCM)
- IRCM is not supported with 2504/7510/vWLC Controllers and only supported with 5508/8510/5520/8540/3504 platforms.
- For Inter-Release Controller Mobility (IRCM) compatibility with AireOS WLCs,
- TAC recommends AireOS 8.10.171.0 for all deployments.
- For deployments with older WLCs or Access Points in their environment, which cannot be upgraded past AireOS 8.5, TAC recommends 8.5.182.104 IRCM code.
Note:Not all 8.5 code versions support IRCM. 8.5 IRCM versions available on cisco.com include 8.5.164.0, 8.5.164.216, 8.5.176.0, 8.5.176.1. 8.5.176.2, 8.5.182.104.
For AireOS recommended code, please refer to:
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html
Features supported On Catalyst 9800 Series Wireless LAN Controllers
Release Notes
Cisco IOS XE Wireless Feature List per Release
AireOS to Cisco IOS XE feature Comparison Matrix
Flexconnect Feature Matrix for wave2 and 11ax Access Points