The Wireless Management Interface (WMI) is the mandatory Layer 3 interface on the Cisco Catalyst 9800 Wireless Controller. It is used for all communications between the controller and access points. Also, it is used for all CAPWAP or inter-controller mobility messaging and tunneling traffic.

WMI is also the default interface for in-band management and connectivity to enterprise services, such as, AAA, syslog, SNMP, and so on. You can use the WMI IP address to remotely connect to the device using SSH or Telnet (or) access the Graphical User Interface (GUI) using HTTP or HTTPs by entering the wireless management interface IP address of the controller in the address field of your browser.

The Cisco Catalyst 9800 Series Wireless Controller should be able to use Ethernet Service Port (SP) (Management Interface VRF/GigabitEthernet 0) for the below management/control plane protocols from release 17.6.1 onwards:

• SNMP

• RADIUS (both for user authentication to the box and wireless client authorization)

• TACACS

• Syslog

• NTP

• SSH/NETCONF/HTTPS

• NetFlow

The Wireless Management Interface is a Layer 3 interface, which can be configured only with a single IP address (IPv4 or IPv6) or using a dual-stack configuration.

It is always recommended to use a wireless management VLAN and configure WMI as a Switched VLAN Interface (SVI). If the uplink port or port-channel to the next-hop switch is configured as a dot1q trunk, the wireless management VLAN would be one of the allowed tagged VLAN on the trunk.

The recommendation is true, independent of the deployment mode of APs (local, FlexConnect, or SDA) with the following exceptions:

• The WMI is configured as an L3 port for Cisco Catalyst 9800 Wireless Controller deployed in a Public Cloud environment.

• The WMI is configured as a loopback interface for embedded wireless controller in Cisco Catalyst 9000 switches.

We recommended statically assigning IPv6 address in WMI and not configuring using the ipv6 auto-config command.

Note

When migrating from VLAN A to VLAN B, ensure to first create VLAN B and SVI B, and associate SVI B with the Wireless Management Interface (WMI) before removing VLAN A and SVI A. This sequence prevents multicast traffic issues, ensuring all devices, including those behind WGB, receive multicast traffic correctly.

NAT enables private IP networks that use non-registered IP addresses to connect to the Internet. NAT operates on a device, usually connecting two networks. Before packets are forwarded onto another network, NAT translates the private (not globally unique) addresses from the internal network into public addresses. NAT can be configured to advertise to the outside world only few addresses for the entire internal network. This ability provides more security by effectively hiding the private network details.

Note

Certain ISP routers performing NAT may assign the same public source port to different APs. This results in the WLC receiving CAPWAP traffic from same IP:PORT but from different APs. The controller is unable to differentiate the packets are from differnent APs, even if packet A is for DATA and Packet B is for CTRL. The controller does not support CAPWAP connections from different APs behind NAT using same SRC IP:PORT.

If you want to deploy your Cisco Catalyst 9800 Wireless Controller on a private network and make it reachable from internet, you need to have the controller behind a router, firewall, or other gateway device that uses one-to-one mapping Network Address Translation (NAT).

To do so, perform the following:

• Configure the NAT device with 1:1 static mapping of the Wireless Management interface IP address (private IP) to a unique external (public) IP address configured on the NAT device.

• Enable the NAT feature on the Wireless Controller and specify its external public IP address. This public IP is used in the discovery responses to APs, so that the APs can then send CAPWAP packets to the right destination.

• Make sure that the external APs discover the public IP of the controller using DHCP, DNS, or PnP.

Note	You need not enable NAT if the Cisco Catalyst 9800 Wireless Controller is deployed with a public address. Instead you will need to configure the public IP directly on the Wireless Management Interface (WMI).

In a CAPWAP environment, a lightweight access point discovers a wireless controller by using CAPWAP discovery mechanisms, and then sends a CAPWAP join request to the controller. The controller sends a CAPWAP join response to the access point that allows the access point to join the controller.

If the wireless controller is behind a NAT device, the controller responds to the discovery response in the following ways:

• Using the public IP.

• Using the private IP.

• Using public and private IP.

The Public IP needs to be mapped to the controller’s Private IP using static 1:1 NAT configuration on the router or firewall performing the NAT translation.

If your wireless controller manages only Access Points reachable through the public internet (external APs), you need to configure the controller so it responds with only the Public IP in the discovery response.

If your wireless controller manages both internal and external APs, you need to configure the controller so it responds with both Public and Private IPs in the discovery response.

Note

In NAT deployments, the APs running internally and externally must use different AP join profiles with CAPWAP Discovery Private and Public enabled separately. This behaviour was introduced from the 17.9.5 release and applies to APs upgraded to Cisco IOS XE 17.9.5, 17.9.6, 17.9.m (m>=5), 17.12.n (n>=1) and later releases.