TAC Recommended IOS-XE Builds for Catalyst 9800 Wireless LAN Controllers

Introduction

This document provides guidance for customers to find the most reliable IOS-XE software for Catalyst Wireless LAN Controllers.  This covers:

• Appliances (9800-40,9800-80,9800-L)
• Virtual Controllers (9800-CL in private and public clouds)
• Embedded Wireless Controllers on Catalyst 9000 Series switches
• Embedded Wireless Controllers on Catalyst Access Points (EWC-AP)

The Cisco Wireless Technical Assistance Center (TAC) recommends builds from each released train of IOS-XE software. Typically, a newly released version (either maintenance release or new code train) is given a minimum of 2-3 weeks soak time in the field, and only if no catastrophic issues are seen, then it becomes a candidate for TAC's general recommendation. These recommendations may be updated on a weekly basis.

TAC Recommended Builds

Amsterdam 17.3.1

IOS-XE 17.3.1 is new long-lived train with several MRs planned. It introduces several new features such as Embedded Wireless on Catalyst 9k switches, User Defined Network (UDN), BLE on controller via DNASpaces, IOT Module Management and WIFI6 Assurance via DNACenter, split http/https for webauth and webadmin, etc.

For customers needing features and hardware support, only available in 17.1.x train, the current cisco.com code available is  17.3.1.  However, 17.3 is vulnerable to

CSCvv45072

Symptom: C9800 experiences continuous crashes when any auto-QoS or custom service-policy is in use. 

Workaround: Disable auto QoS or custom QoS service-policies

Fix: 17.3.1 ES2

CSCvv32535

Symptom: C9800 reloads when Smart License Reservation (SLR) is in use and CLIs related to SLR are executed. For example, SLE registration, #show license reservation #show license tech support,  login to webUI as administrator (as it triggers a "show license all" in the background). 

Workaround: Do not use SLR; use direct connect to CSSM (with or without proxy) or use latest release 8-202008 for on-prem CSSM.

Fix: 17.3 ES2

CSCvv87417

Symptom: No impact when running 17.3 itself but when downgrading from 17.3 to  16.12.4a, telemetry configuration will result in crash of c9800 and boot loop. Workaround: Disable telemetry before downgrading. Issue seen post the fix in 17.3; under investigation.

Amsterdam 17.2.1

IOS-XE 17.2.1 is a short lived train with no maintenance releases planned.

• 17.2.1 and 17.2.1a are deferred for C9800 WLC and any customers running these releases should upgrade to 17.3.1 as soon as possible. SeeField Notice FN70577  and CSCvu24770 .

For features not supported on 16.12, TAC recommends IOS-XE 17.3.1.

Amsterdam 17.1.1

IOS-XE 17.1.1 is a short-lived release with no maintainance planned. See End of Life - Bulletin

• 17.1.1s is the first release in the 17.x train that supports C9800 WLC.
• 17.1.1s and 17.1.1t are deferred for C9800 WLC and any customers running these releases should upgrade to 17.3.1 as soon as possible. SeeField Notice FN70577  and CSCvu24770 .
  

For features not supported on 16.12, TAC recommends IOS-XE 17.3.1.

Gibraltar 16.12

IOS-XE 16.12 will be the first long-lived release train for the 9800. This release introduced support for

• 9800-L
• 9800-CL on Google Cloud
• 9120AXE, 9130AXI
• Embedded Wireless Controller on Catalyst Access Point (EWC-AP)

All 16.12.x releases prior to 16.12.4a (16.12.1, 16.12.1s, 16.12.1t, 16.12.2s, 16.12.2t, 16.12.3, 16.12.3s) are currently deferred to address CSCvu24770.

TAC recommends 16.12.4a for all deployments.

Note: End of Life for 16.12 has been announced with last MR targeted for August 2021

 
1) Beware of CSCvv87417 if downgrading from 17.3. Disable telemetry before downgrading.
2) If running 16.11/16.12.1/16.12.1s, Catalyst 9120AXE Access Points which are only supported starting 16.12.2s will join, download code and get corrupted leading to constant reload. Sometimes capwapd crash will get reported with these reloads. Refer: CSCvr40133  and CSCvr02462. In order to recover, you will need to get console access to AP and download AP image based off 16.12.4a onto the second partition on AP flash.

Please refer to the below for complete SDA compatibility information.

Gibraltar 16.11.1

IOS-XE 16.11.1 is a short-lived release with no more maintenance planned. Refer End of Life - Bulletin.

For all features in 16.x, TAC recommends 16.12.4a.

Gilbraltar 16.10.1

IOS-XE 16.10.1 is the first release of IOS-XE software that officially supports Catalyst 9800 SKUs (Appliances: 9800-40, 9800-80; 9800 on private/public cloud; 9800-CL, as well as 9800 software on Catalyst 9300 Switches).  IOS-XE 16.10.1e is the first release to support Cisco DNA Center integration with the Catalyst 9800. 

This is short-lived release with no maintenance planned. Refer End of Life - Bulletin.

For all features in 16.x, TAC recommends 16.12.4a.

Note for Software Defined Access (SDA)

Always refer to the SDA Compatibility Matrix for code combination recommendations that work best for SDA. It lists specific combinations of code on Cisco DNA Center, the Identity Service Engine (ISE), switches, routers and Wireless LAN Controller codes that have been tested by the SDA Solution Test team at Cisco.

Inter Release Controller Mobility (IRCM)

• For Inter-Release Controller Mobility (IRCM) compatibility with AireOS WLCs, TAC recommends AireOS 8.8.130.0 or above.
• For customers who have older WLCs or Access Points in their environment, and cannot upgrade past AireOS 8.5, contact the TAC for an "8.5 IRCM" special image for 5508/8510/5520/8540/3504, or send an mail to wnbu-escalation@cisco.com.

For AireOS recommended code, please refer to:

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html