Cisco Catalyst 9800-L
The Cisco® Catalyst® 9800-L is a fixed wireless controller with seamless software updates for small and midsize enterprises.
Built from the ground up for intent-based networking, the Cisco Catalyst 9800-L brings together Cisco IOS® XE Software and Cisco RF excellence to create a best-in-class wireless experience for your evolving and growing organization.
The Cisco Catalyst 9800-L is feature rich and enterprise ready to power your business-critical operations and transform end-user experiences:
● Choose between copper and fiber uplinks. This choice gives you flexibility in your network.
● High availability and seamless software updates, enabled by hot and cold patching, keep your clients and services always on in planned and unplanned events.
● Secure the air, devices, and users with the Cisco Catalyst 9800-L. The wireless infrastructure becomes the strongest first line of defense, with Encrypted Traffic Analytics and Software-Defined Access (SD-Access). The controller comes with built-in security: Secure Boot, runtime defenses, image signing, integrity verification, and hardware authenticity.
● Built on a modular operating system, the controller features open and programmable APIs that enable automation of day-0 to day-N network operations. Model-driven streaming telemetry provides deep insights into your network and client health.
Product overview: Key features
Maximum number of access points
Maximum number of clients
2x 10G/Multigigabit copper or 2x 10G/Multigigabit fiber
110W, 12VDC, AC/DC adapter
Maximum power consumption
9800-L-C: 86.9W (with 4.5W USB load)
9800-L-F: 84.5W (assumes 2pc 2.5W SFP and with 4.5W USB load)
Centralized, Cisco FlexConnect®, and fabric
1RU; half-width chassis allows side-by-side installation in standard 19-in. rack
Smart License enabled
Cisco IOS XE
Cisco DNA Center, Cisco Prime® Infrastructure, and third party (open standards APIs)
Cisco Aironet® 802.11ac Wave 1 and Wave 2 access points, Cisco Catalyst 9100 802.11ax access points
The Cisco Catalyst 9800-L provides seamless software updates for faster resolution of critical issues, the ability to introduce new access points with zero downtime, and flexible software upgrades. Stateful Switchover (SSO) with active standby and N+1 redundancy keeps your network, services, and clients always on, even in unplanned events.
Secure the air, devices, and users with the Cisco Catalyst 9800-L. Wireless infrastructure becomes the strongest first line of defense with Encrypted Traffic Analytics and SD-Access. The controller comes with built-in security: Secure Boot, runtime defenses, image signing, integrity verification, and hardware authenticity.
Open and programmable
The Cisco Catalyst 9800-L controller is built on the Cisco IOS XE operating system, which offers a rich set of open standards-based programmable APIs and model-driven telemetry that provide an easy way to automate day-0 to day-N network operations.
Table 1. Cisco Catalyst 9800-L physical dimensions
8.5 in. (21.59 cm)
9.06 in. (23.01 cm)
1.58 in. (4.02 cm)
C9800-L-C: 3.95 lb. (1.79 kg)
C9800-L-F: 4.01 lb. (1.82 kg)
Cisco Catalyst 9800-L-C front panel
Cisco Catalyst 9800-L-F front panel
Cisco Catalyst 9800-L -C front panel with components labeled
Cisco Catalyst 9800-L-F front panel with components labeled
Table 2. Cisco Catalyst 9800-L front panel components
Service port LED
Redundancy port LED
Service Port (SP) (RJ-45) for out-of-band management
RJ-45 console port
Micro-B USB console
USB 3.0 port
2x 10G/Multigigabit copper (Figure 4) 2x 10G/Multigigabit fiber (Figure 5)
Quad RJ-45 2.5G/1G Multigigabit Ethernet ports
High availability LED
Table 3. Cisco Catalyst 9800-L ports and their purpose
1x RJ-45 console port
Console port for out-of-band management.
1x Micro USB console port
Console port for out-of-band management.
1x USB 3.0 port
USB 3.0 port for plugging in external memory.
1x RJ-45 management port
Management port used for out-of-band management. Also known as the service port.
1x RJ-45 redundancy port
Redundancy port used for SSO.
