Release Notes for Cisco Catalyst 9800 Series Wireless Controller, Cisco IOS XE Gibraltar 16.10.x

Introduction to Cisco Catalyst 9800 Series Wireless Controllers


The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product.

Cisco Catalyst 9800 Series comprises next-generation wireless controllers (controller) built for intent-based networking. The Catalyst 9800 Series Wireless Controllers are Cisco IOS XE-based and integrate the radio frequency (RF) capabilities from Cisco Aironet with the intent-based networking capabilities of Cisco IOS XE to create a best-in-class wireless experience for your organization.

The Catalyst 9800 wireless controllers are enterprise-ready to power your business-critical operations and transform end-customer experiences:

  • The controllers come with high availability (HA) and seamless software updates that are enabled by hot and cold patching. This keeps your clients and services on always, both during planned and unplanned events.

  • The controllers come with built-in security, including secure boot, run-time defenses, image signing, integrity verification, and hardware authenticity.

  • The controllers can be deployed anywhere to enable wireless connectivity, for example, on an on-premise device, on cloud (public or private), or embedded on a Cisco Catalyst switch or Catalyst access point (AP).

  • The controllers can be managed using Cisco Digital Network Architecture (DNA) Center, Programmability interfaces, for example, NETCONF and YANG, web-based GUI, or CLI.

  • The controllers are built on a modular operating system. Open and programmable APIs enable the automation of your Day 0 to Dayn network operations. Model-driven streaming telemetry provides deep insights into your network and client health.

The Catalyst 9800 Series Wireless Controllers are available in multiple form factors to cater to your deployment options:

  • Catalyst 9800 Series Wireless Controller Appliance

  • Catalyst 9800 Series Wireless Controller for Cloud

  • Catalyst 9800 Embedded Wireless Controller for a switch


All of the Cisco IOS-XE programmability-related topics on the Cisco Catalyst 9800 Wireless Controller are supported by DevNet, either through community-based support or through DevNet developer support. For more information, go to

What's New in Cisco IOS XE Gibraltar 16.10.1

The following table lists the supported virtual and hardware platforms:

Supported Virtual and Hardware Platforms

Table 1. Supported Virtual and Hardware Platforms



Cisco Catalyst 9800-80 Wireless Controller

Modular wireless controller with up to 100-GE uplinks and seamless software updates.

Controller occupies 2-rack unit space and supports multiple module uplinks.

See Table for the list of supported modules.

Cisco Catalyst 9800-40 Wireless Controller

A fixed wireless controller with seamless software updates for mid-size to large enterprises.

Controller occupies 1-rack unit space and provides four 1-GE or 10-GE uplink ports.

Cisco Catalyst 9800 Wireless Controller for Cloud

A virtual form factor of the Catalyst 9800 Wireless Controller that can be deployed in a private cloud (supports ESXi, KVM, and NFVIS on ENCS hypervisors) or in the public cloud as Infrastructure as a Service (IaaS).

Cisco Catalyst 9800 Embedded Wireless Controller for Switch

Catalyst 9800 Wireless Controller software for the Cisco Catalyst 9300 switch brings the wired and wireless infrastructure together with consistent policy and management.

This deployment model supports only SD Access, which is a highly secure solution for small campuses and distributed branches. The embedded controller supports access points (APs) only in Fabric mode.

The following table lists the host environments supported for private and public cloud.

Table 2. Supported Host Environments for Public and Private Cloud

Host Environment

Software Version

VMware ESXi

  • VMware ESXi vSphere 6.0

  • VMware ESXi vCenter 6.0


  • Linux KVM based on Red Hat Enterprise Linux 7.1 and 7.2

  • Ubuntu 14.04.5 LTS, Ubuntu 16.04.5 LTS


AWS EC2 platform


ENCS 3.8.1 and 3.9.1

YANG Data Models

For the complete list of Cisco IOS XE YANG models available with this release, go to Revision statements embedded in the YANG files indicate if there has been a model revision. The file in the same GitHub location highlights the changes that have been made in this release.

Important Notes

  • By default, the controller uses a TFTP block size value of 512, which is the lowest possible value. This default setting is used to ensure interoperability with legacy TFTP servers. However, you can manually change the block size value to 8192 K using the ip tftp blocksize command in global configuration mode to speed up the transfer process.

  • We recommend that you configure the password encryption aes and the key config-key password-encrypt key commands to encrypt your password.

  • The features and functions that work on IPv4 networks with IPv4 addresses also works on IPv6 networks with IPv6 addresses. For a list of unsupported features, see the Unsupported Features section of the Native IPv6 feature.

  • If you encounter ERR_SSL_VERSION_OR_CIPHER_MISMATCH error from the GUI after a reboot or system crash, we recommend that you regenerate the trustpoint certificate.

    The procedure to generate a new self signed trustpoint is as follows:

    configure terminal
    no crypto pki trustpoint <trustpoint_name>
    no ip http server
    no ip http secure-server
    ip http server
    ip http secure-server
    ip http authentication <local/aaa>
    ! use local or aaa as applicable.
  • SNMPv3 user configuration is not reflected in the running configuration. Only SNMPv3 group configuration is visible.

  • The Cisco Catalyst 9800 Series Wireless Controller has a service port, which is referred to as GigabitEthernet 0 port. You cannot use this port for RADIUS, SNMP, DNAC Telemetry, and other communications.

    The service port only supports the following IP protocols:

    • HTTP

    • HTTPS

    • SSH

    • Licensing for Smart Licensing feature to communicate with CSSM

Supported Hardware

The following table lists the supported Cisco Catalyst 9800 Series Wireless Controller hardware models and the default license levels they are delivered with.

The Base PIDs are the model numbers of the controller.

The Bundled PIDs indicate the orderable part numbers for the Base PIDs that are bundled with a particular network module. Entering the show version , show module , or show inventory command on such a controller (bundled PID), displays its Base PID.

Table 3. Supported PIDs and Ports

Controller Model



4 1/10-Gigabit Ethernet SFP or SFP+ ports and two power supply slots


8 1/10-Gigabit Ethernet SFP/SFP+ ports and two power supply slots

The following QSFP+ ports are also supported:

  • EPA-18X1GE

  • EPA-10X10GE

  • EPA-1X40GE

  • EPA-2X40GE

  • EPA-1X100GE


Catalyst Wireless Controller as an infrastructure for Cloud.

Cisco Catalyst 9800 Embedded Wireless Controller for Switch

Catalyst Wireless Controller function on Switch

Optics Modules

Cisco Catalyst 9800 Series Wireless Controller support a wide range of optics. The list of supported optics is updated on a regular basis. See the tables at this URL for the latest transceiver module compatibility information:

Compatibility Matrix

The following table provides software compatibility information.

Table 4. Compatibility Matrix

Cisco Catalyst 9800 Series Wireless Controller

Cisco Identity Services Engine

Cisco CMX

Cisco Prime Infrastructure

Cisco AireOS-IRCM Interoperability

Gibraltar 16.10.1






Web UI System Requirements

The following subsections list the hardware and software required to access the Web UI:

Table 5. Hardware Requirements

Processor Speed


Number of Colors


Font Size

233 MHz minimum1

512 MB2


1280 x 800 or higher


1 We recommend 1 GHz
2 We recommend 1 GB DRAM

Software Requirements

Operating Systems:

  • Windows 7 or later

  • Mac OS X 10.11 or later


  • Google Chrome—Version 59 or later (on Windows and Mac)

  • Microsoft Edge (on Windows)

  • Mozilla Firefox—Version 54 or later (on Windows and Mac)

  • Safari—Version 10 or later (on Mac)

Supported Cisco Access Point Platforms

The following Cisco AP platforms are supported in this release:

Indoor Access Points

  • Cisco Aironet 1700 Series Access Points

  • Cisco Aironet 1800 Series Access Points

  • Cisco Aironet 2700 Series Access Points

  • Cisco Aironet 2800 Series Access Points

  • Cisco Aironet 3700 Series Access Points

  • Cisco Aironet 3800 Series Access Points

  • Cisco Aironet 4800 Series Access Points

Outdoor Access Points

  • Cisco Aironet 1542 Access Points

  • Cisco Aironet 1560 Series Access Points

  • Cisco Aironet 1570 Series Access Points

Integrated Access Points

  • Integrated Access Point on Cisco 1100 ISR

Network Sensor

  • Cisco Aironet 1800s Active Sensor

For information about Cisco Wireless software releases that support specific Cisco AP modules, see the "Software Release Support for Specific Access Point Modules" section in the Cisco Wireless Solutions Software Compatibility Matrix document.

Upgrading the Controller Software

This section describes the various aspects of upgrading the controller software.

Finding the Software Version

The package files for the Cisco IOS XE software are stored on the system board flash device (flash:).

