C9800 Initial Setup: Step-by-Step Configuration Guide
The Catalyst 9800 wireless controller represents a significant shift in Cisco's architecture—whether you're deploying it as a Catalyst 9800-40 on-prem appliance or running C9800-CL on virtualized infrastructure. Getting the initial setup right determines how smoothly the rest of your wireless deployment unfolds. This guide walks you through every phase from first power-on to AP join readiness, covering the methods available and the decisions you need to make along the way.
Prerequisites and Planning
Before you connect the C9800 to your network, you need to have these items documented:
- IP addressing plan — VLAN ID, subnet, gateway, and static IP for the management interface (or DHCP scope details)
- NTP server IP(s) — Accurate timekeeping is critical for certificate validation and logging
- Country code — Required to set regulatory domain; APs cannot join until this is configured
- Default credentials — For physical appliances, the default username is webui and the password is the serial number; for C9800-CL, check your provisioning method (often admin/admin)
- Licensing information — C9800 operates in evaluation mode initially; you may need to install licenses for specific features
- Deployment mode — Standalone or High Availability (SSO) pair; this affects initial configuration paths
- Console access method — RJ-45 console port, USB-C, or out-of-band management
Knowing these items before you start eliminates the need to restart configuration mid-process.
Bootstrap Configuration: Reaching the Box
Bootstrap configuration is the absolute minimum needed to get the C9800 on your network and accessible for management. Think of it as the gateway to everything else.
Physical Console Connection
The C9800 physical appliances (such as the 9800-40) come with two serial console options:
- RJ-45 Console Port (EIA/TIA-232) — Requires a rollover cable; connect to a terminal emulator at 9600 baud, 8 data bits, no parity, 1 stop bit
- USB-C Console Port — Modern virtual serial connection over USB; same baud rate and settings
For virtual deployments (C9800-CL), console access is provided by your hypervisor or cloud platform (vSphere console, AWS EC2 serial port, etc.).
Two Bootstrap Methods
Cisco provides two paths to initial configuration:
| Method | Best For | Speed | Network Dependency |
|---|---|---|---|
| Console CLI Setup Wizard | Off-network setup, no DHCP available, maximum control | 15–20 minutes | No (console only) |
| Plug and Play (PnP) | Brownfield additions, integration with DNA Center | 5–10 minutes | Yes (requires reachability to PnP server) |
For most initial deployments, we recommend the Console CLI Setup Wizard. It's more transparent, requires no external infrastructure, and gives you direct control over every setting.
Day 0 Setup Methods
Once the C9800 boots and you have console access, you'll see a banner prompting you to enter the initial setup workflow. IOS-XE 17.4.1 and later offer a guided setup wizard directly in the CLI.
IOS-XE CLI Setup Wizard (17.4.1+)
This is a step-by-step interactive prompt that collects the essential Day 0 settings. When you access the console, the system detects that the controller has no configuration and launches the wizard automatically:
```
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: yes
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Enter hostname [C9800]: C9800-Lab
Enter country code [US]: US
```
The wizard prompts you for hostname, country code, timezone, NTP servers, and other essentials. You can also skip to manual CLI configuration if you prefer. The wizard saves all input to the running configuration, and at the end, it asks if you want to save to startup configuration.
After the wizard completes, the controller boots into a base configuration and is ready for web GUI access or further CLI work.
Day 0 Web Interface (GUI)
Once you've completed basic bootstrap (or if the controller has a management IP already), you can access the configuration GUI at the wireless management interface (WMI) IP address:
- For physical appliances with factory defaults: http://192.168.1.1 via the front-panel service port
- For deployed controllers: https://<wmi-ip> on the configured VLAN
Default credentials are webui / [serial number] for physical appliances, or admin / admin for C9800-CL (depending on provisioning).
The GUI presents a Configuration Setup Wizard that mirrors the CLI wizard. You're asked to set:
- Deployment Mode (Standalone or HA)
- Hostname
- Country / Regulatory Domain
- Date, Time, and Timezone
- NTP Servers
- AAA Servers (optional at Day 0)
After completing the setup wizard in the GUI, the controller is ready for AP discovery and WLAN configuration.
Cisco DNA Center Provisioning
If you're integrating the C9800 into a DNA Center–managed environment, you can use DNA Center's Onboarding and Provisioning workflow instead. DNA Center handles Day 0 configuration, license installation, and initial policy deployment as part of a unified intent-based model. This approach is best suited for larger deployments with centralized management.
Day 0 Configuration Requirements
Whether you use the CLI wizard, GUI, or DNA Center, these settings must be configured before the controller is production-ready:
| Configuration Item | Purpose | Mandatory? | Notes |
|---|---|---|---|
| Hostname | Device identification | Yes | Used in logs, SNMP, and DNS; recommended to include site code |
| Username / Password (Privilege 15) | CLI authentication | Yes | Create a strong local user; consider AAA integration later |
| Enable Password | Privileged mode access | Yes | Protects configuration changes; should differ from login password |
| Management IP / Route | Network reachability | Yes | Preferred method: SVI (VLAN interface) rather than physical port |
| Deployment Mode | HA vs. Standalone | Yes | Cannot be changed after boot; set correctly on Day 0 |
| NTP Server(s) | Time synchronization | Yes | Configure before anything else; impacts certificate validation |
| Timezone | Local time offset | Yes | Used for log timestamps and scheduling |
| Country Code | Regulatory domain | Yes | APs cannot join until this is set; cannot be changed easily later |
| Wireless Management Interface | AP management traffic path | Yes | Use SVI interface; management over wireless is disabled by default |
| Trustpoint Certificate (C9800-CL) | Self-signed CA for DTLS | Yes (C9800-CL) | Physical appliances have MIC; virtual requires manual setup |
| WLAN | Wireless network definition | No | Can be configured as Day 1; Day 0 focus is controller setup |
CLI Bootstrap Configuration
If you bypass the wizard or need to configure manually, here's the core bootstrap configuration. This assumes you have console access and are starting from a factory-reset state.
```
! Enter global configuration mode
configure terminal
! Set hostname and credentials (replace the placeholder secrets with your own)
hostname C9800-Lab
username admin privilege 15 secret 0 MySecurePassword
enable secret 0 MyEnableSecret
! Configure management VLAN (SVI preferred)
interface Vlan10
 no shutdown
 ip address 10.100.10.100 255.255.255.0
 description "Management Interface"
! Default route (replace 10.100.10.1 with your gateway)
ip route 0.0.0.0 0.0.0.0 10.100.10.1
! SSH configuration (required for secure remote access)
! Generate the labelled key pair first, then bind SSH to it
crypto key generate rsa modulus 4096 label C9800-Key
ip ssh rsa keypair-name C9800-Key
ip ssh version 2
! Console security (finite idle timeout; "exec-timeout 0 0" would disable it)
line con 0
 exec-timeout 15 0
 logging synchronous
! VTY security: SSH only, Telnet not permitted
line vty 0 15
 exec-timeout 15 0
 transport input ssh
 logging synchronous
! NTP (MUST be configured early)
ntp server 10.100.10.1 prefer
ntp server 10.100.10.2
! Set timezone (adjust offset as needed; example: EST = UTC-5)
clock timezone EST -5
! Configure regulatory domain
ap country US
! Wireless Management Interface (must match a configured SVI)
wireless management interface Vlan10
! Optional: configure a DHCP relay if APs are on a different VLAN
interface Vlan20
 ip address 10.100.20.1 255.255.255.0
 ip helper-address 10.100.10.2
! Save configuration
end
write memory
```
After entering this configuration, verify connectivity from a remote workstation before relying on it. The most common issue is routing: if your management VLAN doesn't have a default route to the rest of your network, you won't reach the controller from remote subnets.
Day 0 GUI Setup Walkthrough
Once you have network reachability to the C9800, open a browser to the WMI IP address. You'll be presented with the Configuration Setup Wizard. Here's what each section covers:
| Wizard Section | Key Fields | Guidance |
|---|---|---|
| Deployment Mode | Standalone / High Availability | For greenfield, typically Standalone. HA requires two identical controllers, synchronized clocks, and network redundancy. |
| Hostname | Device name | Use a naming scheme that identifies site and function (e.g., NYC-C9800-01). |
| Country Code | Regulatory domain (US, CA, GB, etc.) | This locks in RF regulations. Ensure it matches your physical deployment location. |
| Date & Time | Current system time and timezone | Critical for certificate validation; verify NTP is working before relying on it. |
| NTP Servers | Primary and secondary NTP IPs | Use internal NTP or 0.0.0.0 / 1.1.1.1 as fallback. Verify with show ntp status. |
| AAA Servers (optional) | RADIUS / TACACS+ servers for AP management auth | Can be skipped at Day 0 and added as Day 1 configuration. |
After completing the wizard, the controller saves the configuration and reloads the management interface. You're then presented with the main configuration dashboard where you can proceed to AP Join Profile, WLAN, and other advanced settings.
Wireless Management Interface (WMI) Configuration
The Wireless Management Interface is the VLAN / SVI that the controller uses to communicate with access points. It's critical to configure this correctly because APs discover and join the controller primarily through this interface.
Why SVI Over Physical Interfaces?
Always use an SVI (Switched Virtual Interface / VLAN) for the WMI rather than a physical port. Here's why:
- Redundancy — With a physical interface, a single port failure takes down the entire management path; an SVI whose VLAN is carried across multiple ports is more resilient
- Scalability — You can extend the WMI VLAN across your switching fabric
- Separation — Isolates management traffic from data traffic
- HA readiness — High Availability deployments require multiple controllers to share the same WMI VLAN
CLI Configuration
Configure the WMI VLAN on the controller itself:
```
configure terminal
! Create the SVI if not already present
interface Vlan10
 ip address 10.100.10.100 255.255.255.0
 no shutdown
! Set this VLAN as the WMI
wireless management interface Vlan10
end
! Verify
show wireless management interface
```
On the access switches connecting the C9800, ensure the WMI VLAN is tagged and allowed on the C9800 uplink port(s).
GUI Configuration
In the GUI: Configuration > Wireless > Wireless Global > Management Interface. Select the target VLAN from the dropdown. You can also toggle "Management via Wireless" if you want APs to manage the controller over the wireless SSID (disabled by default for security).
AP Join Profile Configuration
The AP Join Profile defines how access points discover, join, and maintain connectivity to the controller. These profiles are central to C9800 operation.
GUI-Based AP Join Profile Setup
Navigate to Configuration > Tags & Profiles > AP Join Profile. You'll see several tabs:
| Tab | Key Settings | When to Adjust |
|---|---|---|
| CAPWAP | Primary / Secondary / Tertiary controller IPs, CAPWAP port, heartbeat timeout, discovery timeout | Multi-controller deployments; HA pairs; tuning AP stickiness |
| Advanced | VLAN tagging, DTLS encryption, jumbo MTU, link latency, split tunneling | Troubleshooting connectivity; encrypted data plane; large packet support |
| AP | Switch flag (standalone vs. controller mode), power injector type, EAP protocol, AP authorization | Legacy AP integration; mixed-mode deployments |
| Management | Device credentials, CDP, IP telemetry, image management settings | AP provisioning; discovery optimization |
For a greenfield Day 0 setup, the default join profile often suffices. You're primarily checking that the CAPWAP Primary Controller field points to the correct WMI IP and that DTLS is enabled (encrypted by default).
CLI-Based AP Join Profile Configuration
If you prefer CLI management, you can create or modify AP Join Profiles:
```
! Create a custom AP Join Profile
configure terminal
ap profile NYC-AP-Profile-01
 description "Default AP join profile for NYC site"
 ! Enable DHCP fallback; if DHCP fails, AP retries CAPWAP discovery
 ip dhcp fallback
 ! Enable CDP discovery for controllers
 cdp
end
! Verify the profile
show ap profile name NYC-AP-Profile-01 detailed
! Sample output:
! AP Profile name: NYC-AP-Profile-01
! Description: Default AP join profile for NYC site
! Flex profile not configured
! IP Address Assignment: DHCP fallback enabled
! CAPWAP Primary Controller: 10.100.10.100
! CAPWAP Primary Controller Port: 5246
! CDP enabled
```
By default, the controller assigns APs to the "default" join profile. If you create custom profiles, you bind them to APs via tags or individual AP configuration.
Verification and Validation
After Day 0 setup is complete, run these commands to verify the configuration is correct before connecting APs:
| Command | What to Verify | Expected Output |
|---|---|---|
| show wireless management interface | WMI VLAN and IP are active | VLAN 10, IP 10.100.10.100/24, Admin State: Enabled |
| show ap summary | AP join readiness (should be empty at Day 0) | Number of APs: 0 |
| show ap join-profile summary | Join profile configuration | Profile names, CAPWAP primary controller IP |
| show running-config \| section wireless | All wireless-related settings | Country code, WMI VLAN, join profiles, WLAN definitions |
| show clock | System time is accurate | Time should match your NTP server within 1–2 seconds |
| show ntp status | NTP synchronization | Clock synchronized, stratum 2–3, offset <100ms |
| show ap join-profile default | Default join profile details | Primary Controller, CAPWAP port, DTLS settings |
| show version | IOS-XE version, system uptime | 17.4.1 or later recommended for Day 0 wizard support |
If any of these checks fail (e.g., NTP not synchronized, WMI VLAN unreachable), troubleshoot before proceeding to AP deployment.
Best Practices for C9800 Day 0 Setup
These practices will save you time and prevent common pitfalls:
- Configure NTP first, before anything else. Many C9800 functions depend on accurate time (certificate validation, licensing, logging). If NTP is wrong, you'll spend hours chasing phantom issues.
- Use an SVI for the Wireless Management Interface. Physical interfaces are fragile; SVIs scale and provide redundancy.
- Set the country code correctly on Day 0. Changing it later requires careful coordination with existing APs. Mistake here = RF chaos.
- Default credentials are weak. Replace them immediately with strong local credentials. Then plan AAA (RADIUS/TACACS+) integration as part of your Day 1 security hardening.
- For physical appliances, assign a static IP to the SP port first if you want console-over-IP. The factory default 192.168.1.1 is convenient only for first-time setup.
- Verify routing and DNS before relying on remote access. A misconfigured default route means you're stuck at the console.
- Validate the AP Join Profile before connecting APs. Ensure the Primary Controller IP points to the WMI VLAN IP, not a data-plane interface.
- For C9800-CL virtual deployments, confirm trustpoint and certificate settings. Unlike physical appliances with built-in MIC (Manufacture-Installed Certificate), virtual instances need certificate provisioning for DTLS encryption.
- Enable SSH and disable Telnet on Day 0. SSH should be the only remote CLI access; Telnet sends credentials in plaintext.
- Save your configuration to startup-config after Day 0 is complete. Use write memory or the GUI export feature to create a backup.
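The checks in the list above can be run offline against a saved configuration before any AP is connected. The following is an added example, not Cisco tooling or code from this guide: the sample config is constructed, the function names are hypothetical, and it assumes the configuration is available as plain text with sub-commands indented under their parent line.

```python
import re

# Constructed sample config (not from a real device); addresses reuse this guide's lab values.
SAMPLE_CONFIG = """\
username webui privilege 15 secret 9 $9$constructed
username admin privilege 15 secret 0 MySecurePassword
interface Vlan10
 ip address 10.100.10.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.100.10.1
ip ssh version 2
line con 0
 exec-timeout 0 0
line vty 0 15
 exec-timeout 15 0
 transport input ssh telnet
ap country US
wireless management interface GigabitEthernet2
"""

def sections(config):
    """Map each top-level command to the indented sub-commands under it."""
    parsed, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and comments
        if not line[0].isspace():
            current = line.strip()
            parsed.setdefault(current, [])
        elif current is not None:
            parsed[current].append(line.strip())
    return parsed

def audit(config):
    """Return a list of Day 0 findings; an empty list means every check passed."""
    sec = sections(config)
    findings = []
    for prefix, label in [("ntp server ", "no NTP server configured"),
                          ("ap country ", "country code not set"),
                          ("ip route 0.0.0.0 0.0.0.0 ", "no default route"),
                          ("ip ssh version 2", "SSH version 2 not enforced")]:
        if not any(cmd.startswith(prefix) for cmd in sec):
            findings.append(label)
    wmi = next((c.split()[-1] for c in sec
                if c.startswith("wireless management interface ")), "")
    if not wmi.lower().startswith("vlan"):
        findings.append(f"WMI '{wmi or 'unset'}' is not an SVI")
    elif f"interface {wmi}" not in sec:
        findings.append(f"WMI {wmi} has no matching SVI")
    for cmd, body in sec.items():
        if cmd.startswith("username webui "):
            findings.append("factory-default account 'webui' still present")
        if re.match(r"(username \S+ .*|enable )(password|secret 0) ", cmd):
            # Report only the account, never the secret itself
            findings.append("cleartext credential: " + " ".join(cmd.split()[:2]))
        if cmd.startswith("line ") and "exec-timeout 0 0" in body:
            findings.append(f"{cmd}: idle timeout disabled")
        if cmd.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{cmd}: remote access not restricted to SSH")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns six findings for the constructed sample; a configuration that follows the list above returns an empty list.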
Common Day 0 Issues and Troubleshooting
You may encounter these issues during initial setup:
| Issue | Symptom | Root Cause | Resolution |
|---|---|---|---|
| No network reachability to C9800 | Ping to management IP fails; SSH unreachable | Missing default route; wrong VLAN membership on switch | Verify ip route 0.0.0.0 is configured; confirm VLAN tagged on access switch uplink |
| NTP not synchronizing | show ntp status shows "unsynchronized" | NTP server IP unreachable; firewall blocking UDP/123 | Ping NTP server from C9800; verify no firewall rules blocking port 123 |
| APs won't discover the controller | APs show "Standalone" mode; join failed state | Country code not set; AP join profile missing primary controller IP | Run show ap country (should show your code); verify show ap join-profile default has correct primary controller IP |
| Web GUI unreachable (404 / timeout) | Browser cannot connect to https://[wmi-ip] | Incorrect WMI IP; GUI service not started; self-signed certificate trust issue | Check show wireless management interface; access via HTTP first (port 80) if HTTPS fails; check firewall rules |
| Trustpoint certificate not installed (C9800-CL) | DTLS handshake fails; APs show "join failed" | Certificate generation not run; certificate signing request (CSR) not processed | Run crypto pki trustpoint C9800 pubkey-chain and follow CSR workflow; physical appliances ship with MIC pre-installed |
Key Takeaways
The C9800 Day 0 setup process is straightforward if you follow a methodical approach:
- Start with a documented plan covering IP addressing, NTP servers, country code, and credentials.
- Use the CLI Setup Wizard (17.4.1+) or the GUI Configuration Wizard for repeatable, consistent configuration.
- Configure NTP and timezone immediately—most downstream issues trace back to time sync problems.
- Always use an SVI for the Wireless Management Interface, never a physical port.
- Set the country code correctly; changing it later is operationally expensive.
- Verify all Day 0 settings with the provided CLI verification commands before connecting APs.
- For C9800-CL, ensure trustpoint and self-signed certificates are properly generated and installed.
- Secure SSH immediately; disable Telnet and change default credentials.
- Create an AP Join Profile that matches your controller topology (single vs. HA pair).
- After Day 0 is complete, save the configuration and create a backup before moving to WLAN and advanced security settings.
With these foundations in place, your C9800 is ready for Day 1 configuration: WLAN creation, security policies, RF profiles, and integration into your broader network management platform (DNA Center, monitoring, etc.). The goal of Day 0 is not to optimize the wireless network—it's to get the controller running, reachable, and ready for the work that comes next.