cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Cisco IOS-XE 17.5.1 for the Catalyst 9800 Wireless Controllers.

2638
Views
45
Helpful
5
Comments
anandg
Cisco Employee

 

It’s been about two and half years, since the launch of next generation Cisco Catalyst 9800 Wireless LAN Controllers that has the most deployment flexibility and runs the modular, scalable, highly reliable, open and programmable operating system, IOS-XE starting release 16.10.  The Catalyst 9800 controller, though still young, has fully evolved and matured into being the most stable platform, taking in many innovations, feature additions and feature parity with AireOS based Wireless LAN Controllers.  It’s seeing the fastest growth in adoption and is already serving many big customer deployments and earing kudos!

Next Generation Wireless Stack is incomplete without the mention of its partner – the aesthetic Cisco Catalyst 9100 series Wi-Fi 6 Access Points – that goes above and beyond the Wi-Fi 6 standard with creative RF excellence and intelligence embedded in the access point with its Cisco RF ASIC chipset that enhances the wireless communication, security and also brings in advanced analytics capabilities.

There were multiple software releases in the last couple of years for Catalyst 9800 Wireless LAN Controller and Catalyst 9100 Series Access Points starting with IOS-XE version 16.10 with several innovations, feature enhancements, parity and stability improvements in each of the IOS-XE release.

We are now pleased to announce the availability of IOS-XE release 17.5.1, code named as Bengaluru, for the Catalyst 9800 Wireless LAN Controllers.

The new software code is now available in CCO and can be found at the following link:

https://software.cisco.com/download/home/286322605/type/282046477/release/Bengaluru-17.5.1

Supported Hardware and Virtual Platforms:

Cisco Catalyst 9800-80 Wireless Controller

Cisco Catalyst 9800-40 Wireless Controller

Cisco Catalyst 9800-L Wireless Controller

Cisco Catalyst Controller for Cloud:

     Private Cloud – ESXi, Hyper-V, KVM and Cisco NFVIS on ENCS platform

     Public Cloud – AWS, AWS Gov and GCP

Cisco Embedded Wireless Controller on Catalyst 91xx Access Point

 

Supported Access Points:

Cisco Catalyst 9100 Series Access Points

  • Cisco Catalyst 9105AX Access Points
  • Cisco Catalyst 9115AX Access Points
  • Cisco Catalyst 9117AX Access Points
  • Cisco Catalyst 9120AX Access Points
  • Cisco Catalyst 9130AX Access Points

Indoor Access Points

  • Cisco Aironet 1800 Series Access Points
  • Cisco Aironet 2800 Series Access Points
  • Cisco Aironet 3800 Series Access Points
  • Cisco Aironet 4800 Series Access Points

Outdoor Access Points

  • Cisco Catalyst 9124 Wi-Fi 6 Access Points (New!!)
  • Cisco Aironet 1540 Series Access Points
  • Cisco Aironet 1560 Series Access Points
  • Cisco Industrial Wireless 3700 Series Access Points
  • Cisco Catalyst Industrial Wireless 6300 Heavy Duty Series Access Point
  • Cisco 6300 Series Embedded Services Access Point

Software Compatibility Matrix:

Cisco Catalyst 9800 Wireless Controller Software

Cisco Identity Services Engine

Cisco Prime Infrastructure

Cisco AireOS IRCM Interoperability

Cisco DNA Center

Cisco DNA Spaces Connector

Cisco DNA Spaces – On Premise (CMX)

Bengaluru 17.5.1

3.0

2.7

2.6 P6

3.9.1

3.9

8.10.151.0

8.10.142.0

8.10.130.0

8.8.130.0

8.5.164.0 (IRCM)

2.2.1.x

2.1.2.x

2.3

2.2

10.6.3

 

So, what’s new in IOS-XE 17.5.1 for Wireless?