4x 2.5G/1G and 2x 10G copper ports
Ports used for sending and receiving traffic between access points and controller, northbound traffic, in-band management traffic, and wireless client traffic. Must be connected to the switch.
4x 2.5G/1G copper and 2x 10G SFP+ fiber ports
Ports used for sending and receiving traffic between access points and controller, northbound traffic, in-band management traffic, and wireless client traffic. Must be connected to the switch.
The four data ports can operate in either 2.5 Gigabit Ethernet or 1 Gigabit Ethernet mode.
Note: 10-Mbps operation is not supported.
Table 4. Cisco Catalyst 9800-L front-panel LEDs and their purpose
Green if all power rails are within spec
On: Cisco IOS XE boot is complete
Blinking: Cisco IOS boot in progress
On: System crash
Blinking: Secure Boot failure
Off: ROMMON boot
High Availability (HA) port
On: HA active
Slow blink: HA standby hot
Slow blink: Booted with HA standby cold
Fast blink: HA maintenance
On: ROMMON boot complete
Blinking: System upgrade in progress
On: ROMMON boot and SYSTEM bootup
Blinking: Temperature error and Secure Boot failure
Network link LED Indicator
Solid green: Link
Flashing green: Activity
LED off: Link down
Cisco Catalyst 9800-L rear panel with components labeled
Table 5. Cisco Catalyst 9800-L rear panel components
The Cisco Catalyst 9800-L Wireless Controller is powered by a single output 12VDC, 110W 120/240VAC adapter (C9800-AC-110W) that is shipped by default.
SFPs supported (C9800-L-F-K9 only)
Table 6. SFPs supported on the Cisco Catalyst 9800-L
Cisco IOS XE
The Cisco Catalyst 9800 Series opens a completely new paradigm in network configuration, operation, and monitoring through network automation. Cisco’s automation solution is open, standards based, and extensible across the entire lifecycle of a network device. The various mechanisms that bring about network automation are outlined below, based on the device lifecycle.
● Automated device provisioning: This is the ability to automate the process of upgrading software images and installing configuration files on Cisco Catalyst access points when they are being deployed in the network for the first time. Cisco provides turnkey solutions with Plug and Play (PnP) capabilities that enable an effortless and automated deployment.
● API-driven configuration: Modern wireless controllers such the Cisco Catalyst 9800 Series support a wide range of automation features and provide robust open APIs over NETCONF and RESTCONF using YANG data models for external tools, both off-the-shelf and custom built, to automatically provision network resources.
● Granular visibility: Model-driven telemetry provides a mechanism to stream data from a switch to a destination. The data to be streamed is driven through subscription to a data set in a YANG model. The subscribed data set is streamed out to the destination at configured intervals. Additionally, Cisco IOS XE enables the push model, which provides near-real-time monitoring of the network, leading to quick detection and rectification of failures.
● Seamless software upgrades and patching: To enhance OS resilience, Cisco IOS XE supports patching, which provides fixes for critical bugs and security vulnerabilities between regular maintenance releases. This support allows customers to add patches without having to wait for the next maintenance release.
● Trustworthy systems: Cisco Trust Anchor Technologies provide a highly secure foundation for Cisco products. With the Cisco Catalyst 9800 Series, these trustworthy systems enable hardware and software authenticity assurance for supply chain trust and strong mitigation against man-in-the-middle attacks on software and firmware. Trust Anchor capabilities include:
● Image signing: Cryptographically signed images provide assurance that the firmware, BIOS, and other software are authentic and unmodified. As the system boots, its software signatures are checked for integrity.
● Secure Boot: Cisco Secure Boot technology anchors the boot sequence chain of trust to immutable hardware, mitigating threats against a system's foundational state and the software that is to be loaded, regardless of a user's privilege level. It provides layered protection against the persistence of illicitly modified firmware.
● Cisco Trust Anchor module: A tamper-resistant, strong cryptographic, single-chip solution provides hardware authenticity assurance to uniquely identify the product so that its origin can be confirmed to Cisco, providing assurance that the product is genuine.
Resiliency and high availability
● Stateful Switchover (SSO): Stateful Switchover with an active standby and N+1 redundancy keeps your network, services, and clients always on, even in unplanned events.
