@Mark Elsen I am back on the 9800 WLC after configuring everything and decided to go back to the original config on this post that I started with using Vlan10 as the VLAN for WLC interface and the VLAN100 for the SVI Interface. I am using the appliance and tried to configure interface GigabitEthernet1 as a switchport access Vlan10 and got "Command rejected: Gi1 is not a switching port." So I do not have the interface GigabitEthernet0/1.

My operational status is still down as per the previous messages we spoke about. I tried your instructions as you can tell and still have the same issue.

  - @dcgtechnologies    >...I started with using Vlan10 as the VLAN for WLC interface and the VLAN100 for the SVI Interface
                                     A bit confusing , each Vlan  has it's SVI interface (when active used).
                                     What vlan do you intend to use for managing the controller and what vlan do you
                                     intend to use for the Wireless Management Interface ?

                                                   >... I am using the appliance 
                                    Which appliance , are referring to the virtual 9800 controller here too ?

                                                   >...Command rejected: Gi1 is not a switching port."
                                    Can you on the (virtual) 9800 controller post the output of show run int gi1

 M.

@Mark Elsen              >...I started with using Vlan10 as the VLAN for WLC interface and the VLAN100 for the SVI Interface
                                     A bit confusing , each Vlan  has it's SVI interface (when active used).
                                     What vlan do you intend to use for managing the controller and what vlan do you
                                     intend to use for the Wireless Management Interface ?

                                     I want to use VLAN10 for managing the controller and use VLAN100 for the Wireless Management Interface

                                     >... I am using the appliance 
                                    Which appliance , are referring to the virtual 9800 controller here too ?

                                     That is correct. The virtual 9800 Controller appliance.

                                     >...Command rejected: Gi1 is not a switching port."
                                    Can you on the (virtual) 9800 controller post the output of show run int gi1

                                         See below:

ciscowlc#show run int gi1
Building configuration...

Current configuration : 133 bytes
!
interface GigabitEthernet1
no switchport
vrf forwarding Mgmt-intf
ip address 192.168.1.30 255.255.255.0
negotiation auto
end

Thank you.

 - @dcgtechnologies    You need to remove all those directives for  Gi1 , except negotiation auto can stay.
                                    In the 9800 framework you must assign that ip address to VLAN 10 (Gi1 is for managing the controller)
                                                         Then you must put Gi1 in VLAN 10

  M.

@Mark Elsen I added the VLAN10 to the interface Gi1. See config below:

interface GigabitEthernet1
switchport access vlan 10
switchport mode access
negotiation auto

then I added the IP Address to VLAN10. See config below:

interface Vlan10
ip address 192.168.1.243 255.255.255.0
no ip proxy-arp

See show vlan output:

Based on the output the vlan is assigned to the Gi1 Interface, but I am not able to reach the interface and I have searched to now at a dead end. It worked before when the IP Address is assigned directly to the Gi1 Interface, but now it is not reachable. Any ideas or something I am missing? Thank you.

  - - @dcgtechnologies    Change the running configuration of Gi1 like this :
                                            interface Gi1
                                                          switchport trunk native vlan 10
                                                           switchport mode trunk
                        

   M.
                                                 

@Mark Elsen I did that previously and tried it in a trunk and as access port and it still not reachable. I get Destination host unreachable, and I have rebooted the WLC a few times. Here are the interfaces below:

Show config:

interface GigabitEthernet1
switchport trunk native vlan 10
switchport mode trunk
negotiation auto
!
interface GigabitEthernet2
switchport trunk allowed vlan 100
switchport mode trunk
negotiation auto
!
interface Vlan1
no ip address
no ip proxy-arp
!
interface Vlan10
ip address 192.168.1.243 255.255.255.0
no ip proxy-arp
!
interface Vlan100
ip address 192.168.10.240 255.255.255.0
no ip proxy-arp

Gi1 works great if it has an IP Address assigned to it and no switchport and not assigned to a Vlan. I am guessing it would be a service port at that point. I had this problem before. It still not working and not able to get to the interface Gi1 to go through the configuration as this is holding me up. Been having this trouble since I set this thing up. Thank you for your help Mark!

 - @dcgtechnologies    This starts looking good ; in the screenshots all interfaces are up and running.
                                     Can you ping 192.168.1.243  locally on the controller ?

                                     Can you also add : ip route 0.0.0.0 0.0.0.0 <def-gateway-address-192.168.1.x>
                                     to the running configuration ?
                                                           Does that help ?