Firstly, it introduces the much-awaited Wi-Fi 6 Outdoor Access Point – the Catalyst 9124 Access Point and makes the Wi-Fi 6 portfolio complete with its Indoor and Outdoor offerings. Secondly, there are several feature enhancements and additions across all categories -i.e RF, Security, Resiliency, Services and Parity Features.

Let’s look at some of the details of the new outdoor access point and some key features that IOS-XE 17.5.1 brings in for Wireless.

Platform additions and enhancements:

Cisco Catalyst 9124 Wi-Fi 6 Access Points:

The Cisco Catalyst 9124AX Series outdoor access points are next-generation Wi-Fi 6 access points encased in a rugged and robust design that service providers and enterprises can easily deploy.

 

anandg_0-1617384622840.png

 

The Catalyst 9124AX Series offers flexible deployment options for service providers and enterprise networks that need the fastest links possible for mobile, outdoor clients (smartphones, tablets, and laptops), and wireless backhaul. With options for internal or external antennas, the 9124AX Series gives network operators the flexibility to balance their desired wireless coverage with their need for easy deployment.

The Catalyst 9124AX Series Access Points comes in three SKUs – viz

C9124AXI – with Internal Omnidirectional Antenna

C9124AXD – with Internal Directional Antenna

C9124AXE – with External Antenna (available in second half of 2021)

The table below summarizes the key features of Catalyst 9124 Wi-Fi 6 Outdoor Access Points.

  • 4x4 + 4x4 in both 2.4 and 5 GHz
  • MU-MIMO with four spatial streams
  • Uplink/downlink OFDMA
  • TWT
  • BSS Coloring
  • Cisco RF ASIC for next-gen Cisco CleanAir
  • Integrated BLE/IoT Radio
  • 2.5G mGig Wired Uplink
  • 1 Gig Ethernet Port with PoE Out
  • Centralized and FlexConnect Deployments
  • Transmit Power of 30 dBm

More details about the product can be obtained from the following link:

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9100ax-access-points/nb-06-cat9124-ser-ap-ds-cte-en.html

Support for Catalyst 9124 Access Point is also available as an AP Device Pack in IOS-XE Release 17.3.3.  For customers, who would like to be on the long-lived release train of 17.3.x but need to add Catalyst 9124 Access Points in their setup, can do so, by applying the AP Device Pack to the Catalyst 9800 Controller running IOS-XE 17.3.3 image, thereby, utilizing one of the features in resiliency, that IOS-XE offers.  This eliminates the need to upgrade to a new software version, just to support the new AP hardware.

Catalyst 9124 Access Point availability is currently limited to US and Canada (Domain B and A).

RF Enhancements:

The following key RF enhancements are introduced in IOX-XE 17.5.1.

Increased 11ax OFDMA users on Catalyst 9105/9115/9120 Access Points:

The number of users in a single OFDMA transmission is increased to 16 users on the downlink and 8 users in the uplink.  This helps to improve the spectral efficiency and transmission latency.

Downlink MU-MIMO support on Catalyst 9105/9115/9120 Access Points:

Addition of MU-MIMO capability for both VHT (Wi-Fi 5/11ac) and HE (Wi-Fi 6/11ax) in the downlink direction for the Catalyst 9105/9115/9120 Access Points.  This helps to increase the capacity and improves the efficiency.

High density performance improvements via Adaptive Client Load-Based EDCA:

EDCA (Enhanced Distributed Channel Access) is the feature supporting the IEEE 802.11e QoS. It supports differentiated and distributed access to the Wireless Medium using eight different User Priorities supporting four different Access Categories.

IFS (Inter-Frame Spaces) are waiting periods between transmission of frames operating in the medium access control (MAC) sublayer where carrier-sense multiple access with collision avoidance is used. These are techniques used to prevent collisions in Wi-Fi. EDCA adjusts the AIFS (Arbitration Interframe Space) to have set priorities for each Access Category.

With EDCA, high-priority traffic has a higher chance of being sent than low-priority traffic: a station with high priority traffic waits a little less before it sends its packet, on average, than a station with low priority traffic.