● Software Maintenance Upgrades (SMUs) and hot and cold patching: Patching allows for a patch to be installed as a bug fix without bringing down the entire network and avoiding the need to requalify an entire software image. The SMU is a package that can be installed on a system to provide a patch fix or security resolution to a released image. SMUs allow you to address the network issue quickly while reducing the time and scope of the testing required. The Cisco IOS XE platform internally validates the SMU compatibility and does not allow you to install incompatible SMUs. All SMUs are integrated into the subsequent Cisco IOS XE Software maintenance releases.
● Intelligent rolling access point upgrades and seamless multisite upgrades: The Cisco Catalyst 9800 Series comes with intelligent rolling access point upgrades to simplify network operations. Multisite upgrades can now be done in stages, and access points can be upgraded intelligently without restarting the entire network.
● Flexible NetFlow (FNF): Cisco IOS Software FNF is the next generation in flow visibility technology, allowing optimization of the network infrastructure, reducing operating costs, and improving capacity planning and security incident detection with increased flexibility and scalability.
Application Visibility and Control
● Next-Generation Network-Based Application Recognition (NBAR2): NBAR2 enables advanced application classification techniques and accuracy, with up to 1400 predefined and well-known application signatures and up to 150 encrypted applications on the Cisco Catalyst 9800 Series. Some of the most popular applications included are Skype, Office 365, Microsoft Lync, Cisco WebEx®, and Facebook. Many others are already predefined and easy to configure. NBAR2 provides the network administrator with an important tool to identify, control, and monitor end-user application usage while helping ensure a quality user experience and securing the network from malicious attacks. It uses FNF to report application performance and activities within the network to any supported NetFlow collector, such as Cisco Prime, Cisco Stealthwatch®, or any compliant third-party tool.
Quality of Service (QoS)
● Superior QoS: QoS technologies are a set of tools and techniques for managing network resources and are considered the key enabling technologies for the transparent convergence of voice, video, and data networks. QoS on the Cisco Catalyst 9800 Series consists of classification and marking, policing and markdown, and scheduling, shaping, and queuing functions. A modular QoS command-line framework provides consistent platform-independent and flexible configuration behavior. The Cisco Catalyst 9800 Series also supports 2-level hierarchical or nested policies.
● Bluetooth ready: The Cisco Catalyst 9800-L has hardware support to connect a Bluetooth dongle to the controller, enabling you to use this wireless interface as a management port. This port functions as an IP management interface and can be used for configuration and troubleshooting using the WebUI or Command-Line Interface (CLI), and to transfer images and configurations.
● WebUI: WebUI is an embedded GUI-based device-management tool that enables provisioning of the device, simplifying device deployment and manageability and enhancing the user experience. WebUI comes with the default image. There is no need to enable anything or install any license on the device. You can use WebUI to build a day-1 configuration and from then on monitor and troubleshoot the device without having to know how to use the CLI.
Table 7. Cisco Catalyst 9800-L specifications