Use the show version privileged EXEC command to see the software version that is running on your controller.


Although the show version output always shows the software image running on the controller, the model name shown at the end of this output is the factory configuration, and does not change if you upgrade the software license.

Use the show install summary privileged EXEC command to see the information about the active package.

You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you have stored in flash memory.

Software Images

  • Release—Cisco IOS XE Gibraltar 16.10.1

  • Image—Universal

  • File Name—C9800-universalk9_wlc.16.10.01.SPA.bin

Software Installation Commands

Cisco IOS XE Gibraltar 16.10.1

To install and activate a specified file, and to commit changes to be persistent across reloads, run the following command:

Device# install add file filename [ activate| commit]

To separately install, activate, commit, end, or remove the installation file, run the following command:

Device# install ?


We recommend that you use the GUI for installation.

add file tftp: filename

Copies the install file package from a remote location to a device, and performs a compatibility check for the platform and image versions.

activate[ auto-abort-timer]

Activates the file and reloads the device. The auto-abort-timer keyword automatically rolls back image activation.


Makes changes that are persistent over reloads.

rollback to committed

Rolls back the update to the last committed version.


Cancels file activation, and rolls back to the version that was running before the current installation procedure started.


Deletes all unused and inactive software installation files.


This section provides information about the licensing packages for the features that are available in the Cisco Catalyst 9800 Series Wireless Controller.

The software features that are available on the controller fall under these license categories:

  • AIR DNA Essentials (AIR-DNA-E)

  • AIR DNA Advantage (AIR-DNA-A) (Includes the features that are available with the Cisco DNA Essentials license and more.)


    The controller starts with AIR-DNA-A as the default. Any change in the license level requires a reboot.


After adding new license in the Cisco Smart Software Manager (CSSM) for customer virtual account, run the license smart renew auth command on the controller to get the license status changed from Out OF Compliance to Authorized.

Base Licenses

Base licenses are perpetual licenses and can be used even after the expiry of Air-DNA-A and AIR-DNA-E. Base licenses include:

  • AIR Network Essentials (AIR-NE)

  • AIR Network Advantage (AIR-NA) (Includes the features that are available in the Network Essentials license.)

License Term

The licenses are available for a three, five, or seven-year periods.

For a more detailed overview on Cisco Licensing, go to

Guidelines and Restrictions


  • Internet Group Management Protocol (IGMP)v3 is not supported on Cisco Aironet Wave 2 APs.

  • Do not deploy OVA files directly to VMware ESXi 6.5. We recommend that you use an OVF tool to deploy the OVA files.

  • AP connection over network address translation (NAT) and port address translation (PAT) is not supported in the following specific scenarios (all the following conditions need to be met):

    • Data-DTLS channel is ON

    • Packets sent from the controller are bigger than minimum Path MTU packets (576B in case of IPv4) with network PMTU >= 1485.

    • PAT configured on the router or firewall and the network PMTU is less than or equal to 1485.

    • AP connection over NAT/PAT is supported in all other scenarios.


    This restriction is not applicable from Cisco IOS XE Gibraltar 16.12.2s onwards.

  • Mobility NAT is not supported.

  • Firefox Version 63.x is not supported.

  • The Cisco Wave 1 APs may download the image twice while moving from Cisco AireOS Release 8.3 to Cisco IOS XE Gibraltar 16.10.1. This increases the AP downtime during migration.

  • Ensure that you remove the controller from Cisco Prime before disabling or enabling Netconf-YANG. Otherwise, the system may reload unexpectedly.

  • Unidirectional Link Detection (UDLD) protocol is not supported.

  • Voice over WLAN (VoWLAN) using SIP is not supported for FlexConnect local switching deployments.

  • The Cisco Catalyst 9800 Series Wireless Controllers (C9800-CL, C9800-L, C9800-40, and C9800-80) support a maximum of 14,000 leases with internal DHCP scope.

  • When you configure the Cisco Catalyst 9800 Series Wireless controllers with Cisco Aironet 3700 Series Access Points, through IPv6, and then connect IPv6 capable clients, the IP addresses of all the IPv6 clients are not updated on the controller.


Integrated Access Point on Cisco 1100 ISR is not supported.

Interoperability with Clients

This section describes the interoperability of the controller software with client devices.

The following table lists the configurations used for testing client devices.

Table 6. Test Configuration for Interoperability

Hardware or Software Parameter

Hardware or Software Type


Cisco IOS XE Gibraltar 16.10.1

Cisco Wireless Controller

See Supported Hardware.

Access Points


  • 802.11ac

  • 802.11a

  • 802.11g

  • 802.11n (2.4 GHz or 5 GHz)




See Table 2.

Types of tests

Connectivity, traffic (ICMP), and roaming between two APs

The following table lists the client types on which the tests were conducted. Client types included laptops, hand-held devices, phones, and printers.


Caveats describe unexpected behavior in Cisco IOS releases. Caveats that are listed as Open in a prior release are carried forward to the next release as either Open or Resolved.


All incremental releases will cover fixes from the current release.

Cisco Bug Search Tool

The Cisco Bug Search Tool (BST) allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The BST is designed to improve the effectiveness in network risk management and device troubleshooting. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.

To view the details of a caveat, click the corresponding identifier.

Open Caveats

Caveat ID



All configs are not available in the new Active after a switchover.


Increase the TFTP default block size to reduce image download time.


The show tech wireless command is showing PSK information in clear text.


The client delete reason is shown as "WLAN Down", which is not the correct reason.


The ipv6 radius source-interface vlan command cannot be unconfigured.


The ap country command input (in lower case) is not working properly.


Configuring IPv6 non-local group mobility multicast also configures IPv4 non-local multicast.


The RF profile assigned power label and channel width is failing.


Issuing the show tech-support wireless command from web UI results in controller reload.


The standby chassis is not showing redundancy IP address.


Pre-shared key (PSK) configuration is not giving an option to enter the PSK.


Observing wncd traceback in new active controller after Stateful Switchover (SSO).


The fully qualified domain name (FQDN) is not getting applied in datapath when being pushed from Identity Services Engine, post MAC Authentication Bypass (MAB).


Scanners (MC3190 and MC32N0) are not connecting to the controller after the image upgrade.


Custom webauth bundle with higher file size than the supported file size is failing to load js.


Cisco Catalyst 9800-40 Wireless Controller in HA-active mode reloaded without core files as peer switch was not in standby mode during upgrade.


Clients are getting deleted due to 802.11r pre-authentication failure.


Clients are getting deleted with "Invalid MDIE" error code.


Tracebacks are flooding the controller.


APs are getting reset while adding or removing description.


Running the show logging profile wireless internal filter mac command pauses controller indefinitely.


High Availability (HA) switchover retains the old active chassis uplink status irrespective of the status of the current active link.


Cisco Aironet 2800 subordinate APs are unable to download an image from the primary AP.


Multi-instance load balance is not working for APs joined over CAPWAPv6 tunnel.


While upgrading, subordinate APs are not fetching image from the controller.


The clear wireless statistics fabric memory command reports error and generates core file on the standby controller.


Client is excluded due to VLAN failure, when VLAN name is propagated from the VLAN Trunk Protocol (VTP) server.


The Controller GUI check boxes are not displayed in Firefox.


Client is stuck in Layer 2 authentication on the Guest controller as roam fails on the Inter-Release Controller Mobility (IRCM) when ipv4 dhcp required command is enabled.


After SSO, CAPWAP IPv6 access point disjoins and joins back when wireless management and the AP VLAN are the same.


If the login URL for Local Web Authentication (LWA) external webauth contains a question mark (?) character, the URL is not accepted by the UI.


The output of the show ap auto-rf dot11 24ghz command is not displaying any data.


FlexConnect mode AP is not learning client MAC address, URL, IP address for the configured pre-auth URL filter.


The EXEC prompt timestamp configuration on the VTY line causes functionality issues on the WebUI.

Related Documentation

Information about Cisco IOS XE is available at:

Cisco Validated Designs documents are available at:

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use the Cisco MIB Locator found at:

Cisco Wireless Controller

For more information about the Cisco wireless controller, lightweight APs, and mesh APs, see these documents:

The installation guide for your controller is available at:

For all Cisco Wireless Controller software-related documentation, see:

Cisco Catalyst 9800 Wireless Controller Data Sheets

Cisco Embedded Wireless Controller on Catalyst Access Points

For more information about the Cisco Embedded Wireless Controller on Catalyst Access Points, see:

Wireless Products Comparison

Cisco Prime Infrastructure

Cisco Prime Infrastructure Documentation

Cisco Connected Mobile Experiences

Cisco Connected Mobile Experiences Documentation

Cisco DNA Center

Cisco DNA Center Documentation

Communications, Services, and Additional Information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.