Connecting Cisco 9800 Wireless Controllers to Dashboard
Meraki Tunnel for Wireless Controllers
Starting with IOS XE 17.12.3 / IOS XE 17.15.1, the Cisco 9800 Wireless LAN Controllers (WLCs) can register with Meraki Dashboard for Cloud Monitoring for Wireless. The Meraki device-to-cloud connectivity architecture has been crafted from the ground up to provide security and simplicity for connecting network devices to the Meraki dashboard, which now includes the 9800 WLCs.
The Meraki Tunnel uses TLS 1.2 with AES-256 for encryption and enforces mutual TLS authentication to securely connect the 9800 wireless controllers to the Meraki cloud infrastructure. Device-to-cloud connectivity with the Meraki Tunnel communicates via TCP port 443. This simplifies upstream firewall configurations, as the 9800 WLCs are usually behind firewalls that may already allow outbound connections to port 443.
This feature serves a common use-case where customers want their access points (APs) to continue to be managed by their 9800 WLC while also having the 9800 live in Meraki Dashboard. This would allow for a co-existence of a 9800 managed wireless deployment and the possible migration to a fully Cloud Managed Wireless deployment.
Your controller will register with dashboard to obtain its Cloud ID (Meraki Serial Number) over a secure HTTPS connection when Meraki Service Connect is initiated:
Once the 9800 has been registered with dashboard, it will securely connect to the dashboard Tunnel Config server to fetch its Meraki Tunnel configuration:
Finally, with the Meraki Tunnel configuration, the 9800 will create a secure tunnel to dashboard on TCP Port 443:
Considerations
-
The Meraki Tunnel on 9800 does NOT support HTTP Web Proxy servers and requires the controller to have direct outbound access to the Meraki Cloud Infrastructure.
-
It is recommended for Meraki Tunnel traffic to be exempt from TLS/SSL traffic inspection in order to avoid potential connectivity issues.
Connecting the 9800 to dashboard is the first stage of onboarding. Follow the Adding Catalyst 9800 Wireless Controller and Access Points to Dashboard document to claim your 9800 into your dashboard organization after you have connected the 9800.
Make sure your Wireless Controller and Access Points meet the requirements. More information about Firmware, License and other aspects are covered in this document: Cloud Monitoring for Wireless Requirements.
Meraki Tunnel Prerequisites
Before the Meraki Tunnel is enabled the 9800 Controller the following is required:
-
IP Routing is enabled. IP routing mode is required for the Meraki Tunnel services on the wireless controller.
-
The Meraki Tunnel only supports the Global VRF.
-
Domain Name Lookup is required for hostname resolution to the dashboard Registration and Meraki Tunnel services.
ip name-server {Domain server IP address}
ip domain lookup
-
The Wireless controller clock must reflect the correct current time in order to establish a mutual TLS tunnel with the Registration and Meraki Tunnel services by enabling NTP services.
ntp server {ntp server IP address}
Connecting the Wireless Controller to Dashboard
Using the WebUI
- Navigate to Configuration > Services > Cloud Services > Meraki in the Web UI to connect the 9800 wireless controller to the dashboard:
- Set the Meraki Connect button to ENABLED and click Apply.
- Within the same Web UI page, you can monitor the status of the registration and Meraki Tunnel to confirm the 9800 wireless controller has successfully registered and connected,
- Once the registration is completed and Meraki Tunnel is up, the Cloud ID of the WLC can be found in the Meraki Registration Details section.
Using the CLI
- Connecting the 9800 wireless controller to dashboard from the command line interface is done with the configuration command service meraki connect:
9800# conf t
Enter configuration commands, one per line. End with CNTL/Z.