IEEE 802.11a, 802.11b, 802.11g, 802.11d, WMM/802.11e, 802.11h, 802.11n, 802.11k, 802.11r, 802.11u, 802.11w, 802.11ac Wave1 and Wave2, 802.11ax
Wired, switching, and routing
IEEE 802.3 10BASE-T, IEEE 802.3u 100BASE-TX specification, 1000BASE-T, 1000BASE-SX, 1000-BASE-LH, IEEE 802.1Q VLAN tagging, IEEE 802.1AX Link Aggregation
Data Requests For Comments (RFCs)
● RFC 768 UDP
● RFC 791 IP
● RFC 2460 IPv6
● RFC 792 ICMP
● RFC 793 TCP
● RFC 826 ARP
● RFC 1122 Requirements for Internet Hosts
● RFC 1519 CIDR
● RFC 1542 BOOTP
● RFC 2131 DHCP
● RFC 5415 CAPWAP Protocol Specification
● RFC 5416 CAPWAP Binding for 802.11
● Wi-Fi Protected Access (WPA)
● IEEE 802.11i (WPA2, RSN)
● RFC 1321 MD5 Message-Digest Algorithm
● RFC 1851 ESP Triple DES Transform
● RFC 2104 HMAC: Keyed-Hashing for Message Authentication
● RFC 2246 TLS Protocol Version 1.0
● RFC 2401 Security Architecture for the Internet Protocol
● RFC 2403 HMAC-MD5-96 within ESP and AH
● RFC 2404 HMAC-SHA-1-96 within ESP and AH
● RFC 2405 ESP DES-CBC Cipher Algorithm with Explicit IV
● RFC 2407 Interpretation for ISAKMP
● RFC 2408 ISAKMP
● RFC 2409 IKE
● RFC 2451 ESP CBC-Mode Cipher Algorithms
● RFC 3280 Internet X.509 PKI Certificate and CRL Profile
● RFC 4347 Datagram Transport Layer Security
● RFC 5246 TLS Protocol Version 1.2
● Wired Equivalent Privacy (WEP) RC4 40, 104 and 128 bits (both static and shared keys)
● Advanced Encryption Standard (AES): Cipher Block Chaining (CBC), Counter with CBC-MAC (CCM), Counter with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
● Data Encryption Standard (DES): DES-CBC, 3DES
● Secure Sockets Layer (SSL) and Transport Layer Security (TLS): RC4 128-bit and RSA 1024- and 2048-bit
● DTLS: AES-CBC
● IPsec: DES-CBC, 3DES, AES-CBC
● 802.1AE MACsec encryption
Authentication, Authorization, and Accounting (AAA)
● IEEE 802.1X
● RFC 2548 Microsoft Vendor-Specific RADIUS Attributes
● RFC 2716 PPP EAP-TLS
● RFC 2865 RADIUS Authentication
● RFC 2866 RADIUS Accounting
● RFC 2867 RADIUS Tunnel Accounting
● RFC 2869 RADIUS Extensions
● RFC 3576 Dynamic Authorization Extensions to RADIUS
● RFC 5176 Dynamic Authorization Extensions to RADIUS
● RFC 3579 RADIUS Support for EAP
● RFC 3580 IEEE 802.1X RADIUS Guidelines
● RFC 3748 Extensible Authentication Protocol (EAP)
● Web-based authentication
● TACACS support for management users
● Simple Network Management Protocol (SNMP) v1, v2c, v3
● RFC 854 Telnet
● RFC 1155 Management Information for TCP/IP-Based Internets
● RFC 1156 MIB
● RFC 1157 SNMP
● RFC 1213 SNMP MIB II
● RFC 1350 TFTP
● RFC 1643 Ethernet MIB
● RFC 2030 SNTP
● RFC 2616 HTTP
● RFC 2665 Ethernet-Like Interface Types MIB
● RFC 2674 Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering, and Virtual Extensions
● RFC 2819 RMON MIB
● RFC 2863 Interfaces Group MIB
● RFC 3164 Syslog
● RFC 3414 User-Based Security Model (USM) for SNMPv3
● RFC 3418 MIB for SNMP
● RFC 3636 Definitions of Managed Objects for IEEE 802.3 MAUs
● RFC 4741 Base NETCONF protocol
● RFC 4742 NETCONF over SSH
● RFC 6241 Network Configuration Protocol (NETCONF)
● RFC 6242 NETCONF over SSH
● RFC 5277 NETCONF event notifications
● RFC 5717 Partial Lock Remote Procedure Call
● RFC 6243 With-Defaults capability for NETCONF
● RFC 6020 YANG
● Cisco private MIBs
● Web-based: HTTP/HTTPS
● Command-line interface: Telnet, Secure Shell (SSH) Protocol, serial port
● Cisco Prime Infrastructure
Environmental conditions supported
● 32° to 113°F (0° to 45°C)
Note: The maximum temperature is derated by 1.0°C for every 1000 ft (305 m) of altitude above sea level.
● –13° to 158°F (–25° to 70°C)
● 10% to 95% noncondensing
● 0% to 95% noncondensing
● Operating altitude: 0 to 3000 m (0 to 10,000 ft)
● Nonoperating altitude: 0 to 12,192 m (0 to 40,000 ft.)
