Installing the VM<\/h3>\n\n\n\n
First you have to download the install medium from software.cisco.com. I prefer the “ova”-file:<\/p>\n\n\n\n Deploy it on your ESX server. This guide is using a standalone ESXi, not the VCenter.<\/p>\n\n\n\n For a lab setup, these are my deployment options:<\/p>\n\n\n\n GigabitEthernet1 is for OOB management, GigabitEthernet3 is for HA. For a lab setup, I’ll disable them later.<\/p>\n\n\n\n GigabitEthernet2 is our primary interface for AP and Client communication. It’s a VMware interface that uses tagged frames:<\/p>\n\n\n\n The important settings are:<\/p>\n\n\n\n This part is meant to make the VM accessible through SSH, as the configuration is much more comfortable through SSH than through the VMware console:<\/p>\n\n\n\n Say no to the initial configuration dialog:<\/p>\n\n\n\n Enter your preferred secret:<\/p>\n\n\n\n Next we go to the IOS command prompt.<\/p>\n\n\n\n Adding a temporary user to access the VM by SSH. I use a temporary user and password because my real admin user has a password that is much longer and more complex. The likelihood of typos is much higher in the VMware console compared to SSH:<\/p>\n\n\n\n Configure the IP-Settings of my management interface:<\/p>\n\n\n\n Your settings might vary. With this basic config, we can continue on SSH.<\/p>\n\n\n\n First I configure my “real” admin user and delete the temp user:<\/p>\n\n\n\n Next, I add the host-settings:<\/p>\n\n\n\n Again, adjust this to your needs.<\/p>\n\n\n\n Next we need a trustpoint which is used for the DTLS-communication:<\/p>\n\n\n\n The wireless management interface and the wireless country gets defined:<\/p>\n\n\n\n As a last step, don’t forget to save the config, or the GUI won’t get out of the day0-loop:<\/p>\n\n\n\n Now the 9800-CL can be accessed through the GUI.<\/p>\n\n\n\n Some additional config that I always need (regardless of LAB or production), and what I always configure through the CLI:<\/p>\n\n\n\n <\/p>\n\n\n\n Have fun with your Cisco Catalyst 9800-CL!<\/p>\n","protected":false},"excerpt":{"rendered":" There are many guides on the internet for the setup of the Cisco Catalyst 9800-CL. But most of them are pretty old, and things have changed in the meantime. This guide is based on version 17.15.3 of the 9800-CL. It shows how to do the basic setup on VMware ESXi in three steps. This is <\/p>\n![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2025\/07\/CleanShot-2025-07-12-at-11.32.43-1024x592.jpg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2025\/07\/CleanShot-2025-07-10-at-16.54.23.jpg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2025\/07\/CleanShot-2025-07-12-at-11.15.51.jpg\")
<\/figure>\n\n\n\n\n
Minimum needed config on the VMware console<\/h3>\n\n\n\n
![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2025\/07\/CleanShot-2025-07-11-at-16.42.47.jpg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/cyber-fi.net\/wp-content\/uploads\/2025\/07\/CleanShot-2025-07-11-at-16.45.19.jpg\")
<\/figure>\n\n\n\nconf t\nusername temp priv 15 secret temp\naaa new-model\naaa authentication login default local\naaa authorization exec default local<\/code><\/pre>\n\n\n\nvlan 1224\n name WLC-Mgmt\n!\ninterface Vlan1224\n ip address 10.255.224.200 255.255.255.0\n!\ndefault interface vlan 1\n!\nip route 0.0.0.0 0.0.0.0 10.255.224.254\n!\ninterface GigabitEthernet2\n switchport trunk native vlan 1239\n switchport mode trunk<\/code><\/pre>\n\n\n\nFinishing the setup remotely<\/h3>\n\n\n\n
\u279c ~ ssh -l temp 10.255.224.200<\/code><\/pre>\n\n\n\nconf t\nusername admin privilege 15 algorithm-type scrypt secret YOUR-NEW-PASSWORD\n!\nno username temp<\/code><\/pre>\n\n\n\nhostname c9800-cl-k63-1\nip domain name wireless-training.net\nip name-server 10.255.224.101 10.255.192.101\n!\nclock timezone CET 1 0\nclock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00\n!\nntp server ptbtime2.ptb.de\nntp server ptbtime1.ptb.de\n!\nip access-list standard restrict_ipv4_webui\n 10 permit 10.255.0.0 0.0.255.255\n!\nno ip http server\nip http access-class ipv4 restrict_ipv4_webui\nip http authentication aaa login-authentication default\nip http authentication aaa exec-authorization default\nip http secure-server\nno ip http client source-interface Vlan1\n!\ninterface GigabitEthernet1\n shutdown\n!\ninterface GigabitEthernet3\n shutdown<\/code><\/pre>\n\n\n\n! This is done in Privilege mode:\nwireless config vwlc-ssc key-size 4096 signature-algo sha384 password 0 YOUR-PASSWORD<\/code><\/pre>\n\n\n\nconf t\nwireless management interface vlan 1224\n!\nwireless country DE<\/code><\/pre>\n\n\n\nwr<\/code><\/pre>\n\n\n\nradius server ISE-1\n address ipv4 ISE-IP-1 auth-port 1812 acct-port 1813\n key 0 YOUR-RADIUS-SECRET\n!\naaa server radius dynamic-author\n client ISE-IP-1\n server-key 0 YOUR-RADIUS-SECRET\n!\naaa group server radius ISE-ALL\n server name ISE-1\n!\naaa authentication dot1x ISE-AuthC group ISE-ALL\naaa authorization network ISE-AuthZ group ISE-ALL\naaa accounting identity default start-stop group ISE-ALL\n!\nservice tcp-keepalives-in\nservice tcp-keepalives-out\n!\nline vty 0 50\n transport input ssh<\/code><\/pre>\n\n\n\n