9800(config)#service meraki connect
- To confirm the 9800 wireless controller has successfully registered and the Meraki Tunnel is connected use the show meraki connect command:
CMON-9800M1#show meraki connect
Service meraki connect: enable
Meraki Tunnel Config
------------------------------------
Fetch State: Config fetch succeeded
Fetch Fail:
Last Fetch(UTC): 2025-12-01 19:32:00
Next Fetch(UTC): 2025-12-01 20:56:30
Config Server: cs111-2037.meraki.com
Primary: usw.nt.meraki.com
Secondary: use.nt.meraki.com
Client IPv6 Addr: FD0A:9B09:1F7:1:4214:82FF:FE70:C900
Network Name: Cloud Monitoring WLC and AP Demo - wireless controller
Meraki Tunnel State
------------------------------------
Primary: Up
Secondary: Up
Primary Last Change(UTC): 2025-11-30 00:40:36
Secondary Last Change(UTC): 2025-11-21 00:25:02
Client Last Restart(UTC): 2025-10-31 04:38:38
Meraki Tunnel Interface
------------------------------------
Status: Enable
Rx Packets: 30418212
Tx Packets: 43693985
Rx Errors: 0
Tx Errors: 0
Rx Drop Packets: 0
Tx Drop Packets: 47
Meraki Device Registration
------------------------------------
url: https://catalyst.meraki.com/nodes/register
Device Number: 1
PID: CW9800M
Serial Number: FLXXXXXXXXX
Cloud ID: Q5XX-XXXX-XXXX
Mac Address: AA:BB:CC:DD:EE:FF
Status: Registered
Timestamp(UTC): 2025-10-31 04:38:27
Device Number: 2
PID: CW9800M
Serial Number: FLXXXXXXXXX
Cloud ID: Q5XX-XXXX-XXXX
Mac Address: AA:BB:CC:DD:EE:FF
Status: Registered
Timestamp(UTC): 2025-11-06 17:44:21
C9800-CL Important Information
To securely onboard the C9800-CL Wireless Controller for Cloud, the WLC will need an additional task to complete registration. After connecting to the Meraki Registration service, the WLC will receive a Temporary Cloud ID.
The Temporary Cloud ID is provided in the same format as the Cloud ID. However, the first character for the Temporary Cloud IS is always "V".
After a Temporary Cloud ID is generated, you will have 60 minutes to claim the C9800-CL into your Organization. For steps to claim, please see the guide here on how to claim a device.
The Temporary Cloud ID will expire in 60 minutes after you enable service meraki connect in the C9800-CL. If it has been longer than 60 minutes and your Temporary Cloud ID has expired, you must disable and re-enable the meraki service in the C9800-CL.
For HA-SSO C9800-CL deployments, you must claim both the Active and Standby WLC units temporary Cloud IDs
There is a limit of 10 C9800-CL wireless controllers per dashboard organization. Please contace Meraki support if you need to claim additional C9800-CL wireless controllers.
Once the C9800-CL is claimed, a permanent Cloud ID will generated and assigned to the C9800-CL.
Permanent Cloud IDs will always start with "Q" (QXXX-XXXX-XXXX).
Once claimed in your Organization inventory, the Meraki Device Registration output of show meraki connect will update to show the C9800-CL permanent Cloud ID and status registered.
Meraki Device Registration ------------------------------------ url: https://vcatalyst.meraki.com/v1/vRegister/registerVirtualDevice Device Number: 1 PID: C9800-CL-K9 Serial Number: ABCDEF12345 Cloud ID: QXXX-XXXX-XXXX Mac Address: AA:BB:CC:DD:EE:FF Status: Registered Timestamp(UTC): 2025-11-21 18:22:10 Cert expiry: 2026-08-09 21:11:46
The C9800-CL wireless controller will now be listed in your Organization inventory.
Access Point Registration
Access points must be registered with dashboard in order to be onboarded and will also receive their own unique Cloud ID (serial number). When the Meraki Connect service is enabled on the controller, the controller will instruct all joined access points to begin to register with dashboard over a secure HTTPS connection:
The access point registration process will automatically begin when the service is enabled on the controller and requires no additional configuration.
Access Point Registration Prerequisites
- Access Points must be able to reach the following Meraki Dashboard IP ranges to register with dashboard:
-
209.206.48.0/20 TCP/443
216.157.128.0/20 TCP/443
158.115.128.0/19 TCP/443
-
- Access Points must be able to perform a domain name lookup is required for hostname resolution to the dashboard Registration service.
-
For access points obtaining IP address configuration from DHCP, ensure DHCP Option 6—DNS server option is enabled to specify the DNS server IP address to be assigned to the access points.
-
Only dashboard supported access point models will register. For the list of supported access points, view the Cloud Monitoring for Wireless Requirements document.
To confirm access points have successfully registered in dashboard use the show ap meraki monitoring summary command:
9800#show ap meraki monitoring summary
Meraki Monitoring : Enabled
Number of Supported APs : 2
AP Name AP Model Radio MAC MAC Address AP Serial Number Cloud ID Status
-----------------------------------------------------------------------------------------------------------------------------------------------------
AP-C9130AXE-01 C9130AXE-B 5c64.f112.c720 6c8d.7738.2130 FJC271123CQ Q2ZZ-8SWV-NZ7A Registered
AP-CW9166I-01 CW9166I-B e438.7e43.bd20 6849.9275.9060 FJC271122H0 Q5AP-WBAV-2SSY Registered
Access point registration status can also be seen in the the 9800 Web UI by navigating to Configuration > Wireless > access points:
Note: You may need to select the Meraki monitoring columns to see the AP Meraki registration information:
As long as the Meraki Connect service remains enabled, any access points that join the 9800 wireless controller that are supported will automatically register to dashboard.