● AC input frequency range: 47 to 63 Hz
● AC input range: 90 to 264 VAC
● 9800-L-C max measured power = 86.9W (with 4.5W USB load)
● 9800-L-F max measured power = 84.5W (assumes 2pc 2.5W SFP and with 4.5W USB load)
Maximum heat dissipation:
● 9800-L-C: 296.4 Btu/hr (with 4.5W USB load)
● 9800-L-F: 288.2 Btu/hr (assumes 2pc 2.5W SFP and with 4.5W USB load)
Sound power level measure:
● Normal: 40 dBA at 25C
● Maximum: 42.9 dBA at 40C
● Input power: 100 to 240 VAC; 50/60 Hz
● UL/CSA 60950-1
● IEC/EN 60950-1
● AS/NZS 60950.1
● CAN/CSA-C22.2 No. 60950-1
EMC - Emissions:
● FCC 47CFR15
● AS/NZS CISPR 22
● CISPR 22
● EN55022/EN55032 (EMI-1)
● KN 32 (EMI-2)
EMC – Emissions:
● EN61000-3-2 Power Line Harmonics (EMI-3)
● EN61000-3-3 Voltage Changes, Fluctuations, and Flicker (EMI-3)
The Cisco Catalyst 9800-L runs on Cisco IOS XE Software version 16.12.1 or later. This software release includes all the features listed earlier in the Product Benefits section.
Table 8 lists the minimum software requirements for the controller models.
Table 8. Minimum software requirements
Minimum software requirement
Cisco Catalyst 9800-L Wireless Controller
Cisco IOS XE Software Release 16.12.1
The Cisco Catalyst 9800 Series Wireless Controllers require mandatory Smart Licensing. This provides ease of use for Cisco DNA license management, consumption, and tracking.
No licenses are required to boot up a Cisco Catalyst 9800 Series Wireless Controller. However, in order to connect any access points to the controller, Cisco DNA licenses are required. Every access point connecting to the Cisco Catalyst 9800 Series controller requires a Cisco DNA subscription license. See Figure 8.
Adding a Cisco Catalyst 9800 Series controller to your network
The APs connecting to the Cisco Catalyst 9800 Series have a new and simplified licensing package.
They can support three types of Cisco DNA license: Cisco DNA Essentials, Cisco DNA Advantage, and Cisco DNA Premier.
The Cisco DNA licenses provide Cisco innovations on the access points. The license also includes the Network Essentials and Network Advantage licensing options, which cover wireless fundamentals such as 802.1X authentication, QoS, PnP, etc., telemetry and visibility, and SSO, as well as security controls. These Network Essentials and Network Advantage components are perpetual and are valid throughout the life of the AP. Cisco DNA subscription licenses have to be purchased for a 3-, 5-, or 7-year subscription term. Upon expiration of a Cisco DNA license, the Cisco DNA features will expire, but the Network Essentials and Network Advantage features will remain.
The following figures and tables show what each base and add-on package includes.
Wireless subscription offer structure
Advantage vs. Essentials licenses
Note: It is not required to deploy Cisco DNA Center just to use one of the above packages.
The following table shows the features included in the Network Advantage and Network Essentials package.
Table 9. Features included in the Network Advantage and Network Essentials packages
● 802.1X authentications, guest access, device onboarding, infrastructure and client IPv6, Access Control Lists (ACLs), QoS, Videostream, smart defaults, Radio Resource Management (RRM), Spectrum Intelligence, Bluetooth Low Energy (BLE), Zigbee, USB, Cisco TrustSec ® SXP, SSO, Dynamic QoS, analytics, ADP, OpenDNS, mDNS, IPsec, rogue management and detection, mobility
● Flexible Radio Assignment (FRA), ClientLink, Cisco CleanAir ® Advanced
● Next-Generation High Density Experience (NG-HDX), predictive/proactive RRM
Internet of Things (IoT) optimized
Identity Pre-Shared Keys (PSK), enhanced device profilers
● PnP agent
● NETCONF, RESTCONF, gRPC Network Management Interface protocol (gNMI)
● YANG data models
● Guest shell (on-box Python)
Federal Information Processing Standards (FIPS), CC, UCAPL, USGV6
Telemetry and visibility
● Model-driven telemetry
● NETCONF dial-in, gRPC dial-out
High availability and resiliency (advanced)
● In-Service Software Upgrades (ISSU), process restart
● Rolling AP upgrades
● Patching (CLI)
● AP service pack and device pack
Flexible network segmentation
The following table shows the features included in the Cisco DNA Advantage and Cisco DNA Essentials packages.
