Solved: Re: Cisco Catalyst 9800-L and DNA question

M Tech · ‎10-13-2022

Hello Experts,

We are planning to deploy Cisco Catalyst 9800-L controller with a mix of different model access points: new Catalyst 9162, Aironet 3800s and Aironet 3700s.

- On the controller datasheet it says that in order to connect access points, DNA license is required for each AP. Does it mean we also need to deploy Cisco DNA Center - which is beyond our current budget? Or, DNA license is just applied on the Catalyst 9800 controller itself and APs are joined afterwards?

- Cisco DNA license is available with 3,5 and 7 year validity. For example if we purchase 3 year DNA license, then after its expiration does the controller stop joining APs?

- For older Aironet 3700s, would there be any issue to join Catalyst 9800 controller?

- We will be deploying two Catalyst 9800-L controllers (A. and B.) in HA setup. And, we will apply DNA license that covers all existing APs (for instance 150) on the primary controller A. Then, down the road, in case if the primary controller A. fails then would the DNA license automatically transfer to the secondary controller B.? Or. do we again have to buy DNA license for controller B. ?

Also, if you did similar deployment previously what would you advice to watch out for or any concerns etc?

Many thanks

Arshad Safrulla · ‎10-14-2022

Hi,

You cannot have 9162 and 3700 registering to the same WLC due to compatibility issues. Please refer the compatibility matrix listed below in my signature.

Are you planning on HA SSO or N+1 for WLC? In both the cases you just need to sync the WLC with the smart account. I prefer to use direct connectivity to SSM from the WLC. Refer the below link for configuration guide

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Amsterdam 17.3.x - Smart Licensing [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco

For each AP AIR-DNA license is mandatory. So to answer your question AP license is not bound to the WLC, rather to the AP itself. So when smart licenses are used it doesn't matter which WLC, AP is registered to. It will simply consume one license from the smart account. Also to be noted that Cisco doesn't enforce any license restrictions on the 9800L as of today, (which might change in the future and good to have it synced to avoid legal issues).

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

View solution in original post

Rich R · ‎10-17-2022

I think he was hoping he could run his 3700's on 17.9.1.
As I already explained, the last release to support the 3700's is 17.3.x - you cannot use them with 17.9.1
IW3700 is a specific exception to that - the firmware they run is irrelevant - the controller will not allow the others to register.
Take note of @Arshad Safrulla's advice if you want to keep the 3700's - you'll need a separate controller running 17.3.x to support them.
But remember 17.3 itself is approaching end of life https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-17/ios-xe-17-3-x-eol.html End of software maintenance (bugfixes) by March 2023 and End of Vulnerability/Security Support by September 2023.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

View solution in original post

Rich R · ‎10-19-2022

We have it running on ESX in lab and not seen any problems but that's very low load so can't comment on stability under load.
You'll need to test it for your use case and expected load.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

View solution in original post

Haydn Andrews · ‎10-13-2022

DNA Licensing just what Cisco is calling it these days - no requirement for DNA Centre to be deployed. Licensing is per AP and applied to WLC via your smart licensing portal.

3700s can join the 9800 just check the software compadibility matrix as there are cavearts there - https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

Reference what happens post the expiry of the subscription licensing model - your APs keep working an so does the WLC for new AP joins - currently its an honor system

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

M Tech · ‎10-13-2022

Thank you very much Mr. Andrews for your reply. It is much appreciated!

I just realized that I left another important question:

We will be deploying two Catalyst 9800-L controllers (A. and B.) in HA setup. And, we will apply DNA license that covers all existing APs (for instance 150) on the primary controller A. Then, down the road, in case if the primary controller A. fails then would the DNA license automatically transfer to the secondary controller B.? Or. do we again have to buy DNA license for controller B. ?

Arshad Safrulla · ‎10-14-2022

Hi,

You cannot have 9162 and 3700 registering to the same WLC due to compatibility issues. Please refer the compatibility matrix listed below in my signature.

Are you planning on HA SSO or N+1 for WLC? In both the cases you just need to sync the WLC with the smart account. I prefer to use direct connectivity to SSM from the WLC. Refer the below link for configuration guide

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Amsterdam 17.3.x - Smart Licensing [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco

For each AP AIR-DNA license is mandatory. So to answer your question AP license is not bound to the WLC, rather to the AP itself. So when smart licenses are used it doesn't matter which WLC, AP is registered to. It will simply consume one license from the smart account. Also to be noted that Cisco doesn't enforce any license restrictions on the 9800L as of today, (which might change in the future and good to have it synced to avoid legal issues).

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

M Tech · ‎10-17-2022

Thank you so much, Arshad!

We are planning HA SSO setup. We will follow your suggestion. Instead of CW9166s we can buy 4800s.

On the said compatibility matrix, it states that Cisco IOS XE Cupertino 17.9.1 version will support 9166s, Aironet 3800s and Cisco Industrial Wireless 3700 Series. Aside from rugged design what is difference between regular vs industrial version of Aironet 3700 APs? Do they run different firmware?

Arshad Safrulla · ‎10-17-2022

If I were you, I would look away from all the Catalyst AP’s including the AX compatible APs and lean more towards any CW series APs in your case 9166. 4800 is a not a wise choice considering it has EOS dates announced.
To address the software limitations what I would do

1. Replace all the older generation AP’s with newer APs (Most of the wave1 17xx,27xx,37xx APs are goin EOL very soon)

2. Incase I have to have an environment with both older and newer APs, I would consider running a VM instance for 9800-CL to host the older AP’s or extend the support for the older WLC if feasible.

Regarding the differences between IW and AIR models of 3702, IW3702 is still supported and it is a beast designed to work even in the most challenging environments. If you want IW series APs then I would look towards 9167.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Rich R · ‎10-17-2022

I think he was hoping he could run his 3700's on 17.9.1.
As I already explained, the last release to support the 3700's is 17.3.x - you cannot use them with 17.9.1
IW3700 is a specific exception to that - the firmware they run is irrelevant - the controller will not allow the others to register.
Take note of @Arshad Safrulla's advice if you want to keep the 3700's - you'll need a separate controller running 17.3.x to support them.
But remember 17.3 itself is approaching end of life https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-17/ios-xe-17-3-x-eol.html End of software maintenance (bugfixes) by March 2023 and End of Vulnerability/Security Support by September 2023.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

M Tech · ‎10-19-2022

Many many thanks Arshad and Rich! It is sincerely appreciated.

We already use VMware based virtual platform for many years. I am wondering how stable is running Catalyst 9800-CL as virtual machine on VMware ESXi hosts. Would you recommend it for production environment?

Rich R · ‎10-19-2022

We have it running on ESX in lab and not seen any problems but that's very low load so can't comment on stability under load.
You'll need to test it for your use case and expected load.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Rich R · ‎10-15-2022

To expand on what @Arshad Safrulla said because that was the first thing that caught my attention:
17.3.x is the LAST release which will support 3700's.
17.9.2/17.10.1 (still to be released) will be the FIRST releases to support 9162
So there is no release which can support both AP models.
Suggest you plan for replacement of the 3700 APs as they are almost end of support anyway: https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-3700-series/eos-eol-notice-c51-740710.html

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs