It’s been about two and a half years since the launch of the next-generation Cisco Catalyst 9800 Wireless LAN Controllers, which offer the most deployment flexibility and run the modular, scalable, highly reliable, open and programmable operating system IOS-XE, starting with release 16.10. The Catalyst 9800 controller, though still young, has fully evolved and matured into being the most stable platform, taking in many innovations, feature additions and feature parity with AireOS based Wireless LAN Controllers. It’s seeing the fastest growth in adoption and is already serving many big customer deployments and earning kudos!
The Next Generation Wireless Stack is incomplete without mention of its partner, the aesthetic Cisco Catalyst 9100 series Wi-Fi 6 Access Points, which go above and beyond the Wi-Fi 6 standard with creative RF excellence and intelligence embedded in the access point. Their Cisco RF ASIC chipset enhances wireless communication and security and also brings in advanced analytics capabilities.
There have been multiple software releases in the last couple of years for the Catalyst 9800 Wireless LAN Controller and Catalyst 9100 Series Access Points, starting with IOS-XE version 16.10, with several innovations, feature enhancements, parity and stability improvements in each IOS-XE release.
We are now pleased to announce the availability of IOS-XE release 17.5.1, code-named Bengaluru, for the Catalyst 9800 Wireless LAN Controllers.
The new software code is now available in CCO and can be found at the following link:
Private Cloud – ESXi, Hyper-V, KVM and Cisco NFVIS on ENCS platform
Public Cloud – AWS, AWS Gov and GCP
Cisco Embedded Wireless Controller on Catalyst 91xx Access Point
Supported Access Points:
Cisco Catalyst 9100 Series Access Points
Cisco Catalyst 9105AX Access Points
Cisco Catalyst 9115AX Access Points
Cisco Catalyst 9117AX Access Points
Cisco Catalyst 9120AX Access Points
Cisco Catalyst 9130AX Access Points
Indoor Access Points
Cisco Aironet 1800 Series Access Points
Cisco Aironet 2800 Series Access Points
Cisco Aironet 3800 Series Access Points
Cisco Aironet 4800 Series Access Points
Outdoor Access Points
Cisco Catalyst 9124 Wi-Fi 6 Access Points (New!!)
Cisco Aironet 1540 Series Access Points
Cisco Aironet 1560 Series Access Points
Cisco Industrial Wireless 3700 Series Access Points
Cisco Catalyst Industrial Wireless 6300 Heavy Duty Series Access Point
Cisco 6300 Series Embedded Services Access Point
Software Compatibility Matrix:
Cisco Catalyst 9800 Wireless Controller Software
Cisco Identity Services Engine
Cisco Prime Infrastructure
Cisco AireOS IRCM Interoperability
Cisco DNA Center
Cisco DNA Spaces Connector
Cisco DNA Spaces – On Premise (CMX)
So, what’s new in IOS-XE 17.5.1 for Wireless?
Firstly, it introduces the much-awaited Wi-Fi 6 Outdoor Access Point, the Catalyst 9124 Access Point, which completes the Wi-Fi 6 portfolio with both Indoor and Outdoor offerings. Secondly, there are several feature enhancements and additions across all categories, i.e. RF, Security, Resiliency, Services and Parity Features.
Let’s look at some of the details of the new outdoor access point and some key features that IOS-XE 17.5.1 brings in for Wireless.
Platform additions and enhancements:
Cisco Catalyst 9124 Wi-Fi 6 Access Points:
The Cisco Catalyst 9124AX Series outdoor access points are next-generation Wi-Fi 6 access points encased in a rugged and robust design that service providers and enterprises can easily deploy.
The Catalyst 9124AX Series offers flexible deployment options for service providers and enterprise networks that need the fastest links possible for mobile, outdoor clients (smartphones, tablets, and laptops), and wireless backhaul. With options for internal or external antennas, the 9124AX Series gives network operators the flexibility to balance their desired wireless coverage with their need for easy deployment.
The Catalyst 9124AX Series Access Points come in three SKUs:
C9124AXI – with Internal Omnidirectional Antenna
C9124AXD – with Internal Directional Antenna
C9124AXE – with External Antenna (available in second half of 2021)
The table below summarizes the key features of Catalyst 9124 Wi-Fi 6 Outdoor Access Points.
4x4 + 4x4 in both 2.4 and 5 GHz
MU-MIMO with four spatial streams
Cisco RF ASIC for next-gen Cisco CleanAir
Integrated BLE/IoT Radio
2.5G mGig Wired Uplink
1 Gig Ethernet Port with PoE Out
Centralized and FlexConnect Deployments
Transmit Power of 30 dBm
More details about the product can be obtained from the following link:
Support for the Catalyst 9124 Access Point is also available as an AP Device Pack in IOS-XE Release 17.3.3. Customers who would like to stay on the long-lived 17.3.x release train but need to add Catalyst 9124 Access Points to their setup can do so by applying the AP Device Pack to a Catalyst 9800 Controller running the IOS-XE 17.3.3 image, thereby using one of the resiliency features that IOS-XE offers. This eliminates the need to upgrade to a new software version just to support the new AP hardware.
Catalyst 9124 Access Point availability is currently limited to US and Canada (Domain B and A).
The following key RF enhancements are introduced in IOS-XE 17.5.1.
Increased 11ax OFDMA users on Catalyst 9105/9115/9120 Access Points:
The number of users in a single OFDMA transmission is increased to 16 users on the downlink and 8 users in the uplink. This helps to improve the spectral efficiency and transmission latency.
Downlink MU-MIMO support on Catalyst 9105/9115/9120 Access Points:
Addition of MU-MIMO capability for both VHT (Wi-Fi 5/11ac) and HE (Wi-Fi 6/11ax) in the downlink direction for the Catalyst 9105/9115/9120 Access Points. This helps to increase the capacity and improves the efficiency.
High density performance improvements via Adaptive Client Load-Based EDCA:
EDCA (Enhanced Distributed Channel Access) is the feature supporting the IEEE 802.11e QoS. It supports differentiated and distributed access to the Wireless Medium using eight different User Priorities supporting four different Access Categories.
IFS (Inter-Frame Spaces) are waiting periods between transmission of frames operating in the medium access control (MAC) sublayer where carrier-sense multiple access with collision avoidance is used. These are techniques used to prevent collisions in Wi-Fi. EDCA adjusts the AIFS (Arbitration Interframe Space) to have set priorities for each Access Category.
With EDCA, high-priority traffic has a higher chance of being sent than low-priority traffic: a station with high priority traffic waits a little less before it sends its packet, on average, than a station with low priority traffic.
A static EDCA configuration works well for a small number of clients. As the client count scales up in an enterprise multi-client deployment, the AP may experience excessive collisions, which can result in significant performance degradation.
To overcome this challenge and significantly reduce collisions, this software release introduces a feature that dynamically changes the EDCA parameters of clients based on the active clients and load on the Catalyst 9105, 9115 and 9120 access points.
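The scaling problem described above can be seen in a simplified contention model. This is an added example, not Cisco's algorithm or code from this release: the single-round model, the `adapt_cwmin` policy and the 10% target are assumptions made for illustration.

```python
# Simplified single-round contention model (illustration only, not Cisco's algorithm).
# Assumption: every active station is backlogged and draws a backoff slot
# uniformly from 0..CW; a collision occurs when the smallest slot is shared.

CW_LADDER = [15, 31, 63, 127, 255, 511, 1023]  # 802.11 OFDM aCWmin..aCWmax (2^n - 1)


def collision_probability(stations: int, cw: int) -> float:
    """Probability that two or more stations tie for the earliest slot."""
    if stations < 2:
        return 0.0
    slots = cw + 1
    # P(unique winner) = n * sum_k (1/slots) * P(other n-1 stations all draw > k)
    later = sum(((slots - 1 - k) / slots) ** (stations - 1) for k in range(slots))
    return 1.0 - stations * later / slots


def adapt_cwmin(active_stations: int, target: float = 0.10) -> int:
    """Hypothetical load-based policy: smallest CWmin that keeps the
    collision probability at or below `target` for the current client count."""
    for cw in CW_LADDER:
        if collision_probability(active_stations, cw) <= target:
            return cw
    return CW_LADDER[-1]


def compare(client_counts, static_cw: int = 15):
    """Rows of (clients, static collision prob, adapted CWmin, adapted prob)."""
    rows = []
    for n in client_counts:
        cw = adapt_cwmin(n)
        rows.append((n, round(collision_probability(n, static_cw), 3),
                     cw, round(collision_probability(n, cw), 3)))
    return rows


if __name__ == "__main__":
    for n, p_static, cw, p_adapt in compare([2, 10, 40, 100]):
        print(f"{n:>3} clients: static CWmin=15 -> {p_static:.3f}   "
              f"adaptive CWmin={cw} -> {p_adapt:.3f}")
```

The model ignores AIFS differences, retries and backoff freezing, so the numbers show the trend with client count rather than real airtime behaviour.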
Enable or disable 11ax Features per SSID:
The Wi-Fi 6 standard brings many new features to Wi-Fi, and not all legacy devices may react well to new capabilities advertised over the air. By extending 802.11ax capability control to the SSID level, customers can maintain compatibility with old, legacy wireless standard clients that couldn’t get a firmware or driver update for 802.11ax interoperability.
Spectrum Intelligence for Catalyst 9105 Access Point:
Spectrum Intelligence for non-CleanAir-capable APs is driven by software analysis of the base Wi-Fi radio’s receiver. The Spectrum Intelligence feature can detect and report on five common kinds of non-Wi-Fi interference:
Microwave Oven (2.4 GHz)
Analog Cordless Phones (2.4 and 5 GHz)
Wireless Analog Video Camera (2.4 and 5 GHz)
Cisco Spectrum Intelligence is equivalent to competing solutions based on software analysis of data pattern from the Wi-Fi chip radios.
Intermediate CA Support for AP Authentication:
This feature extends the existing Locally Significant Certificates (LSC) feature.
Prior to IOS-XE 17.5.1, a Root CA server was needed to sign the Access Points’ CSRs and issue certificates. Many PKI deployments do not expose the Root CA directly and use an Intermediate CA server for enrollment and issuance of certificates.
This software release introduces the support for Intermediate CA server to sign and issue certificates to Access Points, which is a more secure and scalable solution.
Catalyst 9800 Wireless LAN Controller can now interact with an Intermediate CA server through SCEP (Simple Certificate Enrollment Protocol) to forward certificate requests and fetch the certificates on behalf of Access Points.
Support for both MIC and LSC APs to join the same Catalyst 9800 Controller:
From this software release, the new authorization policy configuration allows MIC access points (APs) to join an LSC-deployed controller, so that LSC and MIC APs can co-exist on the controller at the same time.
This eliminates the need for an additional Wireless Controller just for LSC provisioning purposes, or for a maintenance window for LSC provisioning.
Multiple Cipher Support:
This software release introduces Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)/Galois Counter Mode (GCM) ciphersuite with perfect forward secrecy (PFS) capability added in the default-list along with existing AES128-SHA. All the supported AP models, except legacy Cisco IOS APs, will prioritize this PFS ciphersuite for CAPWAP-DTLS under default configuration.
Easy PSK – Client onboarding without Registration:
As the number of devices connecting to the internet is increasing rapidly, a simple and easy way to implement security mechanism is desirable for large-scale deployments. One such solution is Easy Pre-Shared Key (Easy PSK). This feature bundles several PSKs onto an SSID and performs client group authentication and authorization on the PSK. Easy PSK feature eliminates the need for client preregistration and automatically adds the client to a group and applies the requisite policies. This feature also provides the means to limit peer-to-peer communication amongst the clients of a group.
PSK grouping on an SSID is useful for different deployment scenarios such as multi dwelling units, university halls, hospitality centers, and hospitals where a single SSID offers efficient use of airtime and roaming capabilities across the access infrastructure while segregating clients as if they were on a private SSID.
Support to Provision SuiteB 192-bit AVPs to AAA Server:
This feature addresses a WPA3 Enterprise 192-bit Security certification test requirement that four AVPs be added to the RADIUS Access Request. This is required for WFA compliance. The AAA server will expect these AVPs, and the association may fail without this support.
Disable Random MAC Clients:
In this software release, the controller is equipped with a knob that denies the entry of clients with random MAC address into the network. When this knob is enabled on the controller, the association of any client joining the network with a random MAC address will be rejected.
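Before enabling such a knob, it helps to know which existing clients it would affect. The following added example (not from the original post or from Cisco) assumes that a random MAC is recognised by the locally administered (U/L) bit, which is how randomized client addresses are marked; the client names and addresses are constructed.

```python
import re

# Constructed sample: client names and MAC addresses are invented for illustration.
SAMPLE_CLIENTS = [
    ("badge-printer", "00-1B-44-11-3A-B7"),
    ("laptop-17", "3c:22:fb:10:20:30"),
    ("phone-a", "da:a1:19:00:11:22"),
    ("phone-b", "f2b4.7c01.0203"),   # Cisco dotted notation
]


def parse_mac(text: str) -> bytes:
    """Accept colon, hyphen and Cisco dotted notation; return the 6 raw octets."""
    digits = re.sub(r"[.:-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def is_random_mac(text: str) -> bool:
    """True for a unicast address with the locally administered (U/L) bit set."""
    first = parse_mac(text)[0]
    return bool(first & 0x02) and not first & 0x01


def audit(clients):
    """Return (would_be_rejected, unaffected) lists of client names."""
    rejected, unaffected = [], []
    for name, mac in clients:
        (rejected if is_random_mac(mac) else unaffected).append(name)
    return rejected, unaffected


if __name__ == "__main__":
    rejected, unaffected = audit(SAMPLE_CLIENTS)
    print("would be rejected:", rejected)
    print("unaffected:", unaffected)
```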
WIPS Additional Signatures:
Fifteen new additional signatures are added to the NextGen WIPS.
Standby Monitoring Enhancements:
This feature monitors the standby controller’s CPU and memory information from the active controller. It also monitors the standby controller independently, using SNMP for the interface MIB.
Auto Upgrade of Standby Controller:
This feature enables the standby controller to upgrade to the active controller's software image, so that both controllers can form a high availability (HA) pair.
HA formation between controllers running different releases: HA can be brought up between controllers running different images, and auto-upgrade takes care of the image mismatch.
A faulty controller in an HA setup can be replaced without upgrading the controller.
It eases HA recovery from problems arising out of a version mismatch.
Catalyst 9800-CL LAG Support:
The LACP protocol (IEEE 802.3ad) aggregates physical Ethernet interfaces by exchanging Link Aggregation Control Protocol Data Units (LACPDUs) between two devices.
LACP and PAgP support is needed on the SSO pair in order to have:
1: Ability to detect and monitor the link/connectivity failures on STANDBY.
2: Seamless transfer of client data traffic upon switchover (SSO)
Prior to Cisco IOS XE release 17.5.1, which brought in high throughput features like SR-IOV, link redundancy was offered via NIC teaming. Since SR-IOV doesn’t support NIC teaming/bonding, LAG support is needed for providing link redundancy and load balancing.
OEAP Link Test:
This feature helps network administrators to troubleshoot OEAP Link Issues for Remote Teleworker users from Catalyst 9800 Wireless Controller.
OEAP Link Test provides DTLS upload speed, link latency and link jitter.
Track AP CPU Usage for AP Health:
This software release helps to track the CPU utilization and the memory usage of an AP, and monitor the health of the AP, from the controller, by generating AP real-time statistics.