Table 10. Features included in the Cisco DNA Advantage and Cisco DNA Essentials packages
Cisco DNA Essentials
Cisco DNA Advantage/Premier
Plug and Play, network site design and device provisioning
Image management, network topology and discovery, Application Visibility and Control (AVC)
Health dashboard (network, client, and application), AP floor map and coverage map, predefined reports
Basic wireless IPS
Location Plug and Play
Automated ISE integration for guest
Third-party API integration
Assurance and analytics
Apple iOS Insights
Proactive issue detection
Aironet Active Sensor tests
Client location heatmaps
Application performance (packet loss, latency, and jitter)
App 360, AP 360, Client 360, and WLC 360
Enhanced security and Internet of Things (IoT)
Encrypted Traffic Analytics, advanced wireless intrusion prevention (wIPS)
EasyQoS configuration, EasyQoS monitoring, policy-based automation
Patch lifecycle management
Two modes of licensing are available:
● SL: Smart Licensing simplifies and adds flexibility to licensing. It is:
◦ Simple: Procure, deploy, and manage licenses easily. Devices self-register, removing the need for Product Activation Keys (PAKs).
◦ Flexible: Pool license entitlements in a single account. Move licenses freely through the network, wherever you need them.
◦ Smart: Manage your license deployments with real-time visibility into ownership and consumption.
● SLR mode
◦ Specific License Reservation (SLR) is a feature used in highly secure networks. It provides a method for customers to deploy a software license on a device (product instance) without communicating usage information to Cisco. There will be no communication with Cisco or a satellite. The licenses will be reserved for every controller. It is node-based licensing.
● Four levels of licensing are supported on the Cisco Catalyst 9800 Series Wireless Controllers. The controllers can be configured to function at any one of the four levels.
◦ Cisco DNA Essentials: Supports the Cisco DNA Essentials feature set.
◦ Cisco DNA Advantage: Supports the Cisco DNA Advantage feature set.
◦ NE: Supports the Network Essentials feature set.
◦ NA: Supports the Network Advantage feature set.
● For customers who purchase Cisco DNA Essentials, Network Essentials will be supported and will continue to function even after term expiration. For customers who purchase Cisco DNA Advantage, Network Advantage will be supported and will continue to function even after term expiration.
● Initial bootup of the controller is at the Cisco DNA Advantage level.
● For questions, contact the Cisco Catalyst 9800 Series Wireless Controllers Licensing mailer group at ask-catalyst9800licensing.
Managing licenses with Smart Accounts
Creating Smart Accounts by using the Cisco Smart Software Manager (SSM) enables you to order devices and licensing packages and also manage your software licenses from a centralized website. You can set up the Smart Account to receive daily email alerts and to be notified of expiring add-on licenses that you want to renew. A Smart Account is mandatory for Cisco Catalyst 9800 Series controllers.
Find warranty information on Cisco.com at the Product Warranties page.
Cisco 1-year limited hardware warranty terms
The following are terms applicable to your hardware warranty. Your embedded software is subject to the Cisco End User License Agreement (EULA) and/or any Supplemental EULA (SEULA) or specific software warranty terms for additional software products loaded on the device.
Duration of hardware warranty: One (1) year
Replacement, repair, or refund procedure for hardware: Cisco or its service center will use commercially reasonable efforts to ship a replacement part within ten (10) working days after receipt of the RMA request. Actual delivery times may vary depending on customer location.
Cisco reserves the right to refund the purchase price as its exclusive warranty remedy.
Table 11. Ordering information
Cisco Catalyst 9800-L (Fiber Uplink) Wireless Controller
Cisco Catalyst 9800-L (Copper Uplink) Wireless Controller
Cisco Catalyst 9800 Series Wireless Controller DTLS License
Cisco Catalyst 9800 Series Wireless Controller Rack Mount Bracket
Cisco Catalyst Wireless Controller 110W AC Power Supply