Static EDCA config is good for small number of clients. As client scales in Enterprise Multi-Client Deployment scenario, AP may experience excessive collisions. This can result in significant performance degradation.

To overcome the above challenge and to reduce collisions significantly, this software release introduces this feature to dynamically change EDCA parameters of clients based on active client and load on the Catalyst 9105, 9115 and 9120 access points.

Enable or disable 11ax Features per SSID:

Wi-Fi 6 standard brings many new features to Wi-Fi and not all legacy devices may react well to new capabilities advertised over the air.  By extending 802.11ax capability control to SSID level, customers can maintain the compatibility with old, legacy wireless standard clients that couldn’t get firmware or driver update for 802.11ax interoperability.

Spectrum Intelligence for Catalyst 9105 Access Point:

Spectrum Intelligence for non CleanAir capable AP’s is driven by Software analysis of the base Wi-Fi radios receiver.  The Spectrum Intelligence feature can detect and report on five common kinds of Non-Wi-Fi interference:

  • Microwave Oven (2.4 GHz)
  • Analog Cordless Phones (2.4 and 5 GHz)
  • Wireless Analog Video Camera (2.4 and 5 GHz)

Cisco Spectrum Intelligence is equivalent to competing solutions based on software analysis of data pattern from the Wi-Fi chip radios.

Security:

Intermediate CA Support for AP Authentication:

This feature is an extension support to the existing Locally Significant Certificates (LSC) feature.

Prior to IOS-XE 17.5.1, Root CA server was needed to sign the Access Points CSR and issuance of certificates.  Many PKI deployments do not expose Root CA directly and use Intermediate CA server for enrollment and issuance of certificates.

This software release introduces the support for Intermediate CA server to sign and issue certificates to Access Points, which is a more secure and scalable solution. 

Catalyst 9800 Wireless LAN Controller can now interact with an Intermediate CA server through SCEP (Simple Certificate Enrollment Protocol) to forward certificate requests and fetch the certificates on behalf of Access Points. 

Support for both MIC and LSC APs to join the same Catalyst 9800 Controller:

From this software release, the new authorization policy configuration allows MIC access points (APs) to join the LSC deployed controller, so that the LSC and MIC APs can co-exist in the controller, at the same time.

This eliminates the need for additional Wireless Controller, just for LSC provisioning purposes or maintenance window for LSC provisioning.

Multiple Cipher Support:

This software release introduces Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)/Galois Counter Mode (GCM) ciphersuite with perfect forward secrecy (PFS) capability added in the default-list along with existing AES128-SHA. All the supported AP models, except legacy Cisco IOS APs, will prioritize this PFS ciphersuite for CAPWAP-DTLS under default configuration.

Easy PSK – Client onboarding without Registration:

As the number of devices connecting to the internet is increasing rapidly, a simple and easy way to implement security mechanism is desirable for large-scale deployments. One such solution is Easy Pre-Shared Key (Easy PSK). This feature bundles several PSKs onto an SSID and performs client group authentication and authorization on the PSK. Easy PSK feature eliminates the need for client preregistration and automatically adds the client to a group and applies the requisite policies. This feature also provides the means to limit peer-to-peer communication amongst the clients of a group.

PSK grouping on an SSID is useful for different deployment scenarios such as multi dwelling units, university halls, hospitality centers, and hospitals where a single SSID offers efficient use of airtime and roaming capabilities across the access infrastructure while segregating clients as if they were on a private SSID.

Support to Provision SuiteB 192-bit AVPs to AAA Server:

This feature addresses a requirement in WPA3 Enterprise 192-bit Security certification test requirement where they need four AVPs to be added in the RADIUS Access Request.  This is required for WFA compliance.  AAA server will expect the mentioned AVPs and the association may fail without this support.

Disable Random MAC Clients:

In this software release, the controller is equipped with a knob that denies the entry of clients with random MAC address into the network.  When this knob is enabled on the controller, the association of any client joining the network with a random MAC address will be rejected. 