                                    Actually configuring Gi1 as a trunk port is only needed when the address for                       
                                    managing the controller is combined with  the WMI (when using the port for  multiple Vlans)
                                   Since you are using Gi2 for that, both can revert to being an access port in the
                                   correct vlan, as initially outlined (also for Gi2)
                                            Perhaps address the first 2 topics first

  
  M.
                                   

@Mark Elsen  - My responses are noted in "RED"

                                     This starts looking good ; in the screenshots all interfaces are up and running.
                                     Can you ping 192.168.1.243  locally on the controller ?

The answer is Yes. Please see screenshot below:

                                     Can you also add : ip route 0.0.0.0 0.0.0.0 <def-gateway-address-192.168.1.x>
                                     to the running configuration ?

See screenshot below:

                                                           Does that help ?

No it did not help either. I try to ping the device from a desktop computer on my network and get a "Destination Host Unreachable". I totally understand what you are saying and have tried the access port config to on VLAN10 and well same result. Why is it unreachable? Is there a firewall on this device? I am lost at this point, because in theory I should be able to reach the WLC either way. I use the same desktop to configure the 9800 WLC.

                                    Actually configuring Gi1 as a trunk port is only needed when the address for                       
                                    managing the controller is combined with the WMI (when using the port for multiple Vlans)
                                   Since you are using Gi2 for that, both can revert to being an access port in the
                                   correct vlan, as initially outlined (also for Gi2)
                                            Perhaps address the first 2 topics first

So right now I am at a stopping point, because I have tried both combinations, but still not reachable. I want to use Vlan10 for both management and Service port I guess are the right terms. Thank you again Mark!

  - @dcgtechnologies   If you get a "Destination Host Unreachable".   when pinging the controller from a remote destination
                                    that means. That this host can't reach the controller or the vlan 10 network.
                                    Is that host also in vlan 10 ? If not , does it have a routable path to the vlan 10 subnet ?

  M.

@Mark Elsen The controller works fine if I remove the switchport from the interface Gi1 and assign that same IP Address to it. I have two different vSwitches for the controller one tagged with VLAN10 and another tagged with VLAN100 for the Wireless Management. Everything is routing through my firewall, which my firewall interface is unmanaged at this point (I have another post out there struggling with that as well with the vendor). My native vlan is VLAN 10 which it is assigned to all trunks on the switch accept the VMWare trunks that have no native VLAN specified. If the ports on my switch are not a trunk then I have them configured as an Access Port on the designated VLAN I want them on. 

    - @dcgtechnologies      >..The controller works fine if I remove the switchport from the interface Gi1
                                             and assign that same IP Address to it. 
                                         Which you shouldn't do,  you are also referring to the example provided by @Rich R 
                                         That particular setup is only needed when deploying the controller in a remote cloud
                                         such as AWS. Azure or Google Cloud , when 'there is only one way out'

                                         You don't need that in a local vmware setup and or virtual environment  because
                                         then you loose the purpose  of different VLANs for different purposes on the intranet
                                         and connected within the controller.
                                         So you need to go back to the configuration with Vlans and figure out the issue.

                                        One possible approach could be as a test ,  configure a single VM on the VMware 
                                        in VLAN10 with an address ,and try if you can reach it from the outside 
                                        that's a 'starters test'

  M>
                                         

@Mark Elsen I have all my VM's on a vSwitch, which is tagged for VLAN10 on my internal network. Could that be the reason it is not reachable? I know when I tagged the VLAN ID on the physical NIC of a VM it losses connectivity ans when I remove it the VM comes back online. The switch port it is connected to a Trunk for both VLAN10,100......So I would not know what to check, but I can do some digging. My native vlan on the switch for all trunks (NOT VMWARE) are all set to Vlan10. The access port for the machine I use is on an access port set to VLAN10. That is why it is not making sense to me, but I keep digging. I am performing the VLAN tagging on the vSwitch and using the trunk to allow the VLAN10 and 100. I set the trunk up via VMWare's recommendations. Thank you Mark!

  - @dcgtechnologies      Checkout : https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-cl-dg.html#9800CLnetworkinterfacemappings
                                      Also note : >...By default, a hypervisor vSwitch is configured to reject promiscuous mode.
                                                            For 9800-CL, besides the above mapping to the hypervisor interfaces,
                                                            promiscuous mode needs to be set to “accept" in order for the vSwitch
                                                            to carry traffic to the 9800-CL.

  M.