
Brkewn 2338


Catalyst Wireless - How to Successfully Migrate to Catalyst 9800

Simone Arena, Principal TME, Cisco Wireless
BRKEWN-2338

Agenda

• Building a Migration Strategy


• Migration Best Practices
• AireOS configuration migration
• Design with Access Point (AP) tags in mind
• Wi-Fi 6E: what’s the impact on migration?
• More info…

#CiscoLive BRKEWN-2338 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Building a Migration Strategy
Where shall I start?

....asking questions!

Key Questions for Migration
• What are the migration objectives and timelines?
• How much IT cost can be dedicated to the migration?
• What is the status of the wired infrastructure for PoE and mGig?
• Have the scalability or performance requirements changed?
• Are you familiar with the C9800 config model?
• What are the deployment modes? Centralized, Flex, etc.
• What are the HW delivery times?
• Have the APP requirements changed?
• Is it possible to identify a PoC area?
• What hardware and software used? For APs, WLCs, Prime, etc.?
• How important is coexistence with AireOS?
• What’s the maintenance window?
• What about security? WPA3, segmentation, etc.?
• Are there new client devices to support?
• Is seamless roaming needed during migration?

Existing AireOS based WLAN deployment: Evaluate, Design, Implement

Build a Migration Strategy – three phases

Evaluate
• Understand customer requirements
• Evaluate current deployment
• Evaluate possible product gaps
• Evaluate new licensing model
• Get all the required information (topology, device lists, design requirements, configuration)

Migration factors/triggers:
• End of Sales (EoS) announcement for all AireOS controllers*
• EoS announcement of 802.11ac Wave1 APs (x700 series)
• EoS announcement of 802.11ac Wave2 APs (x800 series)
• AP hardware not supported on AireOS (C9124 and Wi-Fi6E)
• New functionalities on C9800 (ISSU, Patching, Programmability, etc.)

Important:
• No support for 802.11n or older APs on C9800

(*) Go to https://www.cisco.com/c/en/us/products/wireless/index.html#~resources for latest EoS announcements

Wave1 AP support in 17.9.X & 17.12.X
Smoother upgrade path to Wi-Fi6/6E

• AP 1700, 2700, 3700: EOVSS/LDOS Apr 30, 2024
• AP 1572: EOVSS/LDOS Nov 30, 2025

Why are we doing this
To simplify migration of legacy APs (Wave1) to current generation Wi-Fi 6/6E APs for customer impacted by supply chain delays, no extension in life cycle

What is supported
❑ Wave1 APs would operate with 17.9.3 & 17.12.x based WLC
❑ Solution matrix will be compatible with 17.9 release

What is new
❑ EOVSS extended to LDOS. No change in LDOS dates
❑ Wave1 APs support in 17.9 release train starting 17.9.3
❑ Wave1 APs support extended to 17.12.x

What is unchanged
❑ Wave1 AP EOSM & LDOS dates
❑ Wave1 feature support (same as 17.3)
❑ April 2024 is LDOS, need to continue update plans

EoS/EoL Update – Access Points Reference

Columns: Product, End of Sale, EoSW Maintenance, EoVSS, LDoS

Wave 1 APs
1700/2700/3700 30-Apr-2019 29-Apr-2020 30-Apr-2024
1570 13-Nov-2020 13-Nov-2021 30-Nov-2025

Wave 2 APs
1830/1840/1850 and 1540 1-May-2022 1-May-2023 30-Apr-2027
2800/3800/4800 31-Oct-2022 1-May-2024 31-Oct-2027
1560 31-Jan-2023 1-May-2024 31-Jan-2028

Wi-Fi 6 APs
9117 30-Apr-2021 30-Apr-2022 30-Apr-2026
9105/9115/9120/9130 No plans
9124 No plans

EoL = End of Life
EoSW = End of Software Maintenance
EoVSS = End of Vulnerability Software Support
LDoS = Last Day of Support

EoS/EoL Update - WLC Reference

Product        End of Sale   EoSW Maintenance   EoVSS         LDoS
Gen 1 AireOS
2504           18-Apr-2018   18-Apr-2019        18-Apr-2021   30-Apr-2023
5508           4-May-2018    1-Aug-2019         31-Jul-2021   31-Jul-2023
8510           4-Jul-2018    3-Sep-2019         2-Sep-2021    30-Sep-2023
Gen 2 AireOS
3504           31-Jan-2021   31-Jan-2023        30-Jan-2025   30-Jan-2027
5520           10-Dec-2021   31-Jan-2023        30-Jan-2025   30-Jan-2027
8540           31-Jan-2022   31-Jan-2023        30-Jan-2025   30-Jan-2027
IOS-XE
9800-L         No plans
9800-40        No plans
9800-80        No plans

EoL = End of Life
EoSW = End of Software Maintenance
EoVSS = End of Vulnerability Software Support
LDoS = Last Day of Support

Customer Migration scenario - Evaluate

Current deployment:
▪ University main campus: 100+ buildings, 5k APs, 35k peak of concurrent connected clients. Single roaming domain
▪ AireOS WLCs: two pairs of 8540 in SSO HA pair running 8.10. Guest Anchor Controllers: 5508 running 8.5 and 3504 running on 8.10
▪ Mix of 802.11ac Wave 2 (AP 3800, 1815, 1560) and older Access Points (APs 3600 and 3700). Started Wi-Fi 6 journey with Catalyst 9120 and 9130
▪ Prime for configuration and monitoring. ISE as Radius server and guest portal

[Diagram labels: bldg. D, 3504 Anchor, DC site, Campus core, bldg. A, bldg. B, bldg. N, 5508 Anchor, 8540-1-A, 8540-1-S, 8540-2-S, 8540-2-A, Older APs, 802.11ac W2]

WLC = Wireless LAN Controller
HA = High Availability
SSO = Stateful Switch Over

Customer Migration scenario - Evaluate

Customer requirements:
▪ Migrate to the new Catalyst wireless stack with C9800 wireless controllers and Catalyst APs. Leverage new features on Catalyst 9800 like ISSU
▪ Refresh old WLCs in End of Sale (EoS) and consolidate; provide Guest Anchor redundancy
▪ Replace 802.11ac Wave1 and older APs. Adopt Wi-Fi 6E, Catalyst 9136 as reference model for Wi-Fi 6E
▪ Need to pace migration as APs will be replaced in multiple steps. Need coexistence between legacy and new network. Seamless roaming is key
▪ Introduce DNA Center for visibility and Assurance

[Diagram labels: bldg. D, 3504 Anchor, DC site, Campus core, bldg. A, bldg. B, bldg. N, 5508 Anchor, 8540-1-A, 8540-1-S, 8540-2-S, 8540-2-A, Older APs, 802.11ac W2]

ISSU = In-Service Software Upgrade

Build a Migration Strategy – three phases

Evaluate
• Understand customer requirements
• Evaluate current deployment
• Evaluate possible product gaps
• Evaluate new licensing model
• Get all the required information (topology, device lists, design requirements, configuration)

Design
• Architecture review
• Migrate the AireOS configuration
• Feature gap verification
• Design with profiles and tags in mind
• Choose the right software release
• Brownfield considerations

Customer Migration scenario - Design

Migration Design considerations:
▪ Same architecture and design for Foreign WLCs
▪ Consolidate Anchor WLCs in one building and configured in SSO pair
▪ Older APs replaced with Wi-Fi 6/6E; Wi-Fi 5 are kept. The plan is to eventually migrate all the APs to Wi-Fi 6/6E
▪ Migration started with code 17.3.x for Catalyst 9800 (C9800), initial lab tests with 17.3.6. Later tests with 17.9.1; finally, customer went in production with 17.9.2 (and recently upgraded to 17.9.3)
▪ Keep Prime for now and start deploying Cisco DNA Center for Assurance

[Diagram labels: bldg. D, Anchor 9800-L SSO pair, DC site, Campus core, bldg. A, bldg. B, bldg. N, 9800-1-A, 9800-1-S, 9800-2-S, 9800-2-A, Wi-Fi 6 and 6E, 802.11ac W2]

Build a Migration Strategy – three phases

Evaluate
• Understand customer requirements
• Evaluate current deployment
• Evaluate possible product gaps
• Evaluate new licensing model
• Get all the required information (topology, device lists, design requirements, configuration)

Design
• Architecture review
• Migrate the AireOS configuration
• Feature gap verification
• Design with profiles and tags in mind
• Choose the right software release
• Brownfield considerations

Implement
• Lab validation
• Identify pilot migration areas
• Deploy an area in production
• Start replacing legacy APs
• Post migration checks
• Monitor stability and proceed

Customer Migration scenario – Implement

PoC steps:
• Installed C9800 HA pair running 17.3.6 serving a small production building
• Initially just #3 AP 3800 to serve some live users. Then added other 27 x 3800 APs
• Used to test the configuration migration and get familiar with C9800

[Diagram labels: bldg. D, Anchor 9800-L SSO pair, DC site, Campus core, bldg. A, bldg. B, 9800-1-A, 9800-1-S, PoC building, 802.11ac W2]

Customer Migration scenario – Implement

PoC steps (continued):
• Replaced 3800 APs with 30 x Catalyst 9136 APs and #200 live clients at peak
• Installed another C9800 HA pair to test 17.9.2 software with few APs in the lab
• Added 400 APs in production with 17.9.2

[Diagram labels: bldg. D, Anchor 9800-L SSO pair, DC site, Campus core, bldg. A, bldg. B, 9800-1-A, 9800-1-S, 9800-2-S, 9800-2-A, PoC building, Catalyst 3600]

Migration Best Practices
Refer to the latest Best Practice on Cisco Connection On-line (CCO), updated recently!

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html

Migration Best Practices
Deep knowledge of C9800 new configuration model (Profiles & Tags)

Important to remember:
▪ Profiles (Policy, AP Join and Radio Frequency (RF)) and tags are the new configuration constructs
▪ Profiles are assigned via tags. Every AP needs to be assigned to the three AP tags (Policy, Site, RF)
▪ Advantages of the new configuration models:
  ▪ Modular and reusable config constructs
  ▪ Flexible to assign configuration to a group of APs
  ▪ Easier to manage site specific configuration across geo-distributed locations
  ▪ No reboot needed when applying config changes via tags (remember AP groups?)

[Diagram labels: Access Points, RF Tag, Policy Tag, Site Tag]

Migration Best Practices
Deep knowledge of C9800 new configuration model (Profiles & Tags)

Policy Tag (WLAN Profile, Policy Profile)
• Defines the Broadcast domain (list of WLANs to be broadcasted) with the policies of the respective SSIDs
• “Equivalent” to AP Group in AireOS

RF Tag (RF Profile 2.4 GHz, RF Profile 5 GHz, RF Profile 6 GHz)
• Defines the Radio Frequency (RF) properties of the group of APs per radio

Site Tag (AP Profile, Flex Profile)
• Defines the APs’ properties of the site, central (a.k.a. “local”) or remote (a.k.a. “flex”) site
• For FlexConnect site:
  • Defines the fast-roaming domain
  • “Equivalent” to Flex Groups in AireOS

SSID = Service Set IDentifier

Migration Best Practices
Build a PoC area with same characteristics of the production network

“Same” topology:
• “Same” = as close as possible to production
• Anchor Controller, High Availability pair, Firewall and other network settings like AAA should be as close to production as possible
• Test the main features customer cares about

“Same” clients:
• Ideally test same clients as in production
• At least Windows, Android and Apple clients
• Test the different authentication types with same version of production AAA and web Portal if present
• Focus on particularly old devices and evaluate if some changes need to be done in the Radio Frequency (RF) default configuration (e.g., old devices might need lower data rates)
• Particularly critical with 6GHz as client drivers are still unstable

[Diagram labels: WLCs (Primary/Secondary), Anchor WLCs, Anchor network, FW, PoC network]

PoC = Proof of Concept
AAA = Authorization Authentication Accounting

Catalyst 9800 Recommended releases
What is the recommended release?

Go with latest 17.3.x:
• If you need support for 802.11ac W1 APs (IOS based APs)
• If you want the image with the “star” with the most soak time in the field
• 17.3.7 is the recommended star release
• 17.3.7 introduces:
  • Secure data wipe out on the AP with the command “clear ap config”

Go with latest 17.6.x:
• If you want the most stable train for Wi-Fi 6 Catalyst Access Points
• 17.6.5 is recommended for all Wi-Fi 6 deployments without W1 APs (1700/2700/3700/1572).
• 17.6.5 introduced one important feature on top of many bug fixes:
  • “no accounting-interim” command is supported under the policy profile to disable interim accounting

Go with latest 17.9.x:
• If you need support for newest Catalyst Wireless Wi-Fi 6E APs
• 17.9.3 includes support for 802.11ac W1 APs to ease the migration to C9800 and Wi-Fi 6E
• 17.9.3 also introduces the support for IW9167E
• 17.9.3 is the recommended star release

Cisco Recommended Software Matrix* Reference

IOS-XE   AP                                           IRCM with Gen 1 AireOS   IRCM with Gen 2 AireOS   DNA-C    Prime    CMX      ISE
17.3.7   802.11ax, 802.11ac W1 and W2                 8.5.182.104              8.10.185                 Matrix   3.10.1   10.6.2   3.1, 3.0, 2.7
17.6.5   802.11ax, 802.11ac W2                        8.5.182.104              8.10.185                 Matrix   3.10.1   10.6.2   3.1, 3.0, 2.7
17.9.3   802.11ax (Wi-Fi 6/6E), 802.11ac W1 and W2    8.5.182.104              8.10.185                 Matrix   3.10.4   10.6.3   3.1, 3.0, 2.7

(*) Please bookmark and check these links for the latest info:
http://cs.co/compatibilitymatrix
http://cs.co/recommendediosxe
DNAc Matrix https://www.cisco.com/c/en/us/support/cloud-systems-management/dna-center/products-device-support-tables-list.html

AireOS configuration Migration
How? Configuration Migration tool

Need to address three key questions:
• Is a specific AireOS feature supported in Catalyst 9800?
• How is the AireOS configuration translated into IOS XE?
• Does it make sense to keep certain settings done in AireOS?

Configuration Migration Tool
• Migration tool managed by CX/TAC: https://cway.cisco.com/wlc-config-converter/
• Drop the AireOS config file:
  • Upload it directly from GUI
  • Or use the “show run-config command” output and put it in a .txt file
• Choose the AireOS to C9800 converter and click Run

CX = Customer eXperience
TAC = Technical Assistance Center

Configuration Migration Tool
Migration Tool output:
• Translated (CLI supported in IOS-XE)
• Unsupported (CLI not supported in IOS-XE)
• Not Applicable (CLI deprecated/not used commands)
• Unmapped (CLI supported but not yet translated)

CLI = Command Line Interface

Configuration Migration Tool
Migration Tool output:
• Clear indications on when user input is required: “!$” prefix
• Useful warnings for correctly handling the translated configuration: Layer3 interfaces, ACLs, hostname, etc. > look for “!%” prefix

ACL = Access Control List

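One way to keep these markers from being overlooked before the translated configuration is applied, as an added example (not code from the presentation or from the Cisco converter). It assumes the output is plain text using the `!$` and `!%` prefixes described above and treats leftover `<...>` placeholders as unresolved input; the sample text and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the style of the converter output shown on the slides;
# the RADIUS and ACL lines and their notes are invented for this example.
SAMPLE = """\
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Webauth Global Configuration
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! config interface address virtual 192.0.2.1
!% Note: parameter-map configuration follow interactive-mode
parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1 virtual-host <name>
!$ radius server RADIUS-1: enter the shared secret
radius server RADIUS-1
 address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
!% ACL guest-acl was translated, review it before applying
ip access-list extended guest-acl
 permit udp any any eq domain
"""

PLACEHOLDER = re.compile(r"<[^<>\s][^<>]*>")          # e.g. <name>, <https url>
SECURITY_HINT = re.compile(r"\b(acl|access-list|aaa|radius)\b", re.IGNORECASE)


@dataclass
class Triage:
    user_input: list = field(default_factory=list)    # (line, text) from "!$" lines
    warnings: list = field(default_factory=list)      # (line, text) from "!%" lines
    placeholders: list = field(default_factory=list)  # (line, parent command, command)
    commands: list = field(default_factory=list)      # lines that would reach the WLC

    @property
    def ready_to_apply(self):
        """True only when nothing is left for the operator to fill in."""
        return not self.user_input and not self.placeholders

    @property
    def security_warnings(self):
        """Warnings that mention ACL/AAA objects and deserve a second reviewer."""
        return [w for w in self.warnings if SECURITY_HINT.search(w[1])]


def triage(text):
    """Sort converter output into operator actions, warnings and real commands."""
    result = Triage()
    parent = None                                     # last top-level command seen
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("!$"):
            result.user_input.append((lineno, stripped[2:].strip()))
        elif stripped.startswith("!%"):
            result.warnings.append((lineno, stripped[2:].strip()))
        elif stripped.startswith("!"):
            continue                                  # banner or original AireOS line
        else:
            if not line.startswith(" "):
                parent = stripped
            result.commands.append(line)
            if PLACEHOLDER.search(stripped):
                result.placeholders.append((lineno, parent, stripped))
    return result


if __name__ == "__main__":
    report = triage(SAMPLE)
    for lineno, text in report.user_input:
        print(f"INPUT NEEDED  line {lineno}: {text}")
    for lineno, parent, cmd in report.placeholders:
        print(f"PLACEHOLDER   line {lineno}: {cmd!r} under {parent!r}")
    for lineno, text in report.warnings:
        print(f"WARNING       line {lineno}: {text}")
    print("ready to apply:", report.ready_to_apply)
```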
Configuration Migration Tool
Migration Tool output:
• AireOS CLIs and the correspondent translated IOS-XE commands
• Explanation on why certain decisions were made in translating the AireOS configuration > Example: SVI interfaces

SVI = Switch Virtual Interface

Port, VLAN, SVI interfaces considerations

Facts:
▪ It’s mandatory to have one L3 interface configured as wireless management interface (WMI)
▪ CAPWAP traffic is terminated to the wireless management interface. There is only one wireless management interface
▪ Service port on the appliance belongs to the Management VRF (“Mgmt-intf”). On the C9800-CL the support for VRF is in the roadmap
▪ For centrally switched SSID, it is mandatory to configure a client L2 VLAN

Best practices:
▪ Switch Virtual Interface (SVI) for wireless management interface is recommended.
▪ Do not configure SVIs for client VLANs, unless really needed (e.g., DHCP relay) – this is different from AireOS where Dynamic interface is required.
▪ Connect the uplink ports in a port-channel, configured as trunk to a pair of switches in Stack Wise virtual or similar technologies. Same AireOS best practice
▪ C9800-CL in public cloud must use a single L3 port (not SVI) and hence has the following feature limitation: no support for sniffer mode AP and HyperLocation

[Diagram labels: OOB Management Network, Wireless Management interface, Service port, L3 interfaces, C9800, L2 VLANs, Data ports, Trunk - LAG, Catalyst 9k Stack Wise pair, Enterprise network]

DHCP = Dynamic Host Configuration Protocol
VRF = Virtual Route Forwarding | VLAN = Virtual Local Area Network

Configuration Migration Tool
Migration Tool output:
• Unsupported (CLI not supported in IOS-XE)
  [Screenshot annotations: This is a problem with the tool; Should be “not applicable”]
• Not Applicable (CLI deprecated/not used commands)
  [Screenshot annotation: Reason why CLI is not applicable]

Customer scenario > Configuration review
WLAN settings
We used to have these commands in AireOS, shall we keep them in IOS XE WLC?

Q: Do we still need Aironet IE?
A: Yes, if you are running Cisco specific devices like IP phones and WGBs

Q: Do we still need Band Select?
A: Not on this SSID as you have voice traffic, and it might affect fast roaming. In other SSIDs it is fine.

Q: What happened to Fast SSID change?
A: No need to enable the feature explicitly, this is taken care of automatically on C9800

[Screenshot labels: C9800-80, 8540]

Webauth configuration

Problem:
Wireless client unable to pop up the captive portal page automatically. If client goes to any website, it gets certificate warning message.

Solution:
Need to enable WebAuth on HTTP. In C9800 you don't need to enable HTTP for the entire box (GUI access), but only for WebAuth client connections.

Add webauth-http-enable command under the definition of parameter-map:

parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1 virtual-host <name>
 webauth-http-enable

Migration tool output:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Webauth Global Configuration
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! config interface address virtual 192.0.2.1
! config interface hostname virtual <name>
! config custom-web webauth-type external
! config custom-web ext-webauth-url <url>
! config custom-web redirecturl <https url>
!% Note: parameter-map configuration follow interactive-mode when it get configure first time.
!% Please enter prompt option while configuring parameter-map.
!% e.g. : This operation will permanently convert all relevant authentication commands to their CPL control-policy equivalents. As this conversion is irreversible and will disable the conversion CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your current configuration before proceeding.
!% Do you wish to continue? [yes]: yes
parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1 virtual-host <name>
parameter-map type webauth global
 type webauth
 redirect for-login <http url>
 redirect on-success <https url>

mDNS configuration

Scenario:
AireOS configuration was correctly translated and hence Location Services were not enabled on the mDNS service policy.

Recommendation:
Configure the mDNS policy to use Location Specific Services (LSS) to optimize mDNS responses to clients:

mdns-sd service-policy aireos-default-mdns-profile
 […]
 location lss

Migration tool output:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! mdns profile and service mapping
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[skip]
mdns-sd service-list aireos-default-mdns-profile-out OUT
 match AirTunes
 match Printer-IPPS
 match Printer-SOCKET
 match HP_Photosmart_Printer_2
 match HomeSharing
 match HP_Photosmart_Printer_1
 match Airplay
mdns-sd service-policy aireos-default-mdns-profile
 service-list aireos-default-mdns-profile-in IN
 service-list aireos-default-mdns-profile-out OUT
!% "location lss" skipped since it is disabled in any of "mdns service" mapped under "mdns profile".

Policy Profile settings

Q: In AireOS we set the value to "0" to have max timeout, does it apply the same to C9800?
A: In C9800, before 17.4.1 if it is set to 0, then session timeout is disabled > all roams are SLOW. Starting 17.4.1, for 802.1x SSID if you set it to zero, it’s reconfigured to max allowed

Q: Can we use the default policy profile as a “normal” profile?
A: Yes, absolutely

Catalyst 9800 IOS-XE 17.12
Policy Profile settings > Default session timeout

What is it?
• The default session timeout is changed from 30 mins to 8 hours starting 17.12.1
• Why? Some clients don’t like frequent re-auth and re-keying and there have been multiple TAC cases related to this, solved with longer session time out
• This new default would help relieve the pressure on AAA servers

Before 17.12 > timeout is 30 mins
Starting 17.12 > timeout is 8 hours

APs to Tags mapping
AP to Tags assignment
• Without an existing configuration, when the AP joins the C9800 it gets assigned the default tags: namely the default-policy-tag, default-site-tag and default-rf-tag
• The AP <> tags mapping can have multiple tag sources:
  ▪ Static: admin configuration
  ▪ Location: Basic Setup flow
  ▪ Filter: regular expression
  ▪ AP: the tags are saved on AP

These are in order of priority. You can only change the priority order of Filter and AP source

AP to Tags assignment – Source: Static
• The static Tag <> AP binding is based on AP’s Ethernet MAC and it’s a configuration on the Controller: upon joining the C9800, the configuration is applied and AP gets assigned to the selected tags
• Go to Configuration > Wireless > Access Points
• To statically assign Tags to multiple APs, you can use the Advanced Wireless Setup > Click on Start Now and select “Tag APs” and select the APs you wish to map

AP to Tags assignment – Source: Location
• Used to be available only with the Basic Wireless Setup…not very useful!
• But a lot of people like the concept of “location” and are using it via CLI to assign tags to multiple APs in a “location”…so we listened

What is it?
• Starting 17.5 (!!), you can use it on the GUI as well
• Go to Configuration > Tags & Profiles > Tags > AP > Location
• Step 1: Define a location and assign desired tags.
• Step 2: Select/Assign multiple APs to the Location

AP to Tags assignment – Source: Filter
• Filter: You need an AP naming convention (ex., AP_<#>_<site>, where site can be building, floor, area) and your APs have already been named correctly
• Configuration > Tags & Profiles > Tags, go to AP > Filter: add a rule with a regex expression to match APs with e.g., “site1” in the name and assign them to the desired tags
• When the AP with name containing “site1” joins the C9800 or it’s renamed, it’s assigned to the tags specified in the filter. Since this is an AP tag change, a CAPWAP restart is triggered automatically, the AP will disjoin and join back (less than 30s)

CAPWAP = Control and Provisioning of Wireless Access Points

AP to Tags assignment – Source: AP
• The AP presents the tags upon joining, no AP <> tag mapping is needed on C9800
• The AP retains its tags when joining a new WLC, if the tags are defined on the new WLC and there is no higher priority mapping (e.g., static)
• Before 17.6, to push the tags information to the AP, you need to use a CLI command in exec mode:
  C9800#ap name <APname> write tag-config
• Using the CLI command could be cumbersome, we have solutions:
  • Event Manager Script (useful for 17.3.x release)
  • Graphical user interface (GUI) settings in 17.4.1 and later
  • Starting 17.6, new feature called AP Tag Persistency

AP to Tags assignment – AP (SW >17.6)
Configuring AP Tag Persistency

• From 17.6.1 this is supported in CLI in global configuration mode:
  C9800(config)#ap tag persistency enable
• 17.6.2 and 17.7 adds support from GUI (Configuration > Tags & Profiles > Tags)

Note: This will enable writing tags to the AP as it joins. For this to be applied to existing APs joined to the C9800, they will need to rejoin the WLC (CAPWAP restart)

Verifying AP Tag source
Run the show command below:
C9800#show ap tag summary

Number of APs: 1

AP Name   AP Mac   Site Tag Name   Policy Tag Name   RF Tag Name      Misconfigured   Tag Source
-------------------------------------------------------------------------------------------------
AP1       <MAC>    flex-site1      flex-tag          default-rf-tag   No              AP
AP2       <MAC>    site-8-500      issu              default-rf-tag   No              Static

For Persistency mapping, ensure that the Tag Source shows AP, indicating that the tags were successfully written to the AP and learnt/used by the WLC.

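The source priority described on the preceding slides, modelled as an added example (not code from the presentation and not a Cisco API). The `Controller` class, tag names, MAC addresses and the "Default" source label are assumptions made for illustration; the point is to predict which Policy tag, and therefore which WLANs, an AP will get before it is moved to a new WLC.

```python
import re
from typing import NamedTuple


class Tags(NamedTuple):
    policy: str
    site: str
    rf: str


# Default tags named on the slides; an AP with no mapping lands here.
DEFAULT = Tags("default-policy-tag", "default-site-tag", "default-rf-tag")


class Controller:
    """Toy model of the tag sources on one WLC (hypothetical, for illustration)."""

    def __init__(self, filter_before_ap=True):
        self.static = {}            # AP Ethernet MAC -> Tags (admin configuration)
        self.location = {}          # AP Ethernet MAC -> Tags (via a location)
        self.filters = []           # ordered (regex on AP name, Tags)
        self.defined = set(DEFAULT) # tag names that exist on this WLC
        # Only the relative order of Filter and AP can be changed.
        self.filter_before_ap = filter_before_ap

    def define(self, policy, site, rf):
        tags = Tags(policy, site, rf)
        self.defined.update(tags)
        return tags

    def _from_filter(self, name):
        for pattern, tags in self.filters:
            if re.search(pattern, name):
                return tags, "Filter"
        return None

    def _from_ap(self, saved):
        # Tags saved on the AP are honoured only if they exist on this WLC.
        if saved is not None and set(saved) <= self.defined:
            return saved, "AP"
        return None

    def resolve(self, name, mac, saved_on_ap=None):
        """Return (Tags, source) for an AP joining this controller."""
        if mac in self.static:
            return self.static[mac], "Static"
        if mac in self.location:
            return self.location[mac], "Location"
        lookups = [lambda: self._from_filter(name),
                   lambda: self._from_ap(saved_on_ap)]
        if not self.filter_before_ap:
            lookups.reverse()
        for lookup in lookups:
            hit = lookup()
            if hit:
                return hit
        return DEFAULT, "Default"   # label chosen for this example


def build_demo(filter_before_ap=True):
    """Constructed configuration: one filter rule and one static binding."""
    wlc = Controller(filter_before_ap)
    site1 = wlc.define("campus-policy", "site1", "campus-rf")
    lab = wlc.define("lab-policy", "lab-site", "default-rf-tag")
    wlc.filters.append((r"site1", site1))
    wlc.static["aaaa.bbbb.0001"] = lab
    return wlc, site1, lab


if __name__ == "__main__":
    wlc, site1, lab = build_demo()
    stale = Tags("old-policy", "old-site", "old-rf")   # not defined on this WLC
    print(wlc.resolve("AP_12_site1", "aaaa.bbbb.0001"))
    print(wlc.resolve("AP_13_site1", "aaaa.bbbb.0002", saved_on_ap=lab))
    print(wlc.resolve("AP_20_site2", "aaaa.bbbb.0003", saved_on_ap=stale))
```

The last call shows the case worth checking before a cutover: an AP whose saved tags are not defined on the new WLC falls back to the default tags and the WLANs behind the default policy tag.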
Design with AP Tags in mind
Site Tags – AP to WNCd distribution

Facts:
▪ AP to WNCd distribution today is based on AP site tag and is decided at AP join time.
▪ If default-site-tag is used APs are distributed using round-robin algorithm across all WNCd processes
▪ If custom/named site-tags are used, then all APs in the same named-site tags are assigned to the same WNCd. Consider site tag = roaming domain
▪ Site tags are distributed using the least loaded WNCd in terms of number of site tags (not number of APs)
• Use the recommended number of site tags per platform and evenly distribute APs among those:

Platform             Recommended # of site tags
C9800-80             8 or a multiple (16, 24, …)
C9800-CL (large)     7 or a multiple (14, 21,..)
C9800-40             5 or a multiple (10, 15, …)
C9800-CL (Medium)    3 or a multiple (6, 9,..)

[Diagram labels: IOSd, DB Manager, Config DB, Ops DB, WNCd(1), WNCd(2) ... WNCd(n) each with Ops data, Catalyst 9800, Enterprise network, Area 1, Area 2 ... Area N, one Site tag per area]

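A simplified model of the distribution rules above, added here as an example (not code from the presentation or from IOS-XE). It assumes ties between equally loaded WNCds go to the lowest-numbered process and uses made-up tag names and AP counts; it shows why a site-tag count that is not a multiple of the WNCd count, or uneven AP counts per tag, leaves some processes with far more APs than others.

```python
# WNCd processes per platform, taken from the site-tag recommendations
# on the slides (one site tag per WNCd).
WNCD_COUNT = {
    "C9800-80": 8,
    "C9800-CL (large)": 7,
    "C9800-40": 5,
    "C9800-CL (Medium)": 3,
}


def distribute(platform, joins):
    """Return the number of APs on each WNCd.

    joins: site-tag name of each AP, in join order.
    - default-site-tag: APs are spread round-robin over all WNCds.
    - named site tag: the tag is pinned to the WNCd that currently holds the
      fewest site tags (AP counts are ignored), and every AP with that tag
      follows it.
    """
    n = WNCD_COUNT[platform]
    aps = [0] * n        # APs per WNCd
    tags_on = [0] * n    # named site tags per WNCd
    owner = {}           # site tag -> WNCd index
    next_rr = 0
    for tag in joins:
        if tag == "default-site-tag":
            wncd = next_rr % n
            next_rr += 1
        else:
            if tag not in owner:
                # Assumption: the lowest index wins a tie.
                owner[tag] = min(range(n), key=lambda i: tags_on[i])
                tags_on[owner[tag]] += 1
            wncd = owner[tag]
        aps[wncd] += 1
    return aps


def aps_in(*groups):
    """Build a join sequence from (site tag, AP count) pairs."""
    joins = []
    for tag, count in groups:
        joins.extend([tag] * count)
    return joins


def scenarios():
    """Constructed deployments of 480 APs on a C9800-80, plus one C9800-40."""
    return {
        # 8 tags x 60 APs: one tag per WNCd, even load.
        "8 even tags": distribute(
            "C9800-80", aps_in(*[(f"area-{i}", 60) for i in range(8)])),
        # 10 tags x 48 APs: tags 9 and 10 double up on WNCd 0 and 1.
        "10 even tags": distribute(
            "C9800-80", aps_in(*[(f"area-{i}", 48) for i in range(10)])),
        # 8 tags, one much larger: tag count is balanced, AP count is not.
        "8 uneven tags": distribute(
            "C9800-80",
            aps_in(("bldg-A", 200), *[(f"bldg-{i}", 40) for i in range(7)])),
        # Everything in default-site-tag: even AP count, roams cross WNCds.
        "default-site-tag": distribute(
            "C9800-80", aps_in(("default-site-tag", 480))),
        # 3 tags on a 5-WNCd platform (AP split assumed): two WNCds unused.
        "3 tags on C9800-40": distribute(
            "C9800-40", aps_in(("tag-1", 16), ("tag-2", 15), ("tag-3", 15))),
    }


if __name__ == "__main__":
    for name, load in scenarios().items():
        print(f"{name:20s} {load}  max-min={max(load) - min(load)}")
```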
Disclaimer for the next set of slides…

If you are able to follow the design guidelines…
If you don’t see any problems with the WNCd CPU load… (CPU is > 70% for at least 5 mins)
Then, relax….

Can I use default-site-tag? Please…
Scenario#1: Large warehouse
▪ Large warehouse = one single roaming domain. Local mode AP deployment
▪ Customer cannot design with custom site tags: No AP names, no APs on maps, difficult to identify AP areas, and simply too much operational cost…

Design Question: Can I use the default-site-tag?
▪ Default-site-tag: APs will be distributed in round robin across the WNCds, and this may result in inter-WNCd roaming
▪ Assumption: If the system is not heavily loaded > clients and/or AP scale is 30-40% of the max scale supported on the C9800

Design Answer: it’s ok to put all APs in the default-site-tag
▪ Fast roaming (11r, OKC, etc.) is supported across WNCds
▪ 802.11k/v is also supported across WNCds starting 17.7
▪ This recommendation is valid for all authentication types with APs in local mode

[Diagram labels: Catalyst 9800-80 SSO pair, Core Network, default Site tag]

Site Tags Design – Large venue deployment
Scenario#2: Large venue deployment
▪ Conference center, stadium, large venue, where you have a lot of clients, and these clients can roam seamlessly everywhere > Large roaming domain

What are the recommendations in this case?
▪ Use custom site tags and evenly distribute APs among these
▪ Recommendation: Have the number of site tags matching the number of WNCds on that platform:

Platform             # site tag
C9800-80             8
C9800-CL (large)     7
C9800-40             5
C9800-CL (Medium)    3

▪ This is to minimize the number of inter-WNCd roaming events and reduce any inter-process communication performance penalty

[Diagram labels: Catalyst 9800-80 SSO pair, Core Network, Area 1, Area 2 ... Area N, one Site tag per area]

runs on Catalyst Wireless stack!!

• Main event WLC: C9800-80 running 17.9.2
• #506 Catalyst APs, mix of Catalyst 9120 and 9130 with dual-5 GHz
• Peak client count: 13k+ devices
• Designed with #8 site tags
• In this case, the site tags represent eight areas with virtual boundaries

[Diagram labels: Area 1, Area 2 ... Area 8, one Site tag per area]

runs on Catalyst Wireless stack!!

Here is the snapshot of the CPU load on WNCds at peak time!


WLC-5#show processes cpu platform sorted | inc Name|---|wncd
Pid PPid 5Sec 1Min 5Min Status Size Name
------------------------------------------------------------------
17843 17835 38% 38% 38% R 692220 wncd_1
18417 18410 27% 26% 25% R 670252 wncd_6
18073 18065 22% 17% 16% S 644844 wncd_3
18302 18295 20% 18% 16% S 597696 wncd_5
17958 17950 16% 15% 14% R 590720 wncd_2
18188 18180 14% 14% 13% S 616372 wncd_4
17728 17720 12% 10% 9% S 611416 wncd_0
18531 18525 0% 30% 28% R 660912 wncd_7

runs on Catalyst Wireless stack!!

• Keynote WLC: C9800-40 running 17.9.2
• #46 Catalyst 9104 (HD Antenna)
• Peak client count: 4100+
• Designed with #3 site tags
Diagram: site tag 1, site tag 2, site tag 3

runs on Catalyst Wireless stack!!

Here is the snapshot of the CPU load on WNCds:


WLC-1#show processes cpu platform sorted | inc Name|---|wncd
Pid PPid 5Sec 1Min 5Min Status Size Name
-----------------------------------------------------------------------
16226 16218 8% 9% 13% S 486196 wncd_1
16111 16103 8% 8% 12% S 505936 wncd_0
16341 16333 7% 7% 8% S 495408 wncd_2
16570 16563 0% 0% 0% S 324328 wncd_4
16456 16448 0% 0% 0% S 326604 wncd_3

What if you didn’t/could not follow the site tag design recommendations?

Site Tags – AP to WNCd distribution
Before 17.10 (17.9.3), site tags are distributed among WNCds using the least loaded criteria based on the # of site tags.
Problem: Current algorithm can result in uneven WNCd load, as it doesn’t take into consideration the number of APs or clients per site tag and it’s dependent on the order of AP joining.
▪ Example: C9800-CL medium (#3 WNCd), six custom site tags with uneven number of APs per tag, and APs joining in this order:
  ▪ Area1 : #20 APs > WNCd0
  ▪ Area2 : #250 APs > WNCd1
  ▪ Area3 : #60 APs > WNCd2
  ▪ Area4 : #56 APs > WNCd0 (all WNCds have #1 tag, starting again from WNCd0)
  ▪ Area5 : #170 APs > WNCd1 (as WNCd0 already has #2 tags)
  ▪ Area6 : #28 APs > WNCd2 (as WNCd2 is the least loaded for # of tags)
▪ The resulting AP to WNCds mapping is the following:
  ▪ WNCd0 > site tags: area1, area4 > #76 (20+56) APs
  ▪ WNCd1 > site tags: area2, area5 > #420 (250+170) APs
  ▪ WNCd2 > site tags: area3, area6 > #88 (60+28) APs
Unbalanced system > not efficient: WNCd0 #76, WNCd1 #420, WNCd2 #88

Site Tags – New load balancing Algorithm
▪ If you have the number of site tags > the number of WNCd for that C9800 platform, there is now an optimized way to load balance APs across WNCd processes
▪ Starting 17.9.3 and 17.10, the algorithm to distribute APs among WNCds may use the load parameter configured under the site tag:
C9800(config)#wireless tag site <site-tag-name>
C9800(config-site-tag)#load <num> (0 to 1000)
▪ Load is an estimate of the relative WNCd capacity reserved for that site tag. It’s about reserving a part of the WNCd for a site tag (group of APs)
▪ What contributes to the load of the WNCd: all control plane activities > client joining, authentication, roaming, client probes, but also features like mDNS that require CPU time
▪ IMPORTANT: For load balancing to be efficient, “load” is expected to be configured on all the custom site tags
Diagram: site tags for Area 1 to Area 6 mapped to WNCd0, WNCd1, WNCd2

Site Tags – New load balancing Algorithm
How to choose the load?
▪ The default value 0 means no load indication for the site tag. Nothing changes, the algorithm is the same as in previous releases
▪ Most common option: Office building with multiple floors/areas. Each floor/area is one site tag. If you estimate similar client/traffic load on each floor/area > set the “load” equal to the # of APs for each site
▪ Weighted option: In the building one of the floors/areas has a conference/training center with a higher expected activity (e.g., lots of clients joining, leaving and roaming) > set a higher weighted “load” for that specific site tag. For instance, if #10 APs are present at the conference center area, configure the load to be 20
Diagram: site tags for Area 1 to Area 6 mapped to WNCd0, WNCd1, WNCd2

Site Tags – New load balancing Algorithm
Let’s see it in action:
▪ Let’s go back to the previous example: C9800-CL (#3 WNCd), six site tags configured with the load = number of APs:
  ▪ Area1 : #20 APs > site-tag load = 20
  ▪ Area2 : #250 APs > site-tag load = 250
  ▪ Area3 : #60 APs > site-tag load = 60
  ▪ Area4 : #56 APs > site-tag load = 56
  ▪ Area5 : #170 APs > site-tag load = 170
  ▪ Area6 : #28 APs > site-tag load = 28
▪ With the new load balance algorithm, the resulting site tag to WNCds mapping would be the following (pre-allocated):
  ▪ WNCd0 > site tags: area2 > #250 APs
  ▪ WNCd1 > site tags: area5 > #170 APs
  ▪ WNCd2 > site tags: area1, area3, area4, area6 > #164 (20+60+56+28) APs
▪ The result is a load balanced and more efficient system
Load balanced system: WNCd0 #250, WNCd1 #170, WNCd2 #164

Site Tags – New load balancing Algorithm
Important things to note:
▪ For the new algorithm to take into consideration the load, and be independent of AP joining order (this example), configure the load parameter under the site tags and reboot the C9800
▪ For a site tag to be considered for load balancing, it needs to have at least one joined AP. This information is saved and remembered by the system for subsequent runs.
▪ Since AP join times can vary, the system waits for an hour for APs to come up before persisting the information. The reboot should be triggered after at least one hour of uptime.
Load balanced system: WNCd0 #250 (Area 2, load 250), WNCd1 #170 (Area 5, load 170), WNCd2 #164 (Area 1, load 20; Area 3, load 60; Area 4, load 56; Area 6, load 28)

Site Tags – New load balancing Algorithm
What if you don’t reboot?
▪ If the C9800 is not rebooted, the load balance algorithm is still improved as it takes into consideration the site load with the configured load parameter, but it’s going to be dependent on the order of AP joining
▪ If APs are de-registered and join again, the resulting AP to WNCds mapping would be the following (given the same order of joining):
  ▪ Area1 : #20 APs > WNCd0
  ▪ Area2 : #250 APs > WNCd1
  ▪ Area3 : #60 APs > WNCd2
  ▪ Area4 : #56 APs > WNCd0 (lowest Load)
  ▪ Area5 : #170 APs > WNCd2 (lowest Load)
  ▪ Area6 : #28 APs > WNCd0 (lowest Load)
▪ The result is a fairly load balanced and efficient system
Fairly load balanced system: WNCd0 #104, WNCd1 #250, WNCd2 #230

Site Tags – AP to WNCd distribution
What if?
▪ Customer cannot define named site tags (no AP names, no APs on maps) or simply doesn’t want to do it
▪ Customer has already configured a site tag with a lot of APs (e.g., 600 APs on a 9800-40), so the load cannot help
Starting 17.12.1, we have a solution! (RRM based) Auto WNCd load balancing
Diagram: Catalyst 9800 (IOSd, DB Manager, Config DB, Ops DB, WNCd(1), WNCd(2) ... WNCd(n), each with its Ops data), Enterprise network, multi-floor building in a single site tag (Area 1)

Catalyst 9800 IOS-XE 17.12

RRM based Auto WNCd load balancing


What is it?
• RRM-based, automatic way of clustering APs and evenly distributing them across WNCds.
• RF based clusters (AP Areas) are formed using RSSI info received from RRM AP neighbour reports
• The algorithm can be run on demand or scheduled. It’s off by default and it requires the APs to be deployed and a stable RF (APs have their neighbours discovered). Works with any site tag configuration.
• The resulting AP load balancing is applied upon WLC reboot or admin trigger, which causes AP CAPWAP restart
• When applied, it overrides any other load balancing based on site tag and load
Diagram: RF-based AP Areas assigned to WNCd0, WNCd1, WNCd2 > Load balanced system

Catalyst 9800 IOS-XE 17.12

RRM based auto WNCd load balancing


How does the auto load balancing algorithm work?
• Form the AP clusters (neighbourhood) based on RSSI received from AP neighbour report on 5GHz
• Further divide AP clusters into sub-neighbourhoods if the # of APs goes above a defined size (400)
• Create areas from each sub-neighbourhood. Each area size will be MAX 100 AP. A sub-neighbourhood can have up to 4 areas.
• Assign areas to WNCd processes to optimize APs to WNCd load balancing
Diagram: AP Cluster #1 (800 APs) split into Cluster #1-Sub#1 (Area1 to Area4) and Cluster #1-Sub#2 (Area1 to Area4); AP Cluster #2 (300 APs) with Area1 to Area3; RF separation between the two clusters

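The four steps above, worked through on the slide's 800-AP and 300-AP clusters. This is an added sketch, not Cisco's implementation: the -75 dBm neighbour threshold, splitting by list order instead of RF proximity, and the largest-area-first assignment are assumptions, and the neighbour reports are constructed.

```python
"""Sketch of the RRM-based auto WNCd load-balancing steps on constructed data."""
from collections import defaultdict

MAX_SUB_NEIGHBOURHOOD = 400   # from the slide
MAX_AREA = 100                # from the slide
RSSI_NEIGHBOUR_DBM = -75      # assumption: the page gives no threshold


def clusters_from_reports(aps, reports, threshold=RSSI_NEIGHBOUR_DBM):
    """Step 1: group APs that hear each other at or above `threshold`."""
    parent = {ap: ap for ap in aps}

    def find(ap):
        # Union-find root lookup with path halving.
        while parent[ap] != ap:
            parent[ap] = parent[parent[ap]]
            ap = parent[ap]
        return ap

    for ap, neighbour, rssi in reports:
        if rssi >= threshold:
            parent[find(ap)] = find(neighbour)

    groups = defaultdict(list)
    for ap in aps:
        groups[find(ap)].append(ap)
    return sorted(groups.values(), key=len, reverse=True)


def chunks(items, size):
    return [items[i:i + size] for i in range(0, len(items), size)]


def areas_from_cluster(cluster):
    """Steps 2 and 3: sub-neighbourhoods of at most 400 APs, areas of at most 100.

    Simplification: split by list order; the real feature splits on RF data.
    """
    areas = []
    for sub in chunks(cluster, MAX_SUB_NEIGHBOURHOOD):
        areas.extend(chunks(sub, MAX_AREA))
    return areas


def assign_areas(areas, wncds):
    """Step 4 (assumed rule): largest area first, to the WNCd with fewest APs."""
    load = [0] * wncds
    mapping = [[] for _ in range(wncds)]
    for idx, area in sorted(enumerate(areas), key=lambda pair: -len(pair[1])):
        target = load.index(min(load))
        mapping[target].append(idx)
        load[target] += len(area)
    return mapping, load


def plan(aps, reports, wncds):
    """Run all four steps and return (area indexes per WNCd, APs per WNCd)."""
    areas = [area
             for cluster in clusters_from_reports(aps, reports)
             for area in areas_from_cluster(cluster)]
    return assign_areas(areas, wncds)


def constructed_reports():
    """Constructed input: 800 + 300 APs chained at -60 dBm, with a single
    weak -88 dBm report across the RF separation between the clusters."""
    aps = [f"AP{n:04d}" for n in range(1100)]
    reports = [(aps[i], aps[i + 1], -60) for i in range(1099) if i != 799]
    reports.append((aps[799], aps[800], -88))
    return aps, reports


if __name__ == "__main__":
    aps, reports = constructed_reports()
    sizes = [len(c) for c in clusters_from_reports(aps, reports)]
    mapping, load = plan(aps, reports, wncds=3)
    print("cluster sizes:", sizes)
    print("areas per WNCd:", mapping)
    print("APs per WNCd:", load)
```

Lowering the threshold to -90 dBm in this model merges both clusters into one 1100-AP neighbourhood, which shows how much the outcome depends on stable neighbour data before the algorithm is run.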
Catalyst 9800 IOS-XE 17.12

RRM based auto WNCd load balancing


When shall I use it? (vs. the site tag design)
• Customer has an existing deployment with site tags configured with a lot of APs (e.g., > 500/600 APs per site tag): using the RRM based auto load algorithm is the only way to optimize AP load balancing in this case, as it distributes APs into smaller RF based groups/sites and assigns them to WNCds
• Very large venue, one big RF domain: RRM based auto load balancing splits the large RF domain into RF based sites and distributes the APs evenly across WNCd processes
• Customer cannot (no AP maps, no AP names, etc.) or is not willing to design with custom site tags. Customer wants to use the default-site-tag > using RRM based auto load balance assigns APs in the same RF neighbourhood to one WNCd, limiting the inter-WNCd communication that would be extreme if using default-site-tag (remember? round robin!)
• In an existing deployment, if you have high CPU issues due to an unbalanced system, use the auto RRM load balance system instead of redesigning the site tags.

In the other cases…go with the existing site tag design recommendations

Wi-Fi 6E: what’s the impact on migration?

Wi-Fi 6/6E runs on Cisco Catalyst Wireless
Supported Access Points
Wi-Fi 6/6E: C9136, CW9166/64, CW9162
Wi-Fi 6: 9130, 9124, 9120, 9115, 9105
Catalyst 9800 Wireless LAN Controller (WLC)

How do I start adopting 6GHz?
Answer: Inter Release Controller Mobility (IRCM)

Scenario 1: AireOS WLC supports IRCM
• Introduce new 6/6E AP hardware on the new C9800 and support seamless roaming and Guest Anchor with existing networks
• This method allows the smooth coexistence of both WLCs, with RF areas migrated as needed, without any overnight switchover.
• Things to consider:
  • If the controller is limited to 8.5 (5508, 8510), we will need a special IRCM version (8.5.182.104), to connect them to IOS-XE
  • TIP: Always configure the primary/secondary WLC in APs. The new WLC will reject unsupported APs, but if any AP could work in both controller types, this will avoid APs joining the wrong one, or flip-flopping between them, until the migration is ready to proceed
  • Fast & secure roam will only be supported if the WLAN profile is the same on the two WLCs
Note: Anchor WLC can be C9800
Diagram: AireOS Guest Anchor (8.10 / 8.5 IRCM) with Secure Mobility (CAPWAP) tunnels; Catalyst 9800 (17.9.3) with Wi-Fi 6E and Wi-Fi 6 APs and AireOS (8.10 / 8.5 IRCM) with Wi-Fi 5 and older APs in Mobility Group A; fast roaming between them

Customer Migration Scenario
• Move “per RF blocks”
• Move a building or complete floor into the new hardware and software
Avoid “Salt & Pepper” deployments. Do not mix APs on different WLCs at same time.
Diagram: campus map (Gym, Cafeteria, Library, Science, Administration, Physics) with buildings on 2.4/5 GHz and buildings on 2.4/5/6 GHz

How do I start adopting 6GHz?
Answer: Inter Release Controller Mobility (IRCM)

Scenario 2: Catalyst network with W1 APs
You have already started your C9800 journey, Wave 1 APs are still present (1700/2700/3700) and you want to refresh them with Wi-Fi 6E
• Upgrade your C9800 to 17.9.3 (and soon to 17.12.1 for additional AP hardware support)
• Replace older APs with 6E APs and join the same C9800
• Pace your migration by moving APs when ready
• Note: Anchor can be on AireOS as well (8.10 or 8.5 IRCM latest)
Diagram: C9800 Guest Anchor (17.3.7, 17.6.5); Catalyst 9800 (17.9.3, 17.3.7) with Wi-Fi 6E, Wi-Fi 6 and Wi-Fi 5 W1 APs

How do I start adopting 6GHz?
Answer: Inter Release Controller Mobility (IRCM)

Scenario 3: Catalyst network with W1 APs
You have already started your C9800 journey, Wave 1 APs are still present (1700/2700/3700) and you want to refresh them with Wi-Fi 6E. But you don't want to upgrade the existing C9800
• Introduce new AP hardware on the new supported IOS XE release and support seamless roaming and Guest Anchor with existing C9800 networks
• The release combinations shown have been tested at scale, check the IRCM deployment guide*
• Fast & secure roam will only be supported if the WLAN profile is the same on the two WLCs
• Pace your migration by moving APs when ready
• Note: Anchor can be on AireOS as well (8.10 or 8.5 IRCM latest)
(*) https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/b_c9800_wireless_controller-aireos_ircm_dg.html
Diagram: C9800 Guest Anchor (17.3.7, 17.6.5) with Secure Mobility (CAPWAP) tunnels; two Catalyst 9800 WLCs in Mobility Group A, one on 17.9.3 with Wi-Fi 6E and Wi-Fi 6 APs and one on 17.3.7 with Wi-Fi 6 and Wi-Fi 5 W1 APs; fast roaming between them

How do I start adopting 6GHz?
What about outdoor areas?

Scenario 3: Mixed indoor and outdoor areas
• Wi-Fi 6E is not available outdoors yet
• Wi-Fi 6E SSIDs will not be broadcast outdoors
• WLAN Design*:
  • Define a new WLAN/SSID with support for 6 GHz and WPA3 in all bands. This will give you the possibility to have fast & secure roaming between indoor and outdoor on 2.4 and 5 GHz
  • Configure two WLANs with same SSID, one with support for 6 GHz and one only 2.4 and 5 GHz. This would support slow roam only (client will authenticate again and start fresh on roam-to WLC). The roaming can still be seamless (same client IP is maintained)
(*) For more details on WLAN Design, please refer to “Architecting Next Generation Wireless Network with Catalyst Wi-Fi 6E Access Points” - BRKEWN-2024
Diagram: C9800 (17.9.3); indoor area with Wi-Fi 6E and Wi-Fi 6 APs, outdoor area with a mix of outdoor APs; seamless roaming between them

More info?
Where can I find more info?
Wireless and Mobility page on CCO:
https://www.cisco.com/c/en/us/products/wireless/index.html
Other links on CCO:
• C9800 Best Practices:
https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html
• Wireless Migration Tech guide (Partners only):
https://salesconnect.cisco.com/open.html?c=2afc6956-71cd-4562-aab3-2728d3d48d0f
• C9800 YouTube channel:
https://www.youtube.com/results?search_query=ciscowlan
• IRCM Deployment Guide:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/b_c9800_wireless_controller-aireos_ircm_dg.html

Bonus content
More on the Configuration Migration tool
Configuration Migration Tool
Migration Tool output:

Translated (CLI supported in IOS-XE)

Unsupported (CLI not supported in IOS-XE)
config radius auth ipsec authentication hmac-sha1 3
config radius auth ipsec authentication hmac-sha1 4
config radius auth ipsec authentication hmac-sha1 5
config radius auth ipsec authentication hmac-sha1 6
config radius auth ipsec encryption des 3
config radius auth ipsec encryption des 4
config radius auth ipsec encryption des 5
config radius auth ipsec encryption des 6

Not Applicable (CLI deprecated/not used commands)
config spanningtree port mode off 1 ->> "SPT is not applicable in C9800."

Unmapped (CLI supported but not yet translated)
config custom-web webtitle "Welcome To <Company_Name>"

Configuration Migration – Steps
• Step 1 – Upload the AireOS configuration to the online tool
  Recommended: The online tool is updated to the latest CCO release and has the latest fixes. The Migration tool integrated in the WebUI is tied to a specific IOS-XE release (good to check specific feature support) but might not have the latest fixes. Same for the Prime integrated tool
• Step 2 – Analyze the tool output and download the “Translated config”
• Step 3 – Edit the config file as needed. It’s not recommended to copy it directly to bootflash: and use it as running config > need to edit passwords, verify SVIs, ACLs, etc.
• Step 4 – Copy each section of the configuration to C9800’s running-config.
  • Recommendation: use CLI to copy & paste. Alternatively, you can use the CLI embedded tool in WebUI once assigned an IP and login credentials
  • Note: APs are not automatically assigned to tags, no AP or Flex Group conversion

Pushing tags to APs > EEM script (17.3.x)

Pushing tags to the AP (SW < 17.6.1)
Simple script to do “write tag-config” automatically
• Download the script from here: https://github.com/fsedano/eem_ap_push
• On C9800 create a directory under bootflash and load the script > easily done via WebUI:
  1. Administration > Management > File Manager: double click on bootflash
  2. Click on New Folder and create folder “applets”
  3. Double click on new folder and click on Upload file
  4. Load the “appush.tcl” file

Pushing tags to the AP (SW < 17.6)
• Verify the script is there:
C9800#dir bootflash:/applets
Directory of bootflash:/applets/
301922 -rw- 1850 Oct 1 2020 09:46:19 +00:00 appush.tcl

• Configure Embedded Event manager (EEM) to use the script:


C9800(config)#event manager directory user policy "bootflash:/applets"
C9800(config)#event manager policy appush.tcl Primary controller

• Run the command when you want to push the tags to the APs:
C9800#event manager run appush.tcl
Send --> ap name AP1 write tag-config

• Verify on the AP:

Before:
AP1# show capwap client config
[..]snip
AP Policy Tag : UNKNOWN
AP RF Tag : UNKNOWN
AP Site Tag : UNKNOWN
AP Tag Source : 0

After:
AP1# show capwap client config
[..]snip
AP Policy Tag : flex-tag
AP RF Tag : default-rf-tag
AP Site Tag : flex-site
AP Tag Source : 1

Removing AP Tag Persistency
Enter the command no ap tag persistency enable in the Global Configuration Mode as shown below:
9800CL(config)#no ap tag persistency enable

Note: this will disable the feature on C9800, it will NOT remove the tags on the APs. For that you can use the following Advanced Tab setting on AP GUI page
The equivalent exec level command:
C9800#ap name <name> no write tag-config

Or clear the CAPWAP config on the AP

More on site tag Design

Wireless Config Analyzer Express (WCAE)
The wireless engineer trowel
• Do I have a problem with WNCd load balancing?
• WCAE is your friend! Run the WCAE > you get a report like this (starting 17.9):
• This is not a balanced system, but CPU is low > IMPORTANT: No need to redesign!
• WCAE is here: https://developer.cisco.com/docs/wireless-troubleshooting-tools

Site Tags – AP to WNCd distribution
Let’s just change the order of APs joining..
▪ Example: C9800-CL medium (#3 WNCd), six custom site tags with uneven number of APs per tag. Same as before, but with a different join order:
  ▪ Area1 : #20 APs > WNCd0
  ▪ Area3 : #60 APs > WNCd1
  ▪ Area2 : #250 APs > WNCd2
  ▪ Area5 : #170 APs > WNCd0 (all WNCds have #1 tag, starting again from WNCd0)
  ▪ Area4 : #56 APs > WNCd1 (as WNCd0 already has #2 tags)
  ▪ Area6 : #28 APs > WNCd2 (as WNCd2 is the least loaded for # of tags)
▪ The resulting AP to WNCds mapping is the following:
  ▪ WNCd0 > site tags: area1, area5 > #190 (20+170) APs
  ▪ WNCd1 > site tags: area3, area4 > #116 (60+56) APs
  ▪ WNCd2 > site tags: area2, area6 > #278 (250+28) APs
▪ This proves that with software < 17.9.3 (17.10), the distribution of APs across WNCds, and hence the resulting system balance, is dependent on the AP joining order
Fairly balanced: WNCd0 #190, WNCd1 #116, WNCd2 #278

Site Tags – AP to WNCd distribution
Before 17.10 (and 17.9.3), another solution to get to a load balanced system would be to reconfigure the tags to have an even number of APs. Changing tags will trigger a disruption as the APs will go for a CAPWAP restart.
▪ Example: C9800-CL medium (#3 WNCd), six custom site tags with ~even number of APs per tag and APs joining in this order:
  ▪ Area1 : #90 APs > WNCd0
  ▪ Area2 : #95 APs > WNCd1
  ▪ Area3 : #92 APs > WNCd2
  ▪ Area4 : #88 APs > WNCd0 (all WNCds have #1 tag, starting again from WNCd0)
  ▪ Area5 : #105 APs > WNCd1 (as WNCd0 already has #2 tags)
  ▪ Area6 : #114 APs > WNCd2 (as WNCd2 is the least loaded for # of tags)
▪ The resulting AP to WNCds mapping is the following:
  ▪ WNCd0 > site tags: area1, area4 > #178 (90+88) APs
  ▪ WNCd1 > site tags: area2, area5 > #200 (95+105) APs
  ▪ WNCd2 > site tags: area3, area6 > #206 (92+114) APs
▪ System turns out to be balanced
Balanced system: WNCd0 #178, WNCd1 #200, WNCd2 #206

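The placement behaviours described in the site-tag slides (tag-count placement before 17.9.3/17.10 with its join-order dependence, the even-tag redesign, and load-based placement with and without a reboot) can be reproduced with a small model. This is an added example, not Cisco's implementation: the function names, the tie-break to the lowest WNCd index and the largest-load-first pre-allocation are assumptions chosen because they reproduce the per-WNCd AP totals shown on the slides.

```python
"""Model of site-tag to WNCd placement for the six-area example on the slides.

Added illustration, not Cisco code. Assumptions: ties go to the lowest WNCd
index, and the post-reboot pre-allocation is modelled as largest-load-first.
"""

# AP count per site tag (slide values); load is set equal to the AP count.
AREAS = {"area1": 20, "area2": 250, "area3": 60,
         "area4": 56, "area5": 170, "area6": 28}
# Near-even redesign from the bonus slide.
EVEN_AREAS = {"area1": 90, "area2": 95, "area3": 92,
              "area4": 88, "area5": 105, "area6": 114}
JOIN_ORDER_A = ["area1", "area2", "area3", "area4", "area5", "area6"]
JOIN_ORDER_B = ["area1", "area3", "area2", "area5", "area4", "area6"]


def place(order, weight, wncds=3):
    """Put each tag, in the given order, on the WNCd with the lowest score."""
    score = [0] * wncds
    placement = [[] for _ in range(wncds)]
    for tag in order:
        target = min(range(wncds), key=lambda i: (score[i], i))
        placement[target].append(tag)
        score[target] += weight(tag)
    return placement


def by_tag_count(order, wncds=3):
    """Before 17.9.3/17.10: least loaded by number of site tags."""
    return place(order, lambda tag: 1, wncds)


def by_load_join_order(loads, order, wncds=3):
    """Load configured, no reboot: least loaded by load, still in join order."""
    return place(order, loads.__getitem__, wncds)


def by_load_preallocated(loads, wncds=3):
    """Load configured and WLC rebooted: independent of join order.

    Modelled (assumption) as placing the largest load first.
    """
    order = sorted(loads, key=lambda tag: (-loads[tag], tag))
    return place(order, loads.__getitem__, wncds)


def ap_totals(placement, aps):
    """Number of APs that end up on each WNCd."""
    return [sum(aps[tag] for tag in tags) for tags in placement]


def spread(totals):
    """Gap between the busiest and the least busy WNCd, in APs."""
    return max(totals) - min(totals)


def report():
    cases = {
        "tag count, join order A": (by_tag_count(JOIN_ORDER_A), AREAS),
        "tag count, join order B": (by_tag_count(JOIN_ORDER_B), AREAS),
        "tag count, even tags": (by_tag_count(list(EVEN_AREAS)), EVEN_AREAS),
        "load, no reboot, order A": (by_load_join_order(AREAS, JOIN_ORDER_A), AREAS),
        "load, after reboot": (by_load_preallocated(AREAS), AREAS),
    }
    rows = []
    for name, (placement, aps) in cases.items():
        totals = ap_totals(placement, aps)
        rows.append((name, totals, spread(totals)))
    return rows


if __name__ == "__main__":
    for name, totals, gap in report():
        print(f"{name:28} APs per WNCd {totals}  spread {gap}")
```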
Configuring the site tag Load- WebUI
Configuration > Tags & Profiles > Tags -> Site

Load* = Estimate of the relative load contributed by this group of APs (site-tag). AP count can be
used as a good approximation.

Verifying the site tag Load- CLI
C9800#show wireless loadbalance tag affinity

Tag      Tag type   No of AP's Joined   Wncd Instance
------------------------------------------------------------------------
area2    SITE TAG   250                 0
area5    SITE TAG   170                 1
area1    SITE TAG   20                  0
area3    SITE TAG   60                  0
area4    SITE TAG   56                  0
area6    SITE TAG   28                  0

Slide callouts: area2 > #250 APs; area5 > #170 APs; area1, area3, area4, area6 > #164 APs

Questions on AP <> WNCd load balancing
Q1: I have a C9800-80 and 12 site tags. Given the recommendation to use #8 site tags or multiple and evenly distribute APs, shall I redesign?
A1: No site tag redesign should be done unless there is a high CPU utilization issue. If you do have an issue and your deployment is a large venue, with a large roaming domain, then it’s recommended to use the same number of site tags as WNCds
Q2: I have an existing deployment (site tags already configured) and I add new site tags and configure the load parameter only on the new ones, what is going to happen?
A2: This is not recommended. If load is configured, it should be configured on all tags, existing and new. Otherwise, the load balance will not be efficient
Q3: I have configured the load and rebooted the WLC; after some time, I want to tweak the load configuration of a few site tags. If I change the load on these tags, what’s going to happen?
A3: The load balance will not be the best until you reboot the WLC again. If not rebooted and the APs disconnect and re-join, they will be load balanced based on the least loaded WNCd instance and dependent on the order of AP join

Setting Primary/Secondary/Tertiary (EEM script)
Moving APs between C9800 controllers
Event Manager script

• (Optional) Configure a first EEM script to just get the number of APs and print the configuration to
be pushed. Just copy and paste the below lines in configuration mode:
event manager applet CHECK_APS
event none
action 101 cli command "en"
action 102 cli command "term len 0"
action 104 cli command "sh ap summary | ex AP Name|Number of APs:|-----------------------------"
action 106 foreach line "$_cli_result" "\n"
action 107 regexp "^([^ ]+).*\r$" "$line" _match _AP_NAME
action 108 if $_regexp_result eq "1"
action 113 puts "ap name $_AP_NAME controller primary WLC1 IP1"
action 114 puts "ap name $_AP_NAME controller secondary WLC2 IP2"
action 115 puts "ap name $_AP_NAME controller tertiary WLC3 IP3"
action 116 end
action 117 end

• Run the script with the following command:


C9800#event manager run CHECK_APS

Moving APs between C9800 controllers
Event Manager script
• Configure the actual EEM script to push the Primary/Secondary and, if needed, Tertiary configuration to the APs. This applies to all the APs you have on the controller:
event manager applet PRIMARY_SECONDARY_TERTIARY
event none maxrun 600
action 101 cli command "en"
action 102 cli command "term len 0"
action 104 cli command "sh ap summary | ex AP Name|Number of APs:|-----------------------------"
action 106 foreach line "$_cli_result" "\n"
action 107 regexp "^([^ ]+).*\r$" "$line" _match _AP_NAME
action 108 if $_regexp_result eq "1"
action 110 cli command "ap name $_AP_NAME no controller primary WLC1"
action 111 cli command "ap name $_AP_NAME no controller secondary WLC2"
action 112 cli command "ap name $_AP_NAME no controller tertiary WLC3"
action 123 cli command "ap name $_AP_NAME controller primary C9800-OEAP 2.228.173.185"
action 124 cli command "ap name $_AP_NAME controller secondary Gladius1 192.168.25.41"
action 125 cli command "ap name $_AP_NAME controller tertiary Gladius2 192.168.25.42"
action 135 end
action 136 end
action 141 cli command "sh ap config general | i Cisco Controller"
action 142 puts "Final Configuration:"
action 143 puts "($_cli_result)"

!! In case of fallback disabled or you want to move APs immediately, add this line
action 126 cli command "ap name $_AP_NAME reset capwap"

Moving APs between C9800 controllers
Event Manager script - verification

• AP is not configured with Primary/Secondary/Tertiary


C9800#sh ap name AP-1815 config general | b Primary Cisco Controller Name
Primary Cisco Controller Name : Not Configured
Primary Cisco Controller IP Address : 0.0.0.0
Secondary Cisco Controller Name : Not Configured
Secondary Cisco Controller IP Address : 0.0.0.0
Tertiary Cisco Controller Name : Not Configured
Tertiary Cisco Controller IP Address : 0.0.0.0
Administrative State : Enabled

• Let’s verify if settings are correct first (only one AP is on the WLC):
C9800#event manager run CHECK_APS
ap name AP-1815 controller primary C9800-1 10.1.1.1
ap name AP-1815 controller secondary C9800-2 1 10.2.2.2
ap name AP-1815 controller tertiary C9800-3 10.3.3.3

Moving APs between C9800 controllers
Event Manager script - verification

• Push the configuration to the APs


C9800#event manager run PRIMARY_SECONDARY_TERTIARY
Final Configuration:
Primary Cisco Controller Name : C9800-1
Primary Cisco Controller IP Address : 10.1.1.1
Secondary Cisco Controller Name : C9800-2
Secondary Cisco Controller IP Address : 10.2.2.2
Tertiary Cisco Controller Name : C9800-3
Tertiary Cisco Controller IP Address : 10.3.3.3

• Let’s verify if settings have been applied


C9800#sh ap name AP-1815 config general | b Primary Cisco Controller Name
Primary Cisco Controller Name : C9800-1
Primary Cisco Controller IP Address : 10.1.1.1
Secondary Cisco Controller Name : C9800-2
Secondary Cisco Controller IP Address : 10.2.2.2
Tertiary Cisco Controller Name : C9800-3
Tertiary Cisco Controller IP Address : 10.3.3.3
Administrative State : Enabled
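
A check for the verification step above, as an added example (not part of the original slides): it parses `show ap name ... config general` output and reports every controller slot that differs from the intended priming. The function names and the `EXPECTED` mapping are assumptions; the sample text is constructed in the format shown on the slides.

```python
import re

# Intended priming per slot; values copied from the slide's verification output.
EXPECTED = {
    "Primary": ("C9800-1", "10.1.1.1"),
    "Secondary": ("C9800-2", "10.2.2.2"),
    "Tertiary": ("C9800-3", "10.3.3.3"),
}

# Matches e.g. "Primary Cisco Controller IP Address : 10.1.1.1"
FIELD = re.compile(
    r"^\s*(Primary|Secondary|Tertiary) Cisco Controller (Name|IP Address)\s*:\s*(.*?)\s*$"
)

def parse_controllers(show_output):
    """Return {slot: (name, ip)} parsed from 'show ap name X config general' text."""
    fields = {}
    for line in show_output.splitlines():
        m = FIELD.match(line)
        if m:
            slot, kind, value = m.groups()
            fields.setdefault(slot, {})[kind] = value
    return {s: (f.get("Name"), f.get("IP Address")) for s, f in fields.items()}

def priming_mismatches(show_output, expected=EXPECTED):
    """List (slot, expected, found) for each slot that is absent or differs."""
    found = parse_controllers(show_output)
    return [(slot, want, found.get(slot))
            for slot, want in expected.items() if found.get(slot) != want]

# Constructed samples in the format shown on the slides.
BEFORE = """\
Primary Cisco Controller Name : Not Configured
Primary Cisco Controller IP Address : 0.0.0.0
Secondary Cisco Controller Name : Not Configured
Secondary Cisco Controller IP Address : 0.0.0.0
Tertiary Cisco Controller Name : Not Configured
Tertiary Cisco Controller IP Address : 0.0.0.0
Administrative State : Enabled
"""
AFTER = """\
Primary Cisco Controller Name : C9800-1
Primary Cisco Controller IP Address : 10.1.1.1
Secondary Cisco Controller Name : C9800-2
Secondary Cisco Controller IP Address : 10.2.2.2
Tertiary Cisco Controller Name : C9800-3
Tertiary Cisco Controller IP Address : 10.3.3.3
Administrative State : Enabled
"""
DRIFTED = AFTER.replace("10.2.2.2", "10.9.9.9")  # secondary points elsewhere

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("drifted", DRIFTED)):
        print(label, priming_mismatches(text) or "OK")
```

Running it per AP after the EEM script completes gives a quick list of APs that would join a controller other than the intended one on their next discovery.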

More on Migration scenarios
How do I start adopting 6GHz?
Answer: Inter Release Controller Mobility (IRCM)

Scenario 5: AireOS WLC not supporting IRCM

• Not possible to establish IRCM between the AireOS controller and the new 9800 handling Wi-Fi 6E APs
• Limited options available > Forces a more aggressive migration process.
• Migration considerations:
  • Keep the two networks separated; migrate physical RF areas as new APs are added.
  • Fast and seamless roaming is not possible.
  • Avoid migrations “per floor”: in most building types, it is normal to see clients roaming between APs on different floors.
  • Temporarily replace the legacy controller with one that supports IRCM.

[Diagram labels: AireOS Guest Anchor (8.10, 8.5 IRCM); Secure Mobility (CAPWAP); Catalyst 9800 (17.9.2) with Wi-Fi 6E and Wi-Fi 6 APs; AireOS (8.3) with Wi-Fi 5 Wave 1 and older APs; No Fast roaming]

Access Points – Migration Options Reference

Model/Series        | Last AireOS support | IOS-XE Support | Wi-Fi 6 AP Equivalent | Wi-Fi 6E AP Equivalent | Migration Notes
--------------------|---------------------|----------------|-----------------------|------------------------|----------------
700/700W Series     | 8.10                | Not supported  | 9105                  | 9162                   | Migration through IRCM
1040                | 8.3                 | Not supported  | 9115                  | 9164                   | AP needs to be replaced
1260                | 8.3                 | Not supported  | 9115                  | 9164                   | AP needs to be replaced
1600                | 8.5                 | Not supported  | 9115                  | 9164                   | Either 8.5 IRCM, or Hardware replaced
1700                | 8.10                | 17.3           | 9115                  | 9164                   | Migration through IRCM
2700                | 8.10                | 17.3           | 9120                  | 9166                   | Migration through IRCM
3700                | 8.10                | 17.3           | 9120                  | 9166                   | Migration through IRCM
1810                | 8.10                | Up to 17.3     | 9105                  | 9162                   | Hardware replaced or IRCM between IOS-XE versions
1815/1830/1840/1850 | 8.10                | Supported      | 9105                  | 9162                   | Directly supported
2800/3800/4800      | 8.10                | Supported      | 9120/9130             | 9164/9166              | Directly supported
1540                | 8.10                | Supported      | 9124                  | NA                     | Directly supported
1550                | 8.5                 | Not supported  | NA                    | NA                     | Migration through IRCM
1560                | 8.10                | Supported      | 9124                  | NA                     | Directly supported
1570                | 8.10                | Up to 17.3     | 9124                  | NA                     | Migration through IRCM

Complete List: Cisco Wireless Solutions Software Compatibility Matrix: https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

AireOS and IOS-XE coexistence – RF Grouping
RRM works in a mixed controller environment, and you can have one RF master. It’s recommended not to rely on RF leader auto election and to select the RF Master statically.

• C9800 and AireOS controllers can create one RF domain and share a common RF plan
• The RF group name on both AireOS and C9800 controllers needs to match
• 8.10 is recommended on AireOS
• An RF leader is elected (based on controller capacity) and a common channel and power plan will be used for all APs
• APs will not show up as rogue on the other controller
• NOTE: if you have custom RF profiles or Flexible Radio Assignment (FRA), then Policy, RF Tags and Profile names need to match the AP Group and RF profile names on the AireOS WLC.

[Diagram labels: Catalyst 9800 and AireOS WLC in a common RF Group with one RF Leader; CAPWAP tunnel; RF tag = Floor1, Policy tag = Floor1; RF tag = Floor2, Policy tag = Floor2; AP Group = Floor1]

AireOS and IOS-XE coexistence – RF Grouping
Consider the group leader priority (listed from lower priority at the top to higher priority at the bottom):

Group Leader      | Maximum AP's | Maximum AP / RF Group
------------------|--------------|----------------------
3504              | 150          | 500
C9800-L           | 250          | 500
5508              | 500          | 1000
C9800-CL (Small)  | 1000         | 2000
5520              | 1500         | 3000
C9800-40          | 2000         | 4000
C9800-CL (Medium) | 3000         | 6000
8510/8540         | 6000         | 6000
C9800-CL (Large)  | 6000         | 12000
C9800-80          | 6000         | 12000

[Diagram labels: Catalyst 9800 and AireOS WLC; common RF Group name; RF Leader]

AireOS and IOS-XE coexistence – RF Grouping
For large scale and high-density deployments, with thousands of APs and heavy roaming, consider placing each WLC in a separate RF group

• In a very large deployment, C9800 and AireOS controllers should be configured with their own respective RF domain
• The RF group name on the AireOS and C9800 controllers will be different
• If seamless roaming is desired at the border zones between the RF domains:
  • Place the APs in the same mobility group
  • APs will not show up as rogue on the other controller in this case

[Diagram labels: Catalyst 9800 in RF Group 1, Mobility Group A; AireOS WLC in RF Group 2, Mobility Group A; different RF Group name; CAPWAP tunnel; Border Zones]

Design for AireOS and IOS XE coexistence during migration

AireOS and IOS-XE coexistence
Inter Release Controller Mobility (IRCM) is your friend!

Primary questions:
• Is seamless and fast roaming needed?
• Is Guest Anchor deployed?
• Is a unique Dynamic Channel and Power plan needed across Controllers (Cisco RRM)?

RRM = Radio Resource Management

[Diagram labels: Mobility Group; Catalyst 9800 Deployment; AireOS WLC Deployment]

AireOS and IOS-XE coexistence – Roaming
• Mobility Group provides seamless roaming between WLCs
• IRCM guarantees support for mobility across different platforms and releases
• Mobility Group between AireOS and IOS-XE WLCs is only supported on:
  • 3504, 5520, 8540 (8.10 recommended)
  • 5508, 8510 with 8.5 IRCM (special release)
• This is because C9800 only supports CAPWAP based mobility tunnels (Secure Mobility)
• Note: Secure Mobility is NOT supported on AireOS WISM2, 7510, 2500 and virtual WLC (vWLC)

[Diagram labels: Secure Mobility (CAPWAP); Catalyst 9800 Deployment; AireOS WLC (8.10, 8.5 IRCM); AireOS Deployment]

AireOS and IOS-XE coexistence – Roaming
• All client roaming between AireOS WLC and C9800 is L3 roaming
• The client session will be anchored to the first WLC that the client has joined
• The point of presence to the wired network doesn’t change when roaming between C9800 and AireOS and vice versa
• This is independent of the VLAN mapped to the SSID on the wired side

[Diagram labels: int vlan 10, ip address 10.10.10.1; Catalyst 9800, Trunk: vlan 10; AireOS (8.10, 8.5 IRCM), Trunk: same or different VLAN; Secure CAPWAP tunnel; Catalyst 9800 Deployment; AireOS Deployment; Seamless roaming; client IP 10.10.10.122 on both sides]

AireOS and IOS-XE coexistence – Roaming
Recommendations:
• In the Design Migration phase, whenever possible, use different VLAN IDs and use different subnets
• Consequence: a client will get a different IP depending on whether it joins the 9800 or AireOS first; seamless roaming is guaranteed either way
• When this might not be possible:
  • Customer is not willing to change the VLAN design when adding C9800 (this might include AAA and Firewall changes)
  • Customer leverages Public IP subnets so they don't have another subnet to assign
  • Customer leverages Static IPs

[Diagram labels: int vlan 10, ip address 10.10.100.1; Catalyst 9800, Trunk: vlan 10; AireOS (8.10, 8.5 IRCM), Trunk: vlan 100; Secure CAPWAP tunnel; Catalyst 9800 Deployment; AireOS Deployment; Seamless roaming; client IP 10.10.100.25 on both sides]

Customer Migration scenario: Mobility Config.
Make sure configuration matches on both sides. No need for Data Link Encryption, so disable it:

[Screenshots: mobility configuration on AireOS and on IOS XE]

AireOS and IOS-XE coexistence – Guest Anchor
• Same IRCM code recommendations apply for Foreign – Anchor
• List of parameters that must match between Foreign and Anchor:
  • WLAN and Policy profile names
  • WLAN profile > security settings
  • Policy profile > DHCP settings
  • WebAuth parameter-map name and type
• Note: When anchoring to and from AireOS, use the IRCM image and match WLAN profile name, security and DHCP settings

[Diagram labels: C9800 Guest Anchor; Secure Mobility (CAPWAP); Catalyst 9800 Deployment; AireOS (8.10, 8.5 IRCM) Deployment]

Customer Migration scenario: Moving APs between WLCs @scale

Moving APs between WLCs @scale
How to move APs between WLCs @ scale? The best way is to change the Primary WLC for all the APs you want to move > Priming the APs with the new WLC’s IP
1. Match the C9800-1 configuration, using a different set of IPs for the Management interface
2. Configure C9800-2 with the same AP tags and enable tag persistency on both WLCs
3. On C9800-1, change the primary WLC on the APs to point to C9800-2. This can be done easily with the DNA Center Configure AP workflow or with the new Priming Profile in 17.10. Without Cisco DNA Center, for releases before 17.10, see the Event Manager script in bonus slides
4. APs will move to C9800-2. In this case, the AP will download the new code, reboot and join again

[Diagram labels: C9800-1 and C9800-2, each with Site tag, Policy tag, RF tag and AP tag persistency; config file; AP image; capwap; AP config: Primary: C9800-2, C9800-CL, Secondary: C9800-1]

DNA Center: Configure AP workflow
1. Choose the “Configure Access Point” Workflow
2. Select the APs to be primed
3. Configure Primary and optionally Secondary WLC
4. Schedule the changes
5. Review and apply the configuration

NEW in Catalyst 9800 IOS-XE 17.10.1

AP Priming Profile and AP Priming Filter

AP Priming Profile
• Contains the hostname and IP address of the Primary, Secondary, and Tertiary WLCs
• Primary and Secondary WLCs are mandatory
• Mapped to an AP Priming Filter

AP Priming Filter
• Similar structure as the filter for AP tag mapping
• Uses RegEx string to match APs based on their names > need APs to be named!
• Applies the mapped AP Priming Profile to the matched APs

AP Priming Profile and Filter - Considerations
• Max of 128 AP Priming Profiles can be configured
• Max of 1024 AP filters can be configured
  • Either for AP tag mapping or AP priming
  • Reduces number of AP filters available for tagging
• Pre-requisite: APs need to have a name to use the AP Priming filter

Configuring the AP Priming Profile
C9800# configure terminal
C9800(config)# wireless profile ap priming <Priming Profile Name>
C9800(config-priming)# primary <Primary WLC Name> <Primary WLC IP Address>
C9800(config-priming)# secondary <Secondary WLC Name> <Secondary WLC IP Address>
C9800(config-priming)# tertiary <Tertiary WLC Name> <Tertiary WLC IP Address>
C9800(config-priming)# priming-override

priming-override: Overrides existing priming configurations; NEEDED for already configured APs – Not enabled by default

Example of AP Priming Profile:
wireless profile ap priming ap-priming-profile
 primary C9800-2 10.10.110.3
 secondary C9800-1 10.10.210.3
 priming-override

Configuring the AP Priming Filter

C9800# configure terminal
C9800(config)# ap filter name <Filter Name> type priming
C9800(config-ap-pr-filter)# ap name-regex <RegEx String to Match>
C9800(config-ap-pr-filter)# profile <AP Priming Profile Name>

Example Priming Filter:

ap filter name ap-priming-filter type priming
 ap name-regex (SITE)*
 profile ap-priming-profile

Activate AP Filter

C9800# configure terminal


C9800(config)# ap filter priority <Priority Number> filter-name <Filter Name>

Example Filter Priority:

ap filter priority 1 filter-name ap-priming-filter
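
A dry run for a priming filter like the one above, as an added example (not Cisco code): it previews which AP names a name-regex selects before the filter is activated. It assumes unanchored, Python-style matching, which the slides do not confirm for the controller; the function names and the AP inventory are constructed. Under that assumption `(SITE)*` selects every AP, because the group may repeat zero times.

```python
import re

def lint_priming_regex(pattern, ap_names, intended):
    """Preview an AP name-regex against an inventory before using it in a filter.

    Assumes unanchored, Python-style matching (not confirmed by the slides).
    """
    rx = re.compile(pattern)
    selected = {name for name in ap_names if rx.search(name)}
    wanted = set(intended)
    return {
        # The pattern can match zero characters: it usually selects every name.
        "matches_empty": rx.search("") is not None,
        # APs that would be primed although they were not meant to move.
        "unintended": sorted(selected - wanted),
        # APs that were meant to move but would keep their current priming.
        "missed": sorted(wanted - selected),
    }

def safe_to_activate(report):
    """True only if the pattern selects exactly the intended APs."""
    return not (report["matches_empty"] or report["unintended"] or report["missed"])

# Constructed inventory: two site APs to migrate, a statically assigned AP,
# a lab AP, and an unnamed AP with a MAC-style default name.
AP_NAMES = [
    "SITE1-9120-1",
    "SITE2-9130-4",
    "Static-9120-1",
    "LAB-9105-7",
    "AP70DB.98E1.2C40",
]
INTENDED = ["SITE1-9120-1", "SITE2-9130-4"]

if __name__ == "__main__":
    # "(SITE)*" is the slide's pattern; the others are tighter alternatives
    # in Python syntax (check what the controller's regex engine accepts).
    for pattern in ("(SITE)*", "^SITE", "^SITE1-"):
        report = lint_priming_regex(pattern, AP_NAMES, INTENDED)
        print(pattern, report, "OK" if safe_to_activate(report) else "REVIEW")
```

Since `priming-override` replaces existing priming on every matched AP, an over-broad pattern moves more APs than planned on their next join.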

Statically Assign AP Priming Profile using MAC

C9800# configure terminal
C9800(config)# ap <MAC Address>
C9800(config-ap-tag)# profile <AP Priming Profile Name>

Example Static Assignment:

ap aaaa.bbbb.cccc
 profile ap-priming-profile

Verification
AP Priming Profile

C9800# show ap filters all type priming


Filter Name Regex Priming Profile
--------------------------------------------------------------------------------------------------------
ap-priming-filter (SITE)* ap-priming-profile

C9800# show wireless profile ap priming summary


Number of AP Priming Profiles: 1
Profile Name
---------------------------------
ap-priming-profile

C9800# show wireless profile ap priming detailed ap-priming-profile


Profile Name : ap-priming-profile
Primary Controller Name : C9800-2
Primary Controller IP : 10.10.110.3
Secondary Controller Name : C9800-1
Secondary Controller IP : 10.10.210.3
Tertiary Controller Name :
Tertiary Controller IP : 0.0.0.0
Override : Enabled

Verification
Correct Priming Profile Assigned – Controller Side

Profile Assigned using Filter:


C9800# show ap name SITE1-9120-1 config general | sec Priming
Priming Profile : ap-priming-profile
Priming Override : Enabled
Priming Source : Filter
Priming Filter name : ap-priming-filter

Profile Assigned using Static Assignment:

C9800# show ap name Static-9120-1 config general | sec Priming


Priming Profile : ap-priming-profile
Priming Override : Enabled
Priming Source : MAC

Verification
Correct Priming Profile Assigned – AP Side

SITE1-9120-1# show capwap client configuration | inc controller
Primary controller name : C9800-2
Primary controller IP : 10.10.110.3
Secondary controller name : C9800-1
Secondary controller IP : 10.10.210.3
Tertiary controller name :