WIPS Additional Signatures:

Fifteen new additional signatures are added to the NextGen WIPS.

Resiliency:

Standby Monitoring Enhancements:

This feature monitors standby CPU or memory information from the active controller. Also, this feature independently monitors standby controller using SNMP for the interface MIB.

Auto Upgrade of Standby Controller:

This feature enables the standby controller to upgrade to active controller's software image, so that both controllers can form high availability (HA).

Use cases:

  • HA formation between the controllers running different releases:  Can bring up the HA between controller running with different images, auto-upgrade will take care image mismatch.
  •  Can replace faulty controller in HA setup without upgrading controller.
  • Will ease out HA recovery arise out version mismatch.

Catalyst 9800-CL LAG Support:

LACP protocol (IEEE 802.3ad) aggregates physical Ethernet interfaces by exchanging the Link Aggregation Control Protocol Data Units (LACPDUs) between two devices.

LAGP, PAGP support is needed on SSO pair in order to have:

1: Ability to detect and monitor the link/connectivity failures on STANDBY.

2: Seamless transfer of client data traffic upon switchover (SSO)

Prior to Cisco IOS XE release 17.5.1, which brought in high throughput features like SR-IOV, link redundancy was offered via NIC teaming. Since SR-IOV doesn’t support NIC teaming/bonding, LAG support is needed for providing link redundancy and load balancing.

Services:

OEAP Link Test:

This feature helps network administrators to troubleshoot OEAP Link Issues for Remote Teleworker users from Catalyst 9800 Wireless Controller. 

OEAP Link Test provides DTLS upload speed, link latency and link jitter.

Track AP CPU Usage for AP Health:

This software release helps to track the CPU utilization and the memory usage of an AP, and monitor the health of the AP, from the controller, by generating AP real-time statistics.

Release Notes:

Link to release notes:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-5/release-notes/rn-17-5-9800.html

 

5 Comments
philosophie
Beginner

Hi Team,

 

Increased 11ax OFDMA users on Catalyst 9105/9115/9120 Access Points:

The number of users in a single OFDMA transmission is increased to 16 users on the downlink and 8 users in the uplink.  This helps to improve the spectral efficiency and transmission latency.

Downlink MU-MIMO support on Catalyst 9105/9115/9120 Access Points:

Addition of MU-MIMO capability for both VHT (Wi-Fi 5/11ac) and HE (Wi-Fi 6/11ax) in the downlink direction for the Catalyst 9105/9115/9120 Access Points.  This helps to increase the capacity and improves the efficiency.

 

I saw this 2 point on this release, how about for catalyst 9130 AP?

Because on this release there are enhancement only for 9105/9115/9120 AP.

Thank you.

anandg
Cisco Employee

9130 already supports higher number of users from Rel 17.3.1.  Please refer to IOS-XE 17.3.1 documentation for more details.

Thanks

jineshn
Cisco Employee

Nice blog.  Very helpful. 

Rasika Nayanajith
VIP Mentor

Hi Anand,

It was a very detailed document about all the new features added.. very well written.

 

I think in the software compatibility matrix section it should specify 8.10.151.0 as that is more closely go with 17.5.1 code. It is also good to specify this is going to be a standard maintenance release code version, so customers may not straight jump into it (unless they need to use this newer AP model and test these new features)

 

what would be the impact of "Disable Random MAC address"? Would not that impact a wider client base (Apple and Android who is doing this now)

 

Great work once again & keep it up

 

Rasika

anandg
Cisco Employee

Hi Rasika,

Thanks for your feedback.  The software compatibility matrix has been updated to include 8.10.151.0.  

Disable Random MAC address is not enabled by default.  A knob has been provided based on customer requests to selective disable clients with mac address on per SSID in their environment. The knob is disabled by default.

Thanks,

Anand

Content for Community-Ad

This widget could not be displayed.