The Wireless Management Interface (WMI) is the mandatory Layer 3 interface on the Cisco Catalyst 9800 Wireless Controller. It is used for all communications between the controller and access points. Also, it is used for all CAPWAP or inter-controller mobility messaging and tunneling traffic.

WMI is also the default interface for in-band management and connectivity to enterprise services, such as, AAA, syslog, SNMP, and so on. You can use the WMI IP address to remotely connect to the device using SSH or Telnet (or) access the Graphical User Interface (GUI) using HTTP or HTTPs by entering the wireless management interface IP address of the controller in the address field of your browser.

Note	There is only one Wireless Management Interface (WMI) on the controller.

Note

Layer 3 interface is not supported in Cisco Catalyst 9800-CL Cloud Wireless Controller Guest anchor scenarios. Instead, it is recommended to use the Layer 2 interfaces and SVI for WMI. It is recommended to use Layer 3 interface for Public cloud deployments only and not for on-premise as it poses some limitations. The following are the sample Layer 3 and Layer 2 interface configurations: Layer 3 interface configuration: interface GigabitEthernet2 no switchport ip address <ip_address> <mask> negotiation auto no mop enabled no mop sysid end Layer 2 interface configuration: interface GigabitEthernet2 switchport trunk allowed vlan 25,169,504 switchport mode trunk negotiation auto no mop enabled no mop sysid end

The Wireless Management Interface is a Layer 3 interface and can be configured with an IPv4 address, IPv6 address, or using a dual-stack configuration.

It is always recommend to use a wireless management VLAN and configure WMI as a Switched VLAN Interface (SVI). If the uplink port or port-channel to the next-hop switch is configured as a dot1q trunk, the wireless management VLAN would be one of the allowed tagged VLAN on the trunk.

The recommendation is true independently of the deployment mode of APs (local, FlexConnect, or SDA) with the following exceptions:

• The WMI is configured as an L3 port for Cisco Catalyst 9800 Wireless Controller deployed in a Public Cloud environment.

• The WMI is configured as a loopback interface for embedded wireless controller in Cisco Catalyst 9000 switches.

It is always recommended to statically assign IPv6 address in WMI and not configure using the ipv6 auto-config command.

Note	The ipv6 auto-config command is not supported.

Note	You can use only one AP manager interface on Cisco Catalyst 9800 Wireless Controller called the WMI to terminate CAPWAP traffic.

NAT enables private IP networks that use non-registered IP addresses to connect to the Internet. NAT operates on a device, usually connecting two networks. Before packets are forwarded onto another network, NAT translates the private (not globally unique) addresses from the internal network into public addresses. NAT can be configured to advertise to the outside world only few addresses for the entire internal network. This ability provides more security by effectively hiding the private network details.

If you want to deploy your Cisco Catalyst 9800 Wireless Controller on a private network and make it reachable from internet, you need to have the controller behind a router, firewall, or other gateway device that uses one-to-one mapping Network Address Translation (NAT).

To do so, perform the following:

• Configure the NAT device with 1:1 static mapping of the Wireless Management interface IP address (private IP) to a unique external (public) IP address configured on the NAT device.

• Enable the NAT feature on the Wireless Controller and specify its external public IP address. This public IP is used in the discovery responses to APs, so that the APs can then send CAPWAP packets to the right destination.

• Make sure that the external APs discover the public IP of the controller using DHCP, DNS, or PnP.

Note	You need not enable NAT if the Cisco Catalyst 9800 Wireless Controller is deployed with a public address. Instead you will need to configure the public IP directly on the Wireless Management Interface (WMI).

In a CAPWAP environment, a lightweight access point discovers a wireless controller by using CAPWAP discovery mechanisms, and then sends a CAPWAP join request to the controller. The controller sends a CAPWAP join response to the access point that allows the access point to join the controller.

If the wireless controller is behind a NAT device, the controller responds to the discovery response in the following ways:

• Using the public IP.

• Using the private IP.

• Using public and private IP.

The Public IP needs to be mapped to the controller’s Private IP using static 1:1 NAT configuration on the router or firewall performing the NAT translation.

If your wireless controller manages only Access Points reachable through the public internet (external APs), you need to configure the controller so it responds with only the Public IP in the discovery response.

If your wireless controller manages both internal and external APs, you need to configure the controller so it responds with both Public and Private IPs in the discovery response.